From arnost.starosta at ami.cz  Mon Jun  1 11:21:21 2020
From: arnost.starosta at ami.cz (=?UTF-8?Q?Arno=C5=A1t_Starosta_=2D_AMI_Praha_a=2Es=2E?=)
Date: Mon, 1 Jun 2020 11:21:21 +0200
Subject: [midPoint] User password expiration notifications
In-Reply-To: <1571258943.5625264.1590690454759.JavaMail.zimbra@csolutions.lv>
References: <24589014.5114809.1590396903451.JavaMail.zimbra@csolutions.lv>
 <CAPXQVkema8VDymG5goPwSDV3yqKSD7mdRV-Bs2i=6QwvcW45OQ@mail.gmail.com>
 <1426186010.5610618.1590674779755.JavaMail.zimbra@csolutions.lv>
 <c02929a9-b061-2103-5c81-4bc7032b51d0@evolveum.com>
 <1571258943.5625264.1590690454759.JavaMail.zimbra@csolutions.lv>
Message-ID: <CAGPA3FLbMNwj5dj=JNi=NBpRiKJKrgxATND3TO4DJFjs7kGfmw@mail.gmail.com>

Hi Vladislavs,

all schema files seem to be part of the source code, the UserType is right
here

https://github.com/Evolveum/midpoint/blob/master/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

and the rest is somewhere nearby in
http://midpoint/infra/schema/src/main/resources/xml/ns/

I check these all the time for reference.

arnost

čt 28. 5. 2020 v 20:27 odesílatel Vladislavs Filipciks <
vladislavs.filipciks at csolutions.lv> napsal:

> Hello.
>
> Thanks for reply.
>
> Maybe it's possible to extend user schema and map modifyTimestamp to the
> new property? What type activation/validFrom has, is it xsd:date?
> btw, how can i find entire xml schema for user object?
>
> Thanks
>
> *Vladislavs Fiļipčiks*
>
> +371 6784 7766
>
> *SIA “Corporate Solutions”*
>
> Pērnavas 43A-9, Rīga, LV-1009
>
> www.csolutions.lv
>
>
> Šis e-pasts un tā pielikumā esošie dokumenti var saturēt ierobežotas
> pieejamības informāciju, cita starpā fizisko personu datus, kas adresēta
> tikai tā saņēmējam un izmantojama tikai leģitīmiem mērķiem. Ja esat saņēmis
> šo e-pastu kļūdas dēļ, vai nav pamatota mērķa ierobežotas pieejamības
> informācijas, cita starpā fizisko personu datu, apstrādei, Jums nav tiesību
> izmantot vai pārsūtīt šajā e-pastā un tam pievienotajos dokumentos ietverto
> informāciju. Šādā gadījumā nekavējoties neatgriezeniski izdzēsiet šo
> e-pastu.
>
> ------------------------------
> *From: *"Pavol Mederly" <mederly at evolveum.com>
> *To: *"midpoint" <midpoint at lists.evolveum.com>
> *Sent: *Thursday, 28 May, 2020 17:38:40
> *Subject: *Re: [midPoint] User password expiration notifications
>
> Hello Vladislavs,
>
> this is not yet supported. A related case is to be implemented in 4.2 (for
> createTimestamp).
>
> https://jira.evolveum.com/browse/MID-4575
>
> I am not sure if the implementation will deal with modifyTimestamp as well.
>
> Best regards,
>
> Pavol Mederly
> Software developerevolveum.com
>
> On 28/05/2020 16:06, Vladislavs Filipciks wrote:
>
> I've tried Your example with activation/validTo propery, and it works fine.
> When I use credentials/password/metadata/modifyTimestamp in Query
> playground, I got an error:
>
> Couldn't find a proper data item to query, given base entity Ent:RUser
> (jaxb=UserType) and this filter: LESS:
>   PATH: credentials/password/metadata/modifyTimestamp
>   DEF: PPD:{.../common/common-3}modifyTimestamp
> {xsd:}dateTime[0,1],RAM,oper,I
>   VALUE:
>     2020-06-12T16:55:32.120+03:00
>
> query is:
>
> <query>
>     <filter>
>        <less>
>           <path>credentials/password/metadata/modifyTimestamp</path>
>           <expression>
>              <script>
>                 <code>
>                    import javax.xml.datatype.DatatypeFactory;
> calendar = basic.currentDateTime().toGregorianCalendar();
> calendar.add(Calendar.DAY_OF_MONTH, +15);
> xmldate = DatatypeFactory.newInstance().newXMLGregorianCalendar(calendar);
> return xmldate;
>                 </code>
>              </script>
>           </expression>
>        </less>
>     </filter>
> </query>
>
> ------------------------------
> *From: *"Pálos Gustáv" <gustav.palos at gmail.com> <gustav.palos at gmail.com>
> *To: *"midpoint" <midpoint at lists.evolveum.com>
> <midpoint at lists.evolveum.com>
> *Sent: *Monday, 25 May, 2020 12:48:19
> *Subject: *Re: [midPoint] User password expiration notifications
>
> Hi Vladislavs,
> please see:
> https://evolveum.com/how-to-notify-future-account-expiration/
>
> Best regards,
>
> Gustav
>
> po 25. 5. 2020 o 10:55 Vladislavs Filipciks <
> vladislavs.filipciks at csolutions.lv> napísal(a):
>
>> Hello,
>>
>> does MidPoint have any functionality to notify user about soon expiring
>> password, that it should be changed?
>> I found possibility to notify user by e-mail about new password generated
>> for him, but how to handle notification about expiring password? I didn't
>> find any examples or topic in documentation for that.
>>
>> Thank You in advance.
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
>
> --
> s pozdravom
> Gustáv Pálos
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>


-- 

*Arnošt Starosta*
solution architect

gsm: [+420] 603 794 932
e‑mail: arnost.starosta at ami.cz

*AMI Praha a.s.*
Pláničkova 11, 162 00 Praha 6

tel.: [+420] 274 783 239 | web: www.ami.cz

[image: AMI Praha a.s.]

Textem tohoto e‑mailu podepisující neslibuje uzavřít ani neuzavírá
za společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.

Tento e‑mail je určen výhradně pro potřeby jeho adresáta/ů a může obsahovat
důvěrné nebo osobní
informace. Nejste‑li zamýšleným příjemcem, je zakázáno jakékoliv
zveřejňování, zprostředkování
nebo jiné použití těchto informací. Pokud jste obdrželi e‑mail neoprávněně,
informujte o tom prosím
odesílatele a vymažte neprodleně všechny kopie tohoto e‑mailu včetně
všech jeho příloh. Nakládáním
s neoprávněně získanými informacemi se vystavujete riziku právního postihu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200601/c59f9561/attachment.htm>

From jan.minarciny at pan-net.eu  Mon Jun  1 12:43:23 2020
From: jan.minarciny at pan-net.eu (Minarciny, Jan)
Date: Mon, 1 Jun 2020 10:43:23 +0000
Subject: [midPoint] Custom Form elements
Message-ID: <1591008203408.30930@pan-net.eu>

Hi all,


have any of you successfully configured a custom form (https://wiki.evolveum.com/display/midPoint/Custom+forms) to include select with options, buttons with custom functions or anything other than just simple input fields with labels? I didn't find anything in previous mailing lists, wiki, jira or the samples.


Thanks for any feedback!


Regards,

Johny
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200601/4bcbc991/attachment.htm>

From anton.shchenev at beeper.ru  Mon Jun  1 15:33:15 2020
From: anton.shchenev at beeper.ru (=?utf-8?B?0KnQtdC90LXQsiDQkNC90YLQvtC9INCS0Y/Rh9C10YHQu9Cw0LLQvtCy0Lg=?= =?utf-8?B?0Yc=?=)
Date: Mon, 1 Jun 2020 13:33:15 +0000
Subject: [midPoint] Winrm credssp
Message-ID: <651689E53CC19841968296084942E1E849E89D4B@ekt-asbt-mxs001.beeper.ru>

Hello,
Strange error I got when used credssp authentication scheme .

Exception occurred while making winrm call <javascript:;>
Parts of log file:
Caused by: javax.xml.ws.WebServiceException: org.apache.cxf.binding.soap.SoapFault: Error reading XMLStreamReader: Unexpected EOF in prolog
at [row,col {unknown-source}]: [1,0]
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:159)

Why is there a proxy client?

Where to dig?
Ver.4.0.1


С уважением,
Щенев Антон
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200601/efe7d207/attachment.htm>

From chris at cmwoods.com  Mon Jun  1 21:36:33 2020
From: chris at cmwoods.com (Chris Woods)
Date: Mon, 01 Jun 2020 21:36:33 +0200
Subject: [midPoint] Custom Form elements
In-Reply-To: <1591008203408.30930@pan-net.eu>
References: <1591008203408.30930@pan-net.eu>
Message-ID: <1727162b1e8.278b.b31242745c19d1e738abf173820fc831@cmwoods.com>

Hi Johny,

We did it for our PoC. Here are some examples:

https://github.com/Evolveum/midpoint-overlay-example

Some of the code may need updating for 4.1 though.

Regards,
Chris

Am 1. Juni 2020 12:43:35 schrieb "Minarciny, Jan" <jan.minarciny at pan-net.eu>:
> Hi all,
>
>
>
>
>
> have any of you successfully configured a custom form 
> (https://wiki.evolveum.com/display/midPoint/Custom+forms) to include select 
> with options, buttons with custom functions or anything other than just 
> simple input fields with labels? I didn't find anything in previous mailing 
> lists, wiki, jira or the samples.
>
>
>
>
>
> Thanks for any feedback!
>
>
>
>
>
> Regards,
>
>
> Johny
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200601/50eaad07/attachment.htm>

From anton.shchenev at beeper.ru  Tue Jun  2 07:38:15 2020
From: anton.shchenev at beeper.ru (=?utf-8?B?0KnQtdC90LXQsiDQkNC90YLQvtC9INCS0Y/Rh9C10YHQu9Cw0LLQvtCy0Lg=?= =?utf-8?B?0Yc=?=)
Date: Tue, 2 Jun 2020 05:38:15 +0000
Subject: [midPoint] Winrm credssp
Message-ID: <651689E53CC19841968296084942E1E849E89D98@ekt-asbt-mxs001.beeper.ru>

Ok,
Perhaps the problem is that the request looks like this

https://myserver.example.com:5986/wsman(it is formed by midpoint according to the settings: host - myserver.example.com, port - 5986)

of course it returns empty
How to fix it so that the request looks correct: https://myserver.example.com/wsman:5986 ?




С уважением,
Щенев Антон


From: Щенев Антон Вячеславович
Sent: Monday, June 01, 2020 6:33 PM
To: 'midpoint at lists.evolveum.com'
Subject: Winrm credssp

Hello,
Strange error I got when used credssp authentication scheme .

Exception occurred while making winrm call <javascript:;>
Parts of log file:
Caused by: javax.xml.ws.WebServiceException: org.apache.cxf.binding.soap.SoapFault: Error reading XMLStreamReader: Unexpected EOF in prolog
at [row,col {unknown-source}]: [1,0]
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:159)

Why is there a proxy client?

Where to dig?
Ver.4.0.1


С уважением,
Щенев Антон
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200602/3ead750a/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1457 bytes
Desc: image001.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200602/3ead750a/attachment.png>

From anton.shchenev at beeper.ru  Tue Jun  2 08:09:14 2020
From: anton.shchenev at beeper.ru (=?utf-8?B?0KnQtdC90LXQsiDQkNC90YLQvtC9INCS0Y/Rh9C10YHQu9Cw0LLQvtCy0Lg=?= =?utf-8?B?0Yc=?=)
Date: Tue, 2 Jun 2020 06:09:14 +0000
Subject: [midPoint] Winrm credssp
Message-ID: <651689E53CC19841968296084942E1E849E89DD0@ekt-asbt-mxs001.beeper.ru>

I’m wrong
Midpoint forms a link correctly




С уважением,
Щенев Антон
Ведущий инженер по ИБ BEEPER
тел. +7 (343) 300-00-11, доб. 3392

From: Щенев Антон Вячеславович
Sent: Tuesday, June 02, 2020 10:38 AM
To: 'midpoint at lists.evolveum.com'
Subject: RE: Winrm credssp

Ok,
Perhaps the problem is that the request looks like this

https://myserver.example.com:5986/wsman(it is formed by midpoint according to the settings: host - myserver.example.com, port - 5986)

of course it returns empty
How to fix it so that the request looks correct: https://myserver.example.com/wsman:5986 ?




С уважением,
Щенев Антон

From: Щенев Антон Вячеславович
Sent: Monday, June 01, 2020 6:33 PM
To: 'midpoint at lists.evolveum.com'
Subject: Winrm credssp

Hello,
Strange error I got when used credssp authentication scheme .

Exception occurred while making winrm call <javascript:;>
Parts of log file:
Caused by: javax.xml.ws.WebServiceException: org.apache.cxf.binding.soap.SoapFault: Error reading XMLStreamReader: Unexpected EOF in prolog
at [row,col {unknown-source}]: [1,0]
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:159)

Why is there a proxy client?

