[midPoint] midpoint group membership
Radovan Semancik
radovan.semancik at evolveum.com
Tue Nov 8 13:11:26 CET 2016
Hi,
AD is doing its own referential integrity, i.e. when an account is renamed,
AD will automatically rename it in all the groups. That's the reason for
the unwillingToPerform: midPoint tries to remove a value that is no
longer there because AD has changed it already.
You can switch off midPoint referential integrity behavior for the
association by using explicitReferentialIntegrity property:
<association>
.....
<explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
--
Radovan Semancik
Software Architect
evolveum.com
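For context, this is how the property sits inside a complete midPoint AD group association definition. It is an added example, not part of this mail or of the Evolveum HOWTO; the resource-schema attribute names (ri:group, ri:member, ri:dn, ri:memberOf) and the intent name are assumptions that follow the usual layout of an AD connector resource.

```xml
<!-- Added example, not from the original mail: an AD group association in a
     midPoint resource definition. Attribute names (ri:...) and the intent
     name are assumptions. -->
<association>
    <ref>ri:group</ref>
    <displayName>AD Group Membership</displayName>
    <kind>entitlement</kind>
    <intent>group</intent>
    <!-- The group entry holds the reference: its member attribute lists account DNs. -->
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
    <!-- Read membership back from the account's memberOf instead of scanning groups. -->
    <shortcutAttribute>ri:memberOf</shortcutAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
    <!-- AD rewrites member values itself when an account DN changes (move or
         rename), so midPoint must not try to remove the old DN from the group
         afterwards; that removal is what fails with unwillingToPerform. -->
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
```

With the property set to false, midPoint relies on the directory to keep the member values consistent after a move or rename. Leave it enabled for a directory that does not do this itself (for example OpenLDAP without the refint overlay); otherwise a moved account leaves a stale DN in the group and silently loses the membership. The 00000561 in the AD error quoted below is Win32 error 1377 (ERROR_MEMBER_NOT_IN_ALIAS): the DN being removed is already gone from member, which is exactly the explanation above.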
On 11/03/2016 02:51 PM, Oskar Butovič - AMI Praha a.s. wrote:
> Little correction: the error was in modifying the group, so:
> Error modifying LDAP entry CN=All,DC=test,DC=com: [remove:member:
> CN=test user,OU=old org,DC=test,DC=com,]: unwillingToPerform:
> 00000561: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data
> 0?? (53))
>
> 2016-11-03 14:44 GMT+01:00 Oskar Butovič - AMI Praha a.s.
> <oskar.butovic at ami.cz>:
>
> Hello everybody,
>
> I have noticed weird behaviour related to provisioning group
> membership. I am using version 3.4.2-SNAPSHOT from support branch.
>
> When I have configured this according to
> https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO
> everything works fine until midPoint tries to move a user to a
> different OU in AD.
>
> For example, I have the user:
> CN=test user,OU=old org,DC=test,DC=com
> as a member of the group CN=All,DC=test,DC=com
>
> When IdM tries to move the user to:
> CN=test user,OU=new org,DC=test,DC=com
> it should stay a member of the group CN=All,DC=test,DC=com
>
> but although all other AD related changes are executed correctly
> in this transaction, AD returns error:
> Error modifying LDAP entry CN=test user,OU=new org,DC=test,DC=com:
> [remove:member: CN=test user,OU=old org,DC=test,DC=com,]:
> unwillingToPerform: 00000561: SvcErr: DSID-031A12D2, problem 5003
> (WILL_NOT_PERFORM), data 0?? (53))
>
> which is understandable because the user is no longer in the old org, but
> why does midPoint try to remove the account from the group only when
> the account is moved within the organizational structure? A normal recompute
> or reconciliation doesn't behave this way and ends correctly.
>
> Best Regards
>
> Oskar Butovič
>
> --
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101
> e-mail: oskar.butovic at ami.cz
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
> http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management
>
> By the text of this e-mail the signatory neither promises to conclude nor
> concludes any contract on behalf of AMI Praha a.s. Any contract, if
> concluded, must be exclusively in written form.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint