[midPoint] Add a second LDAP account to resource for user (Error: already contains account of type 'default' on resource)

Ivan Noris ivan.noris at evolveum.com
Mon Mar 20 17:33:42 CET 2017


Hi Peter,

If you add both roles to the same user and you have the correct resourceRef
oid and intent name, midPoint should use the correct schema
handling configuration for both accounts, and both should be created.
The schema handling also specifies how the account names (DN) are
constructed.

But wait a minute. It looks like *both* your accounts are configured to
have the *same DN*
(uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com). This can't
be; the test account must have a different identifier. Either change the
suffix (like cn=test instead of cn=users for the testing accounts) or
something like that.

So fix your icfs:name (ri:dn) mapping in the schema handling for the
"test" intent and try again.

Regards,

Ivan


On 03/20/2017 05:03 PM, Peter Healy wrote:
> Hi Ivan,
> I added a role object as described in example 2 with the OID of the
> resource I need to add a test account to. When I add that role to a
> user it does some computation and comes back with success, but the user
> still only has the 1 default projection assigned.
>
> I was able to navigate back in the browser history and it looks like
> it assigns the existing shadow on the resource to the "test" intent
> along with the "default" intent
>
> Activity                                    Status   Resource object (if applicable)
> Computing projections of the focus object
> Operation on focus object (repository)
> Account (default) on AWS DEV OpenLDAP                uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com
> Account (test) on AWS DEV OpenLDAP                   uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com
> Considering or starting approval workflows
> Is there a way I can specify the uid for the second account or have it
> follow some kind of iteration rule?
> Thanks again,
> Peter
>
> On Mon, Mar 20, 2017 at 10:32 AM, <midpoint-request at lists.evolveum.com> wrote:
>
>     Message: 1
>     Date: Mon, 20 Mar 2017 15:31:36 +0100
>     From: Ivan Noris <ivan.noris at evolveum.com>
>     To: midpoint at lists.evolveum.com
>     Subject: Re: [midPoint] Add a second LDAP account to resource for user
>             (Error: already contains account of type 'default' on resource)
>     Message-ID: <fc626f42-1372-8fd9-79fa-1fcd09f8cef8 at evolveum.com>
>     Content-Type: text/plain; charset="utf-8"
>
>     Hi Peter,
>
>     GUI currently cannot use Add projection for other-than-default
>     intents.
>
>     But it's very easy to create a role:
>
>     Example 1: role to create default account on resource with given oid
>
>
>     <role oid="2dfa0d20-3263-11e6-838d-3c970e44b9e2"
>           xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>           xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>           xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
>         <name>CSV-1 Default account</name>
>         <description>
>             This role assigns CSV-1 (Simulated App 1) resource and creates a
>             test account.
>         </description>
>         <inducement>
>             <construction>
>                 <!-- The c: prefix in type must be there due to a JAXB bug -->
>                 <resourceRef oid="10000000-9999-9999-0000-a000ff000002" type="c:ResourceType"/>
>                 <kind>account</kind>
>                 <!-- No <intent> here: the resource's default account intent is used -->
>             </construction>
>         </inducement>
>     </role>
>
>     Example 2: role to create account with intent test on resource with
>     given oid
>
>     <role oid="2dfa0d20-3263-11e6-838d-3c970e44b9e2"
>           xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>           xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>           xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
>         <name>CSV-1 Tester</name>
>         <description>
>             This role assigns CSV-1 (Simulated App 1) resource and creates a
>             test account.
>         </description>
>         <inducement>
>             <construction>
>                 <!-- The c: prefix in type must be there due to a JAXB bug -->
>                 <resourceRef oid="10000000-9999-9999-0000-a000ff000002" type="c:ResourceType"/>
>                 <kind>account</kind>
>                 <!-- intent "test" selects the matching objectType in the resource's schemaHandling -->
>                 <intent>test</intent>
>             </construction>
>         </inducement>
>     </role>
>
>     Then just add one or both roles to your user in midpoint and the
>     corresponding account(s) should be created. Just be sure to use your
>     resource oid and correct intent.
>
>     Regards,
>
>     Ivan
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
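The schema handling change Ivan describes above, written out as a resource schemaHandling fragment: two objectType definitions of kind account, where the default intent keeps the cn=users suffix and the test intent gets its own ri:dn outbound mapping under a cn=test suffix, so the two projections never resolve to the same DN. This is an added example, not configuration from the thread; the inetOrgPerson object class, the $focus/name source and the basic.composeDnWithSuffix helper are assumptions about the reader's resource.

```xml
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <!-- name, connectorRef, connectorConfiguration and schema omitted -->
    <schemaHandling>

        <!-- Object type used when a construction has no <intent>. -->
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <displayName>Default account</displayName>
            <default>true</default>
            <objectClass>ri:inetOrgPerson</objectClass>   <!-- assumed LDAP object class -->
            <attribute>
                <ref>ri:dn</ref>
                <outbound>
                    <source><path>$focus/name</path></source>
                    <expression>
                        <script>
                            <!-- basic.composeDnWithSuffix escapes the RDN value (assumed helper) -->
                            <code>basic.composeDnWithSuffix('uid', name, 'cn=users,o=dev,dc=odhsolutions,dc=com')</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
        </objectType>

        <!-- Object type selected by <intent>test</intent> in the "CSV-1 Tester" role.
             Only the DN suffix differs, so uid=Testuser6 can exist under both parents. -->
        <objectType>
            <kind>account</kind>
            <intent>test</intent>
            <displayName>Test account</displayName>
            <default>false</default>
            <objectClass>ri:inetOrgPerson</objectClass>
            <attribute>
                <ref>ri:dn</ref>
                <outbound>
                    <source><path>$focus/name</path></source>
                    <expression>
                        <script>
                            <code>basic.composeDnWithSuffix('uid', name, 'cn=test,o=dev,dc=odhsolutions,dc=com')</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
        </objectType>

    </schemaHandling>
</resource>
```

Before importing, check that the cn=test container already exists in the directory, since the connector creates the leaf entry but not its parent.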
