[midPoint] midpoint group membership
Oskar Butovič - AMI Praha a.s.
oskar.butovic at ami.cz
Thu Nov 3 14:51:29 CET 2016
Little correction: the error was in modifying the group, so:
Error modifying LDAP entry CN=All,DC=test,DC=com: [remove:member: CN=test
user,OU=old org,DC=test,DC=com,]: unwillingToPerform: 00000561: SvcErr:
DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0?? (53))
2016-11-03 14:44 GMT+01:00 Oskar Butovič - AMI Praha a.s. <oskar.butovic at ami.cz>:
> Hello everybody,
>
> I have noticed weird behaviour related to provisioning group membership. I
> am using version 3.4.2-SNAPSHOT from support branch.
>
> When I have configured this according to
> https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO ,
> everything works fine until midPoint tries to move a user to a different OU
> in AD.
>
> For example, I have a user:
> CN=test user,OU=old org,DC=test,DC=com
> as member in group CN=All,DC=test,DC=com
>
> When IDM tries to move the user to:
> CN=test user,OU=new org,DC=test,DC=com
> it should stay as a member of group CN=All,DC=test,DC=com
>
> but although all other AD related changes are executed correctly in this
> transaction, AD returns error:
> Error modifying LDAP entry CN=test user,OU=new org,DC=test,DC=com:
> [remove:member: CN=test user,OU=old org,DC=test,DC=com,]:
> unwillingToPerform: 00000561: SvcErr: DSID-031A12D2, problem 5003
> (WILL_NOT_PERFORM), data 0?? (53))
>
> which is understandable because the user is no longer in old org, but why
> does midPoint try to remove the account from the group only when the account
> is moved within the organizational structure? Normal recompute or
> reconciliation doesn't behave this way and ends correctly.
>
> Best Regards
>
> Oskar Butovič
>
> --
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101
> e-mail: oskar.butovic at ami.cz
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
> By the text of this e-mail, the signatory neither promises to conclude nor
> concludes any contract on behalf of AMI Praha a.s. Any contract, if
> concluded, must be exclusively in written form.
>
>