From Caspi at seznam.cz Mon Jan 1 20:20:59 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Mon, 01 Jan 2018 20:20:59 +0100 (CET) Subject: [midPoint] ValidFrom and ValidTo Message-ID: <4nl.vHb.5tJBw5nKOCX.1QIeeR@seznam.cz> Hi All, need help with importing date times in MidPoint from CSV. In CSV there is date time in format: "12/31/2000 11:00:00 AM" In resource i have enabled activation capability and I tryed to map value as showwn in config bellow: ri:StartDate true false true false normal $focus/activation/validFrom But it doesnt work to me. I am getting error messages like here: 1001: java.text.ParseException: Unparseable date: "12/31/2000 11:00:00 AM" in expression in mapping in inbound expression for {http://midpoint. evolveum.com/xml/ns/public/resource/instance-3}StartDate in resource:900dd 939-02da-48f2-a7b9-683de6b8d486(HR Feed)({.../common/common-3}input=12/31/ 2000 11:00:00 AM; ) in expression in mapping in inbound expression for {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}StartDate in resource:900dd939-02da-48f2-a7b9-683de6b8d486(HR Feed) Operation Save (GUI) Message java.text.ParseException: Unparseable date: "12/31/2000 11:00:00 AM" in expression in mapping in inbound expression for {http://midpoint.evolveum. com/xml/ns/public/resource/instance-3}StartDate in resource:900dd939-02da-48 f2-a7b9-683de6b8d486(HR Feed)({.../common/common-3}input=12/31/2000 11:00:00 AM; ) in expression in mapping in inbound expression for {http://midpoint. evolveum.com/xml/ns/public/resource/instance-3}StartDate in resource:900dd 939-02da-48f2-a7b9-683de6b8d486(HR Feed) Error java.text.ParseException: Unparseable date: "12/31/2000 11:00:00 AM" in expression in mapping in inbound expression for {http://midpoint.evolveum. com/xml/ns/public/resource/instance-3}StartDate in resource:900dd939-02da-48 f2-a7b9-683de6b8d486(HR Feed)({.../common/common-3}input=12/31/2000 11:00:00 AM; ) in expression in mapping in inbound expression for {http://midpoint. evolveum.com/xml/ns/public/resource/instance-3}StartDate in resource:900dd 939-02da-48f2-a7b9-683de6b8d486(HR Feed) show com.evolveum.midpoint.util.exception.ExpressionEvaluationException: java. text.ParseException: Unparseable date: "12/31/2000 11:00:00 AM" in expression in mapping in inbound expression for {http://midpoint.evolveum. com/xml/ns/public/resource/instance-3}StartDate in resource:900dd939-02da-48 f2-a7b9-683de6b8d486(HR Feed)({.../common/common-3}input=12/31/2000 11:00:00 AM; ) in expression in mapping in inbound expression for {http://midpoint. evolveum.com/xml/ns/public/resource/instance-3}StartDate in resource:900dd 939-02da-48f2-a7b9-683de6b8d486(HR Feed) at com.evolveum.midpoint.model. common.expression.evaluator.AbstractValueTransformationExpressionEvaluator. lambda$evaluateRelativeExpression$0 (AbstractValueTransformationExpressionEvaluator.java:433) at com.evolveum. midpoint.util.MiscUtil.carthesian(MiscUtil.java:370) at com.evolveum. midpoint.util.MiscUtil.carthesian(MiscUtil.java:360) at com.evolveum. midpoint.model.common.expression.evaluator. AbstractValueTransformationExpressionEvaluator.evaluateRelativeExpression (AbstractValueTransformationExpressionEvaluator.java:457) at com.evolveum. midpoint.model.common.expression.evaluator. AbstractValueTransformationExpressionEvaluator.evaluate (AbstractValueTransformationExpressionEvaluator.java:118) at com.evolveum. midpoint.repo.common.expression.Expression.evaluateExpressionEvaluators (Expression.java:213) at com.evolveum.midpoint.repo.common.expression. Expression.evaluate(Expression.java:149) at com.evolveum.midpoint.model. common.mapping.Mapping.evaluateExpression(Mapping.java:1055) at com. evolveum.midpoint.model.common.mapping.Mapping.evaluateBody(Mapping.java: 446) at com.evolveum.midpoint.model.common.mapping.Mapping.evaluate(Mapping. java:372) at com.evolveum.midpoint.model.impl.lens.projector. MappingEvaluator.evaluateMapping(MappingEvaluator.java:140) at com.evolveum. midpoint.model.impl.lens.projector.focus.InboundProcessor. evaluateInboundMapping(InboundProcessor.java:836) at com.evolveum.midpoint. model.impl.lens.projector.focus.InboundProcessor. processInboundMappingsForProjection(InboundProcessor.java:293) at com. evolveum.midpoint.model.impl.lens.projector.focus.InboundProcessor. processInboundFocal(InboundProcessor.java:223) at com.evolveum.midpoint. model.impl.lens.projector.focus.InboundProcessor.processInbound (InboundProcessor.java:165) at com.evolveum.midpoint.model.impl.lens. projector.focus.FocusProcessor.lambda$processFocusFocus$0(FocusProcessor. java:210) at com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute (LensUtil.java:947) at com.evolveum.midpoint.model.impl.lens.LensUtil. partialExecute(LensUtil.java:934) at com.evolveum.midpoint.model.impl.lens. projector.focus.FocusProcessor.processFocusFocus(FocusProcessor.java:207) at com.evolveum.midpoint.model.impl.lens.projector.focus.FocusProcessor. processFocus(FocusProcessor.java:140) at com.evolveum.midpoint.model.impl. lens.projector.Projector.lambda$projectInternal$1(Projector.java:229) at com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java: 947) at com.evolveum.midpoint.model.impl.lens.projector.Projector. projectInternal(Projector.java:227) at com.evolveum.midpoint.model.impl. lens.projector.Projector.project(Projector.java:116) at com.evolveum. midpoint.model.impl.lens.Clockwork.click(Clockwork.java:445) at com. evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:202) at com. evolveum.midpoint.model.impl.controller.ModelController.executeChanges (ModelController.java:538) at com.evolveum.midpoint.web.component.progress. ProgressPanel$14.callWithContextPrepared(ProgressPanel.java:605) at com. evolveum.midpoint.web.component.progress.ProgressPanel$14. callWithContextPrepared(ProgressPanel.java:591) at com.evolveum.midpoint. web.component.SecurityContextAwareCallable.call (SecurityContextAwareCallable.java:59) at java.util.concurrent.FutureTask. run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker (Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run (Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: com. evolveum.midpoint.util.exception.ExpressionEvaluationException: java.text. ParseException: Unparseable date: "12/31/2000 11:00:00 AM" in expression in mapping in inbound expression for {http://midpoint.evolveum.com/xml/ns/ public/resource/instance-3}StartDate in resource:900dd939-02da-48f2-a7b9-683 de6b8d486(HR Feed) at com.evolveum.midpoint.model.common.expression.script. jsr223.Jsr223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:120) at com.evolveum.midpoint.model.common.expression.script.ScriptExpression. evaluate(ScriptExpression.java:107) at com.evolveum.midpoint.model.common. expression.script.ScriptExpressionEvaluator.transformSingleValue (ScriptExpressionEvaluator.java:63) at com.evolveum.midpoint.model.common. expression.evaluator.AbstractValueTransformationExpressionEvaluator.lambda$ evaluateRelativeExpression$0(AbstractValueTransformationExpressionEvaluator. java:425) ... 33 more Caused by: javax.script.ScriptException: java.text. ParseException: Unparseable date: "12/31/2000 11:00:00 AM" at org.codehaus. groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl.java:347) at org.codehaus.groovy.jsr223.GroovyCompiledScript.eval (GroovyCompiledScript.java:41) at javax.script.CompiledScript.eval(Unknown Source) at com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr 223ScriptEvaluator.evaluate(Jsr223ScriptEvaluator.java:116) ... 36 more Caused by: java.text.ParseException: Unparseable date: "12/31/2000 11:00:00 AM" at java.text.DateFormat.parse(Unknown Source) at java_text_DateFormat$ parse.call(Unknown Source) at Script41.run(Script41.groovy:8) at org. codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl. java:344) ... 39 more Can someone help me with that? Thanks Jan (http://192.168.2.102:8080/admin/task2/03b67e2f-4b00-420e-a13e-fa897e93586d?635-1.ILinkListener-mainPanel-mainForm-tabPanel-panel-showResult) -------------- next part -------------- An HTML attachment was scrubbed... URL: From valtri at civ.zcu.cz Mon Jan 1 22:38:59 2018 From: valtri at civ.zcu.cz (=?UTF-8?Q?Franti=C5=A1ek_Dvo=C5=99=C3=A1k?=) Date: Mon, 01 Jan 2018 22:38:59 +0100 Subject: [midPoint] ValidFrom and ValidTo In-Reply-To: <4nl.vHb.5tJBw5nKOCX.1QIeeR@seznam.cz> References: <4nl.vHb.5tJBw5nKOCX.1QIeeR@seznam.cz> Message-ID: <1514842739.13683.1.camel@civ.zcu.cz> Hello, just a hint - the problem here is with the locale-dependent SimpleDateFormat in the groovy script - the "AM" string. František Jan Kaspar píše v Po 01. 01. 2018 v 20:20 +0100: > Hi All, > > need help with importing date times in MidPoint from CSV. > > In CSV there is date time in format: "12/31/2000 11:00:00 AM" > > In resource i have enabled activation capability and I tryed to map > value as showwn in config bellow: > > > ri:StartDate > true > false > > true > false > normal > > > > > $focus/activation/validFrom > > > > > But it doesnt work to me. I am getting error messages like here: > > 1001: java.text.ParseException: Unparseable date: "12/31/2000 > 11:00:00 AM" in expression in mapping in inbound expression for {http > ://midpoint.evolveum.com/xml/ns/public/resource/instance-3}StartDate > in resource:900dd939-02da-48f2-a7b9-683de6b8d486(HR > Feed)({.../common/common-3}input=12/31/2000 11:00:00 AM; ) in > expression in mapping in inbound expression for > {http://midpoint.evolveum.com/xml/ns/public/resource/instance- > 3}StartDate in resource:900dd939-02da-48f2-a7b9-683de6b8d486(HR Feed) > Operation > Save (GUI) > Message > java.text.ParseException: Unparseable date: "12/31/2000 11:00:00 AM" > in expression in mapping in inbound expression for {http://midpoint.e > volveum.com/xml/ns/public/resource/instance-3}StartDate in > resource:900dd939-02da-48f2-a7b9-683de6b8d486(HR > Feed)({.../common/common-3}input=12/31/2000 11:00:00 AM; ) in > expression in mapping in inbound expression for > {http://midpoint.evolveum.com/xml/ns/public/resource/instance- > 3}StartDate in resource:900dd939-02da-48f2-a7b9-683de6b8d486(HR Feed) > Error > java.text.ParseException: Unparseable date: "12/31/2000 11:00:00 AM" > in expression in mapping in inbound expression for {http://midpoint.e > volveum.com/xml/ns/public/resource/instance-3}StartDate in > resource:900dd939-02da-48f2-a7b9-683de6b8d486(HR > Feed)({.../common/common-3}input=12/31/2000 11:00:00 AM; ) in > expression in mapping in inbound expression for > {http://midpoint.evolveum.com/xml/ns/public/resource/instance- > 3}StartDate in resource:900dd939-02da-48f2-a7b9-683de6b8d486(HR Feed) > show > com.evolveum.midpoint.util.exception.ExpressionEvaluationException: > java.text.ParseException: Unparseable date: "12/31/2000 11:00:00 AM" > in expression in mapping in inbound expression for {http://midpoint.e > volveum.com/xml/ns/public/resource/instance-3}StartDate in > resource:900dd939-02da-48f2-a7b9-683de6b8d486(HR > Feed)({.../common/common-3}input=12/31/2000 11:00:00 AM; ) in > expression in mapping in inbound expression for > {http://midpoint.evolveum.com/xml/ns/public/resource/instance- > 3}StartDate in resource:900dd939-02da-48f2-a7b9-683de6b8d486(HR Feed) > at > com.evolveum.midpoint.model.common.expression.evaluator.AbstractValue > TransformationExpressionEvaluator.lambda$evaluateRelativeExpression$0 > (AbstractValueTransformationExpressionEvaluator.java:433) > at > com.evolveum.midpoint.util.MiscUtil.carthesian(MiscUtil.java:370) > at > com.evolveum.midpoint.util.MiscUtil.carthesian(MiscUtil.java:360) > at > com.evolveum.midpoint.model.common.expression.evaluator.AbstractValue > TransformationExpressionEvaluator.evaluateRelativeExpression(Abstract > ValueTransformationExpressionEvaluator.java:457) > at > com.evolveum.midpoint.model.common.expression.evaluator.AbstractValue > TransformationExpressionEvaluator.evaluate(AbstractValueTransformatio > nExpressionEvaluator.java:118) > at > com.evolveum.midpoint.repo.common.expression.Expression.evaluateExpre > ssionEvaluators(Expression.java:213) > at > com.evolveum.midpoint.repo.common.expression.Expression.evaluate(Expr > ession.java:149) > at > com.evolveum.midpoint.model.common.mapping.Mapping.evaluateExpression > (Mapping.java:1055) > at > com.evolveum.midpoint.model.common.mapping.Mapping.evaluateBody(Mappi > ng.java:446) > at > com.evolveum.midpoint.model.common.mapping.Mapping.evaluate(Mapping.j > ava:372) > at > com.evolveum.midpoint.model.impl.lens.projector.MappingEvaluator.eval > uateMapping(MappingEvaluator.java:140) > at > com.evolveum.midpoint.model.impl.lens.projector.focus.InboundProcesso > r.evaluateInboundMapping(InboundProcessor.java:836) > at > com.evolveum.midpoint.model.impl.lens.projector.focus.InboundProcesso > r.processInboundMappingsForProjection(InboundProcessor.java:293) > at > com.evolveum.midpoint.model.impl.lens.projector.focus.InboundProcesso > r.processInboundFocal(InboundProcessor.java:223) > at > com.evolveum.midpoint.model.impl.lens.projector.focus.InboundProcesso > r.processInbound(InboundProcessor.java:165) > at > com.evolveum.midpoint.model.impl.lens.projector.focus.FocusProcessor. > lambda$processFocusFocus$0(FocusProcessor.java:210) > at > com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUti > l.java:947) > at > com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUti > l.java:934) > at > com.evolveum.midpoint.model.impl.lens.projector.focus.FocusProcessor. > processFocusFocus(FocusProcessor.java:207) > at > com.evolveum.midpoint.model.impl.lens.projector.focus.FocusProcessor. > processFocus(FocusProcessor.java:140) > at > com.evolveum.midpoint.model.impl.lens.projector.Projector.lambda$proj > ectInternal$1(Projector.java:229) > at > com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUti > l.java:947) > at > com.evolveum.midpoint.model.impl.lens.projector.Projector.projectInte > rnal(Projector.java:227) > at > com.evolveum.midpoint.model.impl.lens.projector.Projector.project(Pro > jector.java:116) > at > com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java: > 445) > at > com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:20 > 2) > at > com.evolveum.midpoint.model.impl.controller.ModelController.executeCh > anges(ModelController.java:538) > at > com.evolveum.midpoint.web.component.progress.ProgressPanel$14.callWit > hContextPrepared(ProgressPanel.java:605) > at > com.evolveum.midpoint.web.component.progress.ProgressPanel$14.callWit > hContextPrepared(ProgressPanel.java:591) > at > com.evolveum.midpoint.web.component.SecurityContextAwareCallable.call > (SecurityContextAwareCallable.java:59) > at java.util.concurrent.FutureTask.run(Unknown Source) > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown > Source) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown > Source) > at java.lang.Thread.run(Unknown Source) > Caused by: > com.evolveum.midpoint.util.exception.ExpressionEvaluationException: > java.text.ParseException: Unparseable date: "12/31/2000 11:00:00 AM" > in expression in mapping in inbound expression for {http://midpoint.e > volveum.com/xml/ns/public/resource/instance-3}StartDate in > resource:900dd939-02da-48f2-a7b9-683de6b8d486(HR Feed) > at > com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223Scr > iptEvaluator.evaluate(Jsr223ScriptEvaluator.java:120) > at > com.evolveum.midpoint.model.common.expression.script.ScriptExpression > .evaluate(ScriptExpression.java:107) > at > com.evolveum.midpoint.model.common.expression.script.ScriptExpression > Evaluator.transformSingleValue(ScriptExpressionEvaluator.java:63) > at > com.evolveum.midpoint.model.common.expression.evaluator.AbstractValue > TransformationExpressionEvaluator.lambda$evaluateRelativeExpression$0 > (AbstractValueTransformationExpressionEvaluator.java:425) > ... 33 more > Caused by: javax.script.ScriptException: java.text.ParseException: > Unparseable date: "12/31/2000 11:00:00 AM" > at > org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEn > gineImpl.java:347) > at > org.codehaus.groovy.jsr223.GroovyCompiledScript.eval(GroovyCompiledSc > ript.java:41) > at javax.script.CompiledScript.eval(Unknown Source) > at > com.evolveum.midpoint.model.common.expression.script.jsr223.Jsr223Scr > iptEvaluator.evaluate(Jsr223ScriptEvaluator.java:116) > ... 36 more > Caused by: java.text.ParseException: Unparseable date: "12/31/2000 > 11:00:00 AM" > at java.text.DateFormat.parse(Unknown Source) > at java_text_DateFormat$parse.call(Unknown Source) > at Script41.run(Script41.groovy:8) > at > org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEn > gineImpl.java:344) > ... 39 more > > Can someone help me with that? > > Thanks Jan > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint From o.nekriach at dynatech.lv Tue Jan 2 08:16:35 2018 From: o.nekriach at dynatech.lv (Oleksandr Nekriach) Date: Tue, 2 Jan 2018 09:16:35 +0200 Subject: [midPoint] How to set AD password from Midpoint? In-Reply-To: References: Message-ID: Happy new year! Hi Alcides, Do you use secure communication for AD connection (ldaps) or not? Some AD settings does not allow to manage password via open communications. I had similar issue few years ago with Oracle connector ;) Regards, Oleksandr On 28 December 2017 at 21:30, Alcides Carlos de Moraes Neto wrote: > Hello list, > > I'm trying to create AD users from Midpoint. I'm getting the 53 > WILL_NOT_PERFORM error, which it seems to be related to the password policy. > The AD I'm using does have a password policy. > > So I'm trying to set some literal, strong password as a placeholder, but I > don't think my mapping is working. How should I configure it? I cannot find > any examples. Below are the error I get and the password outbound mapping. > > com.evolveum.midpoint.util.exception.SystemException: Got unexpected > exception: > org.identityconnectors.framework.common.exceptions.PermissionDeniedException: > Error adding LDAP entry CN=JOHN DOE,OU=Users,DC=midpoint,DC=local: > unwillingToPerform: 0000052D: SvcErr: DSID-031A12D2, problem 5003 > (WILL_NOT_PERFORM), data 0?? (53) > > > ri:userPassword > true > false > explicit > > true > false > normal > > Midpoint2018* > > > > > > Thanks and happy new year to all =) > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > -- Best regards, Oleksandr Nekriach | Identity and access management engineer Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia +37125314685 , o.nekriach at dynatech.lv | www.dynatech.lv Stay connected: Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. From wojciech.staszewski at diagnostyka.pl Tue Jan 2 12:07:11 2018 From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski) Date: Tue, 2 Jan 2018 12:07:11 +0100 Subject: [midPoint] Importing entitlements to roles for multiple account intents In-Reply-To: <5f856eb7-eaa3-8b0d-12b7-b7d76edb9d75@diagnostyka.pl> References:

<5f856eb7-eaa3-8b0d-12b7-b7d76edb9d75@diagnostyka.pl> Message-ID: <6421a397-5bb4-f060-8cfe-bc320c9320b0@diagnostyka.pl> Hello! First: Of course the account intent is specified in the association from link inducement, order 2, not in the first order inducement as I wrote before. Sorry for the mistake. Second: After few days of testing, the workaround with multiple ObjectClasses for entitlements is working correctly. I suppose this is not a right way how it should be done according to the midPoint philosophy, but at the moment I have no other idea how to achieve the goal, which is independently given entitlements for each account intent when user has two or more accounts in one resource and use the synchronization flavors of the entitlements for avoiding manual roles editing. Of course I keep my mind open for other soultions. Best regards! WS W dniu 30.12.2017 o 13:36, Wojciech Staszewski pisze: > Hi! > > Yes, but if the user have 2 or more accounts on this resource, all accounts will receive the entitlement. I have to avoid this. > The entitlements must be given indepedently for each account. > > I see some workarounds: > > 1) Manually create the roles for account intents other than default and update them when needed. > -disadvantages: A lot of roles and a lot of changes. There is 100 resources of this kind, some of them contains more than 1 account intent (1,5 average) and 3 entitlement types, every type contains 20 entitlements average. This makes 100 x 1,5 x 3 x 20 = 9000 roles for manual handling. Terrifying... > > That's why I want to use synchronization tasks for importing and updating the roles automatically. > > 2) Create another resource pointing to the same database for another intent, so each account intent is handled by separate (fake) resource. > In this case I can set synchronization tasks for importing and updating the same entitlements for every account intent. > - disadvantages: User changes laboratory, so the account changes intent. It happens. On the resource side this is a simple task: edit user, pick lab from drop-down list, save. How midPoint will see this? The user disappears from one resource and appears on another. With full enforcement policy midPoint will try to fix this situation and create an account for him in old intent. On the second resource new account will be deleted. > Ok, so let's do it on midPoint side: Assign account and entitlements on the second resource and unassign the first one. MidPoint will delete an account on the first and create new one on the second, as for midPoint there are 2 independent resources. This is wrong way. > > 3) This is ScriptedSQL resource. So in the Groovy scripts I can make multiple ObjectClasses for the entitlements pointing to the same database objects. In midPoint I will see the same entitlements multiple times, each with different ObjectClass. So I can use it to import and synchronize roles for different account intents. When the entitlement in resource database is changed, synchronization wil work for every objectClass. > - disadvantages: I have to think a little bit, as I invented it just a moment ago. > > Best regards! > Wojciech Staszewski > > W dniu 29.12.2017 o 19:36, Alcides Carlos de Moraes Neto pisze: >> If you assign a Role that gives Entitlement X to User Y with weak strength, only the existing account(s) for User Y will receive the entitlement. >> Having multiple weak inducements will work I think. >> >> I have a similar setup, but it's the other way around - multiple intents for entitlements induced from Org, only one for account intent associated to User. >> I have multiple inducements in a Meta-role that I assign to Orgs. >> >> You can also using Condition expression to further filter them. >> >> 2017-12-29 13:40 GMT-02:00 Wojciech Staszewski >: >> >> Hi! >> >> I thought about adding multiple first order inducements for each account intent with weak strength to the "associationFromLink" metarole, >> but what if the accounts (of one user in multiple intents) must have different privileges (entilements)? >> When I assign a role that gives entitlement X, it will be applied to every user account on this resource, i think. >> >> Another way I tried is to assign the "associationFromLink" metarole to the role that provisions account creation, >> and the role with linkRef pointing to the entitlement shadow as separate user assignment, but it don't work. >> I think (but I don't know exactly) that "associationFromLink" is limited to one assignment chain so the linkRef and associationFromLink >> must be in the same chain. But maybe I'm wrong...? >> >> I'm stuck here and see no good solution for now. >> >> Best regards! >> WS >> >> >> W dniu 29.12.2017 o 15:08, Alcides Carlos de Moraes Neto pisze: >>> Hi WS, >>> >>> In your role template, have you tried adding multiple inducements with an association for each entitlement? I don't see why that wouldn't work. >>> >>> 2017-12-28 13:54 GMT-02:00 Wojciech Staszewski >: >>> >>> Hello! >>> >>> I'm looking for correct way how to correctly import resource entitlements into midPoint roles. >>> >>> For now I'm doing this as follows: >>> 1) create schema handling for entitlement. >>> 2) create synchronization. >>> 3) At the "unmatched->addFocus" synchronization step I connect a role template. The template assigns metaroles to the imported roles for: >>> a) association from link (as the imported roles are just linkRef only), >>> b) approval schema, >>> c) and assigns correct OrgUnit in the role catalog, based on resource, role type and other "things". >>> >>> That works just perfect, but for one account intent only. The account intent is statically specified in "association from link" metarole in the first order inducement. >>> If is not, the metarole works for "default" account intent. >>> But I have 8 account intents in this resource, and every account must be associated with the entitlements regardless of the intent. >>> >>> I tried to make more than one "unmatched->addFocus" synchronization reaction with different role templates >>> with hope for importing 8 roles from one entitlement for different account intents but midPoint warns me: "Duplicated reactions [...]". >>> I cannot just add multiple "actions" to one reaction because I can apply only one template to one reaction. >>> >>> And I don't know how to do it. >>> Any ideas? >>> Beer is on me for the help! >>> >>> Happy NY! >>> WS >>> _______________________________________________ >>> midPoint mailing list >>> midPoint at lists.evolveum.com >>> http://lists.evolveum.com/mailman/listinfo/midpoint >>> >>> >>> >>> >>> _______________________________________________ >>> midPoint mailing list >>> midPoint at lists.evolveum.com >>> http://lists.evolveum.com/mailman/listinfo/midpoint >> >> -- >> Wojciech Staszewski >> Administrator Systemów Sieciowych >> tel. kom: 663 680 236 >> www.diagnostyka.pl >> Diagnostyka Sp. z o. o. >> ul. Prof. M. Życzkowskiego 16, 31-864 Kraków >> Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy KRS) >> NIP: 675-12-65-009; REGON: 356366975 >> Kapitał zakładowy: 33 756 500 zł. >> >> Pomyśl o środowisku zanim wydrukujesz ten e-mail. >> >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint >> >> >> >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > -- Wojciech Staszewski Administrator Systemów Sieciowych tel. kom: 663 680 236 www.diagnostyka.pl Diagnostyka Sp. z o. o. ul. Prof. M. Życzkowskiego 16, 31-864 Kraków Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy KRS) NIP: 675-12-65-009; REGON: 356366975 Kapitał zakładowy: 33 756 500 zł. Pomyśl o środowisku zanim wydrukujesz ten e-mail. From Caspi at seznam.cz Tue Jan 2 14:37:17 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Tue, 02 Jan 2018 14:37:17 +0100 (CET) Subject: [midPoint] ValidFrom and ValidTo Message-ID: Hi again, So now conversion is not giving me an error anymore. But I am still not able to populate validFrom and validTo in midpoint. Used CSV is in attachment. So for me important attributes are validFrom (StartDate), validTo (EndDate), and AdministartiveStatus (Status). In resource configuration i tryed to add following definition in schema handling: ri:StartDate true false true false normal $focus/activation/validFrom Bud it doesnt work, How it shoudl be defined? Can some help me? Regards Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: users1.csv Type: application/vnd.ms-excel Size: 495 bytes Desc: not available URL: From martin.lizner at ami.cz Tue Jan 2 15:47:24 2018 From: martin.lizner at ami.cz (=?UTF-8?Q?Martin_L=C3=ADzner_=2D_AMI_Praha_a=2Es=2E?=) Date: Tue, 2 Jan 2018 15:47:24 +0100 Subject: [midPoint] memory leak issue In-Reply-To: References: Message-ID: Hi, Im having OOM problems on 3.7. Which version are you on? There is Jira for it already and I think it has high priority: https://jira.evolveum.com/browse/MID-4349 M. Martin Lízner solution architect gsm: [+420] 737 745 571 e-mail: martin.lizner at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz [image: AMI Praha a.s.] Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. 