[midPoint] distinguishedName required to outbound - WHY?
Ivan Noris
ivan.noris at evolveum.com
Tue Oct 4 08:39:11 CEST 2016
Hi Oleg,
distinguishedName with asterisk is actually ri:dn attribute from schema
handling. If you look into the schema handling, displayName for that
attribute is "Distinguished Name". And it's mandatory.
<attribute>
<c:ref
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:dn</c:ref>
*<displayName>distinguishedName</displayName>*
<matchingRule
xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
<outbound>
<source>
<c:path>$user/*fullName*</c:path>
</source>
<expression>
<script>
<code>
'CN=' + fullName + iterationToken +
',CN=Users,DC=abb-test,DC=akbars,DC=ru'
</code>
</script>
</expression>
</outbound>
</attribute>
Also, the mapping is using *fullName* user's attribute. So if in your
case "null" is used, your user does not have fullName filled. Either
ensure your users have fullName, or change the mapping to generate DN
from different attributes. Otherwise midPoint can complain while
provisioning to AD (which may also be your case as manual entering of
value fixes the problem...)
We are usually using outbound mappings to set all required/mandatory
values in resource schema handling, so that the roles are only
constructing the account and giving groups. Assigning the role is better
than just adding projection, because it represents "desired state".
Adding projection is only creating the account and link to that account,
but if the account on the resource is deleted manually, midPoint doesn't
know if the account should exist or not - roles are representing this.
See also: https://wiki.evolveum.com/display/midPoint/Assigning+vs+Linking
>From the version of the connector you are probably using older midPoint.
In midPoint 3.4.x, AD connector 1.4.18 is used. I don't have duplicate
distinguishedName in my case. I would recommend to use last stable
version of midPoint and check if the problem persists.
As for "extension mandatory attribute description" I don't have any
clue. Please check you schema extension that you are using. They are
located in "midpoint.home/schema/" directory as *.xsd file(s).
Best regards,
Ivan
On 10/03/2016 04:42 PM, oleg okunev wrote:
>
>
>
> my steps
> 1.add new user (give only name and pass)
> 2. save
> 3. edit user
> 4. add projection Active Directory Medusa (LDAPS)
> it shows all empty fields
> all with otbound mapping mark BUT distinguishedName with asterisk
> cn
> distinguishedName *
> givenName
> objectCategory
> pwdLastSet
> sAMAccountName
> showInAdvancedViewOnly
> sn
> userPrincipalName
>
> nothig filling.
>
> 5. so when i try to save it says field distinguishedName is requared!
>
> BUT if i push on name of projection (Active Directory Medusa (LDAPS))
> all fields are minimize and after that i can save successfully
>
> and shows that after save.
>
> distinguishedName *
>
>
>
>
>
> distinguishedName
>
>
>
>
>
>
>
>
> i can make print screen)
>
> im using MS AD.
>
>
>
> and NO i didnt modify config
> Attributes
>
>
>
>
>
> Attribute
>
> Display name
>
>
> espessialy yes ) but i test in stock.
> just for myself had trying to modify
>
>
>
> offtop why is description field is requared to user in midpoint&
>
> Extension
> description *
>
>
>
>
> Понедельник, 3 октября 2016, 17:16 +03:00 от Ivan Noris
> <ivan.noris at evolveum.com>:
>
> Well this is strange. I've revived my master midpoint instance
> with the same resource and provisioning by adding projection
> works. No "ri:distinguishedName required" problem.
>
> The mandatory attr for the connector is ri:dn (this is equivalent
> to icfs:name in old connector). ri:distinguishedName is not used
> in schema handling. (Although such attribute seems to be valid for
> AD - I can see it as readonly in returned object.)
>
> What version of AD LDAP connector are you using? Also please check
> if you are doing anything with ri:distinguishedName attribute in
> your schemaHandling...
>
> Ivan
>
>
> On 10/03/2016 03:50 PM, oleg okunev wrote:
>> from your answer
>> https://jira.evolveum.com/browse/MID-3092?focusedCommentId=17980&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17980
>>
>> i use it (with ssl)
>> https://github.com/Evolveum/midpoint/blob/fb5f9c431708dbda75f2096dd8a4e6e7295f144c/testing/conntest/src/test/resources/ad-ldap/resource-medusa.xml
>>
>> and one more thing when i open accounts on resourse it shows only
>> users , and no one group
>>
>> Понедельник, 3 октября 2016, 15:55 +03:00 от Ivan Noris
>> <ivan.noris at evolveum.com> <mailto:ivan.noris at evolveum.com>:
>>
>> Hi,
>>
>> which sample resource have you used please?
>>
>> Regards,
>>
>> Ivan
>>
>>
>> On 09/29/2016 02:15 PM, oleg okunev wrote:
>>> Hi
>>>
>>> interesting thing
>>> when i add projection of ad ldap to user in midpoint
>>> it says 'distinguishedName' is required.
>>>
>>> 1.my config
>>> Active Directory Medusa (MS AD LDAPS)
>>>
>>> ---
>>> <attribute>
>>> <ref>ri:dn</ref>
>>> <displayName>distinguishedName</displayName>
>>> <matchingRule>mr:distinguishedName</matchingRule>
>>> <outbound>
>>> <source>
>>> <path>$user/fullName</path>
>>> </source>
>>> <expression>
>>> <script>
>>> <code>
>>> 'CN=' + fullName + iterationToken +
>>> ',CN=Users,DC=abb-test,DC=com'
>>> </code>
>>> </script>
>>> </expression>
>>> </outbound>
>>> </attribute>
>>> ---
>>>
>>> 2.field with asterisk
>>> distinguishedName *
>>>
>>> and i find this in GUI
>>> look image/
>>>
>>> i think something wrong with matching rule
>>>
>>> also if i manualy write this field it works and after show
>>> me in projection TWO same fields
>>>
>>>
>>>
>>> Name
>>>
>>> Display name
>>>
>>> Native attribute name
>>>
>>> Min/max occurs
>>>
>>> Order
>>>
>>> Returned by default
>>> Displaying 31 to 40 of 334 matching result.
>>> departmentNumber
>>>
>>> departmentNumber
>>>
>>> 0/-1
>>>
>>> 1860
>>>
>>> description
>>>
>>> description
>>>
>>> 0/-1
>>>
>>> 590
>>>
>>> esktopProfile
>>>
>>> desktopProfile
>>>
>>> 0/1
>>>
>>> 3120
>>>
>>> destinationIndicator
>>>
>>> destinationIndicator
>>>
>>> 0/-1
>>>
>>> 2160
>>>
>>> directReports
>>>
>>> directReports
>>>
>>> 0/-1
>>>
>>> 1420
>>>
>>> displayName
>>>
>>> displayName
>>>
>>> 0/1
>>>
>>> 1080
>>>
>>> displayNamePrintable
>>>
>>> displayNamePrintable
>>>
>>> 0/1
>>>
>>> 2480
>>>
>>> distinguishedName
>>>
>>> distinguishedName
>>>
>>> 0/1
>>>
>>> 3360
>>>
>>> division
>>>
>>> division
>>>
>>> 0/1
>>>
>>> 1410
>>>
>>> dn
>>>
>>> distinguishedName
>>>
>>> dn
>>>
>>> 1/1
>>>
>>> 110
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> <//e.mail.ru/compose/?mailto=mailto%3amidPoint at lists.evolveum.com>
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> <//e.mail.ru/compose/?mailto=mailto%3amidPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ivan Noris
Senior Identity Engineer
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161004/8ad2f03f/attachment.htm>
More information about the midPoint
mailing list