[midPoint] Add a second LDAP account to resource for user (Error: already contains account of type 'default' on resource)

Peter Healy phealy3330 at gmail.com
Mon Mar 20 22:13:30 CET 2017


Hi Ivan,
In my use case we have an application that's configured to use an LDAP
search base in a particular part of the tree to authenticate all users, e.g.
uid=user,cn=users,o=dev,dc=...
Rather than having test users in cn=users,o=test,dc=...

we have uid=user-test,cn=user,o=dev,dc=...
or uid=user1,cn=user,o=dev,dc=...

So what I was originally thinking to do is for the "test" intent to
generate the uid=user1...,cn=users,o=dev... automatically with the schema
handler iteration tokens. But that didn't seem to be the case; what
actually triggers the iteration token to create a new DN?

Instead I added the following to the schema handler for ri:dn and the
"test" intent which seems to be working OK for me when adding the "test"
intent to a role and adding the role to a user:
<script>
    <code>
        'uid=' + name + '-test' + iterationToken + ',cn=users,o=dev,dc=...'
    </code>
</script>

and I got a second LDAP account with user-test.

This seems to be fine, but is there another way to do this? Would you
recommend something different?

Thanks,
Peter
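Added example (not from this thread and not one of midPoint's own samples): a schemaHandling objectType for the "test" intent that keeps test accounts in their own container so they can never share a DN with the "default" intent, escapes the user name before it goes into the RDN, and enables iteration so midPoint only appends the iterationToken when the generated DN is already taken. Assumptions: objectClass ri:inetOrgPerson, the suffix cn=test,o=dev,dc=example,dc=com, and that javax.naming.ldap.Rdn (part of the JDK) is importable from the script.

```xml
<!-- schemaHandling fragment for the "test" intent (added example, assumptions noted) -->
<objectType>
    <kind>account</kind>
    <intent>test</intent>
    <displayName>Test account</displayName>
    <!-- assumption: accounts are inetOrgPerson entries -->
    <objectClass>ri:inetOrgPerson</objectClass>
    <attribute>
        <ref>ri:dn</ref>
        <outbound>
            <source>
                <path>$focus/name</path>
            </source>
            <expression>
                <script>
                    <code>
                        // Test accounts live under their own container, so the DN cannot
                        // collide with the "default" intent's uid=...,cn=users,... entries.
                        // Rdn.escapeValue() neutralises DN metacharacters (',', '+', '=', ...)
                        // in the user name before it is placed into the RDN.
                        import javax.naming.ldap.Rdn
                        def base = 'cn=test,o=dev,dc=example,dc=com'   // assumption
                        // iterationToken is '' on the first attempt; midPoint re-runs the
                        // mapping with '1', '2', ... only when the produced DN already exists.
                        'uid=' + Rdn.escapeValue(name + '-test' + iterationToken) + ',' + base
                    </code>
                </script>
            </expression>
        </outbound>
    </attribute>
    <attribute>
        <ref>ri:uid</ref>
        <outbound>
            <source>
                <path>$focus/name</path>
            </source>
            <expression>
                <!-- raw value here; the DN above carries the escaped form of the same value -->
                <script><code>name + '-test' + iterationToken</code></script>
            </expression>
        </outbound>
    </attribute>
    <!-- Without this element there is no retry: a duplicate DN is simply an error. -->
    <iteration>
        <maxIterations>5</maxIterations>
    </iteration>
</objectType>
```

The "default" intent keeps its own ri:dn mapping under cn=users; giving each intent a distinct container is what makes the two shadows for one user resolvable instead of pointing at the same entry.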

On Mon, Mar 20, 2017 at 12:33 PM, <midpoint-request at lists.evolveum.com>
wrote:

> Send midPoint mailing list submissions to
>         midpoint at lists.evolveum.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.evolveum.com/mailman/listinfo/midpoint
> or, via email, send a message with subject or body 'help' to
>         midpoint-request at lists.evolveum.com
>
> You can reach the person managing the list at
>         midpoint-owner at lists.evolveum.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of midPoint digest..."
>
>
> Today's Topics:
>
>    1.  JMS based workflow configuration (Prabhakara Rao Doddapaneni)
>    2. Re: Add a second LDAP account to resource for user (Error:
>       already contains account of type 'default' on resource) (Peter Healy)
>    3. Re: Add a second LDAP account to resource for user (Error:
>       already contains account of type 'default' on resource) (Ivan Noris)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 20 Mar 2017 15:29:20 +0000 (UTC)
> From: Prabhakara Rao Doddapaneni <dp_rao at yahoo.com>
> To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
> Subject: [midPoint]  JMS based workflow configuration
> Message-ID: <1407184618.3744599.1490023760210 at mail.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> Is this something new I am trying to do with midPoint?
>
> Date: Mon, 6 Mar 2017 19:30:26 +0000 (UTC)
> From: Prabhakara Rao Doddapaneni <dp_rao at yahoo.com>
> To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
> Subject: [midPoint] JMS based workflow configuration
> Message-ID: <1001644321.2237664.1488828626312 at mail.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> One of my resources cannot be configured to respond to sync poll. I plan
> to send a message in a JMS queue so that midPoint can listen to that message and
> reconcile/add the user into the repository. What is the ideal solution to
> achieve this? Has anybody come across this situation?
> Thanks, Prabhakar.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 20 Mar 2017 12:03:55 -0400
> From: Peter Healy <phealy3330 at gmail.com>
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] Add a second LDAP account to resource for user
>         (Error: already contains account of type 'default' on resource)
> Message-ID: <CADnbc=zAa2oqXDnH0RnyM=inAgqSwJcf76Ybc9E+ADKoy-rmNg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Ivan,
> I added a role object as described in example 2 with the OID of the
> resource I need to add a test account to. When I add that role to a user it
> does some computation and comes back with success, but the user still only
> has the 1 default projection assigned.
>
> I was able to navigate back in the browser history and it looks like it
> assigns the existing shadow on the resource to the "test" intent along with
> the "default" intent:
>
> Activity                                    Status   Resource object (if applicable)
> Computing projections of the focus object
> Operation on focus object (repository)
> Account (default) on AWS DEV OpenLDAP                uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com
> Account (test) on AWS DEV OpenLDAP                   uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com
> Considering or starting approval workflows
>
> Is there a way I can specify the uid for the second account or have it
> follow some kind of iteration rule?
>
> Thanks again,
> Peter
>
> On Mon, Mar 20, 2017 at 10:32 AM, <midpoint-request at lists.evolveum.com>
> wrote:
>
> > Message: 1
> > Date: Mon, 20 Mar 2017 15:31:36 +0100
> > From: Ivan Noris <ivan.noris at evolveum.com>
> > To: midpoint at lists.evolveum.com
> > Subject: Re: [midPoint] Add a second LDAP account to resource for user
> >         (Error: already contains account of type 'default' on resource)
> > Message-ID: <fc626f42-1372-8fd9-79fa-1fcd09f8cef8 at evolveum.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi Peter,
> >
> > GUI currently cannot use Add projection for other-than-default intents.
> >
> > But it's very easy to create a role:
> >
> > Example 1: role to create default account on resource with given oid
> >
> >
> > <role oid="2dfa0d20-3263-11e6-838d-3c970e44b9e2"
> >       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
> >     <name>CSV-1 Default account</name>
> >     <description>
> >         This role assigns CSV-1 (Simulated App 1) resource and creates a
> >         test account.
> >     </description>
> >     <inducement>
> >         <construction>
> >             <!-- The c: prefix in type must be there due to a JAXB bug -->
> >             <resourceRef oid="10000000-9999-9999-0000-a000ff000002" type="c:ResourceType"/>
> >             <kind>account</kind>
> >         </construction>
> >     </inducement>
> > </role>
> >
> > Example 2: role to create account with intent test on resource with
> > given oid
> >
> > <role oid="2dfa0d20-3263-11e6-838d-3c970e44b9e2"
> >       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
> >     <name>CSV-1 Tester</name>
> >     <description>
> >         This role assigns CSV-1 (Simulated App 1) resource and creates a
> >         test account.
> >     </description>
> >     <inducement>
> >         <construction>
> >             <!-- The c: prefix in type must be there due to a JAXB bug -->
> >             <resourceRef oid="10000000-9999-9999-0000-a000ff000002" type="c:ResourceType"/>
> >             <kind>account</kind>
> >             <intent>test</intent>
> >         </construction>
> >     </inducement>
> > </role>
> >
> > Then just add one or both roles to your user in midpoint and the
> > corresponding account(s) should be created. Just be sure to use your
> > resource oid and correct intent.
> >
> > Regards,
> >
> > Ivan
> >
> >
>
> ------------------------------
>
> Message: 3
> Date: Mon, 20 Mar 2017 17:33:42 +0100
> From: Ivan Noris <ivan.noris at evolveum.com>
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] Add a second LDAP account to resource for user
>         (Error: already contains account of type 'default' on resource)
> Message-ID: <57fd8bd1-c8b1-dd43-4e0d-160e16127afb at evolveum.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Peter,
>
> If you add both roles to the same user and you have the correct resourceRef
> oid and the name of the intent, midPoint should use the correct schema
> handling configurations for both accounts and both should be created.
> The schema handling also specifies how the account names (DN) are
> constructed.
>
> But wait a minute. It looks like *both* your accounts are configured to
> have the *same DN* (uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com).
> This can't be; the test account must have a different identifier. Either
> change the suffix (like cn=test instead of cn=users for the testing
> accounts) or something like that.
>
> So fix your icfs:name (ri:dn) mapping in the schema handling for the
> "test" intent and try again.
>
> Regards,
>
> Ivan
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
> ------------------------------
>
> ------------------------------
>
> End of midPoint Digest, Vol 59, Issue 116
> *****************************************
>