[midPoint] Org. Structure
Jan Kaspar
Caspi at seznam.cz
Fri Dec 8 20:02:25 CET 2017
Hi All,
I need help with the setup of Org. Structure. First of all, I have prepared a demo
Active Directory with hundreds of users and groups.
Users are synced to MidPoint and also Roles are synced to AD as Groups. So it
works.
I would like to try also Org Structure. I watched demo online and after some
adjustments I was able to create Orgs:
'functional as OU' and 'projects as Groups'.
I am having multiple issues:
If I create a root Org for a project, everything is OK. A Security Group is
created in AD. If I try to assign a user, then the user is added to the corresponding
Group.
But if I try to create a child Org of type project, I get an error:
Can't process shadow: null (OID:null): Generic error in connector: Invalid
credentials: org.identityconnectors.framework.common.exceptions.
InvalidPasswordException(0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL
_NOT_PERFORM), data 0??: PASSWORD_RESTRICTION: Unable to update the
password. The value provided for the new password does not meet the length,
complexity, or history requirement of the domain): Can't process shadow:
null (OID:null): Generic error in connector: Invalid credentials: org.
identityconnectors.framework.common.exceptions.InvalidPasswordException
(0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0??:
PASSWORD_RESTRICTION: Unable to update the password. The value provided for
the new password does not meet the length, complexity, or history
requirement of the domain): Can't process shadow: null (OID:null): Generic
error in connector: Invalid credentials: org.identityconnectors.framework.
common.exceptions.InvalidPasswordException(0000052D: SvcErr: DSID-031A12D2,
problem 5003 (WILL_NOT_PERFORM), data 0??: PASSWORD_RESTRICTION: Unable to
update the password. The value provided for the new password does not meet
the length, complexity, or history requirement of the domain): Can't process
shadow: null (OID:null): Generic error in connector: Invalid credentials:
org.identityconnectors.framework.common.exceptions.InvalidPasswordException
(0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0??:
PASSWORD_RESTRICTION: Unable to update the password. The value provided for
the new password does not meet the length, complexity, or history
requirement of the domain)
I see that it is creating an object of type account:
Activity Status Resource object (if applicable)
Computing projections of the focus object
Operation on focus object (repository)
Account (default) on Hell Active Directory (LDAP) Add:Fatal error -> CN=A2,OU=Users,OU=CZ,DC=hell,DC=local
Considering or starting approval workflows
I see that it tries to use the correct meta role.
Successfully finished evaluation of mapping mapping in for association {.../
resource/instance-3}group in role:3154fafb-9f9f-4c3b-93ae-7fffd43796bf(LDAP
Projects MetaRole) in 7 ms.
When I manually add the metarole to the child Org, I get an error:
Activity Status Resource object (if applicable)
Computing projections of the focus object
Operation on focus object (repository)
Account (default) on Hell Active Directory (LDAP) Add:Fatal error -> CN=A2,OU=Users,OU=CZ,DC=hell,DC=local
Entitlement (ldapProject) on Hell Active Directory (LDAP) Add:Success -> cn=A2,ou=Projects,dc=hell,dc=local
Considering or starting approval workflows
In the end the group is created, but it is not the correct behaviour.
Another problem is that when I add someone to a child Org, they are added to the
corresponding group, but not to the AD group of the root Org.
I hope I described it clearly. Can someone please help me with the correct
settings?
Thank you
Jan