[midPoint] Ad synch Group-User failed
TIPA Sylvaire-Kevin
sylvaire-kevin.tipa at mythalesgroup.com
Mon Mar 5 09:29:11 CET 2018
Hey,
I have found my problem: the "strong" option was missing. This is the right meta-role; I think it would be good to add it to your sample page (on the wiki). I just found it in the sample source on GitHub.
Add it here: https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO
and here: https://wiki.evolveum.com/display/midPoint/Roles,+Metaroles+and+Generic+Synchronization
<inducement id="2">
<construction>
<resourceRef
oid="41746865-6e61-1000-0001-000000000001"
relation="org:default"
type="c:ResourceType" />
<kind>account</kind>
<intent>default</intent>
<association>
<c:ref>ri:group</c:ref>
<outbound>
<strength>strong</strength>
<expression>
<associationFromLink xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
<projectionDiscriminator>
<kind>entitlement</kind>
<intent>group</intent>
</projectionDiscriminator>
</associationFromLink>
</expression>
</outbound>
</association>
</construction>
<order>2</order>
</inducement>
--
Cordialement.
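The missing-strength mistake described in the reply above, as an added check written for this thread (it is not midPoint's own code): it parses a trimmed copy of the posted metarole, reports every outbound association mapping that is not strong, and inserts `<strength>strong</strength>` so that reconcile treats the group membership as authoritative instead of stripping it. It assumes midPoint treats a missing strength as normal; the `parse`, `weak_association_mappings` and `harden` names are this example's own.

```python
"""Find outbound association mappings in a midPoint metarole that are not 'strong'
(the omission behind the reconcile problem in this thread) and add the element.
Not midPoint code. Assumes a missing <strength> means 'normal', as midPoint does."""
import xml.etree.ElementTree as ET
C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": C}
ET.register_namespace("", C)  # write common-3 back out as the default namespace

# Trimmed copy of the metarole posted in the thread (xsi:type attributes dropped).
METAROLE_XML = f"""<role xmlns="{C}" oid="41746865-6e61-2001-0001-000000000010">
  <inducement id="2"><construction>
    <kind>account</kind><intent>default</intent>
    <association><ref>ri:group</ref>
      <outbound>
        <expression><associationFromLink><projectionDiscriminator>
          <kind>entitlement</kind><intent>group</intent>
        </projectionDiscriminator></associationFromLink></expression>
      </outbound>
    </association>
  </construction></inducement>
</role>"""

def parse(xml_text):
    return ET.fromstring(xml_text)

def weak_association_mappings(root):
    """Return (inducement id, association ref, strength) for each non-strong mapping."""
    findings = []
    for ind in root.iterfind(".//c:inducement", NS):
        for assoc in ind.iterfind("c:construction/c:association", NS):
            ref = assoc.findtext("c:ref", "?", NS)
            for ob in assoc.iterfind("c:outbound", NS):
                strength = ob.findtext("c:strength", "normal", NS)  # absent => normal
                if strength != "strong":
                    findings.append((ind.get("id"), ref, strength))
    return findings

def harden(root):
    """Make each weak mapping strong; a missing <strength> goes before <source>/<expression>."""
    changed = 0
    for ob in root.iterfind(".//c:inducement/c:construction/c:association/c:outbound", NS):
        st = ob.find("c:strength", NS)
        if st is None:
            first = (f"{{{C}}}source", f"{{{C}}}expression")
            pos = next((i for i, ch in enumerate(ob) if ch.tag in first), len(ob))
            st = ET.Element(f"{{{C}}}strength")
            ob.insert(pos, st)
        if st.text != "strong":
            st.text, changed = "strong", changed + 1
    return changed
```

Run `weak_association_mappings` over every metarole you export before a reconcile task is scheduled; a non-empty result is the configuration that removed the memberOf values in this thread.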
-------- Original Message --------
Subject: [midPoint] Ad synch Group-User failed
Date: Friday 2 March 2018 12:32 CET
From: "TIPA Sylvaire-Kevin" <sylvaire-kevin.tipa at mythalesgroup.com>
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
To: midpoint at lists.evolveum.com
Hello,
I have a really strange event in my AD synch. Let me explain; I have the following setup:
- 1 Active Directory resource
- 1 metarole for AD group sync (based on the sample: https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO)
- 1 role with an assignment to the metarole
- 1 user with an assignment to the previous role.
- When I assign the metarole to my role: OK, everything does its job and my role is now a group in my AD
- When I assign a user (with or without the AD construction already done) to my role: OK, my user has an AD account and this account is a memberOf my group
- When I reconcile my role: NOK, midPoint executes a delta to delete all the members (deleting the memberOf association, not the member itself)
If I reconcile my user, nothing is done.
My resource and my metarole are like the sample. Any idea?
METAROLE:
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="41746865-6e61-2001-0001-000000000010" version="1">
<name>metarole-ad-sync</name>
<activation>
<effectiveStatus>enabled</effectiveStatus>
<enableTimestamp>2017-08-08T14:30:44.995Z</enableTimestamp>
</activation>
<iteration>0</iteration>
<iterationToken/>
<inducement id="1">
<construction>
<resourceRef oid="41746865-6e61-1000-0001-000000000001" relation="org:default" type="c:ResourceType"/>
<kind>entitlement</kind>
<intent>group</intent>
</construction>
</inducement>
<inducement id="2">
<construction>
<resourceRef oid="41746865-6e61-1000-0001-000000000001" relation="org:default" type="c:ResourceType"/>
<kind>account</kind>
<intent>default</intent>
<association>
<c:ref>ri:group</c:ref>
<outbound>
<expression>
<associationFromLink xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
<projectionDiscriminator>
<kind>entitlement</kind>
<intent>group</intent>
</projectionDiscriminator>
</associationFromLink>
</expression>
</outbound>
</association>
</construction>
<order>2</order>
</inducement>
</role>
Resource:
<schemaHandling>
<objectType>
<kind>account</kind>
<displayName>User Account</displayName>
<default>true</default>
<objectClass>ri:user</objectClass>
<attribute>
<c:ref>ri:dn</c:ref>
<displayName>Distinguished Name</displayName>
<limitations>
<access>
<read>true</read>
<add>true</add>
<modify>false</modify>
</access>
</limitations>
<tolerant>false</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<authoritative>false</authoritative>
<exclusive>false</exclusive>
<strength>weak</strength>
<source>
<c:path>$user/fullName</c:path>
</source>
<expression>
<script xsi:type="c:ScriptExpressionEvaluatorType">
<code>
'CN=' + fullName + iterationToken + ',OU=Users,OU=AGORA-T PREPROD,DC=users,DC=pprod,DC=agorat,DC=local'
</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<c:ref>ri:sAMAccountName</c:ref>
<limitations>
<access>
<read>true</read>
<add>true</add>
<modify>false</modify>
</access>
</limitations>
<matchingRule xmlns:gen730="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen730:stringIgnoreCase</matchingRule>
<tolerant>false</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<authoritative>false</authoritative>
<exclusive>false</exclusive>
<strength>weak</strength>
<source>
<c:path>$user/name</c:path>
</source>
</outbound>
</attribute>
<attribute>
<c:ref>ri:cn</c:ref>
<limitations>
<minOccurs>0</minOccurs>
</limitations>
<tolerant>false</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<authoritative>false</authoritative>
<exclusive>false</exclusive>
<strength>weak</strength>
<source>
<c:path>fullName</c:path>
</source>
</outbound>
</attribute>
<attribute>
<c:ref>ri:sn</c:ref>
<limitations>
<minOccurs>0</minOccurs>
</limitations>
<outbound>
<source>
<c:path>familyName</c:path>
</source>
</outbound>
</attribute>
<attribute>
<c:ref>ri:givenName</c:ref>
<outbound>
<source>
<c:path>givenName</c:path>
</source>
</outbound>
</attribute>
<attribute>
<c:ref>ri:userPrincipalName</c:ref>
<outbound>
<source>
<c:path>$user/name</c:path>
</source>
<expression>
<script xsi:type="c:ScriptExpressionEvaluatorType">
<code>
name + iterationToken + '@pprod.agora-t.net'
</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<c:ref>ri:pwdLastSet</c:ref>
<outbound>
<expression>
<value xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:long">-1</value>
</expression>
</outbound>
</attribute>
<attribute>
<c:ref>ri:createTimeStamp</c:ref>
<fetchStrategy>explicit</fetchStrategy>
</attribute>
<attribute>
<c:ref>ri:nTSecurityDescriptor</c:ref>
<limitations>
<minOccurs>0</minOccurs>
</limitations>
</attribute>
<attribute>
<c:ref>ri:instanceType</c:ref>
<limitations>
<minOccurs>0</minOccurs>
</limitations>
</attribute>
<attribute>
<c:ref>ri:objectCategory</c:ref>
<limitations>
<minOccurs>0</minOccurs>
</limitations>
<outbound>
<expression>
<value>CN=Person,CN=Schema,CN=Configuration,DC=users,DC=pprod,DC=agorat,DC=local</value>
</expression>
</outbound>
</attribute>
<attribute>
<c:ref>ri:displayName</c:ref>
<tolerant>false</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<authoritative>false</authoritative>
<exclusive>false</exclusive>
<strength>normal</strength>
<source>
<c:path>$user/givenName</c:path>
</source>
<source>
<c:path>$user/familyName</c:path>
</source>
<expression>
<script xsi:type="c:ScriptExpressionEvaluatorType">
<code>
(givenName + '.' + familyName).toString().toLowerCase()
</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<c:ref>ri:mail</c:ref>
<outbound>
<source>
<c:path>$user/emailAddress</c:path>
</source>
</outbound>
</attribute>
<association>
<c:ref>ri:group</c:ref>
<displayName>AD Group Membership</displayName>
<kind>entitlement</kind>
<intent>group</intent>
<direction>objectToSubject</direction>
<associationAttribute>ri:member</associationAttribute>
<valueAttribute>ri:dn</valueAttribute>
<shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
<shortcutValueAttribute>ri:dn</shortcutValueAttribute>
<explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
<activation>
<administrativeStatus>
<outbound/>
</administrativeStatus>
</activation>
<credentials>
<password>
<outbound/>
</password>
</credentials>
</objectType>
<objectType>
<kind>entitlement</kind>
<intent>group</intent>
<displayName>Athena Groups</displayName>
<default>true</default>
<objectClass>ri:group</objectClass>
<attribute>
<c:ref>ri:dn</c:ref>
<tolerant>false</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<authoritative>true</authoritative>
<exclusive>false</exclusive>
<strength>normal</strength>
<source>
<c:path>$focus/name</c:path>
</source>
<expression>
<script xsi:type="c:ScriptExpressionEvaluatorType">
<code>
'CN=' + name + ',OU=Groups,OU=AGORA-T PREPROD,DC=users,DC=pprod,DC=agorat,DC=local'
</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<c:ref>ri:cn</c:ref>
<tolerant>false</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<authoritative>true</authoritative>
<exclusive>false</exclusive>
<strength>normal</strength>
<source>
<c:path>$focus/name</c:path>
</source>
</outbound>
</attribute>
<attribute>
<c:ref>ri:description</c:ref>
<tolerant>false</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<source>
<c:path>description</c:path>
</source>
</outbound>
</attribute>
<attribute>
<c:ref>ri:member</c:ref>
<displayName>Member</displayName>
<tolerant>false</tolerant>
<exclusiveStrong>false</exclusiveStrong>
</attribute>
<attribute>
<c:ref>ri:groupType</c:ref>
<tolerant>false</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<expression>
<value>-2147483646</value>
</expression>
</outbound>
</attribute>
<attribute>
<c:ref>ri:sAMAccountName</c:ref>
<tolerant>false</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<authoritative>true</authoritative>
<exclusive>false</exclusive>
<strength>normal</strength>
<source>
<c:path>$focus/name</c:path>
</source>
</outbound>
</attribute>
</objectType>
</schemaHandling>
<capabilities>
<cachingMetadata>
<retrievalTimestamp>2017-10-03T08:28:33.067Z</retrievalTimestamp>
<serialNumber>2af0af9006ddad16-bd8b78664df70159</serialNumber>
</cachingMetadata>
<native xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3" xsi:type="c:CapabilityCollectionType">
<cap:schema/>
<cap:liveSync/>
<cap:testConnection/>
<cap:create/>
<cap:read/>
<cap:update/>
<cap:delete/>
<cap:script>
<cap:host>
<cap:type>resource</cap:type>
</cap:host>
<cap:host>
<cap:type>connector</cap:type>
</cap:host>
</cap:script>
<cap:addRemoveAttributeValues/>
<cap:activation>
<cap:status/>
</cap:activation>
<cap:credentials>
<cap:password>
<cap:returnedByDefault>false</cap:returnedByDefault>
</cap:password>
</cap:credentials>
<cap:auxiliaryObjectClasses/>
<cap:pagedSearch/>
</native>
<configured xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3" xsi:type="c:CapabilityCollectionType">
<cap:liveSync>
<cap:enabled>true</cap:enabled>
</cap:liveSync>
<cap:testConnection>
<cap:enabled>true</cap:enabled>
</cap:testConnection>
<cap:create>
<cap:enabled>true</cap:enabled>
</cap:create>
<cap:read>
<cap:enabled>true</cap:enabled>
</cap:read>
<cap:update>
<cap:enabled>true</cap:enabled>
</cap:update>
<cap:delete>
<cap:enabled>true</cap:enabled>
</cap:delete>
<cap:script>
<cap:enabled>true</cap:enabled>
<cap:host>
<cap:type>resource</cap:type>
</cap:host>
<cap:host>
<cap:type>connector</cap:type>
</cap:host>
</cap:script>
<cap:addRemoveAttributeValues>
<cap:enabled>true</cap:enabled>
</cap:addRemoveAttributeValues>
<cap:activation>
<cap:enabled>true</cap:enabled>
<cap:status>
<cap:enabled>true</cap:enabled>
<cap:returnedByDefault>true</cap:returnedByDefault>
<cap:ignoreAttribute>true</cap:ignoreAttribute>
</cap:status>
<cap:validFrom>
<cap:enabled>false</cap:enabled>
<cap:returnedByDefault>false</cap:returnedByDefault>
</cap:validFrom>
<cap:validTo>
<cap:enabled>false</cap:enabled>
<cap:returnedByDefault>false</cap:returnedByDefault>
</cap:validTo>
<cap:lockoutStatus>
<cap:enabled>false</cap:enabled>
<cap:returnedByDefault>false</cap:returnedByDefault>
<cap:ignoreAttribute>true</cap:ignoreAttribute>
</cap:lockoutStatus>
</cap:activation>
<cap:credentials>
<cap:enabled>true</cap:enabled>
<cap:password>
<cap:enabled>true</cap:enabled>
<cap:returnedByDefault>false</cap:returnedByDefault>
</cap:password>
</cap:credentials>
<cap:auxiliaryObjectClasses>
<cap:enabled>true</cap:enabled>
</cap:auxiliaryObjectClasses>
</configured>
</capabilities>
<scripts>
<script>
<host>resource</host>
<language>powershell</language>
<argument>
<c:path xsi:type="t:ItemPathType">$user/name</c:path>
<name>identity</name>
</argument>
<code>powershell "D:\midpoint\create-certificate\create-certificate.ps1 $identity"</code>
<operation>add</operation>
<kind>account</kind>
<order>after</order>
</script>
</scripts>
<synchronization>
<objectSynchronization>
<name>Account sync</name>
<objectClass>ri:user</objectClass>
<kind>account</kind>
<intent>default</intent>
<focusType>c:UserType</focusType>
<enabled>true</enabled>
<correlation>
<q:equal>
<q:path>c:name</q:path>
<expression xmlns="">
<path>$user/sAMAccountName</path>
</expression>
</q:equal>
</correlation>
<reconcile>false</reconcile>
<opportunistic>true</opportunistic>
<reaction>
<situation>linked</situation>
<synchronize>true</synchronize>
<reconcile>false</reconcile>
</reaction>
<reaction>
<situation>deleted</situation>
<reconcile>false</reconcile>
<action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink">
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteFocus</handlerUri>
</action>
</reaction>
<reaction>
<situation>unlinked</situation>
<reconcile>false</reconcile>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
</action>
</reaction>
<reaction>
<situation>unmatched</situation>
<channel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</channel>
<synchronize>true</synchronize>
<reconcile>false</reconcile>
<objectTemplateRef oid="41746865-6e61-9001-0000-000000000010" type="c:ObjectTemplateType">
<targetName>Athena User Template</targetName>
</objectTemplateRef>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
</action>
</reaction>
</objectSynchronization>
<objectSynchronization>
<name>Athena Transversal Group sync</name>
<objectClass>ri:group</objectClass>
<kind>entitlement</kind>
<intent>group</intent>
<focusType>c:RoleType</focusType>
<enabled>true</enabled>
<correlation>
<q:equal>
<q:path>c:name</q:path>
<expression>
<path>$shadow/attributes/cn</path>
</expression>
</q:equal>
</correlation>
<reconcile>false</reconcile>
<reaction>
<situation>linked</situation>
<synchronize>true</synchronize>
<reconcile>false</reconcile>
</reaction>
<reaction>
<situation>deleted</situation>
<reconcile>false</reconcile>
<action/>
</reaction>
<reaction>
<situation>unlinked</situation>
<reconcile>false</reconcile>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
</action>
</reaction>
<reaction>
<situation>unmatched</situation>
<reconcile>false</reconcile>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
</action>
</reaction>
</objectSynchronization>
</synchronization>
</resource>
--
Cordialement.