2017-12-28 21:26 GMT+01:00 Juan Manuel Catá : > Greetings > > Im writing in reference to a memory leak issue with my instance of > MidPoint. > > When I try to run MidPoint on my VM (4 cpus, 8gb RAM, 40gb HD) I got > alerts in relation to "critical memory usage". In relation to this, I found > that memory is not managed correctly, and is never released until the > kernel kill the MidPoint process; another problem that i found is that I'm > running out of availables Inodes. ¿Could this be related to some > missconfiguration on my MidPoint instance? Have you noticed these kind of > issues before? > > Any kind of help will be appreciated > > Regards > > -- > *Juan Manuel Catá* > Application Security > Juana Manso 999 - piso 2° - C.A.B.A. > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wojciech.staszewski at diagnostyka.pl Tue Jan 2 16:27:37 2018 From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski) Date: Tue, 2 Jan 2018 16:27:37 +0100 Subject: [midPoint] Entitlements reconciliation errors (v3.7) In-Reply-To: <78f8a50a-60b4-746a-2b20-b699383e46f8@diagnostyka.pl> References: <78f8a50a-60b4-746a-2b20-b699383e46f8@diagnostyka.pl> Message-ID: <91f844f4-08b3-633b-7739-065d73be2e2f@diagnostyka.pl> Hello! The issue update: This error appears not only in the reconciliation tasks. If I enter the resource and browse entitlements (on Resource), midPoint also gives me Null Pointer Exception on non-default-intent entitlements. If I go to the SchemaHandling config and switch default button on the entitlement that previously was causing error, the list is showing correctly and the other ones show error. Most funny thing is that sometimes it works OK without touching anything. But next day, or after tomcat restart, the NPE errors return. Can it be a bug? I don't know if I should make a Jira ticket or not... Regards, WS W dniu 21.12.2017 o 23:18, Wojciech Staszewski pisze: > Hello All! > > I have a problem and I don't know what is causing it: > > I have 3 different types of entitlements in my resource (ScriptedSQL). > > So I configured 3 different objectClasses in the connector scripts: > - CustomRolesObjectClass, > - CustomWorkplacesObjectClass, > - CustomRoomsObjectClass > > and 3 intents in midPoint schema handling: > - role, > - workplace, > - room > > I can mark "default" intent of only one entitlement in schema handling > Wizard step, though the entitlements have different objectClasses. > > and 3 reconciliation tasks. > > And only one task is running good - the task that referencing the intent > marked as default. > So if I check "role" intent as default, reconciliation of roles goes ok > and the other two end with error, > when I check "workplace" intent as default - the reconciliation of > workplaces goes ok, and the other two end with error and so on. > > The error log is attached. > > What am I doing wrong? > Thanks for any help. > > WS > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > From Caspi at seznam.cz Tue Jan 2 20:37:00 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Tue, 02 Jan 2018 20:37:00 +0100 (CET) Subject: [midPoint] ValidFrom and ValidTo Message-ID: <6ZM.vGH.tOnDyoPWKR.1QIzzS@seznam.cz> Hi all, solved by editation of schema. I missed that. Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From christopher.hoskin at gmail.com Wed Jan 3 00:02:55 2018 From: christopher.hoskin at gmail.com (Christopher Hoskin) Date: Tue, 2 Jan 2018 23:02:55 +0000 Subject: [midPoint] connector-ldap and SASL-GSSAPI Message-ID: According to the documentation [1], the LDAP Connector should support SASL-GSSAPI as an authentication type. I was wondering if this has actually been implemented? Looking at the code [2],[3], it's not obvious to me that setting authenticationType to SASL-GSSAPI actually has any affect. From a quick scan of [4], I was expecting to find a call to bindSaslGssApi or bindSasl. Is the use of this authenticationType documented anywhere? Thanks. [1] https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Migration [2] https://github.com/Evolveum/connector-ldap/search?l=Java&q=sasl [3] https://github.com/Evolveum/connector-ldap/search?l=Java&q=authenticationType [4] http://directory.apache.org/api/user-guide/5.3-sasl-bind.html Christopher Hoskin -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Wed Jan 3 08:43:11 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Wed, 03 Jan 2018 08:43:11 +0100 (CET) Subject: [midPoint] Database maintenance Message-ID: Hello, i have a questino about database maintenance. I am using MP 3.7 on windows right now. There is a DB file midpoint.mv.db and curently after one week of tests it has 37GB. How is performed maintenance? Testing was made with few groups and ten users and only two resources. Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From radovan.semancik at evolveum.com Wed Jan 3 12:37:37 2018 From: radovan.semancik at evolveum.com (Radovan Semancik) Date: Wed, 3 Jan 2018 12:37:37 +0100 Subject: [midPoint] connector-ldap and SASL-GSSAPI In-Reply-To: References: Message-ID: <8113d8ca-3f59-0109-304c-926858c919d4@evolveum.com> Hi, SASL-GSSAPI support is mostly a matter of Apache Directory API. That is the LDAP API that the connector is using. I'm not entirely sure whether the API supports SASL-GSSAPI. What I can tell for sure is that I'm not aware of any midPoint deployment that is using that. Anyway, even if it is supported by the directory API it was never tested with midPoint LDAP connector. Therefore it is likely that some connector code changes will be needed. And from my experience there is a slight chance that even Apache Directory API changes might be needed to fully support your use-case. We will gladly accept pull request in case you have the capacity to make the code changes. Otherwise I can recommend to purchase midPoint platform subscription which is designed to address such issues. -- Radovan Semancik Software Architect evolveum.com On 01/03/2018 12:02 AM, Christopher Hoskin wrote: > According to the documentation [1], the LDAP Connector should support > SASL-GSSAPI as an authentication type. > > I was wondering if this has actually been implemented? Looking at the > code [2],[3], it's not obvious to me that setting authenticationType > to SASL-GSSAPI actually has any affect. From a quick scan of [4], I > was expecting to find a call to bindSaslGssApi or bindSasl. > > Is the use of this authenticationType documented anywhere? > > Thanks. > > [1] https://wiki.evolveum.com/display/midPoint/LDAP+Connector+Migration > [2] https://github.com/Evolveum/connector-ldap/search?l=Java&q=sasl > [3] > https://github.com/Evolveum/connector-ldap/search?l=Java&q=authenticationType > [4] http://directory.apache.org/api/user-guide/5.3-sasl-bind.html > > Christopher Hoskin > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -------------- next part -------------- An HTML attachment was scrubbed... URL: From radovan.semancik at evolveum.com Wed Jan 3 12:42:25 2018 From: radovan.semancik at evolveum.com (Radovan Semancik) Date: Wed, 3 Jan 2018 12:42:25 +0100 Subject: [midPoint] Database maintenance In-Reply-To: References: Message-ID: Hi, MidPoint deployment with embedded H2 database is not supported for production use. It is intended only for learning, laboratory use, demonstrations and similar non-production use. Therefore there are no mechanism to ensure that it is sustainable for a long-term usage. The best thing you can do is to migrate your deployment to a real database. -- Radovan Semancik Software Architect evolveum.com On 01/03/2018 08:43 AM, Jan Kaspar wrote: > Hello, > > i have a questino about database maintenance. I am using MP 3.7 on > windows right now. > > There is a DB file midpoint.mv.db and curently after one week of tests > it has 37GB. > > How is performed maintenance? Testing was made with few groups and ten > users and only two resources. > > Jan > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -------------- next part -------------- An HTML attachment was scrubbed... URL: From srpenn at us.ibm.com Wed Jan 3 22:54:32 2018 From: srpenn at us.ibm.com (Sean R Penndorf) Date: Wed, 3 Jan 2018 16:54:32 -0500 Subject: [midPoint] How to Filter HR Input Message-ID: Hi, I'm working on a Midpoint proof of concept for my company. One requirement we have is that a Midpoint user must exist in our HR directory. Employees deleted from HR must disable or delete the Midpoint user within 24 hours. On the surface, sounds easy enough. Here is where I'm having difficulties. The HR directory contains approximately 380,000 employees and other accounts. Our estimated use case for Midpoint for production is currently 5000 users. We have absolutely no authority to update any record in the HR directory. The HR directory has enforced limitations on query sizes (in other words we can't just do a (uid=*)). I need to double-check, but I believe the maximum object query return is 10,000. Because there are thousands of apps that query our HR directory, the limit is there to keep the directory servers from getting bogged down. Currently, when I run a Reconcile task, Midpoint processes about 1000-1200 users or so and then it just hangs. No errors are recorded and the GUI appears as though the task is still running, but it is not updating. Also, it seems rather pointless to have 380,000 shadow objects if we will only have 5000 Midpoint users. Is there a way to filter, limit, or change the logic, so that we only pull (or create shadow objects) from the HR directory for those employees who already have a Midpoint user? (Hope I'm making sense here). If so, how? Let me know if you need more info from me. Thanks! ------------------ Sean Penndorf SaaS Operational Services (SOS) - ID Management IBM Cloud srpenn at us.ibm.com Office: 248-552-4791 TL 623-9966 -------------- next part -------------- An HTML attachment was scrubbed... URL: From alcides.neto at gmail.com Thu Jan 4 01:00:02 2018 From: alcides.neto at gmail.com (Alcides Carlos de Moraes Neto) Date: Wed, 3 Jan 2018 22:00:02 -0200 Subject: [midPoint] How to set AD password from Midpoint? In-Reply-To: References: Message-ID: Hello, Yes, I'm using ldaps. 2018-01-02 5:16 GMT-02:00 Oleksandr Nekriach : > Happy new year! > Hi Alcides, > Do you use secure communication for AD connection (ldaps) or not? > Some AD settings does not allow to manage password via open communications. > I had similar issue few years ago with Oracle connector ;) > > Regards, Oleksandr > > > On 28 December 2017 at 21:30, Alcides Carlos de Moraes Neto > wrote: > > Hello list, > > > > I'm trying to create AD users from Midpoint. I'm getting the 53 > > WILL_NOT_PERFORM error, which it seems to be related to the password > policy. > > The AD I'm using does have a password policy. > > > > So I'm trying to set some literal, strong password as a placeholder, but > I > > don't think my mapping is working. How should I configure it? I cannot > find > > any examples. Below are the error I get and the password outbound > mapping. > > > > com.evolveum.midpoint.util.exception.SystemException: Got unexpected > > exception: > > org.identityconnectors.framework.common.exceptions. > PermissionDeniedException: > > Error adding LDAP entry CN=JOHN DOE,OU=Users,DC=midpoint,DC=local: > > unwillingToPerform: 0000052D: SvcErr: DSID-031A12D2, problem 5003 > > (WILL_NOT_PERFORM), data 0?? (53) > > > > > > ri:userPassword > > true > > false > > explicit > > > > true > > false > > normal > > > > Midpoint2018* > > > > > > > > > > > > Thanks and happy new year to all =) > > > > _______________________________________________ > > midPoint mailing list > > midPoint at lists.evolveum.com > > http://lists.evolveum.com/mailman/listinfo/midpoint > > > > > > -- > Best regards, > > Oleksandr Nekriach | Identity and access management engineer > > Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia > > +37125314685 > , > o.nekriach at dynatech.lv > | > www.dynatech.lv > > > > > Stay connected: > > > Confidentiality Notice: This message contains confidential information > and is intended only for the named recipient(s). If you are not the > addressee you may not copy, distribute or perform any other activities > with this information. If you have received this transmission in > error, please notify us by e-mail immediately. E-mail transmission > cannot be guaranteed to be secure or error-free as information could > be intercepted, corrupted, lost, destroyed, arrive late or incomplete, > or contain viruses. > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > -------------- next part -------------- An HTML attachment was scrubbed... URL: From o.nekriach at dynatech.lv Thu Jan 4 08:39:42 2018 From: o.nekriach at dynatech.lv (Oleksandr Nekriach) Date: Thu, 4 Jan 2018 09:39:42 +0200 Subject: [midPoint] How to set AD password from Midpoint? In-Reply-To: References: Message-ID: Hello, It is strange I was sure that problem is in SSL. See Known Causes - This is caused when you don't use SSL in your LDAP connection and AD enforces SSL connection. - There are password policies in the AD environment In my Midpoint instance I don't use "direct" outbound mapping for userPassword. Instead, I use On 4 January 2018 at 02:00, Alcides Carlos de Moraes Neto wrote: > Hello, > > Yes, I'm using ldaps. > > 2018-01-02 5:16 GMT-02:00 Oleksandr Nekriach : >> >> Happy new year! >> Hi Alcides, >> Do you use secure communication for AD connection (ldaps) or not? >> Some AD settings does not allow to manage password via open >> communications. >> I had similar issue few years ago with Oracle connector ;) >> >> Regards, Oleksandr >> >> >> On 28 December 2017 at 21:30, Alcides Carlos de Moraes Neto >> wrote: >> > Hello list, >> > >> > I'm trying to create AD users from Midpoint. I'm getting the 53 >> > WILL_NOT_PERFORM error, which it seems to be related to the password >> > policy. >> > The AD I'm using does have a password policy. >> > >> > So I'm trying to set some literal, strong password as a placeholder, but >> > I >> > don't think my mapping is working. How should I configure it? I cannot >> > find >> > any examples. Below are the error I get and the password outbound >> > mapping. >> > >> > com.evolveum.midpoint.util.exception.SystemException: Got unexpected >> > exception: >> > >> > org.identityconnectors.framework.common.exceptions.PermissionDeniedException: >> > Error adding LDAP entry CN=JOHN DOE,OU=Users,DC=midpoint,DC=local: >> > unwillingToPerform: 0000052D: SvcErr: DSID-031A12D2, problem 5003 >> > (WILL_NOT_PERFORM), data 0?? (53) >> > >> > >> > ri:userPassword >> > true >> > false >> > explicit >> > >> > true >> > false >> > normal >> > >> > Midpoint2018* >> > >> > >> > >> > >> > >> > Thanks and happy new year to all =) >> > >> > _______________________________________________ >> > midPoint mailing list >> > midPoint at lists.evolveum.com >> > http://lists.evolveum.com/mailman/listinfo/midpoint >> > >> >> >> >> -- >> Best regards, >> >> Oleksandr Nekriach | Identity and access management engineer >> >> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia >> >> +37125314685 >> , >> o.nekriach at dynatech.lv >> | >> www.dynatech.lv >> >> >> >> >> Stay connected: >> >> >> Confidentiality Notice: This message contains confidential information >> and is intended only for the named recipient(s). If you are not the >> addressee you may not copy, distribute or perform any other activities >> with this information. If you have received this transmission in >> error, please notify us by e-mail immediately. E-mail transmission >> cannot be guaranteed to be secure or error-free as information could >> be intercepted, corrupted, lost, destroyed, arrive late or incomplete, >> or contain viruses. >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > -- Best regards, Oleksandr Nekriach | Identity and access management engineer Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia +37125314685 , o.nekriach at dynatech.lv | www.dynatech.lv Stay connected: Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. From petr.gasparik at ami.cz Thu Jan 4 09:11:44 2018 From: petr.gasparik at ami.cz (=?UTF-8?B?UGV0ciBHYcWhcGFyw61rIC0gQU1JIFByYWhhIGEucy4=?=) Date: Thu, 4 Jan 2018 09:11:44 +0100 Subject: [midPoint] How to set AD password from Midpoint? In-Reply-To: References:

Message-ID: Hi, as Oleksandr says, AD disallows manipulating with userPassword directly. Instead, credential tag is used. Also, SSL is a must. in general. WILL_NOT_PERFORM is almost always wrongly set password - in our cases mostly policy violation (weak or no/bad set password) Petr -- s pozdravem Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gasparik at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz [image: AMI Praha a.s.] Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. 2018-01-04 8:39 GMT+01:00 Oleksandr Nekriach : > Hello, > It is strange I was sure that problem is in SSL. > See > Known Causes > - This is caused when you don't use SSL in your LDAP connection and AD > enforces SSL connection. > - There are password policies in the AD environment > > In my Midpoint instance I don't use "direct" outbound mapping for > userPassword. > Instead, I use > > > > > > > > > > > > On 4 January 2018 at 02:00, Alcides Carlos de Moraes Neto > wrote: > > Hello, > > > > Yes, I'm using ldaps. > > > > 2018-01-02 5:16 GMT-02:00 Oleksandr Nekriach : > >> > >> Happy new year! > >> Hi Alcides, > >> Do you use secure communication for AD connection (ldaps) or not? > >> Some AD settings does not allow to manage password via open > >> communications. > >> I had similar issue few years ago with Oracle connector ;) > >> > >> Regards, Oleksandr > >> > >> > >> On 28 December 2017 at 21:30, Alcides Carlos de Moraes Neto > >> wrote: > >> > Hello list, > >> > > >> > I'm trying to create AD users from Midpoint. I'm getting the 53 > >> > WILL_NOT_PERFORM error, which it seems to be related to the password > >> > policy. > >> > The AD I'm using does have a password policy. > >> > > >> > So I'm trying to set some literal, strong password as a placeholder, > but > >> > I > >> > don't think my mapping is working. How should I configure it? I cannot > >> > find > >> > any examples. Below are the error I get and the password outbound > >> > mapping. > >> > > >> > com.evolveum.midpoint.util.exception.SystemException: Got unexpected > >> > exception: > >> > > >> > org.identityconnectors.framework.common.exceptions. > PermissionDeniedException: > >> > Error adding LDAP entry CN=JOHN DOE,OU=Users,DC=midpoint,DC=local: > >> > unwillingToPerform: 0000052D: SvcErr: DSID-031A12D2, problem 5003 > >> > (WILL_NOT_PERFORM), data 0?? (53) > >> > > >> > > >> > ri:userPassword > >> > true > >> > false > >> > explicit > >> > > >> > true > >> > false > >> > normal > >> > > >> > Midpoint2018* > >> > > >> > > >> > > >> > > >> > > >> > Thanks and happy new year to all =) > >> > > >> > _______________________________________________ > >> > midPoint mailing list > >> > midPoint at lists.evolveum.com > >> > http://lists.evolveum.com/mailman/listinfo/midpoint > >> > > >> > >> > >> > >> -- > >> Best regards, > >> > >> Oleksandr Nekriach | Identity and access management engineer > >> > >> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia > >> > >> +37125314685 > >> , > >> o.nekriach at dynatech.lv > >> | > >> www.dynatech.lv > >> > >> > >> > >> > >> Stay connected: > >> > >> > >> Confidentiality Notice: This message contains confidential information > >> and is intended only for the named recipient(s). If you are not the > >> addressee you may not copy, distribute or perform any other activities > >> with this information. If you have received this transmission in > >> error, please notify us by e-mail immediately. E-mail transmission > >> cannot be guaranteed to be secure or error-free as information could > >> be intercepted, corrupted, lost, destroyed, arrive late or incomplete, > >> or contain viruses. > >> _______________________________________________ > >> midPoint mailing list > >> midPoint at lists.evolveum.com > >> http://lists.evolveum.com/mailman/listinfo/midpoint > > > > > > > > _______________________________________________ > > midPoint mailing list > > midPoint at lists.evolveum.com > > http://lists.evolveum.com/mailman/listinfo/midpoint > > > > > > -- > Best regards, > > Oleksandr Nekriach | Identity and access management engineer > > Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia > > +37125314685 > , > o.nekriach at dynatech.lv > | > www.dynatech.lv > > > > > Stay connected: > > > Confidentiality Notice: This message contains confidential information > and is intended only for the named recipient(s). If you are not the > addressee you may not copy, distribute or perform any other activities > with this information. If you have received this transmission in > error, please notify us by e-mail immediately. E-mail transmission > cannot be guaranteed to be secure or error-free as information could > be intercepted, corrupted, lost, destroyed, arrive late or incomplete, > or contain viruses. > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Thu Jan 4 20:27:48 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Thu, 04 Jan 2018 20:27:48 +0100 (CET) Subject: [midPoint] Protected Message-ID: Hi all, I have a question about protected objects. I need to exclude multiple OU's in AD. I tryed to do that by adding: stringIgnoreCase declare namespace icfs='http://midpoint.evolveum. com/xml/ns/public/connector/icf-1/resource-schema-3'; attributes/icfs:name ou=Global,dc=hell,dc=local true stringIgnoreCase declare namespace icfs='http://midpoint.evolveum. com/xml/ns/public/connector/icf-1/resource-schema-3'; attributes/icfs:name ou=CZ,dc=hell,dc=local true stringIgnoreCase declare namespace icfs='http://midpoint.evolveum. com/xml/ns/public/connector/icf-1/resource-schema-3'; attributes/icfs:name cz=Users,dc=hell,dc=local true But it doesnt work. I am not able to see account in repository and resource. If htere is only one protected OU then it works. Where is an error? Thanks Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From roman.pudil at ami.cz Thu Jan 4 21:01:52 2018 From: roman.pudil at ami.cz (Roman Pudil - AMI Praha a.s.) Date: Thu, 04 Jan 2018 20:01:52 +0000 Subject: [midPoint] Protected In-Reply-To: References: Message-ID: Hi Jan, try this modified filter: stringIgnoreCase declare namespace icfs='http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3'; attributes/icfs:name ou=Global,dc=hell,dc=local true stringIgnoreCase declare namespace icfs='http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3'; attributes/icfs:name ou=CZ,dc=hell,dc=local true stringIgnoreCase declare namespace icfs='http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3'; attributes/icfs:name cz=Users,dc=hell,dc=local true Regards Roman Pudil solution architect gsm: [+420] 775 663 666 e-mail: roman.pudil at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel./fax: [+420] 274 783 239 web: www.ami.cz Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. ------ Původní zpráva ------ Od: "Jan Kaspar" Komu: midpoint at lists.evolveum.com Odesláno: 4.1.2018 20:27:48 Předmět: [midPoint] Protected >Hi all, > >I have a question about protected objects. I need to exclude multiple >OU's in AD. > >I tryed to do that by adding: > > > > > stringIgnoreCase > declare namespace >icfs='http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3'; >attributes/icfs:name > ou=Global,dc=hell,dc=local > true > > > > > > > stringIgnoreCase > declare namespace >icfs='http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3'; >attributes/icfs:name > ou=CZ,dc=hell,dc=local > true > > > > > > > stringIgnoreCase > declare namespace >icfs='http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3'; >attributes/icfs:name > cz=Users,dc=hell,dc=local > true > > > > >But it doesnt work. I am not able to see account in repository and >resource. If htere is only one protected OU then it works. >Where is an error? > >Thanks > >Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Thu Jan 4 21:56:42 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Thu, 04 Jan 2018 21:56:42 +0100 (CET) Subject: [midPoint] Protected Message-ID: Hi Roman, I tryed this but still same. bellow is the error. Jan operation.com.evolveum.midpoint.web.component.data. SelectableBeanObjectDataProvider.searchObjects Message Couldn't list objects. Error com.evolveum.midpoint.util.exception.SchemaException: Could not find definition for item attributes/name show com.evolveum.midpoint.util.exception.SystemException: com.evolveum.midpoint. util.exception.SchemaException: Could not find definition for item attributes/name at com.evolveum.midpoint.provisioning.impl.ShadowCache. lambda$searchObjectsIterativeRepository$5(ShadowCache.java:1534) at com. evolveum.midpoint.repo.cache.RepositoryCache$1.handle(RepositoryCache.java: 227) at com.evolveum.midpoint.repo.sql.helpers.ObjectRetriever. searchObjectsIterativeAttempt(ObjectRetriever.java:704) at com.evolveum. midpoint.repo.sql.SqlRepositoryServiceImpl. searchObjectsIterativeBySingleTransaction(SqlRepositoryServiceImpl.java:843) at com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl. searchObjectsIterative(SqlRepositoryServiceImpl.java:817) at com.evolveum. midpoint.repo.cache.RepositoryCache.searchObjectsIterative(RepositoryCache. java:230) at com.evolveum.midpoint.provisioning.impl.ShadowManager. searchObjectsIterativeRepository(ShadowManager.java:690) at com.evolveum. midpoint.provisioning.impl.ShadowCache.searchObjectsIterativeRepository (ShadowCache.java:1538) at com.evolveum.midpoint.provisioning.impl. ShadowCache.searchObjectsIterative(ShadowCache.java:1288) at com.evolveum. midpoint.provisioning.impl.ShadowCache.searchObjectsIterative(ShadowCache. java:1276) at com.evolveum.midpoint.provisioning.impl. ProvisioningServiceImpl.searchObjectsIterative(ProvisioningServiceImpl.java: 1036) at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl. searchObjects(ProvisioningServiceImpl.java:483) at com.evolveum.midpoint. model.impl.controller.ModelController.searchObjects(ModelController.java: 781) at com.evolveum.midpoint.web.component.data. SelectableBeanObjectDataProvider.internalIterator (SelectableBeanObjectDataProvider.java:177) at com.evolveum.midpoint.web. component.data.BaseSortableDataProvider.iterator(BaseSortableDataProvider. java:225) at org.apache.wicket.markup.repeater.data.DataViewBase$ ModelIterator.(DataViewBase.java:107) at org.apache.wicket.markup. repeater.data.DataViewBase.getItemModels(DataViewBase.java:74) at org. apache.wicket.markup.repeater.AbstractPageableView.getItemModels (AbstractPageableView.java:101) at org.apache.wicket.markup.repeater. RefreshingView.onPopulate(RefreshingView.java:93) at org.apache.wicket. markup.repeater.AbstractRepeater.onBeforeRender(AbstractRepeater.java:124) at org.apache.wicket.markup.repeater.AbstractPageableView.onBeforeRender (AbstractPageableView.java:115) at org.apache.wicket.Component. internalBeforeRender(Component.java:950) at org.apache.wicket.Component. beforeRender(Component.java:1018) at org.apache.wicket.MarkupContainer. onBeforeRenderChildren(MarkupContainer.java:1825) at org.apache.wicket. Component.onBeforeRender(Component.java:3916) at org.apache.wicket. Component.internalBeforeRender(Component.java:950) at org.apache.wicket. Component.beforeRender(Component.java:1018) at org.apache.wicket. MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) at org. apache.wicket.Component.onBeforeRender(Component.java:3916) at org.apache. wicket.Component.internalBeforeRender(Component.java:950) at org.apache. wicket.Component.beforeRender(Component.java:1018) at org.apache.wicket. MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) at org. apache.wicket.Component.onBeforeRender(Component.java:3916) at org.apache. wicket.Component.internalBeforeRender(Component.java:950) at org.apache. wicket.Component.beforeRender(Component.java:1018) at org.apache.wicket. MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) at org. apache.wicket.Component.onBeforeRender(Component.java:3916) at org.apache. wicket.Component.internalBeforeRender(Component.java:950) at org.apache. wicket.Component.beforeRender(Component.java:1018) at org.apache.wicket. MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) at org. apache.wicket.Component.onBeforeRender(Component.java:3916) at org.apache. wicket.Component.internalBeforeRender(Component.java:950) at org.apache. wicket.Component.beforeRender(Component.java:1018) at org.apache.wicket. MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) at org. apache.wicket.Component.onBeforeRender(Component.java:3916) at org.apache. wicket.markup.html.form.Form.onBeforeRender(Form.java:1810) at org.apache. wicket.Component.internalBeforeRender(Component.java:950) at org.apache. wicket.Component.beforeRender(Component.java:1018) at org.apache.wicket. MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) at org. apache.wicket.Component.onBeforeRender(Component.java:3916) at org.apache. wicket.Component.internalBeforeRender(Component.java:950) at org.apache. wicket.Component.beforeRender(Component.java:1018) at org.apache.wicket. MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) at org. apache.wicket.Component.onBeforeRender(Component.java:3916) at org.apache. wicket.Component.internalBeforeRender(Component.java:950) at org.apache. wicket.Component.beforeRender(Component.java:1018) at org.apache.wicket. MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) at org. apache.wicket.Component.onBeforeRender(Component.java:3916) at org.apache. wicket.markup.html.form.Form.onBeforeRender(Form.java:1810) at org.apache. wicket.Component.internalBeforeRender(Component.java:950) at org.apache. wicket.Component.beforeRender(Component.java:1018) at org.apache.wicket. MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) at org. apache.wicket.Component.onBeforeRender(Component.java:3916) at org.apache. wicket.Component.internalBeforeRender(Component.java:950) at org.apache. wicket.Component.beforeRender(Component.java:1018) at org.apache.wicket. MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) at org. apache.wicket.Component.onBeforeRender(Component.java:3916) at com.evolveum. midpoint.web.component.TabbedPanel.onBeforeRender(TabbedPanel.java:255) at org.apache.wicket.Component.internalBeforeRender(Component.java:950) at org. apache.wicket.Component.beforeRender(Component.java:1018) at org.apache. wicket.Component.internalPrepareForRender(Component.java:2236) at org. apache.wicket.Component.prepareForRender(Component.java:2275) at org.apache. wicket.page.XmlPartialPageUpdate.writeComponent(XmlPartialPageUpdate.java: 98) at org.apache.wicket.page.PartialPageUpdate.writeComponents (PartialPageUpdate.java:248) at org.apache.wicket.page.PartialPageUpdate. writeTo(PartialPageUpdate.java:161) at org.apache.wicket.ajax. AjaxRequestHandler.respond(AjaxRequestHandler.java:358) at org.apache. wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java: 895) at org.apache.wicket.request.RequestHandlerStack.execute (RequestHandlerStack.java:64) at org.apache.wicket.request. RequestHandlerStack.execute(RequestHandlerStack.java:97) at org.apache. wicket.request.cycle.RequestCycle.execute(RequestCycle.java:265) at org. apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java: 222) at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach (RequestCycle.java:293) at org.apache.wicket.protocol.http.WicketFilter. processRequestCycle(WicketFilter.java:261) at org.apache.wicket.protocol. http.WicketFilter.processRequest(WicketFilter.java:203) at org.apache. wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284) at org. apache.catalina.core.ApplicationFilterChain.internalDoFilter (ApplicationFilterChain.java:193) at org.apache.catalina.core. ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com. evolveum.midpoint.web.util.MidPointProfilingServletFilter.doFilter (MidPointProfilingServletFilter.java:86) at org.apache.catalina.core. ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter (ApplicationFilterChain.java:166) at org.springframework.security.web. FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor. invoke(FilterSecurityInterceptor.java:127) at org.springframework.security. web.access.intercept.FilterSecurityInterceptor.doFilter (FilterSecurityInterceptor.java:91) at org.springframework.security.web. FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter (ExceptionTranslationFilter.java:114) at org.springframework.security.web. FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.session.SessionManagementFilter.doFilter (SessionManagementFilter.java:137) at org.springframework.security.web. FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.authentication. AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java: 111) at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org. springframework.security.web.servletapi. SecurityContextHolderAwareRequestFilter.doFilter (SecurityContextHolderAwareRequestFilter.java:170) at org.springframework. security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy. java:331) at org.springframework.security.web.savedrequest. RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) at org. springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:331) at org.springframework.security.web.session. ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:155) at org. springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:331) at org.springframework.security.web. authentication.AbstractAuthenticationProcessingFilter.doFilter (AbstractAuthenticationProcessingFilter.java:200) at org.springframework. security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy. java:331) at org.springframework.security.web.authentication.logout. LogoutFilter.doFilter(LogoutFilter.java:116) at org.springframework. security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy. java:331) at org.springframework.security.web.csrf.CsrfFilter. doFilterInternal(CsrfFilter.java:100) at org.springframework.web.filter. OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org. springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:331) at org.springframework.security.web.context. SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter. java:105) at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org. springframework.security.web.context.request.async. WebAsyncManagerIntegrationFilter.doFilterInternal (WebAsyncManagerIntegrationFilter.java:56) at org.springframework.web. filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org. springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter (FilterChainProxy.java:331) at org.springframework.security.web. FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) at org. springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy. java:177) at org.springframework.web.filter.DelegatingFilterProxy. invokeDelegate(DelegatingFilterProxy.java:347) at org.springframework.web. filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter (ApplicationFilterChain.java:193) at org.apache.catalina.core. ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org. springframework.web.filter.RequestContextFilter.doFilterInternal (RequestContextFilter.java:99) at org.springframework.web.filter. OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache. catalina.core.ApplicationFilterChain.internalDoFilter (ApplicationFilterChain.java:193) at org.apache.catalina.core. ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org. springframework.web.filter.HttpPutFormContentFilter.doFilterInternal (HttpPutFormContentFilter.java:108) at org.springframework.web.filter. OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache. catalina.core.ApplicationFilterChain.internalDoFilter (ApplicationFilterChain.java:193) at org.apache.catalina.core. ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org. springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal (HiddenHttpMethodFilter.java:81) at org.springframework.web.filter. OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache. catalina.core.ApplicationFilterChain.internalDoFilter (ApplicationFilterChain.java:193) at org.apache.catalina.core. ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org. apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java: 199) at org.apache.catalina.core.StandardContextValve.invoke (StandardContextValve.java:96) at org.apache.catalina.authenticator. AuthenticatorBase.invoke(AuthenticatorBase.java:478) at org.apache.catalina. core.StandardHostValve.invoke(StandardHostValve.java:140) at org.apache. catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org. apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java: 342) at org.apache.coyote.http11.Http11Processor.service(Http11Processor. java:803) at org.apache.coyote.AbstractProcessorLight.process (AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ ConnectionHandler.process(AbstractProtocol.java:868) at org.apache.tomcat. util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) at org. apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at org. apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java: 61) at java.lang.Thread.run(Unknown Source) Caused by: com.evolveum. midpoint.util.exception.SchemaException: Could not find definition for item attributes/name at com.evolveum.midpoint.prism.query.ValueFilter. getFilterItem(ValueFilter.java:278) at com.evolveum.midpoint.prism.query. SubstringFilter.match(SubstringFilter.java:91) at com.evolveum.midpoint. prism.query.OrFilter.match(OrFilter.java:63) at com.evolveum.midpoint.prism. query.ObjectQuery.match(ObjectQuery.java:98) at com.evolveum.midpoint. common.ResourceObjectPattern.matches(ResourceObjectPattern.java:76) at com. evolveum.midpoint.common.ResourceObjectPattern.matches (ResourceObjectPattern.java:66) at com.evolveum.midpoint.provisioning.util. ProvisioningUtil.isProtectedShadow(ProvisioningUtil.java:336) at com. evolveum.midpoint.provisioning.util.ProvisioningUtil.setProtectedFlag (ProvisioningUtil.java:345) at com.evolveum.midpoint.provisioning.impl. ShadowCache.lambda$searchObjectsIterativeRepository$5(ShadowCache.java:1506) ... 151 more -------------- next part -------------- An HTML attachment was scrubbed... URL: From roman.pudil at ami.cz Thu Jan 4 22:06:09 2018 From: roman.pudil at ami.cz (Roman Pudil - AMI Praha a.s.) Date: Thu, 04 Jan 2018 21:06:09 +0000 Subject: [midPoint] Protected In-Reply-To: References: Message-ID: Hi Jan, try to change attributes/icfs:name to attributes/ri:dn Regards Roman Pudil solution architect gsm: [+420] 775 663 666 e-mail: roman.pudil at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel./fax: [+420] 274 783 239 web: www.ami.cz Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. ------ Původní zpráva ------ Od: "Jan Kaspar" Komu: midpoint at lists.evolveum.com Odesláno: 4.1.2018 21:56:42 Předmět: [midPoint] Protected >Hi Roman, > >I tryed this but still same. bellow is the error. > >Jan > >operation.com.evolveum.midpoint.web.component.data.SelectableBeanObjectDataProvider.searchObjectsMessageCouldn't >list objects.Errorcom.evolveum.midpoint.util.exception.SchemaException: >Could not find definition for item >attributes/nameshowcom.evolveum.midpoint.util.exception.SystemException: >com.evolveum.midpoint.util.exception.SchemaException: Could not find >definition for item attributes/name at >com.evolveum.midpoint.provisioning.impl.ShadowCache.lambda$searchObjectsIterativeRepository$5(ShadowCache.java:1534) > at >com.evolveum.midpoint.repo.cache.RepositoryCache$1.handle(RepositoryCache.java:227) > at >com.evolveum.midpoint.repo.sql.helpers.ObjectRetriever.searchObjectsIterativeAttempt(ObjectRetriever.java:704) > at >com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl.searchObjectsIterativeBySingleTransaction(SqlRepositoryServiceImpl.java:843) > at >com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl.searchObjectsIterative(SqlRepositoryServiceImpl.java:817) > at >com.evolveum.midpoint.repo.cache.RepositoryCache.searchObjectsIterative(RepositoryCache.java:230) > at >com.evolveum.midpoint.provisioning.impl.ShadowManager.searchObjectsIterativeRepository(ShadowManager.java:690) > at >com.evolveum.midpoint.provisioning.impl.ShadowCache.searchObjectsIterativeRepository(ShadowCache.java:1538) > at >com.evolveum.midpoint.provisioning.impl.ShadowCache.searchObjectsIterative(ShadowCache.java:1288) > at >com.evolveum.midpoint.provisioning.impl.ShadowCache.searchObjectsIterative(ShadowCache.java:1276) > at >com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.searchObjectsIterative(ProvisioningServiceImpl.java:1036) > at >com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.searchObjects(ProvisioningServiceImpl.java:483) > at >com.evolveum.midpoint.model.impl.controller.ModelController.searchObjects(ModelController.java:781) > at >com.evolveum.midpoint.web.component.data.SelectableBeanObjectDataProvider.internalIterator(SelectableBeanObjectDataProvider.java:177) > at >com.evolveum.midpoint.web.component.data.BaseSortableDataProvider.iterator(BaseSortableDataProvider.java:225) > at >org.apache.wicket.markup.repeater.data.DataViewBase$ModelIterator.(DataViewBase.java:107) > at >org.apache.wicket.markup.repeater.data.DataViewBase.getItemModels(DataViewBase.java:74) > at >org.apache.wicket.markup.repeater.AbstractPageableView.getItemModels(AbstractPageableView.java:101) > at >org.apache.wicket.markup.repeater.RefreshingView.onPopulate(RefreshingView.java:93) > at >org.apache.wicket.markup.repeater.AbstractRepeater.onBeforeRender(AbstractRepeater.java:124) > at >org.apache.wicket.markup.repeater.AbstractPageableView.onBeforeRender(AbstractPageableView.java:115) > at >org.apache.wicket.Component.internalBeforeRender(Component.java:950) > at org.apache.wicket.Component.beforeRender(Component.java:1018) at >org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) > at org.apache.wicket.Component.onBeforeRender(Component.java:3916) at >org.apache.wicket.Component.internalBeforeRender(Component.java:950) > at org.apache.wicket.Component.beforeRender(Component.java:1018) at >org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) > at org.apache.wicket.Component.onBeforeRender(Component.java:3916) at >org.apache.wicket.Component.internalBeforeRender(Component.java:950) > at org.apache.wicket.Component.beforeRender(Component.java:1018) at >org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) > at org.apache.wicket.Component.onBeforeRender(Component.java:3916) at >org.apache.wicket.Component.internalBeforeRender(Component.java:950) > at org.apache.wicket.Component.beforeRender(Component.java:1018) at >org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) > at org.apache.wicket.Component.onBeforeRender(Component.java:3916) at >org.apache.wicket.Component.internalBeforeRender(Component.java:950) > at org.apache.wicket.Component.beforeRender(Component.java:1018) at >org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) > at org.apache.wicket.Component.onBeforeRender(Component.java:3916) at >org.apache.wicket.Component.internalBeforeRender(Component.java:950) > at org.apache.wicket.Component.beforeRender(Component.java:1018) at >org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) > at org.apache.wicket.Component.onBeforeRender(Component.java:3916) at >org.apache.wicket.markup.html.form.Form.onBeforeRender(Form.java:1810) > at >org.apache.wicket.Component.internalBeforeRender(Component.java:950) > at org.apache.wicket.Component.beforeRender(Component.java:1018) at >org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) > at org.apache.wicket.Component.onBeforeRender(Component.java:3916) at >org.apache.wicket.Component.internalBeforeRender(Component.java:950) > at org.apache.wicket.Component.beforeRender(Component.java:1018) at >org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) > at org.apache.wicket.Component.onBeforeRender(Component.java:3916) at >org.apache.wicket.Component.internalBeforeRender(Component.java:950) > at org.apache.wicket.Component.beforeRender(Component.java:1018) at >org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) > at org.apache.wicket.Component.onBeforeRender(Component.java:3916) at >org.apache.wicket.markup.html.form.Form.onBeforeRender(Form.java:1810) > at >org.apache.wicket.Component.internalBeforeRender(Component.java:950) > at org.apache.wicket.Component.beforeRender(Component.java:1018) at >org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) > at org.apache.wicket.Component.onBeforeRender(Component.java:3916) at >org.apache.wicket.Component.internalBeforeRender(Component.java:950) > at org.apache.wicket.Component.beforeRender(Component.java:1018) at >org.apache.wicket.MarkupContainer.onBeforeRenderChildren(MarkupContainer.java:1825) > at org.apache.wicket.Component.onBeforeRender(Component.java:3916) at >com.evolveum.midpoint.web.component.TabbedPanel.onBeforeRender(TabbedPanel.java:255) > at >org.apache.wicket.Component.internalBeforeRender(Component.java:950) > at org.apache.wicket.Component.beforeRender(Component.java:1018) at >org.apache.wicket.Component.internalPrepareForRender(Component.java:2236) > at org.apache.wicket.Component.prepareForRender(Component.java:2275) > at >org.apache.wicket.page.XmlPartialPageUpdate.writeComponent(XmlPartialPageUpdate.java:98) > at >org.apache.wicket.page.PartialPageUpdate.writeComponents(PartialPageUpdate.java:248) > at >org.apache.wicket.page.PartialPageUpdate.writeTo(PartialPageUpdate.java:161) > at >org.apache.wicket.ajax.AjaxRequestHandler.respond(AjaxRequestHandler.java:358) > at >org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:895) > at >org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64) > at >org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:97) > at >org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:265) > at >org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:222) > at >org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:293) > at >org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261) > at >org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203) > at >org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284) > at >org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > at >org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > at >com.evolveum.midpoint.web.util.MidPointProfilingServletFilter.doFilter(MidPointProfilingServletFilter.java:86) > at >org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > at >org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317) > at >org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127) > at >org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at >org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at >org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at >org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at >org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at >org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at >org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:155) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at >org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at >org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at >org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) > at >org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at >org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at >org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) > at >org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) > at >org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) > at >org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) > at >org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) > at >org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347) > at >org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) > at >org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > at >org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > at >org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) > at >org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) > at >org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > at >org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > at >org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108) > at >org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) > at >org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > at >org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > at >org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) > at >org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) > at >org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) > at >org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > at >org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) > at >org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) > at >org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) > at >org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) > at >org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) > at >org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) > at >org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) > at >org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) > at >org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) > at >org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) > at >org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) > at >org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) > at >org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > at java.lang.Thread.run(Unknown Source) Caused by: >com.evolveum.midpoint.util.exception.SchemaException: Could not find >definition for item attributes/name at >com.evolveum.midpoint.prism.query.ValueFilter.getFilterItem(ValueFilter.java:278) > at >com.evolveum.midpoint.prism.query.SubstringFilter.match(SubstringFilter.java:91) > at com.evolveum.midpoint.prism.query.OrFilter.match(OrFilter.java:63) > at >com.evolveum.midpoint.prism.query.ObjectQuery.match(ObjectQuery.java:98) > at >com.evolveum.midpoint.common.ResourceObjectPattern.matches(ResourceObjectPattern.java:76) > at >com.evolveum.midpoint.common.ResourceObjectPattern.matches(ResourceObjectPattern.java:66) > at >com.evolveum.midpoint.provisioning.util.ProvisioningUtil.isProtectedShadow(ProvisioningUtil.java:336) > at >com.evolveum.midpoint.provisioning.util.ProvisioningUtil.setProtectedFlag(ProvisioningUtil.java:345) > at >com.evolveum.midpoint.provisioning.impl.ShadowCache.lambda$searchObjectsIterativeRepository$5(ShadowCache.java:1506) > ... 151 more -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Fri Jan 5 06:45:17 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Fri, 05 Jan 2018 06:45:17 +0100 (CET) Subject: [midPoint] Protected Message-ID: Hi Roman, thanks, that was the problem Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From vilo.repan at evolveum.com Sat Jan 6 00:00:45 2018 From: vilo.repan at evolveum.com (Viliam Repan) Date: Sat, 6 Jan 2018 00:00:45 +0100 Subject: [midPoint] MidPoint DB changes Message-ID: Hi all, I”ve just merged some changes related to hibernate 5 upgrade to MidPoint master branch. These changes will improve write speed of audit records, mainly in cases when there are many records in audit tables. More performance improvements are on the way as well. Current changes unfortunately means some DB changes as well. Simplest solution is to drop and recreate tables: m_audit_ref_value m_audit_prop_value m_audit_item m_audit_delta m_audit_event I’ve also created DB upgrade scripts, which do more intelligent version of upgrade as only “id” column has changed. Now it’s marked as auto_increment/identity column. Pull requests with improvements for SQL scripts are more than welcomed. Best regards, viliam From Caspi at seznam.cz Sat Jan 6 19:59:41 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Sat, 06 Jan 2018 19:59:41 +0100 (CET) Subject: [midPoint] Bulk Password change Message-ID: Hello, I would like to ask for help with creating filter for bulk password change for users. goal is to generate new password in all systems for batch of user based on attribute (employeeType) value. I found that script but filters doesnt work for me. What is correct filter? to filter all user with: employeeType == 'Internal' ObjectType b87eb285-b4ae-43c0-9e4c-7ba651de81fa 469fd663-4492-4c24-8ce3-3907df7ac7ec f9be8006-fd58-43f9-99ff-311935d9d3d3 b2a3f4ad-ad7b-4691-83d9-34d5ebb50a04 60dd9e6b-7403-4075-bcfa-d4566a552d41 generate-value items credentials/password/value true name credentials/password/value true Thanks Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From mederly at evolveum.com Sat Jan 6 20:35:22 2018 From: mederly at evolveum.com (Pavol Mederly) Date: Sat, 6 Jan 2018 20:35:22 +0100 Subject: [midPoint] Bulk Password change In-Reply-To: References: Message-ID: <28cb36aa-fa90-744a-f762-895b1374f53c@evolveum.com> Hello Jan, writing from memory but this should work: employeeType XYZ but take care to use UserType instead of ObjectType as it is in your sample. Best regards, Pavol Mederly Software developer evolveum.com On 06.01.2018 19:59, Jan Kaspar wrote: > Hello, > I would like to ask for help with creating filter for bulk password > change for users. > > goal is to generate new password in all systems for batch of user > based on attribute (employeeType) value. > > I found that script but filters doesnt work for me. > > What is correct filter? to filter all user with: employeeType == > 'Internal' > > |<||s:executeScript| > |xmlns:s||=||"http://midpoint.evolveum.com/xml/ns/public/model/scripting-3" > | > |||xmlns:c||=||"http://midpoint.evolveum.com/xml/ns/public/common/common-3" > | > |||xmlns:xsi||=||"http://www.w3.org/2001/XMLSchema-instance" > | > |||xmlns:api||=||"http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" > ||>| > |||<||s:pipeline||>| > |||<||s:search||>| > |||<||s:type||>ObjectType| > |||<||s:searchFilter||>| > |||<||q:inOid| > |xmlns:q||=||"http://prism.evolveum.com/xml/ns/public/query-3" > ||>| > |||<||q:value||>b87eb285-b4ae-43c0-9e4c-7ba651de81fa > ||| > |||<||q:value||>469fd663-4492-4c24-8ce3-3907df7ac7ec > ||| > |||<||q:value||>f9be8006-fd58-43f9-99ff-311935d9d3d3 > ||| > |||<||q:value||>b2a3f4ad-ad7b-4691-83d9-34d5ebb50a04 > ||| > |||<||q:value||>60dd9e6b-7403-4075-bcfa-d4566a552d41 > ||| > |||| > |||| > |||| > |||<||s:action||>| > |||<||s:type||>generate-value| > |||<||s:parameter||>| > |||<||s:name||>items| > |||<||c:value| |xsi:type||=||"api:PolicyItemsDefinitionType"||>| > |||<||api:policyItemDefinition||>| > |||<||api:target||>| > |||<||api:path||>credentials/password/value| > |||| > |||<||api:execute||>true| > |||| > |||| > |||| > ||| | > |||<||s:filterContent||>| > |||<||s:keep||>name| > |||<||s:keep||>credentials/password/value| > |||| > |||| > |||<||s:options||>| > |||<||s:continueOnAnyError||>true| > |||| > || > | > | > |Thanks Jan| > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Sat Jan 6 21:12:35 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Sat, 06 Jan 2018 21:12:35 +0100 (CET) Subject: [midPoint] Bulk Password change (Pavol Mederly) Message-ID: Hi Pavol, thanks for reply. I also try that but i got error: Couldn't parse bulk action object (http://192.168.4.104:8080/admin/config/bulk?270-1.ILinkListener-feedbackContainer-feedback-list-4-message-detailsBox-downloadXml) Operation operation.performBulkAction Message Couldn't parse bulk action object Error Error parsing XML document The prefix "q" for element "q:equal" is not bound. show java.lang.IllegalStateException: Error parsing XML document The prefix "q" for element "q:equal" is not bound. at com.evolveum.midpoint.util.DOMUtil. parse(DOMUtil.java:255) at com.evolveum.midpoint.prism.lex.dom. DomLexicalProcessor.read(DomLexicalProcessor.java:84) at com.evolveum. midpoint.prism.marshaller.PrismParserImpl.doParseRealValue(PrismParserImpl. java:157) at com.evolveum.midpoint.prism.marshaller.PrismParserImpl. doParseRealValue(PrismParserImpl.java:163) at com.evolveum.midpoint.prism. marshaller.PrismParserImplNoIO.parseRealValue(PrismParserImplNoIO.java:146) at com.evolveum.midpoint.web.page.admin.configuration.PageBulkAction. startPerformed(PageBulkAction.java:117) UserType name jack generate-value items credentials/password/value true name credentials/password/value true Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Sat Jan 6 21:16:28 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Sat, 06 Jan 2018 21:16:28 +0100 (CET) Subject: [midPoint] Bulk Password change Message-ID: Hi again, got it. rmeove Q: and P: solved my problem. Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Sun Jan 7 14:31:39 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Sun, 07 Jan 2018 14:31:39 +0100 (CET) Subject: [midPoint] Condition for role assignement Message-ID: Hi, I am trying to create condition for Org assignement. Basicaly user type have to be a Contractor and must be enabled. Problem with this cone is an AND operator (&&). with this i cannot save the code. I am missing point. In other mappings i am using OR and it works. See code bellow: My Object Template: test assign orgs false strong employeeType activation/effectiveStatus assignment Thanks for Help Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From o.nekriach at dynatech.lv Mon Jan 8 08:38:49 2018 From: o.nekriach at dynatech.lv (Oleksandr Nekriach) Date: Mon, 8 Jan 2018 09:38:49 +0200 Subject: [midPoint] Condition for role assignement In-Reply-To: References: Message-ID: Hello Jan, You should use $amp; instead of & character Best regards, Oleksandr On 7 January 2018 at 15:31, Jan Kaspar wrote: > Hi, > > I am trying to create condition for Org assignement. Basicaly user type have > to be a Contractor and must be enabled. > Problem with this cone is an AND operator (&&). with this i cannot save the > code. I am missing point. In other mappings i am using OR and it works. > > See code bellow: > > > My Object Template: test assign orgs > false > strong > > employeeType > > > activation/effectiveStatus > > > > type="OrgType"/> > > > > assignment > > > > > > > Thanks for Help > > Jan > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > -- Best regards, Oleksandr Nekriach | Identity and access management engineer Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia +37125314685 , o.nekriach at dynatech.lv | www.dynatech.lv Stay connected: Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. From o.nekriach at dynatech.lv Mon Jan 8 08:40:12 2018 From: o.nekriach at dynatech.lv (Oleksandr Nekriach) Date: Mon, 8 Jan 2018 09:40:12 +0200 Subject: [midPoint] Condition for role assignement In-Reply-To: References: Message-ID: Sorry thi one is correct & On 8 January 2018 at 09:38, Oleksandr Nekriach wrote: > Hello Jan, > You should use $amp; instead of & character > > Best regards, Oleksandr > > On 7 January 2018 at 15:31, Jan Kaspar wrote: >> Hi, >> >> I am trying to create condition for Org assignement. Basicaly user type have >> to be a Contractor and must be enabled. >> Problem with this cone is an AND operator (&&). with this i cannot save the >> code. I am missing point. In other mappings i am using OR and it works. >> >> See code bellow: >> >> >> My Object Template: test assign orgs >> false >> strong >> >> employeeType >> >> >> activation/effectiveStatus >> >> >> >> > type="OrgType"/> >> >> >> >> assignment >> >> >> >> >> >> >> Thanks for Help >> >> Jan >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint >> > > > > -- > Best regards, > > Oleksandr Nekriach | Identity and access management engineer > > Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia > > +37125314685 > , > o.nekriach at dynatech.lv > | > www.dynatech.lv > > > > > Stay connected: > > > Confidentiality Notice: This message contains confidential information > and is intended only for the named recipient(s). If you are not the > addressee you may not copy, distribute or perform any other activities > with this information. If you have received this transmission in > error, please notify us by e-mail immediately. E-mail transmission > cannot be guaranteed to be secure or error-free as information could > be intercepted, corrupted, lost, destroyed, arrive late or incomplete, > or contain viruses. -- Best regards, Oleksandr Nekriach | Identity and access management engineer Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia +37125314685 , o.nekriach at dynatech.lv | www.dynatech.lv Stay connected: Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. From o.nekriach at dynatech.lv Mon Jan 8 15:49:58 2018 From: o.nekriach at dynatech.lv (Oleksandr Nekriach) Date: Mon, 8 Jan 2018 16:49:58 +0200 Subject: [midPoint] Principle of Relativity Message-ID: Hi guys, Please answer me whether there is a way to recalculate all the attributes and assignments that are assigned to users according to its ObjectTemplate. Or the principle of Relativity can not be bypassed. Example: We have ObjectTemplate wich is applied during reconciliation. This ObjectTemplate assigns roles to the users. But after some time I have found that the IDM administrators (Help Desk guys) made some changes. And I'm not sure whether all users have those assignments that were automatically calculated according to ObjectTemplates or there is something superfluous. And I would like to remove this unnecessary assignments automatically. -- Best regards, Oleksandr Nekriach | Identity and access management engineer Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia +37125314685 , o.nekriach at dynatech.lv | www.dynatech.lv Stay connected: Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. From Caspi at seznam.cz Tue Jan 9 15:18:25 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Tue, 09 Jan 2018 15:18:25 +0100 (CET) Subject: [midPoint] AD Attributes Message-ID: Hi, I need to be able to edit more attributes in Active Directory. Attrributes are extensionAttribute1-10 for example. We are using them for other applications. How to do that? For now I am using ri:user and ri:group. Thanks Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From ivan.noris at evolveum.com Tue Jan 9 17:14:32 2018 From: ivan.noris at evolveum.com (Ivan Noris) Date: Tue, 9 Jan 2018 17:14:32 +0100 Subject: [midPoint] AD Attributes In-Reply-To: References: Message-ID: <5d595881-cae9-2ff9-35a6-648a36155b2f@evolveum.com> Hi Jan, if these attributes are not returned by the AD/connector, one possible way is to configure them as operational attribute(s) in your AD/LDAP resource configuration. E.g. this is from one of my projects: . . . extensionAttribute15 . . . Best regards, Ivan On 09.01.2018 15:18, Jan Kaspar wrote: > Hi, > > I need to be able to edit more attributes in Active Directory. > Attrributes are extensionAttribute1-10 for example. > > We are using them for other applications. > How to do that? For now I am using ri:user and ri:group. > > Thanks > > Jan > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -- Ivan Noris Senior Identity Engineer evolveum.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From wojciech.staszewski at diagnostyka.pl Tue Jan 9 22:23:48 2018 From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski) Date: Tue, 9 Jan 2018 22:23:48 +0100 Subject: [midPoint] V3.7 - approverRef and ownerRef Message-ID: Hi All! In the new version 3.7 the approverRef and ownerRef are marked by exclamation mark in the role detail GUI as if they were deprecated. But he new tab appeared: "Governance", where I can assign approvers, managers and owners. I assigned an approver to a role, but I cannot find this in the role xml. I can see this only in the user xml in "targetRef/relation=org:approver" section. I want to make a role template where the approver is directly assigned to the imported roles, without using metarole. How should I do it? Thanks! WS -------------- next part -------------- An HTML attachment was scrubbed... URL: From petr.gasparik at ami.cz Tue Jan 9 22:54:39 2018 From: petr.gasparik at ami.cz (=?UTF-8?B?UGV0ciBHYcWhcGFyw61rIC0gQU1JIFByYWhhIGEucy4=?=) Date: Tue, 9 Jan 2018 22:54:39 +0100 Subject: [midPoint] V3.7 - approverRef and ownerRef In-Reply-To: References: Message-ID: Hi Wojciech, I believe this was replaced by assignment type manager, approver, owner, ... See old example: https://wiki.evolveum.com/pages/viewpage.action?pageId=4882466 with link to new example: https://wiki.evolveum.com/display/midPoint/Approval+sample+scenario+1%3A+Multi-level%2C+metarole-driven+approvals -- s pozdravem Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gasparik at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz [image: AMI Praha a.s.] Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. 2018-01-09 22:23 GMT+01:00 Wojciech Staszewski < wojciech.staszewski at diagnostyka.pl>: > Hi All! > > In the new version 3.7 the approverRef and ownerRef are marked by exclamation > mark in the role detail GUI as if they were deprecated. > But he new tab appeared: "Governance", where I can assign approvers, > managers and owners. > > I assigned an approver to a role, but I cannot find this in the role xml. > I can see this only in the user xml in "targetRef/relation=org:approver" > section. > > I want to make a role template where the approver is directly assigned to > the imported roles, without using metarole. > How should I do it? > Thanks! > WS > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wojciech.staszewski at diagnostyka.pl Wed Jan 10 10:27:02 2018 From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski) Date: Wed, 10 Jan 2018 10:27:02 +0100 Subject: [midPoint] V3.7 - approverRef and ownerRef In-Reply-To: References: Message-ID: Sorry but I don't get it. All of these examples use metaroles for approval and I want to assign approver explicitly/directly. So I have to use role autoassignment with approver relation? Regards! WS W dniu 09.01.2018 o 22:23, Wojciech Staszewski pisze: > Hi All! > > In the new version 3.7 the approverRef and ownerRef are marked by exclamation mark in the role detail GUI as if they were deprecated. > But he new tab appeared: "Governance", where I can assign approvers, managers and owners. > > I assigned an approver to a role, but I cannot find this in the role xml. > I can see this only in the user xml in "targetRef/relation=org:approver" section. > > I want to make a role template where the approver is directly assigned to the imported roles, without using metarole. > How should I do it? > > Thanks! > WS > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > From petr.gasparik at ami.cz Wed Jan 10 11:25:40 2018 From: petr.gasparik at ami.cz (=?UTF-8?B?UGV0ciBHYcWhcGFyw61rIC0gQU1JIFByYWhhIGEucy4=?=) Date: Wed, 10 Jan 2018 11:25:40 +0100 Subject: [midPoint] V3.7 - approverRef and ownerRef In-Reply-To: References:

Message-ID: I leave this for Evolveum to answer P. -- s pozdravem Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gasparik at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz [image: AMI Praha a.s.] Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. 2018-01-10 10:27 GMT+01:00 Wojciech Staszewski < wojciech.staszewski at diagnostyka.pl>: > Sorry but I don't get it. All of these examples use metaroles for approval > and I want to assign approver explicitly/directly. > So I have to use role autoassignment with approver relation? > > Regards! > WS > > W dniu 09.01.2018 o 22:23, Wojciech Staszewski pisze: > > Hi All! > > > > In the new version 3.7 the approverRef and ownerRef are marked by > exclamation mark in the role detail GUI as if they were deprecated. > > But he new tab appeared: "Governance", where I can assign approvers, > managers and owners. > > > > I assigned an approver to a role, but I cannot find this in the role xml. > > I can see this only in the user xml in "targetRef/relation=org:approver" > section. > > > > I want to make a role template where the approver is directly assigned > to the imported roles, without using metarole. > > How should I do it? > > > > Thanks! > > WS > > > > > > _______________________________________________ > > midPoint mailing list > > midPoint at lists.evolveum.com > > http://lists.evolveum.com/mailman/listinfo/midpoint > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > -------------- next part -------------- An HTML attachment was scrubbed... URL: From radovan.semancik at evolveum.com Wed Jan 10 13:57:34 2018 From: radovan.semancik at evolveum.com (Radovan Semancik) Date: Wed, 10 Jan 2018 13:57:34 +0100 Subject: [midPoint] MidPoint in 2018 Message-ID: Dear midPoint community, Happy new year! 2018 is here. And it looks like a very exciting year for midPoint. There are new development plans for 2018 but also interesting changes in our business model. There is so much to look forward to in 2018. I would like use this start-of-new-year period to share our plans with you. This is going to be quite a long mail. But there are important information to share with you. So please make yourself comfortable. First let’s have a look back at 2017. This was yet another busy year for midPoint. Especially the Comenius release brought huge amount of new features. This was followed by Darwin which brought a wide range of evolutionary improvements. It means that MidPoint is now much more than just IDM. MidPoint is planted deeply in the identity governance field. In fact it is the first (and only) full-featured identity governance system in existence. Which I guess makes it a best-of-breed solution, doesn’t it? MidPoint is also recognized by major industry analysts and the number of midPoint deployment is growing. So, we can say that we have reached and even exceeded our plans for 2017. And now the plans for 2018. The plan is, as usual, to have two releases. MidPoint 3.8 is planned for early spring, midPoint 3.9 will come in autumn. We have quite precise plans for 3.8, but there are preliminary plans for the whole of 2018. Let’s start at the beginning. The development of midPoint 3.8 is already in full swing. There are two major focus areas: scalability and data protection. The goal is to run midPoint efficiently even for massive deployments. Currently it can handle deployments with few millions of identities – assuming appropriate configuration, environment and quite a bit of patience. But midPoint 3.8 should be able to go beyond that limit. Our team is working on the scalability and performance improvements right now. The second area where midPoint is being developed is data protection. Yes, that means GDPR. Identity management systems are almost ideal tools to support and automate data protection mechanisms. But midPoint goes a step further by introducing features specifically aimed at data protection into the base product. This is still a bit of a secret (as much as anything can really be a secret in an open source world). We are going to unveil the details at FOSDEM conference. So it might be a good idea to head for Brussels in first weekend in February. This is going to be fun: https://fosdem.org/2018/schedule/event/idm_midpoint/ MidPoint 3.8 will be released quite soon, most likely early April. The plan is to get back to our original April/October release schedule. Precise plans for midPoint 3.9 are still open. Significant part of development time is reserved for platform subscribers. But the preliminary plan for this release tentatively aims at improving user experience (UX) of the user interface. There was a gradual evolution of the user interface in every release to date. But current situation asks for a bigger review of the UX principles of midPoint user interface. The extent of the improvements is still not entirely certain. There are a lot of ideas and suggestions and it is quite clear that not all of them will make it to midPoint 3.9. Which improvements will be included mostly depends on preferences expressed by the subscribers. Therefore, it is perhaps a good idea to purchase your subscription now to make sure that your voice will be heard. There are only a few months left before midPoint 3.9 development starts. There are also a couple changes to Evolveum business model. First change affects the lifetime of the releases. Up until now every release was supported for two years since the initial (minor) release. This was a good model when midPoint was young. It was ideal for early adopters that wanted new features very quickly. But now when midPoint is a mature product stability is much more important than rapid feature delivery. Therefore, in 2018 midPoint will be adopting the system of long-term support (LTS) releases. There will be an LTS release every two years and those releases will be supported for a longer time. The other (non-LTS) releases will be supported for a shorter time. There will also be a direct upgrade path between LTS releases. Therefore, the LTS releases are for those that prefer stability. Other feature releases are for those that prefer rapid delivery of new features. There is something for everybody. The other change in our business is the strong preference of subscriptions over sponsoring. Up until now there was a possibility to directly sponsor a specific feature. We will be phasing out this offering during 2018. Sponsoring can pay for the development of a new feature. But it does not cover the maintenance cost. Only subscription can do that. MidPoint is now a mature system and feature stability and continuity is crucial. Therefore, we decided to support this stability with appropriate business model. From now on the right way to get your feature into midPoint is to use platform subscription: https://evolveum.com/services/professional-support/ There is also one change that is very likely to affect this mailing list. Since the beginning of midPoint project back in 2011 we have used this mailing list as a primary means of technological communication. We definitely want to maintain that, and I take it as my personal new year resolution to try to communicate our plans more often and more clearly. The mailing list is also used as a community support forum. Which is good and it is a pleasant sight to see such a vibrant community growing around a product that we have created. However, having Evolveum engineers answer every community question is an enormous drain on our resources. You might have noticed that we have reduced the amount of time that our engineers use for community support during last year. I'm afraid that this is a trend that is very likely to continue. The community gets bigger and it is not possible to answer every question. Therefore we have to prioritize. And of course, midPoint subscribers get absolute priority. We will also try to answer as many community questions as possible, but only to the extent that time availability of our engineers permits. I'm sorry about this, but even our engineers need to get a bit of sleep occasionally. On the other hand as midPoint community grows there are more and more cases when a community question is answered by another community member. And I must say that I'm very happy that midPoint community has this life of its own. Thank you all for that! There is a similar situation when it comes to bug reports. It is always good practice to file a bug report in our Jira. However, I would like to clarify the expectations about the fix. All issues reported by midPoint subscribers will be prioritized. Subscriber issues will be handled as soon as possible. If the subscriber specified a higher priority for the issue then the issue will be fixed in next (minor) midPoint release. If the subscriber indicated that this issues should be part of a maintenance release then we will backport the fix. To summarize: subscriber is a king. Then there are (non-subscriber) community issues. We will prioritize fixing community issues only in two cases: if it is a security issue or if the bug affects huge number of midPoint deployments (security issues will always get highest priority regardless of who has reported them). Other community issues have to wait. We will not work on these issues immediately. We will not ignore the issues, we will just assign lower priority to them. We have a test/bugfix cycle before every midPoint release. That's the time when community issues may get fixed - but only after all the subscriber issues are fixed. However, the experience from recent midPoint releases tells that this time is very limited. Community issues will not block scheduled midPoint release. Therefore it is not realistic to expect that all community issues will get fixed. Unfixed issues are postponed for the next release. But the priority stays the same. So there may be quite a long time before the issues get fixed. In fact there are community issues that are already postponed for several years. I'm sorry for this. We would really like to fix all the issues. But our capacity to fix community issues is limited. At this point I'm quite certain that you are aware where this all leads to. And you are right. Please, get midPoint subscription. That is the right thing to do to keep midPoint project going. So, this is the current state of midPoint project and those are our plans for 2018. MidPoint is the biggest open source IDM system out there. It is actually bigger than all the other open source IDM systems combined – both in the quantity of the code and quality of the features. MidPoint is the only open source system that implements strong identity governance. The midPoint project is a great success. All these years of hard work were worth it. Even though vast majority of the work was done by the core team in Evolveum, the project would not be possible without you: midPoint community. We would like to thank all midPoint contributors and especially midPoint subscribers. MidPoint would not be such a great product without all your support. Thank you! -- Radovan Semancik Software Architect evolveum.com From wojciech.staszewski at diagnostyka.pl Wed Jan 10 14:32:37 2018 From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski) Date: Wed, 10 Jan 2018 14:32:37 +0100 Subject: [midPoint] MidPoint in 2018 In-Reply-To: References: Message-ID: Hello! About this mailing list: As I understand, the list will remain as the main communication channel and there's no plans for a community forum/board? I have nothing against the mailing list, except the fact that our e-mail addresses are exhibited for public access in the archives, for the spam scanners too... :( Best regards! WS W dniu 10.01.2018 o 13:57, Radovan Semancik pisze: > Dear midPoint community, > [...] From radovan.semancik at evolveum.com Wed Jan 10 15:06:26 2018 From: radovan.semancik at evolveum.com (Radovan Semancik) Date: Wed, 10 Jan 2018 15:06:26 +0100 Subject: [midPoint] MidPoint in 2018 In-Reply-To: References:

Message-ID: <221f0e77-54d9-93b4-3709-162e7d7cbef3@evolveum.com> Hi, Yes, the mailing list will remain. We have no specific plans for the forum. Some time ago we have been looking at the options that we have. We definitely want to keep the mailing-list character (mail-based communication) as I believe this brings a level of civility that is rarely seen in Internet forums. But we have not been able to identity any reasonable software that would combine the advantages of mailing list and forum. That would indeed be very attractive. Just we have just found no viable options. But, as always, we are open to suggestions. -- Radovan Semancik Software Architect evolveum.com On 01/10/2018 02:32 PM, Wojciech Staszewski wrote: > Hello! > > About this mailing list: As I understand, the list will remain as the main communication channel and there's no plans for a community forum/board? > I have nothing against the mailing list, except the fact that our e-mail addresses are exhibited for public access in the archives, > for the spam scanners too... :( > > Best regards! > WS > > W dniu 10.01.2018 o 13:57, Radovan Semancik pisze: >> Dear midPoint community, >> > [...] > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint From martin.lizner at ami.cz Wed Jan 10 15:21:54 2018 From: martin.lizner at ami.cz (=?UTF-8?Q?Martin_L=C3=ADzner_=2D_AMI_Praha_a=2Es=2E?=) Date: Wed, 10 Jan 2018 15:21:54 +0100 Subject: [midPoint] V3.7 - approverRef and ownerRef In-Reply-To: References:

Message-ID: Hi, storing approvers in role object is obsoleted indeed. New approach is storing this information as focus (user, role, org) assignment with special relation. This allows new features like delegation and certification. You dont need to use metaroles or autoassignment for role approvers. You can do it via direct assignment from user to role with special relation set (relation=approver). In GUI, you can e.g. set it from role detail - Governance tab. M. Martin Lízner solution architect gsm: [+420] 737 745 571 e-mail: martin.lizner at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz [image: AMI Praha a.s.] Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. 2018-01-10 10:27 GMT+01:00 Wojciech Staszewski < wojciech.staszewski at diagnostyka.pl>: > Sorry but I don't get it. All of these examples use metaroles for approval > and I want to assign approver explicitly/directly. > So I have to use role autoassignment with approver relation? > > Regards! > WS > > W dniu 09.01.2018 o 22:23, Wojciech Staszewski pisze: > > Hi All! > > > > In the new version 3.7 the approverRef and ownerRef are marked by > exclamation mark in the role detail GUI as if they were deprecated. > > But he new tab appeared: "Governance", where I can assign approvers, > managers and owners. > > > > I assigned an approver to a role, but I cannot find this in the role xml. > > I can see this only in the user xml in "targetRef/relation=org:approver" > section. > > > > I want to make a role template where the approver is directly assigned > to the imported roles, without using metarole. > > How should I do it? > > > > Thanks! > > WS > > > > > > _______________________________________________ > > midPoint mailing list > > midPoint at lists.evolveum.com > > http://lists.evolveum.com/mailman/listinfo/midpoint > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wojciech.staszewski at diagnostyka.pl Wed Jan 10 15:27:35 2018 From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski) Date: Wed, 10 Jan 2018 15:27:35 +0100 Subject: [midPoint] V3.7 - approverRef and ownerRef In-Reply-To: References:

Message-ID: <9e06800d-8746-af38-cd63-5681036882c3@diagnostyka.pl> Hi! I know how to do it in GUI, I want to know how to do it in role template :) Best regards! WS W dniu 10.01.2018 o 15:21, Martin Lízner - AMI Praha a.s. pisze: > Hi, > > storing approvers in role object is obsoleted indeed. New approach is storing this information as focus (user, role, org) assignment with special relation. This allows new features like delegation and certification. > > You dont need to use metaroles or autoassignment for role approvers. You can do it via direct assignment from user to role with special relation set (relation=approver). In GUI, you can e.g. set it from role detail - Governance tab. > > M. > > Martin Lízner > solution architect > > gsm: [+420] 737 745 571 > e-mail: martin.lizner at ami.cz > > > > AMI Praha a.s. > Pláničkova 11 > 162 00 Praha 6 > tel.: [+420] 274 783 239 > web: www.ami.cz > > > > > AMI Praha a.s. > > Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. > jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. > > > > 2018-01-10 10:27 GMT+01:00 Wojciech Staszewski >: > > Sorry but I don't get it. All of these examples use metaroles for approval and I want to assign approver explicitly/directly. > So I have to use role autoassignment with approver relation? > > Regards! > WS > > W dniu 09.01.2018 o 22:23, Wojciech Staszewski pisze: > > Hi All! > > > > In the new version 3.7 the approverRef and ownerRef are marked by exclamation mark in the role detail GUI as if they were deprecated. > > But he new tab appeared: "Governance", where I can assign approvers, managers and owners. > > > > I assigned an approver to a role, but I cannot find this in the role xml. > > I can see this only in the user xml in "targetRef/relation=org:approver" section. > > > > I want to make a role template where the approver is directly assigned to the imported roles, without using metarole. > > How should I do it? > > > > Thanks! > > WS > > > > > > _______________________________________________ > > midPoint mailing list > > midPoint at lists.evolveum.com > > http://lists.evolveum.com/mailman/listinfo/midpoint > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > From martin.lizner at ami.cz Wed Jan 10 15:33:21 2018 From: martin.lizner at ami.cz (=?UTF-8?Q?Martin_L=C3=ADzner_=2D_AMI_Praha_a=2Es=2E?=) Date: Wed, 10 Jan 2018 15:33:21 +0100 Subject: [midPoint] Principle of Relativity In-Reply-To: References: Message-ID: Hi, try using strength=strong for your object template mappings. Should do for most cases. Default is strength=normal, which triggers mapping only when mapping sources are changed. M. Martin Lízner solution architect gsm: [+420] 737 745 571 e-mail: martin.lizner at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz [image: AMI Praha a.s.] Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. 2018-01-08 15:49 GMT+01:00 Oleksandr Nekriach : > Hi guys, > Please answer me whether there is a way to recalculate all the > attributes and assignments that are assigned to users according to its > ObjectTemplate. Or the principle of Relativity can not be bypassed. > Example: > We have ObjectTemplate wich is applied during reconciliation. This > ObjectTemplate assigns roles to the users. But after some time I have > found that the IDM administrators (Help Desk guys) made some changes. > And I'm not sure whether all users have those assignments that were > automatically calculated according to ObjectTemplates or there is > something superfluous. And I would like to remove this unnecessary > assignments automatically. > > -- > Best regards, > > Oleksandr Nekriach | Identity and access management engineer > > Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia > > +37125314685 > , > o.nekriach at dynatech.lv > | > www.dynatech.lv > > > > > Stay connected: > > > Confidentiality Notice: This message contains confidential information > and is intended only for the named recipient(s). If you are not the > addressee you may not copy, distribute or perform any other activities > with this information. If you have received this transmission in > error, please notify us by e-mail immediately. E-mail transmission > cannot be guaranteed to be secure or error-free as information could > be intercepted, corrupted, lost, destroyed, arrive late or incomplete, > or contain viruses. > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Wed Jan 10 16:12:27 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Wed, 10 Jan 2018 16:12:27 +0100 (CET) Subject: [midPoint] Protected OUs Message-ID: Hi All, I have a question about filtering in resource (AD). I have an example of OU structure that contains hundrets of OU on same level. OU=1,OU=Country, DC=Company, DC=local . .. OU=500,OU=Country, DC=Company, DC=local There is a need to work only with OU 1-10. Others must be protected. Is there a way how to accomplish that? There is not posibility to change OU structure. Thanks, Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From o.nekriach at dynatech.lv Wed Jan 10 16:29:03 2018 From: o.nekriach at dynatech.lv (Oleksandr Nekriach) Date: Wed, 10 Jan 2018 17:29:03 +0200 Subject: [midPoint] Principle of Relativity In-Reply-To: References: Message-ID: Hi Martin, I have already tried this approach but had not success in my case. Assigment Agents to Agents Role true strong $user/employeeType formerEmployee $user/extension/formerEmployee assignment On 10 January 2018 at 16:33, Martin Lízner - AMI Praha a.s. < martin.lizner at ami.cz> wrote: > Hi, try using strength=strong for your object template mappings. Should do > for most cases. Default is strength=normal, which triggers mapping only > when mapping sources are changed. M. > > Martin Lízner > solution architect > > gsm: [+420] 737 745 571 <+420%20737%20745%20571> > e-mail: martin.lizner at ami.cz > > > AMI Praha a.s. > Pláničkova 11 > 162 00 Praha 6 > tel.: [+420] 274 783 239 <+420%20274%20783%20239> > web: www.ami.cz > > > > [image: AMI Praha a.s.] > > Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za > společnost AMI Praha a.s. > jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně > písemnou formu. > > > 2018-01-08 15:49 GMT+01:00 Oleksandr Nekriach : > >> Hi guys, >> Please answer me whether there is a way to recalculate all the >> attributes and assignments that are assigned to users according to its >> ObjectTemplate. Or the principle of Relativity can not be bypassed. >> Example: >> We have ObjectTemplate wich is applied during reconciliation. This >> ObjectTemplate assigns roles to the users. But after some time I have >> found that the IDM administrators (Help Desk guys) made some changes. >> And I'm not sure whether all users have those assignments that were >> automatically calculated according to ObjectTemplates or there is >> something superfluous. And I would like to remove this unnecessary >> assignments automatically. >> >> -- >> Best regards, >> >> Oleksandr Nekriach | Identity and access management engineer >> >> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia >> >> +37125314685 >> , >> o.nekriach at dynatech.lv >> | >> www.dynatech.lv >> >> >> >> >> Stay connected: >> >> >> Confidentiality Notice: This message contains confidential information >> and is intended only for the named recipient(s). If you are not the >> addressee you may not copy, distribute or perform any other activities >> with this information. If you have received this transmission in >> error, please notify us by e-mail immediately. E-mail transmission >> cannot be guaranteed to be secure or error-free as information could >> be intercepted, corrupted, lost, destroyed, arrive late or incomplete, >> or contain viruses. >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint >> > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > -- Best regards, Oleksandr Nekriach | Identity and access management engineer Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia +37125314685 <+371%2025%20314%20685> , o.nekriach at dynatech.lv | www.dynatech.lv Stay connected: Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: o.nekriach at dynatech.lv1502777022855-7771 Type: image/png Size: 790 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: o.nekriach at dynatech.lv1502777022855-7770 Type: image/png Size: 2602 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: o.nekriach at dynatech.lv1502777022855-7772 Type: image/png Size: 786 bytes Desc: not available URL: From petr.gasparik at ami.cz Wed Jan 10 16:53:26 2018 From: petr.gasparik at ami.cz (=?UTF-8?B?UGV0ciBHYcWhcGFyw61rIC0gQU1JIFByYWhhIGEucy4=?=) Date: Wed, 10 Jan 2018 16:53:26 +0100 Subject: [midPoint] MidPoint in 2018 In-Reply-To: <221f0e77-54d9-93b4-3709-162e7d7cbef3@evolveum.com> References:

