[midPoint] Add a second LDAP account to resource for user (Error: already contains account of type 'default' on resource)

Peter Healy phealy3330 at gmail.com
Fri Mar 31 20:55:35 CEST 2017


Hi Ivan,
Just to follow up: This is working out well for me.

I haven't added the objectSynchronization yet, so I don't have the iteration
tokens working, but I modified the "test" intent to generate the dn and uid
with "-test" concatenated onto the user name.

One caveat in case anyone else needs to do this: I took the example code
from the existing default intent, so I also had to turn off the inbound
mapping of uid -> name. My midPoint username was changed to add "-test"
when I initially set it up, but it's working now.

Thanks again for your help!
-Peter

On Tue, Mar 21, 2017 at 5:28 AM, <midpoint-request at lists.evolveum.com>
wrote:

> Send midPoint mailing list submissions to
>         midpoint at lists.evolveum.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.evolveum.com/mailman/listinfo/midpoint
> or, via email, send a message with subject or body 'help' to
>         midpoint-request at lists.evolveum.com
>
> You can reach the person managing the list at
>         midpoint-owner at lists.evolveum.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of midPoint digest..."
>
>
> Today's Topics:
>
>    1. Re: Add a second LDAP account to resource for user (Error:
>       already contains account of type 'default' on resource) (Ivan Noris)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 21 Mar 2017 10:27:56 +0100
> From: Ivan Noris <ivan.noris at evolveum.com>
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] Add a second LDAP account to resource for user
>         (Error: already contains account of type 'default' on resource)
> Message-ID: <54eb2245-f9fa-b73d-9c05-90fd5dc62172 at evolveum.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Peter,
>
>
>
> On 03/20/2017 10:13 PM, Peter Healy wrote:
> > Hi Ivan,
> > In my use case we have an application that's configured to use an LDAP
> > search base in a particular part of the tree to authenticate all users
> > ex. uid=user,cn=users,o=dev,dc=...
> > Rather than having test users in cn=users,o=test,dc=...
> >
> > We have uid=user-test,cn=user,o=dev,dc=...
> > or uid=user1,cn=user,o=dev,dc=...
> >
>
> If you must keep all accounts in the same tree, then yes, you need to
> modify the DN for the test intent (also maybe for different attributes,
> such as cn, uid etc.)
>
> > So what I was originally thinking to do is for the "test" intent to
> > generate the uid=user1...,cn=users,o=dev...
> > Automatically with the schema handler iteration tokens.
> > But that didn't seem to be the case, what actually triggers the
> > iteration token to create a new DN?
>
> The iteration token (by default a number starting with 1, 2, ...) is
> automatically added when midPoint detects AlreadyExistsException. This
> also assumes you have configured <objectSynchronization> for (both)
> intent(s) so that midPoint is able to correlate existing accounts
> automatically if this occurs.
>
> >
> > Instead I added the following to the schema handler for ri:dn and the
> > "test" intent which seems to be working OK for me when adding the
> > "test" intent to a role and adding the role to a user:
> > <script>
> >    <code>
> > 'uid=' + name + '-test' + iterationToken + ',cn=users,o=dev,dc=...'
> > </code>
> > </script>
>
> Yes, that's what you need. But you may also need to create the corresponding
> "uid" attribute value unless your directory server does this
> automatically. (Please see our LDAP samples; there might be differences
> between AD, OpenLDAP etc. Or ask in later emails.)
> Also be sure to have <objectSynchronization> for both intents, including
> conditions, so that midPoint "knows" what the intent of existing accounts
> is. If you are unable to find anything in our samples related
> to this, please ask and I will try to paste some sample fragment from
> our official training at least.
>
>
> >
> > and I got a second LDAP account with user-test.
> >
> > This seems to be fine but, is there another way to do this? Would you
> > recommend something different?
>
> It's probably OK, if you cannot distinguish using suffix/tree, using
> attribute or DN naming convention is very fine. Just be sure to have
> also the objectSynchronization settings.
>
> Regards,
> Ivan
>
> >
> > Thanks,
> > Peter
> >
> > On Mon, Mar 20, 2017 at 12:33 PM, <midpoint-request at lists.evolveum.com> wrote:
> >
> >
> >     Message: 1
> >     Date: Mon, 20 Mar 2017 15:29:20 +0000 (UTC)
> >     From: Prabhakara Rao Doddapaneni <dp_rao at yahoo.com>
> >     To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
> >     Subject: [midPoint]  JMS based workflow configuration
> >     Message-ID: <1407184618.3744599.1490023760210 at mail.yahoo.com>
> >     Content-Type: text/plain; charset="utf-8"
> >
> >     Is this something new I am trying to do with midPoint?
> >
> >     Date: Mon, 6 Mar 2017 19:30:26 +0000 (UTC)
> >     From: Prabhakara Rao Doddapaneni <dp_rao at yahoo.com>
> >     To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
> >     Subject: [midPoint] JMS based workflow configuration
> >     Message-ID: <1001644321.2237664.1488828626312 at mail.yahoo.com>
> >     Content-Type: text/plain; charset="utf-8"
> >
> >     One of my resources cannot be configured to respond to sync poll.
> >     I plan to send a message in JMS Q so that midpoint can listen to
> >     that message and reconcile/add the user into repository.  What is
> >     the ideal solution to achieve this?  Has anybody come across this
> >     situation?
> >     Thanks, Prabhakar.
> >
> >
> >
> >
> >     ------------------------------
> >
> >     Message: 2
> >     Date: Mon, 20 Mar 2017 12:03:55 -0400
> >     From: Peter Healy <phealy3330 at gmail.com>
> >     To: midpoint at lists.evolveum.com
> >     Subject: Re: [midPoint] Add a second LDAP account to resource for user
> >             (Error: already contains account of type 'default' on resource)
> >     Message-ID: <CADnbc=zAa2oqXDnH0RnyM=inAgqSwJcf76Ybc9E+ADKoy-rmNg at mail.gmail.com>
> >     Content-Type: text/plain; charset="utf-8"
> >
> >     Hi Ivan,
> >     I added a role object as described in example 2 with the OID of the
> >     resource I need to add a test account to. When I add that role to
> >     a user it does some computation and comes back with success, but the
> >     user still only has the 1 default projection assigned.
> >
> >     I was able to navigate back in the browser history and it looks like
> >     it assigns the existing shadow on the resource to the "test" intent
> >     along with the "default" intent.
> >
> >     Activity Status Resource object (if applicable)
> >     Computing projections of the focus object
> >     Operation on focus object (repository)
> >     Account (default) on AWS DEV OpenLDAP
> >     uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com
> >     Account (test) on AWS DEV OpenLDAP
> >     uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com
> >     Considering or starting approval workflows
> >
> >     Is there a way I can specify the uid for the second account or have
> >     it follow some kind of iteration rule?
> >
> >     Thanks again,
> >     Peter
> >
> >     On Mon, Mar 20, 2017 at 10:32 AM, <midpoint-request at lists.evolveum.com> wrote:
> >
> >     >
> >     > Message: 1
> >     > Date: Mon, 20 Mar 2017 15:31:36 +0100
> >     > From: Ivan Noris <ivan.noris at evolveum.com>
> >     > To: midpoint at lists.evolveum.com
> >     > Subject: Re: [midPoint] Add a second LDAP account to resource for user
> >     >         (Error: already contains account of type 'default' on resource)
> >     > Message-ID: <fc626f42-1372-8fd9-79fa-1fcd09f8cef8 at evolveum.com>
> >     > Content-Type: text/plain; charset="utf-8"
> >     >
> >     > Hi Peter,
> >     >
> >     > GUI currently cannot use Add projection for other-than-default intents.
> >     >
> >     > But it's very easy to create a role:
> >     >
> >     > Example 1: role to create default account on resource with given oid
> >     >
> >     > <role oid="2dfa0d20-3263-11e6-838d-3c970e44b9e2"
> >     >         xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >     >         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >     >         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
> >     >     <name>CSV-1 Default account</name>
> >     >     <description>
> >     >      This role assigns CSV-1 (Simulated App 1) resource and creates a test account.
> >     >     </description>
> >     >     <inducement>
> >     >         <construction>
> >     >             <!-- The c: prefix in type must be there due to a JAXB bug -->
> >     >             <resourceRef oid="10000000-9999-9999-0000-a000ff000002" type="c:ResourceType"/>
> >     >             <kind>account</kind>
> >     >         </construction>
> >     >     </inducement>
> >     > </role>
> >     >
> >     > Example 2: role to create account with intent test on resource with
> >     > given oid
> >     >
> >     > <role oid="2dfa0d20-3263-11e6-838d-3c970e44b9e2"
> >     >         xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >     >         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >     >         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
> >     >     <name>CSV-1 Tester</name>
> >     >     <description>
> >     >      This role assigns CSV-1 (Simulated App 1) resource and creates a test account.
> >     >     </description>
> >     >     <inducement>
> >     >         <construction>
> >     >             <!-- The c: prefix in type must be there due to a JAXB bug -->
> >     >             <resourceRef oid="10000000-9999-9999-0000-a000ff000002" type="c:ResourceType"/>
> >     >             <kind>account</kind>
> >     >             <intent>test</intent>
> >     >         </construction>
> >     >     </inducement>
> >     > </role>
> >     >
> >     > Then just add one or both roles to your user in midpoint and the
> >     > corresponding account(s) should be created. Just be sure to use your
> >     > resource oid and correct intent.
> >     >
> >     > Regards,
> >     >
> >     > Ivan
> >     >
> >     >
> >
> >     ------------------------------
> >
> >     Message: 3
> >     Date: Mon, 20 Mar 2017 17:33:42 +0100
> >     From: Ivan Noris <ivan.noris at evolveum.com>
> >     To: midpoint at lists.evolveum.com
> >     Subject: Re: [midPoint] Add a second LDAP account to resource for user
> >             (Error: already contains account of type 'default' on resource)
> >     Message-ID: <57fd8bd1-c8b1-dd43-4e0d-160e16127afb at evolveum.com>
> >     Content-Type: text/plain; charset="utf-8"
> >
> >     Hi Peter,
> >
> >     If you add both roles to the same user and you have the correct
> >     resourceRef oid and the name of the intent, midPoint should use the
> >     correct schema handling configurations for both accounts and both
> >     should be created. The schema handling also specifies how the account
> >     names (DN) are constructed.
> >
> >     But wait a minute. It looks like *both* your accounts are configured
> >     to have the *same DN*
> >     (*uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com*). This can't
> >     be; the test account must have a different identifier. Either change
> >     the suffix (like cn=test instead of cn=users for the testing accounts)
> >     or something like that.
> >
> >     So fix your icfs:name (ri:dn) mapping in the schema handling for the
> >     "test" intent and try again.
> >
> >     Regards,
> >
> >     Ivan
> >
> >
> >
> >     --
> >     Ivan Noris
> >     Senior Identity Engineer
> >     evolveum.com
> >
> >
> >
> >     ------------------------------
> >
> >     End of midPoint Digest, Vol 59, Issue 116
> >     *****************************************
> >
> >
> >
> >
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
> ------------------------------
>
> End of midPoint Digest, Vol 59, Issue 118
> *****************************************
>
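
An added sketch, not part of the original thread and not midPoint code: a Python model of the DN convention discussed above (`uid=<name>-test<iterationToken>` in a shared subtree), showing how an intent rule based only on the `-test` suffix misclassifies a default account whose user name already ends in `-test`. The base DN, function names and the empty token for iteration 0 are assumptions made for the illustration.

```python
# Added illustration (not midPoint code): models the naming convention from
# this thread. BASE_DN and every function name here are constructed.
import re

BASE_DN = "cn=users,o=dev,dc=example,dc=com"  # placeholder suffix
TEST_SUFFIX = "-test"


def escape_rdn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 special characters)."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in "# "
        trailing = i == len(value) - 1 and ch == " "
        if ch in '"+,;<>\\' or leading or trailing:
            out.append("\\")
        out.append(ch)
    return "".join(out)


def build_dn(name, intent, iteration=0):
    """DN for a (user, intent) pair; the token is empty on the first attempt
    (assumption), then 1, 2, ... after an already-exists conflict."""
    token = "" if iteration == 0 else str(iteration)
    uid = name + (TEST_SUFFIX if intent == "test" else "") + token
    return "uid=%s,%s" % (escape_rdn_value(uid), BASE_DN)


def first_rdn_value(dn):
    """Unescaped value of the first RDN (backslash escapes only, no hex pairs)."""
    value, i = [], dn.index("=") + 1
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\":
            i += 1  # take the escaped character literally
        value.append(dn[i])
        i += 1
    return "".join(value)


def classify_intent(dn):
    """The kind of rule a synchronization condition would apply to an
    existing account: uid ends in '-test' plus optional digits -> test."""
    uid = first_rdn_value(dn)
    return "test" if re.fullmatch(r".+-test\d*", uid) else "default"


def provision(requests, max_iterations=5):
    """Simulate account creation: on a DN clash, retry with the next token."""
    directory = {}  # lower-cased DN -> (user, intent, dn)
    for user, intent in requests:
        for iteration in range(max_iterations + 1):
            dn = build_dn(user, intent, iteration)
            if dn.lower() not in directory:
                directory[dn.lower()] = (user, intent, dn)
                break
        else:
            raise RuntimeError("no free DN for %s/%s" % (user, intent))
    return directory


def misclassified(directory):
    """DNs whose intent, as read back from the DN, differs from the real one."""
    return sorted(dn for _, intent, dn in directory.values()
                  if classify_intent(dn) != intent)


if __name__ == "__main__":
    # Constructed sample: a real user named 'alice-test' plus a test account
    # for user 'alice'.
    accounts = provision([("alice-test", "default"), ("alice", "test")])
    for user, intent, dn in accounts.values():
        print(user, intent, dn, "->", classify_intent(dn))
    print("misclassified:", misclassified(accounts))
```
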