Where to dig?
Ver.4.0.1


С уважением,
Щенев Антон
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200602/656b99fc/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1457 bytes
Desc: image001.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200602/656b99fc/attachment.png>

From kir.blood at gmail.com  Wed Jun  3 15:21:30 2020
From: kir.blood at gmail.com (kir.blood at gmail.com)
Date: Wed, 3 Jun 2020 16:21:30 +0300
Subject: [midPoint] CSV connector - exception during import
Message-ID: <CAAvM5gRysT+J7DQpqNXeWVPF6+gP1NGpj30kyioHp7-NYLOC9w@mail.gmail.com>

Hi all,
I use docker image `evolveum/midpoint:4.1`. When I try to import user from
csv resource, I get a error 'Value of attribute '__NAME__' must be a single
value, but it has nullvalues'. But ri:Number that represent __NAME__ is not
null. I used different csv files with different formats, but I got this
error in all cases.
I have attached resource XML, CSV file and logs.
I will really appreciate if anyone help me with this issue.
Regards,
Kirill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200603/673a904b/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: resource-hr_feed.xml
Type: text/xml
Size: 26241 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200603/673a904b/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hr_feed.csv
Type: application/vnd.ms-excel
Size: 358 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200603/673a904b/attachment.xlb>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: midpoint.log
Type: application/octet-stream
Size: 108721 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200603/673a904b/attachment.obj>

From ivan.noris at evolveum.com  Wed Jun  3 15:55:34 2020
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Wed, 3 Jun 2020 15:55:34 +0200
Subject: [midPoint] CSV connector - exception during import
In-Reply-To: <CAAvM5gRysT+J7DQpqNXeWVPF6+gP1NGpj30kyioHp7-NYLOC9w@mail.gmail.com>
References: <CAAvM5gRysT+J7DQpqNXeWVPF6+gP1NGpj30kyioHp7-NYLOC9w@mail.gmail.com>
Message-ID: <62bad3fa-6456-baf1-31b3-15030972632a@evolveum.com>

Hi Kirill,

my first bet would be that you are using <tolerant>false</tolerant> for
your mappings, at least for the one corresponding to the resource
account identifier.

And that makes midPoint to try to delete the value of such attribute.

You should not use tolerant false unless you know what you are doing.


Best regards,

Ivan

On 3. 6. 2020 15:21, kir.blood at gmail.com wrote:
> Hi all,
> I use docker image `evolveum/midpoint:4.1`. When I try to import user
> from csv resource, I get a error 'Value of attribute '__NAME__' must
> be a single value, but it has nullvalues'. But ri:Number that
> represent __NAME__ is not null. I used different csv files with
> different formats, but I got this error in all cases.
> I have attached resource XML, CSV file and logs.
> I will really appreciate if anyone help me with this issue.
> Regards,
> Kirill
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200603/50392a7d/attachment.htm>

From Konstantin.Tikhonov at veeam.com  Wed Jun  3 23:18:12 2020
From: Konstantin.Tikhonov at veeam.com (Konstantin Tikhonov)
Date: Wed, 3 Jun 2020 21:18:12 +0000
Subject: [midPoint] Error 500: Error attaching this container for rendering
Message-ID: <CY4PR14MB1238E5489EF778E135546091F6880@CY4PR14MB1238.namprd14.prod.outlook.com>

Hello Colleagues.

I added one more object type in Scheme Handling section in GUI for Active Directory resource, then clicked "Save and visualize", got the error related to DOT. And after that each time when I'm trying to open Active Directory resource in GUI I always get the error:

org.apache.wicket.WicketRuntimeException: Error attaching this container for rendering: [Page class = com.evolveum.midpoint.web.page.admin.resources.PageResource, id = 128, render count = 1]

Attached the screenshot with it.

Could you please advise how can I fix it? Thanks a lot in advance.

--
Best Regards,

Konstantin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200603/d43ae23d/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: MidPoint, 500 error, rendering.png
Type: image/png
Size: 28535 bytes
Desc: MidPoint, 500 error, rendering.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200603/d43ae23d/attachment.png>

From anton.shchenev at beeper.ru  Fri Jun  5 11:39:42 2020
From: anton.shchenev at beeper.ru (=?utf-8?B?0KnQtdC90LXQsiDQkNC90YLQvtC9INCS0Y/Rh9C10YHQu9Cw0LLQvtCy0Lg=?= =?utf-8?B?0Yc=?=)
Date: Fri, 5 Jun 2020 09:39:42 +0000
Subject: [midPoint] Resources: authorization
Message-ID: <651689E53CC19841968296084942E1E849E8A07A@ekt-asbt-mxs001.beeper.ru>

May be anybody needs..


I would like to add the ability to view the configuration
> (“Show using wizard” button)

Need to add this
http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#rawOperation


С уважением,
Щенев Антон
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200605/9d100f32/attachment.htm>

From gugalou38 at gmail.com  Sat Jun  6 02:25:18 2020
From: gugalou38 at gmail.com (Gus Lou)
Date: Fri, 5 Jun 2020 21:25:18 -0300
Subject: [midPoint] No association ldapGroup in object class Normal Account
 in construction in role
Message-ID: <CA+XZjGRDbjVs2p=rBX+Sp0Dminaq97mZn4QYUmjknL99ZM0Z3Q@mail.gmail.com>

Hi Guys

I followed the instructions as described in the link:
https://wiki.evolveum.com/display/midPoint/LDAP+PosixAccount+and+PosixGroup+Management

When I add a role (LDAP Group Wiki Users) inside the metarole (LDAP Group
Metarole), the group (wiki-users) is successfully created in openldap

But when I add a user (jsmith) within the role, I get the following
midpoint error:

*No association ldapGroup in object class Normal Account in construction in
role*

Note: I am able to create an account normally in openldap through midpoint
when I assign the user to openladp resource.

Does anyone have any idea what it could be this error?

I want to understand this process in OpenLdap to try replicate in Active
Directory (like this:
https://lists.evolveum.com/pipermail/midpoint/2014-January/000214.html)

Regards
Gus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200605/11bbccd1/attachment.htm>

From Konstantin.Tikhonov at veeam.com  Sun Jun  7 22:43:06 2020
From: Konstantin.Tikhonov at veeam.com (Konstantin Tikhonov)
Date: Sun, 7 Jun 2020 20:43:06 +0000
Subject: [midPoint] Error 500: Error attaching this container for
 rendering
In-Reply-To: <CY4PR14MB1238E5489EF778E135546091F6880@CY4PR14MB1238.namprd14.prod.outlook.com>
References: <CY4PR14MB1238E5489EF778E135546091F6880@CY4PR14MB1238.namprd14.prod.outlook.com>
Message-ID: <CY4PR14MB1238E14AE7F506790A4F4B62F6840@CY4PR14MB1238.namprd14.prod.outlook.com>

Hello.

Managed to fix the problem. When I added the new object type I also changed Intent for existent one. And this led to the error. When I changed Intent back the problem was gone.
But how changing Intent can be related to an error with rendering kept unclear for me. 😊

--
Best Regards,

Konstantin

From: Konstantin Tikhonov
Sent: Thursday, June 4, 2020 12:18 AM
To: midPoint General Discussion
Subject: Error 500: Error attaching this container for rendering

Hello Colleagues.

I added one more object type in Scheme Handling section in GUI for Active Directory resource, then clicked “Save and visualize”, got the error related to DOT. And after that each time when I’m trying to open Active Directory resource in GUI I always get the error:

org.apache.wicket.WicketRuntimeException: Error attaching this container for rendering: [Page class = com.evolveum.midpoint.web.page.admin.resources.PageResource, id = 128, render count = 1]

Attached the screenshot with it.

Could you please advise how can I fix it? Thanks a lot in advance.

--
Best Regards,

Konstantin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200607/8a099dcf/attachment.htm>

From Konstantin.Tikhonov at veeam.com  Sun Jun  7 23:30:19 2020
From: Konstantin.Tikhonov at veeam.com (Konstantin Tikhonov)
Date: Sun, 7 Jun 2020 21:30:19 +0000
Subject: [midPoint] Using CSV resource for accounts import and management of
 them inside midPoint
Message-ID: <CY4PR14MB12380D3A1C57627BD2D6D7BDF6840@CY4PR14MB1238.namprd14.prod.outlook.com>

Hello Colleagues.

We have the following task: a system exports a list of its accounts to a CSV file, then midPoint imports the list and after that an administrator assigns the accounts to users in midPoint or assignment can be done in some automatic way. I could find mention of similar functionality in Semi-Manual resource description<https://wiki.evolveum.com/display/midPoint/Manual+Resource+and+ITSM+Integration> only. But the document doesn't describe how this should be configured in midPoint.

I tried to find it out myself. I created a CSV resource and saw accounts from CSV file but the accounts appeared only in the Resource section of the CSV resource (screenshot attached), no any mention of them in the Repository section. And when I tried to Change Owner for any of the accounts I got the error "No projection definition for kind=UNKNOWN intent=unknown in resource:3b21495d-cc1d-47a8-8f7a-e1f1a02d2c24(Test CSV System 1)".

Could you please let me know what I do wrong? And what are the main steps in midPoint to solve this task?

Thanks a lot in advance.

--
Best Regards,

Konstantin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200607/e6591ce6/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: midPoint, accounts in CSV resource.png
Type: image/png
Size: 54197 bytes
Desc: midPoint, accounts in CSV resource.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200607/e6591ce6/attachment.png>

From midpoint at tomseeley.co.uk  Mon Jun  8 17:53:00 2020
From: midpoint at tomseeley.co.uk (Tom Seeley)
Date: Mon, 08 Jun 2020 16:53:00 +0100
Subject: [midPoint] Impiled Account Entitlements
Message-ID: <20200608165300.Horde.C5X5GX3ztYDZKVrTgS4TcTm@tomseeley.co.uk>

Hi

Is this still accurate:

https://wiki.evolveum.com/display/midPoint/Roles+and+Policies+Configuration#RolesandPoliciesConfiguration-ImpliedAccountEntitlements

Specifically:

   "Work in progress

   Entitlements are still work in progress. This section describe  
design of a feature that will be
   implemented in later midPoint releases."

ie this isn't a feature at present?


Also that page says at the top:

"This page contains macros or features from a plugin which requires a  
valid license."

But then doesn't say which feature or macro.  Can that be made clear please?

Regards,

Tom.



From gugalou38 at gmail.com  Tue Jun  9 14:55:13 2020
From: gugalou38 at gmail.com (Gus Lou)
Date: Tue, 9 Jun 2020 09:55:13 -0300
Subject: [midPoint] No association ldapGroup in object class Normal Account
 in construction in role
Message-ID: <CA+XZjGQ7RbVp4Lo8_WqEjPWpDmMrfMnB2i3FQjSygb9gSXaHKg@mail.gmail.com>

Hi Guys

I followed the guidelines in the link below and managed to achieve the
objectives:

https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO

The midpoint is very powerful

Best regards

Gus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200609/0a3ffa28/attachment.htm>

From slavek.licehammer at evolveum.com  Fri Jun 12 14:38:30 2020
From: slavek.licehammer at evolveum.com (Slavek Licehammer)
Date: Fri, 12 Jun 2020 14:38:30 +0200
Subject: [midPoint] Blog: MidPrivacy Features Survey
Message-ID: <b2b5a4f5-b063-f6d4-5f78-ee2fcc7d4dbc@evolveum.com>

Dear midPoint community,

midPrivacy project <https://docs.evolveum.com/midpoint/midprivacy/> is moving forward at a steady pace. Even though the main effort is still aimed towards the project’s fundamental foundation like Axiom <https://docs.evolveum.com/midpoint/midprivacy/phases/01-data-provenance-prototype/axiom/>, we are getting to the phase of first experiments on simple use cases. That will eventually lead to tests on more realistic use cases which will consequently lead to new features for midPoint.

The scope of midPrivacy is vast, and we are well aware of it. We identified use cases and new features for midPoint that fit in midPrivacy scope. During the gathering information about use cases, we discovered that there is not a single one which really stands out among others. That is why we have decided to involve midPoint community to help us steer midPrivacy project and identify the priorities for it. For that, we have prepared a short survey where you can express your interest in some of the features or even comment them with your own thoughts. The result will help us to prioritize which features we should focus on first. Of course, we will have to take into account also technical feasibility as well as as the time required, but will do our best to move towards the way which will be useful for midPoint users.

In case the survey doesn’t cover everything, we would be happy to discuss new ideas, feature suggestion or use cases on midPoint mailing list at midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>.

Thank you all who will take the time to fill in the survey, which is available right here <https://evolveum.limequery.net/572956?lang=en>.