<221f0e77-54d9-93b4-3709-162e7d7cbef3@evolveum.com> Message-ID: Google groups combine this, mail+web interface, you can use both. See Apereo maillist :) -- s pozdravem Petr Gašparík solution architect gsm: [+420] 603 523 860 e-mail: petr.gasparik at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz [image: AMI Praha a.s.] Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. 2018-01-10 15:06 GMT+01:00 Radovan Semancik : > Hi, > > Yes, the mailing list will remain. We have no specific plans for the > forum. Some time ago we have been looking at the options that we have. We > definitely want to keep the mailing-list character (mail-based > communication) as I believe this brings a level of civility that is rarely > seen in Internet forums. But we have not been able to identity any > reasonable software that would combine the advantages of mailing list and > forum. That would indeed be very attractive. Just we have just found no > viable options. But, as always, we are open to suggestions. > > -- > Radovan Semancik > Software Architect > evolveum.com > > > > On 01/10/2018 02:32 PM, Wojciech Staszewski wrote: > >> Hello! >> >> About this mailing list: As I understand, the list will remain as the >> main communication channel and there's no plans for a community forum/board? >> I have nothing against the mailing list, except the fact that our e-mail >> addresses are exhibited for public access in the archives, >> for the spam scanners too... :( >> >> Best regards! >> WS >> >> W dniu 10.01.2018 o 13:57, Radovan Semancik pisze: >> >>> Dear midPoint community, >>> >>> [...] >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint >> > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Thu Jan 11 00:07:54 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Thu, 11 Jan 2018 00:07:54 +0100 (CET) Subject: [midPoint] remove roles from disabled users Message-ID: <1YG.vMi.5eUEY1pvU2p.1QLfpA@seznam.cz> Hello All, can someone help me with change of following script? Script is removing roles from users that were administratively marked as disabled (activation status -> combobox). I would like to have it also in case that user is disabled by Valid To attribute. Remove assignments from disabled users secondary c:UserType Thanks Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From caspi at caspi.cz Wed Jan 10 13:36:00 2018 From: caspi at caspi.cz (=?UTF-8?Q?Jan_Ka=C5=A1par?=) Date: Wed, 10 Jan 2018 13:36:00 +0100 Subject: [midPoint] AD Attributes Message-ID: Hi Ivan, thank you very much. It works! S pozdravem Jan Kašpar -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Thu Jan 11 09:17:11 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Thu, 11 Jan 2018 09:17:11 +0100 (CET) Subject: [midPoint] remove roles from disabled users Message-ID: <1sT.vMm.2euxT8KfU61.1QLns7@seznam.cz> Hi, Found solution. Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From o.nekriach at dynatech.lv Thu Jan 11 09:26:07 2018 From: o.nekriach at dynatech.lv (Oleksandr Nekriach) Date: Thu, 11 Jan 2018 10:26:07 +0200 Subject: [midPoint] remove roles from disabled users In-Reply-To: <1sT.vMm.2euxT8KfU61.1QLns7@seznam.cz> References: <1sT.vMm.2euxT8KfU61.1QLns7@seznam.cz> Message-ID: Hi, Jan What is correct one? On 11 January 2018 at 10:17, Jan Kaspar wrote: > Hi, > > Found solution. > > Jan > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > -- Best regards, Oleksandr Nekriach | Identity and access management engineer Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia +37125314685 , o.nekriach at dynatech.lv | www.dynatech.lv Stay connected: Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. From ivan.noris at evolveum.com Thu Jan 11 10:19:16 2018 From: ivan.noris at evolveum.com (Ivan Noris) Date: Thu, 11 Jan 2018 10:19:16 +0100 Subject: [midPoint] Principle of Relativity In-Reply-To: References: Message-ID: Hi Oleksandr, one thing is to have strong mappings for assigning the roles through the template. But to really apply anything to target systems you also have to have strong mappings in schema handling/roles (outbound mappings) in all resources where you want this. Then reconciliation (or any other synchronization, including provisioning) will always try to push the values which should be in the target system account attributes. The default mapping strength is normal as Martin said; that means, only changes are synchronized. Regards, Ivan On 10.01.2018 16:29, Oleksandr Nekriach wrote: > Hi Martin, > I have already tried this approach but had not success in my case. > > > Assigment Agents to Agents Role > true > strong > > $user/employeeType > > > formerEmployee > $user/extension/formerEmployee > > > > type="c:RoleType"/> > > > > assignment > > > > > > > On 10 January 2018 at 16:33, Martin Lízner - AMI Praha a.s. > > wrote: > > Hi, try using strength=strong for your object template mappings. > Should do for most cases. Default is strength=normal, which > triggers mapping only when mapping sources are changed. M. > > Martin Lízner > solution architect > > gsm: [+420] 737 745 571 > e-mail: martin.lizner at ami.cz > > > > AMI Praha a.s. > Pláničkova 11 > 162 00 Praha 6 > tel.: [+420] 274 783 239 > web: www.ami.cz > > > > > > AMI Praha a.s. > > Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá > za společnost AMI Praha a.s. > jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít > výhradně písemnou formu. > > > > 2018-01-08 15:49 GMT+01:00 Oleksandr Nekriach > >: > > Hi guys, > Please answer me whether there is a way to recalculate all the > attributes and assignments that are assigned to users > according to its > ObjectTemplate. Or the principle of Relativity can not be > bypassed. > Example: > We have ObjectTemplate wich is applied during reconciliation. This > ObjectTemplate assigns roles to the users. But after some > time I have > found that the IDM administrators (Help Desk guys) made some > changes. > And I'm not sure whether all users have those assignments that > were > automatically calculated according to ObjectTemplates or there is > something superfluous. And I would like to remove this unnecessary > assignments automatically. > > -- > Best regards, > > Oleksandr Nekriach | Identity and access management engineer > > Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia > > +37125314685 > , > o.nekriach at dynatech.lv > | > www.dynatech.lv > > > > > Stay connected: > > > Confidentiality Notice: This message contains confidential > information > and is intended only for the named recipient(s). If you are > not the > addressee you may not copy, distribute or perform any other > activities > with this information. If you have received this transmission in > error, please notify us by e-mail immediately. E-mail transmission > cannot be guaranteed to be secure or error-free as information > could > be intercepted, corrupted, lost, destroyed, arrive late or > incomplete, > or contain viruses. > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > > > > > -- > Best regards, > > Oleksandr Nekriach | Identity and access management engineer > > Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia > > +37125314685 > , > o.nekriach at dynatech.lv > | > www.dynatech.lv > > > > > Stay connected: > > > > > Confidentiality Notice: This message contains confidential information > and is intended only for the named recipient(s). If you are not the > addressee you may not copy, distribute or perform any other activities > with this information. If you have received this transmission in > error, please notify us by e-mail immediately. E-mail transmission > cannot be guaranteed to be secure or error-free as information could > be intercepted, corrupted, lost, destroyed, arrive late or incomplete, > or contain viruses. > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -- Ivan Noris Senior Identity Engineer evolveum.com -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: o.nekriach at dynatech.lv1502777022855-7770 Type: image/png Size: 2602 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: o.nekriach at dynatech.lv1502777022855-7771 Type: image/png Size: 790 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: o.nekriach at dynatech.lv1502777022855-7772 Type: image/png Size: 786 bytes Desc: not available URL: From Caspi at seznam.cz Thu Jan 11 11:41:49 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Thu, 11 Jan 2018 11:41:49 +0100 (CET) Subject: [midPoint] remove roles from disabled users Message-ID: <2Cw.vMu.1Xhk25JW}ou.1QLpzj@seznam.cz> Hi Oleksandr, I just change : ActivationStatusType administrativeStatus = user.getActivation(). getEffectiveStatus(); Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From gustav.palos at evolveum.com Thu Jan 11 12:27:00 2018 From: gustav.palos at evolveum.com (=?UTF-8?B?UMOhbG9zIEd1c3TDoXY=?=) Date: Thu, 11 Jan 2018 12:27:00 +0100 Subject: [midPoint] Cannot sync attributes to AD In-Reply-To: References: Message-ID: Hi Jan, try to use maxOccurs=1, like: ri:description Description 0 1 ..... 2017-12-29 18:19 GMT+01:00 Jan Kaspar : > Hi all, > > I have latest midpoint 3.7 version and I am expiriencing an error with > syncing description on user and group object ou to AD. > When object in AD has null value of description attribute it works. I can > easily add description and suffix " - managed by MidPoint" > Problem is when i change the value to difedrent one, or in ad there is > already some value. > > then i got and error: > OperationAdd attribute values (Icf)MessageInvalid attribute: > org.identityconnectors.framework.common.exceptions. > InvalidAttributeValueException(Error modifying LDAP entry > CN=Blanca.Parker,OU=Users,OU=CZ,DC=HELL,DC=LOCAL: [add:description: > pepina1 - Managed by MidPoint,]: attributeOrValueExists: 00002081: AtrErr: > DSID-030F181A, #1:??0: 00002081: DSID-030F181A, problem 1006 > (ATT_OR_VALUE_EXISTS), data 0, Att d (description)?? (20))Parameters > uid [e61d0dc3-33dc-4ba1-a623-a243edbdfa52] > objectClass [crOCD ({http://midpoint.evolveum.com/xml/ns/public/resource/ > instance-3}user)] > options [OperationOptions: {}] > attributes [[Attribute: {Name=description, Value=[pepina1 - Managed by > MidPoint]}]]Context > connector [class org.identityconnectors.framework.impl.api.local. > LocalConnectorFacadeImpl]ErrorInvalid attribute: org.identityconnectors. > framework.common.exceptions.InvalidAttributeValueException(Error > modifying LDAP entry CN=Blanca.Parker,OU=Users,OU=CZ,DC=HELL,DC=LOCAL: > [add:description: pepina1 - Managed by MidPoint,]: attributeOrValueExists: > 00002081: AtrErr: DSID-030F181A, #1:??0: 00002081: DSID-030F181A, problem > 1006 (ATT_OR_VALUE_EXISTS), data 0, Att d (description)?? (20))show > com.evolveum.midpoint.util.exception.SchemaException: Invalid attribute: > org.identityconnectors.framework.common.exceptions. > InvalidAttributeValueException(Error modifying LDAP entry > CN=Blanca.Parker,OU=Users,OU=CZ,DC=HELL,DC=LOCAL: [add:description: > pepina1 - Managed by MidPoint,]: attributeOrValueExists: 00002081: AtrErr: > DSID-030F181A, #1:??0: 00002081: DSID-030F181A, problem 1006 > (ATT_OR_VALUE_EXISTS), data 0, Att d (description)?? (20)) at > com.evolveum.midpoint.provisioning.ucf.impl.connid. > ConnIdUtil.lookForKnownCause(ConnIdUtil.java:352) at > com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil. > processConnIdException(ConnIdUtil.java:215) at com.evolveum.midpoint. > provisioning.ucf.impl.connid.ConnectorInstanceConnIdImpl.modifyObject( > ConnectorInstanceConnIdImpl.java:1715) at com.evolveum.midpoint. > provisioning.impl.ResourceObjectConverter.executeModify( > ResourceObjectConverter.java:769) at com.evolveum.midpoint. > provisioning.impl.ResourceObjectConverter.modifyResourceObject( > ResourceObjectConverter.java:571) at com.evolveum.midpoint. > provisioning.impl.ShadowCache.modifyShadow(ShadowCache.java:745) at > com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl. > modifyObject(ProvisioningServiceImpl.java:671) at > com.evolveum.midpoint.model.impl.lens.ChangeExecutor. > modifyProvisioningObject(ChangeExecutor.java:1495) at > com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeModification(ChangeExecutor.java:1369) > at com.evolveum.midpoint.model.impl.lens.ChangeExecutor. > executeDelta(ChangeExecutor.java:909) at com.evolveum.midpoint.model. > impl.lens.ChangeExecutor.executeChanges(ChangeExecutor.java:318) at > com.evolveum.midpoint.model.impl.lens.Clockwork.lambda$ > processSecondary$0(Clockwork.java:635) at com.evolveum.midpoint.model. > impl.lens.LensUtil.partialExecute(LensUtil.java:947) at > com.evolveum.midpoint.model.impl.lens.LensUtil. > partialExecute(LensUtil.java:934) at com.evolveum.midpoint.model. > impl.lens.Clockwork.processSecondary(Clockwork.java:633) at > com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java:479) > at com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:202) > at com.evolveum.midpoint.model.impl.controller.ModelController. > executeChanges(ModelController.java:538) at com.evolveum.midpoint.web. > component.progress.ProgressPanel$14.callWithContextPrepared(ProgressPanel.java:605) > at com.evolveum.midpoint.web.component.progress.ProgressPanel$14. > callWithContextPrepared(ProgressPanel.java:591) at > com.evolveum.midpoint.web.component.SecurityContextAwareCallable.call( > SecurityContextAwareCallable.java:59) at java.util.concurrent.FutureTask.run(Unknown > Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown > Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown > Source) at java.lang.Thread.run(Unknown Source) > > Thanks Jan > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > -- Gustáv Pálos Identity Engineer evolveum.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From o.nekriach at dynatech.lv Fri Jan 12 09:10:39 2018 From: o.nekriach at dynatech.lv (Oleksandr Nekriach) Date: Fri, 12 Jan 2018 10:10:39 +0200 Subject: [midPoint] Issue with midPoint cluster (Cannot connect to the remote node: no such object in table) Message-ID: Dear colleagues, Please help me to solve the issue with cluster deployment. I have setup midpoint cluster on tomcat servers with two nodes NodeA and NodeB (using Sun JDK 8). Everything seems correct in logs during startup only INFO messages are there. 2018-01-12 07:23:18,152 [] [localhost-startStop-1] INFO (com.evolveum.midpoint.task.quartzimpl.cluster.NodeRegistrar): Registering this node in th e repository as NodeB at sec-idm2:20001 2018-01-12 07:23:19,071 [] [localhost-startStop-1] INFO (com.evolveum.midpoint.task.quartzimpl.execution.LocalNodeManager): Initializing Quartz sc heduler (but not starting it yet). 2018-01-12 07:23:19,151 [] [localhost-startStop-1] INFO (com.evolveum.midpoint.task.quartzimpl.execution.LocalNodeManager): ... Quartz scheduler i nitialized. 2018-01-12 07:23:19,153 [] [localhost-startStop-1] INFO (com.evolveum.midpoint.task.quartzimpl.execution.TaskSynchronizer): Synchronizing Quartz j ob store with midPoint repository. But when I navigate to Server tasks (in administrative interface) I receive error messages in logs (see below) and status messages in interface Cannot connect to the remote node NodeA at sec-idm1:20001: no such object in table sec-idm2:~# telnet sec-idm1 20001 Trying 10.176.0.11... Connected to sec-idm1. Escape character is '^]'. The same situation when I try it from the second NodeB. In this case Cannot connect to the remote node NodeB at sec-idm2:20001: no such object in table sec-idm1:~# telnet sec-idm2 20001 Trying 10.176.1.11... Connected to sec-idm2. Escape character is '^]'. 2018-01-12 07:58:38,045 [] [http-nio-8080-exec-8] ERROR (com.evolveum.midpoint.task.quartzimpl.execution.RemoteNodesManager): Cannot connect to the remote node NodeA at sec-idm1:20001. java.rmi.NoSuchObjectException: no such object in table at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:283) ~[na:1.8.0_151] at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:260) ~[na:1.8.0_151] at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161) ~[na:1.8.0_151] at java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(RemoteObjectInvocationHandler.java:227) ~[na:1.8.0_151] at java.rmi.server.RemoteObjectInvocationHandler.invoke(RemoteObjectInvocationHandler.java:179) ~[na:1.8.0_151] at com.sun.proxy.$Proxy182.newClient(Unknown Source) ~[na:na] at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2430) ~[na:1.8.0_151] at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:308) ~[na:1.8.0_151] at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270) ~[na:1.8.0_151] at com.evolveum.midpoint.task.quartzimpl.execution.JmxClient$1.run(JmxClient.java:45) ~[task-quartz-impl-3.6.1.jar:na] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[na:1.8.0_151] at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_151] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[na:1.8.0_151] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[na:1.8.0_151] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151] -- Best regards, Oleksandr Nekriach | Identity and access management engineer Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia +37125314685 , o.nekriach at dynatech.lv | www.dynatech.lv Stay connected: Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. From m.benucci at nsr.it Fri Jan 12 09:50:00 2018 From: m.benucci at nsr.it (Marco Benucci) Date: Fri, 12 Jan 2018 09:50:00 +0100 Subject: [midPoint] password storage method "hash" and users with empty password Message-ID: Hi, we are running midpoint 3.6 and we would like to switch the password storage method from enrcyption to hash. Now, if we create a new user with an empty password from the gui, we got this error: java.lang.IllegalStateException: Subresult com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute of operation com.evolveum.midpoint.model.api.ModelService.executeChanges is still UNKNOWN during cleanup; during handling of exception java.lang.NullPointerException at com.evolveum.midpoint.schema.result.OperationResult.cleanupResult(OperationResult.java:1277) at com.evolveum.midpoint.model.impl.controller.ModelUtils.recordFatalError(ModelUtils.java:75) at com.evolveum.midpoint.model.impl.controller.ModelUtils.recordFatalError(ModelUtils.java:66) at com.evolveum.midpoint.model.impl.controller.ModelController.executeChanges(ModelController.java:596) at sun.reflect.GeneratedMethodAccessor1772.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invoke(LazyInitProxyFactory.java:507) at com.sun.proxy.$Proxy166.executeChanges(Unknown Source) at com.evolveum.midpoint.web.component.progress.ProgressReporter.lambda$executeChangesAsync$0(ProgressReporter.java:187) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.NullPointerException at com.evolveum.midpoint.model.impl.lens.projector.credentials.CredentialsProcessor.transformFocusExectionDeltaCredential(CredentialsProcessor.java:232) at com.evolveum.midpoint.model.impl.lens.projector.credentials.CredentialsProcessor.transformFocusExectionDelta(CredentialsProcessor.java:207) at com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeChanges(ChangeExecutor.java:187) at com.evolveum.midpoint.model.impl.lens.Clockwork.lambda$processSecondary$0(Clockwork.java:481) at com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java:1253) at com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java:1240) at com.evolveum.midpoint.model.impl.lens.Clockwork.processSecondary(Clockwork.java:479) at com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java:327) at com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:203) at com.evolveum.midpoint.model.impl.controller.ModelController.executeChanges(ModelController.java:569) with encryption method this error does not happen and one can create a new user from the gui without add the password. Is this a bug? -------------- next part -------------- An HTML attachment was scrubbed... URL: From o.nekriach at dynatech.lv Fri Jan 12 13:52:44 2018 From: o.nekriach at dynatech.lv (Oleksandr Nekriach) Date: Fri, 12 Jan 2018 14:52:44 +0200 Subject: [midPoint] Issue with midPoint cluster (Cannot connect to the remote node: no such object in table) In-Reply-To: References: Message-ID: Hello guys. I have found cause. It was my fault I have missed to configure dataSource atttribute for taskManager in config.xml On 12 January 2018 at 10:10, Oleksandr Nekriach wrote: > Dear colleagues, > Please help me to solve the issue with cluster deployment. > I have setup midpoint cluster on tomcat servers with two nodes NodeA > and NodeB (using Sun JDK 8). > Everything seems correct in logs during startup only INFO messages are there. > 2018-01-12 07:23:18,152 [] [localhost-startStop-1] INFO > (com.evolveum.midpoint.task.quartzimpl.cluster.NodeRegistrar): > Registering this node in th > e repository as NodeB at sec-idm2:20001 > 2018-01-12 07:23:19,071 [] [localhost-startStop-1] INFO > (com.evolveum.midpoint.task.quartzimpl.execution.LocalNodeManager): > Initializing Quartz sc > heduler (but not starting it yet). > 2018-01-12 07:23:19,151 [] [localhost-startStop-1] INFO > (com.evolveum.midpoint.task.quartzimpl.execution.LocalNodeManager): > ... Quartz scheduler i > nitialized. > 2018-01-12 07:23:19,153 [] [localhost-startStop-1] INFO > (com.evolveum.midpoint.task.quartzimpl.execution.TaskSynchronizer): > Synchronizing Quartz j > ob store with midPoint repository. > > But when I navigate to Server tasks (in administrative interface) I > receive error messages in logs (see below) and status messages in > interface Cannot connect to the remote node NodeA at sec-idm1:20001: > no such object in table > sec-idm2:~# telnet sec-idm1 20001 > Trying 10.176.0.11... > Connected to sec-idm1. > Escape character is '^]'. > The same situation when I try it from the second NodeB. In this case > Cannot connect to the remote node NodeB at sec-idm2:20001: no such > object in table > sec-idm1:~# telnet sec-idm2 20001 > Trying 10.176.1.11... > Connected to sec-idm2. > Escape character is '^]'. > > 2018-01-12 07:58:38,045 [] [http-nio-8080-exec-8] ERROR > (com.evolveum.midpoint.task.quartzimpl.execution.RemoteNodesManager): > Cannot connect to the remote node NodeA at sec-idm1:20001. > java.rmi.NoSuchObjectException: no such object in table > at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:283) > ~[na:1.8.0_151] > at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:260) > ~[na:1.8.0_151] > at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161) ~[na:1.8.0_151] > at java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(RemoteObjectInvocationHandler.java:227) > ~[na:1.8.0_151] > at java.rmi.server.RemoteObjectInvocationHandler.invoke(RemoteObjectInvocationHandler.java:179) > ~[na:1.8.0_151] > at com.sun.proxy.$Proxy182.newClient(Unknown Source) ~[na:na] > at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2430) > ~[na:1.8.0_151] > at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:308) > ~[na:1.8.0_151] > at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270) > ~[na:1.8.0_151] > at com.evolveum.midpoint.task.quartzimpl.execution.JmxClient$1.run(JmxClient.java:45) > ~[task-quartz-impl-3.6.1.jar:na] > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > ~[na:1.8.0_151] > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > ~[na:1.8.0_151] > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > ~[na:1.8.0_151] > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > ~[na:1.8.0_151] > at java.lang.Thread.run(Thread.java:748) [na:1.8.0_151] > > > -- > Best regards, > > Oleksandr Nekriach | Identity and access management engineer > > Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia > > +37125314685 > , > o.nekriach at dynatech.lv > | > www.dynatech.lv > > > > > Stay connected: > > > Confidentiality Notice: This message contains confidential information > and is intended only for the named recipient(s). If you are not the > addressee you may not copy, distribute or perform any other activities > with this information. If you have received this transmission in > error, please notify us by e-mail immediately. E-mail transmission > cannot be guaranteed to be secure or error-free as information could > be intercepted, corrupted, lost, destroyed, arrive late or incomplete, > or contain viruses. -- Best regards, Oleksandr Nekriach | Identity and access management engineer Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia +37125314685 , o.nekriach at dynatech.lv | www.dynatech.lv Stay connected: Confidentiality Notice: This message contains confidential information and is intended only for the named recipient(s). If you are not the addressee you may not copy, distribute or perform any other activities with this information. If you have received this transmission in error, please notify us by e-mail immediately. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. From Caspi at seznam.cz Sat Jan 13 14:25:09 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Sat, 13 Jan 2018 14:25:09 +0100 (CET) Subject: [midPoint] Group Membership Message-ID: <5JH.vLN.6u6J10yrrKt.1QMWYr@seznam.cz> Hello All, I have a question about group membership. I have hundrets of groups in AD. For begining I would like to force membership only for selected groups. I tryed to do that with tolerancy but it is resource wide configuration. So all groups are affected. Is there a way how to do that? Thanks Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Sat Jan 13 18:20:08 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Sat, 13 Jan 2018 18:20:08 +0100 (CET) Subject: [midPoint] AD groups import Message-ID: <5XP.vLZ.725ZuPwYU2U.1QMZ}8@seznam.cz> Hi All, I need help with AD group import to Midpoint. I have MP 3.7 installed and sync of users from CSV and matching to AD is working OK. Problem is with groups. We have hundrets of groups and I need to import groups and start to manage them. If I try to import groups to MP it cause also deleting of those group in AD. I tryed to create in schema handling only IN direction for name and description. But it didnt helped it still delete groups in AD. I am attaching resourse config. Hope i described correctly. Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ExportedData_ResourceType_1515857588240 (1).xml Type: text/xml Size: 680977 bytes Desc: not available URL: From mederly at evolveum.com Sat Jan 13 20:21:45 2018 From: mederly at evolveum.com (Pavol Mederly) Date: Sat, 13 Jan 2018 20:21:45 +0100 Subject: [midPoint] AD groups import In-Reply-To: <5XP.vLZ.725ZuPwYU2U.1QMZ}8@seznam.cz> References: <5XP.vLZ.725ZuPwYU2U.1QMZ}8@seznam.cz> Message-ID: Hello Jan. What is your assignmentPolicyEnforcement setting? Please see check in the system configuration. Best regards, Pavol Mederly Software developer evolveum.com On 13.01.2018 18:20, Jan Kaspar wrote: > Hi All, > > I need help with AD group import to Midpoint. I have MP 3.7 installed > and sync of users from CSV and matching to AD is working OK. > > Problem is with groups. We have hundrets of groups and I need to > import groups and start to manage them. If I try to import groups to > MP it cause also deleting of those group in AD. I tryed to create in > schema handling only IN direction for name and description. But it > didnt helped it still delete groups in AD. > > I am attaching resourse config. > > Hope i described correctly. > > Jan > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -------------- next part -------------- An HTML attachment was scrubbed... URL: From mederly at evolveum.com Sat Jan 13 20:43:33 2018 From: mederly at evolveum.com (Pavol Mederly) Date: Sat, 13 Jan 2018 20:43:33 +0100 Subject: [midPoint] AD groups import In-Reply-To: References: <5XP.vLZ.725ZuPwYU2U.1QMZ}8@seznam.cz> Message-ID: Not sure that I will be at a computer during the rest of weekend. So, please check it is not FULL. It should be the default (I think it is "relative"). Pavol Mederly Software developer evolveum.com On 13.01.2018 20:21, Pavol Mederly wrote: > > Hello Jan. > > What is your assignmentPolicyEnforcement setting? Please see check in > the system configuration. > > Best regards, > > Pavol Mederly > Software developer > evolveum.com > On 13.01.2018 18:20, Jan Kaspar wrote: >> Hi All, >> >> I need help with AD group import to Midpoint. I have MP 3.7 installed >> and sync of users from CSV and matching to AD is working OK. >> >> Problem is with groups. We have hundrets of groups and I need to >> import groups and start to manage them. If I try to import groups to >> MP it cause also deleting of those group in AD. I tryed to create in >> schema handling only IN direction for name and description. But it >> didnt helped it still delete groups in AD. >> >> I am attaching resourse config. >> >> Hope i described correctly. >> >> Jan >> >> >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Sat Jan 13 21:23:39 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Sat, 13 Jan 2018 21:23:39 +0100 (CET) Subject: [midPoint] AD groups import Message-ID: <5ld.vLj.2GoYh0N5cmW.1QMchB@seznam.cz> Hi All, I have it tested with 3.6 and it works with same configuration. So there is some bug in connector v1.5.1. Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Sat Jan 13 22:52:05 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Sat, 13 Jan 2018 22:52:05 +0100 (CET) Subject: [midPoint] AD groups import Message-ID: <5po.vLt.6U96}5PnrEV.1QMd{5@seznam.cz> Hi Pavol, thank you! you are right. I hav configured Full assignement policy enforcement Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From oskar.butovic at ami.cz Mon Jan 15 11:08:07 2018 From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=) Date: Mon, 15 Jan 2018 11:08:07 +0100 Subject: [midPoint] Group Membership In-Reply-To: <5JH.vLN.6u6J10yrrKt.1QMWYr@seznam.cz> References: <5JH.vLN.6u6J10yrrKt.1QMWYr@seznam.cz> Message-ID: Hello Jan, for this type of problem, I suggest first reconcile group membership from AD to midpoint by inbound mapping. After that, you can do pretty much anything with assignments in midpoint and provision them strong and tolerant false to AD.(use midPoint as authoritative source after initial sync.) Best Regards Oskar Butovič 2018-01-13 14:25 GMT+01:00 Jan Kaspar : > Hello All, > > I have a question about group membership. I have hundrets of groups in AD. > > For begining I would like to force membership only for selected groups. > > I tryed to do that with tolerancy but it is resource wide configuration. > So all groups are affected. > > Is there a way how to do that? > > Thanks Jan > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > -- Oskar Butovič solution architect gsm: [+420] 774 480 101 e-mail: oskar.butovic at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz [image: AMI Praha a.s.] [image: AMI Praha a.s.] Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. -------------- next part -------------- An HTML attachment was scrubbed... URL: From srpenn at us.ibm.com Mon Jan 15 17:40:42 2018 From: srpenn at us.ibm.com (Sean R Penndorf) Date: Mon, 15 Jan 2018 16:40:42 +0000 Subject: [midPoint] Can't get a link resource to user Message-ID: Hello Community, I have a pre-existing user in Midpoint. When I run a reconcile against our HR database, I never get it to link up the resource record (shadow?) to the user. I'm trying to match based on employeeNumber. I gotta be missing something very simple. Could someone review my XML and give me any pointers? THANKS!!!! ------------------ Sean Penndorf SaaS Operational Services (SOS) - ID Management IBM Cloud srpenn at us.ibm.com Office: 248-552-4791 TL 623-9966 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: User.xml Type: application/octet-stream Size: 1187 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Resource.xml Type: application/octet-stream Size: 10692 bytes Desc: not available URL: From oskar.butovic at ami.cz Mon Jan 15 17:46:12 2018 From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=) Date: Mon, 15 Jan 2018 17:46:12 +0100 Subject: [midPoint] Can't get a link resource to user In-Reply-To: References: Message-ID: Hello Sean, your correlation should look probably like this: employeeNumber $shadow/attributes/ri:serialnumber Best Regards Oskar Butovič 2018-01-15 17:40 GMT+01:00 Sean R Penndorf : > Hello Community, > > I have a pre-existing user in Midpoint. > When I run a reconcile against our HR database, I never get it to link up > the resource record (shadow?) to the user. > I'm trying to match based on employeeNumber. > > I gotta be missing something very simple. > > Could someone review my XML and give me any pointers? THANKS!!!! > > > > > > ------------------ > *Sean Penndorf* > SaaS Operational Services (SOS) - ID Management > IBM Cloud > srpenn at us.ibm.com > Office: 248-552-4791 <(248)%20552-4791> TL 623-9966 > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > -- Oskar Butovič solution architect gsm: [+420] 774 480 101 e-mail: oskar.butovic at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz [image: AMI Praha a.s.] [image: AMI Praha a.s.] Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. -------------- next part -------------- An HTML attachment was scrubbed... URL: From srpenn at us.ibm.com Mon Jan 15 18:22:25 2018 From: srpenn at us.ibm.com (Sean R Penndorf) Date: Mon, 15 Jan 2018 12:22:25 -0500 Subject: [midPoint] Can't get a link resource to user In-Reply-To: References:

Message-ID: Thank you Oskar! That put me on the right track. Turns out the attribute name also was case sensitive. $shadow/attributes/ri:serialNumber (I needed a capital N) ------------------ Sean Penndorf SaaS Operational Services (SOS) - ID Management IBM Cloud srpenn at us.ibm.com Office: 248-552-4791 TL 623-9966 From: Oskar Butovič - AMI Praha a.s. To: midPoint General Discussion Date: 01/15/2018 11:48 AM Subject: Re: [midPoint] Can't get a link resource to user Sent by: "midPoint" Hello Sean, your correlation should look probably like this: employeeNumber $shadow/attributes/ri:serialnumber Best Regards Oskar Butovič 2018-01-15 17:40 GMT+01:00 Sean R Penndorf : Hello Community, I have a pre-existing user in Midpoint. When I run a reconcile against our HR database, I never get it to link up the resource record (shadow?) to the user. I'm trying to match based on employeeNumber. I gotta be missing something very simple. Could someone review my XML and give me any pointers? THANKS!!!! ------------------ Sean Penndorf SaaS Operational Services (SOS) - ID Management IBM Cloud srpenn at us.ibm.com Office: 248-552-4791 TL 623-9966 _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint -- Oskar Butovič solution architect gsm: [+420] 774 480 101 e-mail: oskar.butovic at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=qEACHutvsppyidQwf1kYntDY-ZKom0n1kiWqpNpwVXg&m=pHHy0Hn4L4ctXKLUpDwYvqjfzXhbm5-1xaLDgGaw9co&s=2AJ3jezKsWfBunz1b5jo0UQoLs-1mnzTOwrUcA_OUHg&e= -------------- next part -------------- An HTML attachment was scrubbed... URL: From caspi at caspi.cz Tue Jan 16 11:47:01 2018 From: caspi at caspi.cz (=?UTF-8?Q?Jan_Ka=C5=A1par?=) Date: Tue, 16 Jan 2018 11:47:01 +0100 Subject: [midPoint] Group Membership Message-ID: Hi Oskar, All, Yes i know that, this is what i already have. Hundrets of groups were already imported. But now i would like to force group memberships only to some groups. So apply tolerance only for groups I define. S pozdravem Jan Kašpar -------------- next part -------------- An HTML attachment was scrubbed... URL: From oskar.butovic at ami.cz Tue Jan 16 13:28:18 2018 From: oskar.butovic at ami.cz (=?UTF-8?Q?Oskar_Butovi=C4=8D_=2D_AMI_Praha_a=2Es=2E?=) Date: Tue, 16 Jan 2018 13:28:18 +0100 Subject: [midPoint] Group Membership In-Reply-To: References: Message-ID: Hi Jan, so you have all the users and groups. Do you also have assignments? That every role is assigned to same users in Idm in the same way as in external system? What I suggested is to sync assignments also. And after that, the assignment mess is same in IdM as in external system you can clear it from Idm. By some hook or template or bulk task. Best Regards Oskar Butovič 2018-01-16 11:47 GMT+01:00 Jan Kašpar : > Hi Oskar, All, > > Yes i know that, this is what i already have. Hundrets of groups were > already imported. > But now i would like to force group memberships only to some groups. > > So apply tolerance only for groups I define. > > > S pozdravem > > Jan Kašpar > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > -- Oskar Butovič solution architect gsm: [+420] 774 480 101 e-mail: oskar.butovic at ami.cz AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239 web: www.ami.cz [image: AMI Praha a.s.] [image: AMI Praha a.s.] Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ethan at unc.edu Tue Jan 16 15:07:50 2018 From: ethan at unc.edu (Kromhout, Ethan A.) Date: Tue, 16 Jan 2018 14:07:50 +0000 Subject: [midPoint] Upgrades and version consistency Message-ID: If someone were to fail to run database upgrade scripts, but did deploy and upgrade war file in the scenario described in upgrade "Type 1" at the wiki page https://wiki.evolveum.com/display/midPoint/Upgrade+HOWTO, either through carelessness or because of a technical problem. Would the application check the database version and refuse to start, or would the error be more subtle? Is there a way to query to check that the database scripts have been run and are on the correct version? This is just a rhetorical question to clarify what might happen in different upgrade scenarios as we'll be working with some campus's on upgrade procedures and wanted to document possible failure modes. Thanks, Ethan From wojciech.staszewski at diagnostyka.pl Tue Jan 16 15:29:12 2018 From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski) Date: Tue, 16 Jan 2018 15:29:12 +0100 Subject: [midPoint] Upgrades and version consistency In-Reply-To: References: Message-ID: <2b80be60-2daa-164c-24b8-83e9968a9bc2@diagnostyka.pl> Hello! This is a great idea. I'm using software where the update is handled beautifuly. First, database is versioned. Second, The SQL update script lifts up the db version after each correctly ended query. If the update script is finished OK, the database is in version XXX. If the update failed for some reason (eg. DB tables partitioning), I know exactly which step failed and after I fix the problem I can run whole script once again and it starts from the failed step. Third: DB version is checked on application startup. Application won't run if DB version is incorrect. Simple and nerve-saving. I'd like to see something like that in MP. Regards, WS W dniu 16.01.2018 o 15:07, Kromhout, Ethan A. pisze: > If someone were to fail to run database upgrade scripts, but did deploy and upgrade war file in the scenario described in upgrade "Type 1" at the wiki page https://wiki.evolveum.com/display/midPoint/Upgrade+HOWTO, either through carelessness or because of a technical problem. Would the application check the database version and refuse to start, or would the error be more subtle? Is there a way to query to check that the database scripts have been run and are on the correct version? > > This is just a rhetorical question to clarify what might happen in different upgrade scenarios as we'll be working with some campus's on upgrade procedures and wanted to document possible failure modes. > > Thanks, > > Ethan > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > From ivan.noris at evolveum.com Tue Jan 16 15:45:56 2018 From: ivan.noris at evolveum.com (Ivan Noris) Date: Tue, 16 Jan 2018 15:45:56 +0100 Subject: [midPoint] Upgrades and version consistency In-Reply-To: References: Message-ID: <028c30a4-3bdc-759e-6613-f8fd45cce3ac@evolveum.com> Hi Ethan, from my experience, everytime I forgot to run upgrade scripts (read: during experimenting with midpoint; did not happen in production), midPoint refused to start and there will be an error in idm.log / midpoint.log. So midPoint will not start. I think it's connected to "validate" option in config.xml: validate (for embedded H2 repository this can be set to "update" and it will update the db structure). Best regards, Ivan On 16.01.2018 15:07, Kromhout, Ethan A. wrote: > If someone were to fail to run database upgrade scripts, but did deploy and upgrade war file in the scenario described in upgrade "Type 1" at the wiki page https://wiki.evolveum.com/display/midPoint/Upgrade+HOWTO, either through carelessness or because of a technical problem. Would the application check the database version and refuse to start, or would the error be more subtle? Is there a way to query to check that the database scripts have been run and are on the correct version? > > This is just a rhetorical question to clarify what might happen in different upgrade scenarios as we'll be working with some campus's on upgrade procedures and wanted to document possible failure modes. > > Thanks, > > Ethan > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -- Ivan Noris Senior Identity Engineer evolveum.com From ethan at unc.edu Tue Jan 16 16:07:57 2018 From: ethan at unc.edu (Kromhout, Ethan A.) Date: Tue, 16 Jan 2018 15:07:57 +0000 Subject: [midPoint] Upgrades and version consistency In-Reply-To: <028c30a4-3bdc-759e-6613-f8fd45cce3ac@evolveum.com> References: , <028c30a4-3bdc-759e-6613-f8fd45cce3ac@evolveum.com> Message-ID: Thanks very much Ivan, this is exactly the information I was looking for. Ethan ________________________________________ From: midPoint on behalf of Ivan Noris Sent: Tuesday, January 16, 2018 9:45 AM To: midpoint at lists.evolveum.com Subject: Re: [midPoint] Upgrades and version consistency Hi Ethan, from my experience, everytime I forgot to run upgrade scripts (read: during experimenting with midpoint; did not happen in production), midPoint refused to start and there will be an error in idm.log / midpoint.log. So midPoint will not start. I think it's connected to "validate" option in config.xml: validate (for embedded H2 repository this can be set to "update" and it will update the db structure). Best regards, Ivan On 16.01.2018 15:07, Kromhout, Ethan A. wrote: > If someone were to fail to run database upgrade scripts, but did deploy and upgrade war file in the scenario described in upgrade "Type 1" at the wiki page https://wiki.evolveum.com/display/midPoint/Upgrade+HOWTO, either through carelessness or because of a technical problem. Would the application check the database version and refuse to start, or would the error be more subtle? Is there a way to query to check that the database scripts have been run and are on the correct version? > > This is just a rhetorical question to clarify what might happen in different upgrade scenarios as we'll be working with some campus's on upgrade procedures and wanted to document possible failure modes. > > Thanks, > > Ethan > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -- Ivan Noris Senior Identity Engineer evolveum.com _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint From mederly at evolveum.com Tue Jan 16 16:23:07 2018 From: mederly at evolveum.com (Pavol Mederly) Date: Tue, 16 Jan 2018 16:23:07 +0100 Subject: [midPoint] Upgrades and version consistency In-Reply-To: References: <028c30a4-3bdc-759e-6613-f8fd45cce3ac@evolveum.com> Message-ID: To be honest, the error message is a bit cryptic. But, nevertheless, midPoint will not start. And yes, it requires the "validate" option to be set. It is the default for all databases other than H2. Pavol Mederly Software developer evolveum.com On 16.01.2018 16:07, Kromhout, Ethan A. wrote: > Thanks very much Ivan, this is exactly the information I was looking for. > > Ethan > ________________________________________ > From: midPoint on behalf of Ivan Noris > Sent: Tuesday, January 16, 2018 9:45 AM > To: midpoint at lists.evolveum.com > Subject: Re: [midPoint] Upgrades and version consistency > > Hi Ethan, > > from my experience, everytime I forgot to run upgrade scripts (read: > during experimenting with midpoint; did not happen in production), > midPoint refused to start and there will be an error in idm.log / > midpoint.log. So midPoint will not start. > > I think it's connected to "validate" option in config.xml: > > validate > (for embedded H2 repository this can be set to "update" and it will > update the db structure). > > Best regards, > > Ivan > > > On 16.01.2018 15:07, Kromhout, Ethan A. wrote: >> If someone were to fail to run database upgrade scripts, but did deploy and upgrade war file in the scenario described in upgrade "Type 1" at the wiki page https://wiki.evolveum.com/display/midPoint/Upgrade+HOWTO, either through carelessness or because of a technical problem. Would the application check the database version and refuse to start, or would the error be more subtle? Is there a way to query to check that the database scripts have been run and are on the correct version? >> >> This is just a rhetorical question to clarify what might happen in different upgrade scenarios as we'll be working with some campus's on upgrade procedures and wanted to document possible failure modes. >> >> Thanks, >> >> Ethan >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint > -- > Ivan Noris > Senior Identity Engineer > evolveum.com > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint From srpenn at us.ibm.com Tue Jan 16 16:24:20 2018 From: srpenn at us.ibm.com (Sean R Penndorf) Date: Tue, 16 Jan 2018 10:24:20 -0500 Subject: [midPoint] No definition for 'manager' in user Message-ID: Hi Community, Clearly, I'm missing something simple here....running Midpoint 3.7 I have an extended attribute "manager", it shows up in the GUI when looking at User properties. But I keep getting an error with my inbound mapping: "No definition for 'manager' in user." I've tried a number of variations in the inbound mapping, but I can't get the field to populate. Any assistance is greatly appreciated. ** Extended Attribute: ** true manager ** Inbound Mapping: ** ri:manager gen316:distinguishedName true true explicit true true strong $user/extension/ext:manager ext:manager ------------------ Sean Penndorf SaaS Operational Services (SOS) - ID Management IBM Cloud srpenn at us.ibm.com Office: 248-552-4791 TL 623-9966 -------------- next part -------------- An HTML attachment was scrubbed... URL: From ivan.noris at evolveum.com Tue Jan 16 17:28:07 2018 From: ivan.noris at evolveum.com (Ivan Noris) Date: Tue, 16 Jan 2018 17:28:07 +0100 Subject: [midPoint] No definition for 'manager' in user In-Reply-To: References: Message-ID: <34cccc18-acf2-e07a-13a9-1648d8edecec@evolveum.com> Hi Sean, the extension looks ok. The inbound is incorrect. It should look similar to this: ri:cn . . . ... $user/extension/manager This artificial example takes "cn" attribute from LDAP and copies it to $user/extension/manager. Best regards, Ivan On 16.01.2018 16:24, Sean R Penndorf wrote: > Hi Community, > > Clearly, I'm missing something simple here....running Midpoint 3.7 > I have an extended attribute "manager", it shows up in the GUI when > looking at User properties. > But I keep getting an error with my inbound mapping: "No definition > for 'manager' in user." > I've tried a number of variations in the inbound mapping, but I can't > get the field to populate. > Any assistance is greatly appreciated. > > > ** Extended Attribute: ** > > > > targetNamespace="http://sos.ibm.com/xml/ns/sosSchema" > xmlns:tns="http://sos.ibm.com/xml/ns/sosSchema" > xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3" > > xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" > xmlns:xsd="http://www.w3.org/2001/XMLSchema"> > > > > > > > > > minOccurs="0" maxOccurs="1"> > > > true > manager > > > > > > > > > ** Inbound Mapping: ** > > > ri:manager > xmlns:gen316="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen316:distinguishedName > true > true > explicit > > true > true > strong > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > > xsi:type="t:ItemPathType">$user/extension/ext:manager > > > xmlns:ext="http://sos.ibm.com/xml/ns/sosSchema">ext:manager > > > > > > > > > > > > > ------------------ > *Sean Penndorf* > SaaS Operational Services (SOS) - ID Management > IBM Cloud > srpenn at us.ibm.com > Office: 248-552-4791 TL 623-9966 > > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -- Ivan Noris Senior Identity Engineer evolveum.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From srpenn at us.ibm.com Tue Jan 16 20:22:51 2018 From: srpenn at us.ibm.com (Sean R Penndorf) Date: Tue, 16 Jan 2018 14:22:51 -0500 Subject: [midPoint] No definition for 'manager' in user In-Reply-To: <34cccc18-acf2-e07a-13a9-1648d8edecec@evolveum.com> References: <34cccc18-acf2-e07a-13a9-1648d8edecec@evolveum.com> Message-ID: Unfortunately that did not work. Any other ideas? ------------------ Sean Penndorf SaaS Operational Services (SOS) - ID Management IBM Cloud srpenn at us.ibm.com Office: 248-552-4791 TL 623-9966 From: Ivan Noris To: midpoint at lists.evolveum.com Date: 01/16/2018 11:39 AM Subject: Re: [midPoint] No definition for 'manager' in user Sent by: "midPoint" Hi Sean, the extension looks ok. The inbound is incorrect. It should look similar to this: ri:cn . . . ... $user/extension/manager This artificial example takes "cn" attribute from LDAP and copies it to $user/extension/manager. Best regards, Ivan On 16.01.2018 16:24, Sean R Penndorf wrote: Hi Community, Clearly, I'm missing something simple here....running Midpoint 3.7 I have an extended attribute "manager", it shows up in the GUI when looking at User properties. But I keep getting an error with my inbound mapping: "No definition for 'manager' in user." I've tried a number of variations in the inbound mapping, but I can't get the field to populate. Any assistance is greatly appreciated. ** Extended Attribute: ** true manager ** Inbound Mapping: ** ri:manager gen316:distinguishedName true true explicit true true strong $user/extension/ext:manager ext:manager ------------------ Sean Penndorf SaaS Operational Services (SOS) - ID Management IBM Cloud srpenn at us.ibm.com Office: 248-552-4791 TL 623-9966 _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint -- Ivan Noris Senior Identity Engineer evolveum.com _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=qEACHutvsppyidQwf1kYntDY-ZKom0n1kiWqpNpwVXg&m=mxBoJ1lXgvvfo5l-Tjy10yyDc2y8S5YU7eMgXL9B6BQ&s=YqKtO-IFuxFGGiIQqHy-7o7tAszxg427o-T2utRX374&e= -------------- next part -------------- An HTML attachment was scrubbed... URL: From wojciech.staszewski at diagnostyka.pl Tue Jan 16 23:22:53 2018 From: wojciech.staszewski at diagnostyka.pl (Wojciech Staszewski) Date: Tue, 16 Jan 2018 23:22:53 +0100 Subject: [midPoint] No definition for 'manager' in user In-Reply-To: References: <34cccc18-acf2-e07a-13a9-1648d8edecec@evolveum.com> Message-ID: Or just "extension/manager" as below: ri:manager true false normal extension/manager On 16.01.2018 20:22, Sean R Penndorf wrote: > Unfortunately that did not work. > Any other ideas? > > ------------------ > *Sean Penndorf* > SaaS Operational Services (SOS) - ID Management > IBM Cloud > srpenn at us.ibm.com > Office: 248-552-4791 TL 623-9966 > > > > > > From: Ivan Noris > To: midpoint at lists.evolveum.com > Date: 01/16/2018 11:39 AM > Subject: Re: [midPoint] No definition for 'manager' in user > Sent by: "midPoint" > ------------------------------------------------------------------------ > > > > Hi Sean, > the extension looks ok. > The inbound is incorrect. > It should look similar to this: > > ri:cn > . . . > > > ... > > $user/extension/manager > > > This artificial example takes "cn" attribute from LDAP and copies it > to $user/extension/manager. > Best regards, > Ivan > > On 16.01.2018 16:24, Sean R Penndorf wrote: > Hi Community, > > Clearly, I'm missing something simple here....running Midpoint 3.7 > I have an extended attribute "manager", it shows up in the GUI when > looking at User properties. > But I keep getting an error with my inbound mapping: "No definition > for 'manager' in user." > I've tried a number of variations in the inbound mapping, but I can't > get the field to populate. > Any assistance is greatly appreciated. > > > ** Extended Attribute: ** > > > > targetNamespace="_http://sos.ibm.com/xml/ns/sosSchema_" > xmlns:tns="_http://sos.ibm.com/xml/ns/sosSchema_" > > xmlns:a="_http://prism.evolveum.com/xml/ns/public/annotation-3_ > " > > xmlns:c="_http://midpoint.evolveum.com/xml/ns/public/common/common-3_ > " > xmlns:xsd="_http://www.w3.org/2001/XMLSchema_ > "> > > > > > > > > > minOccurs="0" maxOccurs="1"> > > > true > manager > > > > > > > > > ** Inbound Mapping: ** > > > ri:manager > xmlns:gen316="_http://prism.evolveum.com/xml/ns/public/matching-rule-3_ > ">gen316:distinguishedName > true > true > explicit > > true > true > strong > > xmlns:ext="_http://sos.ibm.com/xml/ns/sosSchema_" > > xmlns:xsi="_http://www.w3.org/2001/XMLSchema-instance_ > " > > xsi:type="t:ItemPathType">$user/extension/ext:manager > > > xmlns:ext="_http://sos.ibm.com/xml/ns/sosSchema_">ext:manager > > > > > > > > > > > > > ------------------* > Sean Penndorf* > SaaS Operational Services (SOS) - ID Management > IBM Cloud_ > __srpenn at us.ibm.com_ > Office: 248-552-4791 TL 623-9966 > > > > > _______________________________________________ > midPoint mailing list > _midPoint at lists.evolveum.com_ > _http://lists.evolveum.com/mailman/listinfo/midpoint_ > > > > -- > Ivan Noris > Senior Identity Engineer > evolveum.com > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=qEACHutvsppyidQwf1kYntDY-ZKom0n1kiWqpNpwVXg&m=mxBoJ1lXgvvfo5l-Tjy10yyDc2y8S5YU7eMgXL9B6BQ&s=YqKtO-IFuxFGGiIQqHy-7o7tAszxg427o-T2utRX374&e= > > > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -- Wojciech Staszewski Administrator Systemów Sieciowych tel. kom: 663 680 236 www.diagnostyka.pl Diagnostyka Sp. z o. o. ul. Prof. M. Życzkowskiego 16, 31-864 Kraków Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie, XI Wydział Gospodarczy KRS) NIP: 675-12-65-009; REGON: 356366975 Kapitał zakładowy: 33 756 500 zł. Pomyśl o środowisku zanim wydrukujesz ten e-mail. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Caspi at seznam.cz Wed Jan 17 06:06:23 2018 From: Caspi at seznam.cz (Jan Kaspar) Date: Wed, 17 Jan 2018 06:06:23 +0100 (CET) Subject: [midPoint] Group Membership Message-ID: Hi Oskar, I have only users and groups (roles) without members imported. I found this http://lists.evolveum.com/pipermail/midpoint/2016-May/001884. html as a posible solution. But now i am stucked in user template. My extension is filled by DN and i shoudl parse it and get CN from that. I am trying to use regex, but still not working. In other languages no problem to parse this, but in groovy still no luck. Do you have this template done? Can you share this? Jan -------------- next part -------------- An HTML attachment was scrubbed... URL: From caspi at caspi.cz Tue Jan 16 20:28:58 2018 From: caspi at caspi.cz (=?UTF-8?Q?Jan_Ka=C5=A1par?