[midPoint] Refreshing uuids in ldap shadow objects

Pertti Kellomäki pertti.kellomaki at datactica.fi
Tue Dec 5 06:40:45 CET 2017


Hi, I deleted the shadows and did a user recompute, and that did the trick. Thanks!


Pertti

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Pertti Kellomäki <pertti.kellomaki at datactica.fi>
Sent: 1 December 2017 13:03
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Refreshing uuids in ldap shadow objects


Hi Ivan,


I cannot test right now, but deleting the shadows and recreating them sounds about right, and exactly what I was looking for. I'll report later how it went.


Pertti

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan Noris <ivan.noris at evolveum.com>
Sent: 1 December 2017 12:16
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Refreshing uuids in ldap shadow objects


Hi Pertti,


if I understand that correctly, the groups are not linked to any focus objects (Orgs or Roles) in midPoint. (The Shadows Details page should display no owners for those shadows).


So reconciliation of the groups should fix it (with unmatched->no reaction). But this requires you to have at least simple objectType and objectSynchronization defined for the groups (without mappings) in that resource.


I'm thinking... As an alternative you may also just delete all shadows corresponding to the groups where entryuuid changed, and then going to Resource->your resource->Entitlements - selecting object class and clicking Resource tab should display groups from the resource and re-create shadow objects for them...


Also getting rid of those incorrect shadow objects and then editing some user-projections-associations should display correctly (and it will recreate the group shadow).


No other ideas now.


Best regards,

Ivan

On 01.12.2017 11:00, Pertti Kellomäki wrote:

Hi,


The groups are managed externally, though with hindsight it would have been better to let midPoint create them. Association is done using associationTargetSearch with a bit of groovy code that constructs the name of the appropriate ldap group.


Pertti

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan Noris <ivan.noris at evolveum.com>
Sent: 30 November 2017 16:25
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Refreshing uuids in ldap shadow objects


Hi Pertti,


are the groups actually created by midPoint, or are they managed externally?
How are you associating the LDAP accounts with the groups? Using associationTargetSearch or associationFromLink?






--
Ivan Noris
Senior Identity Engineer
evolveum.com
