[midPoint] effectiveStatus in shadows causing some issues

Jason Everling jeverling at bshp.edu
Wed Feb 8 18:52:02 CET 2017


Not sure if this was fixed in later versions, we are on 3.2 still BUT I ran
into some activation issues when testing my new authoritative resource, it
kept enabling accounts even though their resource account was 'disabled'
and inbound was strong, on every single reconcile.

It took forever to figure it out, it was the same accounts every single
time, I finally found through a ton of logging, the shadow account for the
AD resource had wrong activation information, below.

   <activation>
      <administrativeStatus>disabled</administrativeStatus>
      <effectiveStatus>enabled</effectiveStatus>
      <lockoutStatus>normal</lockoutStatus>
   </activation>
</shadow>

It was that effectiveStatus that kept enabling their midPoint account even
though on AD it is still disabled.

I went through each shadow, one by one, and changed effectiveStatus to
disabled and ran a full recon and it no longer enables the accounts.

In any case, I did this one by one, it took quite a while to do it. I was
hoping I could scan through the database for any I might have missed and
just compare 'administrativeStatus' to 'effectiveStatus' for the shadows
BUT it seems in the shadow table those columns do not exist.

Where are these values stored for a shadow object? Out of all my resources,
the AD resource is the only one that actually has those values, all other
resource shadows contain no activation even though they have
inbound/outbound mappings.

Thanks!
JASON
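
Added example (not part of the original message, and not midPoint code): one way to run the administrativeStatus versus effectiveStatus comparison described above over an XML export of shadow objects rather than database columns. The <objects> wrapper, the namespace URI, the OIDs and the names are constructed, and nothing is assumed about where the repository stores these values.

```python
import xml.etree.ElementTree as ET

# Constructed sample export; wrapper element, namespace, OIDs and names are made up.
SAMPLE_EXPORT = """<objects xmlns="urn:example:constructed-ns">
  <shadow oid="00000000-0000-0000-0000-000000000001"><name>constructed.user1</name>
    <activation>
      <administrativeStatus>disabled</administrativeStatus>
      <effectiveStatus>enabled</effectiveStatus>
      <lockoutStatus>normal</lockoutStatus>
    </activation>
  </shadow>
  <shadow oid="00000000-0000-0000-0000-000000000002"><name>constructed.user2</name>
    <activation>
      <administrativeStatus>disabled</administrativeStatus>
      <effectiveStatus>disabled</effectiveStatus>
    </activation>
  </shadow>
  <shadow oid="00000000-0000-0000-0000-000000000003"><name>constructed.user3</name></shadow>
</objects>"""

def local(tag):
    """Drop any XML namespace prefix so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]

def child_text(parent, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in parent:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def find_mismatched_shadows(xml_text):
    """Return (oid, name, administrativeStatus, effectiveStatus) where the two differ."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "shadow":
            continue
        activation = next((c for c in elem if local(c.tag) == "activation"), None)
        if activation is None:
            continue  # shadow carries no activation block at all
        admin = child_text(activation, "administrativeStatus")
        effective = child_text(activation, "effectiveStatus")
        if admin and effective and admin != effective:
            findings.append((elem.get("oid"), child_text(elem, "name"), admin, effective))
    return findings

if __name__ == "__main__":
    for finding in find_mismatched_shadows(SAMPLE_EXPORT):
        print("oid=%s name=%s administrativeStatus=%s effectiveStatus=%s" % finding)
```

Shadows with no activation element are skipped rather than reported, so the output lists only accounts where the two stored values disagree.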