[midPoint] Case sensitive matching rule

Oskar Butovič - AMI Praha a.s. oskar.butovic at ami.cz
Mon Dec 11 10:15:29 CET 2017


Dear Jan,

it seems more like a problem with mappings. The error message says that
midpoint tries to put two different values into attribute __NAME__ of
shadow (AD account).

My theory is that inbound mapping from AD gets a different name than
inbound mapping from CSV and midpoint then executes outbound mappings which
have different results in the upper/lower-case. Try it without inbound
mapping in AD resource to confirm it.

Best Regards
Oskar Butovič

2017-12-10 20:36 GMT+01:00 Jan Kaspar <Caspi at seznam.cz>:

> Hi All,
>
> I have another question for setup. I have two sources CSV and AD LDAP.
> I am creating users from CSV in MidPoint and then I am matching it with
> existing accounts in AD.
> Currently I am experiencing a problem with case sensitivity in the correlation
> rule.
>
> Template user (generating username)
>
>    <mapping>
>       <source>
>          <c:path>$user/givenName</c:path>
>       </source>
>       <source>
>          <c:path>$user/familyName</c:path>
>       </source>
>       <expression>
>          <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                  xsi:type="c:ScriptExpressionEvaluatorType">
>             <code>(givenName == null ? '' : givenName) + ' ' + (familyName == null ? '' : familyName)</code>
>          </script>
>       </expression>
>       <target>
>          <c:path>fullName</c:path>
>       </target>
>    </mapping>
>
> Attribute sAMAccountName in AD-LDAP
>
> <attribute>
>             <c:ref>ri:sAMAccountName</c:ref>
>             <displayName>Login name</displayName>
>             <matchingRule xmlns:gen68="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen68:stringIgnoreCase</matchingRule>
>             <tolerant>true</tolerant>
>             <exclusiveStrong>false</exclusiveStrong>
>             <outbound>
>                <authoritative>false</authoritative>
>                <exclusive>false</exclusive>
>                <strength>normal</strength>
>                <source>
>                   <c:path>$user/name</c:path>
>                </source>
>             </outbound>
>             <inbound>
>                <authoritative>true</authoritative>
>                <exclusive>false</exclusive>
>                <strength>normal</strength>
>                <target>
>                   <c:path>$focus/name</c:path>
>                </target>
>             </inbound>
>          </attribute>
>
> Sync of accounts:
>
>    <synchronization>
>       <objectSynchronization>
>          <name>Account sync</name>
>          <objectClass>ri:user</objectClass>
>          <kind>account</kind>
>          <intent>default</intent>
>          <enabled>true</enabled>
>          <correlation>
>             <q:equal>
>                <q:matching>polyStringNorm</q:matching>
>                <q:path>c:name</q:path>
>                <expression xmlns="">
>                   <path>$shadow/attributes/sAMAccountName</path>
>                </expression>
>             </q:equal>
>          </correlation>
>          <reconcile>false</reconcile>
>          <reaction>
>             <situation>linked</situation>
>             <synchronize>true</synchronize>
>          </reaction>
>          <reaction>
>             <situation>deleted</situation>
>             <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"/>
>          </reaction>
>          <reaction>
>             <situation>unlinked</situation>
>             <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link"/>
>          </reaction>
>          <reaction>
>             <situation>unmatched</situation>
>             <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus"/>
>          </reaction>
>       </objectSynchronization>
>    </synchronization>
>
> For some users I am getting the following error:
>
> SystemException: Schema violation during processing shadow: shadow:
> CN=Gilbert Stephens,OU=Users,OU=CZ,DC=HELL,DC=LOCAL
> (OID:afefb716-7cab-4d0f-bd5e-c74bf0e868df): Schema violation: Value of
> attribute '__NAME__' must be a single value, but it has 0values: Schema
> violation during processing shadow: shadow: CN=Gilbert
> Stephens,OU=Users,OU=CZ,DC=HELL,DC=LOCAL (OID:afefb716-7cab-4d0f-bd5e-c74bf0e868df):
> Schema violation: Value of attribute '__NAME__' must be a single value, but
> it has 0values: Schema violation during processing shadow: shadow:
> CN=Gilbert Stephens,OU=Users,OU=CZ,DC=HELL,DC=LOCAL
> (OID:afefb716-7cab-4d0f-bd5e-c74bf0e868df): Schema violation: Value of
> attribute '__NAME__' must be a single value, but it has 0values: Schema
> violation during processing shadow: shadow: CN=Gilbert
> Stephens,OU=Users,OU=CZ,DC=HELL,DC=LOCAL (OID:afefb716-7cab-4d0f-bd5e-c74bf0e868df):
> Schema violation: Value of attribute '__NAME__' must be a single value, but
> it has 0values
>
> It can be easily solved by changing samaccountname in AD from
> "gilbert.stephens" to "Gilbert.Stephens".
>
> How to handle that? How to prevent that behaviour?
>
> Thanks Jan


-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz
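
A pre-flight check for the situation discussed in this thread, added here as an example (not code from the thread or from midPoint): it compares CSV user names with AD sAMAccountName values and lists the pairs that match only when case is ignored, such as Gilbert.Stephens and gilbert.stephens. The sample data, the function names and the trim-and-casefold comparison are assumptions; midPoint's own polyStringNorm normalization is not reproduced here.

```python
import csv
import io

# Constructed sample data (assumption, not taken from the thread's systems).
CSV_USERS = """name,givenName,familyName
Gilbert.Stephens,Gilbert,Stephens
Anna.Novak,Anna,Novak
Petr.Svoboda,Petr,Svoboda
"""
AD_SAM_ACCOUNT_NAMES = ["gilbert.stephens", "Anna.Novak", "jiri.dvorak"]


def fold(value):
    """Simplified stand-in for a case-insensitive matching rule (assumption):
    trims and case-folds only."""
    return value.strip().casefold()


def classify(csv_text, ad_names):
    """Sort names into buckets by how the CSV and AD values relate."""
    ad_by_key = {fold(sam): sam for sam in ad_names}
    report = {"exact": [], "case_mismatch": [], "csv_only": [], "ad_only": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"]
        key = fold(name)
        seen.add(key)
        sam = ad_by_key.get(key)
        if sam is None:
            # No AD account would correlate with this user.
            report["csv_only"].append(name)
        elif sam == name:
            report["exact"].append(name)
        else:
            # Correlates when case is ignored, but the stored values differ:
            # these are the accounts to review before synchronizing.
            report["case_mismatch"].append((name, sam))
    # AD accounts with no CSV user; with the configuration quoted above they
    # would fall into the "unmatched" situation.
    report["ad_only"] = [s for k, s in ad_by_key.items() if k not in seen]
    return report


if __name__ == "__main__":
    for bucket, items in classify(CSV_USERS, AD_SAM_ACCOUNT_NAMES).items():
        print(f"{bucket}: {items}")
```
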

