[midPoint] distinguishedName required to outbound - WHY?
oleg okunev
legeech at inbox.ru
Mon Oct 3 16:42:44 CEST 2016
My steps:
1. add new user (give only name and pass)
2. save
3. edit user
4. add projection Active Directory Medusa (LDAPS)
it shows all empty fields
all with outbound mapping mark BUT distinguishedName with asterisk
cn
distinguishedName *
givenName
objectCategory
pwdLastSet
sAMAccountName
showInAdvancedViewOnly
sn
userPrincipalName
nothing filling.
5. so when I try to save it says field distinguishedName is required!
BUT if I push on name of projection ( Active Directory Medusa (LDAPS) ) all fields are minimized and after that I can save successfully
and shows that after save.
distinguishedName *
distinguishedName
I can make print screen)
I'm using MS AD.
and NO I didn't modify config
especially yes ) but I test in stock.
just for myself had trying to modify
offtop: why is the description field required for a user in midPoint?
Extension
description *
>Monday, 3 October 2016, 17:16 +03:00 from Ivan Noris <ivan.noris at evolveum.com>:
>
>Well this is strange. I've revived my master midpoint instance with the same resource and provisioning by adding projection works. No "ri:distinguishedName required" problem.
>The mandatory attr for the connector is ri:dn (this is equivalent to icfs:name in old connector). ri:distinguishedName is not used in schema handling. (Although such attribute seems to be valid for AD - I can see it as readonly in returned object.)
>What version of AD LDAP connector are you using? Also please check if you are doing anything with ri:distinguishedName attribute in your schemaHandling...
>Ivan
>
>On 10/03/2016 03:50 PM, oleg okunev wrote:
>>from your answer
>>https://jira.evolveum.com/browse/MID-3092?focusedCommentId=17980&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17980
>>
>>i use it (with ssl)
>>https://github.com/Evolveum/midpoint/blob/fb5f9c431708dbda75f2096dd8a4e6e7295f144c/testing/conntest/src/test/resources/ad-ldap/resource-medusa.xml
>>
>>and one more thing when I open accounts on resource it shows only users, and no one group
>>
>>>Monday, 3 October 2016, 15:55 +03:00 from Ivan Noris <ivan.noris at evolveum.com>:
>>>
>>>Hi,
>>>which sample resource have you used please?
>>>Regards,
>>>Ivan
>>>
>>>On 09/29/2016 02:15 PM, oleg okunev wrote:
>>>>Hi
>>>>
>>>>interesting thing
>>>>when i add projection of ad ldap to user in midpoint
>>>>it says 'distinguishedName' is required.
>>>>
>>>>1.my config
>>>>Active Directory Medusa (MS AD LDAPS)
>>>>---
>>>><attribute>
>>>>    <ref>ri:dn</ref>
>>>>    <displayName>distinguishedName</displayName>
>>>>    <matchingRule>mr:distinguishedName</matchingRule>
>>>>    <outbound>
>>>>        <source>
>>>>            <path>$user/fullName</path>
>>>>        </source>
>>>>        <expression>
>>>>            <script>
>>>>                <code>
>>>>                    'CN=' + fullName + iterationToken + ',CN=Users,DC=abb-test,DC=com'
>>>>                </code>
>>>>            </script>
>>>>        </expression>
>>>>    </outbound>
>>>></attribute>
>>>>---
>>>>
>>>>2.field with asterisk
>>>>distinguishedName *
>>>>and i find this in GUI
>>>>look image/
>>>>
>>>>i think something wrong with matching rule
>>>>
>>>>also if I manually write this field it works and after show me in projection TWO same fields
>>>>
>>>>
>>>>
>>>>Displaying 31 to 40 of 334 matching result.
>>>>
>>>>Name                  Display name       Native attribute name  Min/max occurs  Order  Returned by default
>>>>departmentNumber                         departmentNumber       0/-1            1860
>>>>description                              description            0/-1            590
>>>>desktopProfile                           desktopProfile         0/1             3120
>>>>destinationIndicator                     destinationIndicator   0/-1            2160
>>>>directReports                            directReports          0/-1            1420
>>>>displayName                              displayName            0/1             1080
>>>>displayNamePrintable                     displayNamePrintable   0/1             2480
>>>>distinguishedName                        distinguishedName      0/1             3360
>>>>division                                 division               0/1             1410
>>>>dn                    distinguishedName  dn                     1/1             110
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>_______________________________________________
midPoint mailing list
>>>>midPoint at lists.evolveum.com
>>>>http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>--
>>>Ivan Noris
>>>Senior Identity Engineer
>>>evolveum.com
>
>--
>Ivan Noris
>Senior Identity Engineer
>evolveum.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ExportedData_ResourceType_1475505511757.xml
Type: application/octet-stream
Size: 362175 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161003/e6ba00aa/attachment.obj>
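
The schema table quoted in the thread contains two rows that would render under the label distinguishedName: ri:dn (display name distinguishedName, 1/1) and ri:distinguishedName itself (0/1). The following is an added example, not part of the thread and not midPoint code, that lists such shared labels for a schemaHandling fragment; the function names are hypothetical, the sample data is constructed from the quoted config and table, and it assumes the form falls back to the attribute name when no displayName is set.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the ri:dn mapping quoted in the thread, wrapped in a
# bare <objectType> element (XML namespaces omitted for brevity).
SCHEMA_HANDLING = """
<objectType>
  <attribute>
    <ref>ri:dn</ref>
    <displayName>distinguishedName</displayName>
    <matchingRule>mr:distinguishedName</matchingRule>
  </attribute>
</objectType>
"""

# Constructed from rows of the schema table in the thread: name -> minOccurs.
RESOURCE_ATTRS = {"dn": 1, "distinguishedName": 0, "displayName": 0, "division": 0}


def gui_labels(schema_handling_xml, resource_attrs):
    """Map each form label to the resource attributes rendered under it."""
    overrides = {}
    for attr in ET.fromstring(schema_handling_xml).iter("attribute"):
        ref = (attr.findtext("ref") or "").strip()
        label = (attr.findtext("displayName") or "").strip()
        if ref and label:
            overrides[ref.split(":", 1)[-1]] = label  # drop the "ri:" prefix
    labels = defaultdict(list)
    for name in resource_attrs:
        # Assumption: without a displayName override the attribute name is shown.
        labels[overrides.get(name, name)].append(name)
    return labels


def ambiguous_labels(schema_handling_xml, resource_attrs):
    """Return {label: [(attribute, is_mandatory), ...]} for labels used twice or more."""
    return {
        label: [(n, resource_attrs[n] >= 1) for n in sorted(names)]
        for label, names in gui_labels(schema_handling_xml, resource_attrs).items()
        if len(names) > 1
    }


if __name__ == "__main__":
    for label, attrs in ambiguous_labels(SCHEMA_HANDLING, RESOURCE_ATTRS).items():
        for name, mandatory in attrs:
            kind = "mandatory" if mandatory else "optional"
            print(f"label {label!r} <- ri:{name} ({kind})")
```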