[midPoint] New user receives role but inducement doesn't apply until the user is recomputed

Colin Foley caf209 at lehigh.edu
Wed Jul 24 22:03:37 CEST 2019


Update:

If a new user is created without qualifying for the role, they don't get
the role. If they acquire the correct attributes to get the role, they
appear to have the assignment of the role, but the projection never follows
(as described in the first message). However, if we have a user that
doesn't qualify for the role, and we manually assign them the role, they
receive the role and a projection into the resource, as expected.

All that to say that the automated assignment of the role and projection to
the resource is not working, but manual assignment is fine.

On Wed, Jul 24, 2019 at 3:09 PM Colin Foley <caf209 at lehigh.edu> wrote:

> Hi there,
>
> We have set up inducement to Active Directory through the use of a role.
> We have group synchronization enabled and for existing shadows in AD
> everything seems to be working (group changes reflected etc). But,
> projections aren't automatically created for new midPoint users despite our
> role with the inducement to the resource.
>
> When viewing one of the newly created users, they have the correct
> assignment to the role, but they are missing their roleMembershipRef
> attribute for the role.
>
> Additionally, we receive the following warning when the user is initially
> created:
> 2019-07-24 14:14:50,664 [] [pool-6-thread-59] WARN
> (com.evolveum.midpoint.report.impl.ReportManagerImpl): Probably invalid
> projection context: both old and new objects are null
>
> When we save the user with Force/Reconcile or we make a change to the
> user, their projection in AD is created, although we do receive this
> warning:
> 2019-07-24 14:57:01,945 [] [pool-6-thread-64] WARN
> (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor):
> Can't do reconciliation. Account context doesn't contain current version of
> account.
>
> We have another role with an inducement to a resource that works as
> expected: new users are given projections into the resource during creation.
>
> Lastly, in the GUI during the creation of the user with Keep Results
> Displayed, it lists our Account (default) on Active Directory (AD LDAP) as
> an item, but it is the only entry in the table that doesn't get a green
> check-mark under Status and there is no corresponding "Resource object (if
> applicable)" entry.
>
> Has anyone encountered something similar or can anyone provide guidance on
> how to troubleshoot?
>
> --
> Colin A Foley, CISSP
> Information Security Architect
> (610) 758-3072
>


-- 
Colin A Foley, CISSP
Information Security Architect
(610) 758-3072