[midPoint] Case sensitive matching rule
Jan Kaspar
Caspi at seznam.cz
Tue Dec 12 20:38:48 CET 2017
Dear Oskar,
thank you for your reply. I am attaching the configs I have used. If I use CN for correlation then it works.
If I use sAMAccountName then it doesn't work. sAMAccountName, as you can see in the previous config, was configured in both
directions.
> <outbound>
>     <authoritative>false</authoritative>
>     <exclusive>false</exclusive>
>     <strength>normal</strength>
>     <source>
>         <c:path>$user/name</c:path>
>     </source>
> </outbound>
> <inbound>
>     <authoritative>true</authoritative>
>     <exclusive>false</exclusive>
>     <strength>normal</strength>
>     <target>
>         <c:path>$focus/name</c:path>
>     </target>
> </inbound>
In CSV there is no login name or samaccountname. I am using user template to generate this from FirstName and LastName.
<mapping>
    <name>My Object Template: Name for employees</name>
    <source>
        <c:path>givenName</c:path>
    </source>
    <source>
        <c:path>familyName</c:path>
    </source>
    <expression>
        <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="c:ScriptExpressionEvaluatorType">
            <code>
                tmpGivenName = basic.norm(basic.stringify(givenName))?.tr(' ', '.')
                tmpFamilyName = basic.norm(basic.stringify(familyName))?.tr(' ', '.')
                return tmpGivenName + '.' + tmpFamilyName + iterationToken
            </code>
        </script>
    </expression>
    <target>
        <c:path>name</c:path>
    </target>
</mapping>
Can this be a problem? I really don't want to have samAccountName, email, UPN, CN in CSV from HR system.
Now it works in my lab with CN. One adjustment I had to do was remove inbound mapping for SAMACCOUNTNAME.
Thank you for reply,
Jan
-----------------------------------------------------------------------------------------------------------
Dear Jan,
it seems more like a problem with mappings. The error message says that
midpoint tries to put two different values into attribute __NAME__ of
shadow (AD account).
My theory is that inbound mapping from AD gets a different name than
inbound mapping from CSV and midpoint then executes outbound mappings which
have different results in the upper/lower-case. Try it without inbound
mapping in AD resource to confirm it.
Best Regards
Oskar Butovič
2017-12-10 20:36 GMT+01:00 Jan Kaspar <Caspi at seznam.cz>:
> Hi All,
>
> I have another question for setup. I have two sources, CSV and AD LDAP.
> I am creating users from CSV in MidPoint and then I am matching them with
> existing accounts in AD.
> Currently I am experiencing a problem with case sensitivity in the correlation
> rule.
>
> Template user (generating username)
>
> <mapping>
>     <source>
>         <c:path>$user/givenName</c:path>
>     </source>
>     <source>
>         <c:path>$user/familyName</c:path>
>     </source>
>     <expression>
>         <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                 xsi:type="c:ScriptExpressionEvaluatorType">
>             <code>(givenName == null ? '' : givenName) + ' ' + (familyName == null ? '' : familyName)</code>
>         </script>
>     </expression>
>     <target>
>         <c:path>fullName</c:path>
>     </target>
> </mapping>
>
> Attribute sAMAccountName in AD-LDAP
>
> <attribute>
>     <c:ref>ri:sAMAccountName</c:ref>
>     <displayName>Login name</displayName>
>     <matchingRule xmlns:gen68="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen68:stringIgnoreCase</matchingRule>
>     <tolerant>true</tolerant>
>     <exclusiveStrong>false</exclusiveStrong>
>     <outbound>
>         <authoritative>false</authoritative>
>         <exclusive>false</exclusive>
>         <strength>normal</strength>
>         <source>
>             <c:path>$user/name</c:path>
>         </source>
>     </outbound>
>     <inbound>
>         <authoritative>true</authoritative>
>         <exclusive>false</exclusive>
>         <strength>normal</strength>
>         <target>
>             <c:path>$focus/name</c:path>
>         </target>
>     </inbound>
> </attribute>
>
> Sync of accounts:
>
> <synchronization>
>     <objectSynchronization>
>         <name>Account sync</name>
>         <objectClass>ri:user</objectClass>
>         <kind>account</kind>
>         <intent>default</intent>
>         <enabled>true</enabled>
>         <correlation>
>             <q:equal>
>                 <q:matching>polyStringNorm</q:matching>
>                 <q:path>c:name</q:path>
>                 <expression xmlns="">
>                     <path>$shadow/attributes/sAMAccountName</path>
>                 </expression>
>             </q:equal>
>         </correlation>
>         <reconcile>false</reconcile>
>         <reaction>
>             <situation>linked</situation>
>             <synchronize>true</synchronize>
>         </reaction>
>         <reaction>
>             <situation>deleted</situation>
>             <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"/>
>         </reaction>
>         <reaction>
>             <situation>unlinked</situation>
>             <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link"/>
>         </reaction>
>         <reaction>
>             <situation>unmatched</situation>
>             <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus"/>
>         </reaction>
>     </objectSynchronization>
>
> For some users I am getting the following error:
>
> SystemException: Schema violation during processing shadow: shadow:
> CN=Gilbert Stephens,OU=Users,OU=CZ,DC=HELL,DC=LOCAL
> (OID:afefb716-7cab-4d0f-bd5e-c74bf0e868df): Schema violation: Value of
> attribute '__NAME__' must be a single value, but it has 0values: Schema
> violation during processing shadow: shadow: CN=Gilbert
> Stephens,OU=Users,OU=CZ,DC=HELL,DC=LOCAL (OID:afefb716-7cab-4d0f-bd5e-c74bf0e868df):
> Schema violation: Value of attribute '__NAME__' must be a single value, but
> it has 0values: Schema violation during processing shadow: shadow:
> CN=Gilbert Stephens,OU=Users,OU=CZ,DC=HELL,DC=LOCAL
> (OID:afefb716-7cab-4d0f-bd5e-c74bf0e868df): Schema violation: Value of
> attribute '__NAME__' must be a single value, but it has 0values: Schema
> violation during processing shadow: shadow: CN=Gilbert
> Stephens,OU=Users,OU=CZ,DC=HELL,DC=LOCAL (OID:afefb716-7cab-4d0f-bd5e-c74bf0e868df):
> Schema violation: Value of attribute '__NAME__' must be a single value, but
> it has 0values
>
> It can be easily solved by changing samaccountname in AD from
> "gilbert.stephens" to "Gilbert.Stephens".
>
> How to handle that? How to prevent that behaviour?
>
> Thanks Jan
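
A pre-check in the spirit of the diagnosis in this thread, as an added example that is not part of the original messages or of midPoint: it flags HR-derived logins that match an AD sAMAccountName only when case is ignored, the situation described above for "gilbert.stephens" versus "Gilbert.Stephens". The function names, the simplified Given.Family rule and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict


def candidate_login(given_name, family_name):
    """Build Given.Family with inner spaces turned into dots.

    Assumption: a simplified stand-in for the object template in the thread;
    midPoint's basic.norm() step and iterationToken are not reproduced.
    """
    parts = [p.strip().replace(" ", ".") for p in (given_name, family_name)]
    return ".".join(parts)


def classify(hr_rows, ad_accounts):
    """Compare generated logins with AD sAMAccountName values.

    Returns {login: (status, [matching AD values])}, where status is
    'exact', 'case-only', 'ambiguous' or 'unmatched'.
    """
    # Index AD values by their case-folded form (an ignore-case comparison).
    by_folded = defaultdict(list)
    for sam in ad_accounts:
        by_folded[sam.casefold()].append(sam)

    report = {}
    for given, family in hr_rows:
        login = candidate_login(given, family)
        hits = by_folded.get(login.casefold(), [])
        if not hits:
            status = "unmatched"      # no AD account to correlate with
        elif len(hits) > 1:
            status = "ambiguous"      # e.g. an export merged from several domains
        elif hits[0] == login:
            status = "exact"          # both sides agree byte for byte
        else:
            status = "case-only"      # correlates, but the two values differ in case
        report[login] = (status, hits)
    return report


# Constructed sample data, not taken from any real directory.
HR_ROWS = [("Gilbert", "Stephens"), ("Anna", "Van Dijk"),
           ("Petr", "Novak"), ("Eva", "Mala")]
AD_ACCOUNTS = ["gilbert.stephens", "Anna.Van.Dijk", "eva.mala", "Eva.Mala"]

if __name__ == "__main__":
    for login, (status, hits) in classify(HR_ROWS, AD_ACCOUNTS).items():
        print(f"{login:20} {status:10} {hits}")
```

Accounts reported as `case-only` are the ones to review before enabling both inbound and outbound mappings on the same attribute.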