(Reposted from Evolveum blog <https://evolveum.com/data-provenance-milestone-1/>)


-- 
Slavek Licehammer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200612/ff39eeae/attachment.htm>

From atdhe.musliu at zhdk.ch  Sat Jun 13 20:47:54 2020
From: atdhe.musliu at zhdk.ch (Musliu Atdhe)
Date: Sat, 13 Jun 2020 18:47:54 +0000
Subject: [midPoint] Using CSV resource for accounts import and
 management of them inside midPoint
In-Reply-To: <CY4PR14MB12380D3A1C57627BD2D6D7BDF6840@CY4PR14MB1238.namprd14.prod.outlook.com>
References: <CY4PR14MB12380D3A1C57627BD2D6D7BDF6840@CY4PR14MB1238.namprd14.prod.outlook.com>
Message-ID: <1e1f6b24b2fb4d0c91eaef3238b0a347@zhdk.ch>

Hello Konstantin,
Could you send your Resource XML File?
Maybe the Synchronization part is missing or even the SchemaHandling part.

https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling

Best Regards
Atdhe
-
-
Zürcher Hochschule der Künste
Zurich University of the Arts
-
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
--
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com> Im Auftrag von Konstantin Tikhonov
Gesendet: Sunday, 7 June 2020 23:30
An: midPoint General Discussion <midpoint at lists.evolveum.com>
Betreff: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Colleagues.

We have the following task: a system exports a list of its accounts to a CSV file, then midPoint imports the list and after that an administrator assigns the accounts to users in midPoint or assignment can be done in some automatic way. I could find mention of similar functionality in Semi-Manual resource description<https://wiki.evolveum.com/display/midPoint/Manual+Resource+and+ITSM+Integration> only. But the document doesn't describe how this should be configured in midPoint.

I tried to find it out myself. I created a CSV resource and saw accounts from CSV file but the accounts appeared only in the Resource section of the CSV resource (screenshot attached), no any mention of them in the Repository section. And when I tried to Change Owner for any of the accounts I got the error "No projection definition for kind=UNKNOWN intent=unknown in resource:3b21495d-cc1d-47a8-8f7a-e1f1a02d2c24(Test CSV System 1)".

Could you please let me know what I do wrong? And what are the main steps in midPoint to solve this task?

Thanks a lot in advance.

--
Best Regards,

Konstantin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200613/b2dcf05e/attachment.htm>

From pascal.perichon at u-paris.fr  Mon Jun 15 13:42:19 2020
From: pascal.perichon at u-paris.fr (Pascal Perichon)
Date: Mon, 15 Jun 2020 13:42:19 +0200
Subject: [midPoint] bug in reading LDAP attribute sambaPwdLastSet
In-Reply-To: <1e1f6b24b2fb4d0c91eaef3238b0a347@zhdk.ch>
References: <CY4PR14MB12380D3A1C57627BD2D6D7BDF6840@CY4PR14MB1238.namprd14.prod.outlook.com>
 <1e1f6b24b2fb4d0c91eaef3238b0a347@zhdk.ch>
Message-ID: <ca1de136-affa-568a-e73b-93d60fecaaec@u-paris.fr>

hi,

i have in a LDAP an attribute "sambaPwdLastSet" with the value 
"1363792363240".

Midpoint crashed on reading it:

ERROR ConnId Exception java.lang.NumberFormatException in 
connector:9cb79691-944b-40cf-a95c-6f053d4920db(ConnId 
com.evolveum.polygon.connector.ldap.LdapConnector v3.0): 
ConnectorSpec(resource:u75-connecteur-LDAP-U75proxyP7(LDAP proxy P7), 
name=null, oid=9cb79691-944b-40cf-a95c-6f053d4920db): For input string: 
"1363792363240" java.lang.NumberFormatException: For input string: 
"1363792363240

And midpoint stop reading any other LDAP accounts (and this account is 
in the first one)

The definition of sambaPwdLastSet is:

attributeTypes: ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 
'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-SCHEMA-FILE '05-samba.ldif' )

1.3.6.1.4.1.1466.115.121.1.27 => it's an integer.

1363792363240 is too big a java integer... but a valid integer (maybe a 
java type long).

Then I try that :

/            <attribute>//
//                <ref>ri:sambaPwdLastSet</ref>//
//                <limitations>//
//                    <access>//
//                        <read>false</read>//
//                        <add>false</add>//
//                        <modify>false</modify>//
//                    </access>//
//                </limitations>//
//            </attribute>//
/

but with no effect :(

I must let the the schema loading like that :

/    <schema>/
/        <generationConstraints>/
/              .../
/<generateObjectClass>ri:sambaSamAccount</generateObjectClass>/
/              .../
/        </generationConstraints>/
/    </schema>/

because without midpoint shout.

And I didn't have "/sambaSamAccount"/ class in any "auxiliaryObjectClass"

I read a similar problem in 
https://lists.evolveum.com/pipermail/midpoint/2018-February/004493.html... 
and it seems to be a problem in other attributes

*QUESTION : how can I avoid reading this attribute if midpoint can't 
read it ?*

thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200615/90a3990e/attachment.htm>

From mostrovsky at deloitte.com  Tue Jun 16 23:00:40 2020
From: mostrovsky at deloitte.com (Ostrovsky, Matias)
Date: Tue, 16 Jun 2020 21:00:40 +0000
Subject: [midPoint] entitlement-listing-error
Message-ID: <BYAPR85MB03417B26FF580B16EE1D6F3CB49D0@BYAPR85MB0341.NAMPRD85.PROD.OUTLOOK.COM>

Hi,

My team is working on a role repository solution. When trying to add a new inducement as described below...

[cid:image007.png at 01D64406.9D29C060]







Then trying to add the entitlement (Shadow object) defined in App A,

[cid:image008.png at 01D64406.9D29C060]

[cid:image009.png at 01D64406.9D29C060]





The following empty list appears when clicking the add button. And as you can see, the number of objects are shown, but not the object.

[cid:image010.png at 01D64406.9D29C060]





The objects exist in the connector:

[cid:image012.png at 01D64407.C115CEA0]



Reviewing midpoint.log file. The error is...

[cid:image011.png at 01D64406.9D29C060]



So, my cuestion is, Why is this happening? And how can we fix it?
I hope you can help us with this.

Than you for your time, regards.




Matias Ostrovsky
Consultant | Cyber Risk Services | Risk Advisory
Deloitte & Co. S.A.
Av. Caseros 3563, 5° piso, C1263AAE, Buenos Aires, Argentina
Tel.: +54 (11) 4390 2600 Int: 2854
mostrovsky at deloitte.com<mailto:mostrovsky at deloitte.com> | http://www.deloitte.com/ar
--

[cid:image001.png at 01D59324.E9012610]

[cid:image002.png at 01D59324.E9012610]<https://www.facebook.com/YourFutureatDeloitteArgentina/>[cid:image003.png at 01D59324.E9012610]<https://www.linkedin.com/company/deloitte-argentina> [cid:image004.png at 01D59324.E9012610] <https://twitter.com/deloittearg>  [cid:image005.png at 01D59324.E9012610] <https://www.youtube.com/user/DeloitteArgentina>  [cid:image006.png at 01D59324.E9012610] <https://www.instagram.com/deloitte_ar/>


Deloitte refers to a Deloitte member firm, one of its related entities, or Deloitte Touche Tohmatsu Limited ("DTTL"). Each Deloitte member firm is a separate legal entity and a member of DTTL. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1421 bytes
Desc: image001.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 1363 bytes
Desc: image002.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 1416 bytes
Desc: image003.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 1398 bytes
Desc: image004.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 1308 bytes
Desc: image005.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.png
Type: image/png
Size: 1190 bytes
Desc: image006.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image007.png
Type: image/png
Size: 29895 bytes
Desc: image007.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image008.png
Type: image/png
Size: 24824 bytes
Desc: image008.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image009.png
Type: image/png
Size: 26631 bytes
Desc: image009.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image010.png
Type: image/png
Size: 10184 bytes
Desc: image010.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment-0009.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image011.png
Type: image/png
Size: 7296 bytes
Desc: image011.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment-0010.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image012.png
Type: image/png
Size: 29217 bytes
Desc: image012.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200616/9ccc49fe/attachment-0011.png>

From jmartinez at identicum.com  Wed Jun 17 16:23:35 2020
From: jmartinez at identicum.com (Javier Martinez)
Date: Wed, 17 Jun 2020 11:23:35 -0300
Subject: [midPoint] Issue with inbound mapping from singled-valued to
 multi-valued attribute
Message-ID: <CAFFw27cT8Vh-t760tR37jhj-6VDqkmWXk=hebsy3u8riUEHZKw@mail.gmail.com>

Hi,
We are having an issue when having an inbound mapping from a single-valued
attribute to a multi-valued attribute. When modifying the value from the
resource, instead of replacing the value, it is adding new values to the
attribute in midPoint. Tested with attributes "organization" and "subtype".
Working OK in midpoint 3.9, but failing with midpoint 4.0.1 and above.
Is there any way to keep this issue from happening?
Regards
-- 
Javier Martínez
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200617/480d8ee0/attachment.htm>

From frederic at lohier.org  Wed Jun 17 18:57:28 2020
From: frederic at lohier.org (=?UTF-8?B?RnLDqWTDqXJpYyBMb2hpZXI=?=)
Date: Wed, 17 Jun 2020 18:57:28 +0200
Subject: [midPoint] Issue with account-entitlement associations (users in
 groups sync to LDAP)
Message-ID: <CALRGK0o2_rdr6fTyA-1ouspVAmteyEoy8SeRooYum=ABurtjiQ@mail.gmail.com>

Hello,



I am trying to setup the outbound synchronization of users and roles and
their association from Midpoint to an openLDAP.



Everything is working except for the association between account shadows
and entitlements that is working only under a strange condition : the
meta-role “LDAP Role” inducing the construction of the account and the
association of the entitlement to the account has to be DIRECTLY assigned
to the midpoint roles I want to synchronize to the LDAP.



If I INDIRECTLY assign this meta-role through an Archetype, I can see the
indirect assignment in the role assignment tab, but when I reconcile a user
assigned to a role with this (indirect) meta-role, the association between
the account and entitlement is removed and the account is removed from the
group in the LDAP. The account and the group are still on the LDAP and
properly synced.



Any idea why my meta-role works OK when directly assigned and not when
indirectly assigned?



Below is a simplified version of my meta-role and archetype :



<role oid="001">

<name>LDAP group meta-role</name>

<inducement>

<construction>

<resourceRef oid="000-000-0000-0000" relation="org:default"
type="c:ResourceType">

</resourceRef>

<kind>entitlement</kind>

<intent>group</intent>

</construction>

<order>1</order>

</inducement>

<inducement>

<construction>

<resourceRef oid="000-000-0000-0000" relation="org:default"
type="c:ResourceType">

</resourceRef>

<kind>account</kind>

<intent>default</intent>

<association>

<ref>ri:group</ref>

<outbound>

<expression>

<associationFromLink>

<projectionDiscriminator>

<kind>entitlement</kind>

<intent>group</intent>

</projectionDiscriminator>

</associationFromLink>

</expression>

<strength>strong</strength>

</outbound>

</association>

</construction>

<order>2</order>

</inducement>

<requestable>false</requestable>

</role>



<archetype>

<name>Group</name>

<assignment>

<activation>

<effectiveStatus>enabled</effectiveStatus>

</activation>

<assignmentRelation>

<holderType>RoleType</holderType>

</assignmentRelation>

</assignment>

<inducement>

<description>Induction of the “LDAP group meta-role” role to all role
assigned to this archetype</description>

<targetRef oid="001" relation="default" type="RoleType"/>

</inducement>

<iteration>0</iteration>

<iterationToken/>

<activation>

<effectiveStatus>enabled</effectiveStatus>

</activation>

<archetypePolicy>

<display>

<label>Group</label>

<pluralLabel>Groups</pluralLabel>

<color>#4a148c</color>

<icon>

<cssClass>fe fe-role_icon</cssClass>

<color>#4a148c</color>

</icon>

</display>

</archetypePolicy>

</archetype>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200617/11c26957/attachment.htm>

From chris at cmwoods.com  Wed Jun 17 20:00:22 2020
From: chris at cmwoods.com (chris at cmwoods.com)
Date: Wed, 17 Jun 2020 18:00:22 +0000
Subject: [midPoint] Issue with account-entitlement associations (users
 in groups sync to LDAP)
In-Reply-To: <CALRGK0o2_rdr6fTyA-1ouspVAmteyEoy8SeRooYum=ABurtjiQ@mail.gmail.com>
References: <CALRGK0o2_rdr6fTyA-1ouspVAmteyEoy8SeRooYum=ABurtjiQ@mail.gmail.com>
Message-ID: <9e327693b7047a6b03f6cfd497c313e2@mail.cmwoods.com>

Hi Frédéric,

I had the same issue. What fixed it for me was adding 1

This is our associationFromLink:
	  entitlement Group  1   
before that I had exactly the same behaviour that you are describing.

Regards,
Chris
June 17, 2020 6:57 PM, "Frédéric Lohier"  wrote:
	Hello, 

	I am trying to setup the outbound synchronization of users and roles and their association from Midpoint to an openLDAP. 

	Everything is working except for the association between account shadows and entitlements that is working only under a strange condition : the meta-role “LDAP Role” inducing the construction of the account and the association of the entitlement to the account has to be DIRECTLY assigned to the midpoint roles I want to synchronize to the LDAP. 

	If I INDIRECTLY assign this meta-role through an Archetype, I can see the indirect assignment in the role assignment tab, but when I reconcile a user assigned to a role with this (indirect) meta-role, the association between the account and entitlement is removed and the account is removed from the group in the LDAP. The account and the group are still on the LDAP and properly synced. 

