[midPoint] Connecting multi-domain active directory forrest - intents help a little

Radovan Semancik radovan.semancik at evolveum.com
Thu Feb 23 11:58:57 CET 2017 

Hi,

On 02/22/2017 04:34 PM, Arnošt Starosta - AMI Praha a.s. wrote:
> But when that subdomain data/shadows are processed further in the 
> subdomain intent task the objectSynchronization configurations for 
> different intents seem to collide and no accounts for subdomains are 
> created. The subdomain shadow objects are reported on the progress tab 
> as "(ACCOUNT - default - user)" instead of "(ACCOUNT - subdomain - 
> user)".
>
> It seems only the first objectSynchronization element is considered 
> and renders the object "not applicable".

Please make sure that you have set kind/intent also in the 
synchronization section. And that you have correct conditions in the 
synchronization section. The conditions may be needed to sort the 
imported accounts to the "intents". As the multi-domain is seen as one 
resource, midPoint has no practical way how to sort the accounts to 
intents automatically. At least not now.

It is described here: 
https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration

N.B.: The split of configuration to schemaHandling and synchronization 
was one the historical mistakes in the midPoint configuration design. It 
does not make much sense now. I have already regretted that design 
choice several times. But it is there almost from the begining, long 
before we had intents. This is the cost of evolution. And now we 
strongly prefer compatibility and upgradeability, so there is no easy 
way to fix that. The plan is to fix this and similar issues in midPoint 
4 ... whenever that may be.

> Is that a bug or is my 'objectSynchronization per intent' wrong?

I would guess that it is configuration issue. You probably need to add 
the conditions to synchronization sections. It is unlikely that this is 
a bug as this is a tested setup. But of course, I cannot completely rule 
out the possibility that there is a bug.

> Btw trying to 'import' the accounts from subdomains doesn't even try 
> to fetch the data. I always have to 'reconcile'. Don't know if that 
> indicates something or not.

This one is quite strange. Import and reconcile are almost the same in 
this aspect. Both are based on account search. But again, I would guess 
that this suggest either wrong configuration or a very strange bug.

-- 
Radovan Semancik
Software Architect
evolveum.com

More information about the midPoint mailing list