[midPoint] midpoint group membership
Oskar Butovič - AMI Praha a.s.
oskar.butovic at ami.cz
Thu Nov 3 14:44:01 CET 2016
Hello everybody,
I have noticed weird behaviour related to provisioning group membership. I
am using version 3.4.2-SNAPSHOT from the support branch.
I have configured this according to
https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO
Everything works fine until midPoint tries to move a user to a different OU
in AD.
For example, I have the user:
CN=test user,OU=old org,DC=test,DC=com
as a member of the group CN=All,DC=test,DC=com
When IdM tries to move the user to:
CN=test user,OU=new org,DC=test,DC=com
it should stay a member of the group CN=All,DC=test,DC=com,
but although all other AD-related changes in this transaction are executed
correctly, AD returns the error:
Error modifying LDAP entry CN=test user,OU=new org,DC=test,DC=com:
[remove:member: CN=test user,OU=old org,DC=test,DC=com,]:
unwillingToPerform: 00000561: SvcErr: DSID-031A12D2, problem 5003
(WILL_NOT_PERFORM), data 0?? (53))
which is understandable, because the user is no longer in the old org, but
why does midPoint try to remove the account from the group only when the
account is moved within the organizational structure? A normal recompute or
reconciliation does not behave this way and ends correctly.
Best Regards
Oskar Butovič
--
Oskar Butovič
solution architect
gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
By the text of this e-mail the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s. Any contract, if
concluded, must be exclusively in written form.