[midPoint] Reconciliation modify object gives an error

Dilek Gider dilek.gider at basistek.com
Wed Mar 8 09:40:05 CET 2017


Thank you very much Ivan...
Have a good day...

On Wed, Mar 8, 2017 at 11:33 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

> Hi Dilek,
>
> ri (resource instance) prefix is used for all normal resource attributes
>
> c (common) prefix is used for midPoint user attributes in this case
>
> but there are two special resource attributes icfs:name (unique
> identifier, that can be changed, e.g. login or DN) and icfs:uid (unique
> identifier, that cannot be changed, like generated primary key in database
> or entryUUID in directory system).
>
> For all but new LDAP connector, icfs:name and icfs:uid are commonly used
> in correlation. You will see also mappings for them in the schema handling.
> But there are also situations where you use ri:employeeNumber to correlate
> with c:employeeNumber. Everything is possible.
>
> For the new LDAP connector, ri:dn is used instead of icfs:name and
> ri:entryUUID is used instead of icfs:uid for standard directory servers.
>
> The special names icfs:name and icfs:uid are from the original ICF design.
> The connector sees them as __NAME__ / __UID__ attributes. I could find some
> (connector-related) hints here:
> https://wiki.evolveum.com/display/midPoint/Connector+Development+Guide
> Best regards,
> Ivan
>
> On 03/08/2017 09:19 AM, Dilek Gider wrote:
>
> You are greattt!!
> Thank you very much. I think I still didn't understand logic of resource xml.
> I thought that "ri" is row of coming from database, and "c:name" is record
> in midpoint database.
> I thought midpoint is comparing them, so it was wrong.
>
> Thank you again, I am trying to solve this for two days.
>
> On Wed, Mar 8, 2017 at 11:08 AM, Oskar Butovič - AMI Praha a.s. <
> oskar.butovic at ami.cz> wrote:
>
>> Hello Dilek,
>>
>> there is ri:name in your correlation rule but icfs:name in your schema
>> handling in your resource. That might be the problem. Try icfs:name in both.
>>
>> 2017-03-08 8:49 GMT+01:00 Dilek Gider <dilek.gider at basistek.com>:
>>
>>> Hi Oskar,
>>>
>>> Thank you for your response. Yes I think second reconciliation does not
>>> match but I don't know why.
>>> I send you my resource xml and SearchScript.groovy. You can see on
>>> SearchScript.groovy, I concat two database column as "name".
>>>
>>> I will appreciate your help.
>>>
>>> On Tue, Mar 7, 2017 at 5:38 PM, Oskar Butovič - AMI Praha a.s. <
>>> oskar.butovic at ami.cz> wrote:
>>>
>>>> Hello,
>>>>
>>>> it seems like names which are created during first reconciliation are
>>>> not matched by correlation rule during second reconciliation. What is your
>>>> mapping which creates user's name?
>>>>
>>>> Best Regards
>>>>
>>>> Oskar Butovič
>>>>
>>>> 2017-03-07 12:52 GMT+01:00 Dilek Gider <dilek.gider at basistek.com>:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have reconciliation task in scriptedSQL connector, it creates users
>>>>> in midpoint.  First of all, users are created with this task. But when I
>>>>> run task twice or more, it gives an error like below for all users:
>>>>>
>>>>> Error processing focus(user:null(TR45187127836)): constraint
>>>>> violation: Found conflicting existing object with property
>>>>> {.../common/common-3}name = PP({.../common/common-3}name):[PPV(PolyString:TR45187127836,
>>>>> origin: INBOUND:resource:ef2bc59b-76e0-48e2-86d6-3d4f02d420db(TirsanScriptedSQLResource))]:
>>>>> user:96dd9828-e16f-4a7c-bebe-74c4d184b340(TR45187127836)
>>>>>
>>>>> Correlation rule has PolyStringNorm such as:
>>>>>
>>>>>    <synchronization>
>>>>>       <objectSynchronization>
>>>>>          <objectClass>ri:AccountObjectClass</objectClass>
>>>>>          <kind>account</kind>
>>>>>          <intent>default</intent>
>>>>>          <enabled>true</enabled>
>>>>>          <correlation>
>>>>>             <q:description>
>>>>>                    Correlation expression is a search query.
>>>>>                    Following search query will look for users that have "name"
>>>>>                    equal to the "name" attribute of the account. Simply speaking,
>>>>>                    it will look for match in usernames in the IDM and the resource.
>>>>>                    The correlation rule always looks for users, so it will not match
>>>>>                    any other object type.
>>>>>             </q:description>
>>>>>             <q:equal>
>>>>>                <q:matching>PolyStringNorm</q:matching>
>>>>>                <q:path>c:name</q:path>
>>>>>                <expression>
>>>>>                   <c:path>declare namespace ri='http://midpoint.evolveum.com/xml/ns/public/resource/instance-3'; $account/attributes/ri:name</c:path>
>>>>>                </expression>
>>>>>             </q:equal>
>>>>>          </correlation>
>>>>>          <reaction>
>>>>>             <situation>linked</situation>
>>>>>             <action>
>>>>>                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser</handlerUri>
>>>>>             </action>
>>>>>          </reaction>
>>>>>          <reaction>
>>>>>             <situation>deleted</situation>
>>>>>             <action>
>>>>>                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
>>>>>             </action>
>>>>>          </reaction>
>>>>>          <reaction>
>>>>>             <situation>unlinked</situation>
>>>>>             <objectTemplateRef oid="e63e1118-cbe5-11e5-b08e-3c970e44b9e2"/>
>>>>>             <action>
>>>>>                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>>>>>             </action>
>>>>>          </reaction>
>>>>>          <reaction>
>>>>>             <situation>unmatched</situation>
>>>>>             <objectTemplateRef oid="e63e1118-cbe5-11e5-b08e-3c970e44b9e2"/>
>>>>>             <action>
>>>>>                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
>>>>>             </action>
>>>>>          </reaction>
>>>>>       </objectSynchronization>
>>>>>    </synchronization>
>>>>>
>>>>> What can be a problem? Thanks in advance.
>>>>>
>>>>> Dilek.
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Oskar Butovič
>>>> solution architect
>>>>
>>>> gsm: [+420] 774 480 101
>>>> e-mail: oskar.butovic at ami.cz
>>>>
>>>>
>>>> AMI Praha a.s.
>>>> Pláničkova 11
>>>> 162 00 Praha 6
>>>> tel.: [+420] 274 783 239
>>>> web: www.ami.cz
>>>>
>>>>
>>>> By the text of this e-mail, the signer neither promises to conclude nor
>>>> concludes any contract on behalf of AMI Praha a.s. Every contract, if
>>>> concluded, must be exclusively in written form.
>>>>
>>>>
>>
>
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
>
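
Added example (not part of the original thread and not midPoint code): a small Python check for the mismatch discussed above, where the correlation expression reads `ri:name` while schema handling maps `icfs:name`. The resource fragment is a constructed sample; its `schemaHandling/objectType/attribute/ref` layout and the function names are assumptions, and prefixes are compared as plain text.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample resource fragment (not the poster's file). schemaHandling
# maps icfs:name, but the correlation expression reads ri:name, as in the thread.
SAMPLE = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <schemaHandling>
    <objectType>
      <attribute><ref>icfs:name</ref></attribute>
      <attribute><ref>icfs:uid</ref></attribute>
    </objectType>
  </schemaHandling>
  <synchronization>
    <objectSynchronization>
      <correlation>
        <q:equal>
          <q:path>c:name</q:path>
          <expression><c:path>$account/attributes/ri:name</c:path></expression>
        </q:equal>
      </correlation>
    </objectSynchronization>
  </synchronization>
</resource>"""

# Account attribute referenced from a correlation path expression.
ATTR = re.compile(r"\$account/attributes/([\w.-]+:[\w.-]+)")

def local(el):
    """Element name without its {namespace} part."""
    return el.tag.rsplit("}", 1)[-1]

def unmapped_correlation_attrs(xml_text):
    """Correlation attributes that no schemaHandling <attribute><ref> maps."""
    # Assumption: prefixes (ri, icfs) are bound consistently, so text compare is enough.
    root = ET.fromstring(xml_text)
    mapped, used = set(), set()
    for el in root.iter():
        if local(el) == "attribute":
            mapped |= {r.text.strip() for r in el if local(r) == "ref" and r.text}
        elif local(el) == "correlation":
            for p in el.iter():
                if local(p) == "path" and p.text:
                    used |= set(ATTR.findall(p.text))
    return sorted(used - mapped)
```

Calling `unmapped_correlation_attrs(SAMPLE)` reports `ri:name`; once the expression reads `icfs:name`, as suggested in the thread, the result is empty.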