	Any idea why my meta-role works OK when directly assigned and not when indirectly assigned? 

	Below is a simplified version of my meta-role and archetype : 
	LDAP group meta-role 
	entitlement 

	group 
	1 
	account 

	default 
	ri:group 
	entitlement 

	group 
	strong 
	2 
	false 
	Group 
	enabled 
	RoleType 
	Induction of the “LDAP group meta-role” role to all role assigned to this archetype 
	0 
	enabled 
	Group 

	Groups 

	#4a148c 
	fe fe-role_icon 

	#4a148c
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200617/3bdbee94/attachment.htm>

From Konstantin.Tikhonov at veeam.com  Wed Jun 17 20:07:06 2020
From: Konstantin.Tikhonov at veeam.com (Konstantin Tikhonov)
Date: Wed, 17 Jun 2020 18:07:06 +0000
Subject: [midPoint] Using CSV resource for accounts import and
 management of them inside midPoint
In-Reply-To: <1e1f6b24b2fb4d0c91eaef3238b0a347@zhdk.ch>
References: <CY4PR14MB12380D3A1C57627BD2D6D7BDF6840@CY4PR14MB1238.namprd14.prod.outlook.com>
 <1e1f6b24b2fb4d0c91eaef3238b0a347@zhdk.ch>
Message-ID: <CY4PR14MB12386419E7BFE550A9D6AADDF69A0@CY4PR14MB1238.namprd14.prod.outlook.com>

Hello Colleagues.

Thank you very much for your feedback. XML config of the resource is attached to the e-mail.

SchemaHandling part is configured but I didn't configured Synchronization part because as far as I understood it's related to automatic assigning to a user but we need to assign accounts to users manually on this step.

--
Best Regards,

Konstantin Tikhonov

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Musliu Atdhe
Sent: Saturday, June 13, 2020 9:48 PM
To: 'midPoint General Discussion'
Subject: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Konstantin,
Could you send your Resource XML File?
Maybe the Synchronization part is missing or even the SchemaHandling part.

https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling

Best Regards
Atdhe
-
-
Zürcher Hochschule der Künste
Zurich University of the Arts
-
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
--
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> Im Auftrag von Konstantin Tikhonov
Gesendet: Sunday, 7 June 2020 23:30
An: midPoint General Discussion <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Betreff: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Colleagues.

We have the following task: a system exports a list of its accounts to a CSV file, then midPoint imports the list and after that an administrator assigns the accounts to users in midPoint or assignment can be done in some automatic way. I could find mention of similar functionality in Semi-Manual resource description<https://wiki.evolveum.com/display/midPoint/Manual+Resource+and+ITSM+Integration> only. But the document doesn't describe how this should be configured in midPoint.

I tried to find it out myself. I created a CSV resource and saw accounts from CSV file but the accounts appeared only in the Resource section of the CSV resource (screenshot attached), no any mention of them in the Repository section. And when I tried to Change Owner for any of the accounts I got the error "No projection definition for kind=UNKNOWN intent=unknown in resource:3b21495d-cc1d-47a8-8f7a-e1f1a02d2c24(Test CSV System 1)".

Could you please let me know what I do wrong? And what are the main steps in midPoint to solve this task?

Thanks a lot in advance.

--
Best Regards,

Konstantin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200617/68ac7dc2/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ExportedData_ResourceType_2020_06_17_20_41_41.xml
Type: application/xml
Size: 15547 bytes
Desc: ExportedData_ResourceType_2020_06_17_20_41_41.xml
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200617/68ac7dc2/attachment.xml>

From gugalou38 at gmail.com  Fri Jun 19 03:42:39 2020
From: gugalou38 at gmail.com (Gus Lou)
Date: Thu, 18 Jun 2020 22:42:39 -0300
Subject: [midPoint] Value of attribute '_NAME_'must be a single value,
 but it has nullvalues
Message-ID: <CA+XZjGQoa4Fg+5iyOJDJmfB_rQh=wbR3v-jobrv8W2JOCiUoWQ@mail.gmail.com>

I'm doing a proof of concept with Midpoint 4.1
I configured a resource with a CSV connector (I tested versions 2.3 and 2.4
of the connectors)
My CSV file has the following fields:
login (linked to midpoint field name)
func_num_cpf (linked to midpoint employeeNumber) it is Unique attribute name

Whenever I add or modify a record in my csv file, I get the following error
when executing the task:

*Value of attribute '_NAME_'must be a single value, but it has nullvalues*

I have already remade the settings, I searched the forum for something
similar, but I didn't find it. I know the error message is very clear, but
I don't know what else to do.
I attached my resource settings and csv file if anyone can help. I
appreciate any help

Best Regards
Gus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200618/809d552f/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ExportedData_ResourceType_2020_06_18_22_28_52.xml
Type: text/xml
Size: 21152 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200618/809d552f/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hr4.csv
Type: text/csv
Size: 361 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200618/809d552f/attachment.csv>

From ivan.noris at evolveum.com  Fri Jun 19 10:37:28 2020
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 19 Jun 2020 10:37:28 +0200
Subject: [midPoint] Value of attribute '_NAME_'must be a single value,
 but it has nullvalues
In-Reply-To: <CA+XZjGQoa4Fg+5iyOJDJmfB_rQh=wbR3v-jobrv8W2JOCiUoWQ@mail.gmail.com>
References: <CA+XZjGQoa4Fg+5iyOJDJmfB_rQh=wbR3v-jobrv8W2JOCiUoWQ@mail.gmail.com>
Message-ID: <f100e2bd-04ba-bedd-23f6-d939d73ecb93@evolveum.com>

Hi Gus,

please don't use <tolerant>false</tolerant>.

This means that midpoint does not tolerate values of the (resource)
attribute other than given by midpoint.

But this is inbound connector, so midpoint does not put any values to
the resource attribute at all.

That means, midpoint attempts to clear the values.

That's why tolerant set to false for inbound connectors is not useful.

This is not the first time I see this issue, so two questions:

1. are you using wizard? I assume yes

2. was the tolerant implicitly set to false by wizard or did you set
that to false by yourself?

Thanks.

Best rehards,

Ivan

On 19. 6. 2020 3:42, Gus Lou wrote:
> I'm doing a proof of concept with Midpoint 4.1
> I configured a resource with a CSV connector (I tested versions 2.3
> and 2.4 of the connectors)
> My CSV file has the following fields:
> login (linked to midpoint field name)
> func_num_cpf (linked to midpoint employeeNumber) it is Unique
> attribute name
>
> Whenever I add or modify a record in my csv file, I get the following
> error when executing the task:
>
> /*Value of attribute '_NAME_'must be a single value, but it has
> nullvalues*/
>
> I have already remade the settings, I searched the forum for something
> similar, but I didn't find it. I know the error message is very clear,
> but I don't know what else to do.
> I attached my resource settings and csv file if anyone can help. I
> appreciate any help
>
> Best Regards
> Gus
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/f00f28d2/attachment.htm>

From frederic at lohier.org  Fri Jun 19 11:46:40 2020
From: frederic at lohier.org (=?UTF-8?B?RnLDqWTDqXJpYyBMb2hpZXI=?=)
Date: Fri, 19 Jun 2020 11:46:40 +0200
Subject: [midPoint] Issue with account-entitlement associations (users
 in groups sync to LDAP)
In-Reply-To: <9e327693b7047a6b03f6cfd497c313e2@mail.cmwoods.com>
References: <CALRGK0o2_rdr6fTyA-1ouspVAmteyEoy8SeRooYum=ABurtjiQ@mail.gmail.com>
 <9e327693b7047a6b03f6cfd497c313e2@mail.cmwoods.com>
Message-ID: <CALRGK0oqyOKDmyL4M9oqduNVyqGTO=CxC=Zs3AEiJyZxeocwkA@mail.gmail.com>

Hello Chris,

Thank you so much for your help! This fixed my issue, this was very tricky
to find!

-Frederic


On Wed, Jun 17, 2020, 20:00 <chris at cmwoods.com> wrote:

> Hi Frédéric,
>
> I had the same issue. What fixed it for me was adding
> <assignmentPathIndex>1</assignmentPathIndex>
>
> This is our associationFromLink:
>
> <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xsi:type="c:AssociationFromLinkExpressionEvaluatorType"> <projectionDiscriminator xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ShadowDiscriminatorType"> <kind>entitlement</kind> <intent>Group</intent> </projectionDiscriminator> <assignmentPathIndex>1</assignmentPathIndex> </associationFromLink>
>
>
> before that I had exactly the same behaviour that you are describing.
>
> Regards,
> Chris
>
>
> June 17, 2020 6:57 PM, "Frédéric Lohier" <frederic at lohier.org
> <%22Fr%C3%A9d%C3%A9ric%20Lohier%22%20%3Cfrederic at lohier.org%3E>> wrote:
>
> Hello,
>
> I am trying to setup the outbound synchronization of users and roles and
> their association from Midpoint to an openLDAP.
>
> Everything is working except for the association between account shadows
> and entitlements that is working only under a strange condition : the
> meta-role “LDAP Role” inducing the construction of the account and the
> association of the entitlement to the account has to be DIRECTLY assigned
> to the midpoint roles I want to synchronize to the LDAP.
>
> If I INDIRECTLY assign this meta-role through an Archetype, I can see the
> indirect assignment in the role assignment tab, but when I reconcile a user
> assigned to a role with this (indirect) meta-role, the association between
> the account and entitlement is removed and the account is removed from the
> group in the LDAP. The account and the group are still on the LDAP and
> properly synced.
>
> Any idea why my meta-role works OK when directly assigned and not when
> indirectly assigned?
>
> Below is a simplified version of my meta-role and archetype :
>
> <role oid="001">
>
> <name>LDAP group meta-role</name>
>
> <inducement>
>
> <construction>
>
> <resourceRef oid="000-000-0000-0000" relation="org:default"
> type="c:ResourceType">
>
> </resourceRef>
>
> <kind>entitlement</kind>
>
> <intent>group</intent>
>
> </construction>
>
> <order>1</order>
>
> </inducement>
>
> <inducement>
>
> <construction>
>
> <resourceRef oid="000-000-0000-0000" relation="org:default"
> type="c:ResourceType">
>
> </resourceRef>
>
> <kind>account</kind>
>
> <intent>default</intent>
>
> <association>
>
> <ref>ri:group</ref>
>
> <outbound>
>
> <expression>
>
> <associationFromLink>
>
> <projectionDiscriminator>
>
> <kind>entitlement</kind>
>
> <intent>group</intent>
>
> </projectionDiscriminator>
>
> </associationFromLink>
>
> </expression>
>
> <strength>strong</strength>
>
> </outbound>
>
> </association>
>
> </construction>
>
> <order>2</order>
>
> </inducement>
>
> <requestable>false</requestable>
>
> </role>
>
> <archetype>
>
> <name>Group</name>
>
> <assignment>
>
> <activation>
>
> <effectiveStatus>enabled</effectiveStatus>
>
> </activation>
>
> <assignmentRelation>
>
> <holderType>RoleType</holderType>
>
> </assignmentRelation>
>
> </assignment>
>
> <inducement>
>
> <description>Induction of the “LDAP group meta-role” role to all role
> assigned to this archetype</description>
>
> <targetRef oid="001" relation="default" type="RoleType"/>
>
> </inducement>
>
> <iteration>0</iteration>
>
> <iterationToken/>
>
> <activation>
>
> <effectiveStatus>enabled</effectiveStatus>
>
> </activation>
>
> <archetypePolicy>
>
> <display>
>
> <label>Group</label>
>
> <pluralLabel>Groups</pluralLabel>
>
> <color>#4a148c</color>
>
> <icon>
>
> <cssClass>fe fe-role_icon</cssClass>
>
> <color>#4a148c</color>
>
> </icon>
>
> </display>
>
> </archetypePolicy>
>
> </archetype>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/014f0ecf/attachment.htm>

From ivan.noris at evolveum.com  Fri Jun 19 12:19:07 2020
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 19 Jun 2020 12:19:07 +0200
Subject: [midPoint] Issue with inbound mapping from singled-valued to
 multi-valued attribute
In-Reply-To: <CAFFw27cT8Vh-t760tR37jhj-6VDqkmWXk=hebsy3u8riUEHZKw@mail.gmail.com>
References: <CAFFw27cT8Vh-t760tR37jhj-6VDqkmWXk=hebsy3u8riUEHZKw@mail.gmail.com>
Message-ID: <a1fa4c97-8f5e-fd31-122c-4ec55c3a3ec1@evolveum.com>

Hi Javier,

yes, you can use ranges to fix that:

                <attribute>
                    <ref>ri:department</ref>
                    <displayName>Department name</displayName>
                    <limitations>
                        <access>
                            <read>true</read>
                            <add>false</add>
                            <modify>false</modify>
                        </access>
                    </limitations>
                    <inbound>
                      <target>
                        <path>organizationalUnit</path>
*                        <!-- Range used to REPLACE instead of ADD the
value**
**                        (organizationalUnit is multi-value) -->**
**                        <set>**
**                            <predefined>all</predefined>**
**                        </set>*
                      </target>
                    </inbound>

                </attribute>

See also:
https://wiki.evolveum.com/display/midPoint/Inbound+Mapping#InboundMapping-RangeOfInboundMappings

See also:
https://wiki.evolveum.com/display/midPoint/Mapping#Mapping-MappingRange

I think the default was changed between 3.9 and 4.0.

