[midPoint] Add a second LDAP account to resource for user (Error: already contains account of type 'default' on resource)

Ivan Noris ivan.noris at evolveum.com
Tue Mar 21 10:27:56 CET 2017


Hi Peter,



On 03/20/2017 10:13 PM, Peter Healy wrote:
> Hi Ivan,
> In my use case we have an application that's configured to use an LDAP
> search base in a particular part of the tree to authenticate all users
> ex. uid=user,cn=users,o=dev,dc=...
> Rather than having test users in cn=users,o=test, dc=...
>
> We have uid=user-test,cn=user,o=dev,dc=...
> or uid=user1,cn=user,o=dev,dc=...
>

If you must keep all accounts in the same tree, then yes, you need to
modify the DN for the test intent (and possibly also other attributes,
such as cn, uid etc.).

> So what I was originally thinking to do is for the "test" intent to
> generate the uid=user1...,cn=users,o=dev...
> Automatically with the schema handler iteration tokens. 
> But that didn't seem to be the case, what actually triggers the
> iteration token to create a new DN?

The iteration token (by default a number starting with 1, 2, ...) is
automatically added when midPoint detects an AlreadyExistsException. This
also assumes you have configured <objectSynchronization> for (both)
intent(s) so that midPoint is able to correlate existing accounts
automatically if this occurs.

>
> Instead I added the following to the schema handler for ri:dn and the
> "test" intent which seems to be working OK for me when adding the
> "test" intent to a role and adding the role to a user:
> <script>
>     <code>
>         'uid=' + name + '-test' + iterationToken + ',cn=users,o=dev,dc=...'
>     </code>
> </script>

Yes, that's what you need. But you may also need to create the
corresponding "uid" attribute value unless your directory server does this
automatically. (Please see our LDAP samples; there might be differences
between AD, OpenLDAP etc. Or ask in later emails.)
Also be sure to have <objectSynchronization> for both intents, including
conditions, so that midPoint "knows" for existing accounts what their
intent is. If you are unable to find anything in our samples related
to this, please ask and I will try to paste some sample fragment from
our official training at least.


>
> and I got a second LDAP account with user-test. 
>
> This seems to be fine but, is there another way to do this? Would you
> recommend something different?

It's probably OK. If you cannot distinguish using a suffix/subtree, using
an attribute or DN naming convention is perfectly fine. Just be sure to
also have the objectSynchronization settings.

Regards,
Ivan

>
> Thanks,
> Peter
>
> On Mon, Mar 20, 2017 at 12:33 PM, <midpoint-request at lists.evolveum.com> wrote:
>
>     Send midPoint mailing list submissions to
>             midpoint at lists.evolveum.com
>
>     To subscribe or unsubscribe via the World Wide Web, visit
>             http://lists.evolveum.com/mailman/listinfo/midpoint
>     or, via email, send a message with subject or body 'help' to
>             midpoint-request at lists.evolveum.com
>
>     You can reach the person managing the list at
>             midpoint-owner at lists.evolveum.com
>
>     When replying, please edit your Subject line so it is more specific
>     than "Re: Contents of midPoint digest..."
>
>
>     Today's Topics:
>
>        1. JMS based workflow configuration (Prabhakara Rao Doddapaneni)
>        2. Re: Add a second LDAP account to resource for user (Error:
>           already contains account of type 'default' on resource) (Peter Healy)
>        3. Re: Add a second LDAP account to resource for user (Error:
>           already contains account of type 'default' on resource) (Ivan Noris)
>
>     ----------------------------------------------------------------------
>
>     Message: 1
>     Date: Mon, 20 Mar 2017 15:29:20 +0000 (UTC)
>     From: Prabhakara Rao Doddapaneni <dp_rao at yahoo.com>
>     To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
>     Subject: [midPoint] JMS based workflow configuration
>     Message-ID: <1407184618.3744599.1490023760210 at mail.yahoo.com>
>     Content-Type: text/plain; charset="utf-8"
>
>     Is this something new I am trying to do with midPoint?
>
>     Date: Mon, 6 Mar 2017 19:30:26 +0000 (UTC)
>     From: Prabhakara Rao Doddapaneni <dp_rao at yahoo.com>
>     To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
>     Subject: [midPoint] JMS based workflow configuration
>     Message-ID: <1001644321.2237664.1488828626312 at mail.yahoo.com>
>     Content-Type: text/plain; charset="utf-8"
>
>     One of my resources cannot be configured to respond to sync poll.
>     I plan to send a message in JMS Q so that midpoint can listen to
>     that message and reconcile/add the user into repository.  What is
>     the ideal solution to achieve this?  Has anybody come across this
>     situation?
>     Thanks, Prabhakar.
>
>
>
>
>     ------------------------------
>
>     Message: 2
>     Date: Mon, 20 Mar 2017 12:03:55 -0400
>     From: Peter Healy <phealy3330 at gmail.com>
>     To: midpoint at lists.evolveum.com
>     Subject: Re: [midPoint] Add a second LDAP account to resource for user
>             (Error: already contains account of type 'default' on resource)
>     Message-ID: <CADnbc=zAa2oqXDnH0RnyM=inAgqSwJcf76Ybc9E+ADKoy-rmNg at mail.gmail.com>
>     Content-Type: text/plain; charset="utf-8"
>
>     Hi Ivan,
>     I added a role object as described in example 2 with the OID of the
>     resource I need to add a test account to. When I add that role to
>     a user it does some computation and comes back with success, but the
>     user still only has the 1 default projection assigned.
>
>     I was able to navigate back in the browser history and it looks
>     like it assigns the existing shadow on the resource to the "test"
>     intent along with the "default" intent:
>
>     Activity | Status | Resource object (if applicable)
>     Computing projections of the focus object
>     Operation on focus object (repository)
>     Account (default) on AWS DEV OpenLDAP | uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com
>     Account (test) on AWS DEV OpenLDAP | uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com
>     Considering or starting approval workflows
>
>     Is there a way I can specify the uid for the second account or have it
>     follow some kind of iteration rule?
>
>     Thanks again,
>     Peter
>
>     On Mon, Mar 20, 2017 at 10:32 AM, <midpoint-request at lists.evolveum.com> wrote:
>
>     >
>     > Message: 1
>     > Date: Mon, 20 Mar 2017 15:31:36 +0100
>     > From: Ivan Noris <ivan.noris at evolveum.com>
>     > To: midpoint at lists.evolveum.com
>     > Subject: Re: [midPoint] Add a second LDAP account to resource for user
>     >         (Error: already contains account of type 'default' on resource)
>     > Message-ID: <fc626f42-1372-8fd9-79fa-1fcd09f8cef8 at evolveum.com>
>     > Content-Type: text/plain; charset="utf-8"
>     >
>     > Hi Peter,
>     >
>     > GUI currently cannot use Add projection for other-than-default
>     intents.
>     >
>     > But it's very easy to create a role:
>     >
>     > Example 1: role to create default account on resource with given oid
>     >
>     >
>     > <role oid="2dfa0d20-3263-11e6-838d-3c970e44b9e2"
>     >       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     >       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     >       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
>     >     <name>CSV-1 Default account</name>
>     >     <description>
>     >         This role assigns CSV-1 (Simulated App 1) resource and creates a
>     >         test account.
>     >     </description>
>     >     <inducement>
>     >         <construction>
>     >             <!-- The c: prefix in type must be there due to a JAXB bug -->
>     >             <resourceRef oid="10000000-9999-9999-0000-a000ff000002" type="c:ResourceType"/>
>     >             <kind>account</kind>
>     >         </construction>
>     >     </inducement>
>     > </role>
>     >
>     > Example 2: role to create account with intent test on resource with
>     > given oid
>     >
>     > <role oid="2dfa0d20-3263-11e6-838d-3c970e44b9e2"
>     >       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     >       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     >       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
>     >     <name>CSV-1 Tester</name>
>     >     <description>
>     >         This role assigns CSV-1 (Simulated App 1) resource and creates a
>     >         test account.
>     >     </description>
>     >     <inducement>
>     >         <construction>
>     >             <!-- The c: prefix in type must be there due to a JAXB bug -->
>     >             <resourceRef oid="10000000-9999-9999-0000-a000ff000002" type="c:ResourceType"/>
>     >             <kind>account</kind>
>     >             <intent>test</intent>
>     >         </construction>
>     >     </inducement>
>     > </role>
>     >
>     > Then just add one or both roles to your user in midpoint and the
>     > corresponding account(s) should be created. Just be sure to use your
>     > resource oid and correct intent.
>     >
>     > Regards,
>     >
>     > Ivan
>     >
>     >
>
>     ------------------------------
>
>     Message: 3
>     Date: Mon, 20 Mar 2017 17:33:42 +0100
>     From: Ivan Noris <ivan.noris at evolveum.com>
>     To: midpoint at lists.evolveum.com
>     Subject: Re: [midPoint] Add a second LDAP account to resource for user
>             (Error: already contains account of type 'default' on resource)
>     Message-ID: <57fd8bd1-c8b1-dd43-4e0d-160e16127afb at evolveum.com>
>     Content-Type: text/plain; charset="utf-8"
>
>     Hi Peter,
>
>     If you add both roles to the same user and you have the correct
>     resourceRef oid and the name of the intent, midPoint should use the
>     correct schema handling configurations for both accounts and both
>     should be created. The schema handling also specifies how the account
>     names (DN) are constructed.
>
>     But wait a minute. It looks like *both* your accounts are configured
>     to have the *same DN*
>     (uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com). This can't
>     be; the test account must have a different identifier. Either change
>     the suffix (like cn=test instead of cn=users for the testing accounts)
>     or something like that.
>
>     So fix your icfs:name (ri:dn) mapping in the schema handling for the
>     "test" intent and try again.
>
>     Regards,
>
>     Ivan
>
>     --
>     Ivan Noris
>     Senior Identity Engineer
>     evolveum.com <http://evolveum.com>
>
>
>     ------------------------------
>
>     Subject: Digest Footer
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>     ------------------------------
>
>     End of midPoint Digest, Vol 59, Issue 116
>     *****************************************
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
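Editor's added example (not code from this thread, and not one of Evolveum's samples): a midPoint resource fragment that puts Ivan's two pieces of advice together for Peter's layout, where both intents live in the same cn=users subtree and differ only by the uid/DN naming convention. The schemaHandling part carries the ri:dn and ri:uid outbound mappings for the "default" and "test" intents with iteration enabled, so a DN collision makes midPoint retry with the next iteration token instead of failing; the synchronization part carries one objectSynchronization per intent, each with a condition and a correlation rule, so an entry found on the resource is classified as exactly one intent and linked to the user it belongs to. Assumptions beyond the usual namespace prefixes: the Groovy variable `shadow` for the resource object in the synchronization scripts, `basic.getAttributeValue(shadow, 'uid')` and `basic.stringify(name)` from midPoint's basic function library, inetOrgPerson as the LDAP object class, and `dc=example,dc=com` in place of the base DN elided in the thread.

```xml
<!-- Fragment of a midPoint resource definition for OpenLDAP (added example, not from this thread).
     Assumed prefixes as in the Evolveum samples: default ns = common-3, ri: = resource/instance-3,
     q: = http://prism.evolveum.com/xml/ns/public/query-3; dc=example,dc=com replaces the elided base DN. -->
<schemaHandling>
    <!-- Intent "default": uid=<name><token>,cn=users,...  (iterationToken is "" on the first attempt) -->
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <objectClass>ri:inetOrgPerson</objectClass>
        <attribute>
            <ref>ri:dn</ref>
            <outbound>
                <source><path>$user/name</path></source>
                <expression><script><code>
                    'uid=' + name + iterationToken + ',cn=users,o=dev,dc=example,dc=com'
                </code></script></expression>
            </outbound>
        </attribute>
        <!-- The RDN value must be written as the uid attribute as well; the server does not derive it -->
        <attribute>
            <ref>ri:uid</ref>
            <outbound>
                <source><path>$user/name</path></source>
                <expression><script><code>basic.stringify(name) + iterationToken</code></script></expression>
            </outbound>
        </attribute>
        <!-- Lets midPoint retry with iterationToken "1", "2", ... when the DN is already taken -->
        <iteration><maxIterations>5</maxIterations></iteration>
    </objectType>

    <!-- Intent "test": uid=<name>-test<token>,cn=users,...  in the same subtree (Peter's convention) -->
    <objectType>
        <kind>account</kind>
        <intent>test</intent>
        <objectClass>ri:inetOrgPerson</objectClass>
        <attribute>
            <ref>ri:dn</ref>
            <outbound>
                <source><path>$user/name</path></source>
                <expression><script><code>
                    'uid=' + name + '-test' + iterationToken + ',cn=users,o=dev,dc=example,dc=com'
                </code></script></expression>
            </outbound>
        </attribute>
        <attribute>
            <ref>ri:uid</ref>
            <outbound>
                <source><path>$user/name</path></source>
                <expression><script><code>basic.stringify(name) + '-test' + iterationToken</code></script></expression>
            </outbound>
        </attribute>
        <iteration><maxIterations>5</maxIterations></iteration>
    </objectType>
</schemaHandling>

<synchronization>
    <!-- One objectSynchronization per intent. The conditions classify an entry found in LDAP as
         "test" or "default"; without them the existing default account is matched by the test intent
         too (both projections showing the same DN). "shadow" is assumed to be the script variable
         holding the resource object; the Elvis operator keeps the match null-safe if uid is absent. -->
    <objectSynchronization>
        <name>LDAP test accounts</name>
        <objectClass>ri:inetOrgPerson</objectClass>
        <kind>account</kind>
        <intent>test</intent>
        <enabled>true</enabled>
        <!-- uid ends in "-test", optionally followed by an iteration number -->
        <condition><expression><script><code>(basic.getAttributeValue(shadow, 'uid') ?: '') ==~ /.*-test\d*/</code></script></expression></condition>
        <correlation><q:equal>
            <q:path>c:name</q:path>
            <!-- strip the suffix to recover the owning midPoint user's name -->
            <q:expression><script><code>basic.getAttributeValue(shadow, 'uid').replaceFirst(/-test\d*$/, '')</code></script></q:expression>
        </q:equal></correlation>
        <reaction><situation>linked</situation><synchronize>true</synchronize></reaction>
        <reaction><situation>unlinked</situation><synchronize>true</synchronize>
            <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri></action>
        </reaction>
    </objectSynchronization>

    <objectSynchronization>
        <name>LDAP default accounts</name>
        <objectClass>ri:inetOrgPerson</objectClass>
        <kind>account</kind>
        <intent>default</intent>
        <enabled>true</enabled>
        <!-- exact negation of the test condition, so every entry matches one intent and one only -->
        <condition><expression><script><code>!((basic.getAttributeValue(shadow, 'uid') ?: '') ==~ /.*-test\d*/)</code></script></expression></condition>
        <correlation><q:equal>
            <q:path>c:name</q:path><q:expression><path>$shadow/attributes/ri:uid</path></q:expression>
        </q:equal></correlation>
        <reaction><situation>linked</situation><synchronize>true</synchronize></reaction>
        <reaction><situation>unlinked</situation><synchronize>true</synchronize>
            <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri></action>
        </reaction>
    </objectSynchronization>
</synchronization>
```

The two conditions are exact complements, so every inetOrgPerson entry in the subtree falls into exactly one intent; if they overlapped or left a gap, an account that already exists could again be picked up by the wrong intent, which is the symptom in Peter's projection list. After importing the resource, run a reconciliation or import task on it once so that pre-existing accounts are re-classified and linked under the right intent, then check on the user's Projections tab that the default and test accounts show different DNs.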