=) Date: Tue, 16 Jan 2018 20:28:58 +0100 Subject: [midPoint] Group Membership Message-ID: Hi Oskar, I have only users and groups without membership. I didnt found sway how to import groups includint membership. If you have some config please share this. In documentation there are no examples. S pozdravem Jan Kašpar -------------- next part -------------- An HTML attachment was scrubbed... URL: From ivan.noris at evolveum.com Wed Jan 17 09:54:28 2018 From: ivan.noris at evolveum.com (Ivan Noris) Date: Wed, 17 Jan 2018 09:54:28 +0100 Subject: [midPoint] No definition for 'manager' in user In-Reply-To: References: <34cccc18-acf2-e07a-13a9-1648d8edecec@evolveum.com> Message-ID: Hi, what was your error message in this case after my proposed change..? Ivan On 16.01.2018 20:22, Sean R Penndorf wrote: > Unfortunately that did not work. > Any other ideas? > > ------------------ > *Sean Penndorf* > SaaS Operational Services (SOS) - ID Management > IBM Cloud > srpenn at us.ibm.com > Office: 248-552-4791 TL 623-9966 > > > > > > From: Ivan Noris > To: midpoint at lists.evolveum.com > Date: 01/16/2018 11:39 AM > Subject: Re: [midPoint] No definition for 'manager' in user > Sent by: "midPoint" > ------------------------------------------------------------------------ > > > > Hi Sean, > the extension looks ok. > The inbound is incorrect. > It should look similar to this: > > ri:cn > . . . > > > ... > > $user/extension/manager > > > This artificial example takes "cn" attribute from LDAP and copies it > to $user/extension/manager. > Best regards, > Ivan > > On 16.01.2018 16:24, Sean R Penndorf wrote: > Hi Community, > > Clearly, I'm missing something simple here....running Midpoint 3.7 > I have an extended attribute "manager", it shows up in the GUI when > looking at User properties. > But I keep getting an error with my inbound mapping: "No definition > for 'manager' in user." > I've tried a number of variations in the inbound mapping, but I can't > get the field to populate. > Any assistance is greatly appreciated. > > > ** Extended Attribute: ** > > > > targetNamespace="_http://sos.ibm.com/xml/ns/sosSchema_" > xmlns:tns="_http://sos.ibm.com/xml/ns/sosSchema_" > > xmlns:a="_http://prism.evolveum.com/xml/ns/public/annotation-3_ > " > > xmlns:c="_http://midpoint.evolveum.com/xml/ns/public/common/common-3_ > " > xmlns:xsd="_http://www.w3.org/2001/XMLSchema_ > "> > > > > > > > > > minOccurs="0" maxOccurs="1"> > > > true > manager > > > > > > > > > ** Inbound Mapping: ** > > > ri:manager > xmlns:gen316="_http://prism.evolveum.com/xml/ns/public/matching-rule-3_ > ">gen316:distinguishedName > true > true > explicit > > true > true > strong > > xmlns:ext="_http://sos.ibm.com/xml/ns/sosSchema_" > > xmlns:xsi="_http://www.w3.org/2001/XMLSchema-instance_ > " > > xsi:type="t:ItemPathType">$user/extension/ext:manager > > > xmlns:ext="_http://sos.ibm.com/xml/ns/sosSchema_">ext:manager > > > > > > > > > > > > > ------------------* > Sean Penndorf* > SaaS Operational Services (SOS) - ID Management > IBM Cloud_ > __srpenn at us.ibm.com_ > Office: 248-552-4791 TL 623-9966 > > > > > _______________________________________________ > midPoint mailing list > _midPoint at lists.evolveum.com_ > _http://lists.evolveum.com/mailman/listinfo/midpoint_ > > > > -- > Ivan Noris > Senior Identity Engineer > evolveum.com > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=qEACHutvsppyidQwf1kYntDY-ZKom0n1kiWqpNpwVXg&m=mxBoJ1lXgvvfo5l-Tjy10yyDc2y8S5YU7eMgXL9B6BQ&s=YqKtO-IFuxFGGiIQqHy-7o7tAszxg427o-T2utRX374&e= > > > > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -- Ivan Noris Senior Identity Engineer evolveum.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From radovan.semancik at evolveum.com Wed Jan 17 10:04:04 2018 From: radovan.semancik at evolveum.com (Radovan Semancik) Date: Wed, 17 Jan 2018 10:04:04 +0100 Subject: [midPoint] Upgrades and version consistency In-Reply-To: References: Message-ID: <43e75a06-8e44-3eb3-4010-c9092f79209e@evolveum.com> Hi, There will be an error on startup if the database model is not compatible (e.g. there are missing columns). However, I would say that midPoint will continue to operate if the database model is compatible, e.g. tables were extended with additional (non-mandatory) columns. -- Radovan Semancik Software Architect evolveum.com On 01/16/2018 03:07 PM, Kromhout, Ethan A. wrote: > If someone were to fail to run database upgrade scripts, but did deploy and upgrade war file in the scenario described in upgrade "Type 1" at the wiki page https://wiki.evolveum.com/display/midPoint/Upgrade+HOWTO, either through carelessness or because of a technical problem. Would the application check the database version and refuse to start, or would the error be more subtle? Is there a way to query to check that the database scripts have been run and are on the correct version? > > This is just a rhetorical question to clarify what might happen in different upgrade scenarios as we'll be working with some campus's on upgrade procedures and wanted to document possible failure modes. > > Thanks, > > Ethan > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint From radovan.semancik at evolveum.com Wed Jan 17 10:06:20 2018 From: radovan.semancik at evolveum.com (Radovan Semancik) Date: Wed, 17 Jan 2018 10:06:20 +0100 Subject: [midPoint] Upgrades and version consistency In-Reply-To: <2b80be60-2daa-164c-24b8-83e9968a9bc2@diagnostyka.pl> References: <2b80be60-2daa-164c-24b8-83e9968a9bc2@diagnostyka.pl> Message-ID: Hello, Indeed, that would be a nice feature. Anybody willing to use his/her platform subscription to endorse this feature? -- Radovan Semancik Software Architect evolveum.com On 01/16/2018 03:29 PM, Wojciech Staszewski wrote: > Hello! > > This is a great idea. > I'm using software where the update is handled beautifuly. > > First, database is versioned. > > Second, The SQL update script lifts up the db version after each correctly ended query. > If the update script is finished OK, the database is in version XXX. > If the update failed for some reason (eg. DB tables partitioning), I know exactly which step failed and after I fix the problem I can run whole script once again and > it starts from the failed step. > > Third: DB version is checked on application startup. Application won't run if DB version is incorrect. > > Simple and nerve-saving. I'd like to see something like that in MP. > > Regards, > WS > > W dniu 16.01.2018 o 15:07, Kromhout, Ethan A. pisze: >> If someone were to fail to run database upgrade scripts, but did deploy and upgrade war file in the scenario described in upgrade "Type 1" at the wiki page https://wiki.evolveum.com/display/midPoint/Upgrade+HOWTO, either through carelessness or because of a technical problem. Would the application check the database version and refuse to start, or would the error be more subtle? Is there a way to query to check that the database scripts have been run and are on the correct version? >> >> This is just a rhetorical question to clarify what might happen in different upgrade scenarios as we'll be working with some campus's on upgrade procedures and wanted to document possible failure modes. >> >> Thanks, >> >> Ethan >> _______________________________________________ >> midPoint mailing list >> midPoint at lists.evolveum.com >> http://lists.evolveum.com/mailman/listinfo/midpoint >> > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint From petr.kulheim at ibacz.eu Wed Jan 17 12:34:48 2018 From: petr.kulheim at ibacz.eu (petr.kulheim at ibacz.eu) Date: Wed, 17 Jan 2018 12:34:48 +0100 Subject: [midPoint] Fw: Null parent for value PCV(1) Exception during reconciliation after upgrade of midpoint from 3.5.1 to 3.6.1 Message-ID: hi guys, we have customer's test environment where we have upgraded midpoint from 3.5.1 to 3.6.1 After this upgrade we have some users, about 30, having following Exception during reconsiliation: 2018-01-15 17:33:30,325 [] [Thread-77] ERROR (com.evolveum.midpoint.web.component.progress.ProgressReporter): Error executing changes. java.lang.IllegalStateException: Null parent for value PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] in item PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }assignment):[PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] (assignment in user:09cff951-c031-4033-95a9-de85812ccc46(testovic)); in current user in LensFocusContext(UserType:09cff951-c031-4033-95a9-de85812ccc46) at com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:495) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:461) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensFocusContext.checkConsistence(LensFocusContext.java:459) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:453) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensContext.checkConsistence(LensContext.java:678) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocusFocus(FocusProcessor.java:398) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocus(FocusProcessor.java:173) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.Projector.lambda$projectInternal$1(Projector.java:227) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java:1254) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.Projector.projectInternal(Projector.java:225) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.Projector.project(Projector.java:114) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java:440) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:197) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.controller.ModelController.executeChanges(ModelController.java:572) ~[model-impl-3.6.1.jar:na] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_111] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_111] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_111] at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_111] at org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invoke(LazyInitProxyFactory.java:507) ~[wicket-ioc-7.6.0.jar:7.6.0] at com.sun.proxy.$Proxy164.executeChanges(Unknown Source) ~[na:na] at com.evolveum.midpoint.web.component.progress.ProgressReporter.lambda$executeChangesAsync$0(ProgressReporter.java:187) ~[classes/:na] at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_111] Caused by: java.lang.IllegalStateException: Null parent for value PCV(1):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] in item PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }assignment):[PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] (assignment in user:09cff951-c031-4033-95a9-de85812ccc46(testovic)) at com.evolveum.midpoint.prism.Item.checkConsistenceInternal(Item.java:748) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.PrismContainer.checkConsistenceInternal(PrismContainer.java:688) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.PrismContainerValue.checkConsistenceInternal(PrismContainerValue.java:1271) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.Item.checkConsistenceInternal(Item.java:754) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.PrismContainer.checkConsistenceInternal(PrismContainer.java:688) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.PrismObject.checkConsistenceInternal(PrismObject.java:409) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.Item.checkConsistence(Item.java:709) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:491) ~[model-impl-3.6.1.jar:na] ... 21 common frames omitted I have found it comes from com.evolveum.midpoint.prism.Item radek 748, if (val.getParent() == null) { throw new IllegalStateException("Null parent for value "+val+" in item "+this+" ("+path+" in "+rootItem+")"); } So far we haven't found any suspicious Users/Accounts metadata. Likely it is related to AD resource. Any hint or advice would be appreciated. Thx Petr Kulheim JEE Developer IBA CZ, s.r.o. Office: Petržílkova 2565/23, 158 00 Praha, CZ Phone: +420 603 272826 E-mail: petr.kulheim at ibacz.eu Disclaimer: The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by forwarding this email to ict at ibacz.eu and then delete it from your system. IBA Group is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 48578 bytes Desc: not available URL: From mederly at evolveum.com Wed Jan 17 16:01:05 2018 From: mederly at evolveum.com (Pavol Mederly) Date: Wed, 17 Jan 2018 16:01:05 +0100 Subject: [midPoint] Fw: Null parent for value PCV(1) Exception during reconciliation after upgrade of midpoint from 3.5.1 to 3.6.1 In-Reply-To: References: Message-ID: <248efbb6-ffb6-dd87-5bb0-d2cccdf0d56f@evolveum.com> Hello Petr, just to make sure: You wrote that the exception occurs during reconciliation. I assume you mean reconciliation task. But the stack trace corresponds to a GUI operation. So, what's the case? Does it occur within a task or in GUI? If in GUI, is it replicable? Pavol Mederly Software developer evolveum.com On 17.01.2018 12:34, petr.kulheim at ibacz.eu wrote: > hi guys, > > we have customer's test environment where we have upgraded midpoint > from 3.5.1 to 3.6.1 > After this upgrade we have some users, about 30, having following > Exception during reconsiliation: > > 2018-01-15 17:33:30,325 [] [Thread-77] ERROR > (com.evolveum.midpoint.web.component.progress.ProgressReporter): Error > executing changes. > java.lang.IllegalStateException: Null parent for value > PCV(1):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] > in item > PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}assignment):[PCV(1):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] > (assignment in user:09cff951-c031-4033-95a9-de85812ccc46(testovic)); > in current user in > LensFocusContext(UserType:09cff951-c031-4033-95a9-de85812ccc46) > at > com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:495) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:461) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensFocusContext.checkConsistence(LensFocusContext.java:459) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:453) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensContext.checkConsistence(LensContext.java:678) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocusFocus(FocusProcessor.java:398) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocus(FocusProcessor.java:173) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.Projector.lambda$projectInternal$1(Projector.java:227) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java:1254) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.Projector.projectInternal(Projector.java:225) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.Projector.project(Projector.java:114) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java:440) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:197) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.controller.ModelController.executeChanges(ModelController.java:572) > ~[model-impl-3.6.1.jar:na] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > ~[na:1.8.0_111] > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > ~[na:1.8.0_111] > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > ~[na:1.8.0_111] > at java.lang.reflect.Method.invoke(Method.java:498) > ~[na:1.8.0_111] > at > org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invoke(LazyInitProxyFactory.java:507) > ~[wicket-ioc-7.6.0.jar:7.6.0] > at com.sun.proxy.$Proxy164.executeChanges(Unknown Source) > ~[na:na] > at > com.evolveum.midpoint.web.component.progress.ProgressReporter.lambda$executeChangesAsync$0(ProgressReporter.java:187) > ~[classes/:na] > at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_111] > Caused by: java.lang.IllegalStateException: Null parent for value > PCV(1):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] > in item > PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}assignment):[PCV(1):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] > (assignment in user:09cff951-c031-4033-95a9-de85812ccc46(testovic)) > at > com.evolveum.midpoint.prism.Item.checkConsistenceInternal(Item.java:748) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.PrismContainer.checkConsistenceInternal(PrismContainer.java:688) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.PrismContainerValue.checkConsistenceInternal(PrismContainerValue.java:1271) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.Item.checkConsistenceInternal(Item.java:754) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.PrismContainer.checkConsistenceInternal(PrismContainer.java:688) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.PrismObject.checkConsistenceInternal(PrismObject.java:409) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.Item.checkConsistence(Item.java:709) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:491) > ~[model-impl-3.6.1.jar:na] > ... 21 common frames omitted > > > I have found it comes from > com.evolveum.midpoint.prism.Item radek 748, > > if (val.getParent() == null) { > throw new IllegalStateException("Null parent for value "+val+" > in item "+this+" ("+path+" in "+rootItem+")"); > } > > > So far we haven't found any suspicious Users/Accounts metadata. > Likely it is related to AD resource. > Any hint or advice would be appreciated. > > Thx > > Petr Kulheim > JEE Developer > > IBA CZ, s.r.o. > Office: Petržílkova 2565/23, 158 00 Praha, CZ > Phone: +420 603 272826 > E-mail: petr.kulheim at ibacz.eu > > IBACZ email signature > > > ------------------------------------------------------------------------ > Disclaimer: > > The information contained in this communication is intended solely for > the use of the individual or entity to whom it is addressed and others > authorized to receive it. > It may contain confidential or legally privileged information. > If you are not the intended recipient you are hereby notified that any > disclosure, copying, distribution or taking any action in reliance on > the contents of this information is strictly prohibited and may be > unlawful. > If you have received this communication in error, please notify us > immediately by forwarding this email to ict at ibacz.eu and then delete > it from your system. > IBA Group is neither liable for the proper and complete transmission > of the information contained in this communication nor for any delay > in its receipt. > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jbmkejinghegchdf.png Type: image/png Size: 48578 bytes Desc: not available URL: From petr.kulheim at ibacz.eu Wed Jan 17 17:10:37 2018 From: petr.kulheim at ibacz.eu (petr.kulheim at ibacz.eu) Date: Wed, 17 Jan 2018 17:10:37 +0100 Subject: [midPoint] Fw: Null parent for value PCV(1) Exception during reconciliation after upgrade of midpoint from 3.5.1 to 3.6.1 In-Reply-To: <248efbb6-ffb6-dd87-5bb0-d2cccdf0d56f@evolveum.com> References: <248efbb6-ffb6-dd87-5bb0-d2cccdf0d56f@evolveum.com> Message-ID: Hi Pavol, provided exception bellow is from GUI action SAVE, with reconsiliation checkbox checked, no changed done. It is replicable. If we run recosiliation task, there are about 30 errors in com.evolveum.midpoint.common.operation.reconciliation.errors not_applicable 1000000000000030110 Last 30 failures: com.evolveum.midpoint.common.operation.reconciliation.errors not_applicable 1000000000000030110 Last 30 failures: CN=Jan novak,OU=BRC,DC=wintest,DC=bbb,DC=sk: java.lang.IllegalStateException: Null parent for value PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:22.972+01:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:23.027+01:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] in item PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }assignment):[PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:22.972+01:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:23.027+01:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]], PCV(2):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:22.972+01:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:23.027+01:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import )]]], PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }construction):[PCV(null):[PrismReference({.../common/common-3}resourceRef):[PRV(oid=feed0000-0000-0000-0000-000000000001, targetType={.../common/common-3}ResourceType, relation={.../common/org-3}default)]]], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] (assignment in user:f259bab2-48eb-4e0f-b426-6b58445fdbae(jnovak)); in current user in LensFocusContext(UserType:f259bab2-48eb-4e0f-b426-6b58445fdbae) ..... Looks like the same error as from GUI action, but no stack trace. thx a lot Petr From: Pavol Mederly To: midpoint at lists.evolveum.com Date: 17/01/2018 16:05 Subject: Re: [midPoint] Fw: Null parent for value PCV(1) Exception during reconciliation after upgrade of midpoint from 3.5.1 to 3.6.1 Sent by: "midPoint" Hello Petr, just to make sure: You wrote that the exception occurs during reconciliation. I assume you mean reconciliation task. But the stack trace corresponds to a GUI operation. So, what's the case? Does it occur within a task or in GUI? If in GUI, is it replicable? Pavol Mederly Software developer evolveum.com On 17.01.2018 12:34, petr.kulheim at ibacz.eu wrote: hi guys, we have customer's test environment where we have upgraded midpoint from 3.5.1 to 3.6.1 After this upgrade we have some users, about 30, having following Exception during reconsiliation: 2018-01-15 17:33:30,325 [] [Thread-77] ERROR (com.evolveum.midpoint.web.component.progress.ProgressReporter): Error executing changes. java.lang.IllegalStateException: Null parent for value PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] in item PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }assignment):[PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] (assignment in user:09cff951-c031-4033-95a9-de85812ccc46(testovic)); in current user in LensFocusContext(UserType:09cff951-c031-4033-95a9-de85812ccc46) at com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:495) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:461) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensFocusContext.checkConsistence(LensFocusContext.java:459) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:453) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensContext.checkConsistence(LensContext.java:678) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocusFocus(FocusProcessor.java:398) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocus(FocusProcessor.java:173) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.Projector.lambda$projectInternal$1(Projector.java:227) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java:1254) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.Projector.projectInternal(Projector.java:225) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.Projector.project(Projector.java:114) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java:440) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:197) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.controller.ModelController.executeChanges(ModelController.java:572) ~[model-impl-3.6.1.jar:na] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_111] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_111] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_111] at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_111] at org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invoke(LazyInitProxyFactory.java:507) ~[wicket-ioc-7.6.0.jar:7.6.0] at com.sun.proxy.$Proxy164.executeChanges(Unknown Source) ~[na:na] at com.evolveum.midpoint.web.component.progress.ProgressReporter.lambda$executeChangesAsync$0(ProgressReporter.java:187) ~[classes/:na] at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_111] Caused by: java.lang.IllegalStateException: Null parent for value PCV(1):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] in item PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }assignment):[PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] (assignment in user:09cff951-c031-4033-95a9-de85812ccc46(testovic)) at com.evolveum.midpoint.prism.Item.checkConsistenceInternal(Item.java:748) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.PrismContainer.checkConsistenceInternal(PrismContainer.java:688) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.PrismContainerValue.checkConsistenceInternal(PrismContainerValue.java:1271) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.Item.checkConsistenceInternal(Item.java:754) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.PrismContainer.checkConsistenceInternal(PrismContainer.java:688) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.PrismObject.checkConsistenceInternal(PrismObject.java:409) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.Item.checkConsistence(Item.java:709) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:491) ~[model-impl-3.6.1.jar:na] ... 21 common frames omitted I have found it comes from com.evolveum.midpoint.prism.Item radek 748, if (val.getParent() == null) { throw new IllegalStateException("Null parent for value "+val+" in item "+this+" ("+path+" in "+rootItem+")"); } So far we haven't found any suspicious Users/Accounts metadata. Likely it is related to AD resource. Any hint or advice would be appreciated. Thx Petr Kulheim JEE Developer IBA CZ, s.r.o. Office: Petržílkova 2565/23, 158 00 Praha, CZ Phone: +420 603 272826 E-mail: petr.kulheim at ibacz.eu Disclaimer: The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by forwarding this email to ict at ibacz.eu and then delete it from your system. IBA Group is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt. _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint Disclaimer: The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by forwarding this email to ict at ibacz.eu and then delete it from your system. IBA Group is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 48578 bytes Desc: not available URL: From mederly at evolveum.com Wed Jan 17 17:23:17 2018 From: mederly at evolveum.com (Pavol Mederly) Date: Wed, 17 Jan 2018 17:23:17 +0100 Subject: [midPoint] Fw: Null parent for value PCV(1) Exception during reconciliation after upgrade of midpoint from 3.5.1 to 3.6.1 In-Reply-To: References: <248efbb6-ffb6-dd87-5bb0-d2cccdf0d56f@evolveum.com> Message-ID: <0ddd3193-f6b7-bc58-e7f6-7329384c77a1@evolveum.com> Petr, thanks for the information. I think I understood. So, let's have a look at it: The problem is related to the assignment of a role with OID feed0000-0000-0000-0003-000000000001. How was that assignment created? Manually through a GUI? I assume it was created via some mapping. Can you post here the mapping? Pavol Mederly Software developer evolveum.com On 17.01.2018 17:10, petr.kulheim at ibacz.eu wrote: > Hi Pavol, > provided exception bellow is from GUI action SAVE, with reconsiliation > checkbox checked, no changed done. It is replicable. > > If we run recosiliation task, there are about 30 errors in > > com.evolveum.midpoint.common.operation.reconciliation.errors > not_applicable > 1000000000000030110 > Last 30 failures: > > com.evolveum.midpoint.common.operation.reconciliation.errors > not_applicable > 1000000000000030110 > Last 30 failures: > CN=Jan novak,OU=BRC,DC=wintest,DC=bbb,DC=sk: > java.lang.IllegalStateException: Null parent for value > PCV(1):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:22.972+01:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:23.027+01:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] > in item > PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}assignment):[PCV(1):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:22.972+01:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:23.027+01:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]], > PCV(2):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:22.972+01:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:23.027+01:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import)]]], > PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}construction):[PCV(null):[PrismReference({.../common/common-3}resourceRef):[PRV(oid=feed0000-0000-0000-0000-000000000001, > targetType={.../common/common-3}ResourceType, > relation={.../common/org-3}default)]]], > PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] > (assignment in user:f259bab2-48eb-4e0f-b426-6b58445fdbae(jnovak)); in > current user in > LensFocusContext(UserType:f259bab2-48eb-4e0f-b426-6b58445fdbae) > ..... > > > Looks like the same error as from GUI action, but no stack trace. > thx a lot > > Petr > > > > > > > From: Pavol Mederly > To: midpoint at lists.evolveum.com > Date: 17/01/2018 16:05 > Subject: Re: [midPoint] Fw: Null parent for value PCV(1) Exception > during reconciliation after upgrade of midpoint from 3.5.1 to 3.6.1 > Sent by: "midPoint" > ------------------------------------------------------------------------ > > > > Hello Petr, > > just to make sure: You wrote that the exception occurs during > reconciliation. I assume you mean reconciliation task. > > But the stack trace corresponds to a GUI operation. > > So, what's the case? Does it occur within a task or in GUI? If in GUI, > is it replicable? > > Pavol Mederly > Software developer > evolveum.com > > On 17.01.2018 12:34, _petr.kulheim at ibacz.eu_ > wrote: > hi guys, > > we have customer's test environment where we have upgraded midpoint > from 3.5.1 to 3.6.1 > After this upgrade we have some users, about 30, having following > Exception during reconsiliation: > > 2018-01-15 17:33:30,325 [] [Thread-77] ERROR > (com.evolveum.midpoint.web.component.progress.ProgressReporter): Error > executing changes. > java.lang.IllegalStateException: Null parent for value > PCV(1):[PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:_http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation_)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] > in item > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}assignment):[PCV(1):[PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:_http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation_)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] > (assignment in user:09cff951-c031-4033-95a9-de85812ccc46(testovic)); > in current user in > LensFocusContext(UserType:09cff951-c031-4033-95a9-de85812ccc46) > at > com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:495)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:461)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensFocusContext.checkConsistence(LensFocusContext.java:459)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:453)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensContext.checkConsistence(LensContext.java:678)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocusFocus(FocusProcessor.java:398)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocus(FocusProcessor.java:173)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.Projector.lambda$projectInternal$1(Projector.java:227)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java:1254)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.Projector.projectInternal(Projector.java:225)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.Projector.project(Projector.java:114)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java:440)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:197) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.controller.ModelController.executeChanges(ModelController.java:572)~[model-impl-3.6.1.jar:na] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > ~[na:1.8.0_111] > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)~[na:1.8.0_111] > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)~[na:1.8.0_111] > at java.lang.reflect.Method.invoke(Method.java:498) > ~[na:1.8.0_111] > at > org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invoke(LazyInitProxyFactory.java:507)~[wicket-ioc-7.6.0.jar:7.6.0] > at com.sun.proxy.