[midPoint] Prevent AD user deletion when the user is deleted on Midpoint

Gruber, Michael MICHAEL.GRUBER at wwk.de
Fri Jan 27 13:04:07 CET 2017


Hi,

we had a similar problem, but in our case the user is not deleted in midpoint, it just loses the assignment (which contains account creation).
We also have
<activation>
    <existence>
        <outbound>
            <expression>
                <value>true</value>
            </expression>
        </outbound>
    </existence>
</activation>

and solved the issue by adding a “fallback” when calculating dn in outbound expression for <ref>ri:dn</ref>


// Fallback: when the account already exists, reuse its current dn
if (account) {
    dn = basic.getAttributeValue(account, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'dn')
    return dn
}


Regards, Michael


From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Martin Besozzi
Sent: Thursday, January 26, 2017 17:15
To: midPoint General Discussion
Subject: [midPoint] Prevent AD user deletion when the user is deleted on Midpoint

Hi, All.
We want to prevent sending a delete operation to the AD Resource when the user is deleted on Midpoint. We added the following code to the AD Resource activation node:

<activation>
    <existence>
        <outbound>
            <expression>
                <value>true</value>
            </expression>
        </outbound>
    </existence>
</activation>

With this code we prevented the user deletion on the Resource when the user was manually deleted on Midpoint, but the GUI showed us the following error:

Schema violation during processing shadow: shadow: CN=usertest,OU=xxx,DC=xxx,DC=local (OID:2d534333-cd76-4642-b967-350834cc6ac7): Schema violation: Value of attribute '__NAME__' must be a single value, but it has 0 values

Is there another way to do this?

We also found in the documentation the following code in order to prevent a user deletion.

<activation>
    <existence>
        <outbound>
            <strength>weak</strength>
            <expression>
                <path>$focusExists</path>
            </expression>
        </outbound>
    </existence>
</activation>

In this case, the user is not deleted on the Resource if it loses the resource account. But if we delete the user on Midpoint it doesn't prevent the user deletion on the Resource.

Any help is appreciated. Thanks in advance

Regards.

Ing Martin Besozzi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com