[midPoint] New user receives role but inducement doesn't apply until the user is recomputed

Colin Foley caf209 at lehigh.edu
Wed Jul 24 21:09:23 CEST 2019


Hi there,

We have set up inducement to Active Directory through the use of a role. We
have group synchronization enabled and for existing shadows in AD
everything seems to be working (group changes reflected etc). But,
projections aren't automatically created for new midPoint users despite our
role with the inducement to the resource.

When viewing one of the newly created users, they have the correct
assignment to the role, but they are missing their roleMembershipRef
attribute for the role.

Additionally, we receive the following warning when the user is initially
created:
2019-07-24 14:14:50,664 [] [pool-6-thread-59] WARN
(com.evolveum.midpoint.report.impl.ReportManagerImpl): Probably invalid
projection context: both old and new objects are null

When we save the user with Force/Reconcile or we make a change to the user,
their projection in AD is created. Although, we do receive this warning:
2019-07-24 14:57:01,945 [] [pool-6-thread-64] WARN
(com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor):
Can't do reconciliation. Account context doesn't contain current version of
account.

We have another role with an inducement to a resource that works as
expected: new users are given projections into the resource during creation.

Lastly, in the GUI during the creation of the user with Keep Results
Displayed, it lists our Account (default) on Active Directory (AD LDAP) as
an item, but it is the only entry in the table that doesn't get a green
check-mark under Status and there is no corresponding "Resource object (if
applicable)" entry.

Has anyone encountered something similar or can anyone provide guidance on
how to troubleshoot?

-- 
Colin A Foley, CISSP
Information Security Architect
(610) 758-3072