$Proxy164.executeChanges(Unknown Source) ~[na:na] > at > com.evolveum.midpoint.web.component.progress.ProgressReporter.lambda$executeChangesAsync$0(ProgressReporter.java:187)~[classes/:na] > at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_111] > Caused by: java.lang.IllegalStateException: Null parent for value > PCV(1):[PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:_http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation_)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] > in item > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}assignment):[PCV(1):[PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:_http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation_)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] > (assignment in user:09cff951-c031-4033-95a9-de85812ccc46(testovic)) > at > com.evolveum.midpoint.prism.Item.checkConsistenceInternal(Item.java:748) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.PrismContainer.checkConsistenceInternal(PrismContainer.java:688)~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.PrismContainerValue.checkConsistenceInternal(PrismContainerValue.java:1271)~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.Item.checkConsistenceInternal(Item.java:754) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.PrismContainer.checkConsistenceInternal(PrismContainer.java:688)~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.PrismObject.checkConsistenceInternal(PrismObject.java:409)~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.Item.checkConsistence(Item.java:709) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:491)~[model-impl-3.6.1.jar:na] > ... 21 common frames omitted > > > I have found it comes from > com.evolveum.midpoint.prism.Item radek 748, > > if (val.getParent() == null) { > throw new IllegalStateException("Null parent for value > "+val+" in item "+this+" ("+path+" in "+rootItem+")"); > } > > > So far we haven't found any suspicious Users/Accounts metadata. > Likely it is related to AD resource. > Any hint or advice would be appreciated. > > Thx > > Petr Kulheim > JEE Developer > > IBA CZ, s.r.o. > Office: Petržílkova 2565/23, 158 00 Praha, CZ > Phone: +420 603 272826 > E-mail: _petr.kulheim at ibacz.eu_ > > IBACZ email signature > > ------------------------------------------------------------------------ > Disclaimer: > > The information contained in this communication is intended solely for > the use of the individual or entity to whom it is addressed and others > authorized to receive it. > It may contain confidential or legally privileged information. > If you are not the intended recipient you are hereby notified that any > disclosure, copying, distribution or taking any action in reliance on > the contents of this information is strictly prohibited and may be > unlawful. > If you have received this communication in error, please notify us > immediately by forwarding this email to _ict at ibacz.eu_ > and then delete it from your system. > IBA Group is neither liable for the proper and complete transmission > of the information contained in this communication nor for any delay > in its receipt. > > > _______________________________________________ > midPoint mailing list > _midPoint at lists.evolveum.com_ > _http://lists.evolveum.com/mailman/listinfo/midpoint_ > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > > > ------------------------------------------------------------------------ > Disclaimer: > > The information contained in this communication is intended solely for > the use of the individual or entity to whom it is addressed and others > authorized to receive it. > It may contain confidential or legally privileged information. > If you are not the intended recipient you are hereby notified that any > disclosure, copying, distribution or taking any action in reliance on > the contents of this information is strictly prohibited and may be > unlawful. > If you have received this communication in error, please notify us > immediately by forwarding this email to ict at ibacz.eu and then delete > it from your system. > IBA Group is neither liable for the proper and complete transmission > of the information contained in this communication nor for any delay > in its receipt. > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: mjcmdmkokdlphcep.png Type: image/png Size: 48578 bytes Desc: not available URL: From petr.kulheim at ibacz.eu Wed Jan 17 17:50:34 2018 From: petr.kulheim at ibacz.eu (petr.kulheim at ibacz.eu) Date: Wed, 17 Jan 2018 17:50:34 +0100 Subject: [midPoint] Fw: Null parent for value PCV(1) Exception during reconciliation after upgrade of midpoint from 3.5.1 to 3.6.1 In-Reply-To: <0ddd3193-f6b7-bc58-e7f6-7329384c77a1@evolveum.com> References: <248efbb6-ffb6-dd87-5bb0-d2cccdf0d56f@evolveum.com> <0ddd3193-f6b7-bc58-e7f6-7329384c77a1@evolveum.com> Message-ID: Pavol, I guess it was assigned by User's object template mapping, pls see here: Zamestnanec role assignment strong $user/employeeType c:RoleType feed0000-0000-0000-0003-000000000001 assignment and also I attaching the Role definition. Thx Petr From: Pavol Mederly To: midpoint at lists.evolveum.com Date: 17/01/2018 17:26 Subject: Re: [midPoint] Fw: Null parent for value PCV(1) Exception during reconciliation after upgrade of midpoint from 3.5.1 to 3.6.1 Sent by: "midPoint" Petr, thanks for the information. I think I understood. So, let's have a look at it: The problem is related to the assignment of a role with OID feed0000-0000-0000-0003-000000000001. How was that assignment created? Manually through a GUI? I assume it was created via some mapping. Can you post here the mapping? Pavol Mederly Software developer evolveum.com On 17.01.2018 17:10, petr.kulheim at ibacz.eu wrote: Hi Pavol, provided exception bellow is from GUI action SAVE, with reconsiliation checkbox checked, no changed done. It is replicable. If we run recosiliation task, there are about 30 errors in com.evolveum.midpoint.common.operation.reconciliation.errors not_applicable 1000000000000030110 Last 30 failures: com.evolveum.midpoint.common.operation.reconciliation.errors not_applicable 1000000000000030110 Last 30 failures: CN=Jan novak,OU=BRC,DC=wintest,DC=bbb,DC=sk: java.lang.IllegalStateException: Null parent for value PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:22.972+01:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:23.027+01:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] in item PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }assignment):[PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:22.972+01:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:23.027+01:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]], PCV(2):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:22.972+01:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:23.027+01:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import )]]], PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }construction):[PCV(null):[PrismReference({.../common/common-3}resourceRef):[PRV(oid=feed0000-0000-0000-0000-000000000001, targetType={.../common/common-3}ResourceType, relation={.../common/org-3}default)]]], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] (assignment in user:f259bab2-48eb-4e0f-b426-6b58445fdbae(jnovak)); in current user in LensFocusContext(UserType:f259bab2-48eb-4e0f-b426-6b58445fdbae) ..... Looks like the same error as from GUI action, but no stack trace. thx a lot Petr From: Pavol Mederly To: midpoint at lists.evolveum.com Date: 17/01/2018 16:05 Subject: Re: [midPoint] Fw: Null parent for value PCV(1) Exception during reconciliation after upgrade of midpoint from 3.5.1 to 3.6.1 Sent by: "midPoint" Hello Petr, just to make sure: You wrote that the exception occurs during reconciliation. I assume you mean reconciliation task. But the stack trace corresponds to a GUI operation. So, what's the case? Does it occur within a task or in GUI? If in GUI, is it replicable? Pavol Mederly Software developer evolveum.com On 17.01.2018 12:34, petr.kulheim at ibacz.eu wrote: hi guys, we have customer's test environment where we have upgraded midpoint from 3.5.1 to 3.6.1 After this upgrade we have some users, about 30, having following Exception during reconsiliation: 2018-01-15 17:33:30,325 [] [Thread-77] ERROR (com.evolveum.midpoint.web.component.progress.ProgressReporter): Error executing changes. java.lang.IllegalStateException: Null parent for value PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] in item PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }assignment):[PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] (assignment in user:09cff951-c031-4033-95a9-de85812ccc46(testovic)); in current user in LensFocusContext(UserType:09cff951-c031-4033-95a9-de85812ccc46) at com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:495)~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:461)~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensFocusContext.checkConsistence(LensFocusContext.java:459)~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:453)~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensContext.checkConsistence(LensContext.java:678)~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocusFocus(FocusProcessor.java:398)~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocus(FocusProcessor.java:173)~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.Projector.lambda$projectInternal$1(Projector.java:227)~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java:1254)~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.Projector.projectInternal(Projector.java:225)~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.projector.Projector.project(Projector.java:114)~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java:440)~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:197) ~[model-impl-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.controller.ModelController.executeChanges(ModelController.java:572)~[model-impl-3.6.1.jar:na] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_111] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)~[na:1.8.0_111] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)~[na:1.8.0_111] at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_111] at org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invoke(LazyInitProxyFactory.java:507)~[wicket-ioc-7.6.0.jar:7.6.0] at com.sun.proxy.$Proxy164.executeChanges(Unknown Source) ~[na:na] at com.evolveum.midpoint.web.component.progress.ProgressReporter.lambda$executeChangesAsync$0(ProgressReporter.java:187)~[classes/:na] at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_111] Caused by: java.lang.IllegalStateException: Null parent for value PCV(1):[PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] in item PC({http://midpoint.evolveum.com/xml/ns/public/common/common-3 }assignment):[PCV(1):[PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)], PP({.../common/common-3}createChannel):[PPV(String: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation )]]], PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, targetType={.../common/common-3}RoleType, relation={.../common/org-3}default)], PC({ http://midpoint.evolveum.com/xml/ns/public/common/common-3 }activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] (assignment in user:09cff951-c031-4033-95a9-de85812ccc46(testovic)) at com.evolveum.midpoint.prism.Item.checkConsistenceInternal(Item.java:748) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.PrismContainer.checkConsistenceInternal(PrismContainer.java:688)~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.PrismContainerValue.checkConsistenceInternal(PrismContainerValue.java:1271)~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.Item.checkConsistenceInternal(Item.java:754) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.PrismContainer.checkConsistenceInternal(PrismContainer.java:688)~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.PrismObject.checkConsistenceInternal(PrismObject.java:409)~[prism-3.6.1.jar:na] at com.evolveum.midpoint.prism.Item.checkConsistence(Item.java:709) ~[prism-3.6.1.jar:na] at com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:491)~[model-impl-3.6.1.jar:na] ... 21 common frames omitted I have found it comes from com.evolveum.midpoint.prism.Item radek 748, if (val.getParent() == null) { throw new IllegalStateException("Null parent for value "+val+" in item "+this+" ("+path+" in "+rootItem+")"); } So far we haven't found any suspicious Users/Accounts metadata. Likely it is related to AD resource. Any hint or advice would be appreciated. Thx Petr Kulheim JEE Developer IBA CZ, s.r.o. Office: Petržílkova 2565/23, 158 00 Praha, CZ Phone: +420 603 272826 E-mail: petr.kulheim at ibacz.eu Disclaimer: The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by forwarding this email to ict at ibacz.eu and then delete it from your system. IBA Group is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt. _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint Disclaimer: The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by forwarding this email to ict at ibacz.eu and then delete it from your system. IBA Group is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt. _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint _______________________________________________ midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint Disclaimer: The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by forwarding this email to ict at ibacz.eu and then delete it from your system. IBA Group is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 48578 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ExportedData_RoleType_1516161790929.xml Type: application/octet-stream Size: 3300 bytes Desc: not available URL: From mederly at evolveum.com Wed Jan 17 18:38:21 2018 From: mederly at evolveum.com (Pavol Mederly) Date: Wed, 17 Jan 2018 18:38:21 +0100 Subject: [midPoint] Fw: Null parent for value PCV(1) Exception during reconciliation after upgrade of midpoint from 3.5.1 to 3.6.1 In-Reply-To: References: <248efbb6-ffb6-dd87-5bb0-d2cccdf0d56f@evolveum.com> <0ddd3193-f6b7-bc58-e7f6-7329384c77a1@evolveum.com> Message-ID: <9e03ee25-8d84-3cd7-28f1-17d13bfae393@evolveum.com> Interesting. Please, could you send here one such user that causes midPoint to fail when recomputed? (after removing personal information - if any) Thank you. Pavol Mederly Software developer evolveum.com On 17.01.2018 17:50, petr.kulheim at ibacz.eu wrote: > Pavol, > I guess it was assigned by User's object template mapping, pls see here: > > > Zamestnanec role assignment > strong > > $user/employeeType > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:type="c:SearchObjectRefExpressionEvaluatorType"> > c:RoleType > feed0000-0000-0000-0003-000000000001 > > > > assignment > > > > > > > and also I attaching the Role definition. > > > Thx > Petr > > > > > > > From: Pavol Mederly > To: midpoint at lists.evolveum.com > Date: 17/01/2018 17:26 > Subject: Re: [midPoint] Fw: Null parent for value PCV(1) Exception > during reconciliation after upgrade of midpoint from 3.5.1 to 3.6.1 > Sent by: "midPoint" > ------------------------------------------------------------------------ > > > > Petr, > > thanks for the information. I think I understood. So, let's have a > look at it: > > The problem is related to the assignment of a role with OID > feed0000-0000-0000-0003-000000000001. > > How was that assignment created? Manually through a GUI? I assume it > was created via some mapping. Can you post here the mapping? > > Pavol Mederly > Software developer > evolveum.com > > On 17.01.2018 17:10, _petr.kulheim at ibacz.eu_ > wrote: > Hi Pavol, > provided exception bellow is from GUI action SAVE, with reconsiliation > checkbox checked, no changed done. It is replicable. > > If we run recosiliation task, there are about 30 errors in > > com.evolveum.midpoint.common.operation.reconciliation.errors > not_applicable > 1000000000000030110 > Last 30 failures: > > com.evolveum.midpoint.common.operation.reconciliation.errors > not_applicable > 1000000000000030110 > Last 30 failures: > CN=Jan novak,OU=BRC,DC=wintest,DC=bbb,DC=sk: > java.lang.IllegalStateException: Null parent for value > PCV(1):[PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:22.972+01:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:23.027+01:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:_http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import_)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] > in item > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}assignment):[PCV(1):[PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:22.972+01:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:23.027+01:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:_http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import_)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]], > PCV(2):[PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:22.972+01:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-03T12:11:23.027+01:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:_http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import_)]]], > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}construction):[PCV(null):[PrismReference({.../common/common-3}resourceRef):[PRV(oid=feed0000-0000-0000-0000-000000000001, > targetType={.../common/common-3}ResourceType, > relation={.../common/org-3}default)]]], > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] > (assignment in user:f259bab2-48eb-4e0f-b426-6b58445fdbae(jnovak)); in > current user in > LensFocusContext(UserType:f259bab2-48eb-4e0f-b426-6b58445fdbae) > ..... > > > Looks like the same error as from GUI action, but no stack trace. > thx a lot > > Petr > > > > > > > From: Pavol Mederly __ > To: _midpoint at lists.evolveum.com_ > Date: 17/01/2018 16:05 > Subject: Re: [midPoint] Fw: Null parent for value PCV(1) Exception > during reconciliation after upgrade of midpoint from 3.5.1 to 3.6.1 > Sent by: "midPoint" __ > > > ------------------------------------------------------------------------ > > > > Hello Petr, > > just to make sure: You wrote that the exception occurs during > reconciliation. I assume you mean reconciliation task. > > But the stack trace corresponds to a GUI operation. > > So, what's the case? Does it occur within a task or in GUI? If in GUI, > is it replicable? > > Pavol Mederly > Software developer > evolveum.com > > On 17.01.2018 12:34, _petr.kulheim at ibacz.eu_ > wrote: > hi guys, > > we have customer's test environment where we have upgraded midpoint > from 3.5.1 to 3.6.1 > After this upgrade we have some users, about 30, having following > Exception during reconsiliation: > > 2018-01-15 17:33:30,325 [] [Thread-77] ERROR > (com.evolveum.midpoint.web.component.progress.ProgressReporter): Error > executing changes. > java.lang.IllegalStateException: Null parent for value > PCV(1):[PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:_http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation_)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] > in item > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}assignment):[PCV(1):[PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:_http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation_)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] > (assignment in user:09cff951-c031-4033-95a9-de85812ccc46(testovic)); > in current user in > LensFocusContext(UserType:09cff951-c031-4033-95a9-de85812ccc46) > at > com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:495)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:461)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensFocusContext.checkConsistence(LensFocusContext.java:459)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:453)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensContext.checkConsistence(LensContext.java:678)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocusFocus(FocusProcessor.java:398)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.FocusProcessor.processFocus(FocusProcessor.java:173)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.Projector.lambda$projectInternal$1(Projector.java:227)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensUtil.partialExecute(LensUtil.java:1254)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.Projector.projectInternal(Projector.java:225)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.projector.Projector.project(Projector.java:114)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.Clockwork.click(Clockwork.java:440)~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.Clockwork.run(Clockwork.java:197) > ~[model-impl-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.controller.ModelController.executeChanges(ModelController.java:572)~[model-impl-3.6.1.jar:na] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > ~[na:1.8.0_111] > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)~[na:1.8.0_111] > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)~[na:1.8.0_111] > at java.lang.reflect.Method.invoke(Method.java:498) > ~[na:1.8.0_111] > at > org.apache.wicket.proxy.LazyInitProxyFactory$JdkHandler.invoke(LazyInitProxyFactory.java:507)~[wicket-ioc-7.6.0.jar:7.6.0] > at com.sun.proxy.$Proxy164.executeChanges(Unknown Source) ~[na:na] > at > com.evolveum.midpoint.web.component.progress.ProgressReporter.lambda$executeChangesAsync$0(ProgressReporter.java:187)~[classes/:na] > at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_111] > Caused by: java.lang.IllegalStateException: Null parent for value > PCV(1):[PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:_http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation_)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]] > in item > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}assignment):[PCV(1):[PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:13.965+02:00)], > PrismReference({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2017-03-29T11:17:14.092+02:00)], > PrismReference({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002, > targetType={.../common/common-3}UserType, > relation={.../common/org-3}default)], > PP({.../common/common-3}createChannel):[PPV(String:_http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation_)]]], > PrismReference({.../common/common-3}targetRef):[PRV(oid=feed0000-0000-0000-0003-000000000001, > targetType={.../common/common-3}RoleType, > relation={.../common/org-3}default)], > PC({_http://midpoint.evolveum.com/xml/ns/public/common/common-3_}activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]] > (assignment in user:09cff951-c031-4033-95a9-de85812ccc46(testovic)) > at > com.evolveum.midpoint.prism.Item.checkConsistenceInternal(Item.java:748) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.PrismContainer.checkConsistenceInternal(PrismContainer.java:688)~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.PrismContainerValue.checkConsistenceInternal(PrismContainerValue.java:1271)~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.Item.checkConsistenceInternal(Item.java:754) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.PrismContainer.checkConsistenceInternal(PrismContainer.java:688)~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.PrismObject.checkConsistenceInternal(PrismObject.java:409)~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.prism.Item.checkConsistence(Item.java:709) > ~[prism-3.6.1.jar:na] > at > com.evolveum.midpoint.model.impl.lens.LensElementContext.checkConsistence(LensElementContext.java:491)~[model-impl-3.6.1.jar:na] > ... 21 common frames omitted > > > I have found it comes from > com.evolveum.midpoint.prism.Item radek 748, > > if (val.getParent() == null) { > throw new IllegalStateException("Null parent for value > "+val+" in item "+this+" ("+path+" in "+rootItem+")"); > } > > > So far we haven't found any suspicious Users/Accounts metadata. > Likely it is related to AD resource. > Any hint or advice would be appreciated. > > Thx > > Petr Kulheim > JEE Developer > > IBA CZ, s.r.o. > Office: Petržílkova 2565/23, 158 00 Praha, CZ > Phone: +420 603 272826 > E-mail: _petr.kulheim at ibacz.eu_ > > IBACZ email signature > > ------------------------------------------------------------------------ > Disclaimer: > > The information contained in this communication is intended solely for > the use of the individual or entity to whom it is addressed and others > authorized to receive it. > It may contain confidential or legally privileged information. > If you are not the intended recipient you are hereby notified that any > disclosure, copying, distribution or taking any action in reliance on > the contents of this information is strictly prohibited and may be > unlawful. > If you have received this communication in error, please notify us > immediately by forwarding this email to _ict at ibacz.eu_ > and then delete it from your system. > IBA Group is neither liable for the proper and complete transmission > of the information contained in this communication nor for any delay > in its receipt. > > > _______________________________________________ > midPoint mailing list_ > __midPoint at lists.evolveum.com_ _ > __http://lists.evolveum.com/mailman/listinfo/midpoint_ > > _______________________________________________ > midPoint mailing list_ > __midPoint at lists.evolveum.com_ _ > __http://lists.evolveum.com/mailman/listinfo/midpoint_ > > > > ------------------------------------------------------------------------ > Disclaimer: > > The information contained in this communication is intended solely for > the use of the individual or entity to whom it is addressed and others > authorized to receive it. > It may contain confidential or legally privileged information. > If you are not the intended recipient you are hereby notified that any > disclosure, copying, distribution or taking any action in reliance on > the contents of this information is strictly prohibited and may be > unlawful. > If you have received this communication in error, please notify us > immediately by forwarding this email to _ict at ibacz.eu_ > and then delete it from your system. > IBA Group is neither liable for the proper and complete transmission > of the information contained in this communication nor for any delay > in its receipt. > > > _______________________________________________ > midPoint mailing list > _midPoint at lists.evolveum.com_ > _http://lists.evolveum.com/mailman/listinfo/midpoint_ > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint > > > > ------------------------------------------------------------------------ > Disclaimer: > > The information contained in this communication is intended solely for > the use of the individual or entity to whom it is addressed and others > authorized to receive it. > It may contain confidential or legally privileged information. > If you are not the intended recipient you are hereby notified that any > disclosure, copying, distribution or taking any action in reliance on > the contents of this information is strictly prohibited and may be > unlawful. > If you have received this communication in error, please notify us > immediately by forwarding this email to ict at ibacz.eu and then delete > it from your system. > IBA Group is neither liable for the proper and complete transmission > of the information contained in this communication nor for any delay > in its receipt. > > > _______________________________________________ > midPoint mailing list > midPoint at lists.evolveum.com > http://lists.evolveum.com/mailman/listinfo/midpoint -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: hmfkinifecahokig.png Type: image/png Size: 48578 bytes Desc: not available URL: