[midPoint] Reconciliation modify object gives an error
Ivan Noris
ivan.noris at evolveum.com
Wed Mar 8 09:33:53 CET 2017
Hi Dilek,
ri (resource instance) prefix is used for all normal resource attributes
c (common) prefix is used for midPoint user attributes in this case
but there are two special resource attributes icfs:name (unique
identifier, that can be changed, e.g. login or DN) and icfs:uid (unique
identifier, that cannot be changed, like generated primary key in
database or entryUUID in directory system).
For all but new LDAP connector, icfs:name and icfs:uid are commonly used
in correlation. You will see also mappings for them in the schema
handling. But there are also situations where you use ri:employeeNumber
to correlate with c:employeeNumber. Everything is possible.
For the new LDAP connector, ri:dn is used instead of icfs:name and
ri:entryUUID is used instead of icfs:uid for standard directory servers.
The special names icfs:name and icfs:uid are from the original ICF
design. The connector sees them as __NAME__ / __UID__ attributes. I
could find some (connector-related) hins here:
https://wiki.evolveum.com/display/midPoint/Connector+Development+Guide
Best regards,
Ivan
On 03/08/2017 09:19 AM, Dilek Gider wrote:
> You are greattt!!
> Thank you ver much. I think I still didn't understand logic of resouce
> xml.
> I thought that "ri" is row of coming from database, and "c:name" is
> record in midpoint database.
> I thought midpoint is comparing them, so it was wrong.
>
> Thank you again, i am trying to solve this for two days.
>
> On Wed, Mar 8, 2017 at 11:08 AM, Oskar Butovič - AMI Praha a.s.
> <oskar.butovic at ami.cz <mailto:oskar.butovic at ami.cz>> wrote:
>
> Hello Dilek,
>
> there is ri:name in your correlation rule but icfs:name in your
> schema handling in your resource. That might be the problem. Try
> icfs:name in both.
>
> 2017-03-08 8:49 GMT+01:00 Dilek Gider <dilek.gider at basistek.com
> <mailto:dilek.gider at basistek.com>>:
>
> Hi Oskar,
>
> Thank you for your response. Yes I think second reconciliation
> does not match but I dont know why.
> I send you my resource xml and SearchScript.groovy. You can
> see on SerachScript.groovy, I concat two database column as
> "name".
>
> I will appreciate for your help.
>
> On Tue, Mar 7, 2017 at 5:38 PM, Oskar Butovič - AMI Praha a.s.
> <oskar.butovic at ami.cz <mailto:oskar.butovic at ami.cz>> wrote:
>
> Hello,
>
> it seems like names which are created during first
> reconciliation are not matched by corelation rule during
> second reconciliation. What is your mapping which creates
> users name?
>
> Best Regards
>
> Oskar Butovič
>
> 2017-03-07 12:52 GMT+01:00 Dilek Gider
> <dilek.gider at basistek.com <mailto:dilek.gider at basistek.com>>:
>
> Hi,
>
> I have reconciliation task in scriptedSQL connector,
> it creates users in midpoint. First of all, users are
> created with this task. But when I run task twice or
> more, it gives an error like below for all users:
>
> Error processing focus(user:null(TR45187127836)):
> constraint violation: Found conflicting existing
> object with property {.../common/common-3}name =
> PP({.../common/common-3}name):[PPV(PolyString:TR45187127836,
> origin:
> INBOUND:resource:ef2bc59b-76e0-48e2-86d6-3d4f02d420db(TirsanScriptedSQLResource))]:
> user:96dd9828-e16f-4a7c-bebe-74c4d184b340(TR45187127836)
>
> Correlation rule has PolyStringNorm such as:
>
> <synchronization>
> <objectSynchronization>
> <objectClass>ri:AccountObjectClass</objectClass>
> <kind>account</kind>
> <intent>default</intent>
> <enabled>true</enabled>
> <correlation>
> <q:description>
> Correlation expression is a search
> query.
> Following search query will look
> for users that have "name"
> equal to the "name" attribute of
> the account. Simply speaking,
> it will look for match in usernames
> in the IDM and the resource.
> The correlation rule always looks
> for users, so it will not match
> any other object type.
> </q:description>
> <q:equal>
> <q:matching>PolyStringNorm</q:matching>
> <q:path>c:name</q:path>
> <expression>
> <c:path>declare namespace
> ri='http://midpoint.evolveum.com/xml/ns/public/resource/instance-3
> <http://midpoint.evolveum.com/xml/ns/public/resource/instance-3>';
> $account/attributes/ri:name</c:path>
> </expression>
> </q:equal>
> </correlation>
> <reaction>
> <situation>linked</situation>
> <action>
>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser
> <http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser></handlerUri>
> </action>
> </reaction>
> <reaction>
> <situation>deleted</situation>
> <action>
>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink
> <http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink></handlerUri>
> </action>
> </reaction>
> <reaction>
> <situation>unlinked</situation>
> <objectTemplateRef
> oid="e63e1118-cbe5-11e5-b08e-3c970e44b9e2"/>
> <action>
>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link
> <http://midpoint.evolveum.com/xml/ns/public/model/action-3#link></handlerUri>
> </action>
> </reaction>
> <reaction>
> <situation>unmatched</situation>
> <objectTemplateRef
> oid="e63e1118-cbe5-11e5-b08e-3c970e44b9e2"/>
> <action>
>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser
> <http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser></handlerUri>
> </action>
> </reaction>
> </objectSynchronization>
> </synchronization>
>
> What can be a problem? Thanks in advance.
>
> Dilek.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> <mailto:midPoint at lists.evolveum.com>
> http://lists.evolveum.com/mailman/listinfo/midpoint
> <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
>
>
>
> --
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101 <tel:+420%20774%20480%20101>
> e-mail: oskar.butovic at ami.cz <mailto:oskar.butovic at ami.cz>
>
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239 <tel:+420%20274%20783%20239>
> web: www.ami.cz <http://www.ami.cz/>
>
>
>
> AMI Praha a.s.
>
>
> AMI Praha a.s.
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani
> neuzavírá za společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena,
> musí mít výhradně písemnou formu.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> <mailto:midPoint at lists.evolveum.com>
> http://lists.evolveum.com/mailman/listinfo/midpoint
> <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> http://lists.evolveum.com/mailman/listinfo/midpoint
> <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
>
>
>
> --
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101 <tel:+420%20774%20480%20101>
> e-mail: oskar.butovic at ami.cz <mailto:oskar.butovic at ami.cz>
>
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239 <tel:+420%20274%20783%20239>
> web: www.ami.cz <http://www.ami.cz/>
>
>
>
> AMI Praha a.s.
>
>
> AMI Praha a.s.
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá
> za společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít
> výhradně písemnou formu.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> http://lists.evolveum.com/mailman/listinfo/midpoint
> <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ivan Noris
Senior Identity Engineer
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170308/3b841324/attachment.htm>
More information about the midPoint
mailing list