[midPoint] effectiveStatus in shadows causing some issues

Ivan Noris ivan.noris at evolveum.com
Mon Feb 13 13:37:57 CET 2017


Hi Jason,

AFAIK somewhere between 3.2 and 3.4 there was a change and this is no
longer stored in Shadows. Only metadata e.g. activation/enableTimestamp,
but not the state. (Just looking at my shadows on midpoint 3.5.x)

Regards,

Ivan


On 02/08/2017 06:52 PM, Jason Everling wrote:
> Not sure if this was fixed in later versions, we are on 3.2 still BUT
> I ran into some activation issues when testing my new authoritative
> resource, it kept enabling accounts even though their resource account
> was 'disabled' and inbound was strong, on every single reconcile.
>
> It took forever to figure it out, it was the same accounts every
> single time, I finally found through a ton of logging, the shadow
> account for the AD resource had wrong activation information, below.
>
>    <activation>
>       <administrativeStatus>disabled</administrativeStatus>
>       <effectiveStatus>enabled</effectiveStatus>
>       <lockoutStatus>normal</lockoutStatus>
>    </activation>
> </shadow>
>
> It was that effectiveStatus that kept enabling their midpoint account
> even though on AD it is still disabled.
>
> I went through each shadow, one by one, and changed effectiveStatus to
> disabled and ran a full recon and it no longer enables the accounts.
>
> In any case, I did this one by one, it took quite a while to do it. I
> was hoping I could scan through the database for any I might have
> missed and just compare 'administrativeStatus' to 'effectiveStatus'
> for the shadows BUT it seems in the shadow table those columns do not
> exist.
>
> Where are these values stored for a shadow object? Out of all my
> resources, the AD resource is the only one that actually has those
> values, all other resource shadows contain no activation even though
> they have inbound/outbound mappings.
>
> Thanks!
> JASON

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
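
An added example, not part of the original thread and not midPoint code: one way to do the bulk comparison Jason describes, run over an XML export of shadow objects instead of the database. It assumes the shadows were exported to a file with the element names shown in the quoted snippet, plus an `oid` attribute and a `name` element on each shadow; the sample data is constructed and XML namespaces are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample export; OIDs and names are made up for illustration.
SAMPLE_EXPORT = """<objects>
  <shadow oid="00000000-0000-0000-0000-000000000001">
    <name>cn=alice,ou=people,dc=example,dc=com</name>
    <activation>
      <administrativeStatus>disabled</administrativeStatus>
      <effectiveStatus>enabled</effectiveStatus>
    </activation>
  </shadow>
  <shadow oid="00000000-0000-0000-0000-000000000002">
    <name>cn=bob,ou=people,dc=example,dc=com</name>
    <activation>
      <administrativeStatus>disabled</administrativeStatus>
      <effectiveStatus>disabled</effectiveStatus>
    </activation>
  </shadow>
  <shadow oid="00000000-0000-0000-0000-000000000003">
    <name>carol</name>
    <activation><enableTimestamp>2017-02-01T10:00:00Z</enableTimestamp></activation>
  </shadow>
</objects>"""

def local(tag):
    # Strip any XML namespace so the check works with or without one.
    return tag.rsplit("}", 1)[-1]

def child(elem, name):
    return next((c for c in elem if local(c.tag) == name), None)

def text_of(elem, name):
    c = child(elem, name)
    return (c.text or "").strip() if c is not None else None

def find_mismatched_shadows(xml_text):
    """Return (oid, name, administrativeStatus, effectiveStatus) per mismatch."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "shadow":
            continue
        activation = child(elem, "activation")
        if activation is None:
            continue  # shadow stores no activation at all
        admin = text_of(activation, "administrativeStatus")
        effective = text_of(activation, "effectiveStatus")
        # Flag only shadows where both values are stored and they disagree.
        if admin and effective and admin != effective:
            findings.append((elem.get("oid"), text_of(elem, "name"), admin, effective))
    return findings
```

Shadows that carry only activation metadata, as Ivan describes for 3.5.x, are skipped because there is no stored state to compare.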
