[midPoint] Synchronization situation: DELETED and NPE

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Mon Sep 18 20:48:43 CEST 2017


Hi all!

I'd like to know how to set synchronization and enforcement policy. Let
me show you an example:

1. I got the resource (e.g. Linux server with shell accounts) and
midPoint role inducing an account on this server.
2. I assign the role to the UX admins.

At this moment all is going fine. Admins get shell accounts on this
machine. But the server is getting old and I replace it with the newer
one. IP address remains the same. But the assigned admins' accounts don't
exist (yet) on this machine.

And now I had some fun. First, I made a synchronization rule: DELETED ->
Delete focus.
NEVER, NEVER do it. Replacing the server caused total removal of all my
admins' accounts from all assigned resources and from midPoint as well
(fortunately not from the production systems).

So I made some tests: I configured a resource, assigned an account on this
resource to a user and then I removed the account directly from the
resource to see what's gonna happen with different "DELETED"
synchronization situations:

1) I removed the "DELETED" synchronization situation altogether. Result: Null
Pointer Exception.
2) I added "DELETED" situation with no action. Result: Null Pointer
Exception.
3) I added "DELETED" situation with "Delete shadow" action. Result: Null
Pointer Exception.

The default enforcement policy (relative), more or less says the same as
positive: "If a non-existing account is assigned it will be created". So
I expected that midPoint will recreate the account on the resource. What
are the correct settings to get such behavior?

Best regards,
Wojciech Staszewski.
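As an added illustration (not part of the original post, and not an answer from the midPoint project), here is a resource synchronization fragment contrasting the `deleteFocus` reaction described above with an `unlink` reaction, which only breaks the link between the user and the vanished shadow so the account stays assigned and can be re-provisioned by the enforcement policy. Element names and handler URIs are assumed from the midPoint 3.x resource schema and should be checked against the deployed version's documentation.

```xml
<!-- Constructed example, not from the original post.
     Only the <synchronization> part of a resource object is shown. -->
<synchronization xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <objectSynchronization>
    <enabled>true</enabled>
    <correlation>
      <q:equal xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
        <q:path>name</q:path>
        <expression>
          <path>$account/attributes/icfs:name</path>
        </expression>
      </q:equal>
    </correlation>

    <!-- DANGEROUS (the rule the post warns about): when an account
         disappears from the resource, the whole midPoint user is deleted,
         and midPoint then deprovisions that user's accounts everywhere else. -->
    <!--
    <reaction>
      <situation>deleted</situation>
      <synchronize>true</synchronize>
      <action>
        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteFocus</handlerUri>
      </action>
    </reaction>
    -->

    <!-- SAFER ALTERNATIVE: only drop the link to the dead shadow. The user
         and the role assignment survive, so with a relative/positive
         enforcement policy the next reconciliation or recompute can
         create the account again on the replacement server. -->
    <reaction>
      <situation>deleted</situation>
      <synchronize>true</synchronize>
      <action>
        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
      </action>
    </reaction>
  </objectSynchronization>
</synchronization>
```

A recompute of the affected users after the `unlink` reaction fires lets the still-valid assignment trigger re-creation of the account; the behaviour on a missing reaction should be verified on the installed version before relying on it.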