Best regards,

Ivan

On 17. 6. 2020 16:23, Javier Martinez wrote:
> Hi,
> We are having an issue when having an inbound mapping from a
> single-valued attribute to a multi-valued attribute. When modifying
> the value from the resource, instead of replacing the value, it is
> adding new values to the attribute in midPoint. Tested with attributes
> "organization" and "subtype".
> Working OK in midpoint 3.9, but failing with midpoint 4.0.1 and above.
> Is there any way to keep this issue from happening?
> Regards
> -- 
> Javier Martínez
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com <http://www.identicum.com/>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e4c53edf/attachment.htm>

From gugalou38 at gmail.com  Fri Jun 19 14:11:22 2020
From: gugalou38 at gmail.com (Gus Lou)
Date: Fri, 19 Jun 2020 09:11:22 -0300
Subject: [midPoint] Value of attribute '_NAME_'must be a single value,
 but it has nullvalues
In-Reply-To: <f100e2bd-04ba-bedd-23f6-d939d73ecb93@evolveum.com>
References: <CA+XZjGQoa4Fg+5iyOJDJmfB_rQh=wbR3v-jobrv8W2JOCiUoWQ@mail.gmail.com>
 <f100e2bd-04ba-bedd-23f6-d939d73ecb93@evolveum.com>
Message-ID: <CA+XZjGTNj0WBzhiwtuGh=bjaWaThuVJSYbF4RGVkL07yLV7iNw@mail.gmail.com>

Hi Ivan

My answers:

1. are you using wizard?

Yes I used the wizard, but I imported the resource (
https://github.com/Evolveum/midpoint-samples/blob/master/samples/book/8/resource-csv-hr.xml)
to compare the settings. I don't think I left the identical settings

2. was the tolerant implicitly set to false by wizard or did you set that
to false by yourself?

Honestly I don't know, sorry.

I will review the points mentioned by you.
Thank you very much for the support, I didn't know what to do.

Thanks a lot

Gus

Em sex., 19 de jun. de 2020 às 05:37, Ivan Noris <ivan.noris at evolveum.com>
escreveu:

> Hi Gus,
>
> please don't use <tolerant>false</tolerant>.
>
> This means that midpoint does not tolerate values of the (resource)
> attribute other than given by midpoint.
>
> But this is inbound connector, so midpoint does not put any values to the
> resource attribute at all.
>
> That means, midpoint attempts to clear the values.
>
> That's why tolerant set to false for inbound connectors is not useful.
>
> This is not the first time I see this issue, so two questions:
>
> 1. are you using wizard? I assume yes
>
> 2. was the tolerant implicitly set to false by wizard or did you set that
> to false by yourself?
>
> Thanks.
>
> Best rehards,
>
> Ivan
> On 19. 6. 2020 3:42, Gus Lou wrote:
>
> I'm doing a proof of concept with Midpoint 4.1
> I configured a resource with a CSV connector (I tested versions 2.3 and
> 2.4 of the connectors)
> My CSV file has the following fields:
> login (linked to midpoint field name)
> func_num_cpf (linked to midpoint employeeNumber) it is Unique attribute
> name
>
> Whenever I add or modify a record in my csv file, I get the following
> error when executing the task:
>
> *Value of attribute '_NAME_'must be a single value, but it has nullvalues*
>
> I have already remade the settings, I searched the forum for something
> similar, but I didn't find it. I know the error message is very clear,
> but I don't know what else to do.
> I attached my resource settings and csv file if anyone can help. I
> appreciate any help
>
> Best Regards
> Gus
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/6deb1d3c/attachment.htm>

From gugalou38 at gmail.com  Fri Jun 19 14:39:54 2020
From: gugalou38 at gmail.com (Gus Lou)
Date: Fri, 19 Jun 2020 09:39:54 -0300
Subject: [midPoint] Value of attribute '_NAME_'must be a single value,
 but it has nullvalues
In-Reply-To: <f100e2bd-04ba-bedd-23f6-d939d73ecb93@evolveum.com>
References: <CA+XZjGQoa4Fg+5iyOJDJmfB_rQh=wbR3v-jobrv8W2JOCiUoWQ@mail.gmail.com>
 <f100e2bd-04ba-bedd-23f6-d939d73ecb93@evolveum.com>
Message-ID: <CA+XZjGS1R1WpVR_=0Fs+z3yGe+-_1U1T-PmEy_Xe31sQGjBtUA@mail.gmail.com>

Hi Ivan

*Great news!!!*

I removed the <tolerant> false </tolerant> option from each field in Schema
Handling and now the import and update of the data from the CSV file is
going smoothly.
I'm ashamed to have made that mistake. I wanted to follow the wizard to
understand each step of the configuration and ended up making mistakes.
Anyway thank you very much for the guidelines.

Best Regards

Gus

Em sex., 19 de jun. de 2020 às 05:37, Ivan Noris <ivan.noris at evolveum.com>
escreveu:

> Hi Gus,
>
> please don't use <tolerant>false</tolerant>.
>
> This means that midpoint does not tolerate values of the (resource)
> attribute other than given by midpoint.
>
> But this is inbound connector, so midpoint does not put any values to the
> resource attribute at all.
>
> That means, midpoint attempts to clear the values.
>
> That's why tolerant set to false for inbound connectors is not useful.
>
> This is not the first time I see this issue, so two questions:
>
> 1. are you using wizard? I assume yes
>
> 2. was the tolerant implicitly set to false by wizard or did you set that
> to false by yourself?
>
> Thanks.
>
> Best rehards,
>
> Ivan
> On 19. 6. 2020 3:42, Gus Lou wrote:
>
> I'm doing a proof of concept with Midpoint 4.1
> I configured a resource with a CSV connector (I tested versions 2.3 and
> 2.4 of the connectors)
> My CSV file has the following fields:
> login (linked to midpoint field name)
> func_num_cpf (linked to midpoint employeeNumber) it is Unique attribute
> name
>
> Whenever I add or modify a record in my csv file, I get the following
> error when executing the task:
>
> *Value of attribute '_NAME_'must be a single value, but it has nullvalues*
>
> I have already remade the settings, I searched the forum for something
> similar, but I didn't find it. I know the error message is very clear,
> but I don't know what else to do.
> I attached my resource settings and csv file if anyone can help. I
> appreciate any help
>
> Best Regards
> Gus
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/ddb1d29f/attachment.htm>

From ivan.noris at evolveum.com  Fri Jun 19 14:44:27 2020
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 19 Jun 2020 14:44:27 +0200
Subject: [midPoint] Value of attribute '_NAME_'must be a single value,
 but it has nullvalues
In-Reply-To: <CA+XZjGS1R1WpVR_=0Fs+z3yGe+-_1U1T-PmEy_Xe31sQGjBtUA@mail.gmail.com>
References: <CA+XZjGQoa4Fg+5iyOJDJmfB_rQh=wbR3v-jobrv8W2JOCiUoWQ@mail.gmail.com>
 <f100e2bd-04ba-bedd-23f6-d939d73ecb93@evolveum.com>
 <CA+XZjGS1R1WpVR_=0Fs+z3yGe+-_1U1T-PmEy_Xe31sQGjBtUA@mail.gmail.com>
Message-ID: <4e369643-c41c-c022-10a7-9ea21a198f90@evolveum.com>

Hi Gus,

there is nothing to be ashamed. Trying midPoint and asking for help is
natural and if we can help you, it's good for all of us.

I was asking about wizard/tolerance because several people already had
this problem (including me) knowing that could lead to better
documentation, tooltips, wizard etc.

Best regards,

Ivan

On 19. 6. 2020 14:39, Gus Lou wrote:
> Hi Ivan
>
> *Great news!!!*
>
> I removed the <tolerant> false </tolerant> option from each field in
> Schema Handling and now the import and update of the data from the CSV
> file is going smoothly.
> I'm ashamed to have made that mistake. I wanted to follow the wizard
> to understand each step of the configuration and ended up making mistakes.
> Anyway thank you very much for the guidelines.
>
> Best Regards
>
> Gus
>
> Em sex., 19 de jun. de 2020 às 05:37, Ivan Noris
> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> escreveu:
>
>     Hi Gus,
>
>     please don't use <tolerant>false</tolerant>.
>
>     This means that midpoint does not tolerate values of the
>     (resource) attribute other than given by midpoint.
>
>     But this is inbound connector, so midpoint does not put any values
>     to the resource attribute at all.
>
>     That means, midpoint attempts to clear the values.
>
>     That's why tolerant set to false for inbound connectors is not useful.
>
>     This is not the first time I see this issue, so two questions:
>
>     1. are you using wizard? I assume yes
>
>     2. was the tolerant implicitly set to false by wizard or did you
>     set that to false by yourself?
>
>     Thanks.
>
>     Best rehards,
>
>     Ivan
>
>     On 19. 6. 2020 3:42, Gus Lou wrote:
>>     I'm doing a proof of concept with Midpoint 4.1
>>     I configured a resource with a CSV connector (I tested versions
>>     2.3 and 2.4 of the connectors)
>>     My CSV file has the following fields:
>>     login (linked to midpoint field name)
>>     func_num_cpf (linked to midpoint employeeNumber) it is Unique
>>     attribute name
>>
>>     Whenever I add or modify a record in my csv file, I get the
>>     following error when executing the task:
>>
>>     /*Value of attribute '_NAME_'must be a single value, but it has
>>     nullvalues*/
>>
>>     I have already remade the settings, I searched the forum for
>>     something similar, but I didn't find it. I know the error message
>>     is very clear, but I don't know what else to do.
>>     I attached my resource settings and csv file if anyone can help.
>>     I appreciate any help
>>
>>     Best Regards
>>     Gus
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     https://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>     Ivan Noris
>     Senior Identity Engineer
>     evolveum.com <http://evolveum.com>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/82086fe7/attachment.htm>

From atdhe.musliu at zhdk.ch  Fri Jun 19 15:24:52 2020
From: atdhe.musliu at zhdk.ch (Musliu Atdhe)
Date: Fri, 19 Jun 2020 13:24:52 +0000
Subject: [midPoint] Using CSV resource for accounts import and
 management of them inside midPoint
In-Reply-To: <CY4PR14MB12386419E7BFE550A9D6AADDF69A0@CY4PR14MB1238.namprd14.prod.outlook.com>
References: <CY4PR14MB12380D3A1C57627BD2D6D7BDF6840@CY4PR14MB1238.namprd14.prod.outlook.com>
 <1e1f6b24b2fb4d0c91eaef3238b0a347@zhdk.ch>
 <CY4PR14MB12386419E7BFE550A9D6AADDF69A0@CY4PR14MB1238.namprd14.prod.outlook.com>
Message-ID: <e5c3d61cf83a4e0d899f8ede1a06d7f4@zhdk.ch>

Hello Konstantin,
Can you try and set  default to «true» in the SchemaHandling section, and then test it again.

Best Regards
Atdhe


-
-
Zürcher Hochschule der Künste
Zurich University of the Arts
-
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
--
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com> Im Auftrag von Konstantin Tikhonov
Gesendet: Wednesday, 17 June 2020 20:07
An: midPoint General Discussion <midpoint at lists.evolveum.com>
Betreff: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Colleagues.

Thank you very much for your feedback. XML config of the resource is attached to the e-mail.

SchemaHandling part is configured but I didn't configured Synchronization part because as far as I understood it's related to automatic assigning to a user but we need to assign accounts to users manually on this step.

--
Best Regards,

Konstantin Tikhonov

From: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> On Behalf Of Musliu Atdhe
Sent: Saturday, June 13, 2020 9:48 PM
To: 'midPoint General Discussion'
Subject: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Konstantin,
Could you send your Resource XML File?
Maybe the Synchronization part is missing or even the SchemaHandling part.

https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling

Best Regards
Atdhe
-
-
Zürcher Hochschule der Künste
Zurich University of the Arts
-
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
--
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> Im Auftrag von Konstantin Tikhonov
Gesendet: Sunday, 7 June 2020 23:30
An: midPoint General Discussion <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Betreff: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Colleagues.

We have the following task: a system exports a list of its accounts to a CSV file, then midPoint imports the list and after that an administrator assigns the accounts to users in midPoint or assignment can be done in some automatic way. I could find mention of similar functionality in Semi-Manual resource description<https://wiki.evolveum.com/display/midPoint/Manual+Resource+and+ITSM+Integration> only. But the document doesn't describe how this should be configured in midPoint.

I tried to find it out myself. I created a CSV resource and saw accounts from CSV file but the accounts appeared only in the Resource section of the CSV resource (screenshot attached), no any mention of them in the Repository section. And when I tried to Change Owner for any of the accounts I got the error "No projection definition for kind=UNKNOWN intent=unknown in resource:3b21495d-cc1d-47a8-8f7a-e1f1a02d2c24(Test CSV System 1)".

Could you please let me know what I do wrong? And what are the main steps in midPoint to solve this task?

Thanks a lot in advance.

--
Best Regards,

Konstantin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/4ffc9250/attachment.htm>

From atdhe.musliu at zhdk.ch  Fri Jun 19 15:47:32 2020
From: atdhe.musliu at zhdk.ch (Musliu Atdhe)
Date: Fri, 19 Jun 2020 13:47:32 +0000
Subject: [midPoint] Using CSV resource for accounts import and
 management of them inside midPoint
In-Reply-To: <e5c3d61cf83a4e0d899f8ede1a06d7f4@zhdk.ch>
References: <CY4PR14MB12380D3A1C57627BD2D6D7BDF6840@CY4PR14MB1238.namprd14.prod.outlook.com>
 <1e1f6b24b2fb4d0c91eaef3238b0a347@zhdk.ch>
 <CY4PR14MB12386419E7BFE550A9D6AADDF69A0@CY4PR14MB1238.namprd14.prod.outlook.com>
 <e5c3d61cf83a4e0d899f8ede1a06d7f4@zhdk.ch>
Message-ID: <0ed527439f1e4158bb75c467acf08e30@zhdk.ch>

Hello Konstantin,
I added the Synchronization part on the CSV Connector, and then it worked.

<synchronization>
        <objectSynchronization>
            <name>Default</name>
            <objectClass>AccountObjectClass</objectClass>
            <kind>account</kind>
            <focusType>c:UserType</focusType>
            <enabled>true</enabled>
            <reconcile>false</reconcile>
        </objectSynchronization>
    </synchronization>

I don't know if it should be like this or not.

Best Regards
Atdhe

-
-
Zürcher Hochschule der Künste
Zurich University of the Arts
-
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
-
-
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com> Im Auftrag von Musliu Atdhe
Gesendet: Friday, 19 June 2020 15:25
An: 'midPoint General Discussion' <midpoint at lists.evolveum.com>
Betreff: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Konstantin,
Can you try and set  default to «true» in the SchemaHandling section, and then test it again.

Best Regards
Atdhe


-
-
Zürcher Hochschule der Künste
Zurich University of the Arts
-
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
--
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> Im Auftrag von Konstantin Tikhonov
Gesendet: Wednesday, 17 June 2020 20:07
An: midPoint General Discussion <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Betreff: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Colleagues.

Thank you very much for your feedback. XML config of the resource is attached to the e-mail.

SchemaHandling part is configured but I didn't configured Synchronization part because as far as I understood it's related to automatic assigning to a user but we need to assign accounts to users manually on this step.

--
Best Regards,

Konstantin Tikhonov

From: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> On Behalf Of Musliu Atdhe
Sent: Saturday, June 13, 2020 9:48 PM
To: 'midPoint General Discussion'
Subject: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Konstantin,
Could you send your Resource XML File?
Maybe the Synchronization part is missing or even the SchemaHandling part.

https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling

Best Regards
Atdhe
-
-
Zürcher Hochschule der Künste
Zurich University of the Arts
-
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
--
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> Im Auftrag von Konstantin Tikhonov
Gesendet: Sunday, 7 June 2020 23:30
An: midPoint General Discussion <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Betreff: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Colleagues.

We have the following task: a system exports a list of its accounts to a CSV file, then midPoint imports the list and after that an administrator assigns the accounts to users in midPoint or assignment can be done in some automatic way. I could find mention of similar functionality in Semi-Manual resource description<https://wiki.evolveum.com/display/midPoint/Manual+Resource+and+ITSM+Integration> only. But the document doesn't describe how this should be configured in midPoint.

I tried to find it out myself. I created a CSV resource and saw accounts from CSV file but the accounts appeared only in the Resource section of the CSV resource (screenshot attached), no any mention of them in the Repository section. And when I tried to Change Owner for any of the accounts I got the error "No projection definition for kind=UNKNOWN intent=unknown in resource:3b21495d-cc1d-47a8-8f7a-e1f1a02d2c24(Test CSV System 1)".

Could you please let me know what I do wrong? And what are the main steps in midPoint to solve this task?

Thanks a lot in advance.

--
Best Regards,

Konstantin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/06159503/attachment.htm>

From Konstantin.Tikhonov at veeam.com  Fri Jun 19 15:55:48 2020
From: Konstantin.Tikhonov at veeam.com (Konstantin Tikhonov)
Date: Fri, 19 Jun 2020 13:55:48 +0000
Subject: [midPoint] Using CSV resource for accounts import and
 management of them inside midPoint
In-Reply-To: <0ed527439f1e4158bb75c467acf08e30@zhdk.ch>
References: <CY4PR14MB12380D3A1C57627BD2D6D7BDF6840@CY4PR14MB1238.namprd14.prod.outlook.com>
 <1e1f6b24b2fb4d0c91eaef3238b0a347@zhdk.ch>
 <CY4PR14MB12386419E7BFE550A9D6AADDF69A0@CY4PR14MB1238.namprd14.prod.outlook.com>
 <e5c3d61cf83a4e0d899f8ede1a06d7f4@zhdk.ch>
 <0ed527439f1e4158bb75c467acf08e30@zhdk.ch>
Message-ID: <CY4PR14MB12388A8C01EE64B6C544B304F6980@CY4PR14MB1238.namprd14.prod.outlook.com>

Hello Atdhe.

Thank you very much for your help.

I tried to add your synchronization section to my CSV resource and when tried to save it got the error:

Attempt to store multiple values in single-valued property {http://midpoint.evolveum.com/xml/ns/public/common/common-3}synchronization

I attached XML of the current CSV resource to the email. What am I doing wrong?

Thank you in advance.

--
Best Regards,

Konstantin Tikhonov

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Musliu Atdhe
Sent: Friday, June 19, 2020 4:48 PM
To: 'midPoint General Discussion'
Subject: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Konstantin,
I added the Synchronization part on the CSV Connector, and then it worked.

<synchronization>
        <objectSynchronization>
            <name>Default</name>
            <objectClass>AccountObjectClass</objectClass>
            <kind>account</kind>
            <focusType>c:UserType</focusType>
            <enabled>true</enabled>
            <reconcile>false</reconcile>
        </objectSynchronization>
    </synchronization>

I don't know if it should be like this or not.

Best Regards
Atdhe

-
-
Zürcher Hochschule der Künste
Zurich University of the Arts
-
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
-
-
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> Im Auftrag von Musliu Atdhe
Gesendet: Friday, 19 June 2020 15:25
An: 'midPoint General Discussion' <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Betreff: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Konstantin,
Can you try and set  default to «true» in the SchemaHandling section, and then test it again.

Best Regards
Atdhe


-
-
Zürcher Hochschule der Künste
Zurich University of the Arts
-
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
--
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> Im Auftrag von Konstantin Tikhonov
Gesendet: Wednesday, 17 June 2020 20:07
An: midPoint General Discussion <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Betreff: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Colleagues.

Thank you very much for your feedback. XML config of the resource is attached to the e-mail.

SchemaHandling part is configured but I didn't configured Synchronization part because as far as I understood it's related to automatic assigning to a user but we need to assign accounts to users manually on this step.

--
Best Regards,

Konstantin Tikhonov

From: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> On Behalf Of Musliu Atdhe
Sent: Saturday, June 13, 2020 9:48 PM
To: 'midPoint General Discussion'
Subject: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Konstantin,
Could you send your Resource XML File?
Maybe the Synchronization part is missing or even the SchemaHandling part.

https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling

Best Regards
Atdhe
-
-
Zürcher Hochschule der Künste
Zurich University of the Arts
-
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
--
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> Im Auftrag von Konstantin Tikhonov
Gesendet: Sunday, 7 June 2020 23:30
An: midPoint General Discussion <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Betreff: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Colleagues.

We have the following task: a system exports a list of its accounts to a CSV file, then midPoint imports the list and after that an administrator assigns the accounts to users in midPoint or assignment can be done in some automatic way. I could find mention of similar functionality in Semi-Manual resource description<https://wiki.evolveum.com/display/midPoint/Manual+Resource+and+ITSM+Integration> only. But the document doesn't describe how this should be configured in midPoint.

I tried to find it out myself. I created a CSV resource and saw accounts from CSV file but the accounts appeared only in the Resource section of the CSV resource (screenshot attached), no any mention of them in the Repository section. And when I tried to Change Owner for any of the accounts I got the error "No projection definition for kind=UNKNOWN intent=unknown in resource:3b21495d-cc1d-47a8-8f7a-e1f1a02d2c24(Test CSV System 1)".

Could you please let me know what I do wrong? And what are the main steps in midPoint to solve this task?

Thanks a lot in advance.

--
Best Regards,

Konstantin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/0f607c95/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ExportedData_ResourceType_2020_06_19_16_42_45.xml
Type: application/xml
Size: 15717 bytes
Desc: ExportedData_ResourceType_2020_06_19_16_42_45.xml
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/0f607c95/attachment.xml>

From gugalou38 at gmail.com  Fri Jun 19 15:59:47 2020
From: gugalou38 at gmail.com (Gus Lou)
Date: Fri, 19 Jun 2020 10:59:47 -0300
Subject: [midPoint] Value of attribute '_NAME_'must be a single value,
 but it has nullvalues
In-Reply-To: <4e369643-c41c-c022-10a7-9ea21a198f90@evolveum.com>
References: <CA+XZjGQoa4Fg+5iyOJDJmfB_rQh=wbR3v-jobrv8W2JOCiUoWQ@mail.gmail.com>
 <f100e2bd-04ba-bedd-23f6-d939d73ecb93@evolveum.com>
 <CA+XZjGS1R1WpVR_=0Fs+z3yGe+-_1U1T-PmEy_Xe31sQGjBtUA@mail.gmail.com>
 <4e369643-c41c-c022-10a7-9ea21a198f90@evolveum.com>
Message-ID: <CA+XZjGRUFMP2aCaB1xtoV+vtcav+4dASG3+Jcqtm9OD8EC9bkA@mail.gmail.com>

Hi Ivan

Thanks again for your patience and collaboration, in the future I hope to
also help the community by answering questions and challenges in my journey
of implementing IAG Midpoint.

Best Regards

Gus

Em sex., 19 de jun. de 2020 às 09:44, Ivan Noris <ivan.noris at evolveum.com>
escreveu:

> Hi Gus,
>
> there is nothing to be ashamed. Trying midPoint and asking for help is
> natural and if we can help you, it's good for all of us.
>
> I was asking about wizard/tolerance because several people already had
> this problem (including me) knowing that could lead to better
> documentation, tooltips, wizard etc.
>
> Best regards,
>
> Ivan
> On 19. 6. 2020 14:39, Gus Lou wrote:
>
> Hi Ivan
>
> *Great news!!!*
>
> I removed the <tolerant> false </tolerant> option from each field in
> Schema Handling and now the import and update of the data from the CSV file
> is going smoothly.
> I'm ashamed to have made that mistake. I wanted to follow the wizard to
> understand each step of the configuration and ended up making mistakes.
> Anyway thank you very much for the guidelines.
>
> Best Regards
>
> Gus
>
> Em sex., 19 de jun. de 2020 às 05:37, Ivan Noris <ivan.noris at evolveum.com>
> escreveu:
>
>> Hi Gus,
>>
>> please don't use <tolerant>false</tolerant>.
>>
>> This means that midpoint does not tolerate values of the (resource)
>> attribute other than given by midpoint.
>>
>> But this is inbound connector, so midpoint does not put any values to the
>> resource attribute at all.
>>
>> That means, midpoint attempts to clear the values.
>>
>> That's why tolerant set to false for inbound connectors is not useful.
>>
>> This is not the first time I see this issue, so two questions:
>>
>> 1. are you using wizard? I assume yes
>>
>> 2. was the tolerant implicitly set to false by wizard or did you set that
>> to false by yourself?
>>
>> Thanks.
>>
>> Best rehards,
>>
>> Ivan
>> On 19. 6. 2020 3:42, Gus Lou wrote:
>>
>> I'm doing a proof of concept with Midpoint 4.1
>> I configured a resource with a CSV connector (I tested versions 2.3 and
>> 2.4 of the connectors)
>> My CSV file has the following fields:
>> login (linked to midpoint field name)
>> func_num_cpf (linked to midpoint employeeNumber) it is Unique attribute
>> name
>>
>> Whenever I add or modify a record in my csv file, I get the following
>> error when executing the task:
>>
>> *Value of attribute '_NAME_'must be a single value, but it has nullvalues*
>>
>> I have already remade the settings, I searched the forum for something
>> similar, but I didn't find it. I know the error message is very clear,
>> but I don't know what else to do.
>> I attached my resource settings and csv file if anyone can help. I
>> appreciate any help
>>
>> Best Regards
>> Gus
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ivan Noris
>> Senior Identity Engineerevolveum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/4830e709/attachment.htm>

From Konstantin.Tikhonov at veeam.com  Fri Jun 19 16:11:14 2020
From: Konstantin.Tikhonov at veeam.com (Konstantin Tikhonov)
Date: Fri, 19 Jun 2020 14:11:14 +0000
Subject: [midPoint] Using CSV resource for accounts import and
 management of them inside midPoint
In-Reply-To: <CY4PR14MB12388A8C01EE64B6C544B304F6980@CY4PR14MB1238.namprd14.prod.outlook.com>
References: <CY4PR14MB12380D3A1C57627BD2D6D7BDF6840@CY4PR14MB1238.namprd14.prod.outlook.com>
 <1e1f6b24b2fb4d0c91eaef3238b0a347@zhdk.ch>
 <CY4PR14MB12386419E7BFE550A9D6AADDF69A0@CY4PR14MB1238.namprd14.prod.outlook.com>
 <e5c3d61cf83a4e0d899f8ede1a06d7f4@zhdk.ch>
 <0ed527439f1e4158bb75c467acf08e30@zhdk.ch>
 <CY4PR14MB12388A8C01EE64B6C544B304F6980@CY4PR14MB1238.namprd14.prod.outlook.com>
Message-ID: <CY4PR14MB1238B5665CD02F2C18F54D34F6980@CY4PR14MB1238.namprd14.prod.outlook.com>

Atdhe.

It’s a magic! 😊

I added a synchronization object via GUI and it’s configured exactly the same:

    <synchronization>
        <objectSynchronization>
            <objectClass>AccountObjectClass</objectClass>
            <kind>account</kind>
            <intent>Default</intent>
            <focusType>c:UserType</focusType>
            <enabled>true</enabled>
            <reconcile>false</reconcile>
        </objectSynchronization>
    </synchronization>

but was added after Capabilities section. Then I did Schema refresh and delete old shadows. And after that everything got worked!
Now I see all accounts in the CSV resource with Default intent and I’m able to assign it to users.

Thank you very much for your assistance!

--
Best Regards,

Konstantin Tikhonov

From: Konstantin Tikhonov
Sent: Friday, June 19, 2020 4:56 PM
To: midPoint General Discussion
Subject: RE: Using CSV resource for accounts import and management of them inside midPoint

Hello Atdhe.

Thank you very much for your help.

I tried to add your synchronization section to my CSV resource and when tried to save it got the error:

Attempt to store multiple values in single-valued property {http://midpoint.evolveum.com/xml/ns/public/common/common-3}synchronization

I attached XML of the current CSV resource to the email. What am I doing wrong?

Thank you in advance.

--
Best Regards,

Konstantin Tikhonov

From: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> On Behalf Of Musliu Atdhe
Sent: Friday, June 19, 2020 4:48 PM
To: 'midPoint General Discussion'
Subject: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Konstantin,
I added the Synchronization part on the CSV Connector, and then it worked.

<synchronization>
        <objectSynchronization>
            <name>Default</name>
            <objectClass>AccountObjectClass</objectClass>
            <kind>account</kind>
            <focusType>c:UserType</focusType>
            <enabled>true</enabled>
            <reconcile>false</reconcile>
        </objectSynchronization>
    </synchronization>

I don’t know if it should be like this or not.

Best Regards
Atdhe

—
—
Zürcher Hochschule der Künste
Zurich University of the Arts
—
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
—
—
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> Im Auftrag von Musliu Atdhe
Gesendet: Friday, 19 June 2020 15:25
An: 'midPoint General Discussion' <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Betreff: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Konstantin,
Can you try and set  default to «true» in the SchemaHandling section, and then test it again.

Best Regards
Atdhe


—
—
Zürcher Hochschule der Künste
Zurich University of the Arts
—
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
——
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> Im Auftrag von Konstantin Tikhonov
Gesendet: Wednesday, 17 June 2020 20:07
An: midPoint General Discussion <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Betreff: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Colleagues.

Thank you very much for your feedback. XML config of the resource is attached to the e-mail.

SchemaHandling part is configured but I didn’t configured Synchronization part because as far as I understood it’s related to automatic assigning to a user but we need to assign accounts to users manually on this step.

--
Best Regards,

Konstantin Tikhonov

From: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> On Behalf Of Musliu Atdhe
Sent: Saturday, June 13, 2020 9:48 PM
To: 'midPoint General Discussion'
Subject: Re: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Konstantin,
Could you send your Resource XML File?
Maybe the Synchronization part is missing or even the SchemaHandling part.

https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling

Best Regards
Atdhe
—
—
Zürcher Hochschule der Künste
Zurich University of the Arts
—
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
——
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> Im Auftrag von Konstantin Tikhonov
Gesendet: Sunday, 7 June 2020 23:30
An: midPoint General Discussion <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Betreff: [midPoint] Using CSV resource for accounts import and management of them inside midPoint

Hello Colleagues.

We have the following task: a system exports a list of its accounts to a CSV file, then midPoint imports the list and after that an administrator assigns the accounts to users in midPoint or assignment can be done in some automatic way. I could find mention of similar functionality in Semi-Manual resource description<https://wiki.evolveum.com/display/midPoint/Manual+Resource+and+ITSM+Integration> only. But the document doesn’t describe how this should be configured in midPoint.

I tried to find it out myself. I created a CSV resource and saw accounts from CSV file but the accounts appeared only in the Resource section of the CSV resource (screenshot attached), no any mention of them in the Repository section. And when I tried to Change Owner for any of the accounts I got the error “No projection definition for kind=UNKNOWN intent=unknown in resource:3b21495d-cc1d-47a8-8f7a-e1f1a02d2c24(Test CSV System 1)”.

Could you please let me know what I do wrong? And what are the main steps in midPoint to solve this task?

Thanks a lot in advance.

--
Best Regards,

Konstantin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/7d2af33a/attachment.htm>

From gugalou38 at gmail.com  Fri Jun 19 17:41:54 2020
From: gugalou38 at gmail.com (Gus Lou)
Date: Fri, 19 Jun 2020 12:41:54 -0300
Subject: [midPoint] Value of attribute '_NAME_'must be a single value,
 but it has nullvalues
In-Reply-To: <4e369643-c41c-c022-10a7-9ea21a198f90@evolveum.com>
References: <CA+XZjGQoa4Fg+5iyOJDJmfB_rQh=wbR3v-jobrv8W2JOCiUoWQ@mail.gmail.com>
 <f100e2bd-04ba-bedd-23f6-d939d73ecb93@evolveum.com>
 <CA+XZjGS1R1WpVR_=0Fs+z3yGe+-_1U1T-PmEy_Xe31sQGjBtUA@mail.gmail.com>
 <4e369643-c41c-c022-10a7-9ea21a198f90@evolveum.com>
Message-ID: <CA+XZjGQY-xFXrwNy8mhtSXaiLhMyK+XVVygtQqcJWDFCXBPtEA@mail.gmail.com>

Hi Ivan

I think I have identified a possible bug. Whenever I configure something in
Schema Handling in my CSV Resource, the option <tolerant> false </tolerant>
returns in the XML configuration.
In the Tolerant checkbox it remains unchecked.

Regards

Gus

Em sex., 19 de jun. de 2020 às 09:44, Ivan Noris <ivan.noris at evolveum.com>
escreveu:

> Hi Gus,
>
> there is nothing to be ashamed. Trying midPoint and asking for help is
> natural and if we can help you, it's good for all of us.
>
> I was asking about wizard/tolerance because several people already had
> this problem (including me) knowing that could lead to better
> documentation, tooltips, wizard etc.
>
> Best regards,
>
> Ivan
> On 19. 6. 2020 14:39, Gus Lou wrote:
>
> Hi Ivan
>
> *Great news!!!*
>
> I removed the <tolerant> false </tolerant> option from each field in
> Schema Handling and now the import and update of the data from the CSV file
> is going smoothly.
> I'm ashamed to have made that mistake. I wanted to follow the wizard to
> understand each step of the configuration and ended up making mistakes.
> Anyway thank you very much for the guidelines.
>
> Best Regards
>
> Gus
>
> Em sex., 19 de jun. de 2020 às 05:37, Ivan Noris <ivan.noris at evolveum.com>
> escreveu:
>
>> Hi Gus,
>>
>> please don't use <tolerant>false</tolerant>.
>>
>> This means that midpoint does not tolerate values of the (resource)
>> attribute other than given by midpoint.
>>
>> But this is inbound connector, so midpoint does not put any values to the
>> resource attribute at all.
>>
>> That means, midpoint attempts to clear the values.
>>
>> That's why tolerant set to false for inbound connectors is not useful.
>>
>> This is not the first time I see this issue, so two questions:
>>
>> 1. are you using wizard? I assume yes
>>
>> 2. was the tolerant implicitly set to false by wizard or did you set that
>> to false by yourself?
>>
>> Thanks.
>>
>> Best rehards,
>>
>> Ivan
>> On 19. 6. 2020 3:42, Gus Lou wrote:
>>
>> I'm doing a proof of concept with Midpoint 4.1
>> I configured a resource with a CSV connector (I tested versions 2.3 and
>> 2.4 of the connectors)
>> My CSV file has the following fields:
>> login (linked to midpoint field name)
>> func_num_cpf (linked to midpoint employeeNumber) it is Unique attribute
>> name
>>
>> Whenever I add or modify a record in my csv file, I get the following
>> error when executing the task:
>>
>> *Value of attribute '_NAME_'must be a single value, but it has nullvalues*
>>
>> I have already remade the settings, I searched the forum for something
>> similar, but I didn't find it. I know the error message is very clear,
>> but I don't know what else to do.
>> I attached my resource settings and csv file if anyone can help. I
>> appreciate any help
>>
>> Best Regards
>> Gus
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ivan Noris
>> Senior Identity Engineerevolveum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/f68f82b7/attachment.htm>

From PFSJ at senado.leg.br  Fri Jun 19 18:01:15 2020
From: PFSJ at senado.leg.br (Paulo Fernandes de Souza Junior)
Date: Fri, 19 Jun 2020 16:01:15 +0000
Subject: [midPoint] Issue with inbound mapping from singled-valued to
 multi-valued attribute
In-Reply-To: <CAFFw27cT8Vh-t760tR37jhj-6VDqkmWXk=hebsy3u8riUEHZKw@mail.gmail.com>
References: <CAFFw27cT8Vh-t760tR37jhj-6VDqkmWXk=hebsy3u8riUEHZKw@mail.gmail.com>
Message-ID: <1592582475117.64953@senado.leg.br>

Hi,


Take a look at https://wiki.evolveum.com/display/midPoint/Inbound+Mapping#InboundMapping-RangeOfInboundMappings?


Paulo Fernandes de Souza Júnior
NQPPPS
Senado Federal - PRODASEN
Fone: 61 3303.3924


________________________________
De: midPoint <midpoint-bounces at lists.evolveum.com> em nome de Javier Martinez <jmartinez at identicum.com>
Enviado: quarta-feira, 17 de junho de 2020 11:23
Para: midPoint General Discussion
Assunto: [midPoint] Issue with inbound mapping from singled-valued to multi-valued attribute

Hi,
We are having an issue when having an inbound mapping from a single-valued attribute to a multi-valued attribute. When modifying the value from the resource, instead of replacing the value, it is adding new values to the attribute in midPoint. Tested with attributes "organization" and "subtype".
Working OK in midpoint 3.9, but failing with midpoint 4.0.1 and above.
Is there any way to keep this issue from happening?
Regards
--
Javier Martínez
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com<http://www.identicum.com/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/1d376097/attachment.htm>

From mostrovsky at deloitte.com  Fri Jun 19 17:24:22 2020
From: mostrovsky at deloitte.com (Ostrovsky, Matias)
Date: Fri, 19 Jun 2020 15:24:22 +0000
Subject: [midPoint] entitlement-management-issues
Message-ID: <SN6PR85MB0352E8691E3E679F31B32E23B4980@SN6PR85MB0352.NAMPRD85.PROD.OUTLOOK.COM>

Hello,

My team is having trouble while managing entitlements. We think the issue is from midPoint code, not the connector.
The following images describe how we proceed to add and remove entitlement objects to a role:


We go to a role (named rol_test in the example) and then we select the induced entitlement tab
[cid:image007.png at 01D64633.17FCACC0]


Then App A is added with Account,default and ref:group parameters
[cid:image008.png at 01D64633.17FCACC0]


[cid:image009.png at 01D64633.17FCACC0]

Add button is clicked and then we proceed to add Entitlement003 and Entitlement001 entitlements. After this, changes are successfully saved.
[cid:image010.png at 01D64633.17FCACC0]


We go to rol_test again and delete Entitlement001 saving the change.
[cid:image011.png at 01D64633.17FCACC0]

Then the first error appears. Entitlement001 gets duplicated. Error that always happens. We are currently working on 4.0.1 and the error persists in 3.9 and later versions, except for 4.0.
[cid:image012.png at 01D64633.17FCACC0]


The second error comes when adding an entitlement with the same name, for example Entitlement003. We add it, the screen is the same as above, so it seems that there are no changes,
But Entitlement001 is now duplicated again. Error that persists on 3.9 and later versions.
[cid:image013.png at 01D64633.17FCACC0]




So, here we have two errors. Duplicated entitlement when trying to remove it and same name entitlement addition allowed, duplicating another one (sometimes the same). My question is...
Do we proceed incorrectly or midpoint code is failing? Is there an existing code to fix this? I hope that you can help us, thank you for your time.


Regards,

--
Matias Ostrovsky
Consultant | Cyber Risk Services | Risk Advisory
Deloitte & Co. S.A.
Av. Caseros 3563, 5° piso, C1263AAE, Buenos Aires, Argentina
Tel.: +54 (11) 4390 2600 Int: 2854
mostrovsky at deloitte.com<mailto:mostrovsky at deloitte.com> | http://www.deloitte.com/ar
--

[cid:image001.png at 01D59324.E9012610]

[cid:image002.png at 01D59324.E9012610]<https://www.facebook.com/YourFutureatDeloitteArgentina/>[cid:image003.png at 01D59324.E9012610]<https://www.linkedin.com/company/deloitte-argentina> [cid:image004.png at 01D59324.E9012610] <https://twitter.com/deloittearg>  [cid:image005.png at 01D59324.E9012610] <https://www.youtube.com/user/DeloitteArgentina>  [cid:image006.png at 01D59324.E9012610] <https://www.instagram.com/deloitte_ar/>
--
Antes de imprimir, piensa en tu responsabilidad con el medio ambiente.


Deloitte refers to a Deloitte member firm, one of its related entities, or Deloitte Touche Tohmatsu Limited ("DTTL"). Each Deloitte member firm is a separate legal entity and a member of DTTL. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1421 bytes
Desc: image001.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 1363 bytes
Desc: image002.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 1416 bytes
Desc: image003.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 1398 bytes
Desc: image004.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 1308 bytes
Desc: image005.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.png
Type: image/png
Size: 1190 bytes
Desc: image006.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image007.png
Type: image/png
Size: 18455 bytes
Desc: image007.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image008.png
Type: image/png
Size: 15040 bytes
Desc: image008.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image009.png
Type: image/png
Size: 17490 bytes
Desc: image009.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image010.png
Type: image/png
Size: 20174 bytes
Desc: image010.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment-0009.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image011.png
Type: image/png
Size: 21541 bytes
Desc: image011.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment-0010.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image012.png
Type: image/png
Size: 22868 bytes
Desc: image012.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment-0011.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image013.png
Type: image/png
Size: 24999 bytes
Desc: image013.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200619/e465b3a2/attachment-0012.png>

From gugalou38 at gmail.com  Mon Jun 22 01:18:36 2020
From: gugalou38 at gmail.com (Gus Lou)
Date: Sun, 21 Jun 2020 20:18:36 -0300
Subject: [midPoint] Recompute all users is not working for me
Message-ID: <CA+XZjGStBEHcxMdP31VTABja28_qJswh4py=QtE0T9mH+QM=bA@mail.gmail.com>

Hi Guys
I need the permissions of users assigned to a Role (Rbac role named "Sec -
SOC") to be updated after adding a new group (gs_spo_sec_soc) to this Role.
After adding the group to the role, I ran a recompute task, I expected the
new group to be added to users but it didn't. If I add a new user to the
role he receives all groups.

Did I do something wrong, did any steps miss?

I followed the instructions on the wiki:
https://wiki.evolveum.com/display/midPoint/Recompute+Task

And also in this thread:
https://lists.evolveum.com/pipermail/midpoint/2014-November/000639.html

*My Lab*
01 Midpoint 4.1
01 Active Directory (Connector Ldap / AD 3.0) Resource
01 Metarole: "Metarole for groups - AD" (inducement to Active Directory
(LDAP) Resource
03 Groups (gs_snow_sec_soc, gs_jira_sec_soc, gs_spo_sec_soc) assigned to
Metarole
01 Rbac Role "Sec - SOC" inducements (gs_snow_sec_soc, gs_jira_sec_soc,
gs_spo_sec_soc)


Best Regards
Gus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200621/bb11f854/attachment.htm>

From ivan.noris at evolveum.com  Mon Jun 22 09:16:09 2020
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 22 Jun 2020 09:16:09 +0200
Subject: [midPoint] Value of attribute '_NAME_'must be a single value,
 but it has nullvalues
In-Reply-To: <CA+XZjGQY-xFXrwNy8mhtSXaiLhMyK+XVVygtQqcJWDFCXBPtEA@mail.gmail.com>
References: <CA+XZjGQoa4Fg+5iyOJDJmfB_rQh=wbR3v-jobrv8W2JOCiUoWQ@mail.gmail.com>
 <f100e2bd-04ba-bedd-23f6-d939d73ecb93@evolveum.com>
 <CA+XZjGS1R1WpVR_=0Fs+z3yGe+-_1U1T-PmEy_Xe31sQGjBtUA@mail.gmail.com>
 <4e369643-c41c-c022-10a7-9ea21a198f90@evolveum.com>
 <CA+XZjGQY-xFXrwNy8mhtSXaiLhMyK+XVVygtQqcJWDFCXBPtEA@mail.gmail.com>
Message-ID: <e51dec22-251d-2eca-7b52-4bc948bca204@evolveum.com>

Hi Gus,

please create a new bug in jira and specify as much of the details as
possible.

Thanks,

Ivan

On 19. 6. 2020 17:41, Gus Lou wrote:
> Hi Ivan
>
> I think I have identified a possible bug. Whenever I configure
> something in Schema Handling in my CSV Resource, the option <tolerant>
> false </tolerant> returns in the XML configuration.
> In the Tolerant checkbox it remains unchecked.
>
> Regards
>
> Gus
>
> Em sex., 19 de jun. de 2020 às 09:44, Ivan Noris
> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> escreveu:
>
>     Hi Gus,
>
>     there is nothing to be ashamed. Trying midPoint and asking for
>     help is natural and if we can help you, it's good for all of us.
>
>     I was asking about wizard/tolerance because several people already
>     had this problem (including me) knowing that could lead to better
>     documentation, tooltips, wizard etc.
>
>     Best regards,
>
>     Ivan
>
>     On 19. 6. 2020 14:39, Gus Lou wrote:
>>     Hi Ivan
>>
>>     *Great news!!!*
>>
>>     I removed the <tolerant> false </tolerant> option from each field
>>     in Schema Handling and now the import and update of the data from
>>     the CSV file is going smoothly.
>>     I'm ashamed to have made that mistake. I wanted to follow the
>>     wizard to understand each step of the configuration and ended up
>>     making mistakes.
>>     Anyway thank you very much for the guidelines.
>>
>>     Best Regards
>>
>>     Gus
>>
>>     Em sex., 19 de jun. de 2020 às 05:37, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> escreveu:
>>
>>         Hi Gus,
>>
>>         please don't use <tolerant>false</tolerant>.
>>
>>         This means that midpoint does not tolerate values of the
>>         (resource) attribute other than given by midpoint.
>>
>>         But this is inbound connector, so midpoint does not put any
>>         values to the resource attribute at all.
>>
>>         That means, midpoint attempts to clear the values.
>>
>>         That's why tolerant set to false for inbound connectors is
>>         not useful.
>>
>>         This is not the first time I see this issue, so two questions:
>>
>>         1. are you using wizard? I assume yes
>>
>>         2. was the tolerant implicitly set to false by wizard or did
>>         you set that to false by yourself?
>>
>>         Thanks.
>>
>>         Best rehards,
>>
>>         Ivan
>>
>>         On 19. 6. 2020 3:42, Gus Lou wrote:
>>>         I'm doing a proof of concept with Midpoint 4.1
>>>         I configured a resource with a CSV connector (I tested
>>>         versions 2.3 and 2.4 of the connectors)
>>>         My CSV file has the following fields:
>>>         login (linked to midpoint field name)
>>>         func_num_cpf (linked to midpoint employeeNumber) it is
>>>         Unique attribute name
>>>
>>>         Whenever I add or modify a record in my csv file, I get the
>>>         following error when executing the task:
>>>
>>>         /*Value of attribute '_NAME_'must be a single value, but it
>>>         has nullvalues*/
>>>
>>>         I have already remade the settings, I searched the forum for
>>>         something similar, but I didn't find it. I know the error
>>>         message is very clear, but I don't know what else to do.
>>>         I attached my resource settings and csv file if anyone can
>>>         help. I appreciate any help
>>>
>>>         Best Regards
>>>         Gus
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>         -- 
>>         Ivan Noris
>>         Senior Identity Engineer
>>         evolveum.com <http://evolveum.com>
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     https://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>     Ivan Noris
>     Senior Identity Engineer
>     evolveum.com <http://evolveum.com>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/2fbf63b9/attachment.htm>

From ivan.noris at evolveum.com  Mon Jun 22 13:29:37 2020
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 22 Jun 2020 13:29:37 +0200
Subject: [midPoint] Recompute all users is not working for me
In-Reply-To: <CA+XZjGStBEHcxMdP31VTABja28_qJswh4py=QtE0T9mH+QM=bA@mail.gmail.com>
References: <CA+XZjGStBEHcxMdP31VTABja28_qJswh4py=QtE0T9mH+QM=bA@mail.gmail.com>
Message-ID: <8be8379c-9ae7-ac7a-aae1-ad5d6d30156a@evolveum.com>

Hi Gus,

I don't know if you are referring to a specific sample, e.g. for the
metarole.

Sharing it would be helpful.

So far my only idea is to check if the (2nd order) mapping for
association has strong strength.

Best regards,

Ivan

On 22. 6. 2020 1:18, Gus Lou wrote:
> Hi Guys
> I need the permissions of users assigned to a Role (Rbac role named
> "Sec - SOC") to be updated after adding a new group (gs_spo_sec_soc)
> to this Role.
> After adding the group to the role, I ran a recompute task, I expected
> the new group to be added to users but it didn't. If I add a new user
> to the role he receives all groups.
>
> Did I do something wrong, did any steps miss?
>
> I followed the instructions on the wiki:
> https://wiki.evolveum.com/display/midPoint/Recompute+Task
>
> And also in this thread:
> https://lists.evolveum.com/pipermail/midpoint/2014-November/000639.html
>
> *My Lab*
> 01 Midpoint 4.1
> 01 Active Directory (Connector Ldap / AD 3.0) Resource
> 01 Metarole: "Metarole for groups - AD" (inducement to Active
> Directory (LDAP) Resource
> 03 Groups (gs_snow_sec_soc, gs_jira_sec_soc, gs_spo_sec_soc) assigned
> to Metarole
> 01 Rbac Role "Sec - SOC" inducements (gs_snow_sec_soc,
> gs_jira_sec_soc, gs_spo_sec_soc)
>
>
> Best Regards
> Gus
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/370f4095/attachment.htm>

From gugalou38 at gmail.com  Mon Jun 22 14:49:43 2020
From: gugalou38 at gmail.com (Gus Lou)
Date: Mon, 22 Jun 2020 09:49:43 -0300
Subject: [midPoint] Value of attribute '_NAME_'must be a single value,
 but it has nullvalues
In-Reply-To: <e51dec22-251d-2eca-7b52-4bc948bca204@evolveum.com>
References: <CA+XZjGQoa4Fg+5iyOJDJmfB_rQh=wbR3v-jobrv8W2JOCiUoWQ@mail.gmail.com>
 <f100e2bd-04ba-bedd-23f6-d939d73ecb93@evolveum.com>
 <CA+XZjGS1R1WpVR_=0Fs+z3yGe+-_1U1T-PmEy_Xe31sQGjBtUA@mail.gmail.com>
 <4e369643-c41c-c022-10a7-9ea21a198f90@evolveum.com>
 <CA+XZjGQY-xFXrwNy8mhtSXaiLhMyK+XVVygtQqcJWDFCXBPtEA@mail.gmail.com>
 <e51dec22-251d-2eca-7b52-4bc948bca204@evolveum.com>
Message-ID: <CA+XZjGQvFhwGs_3L7NKOUd0CDszbs218BfgtePHJ1kdg2i8JvA@mail.gmail.com>

Hi Ivan

Ok Ivan I will do this.

Thanks

Gus

Em seg., 22 de jun. de 2020 às 04:16, Ivan Noris <ivan.noris at evolveum.com>
escreveu:

> Hi Gus,
>
> please create a new bug in jira and specify as much of the details as
> possible.
>
> Thanks,
>
> Ivan
> On 19. 6. 2020 17:41, Gus Lou wrote:
>
> Hi Ivan
>
> I think I have identified a possible bug. Whenever I configure something
> in Schema Handling in my CSV Resource, the option <tolerant> false
> </tolerant> returns in the XML configuration.
> In the Tolerant checkbox it remains unchecked.
>
> Regards
>
> Gus
>
> Em sex., 19 de jun. de 2020 às 09:44, Ivan Noris <ivan.noris at evolveum.com>
> escreveu:
>
>> Hi Gus,
>>
>> there is nothing to be ashamed. Trying midPoint and asking for help is
>> natural and if we can help you, it's good for all of us.
>>
>> I was asking about wizard/tolerance because several people already had
>> this problem (including me) knowing that could lead to better
>> documentation, tooltips, wizard etc.
>>
>> Best regards,
>>
>> Ivan
>> On 19. 6. 2020 14:39, Gus Lou wrote:
>>
>> Hi Ivan
>>
>> *Great news!!!*
>>
>> I removed the <tolerant> false </tolerant> option from each field in
>> Schema Handling and now the import and update of the data from the CSV file
>> is going smoothly.
>> I'm ashamed to have made that mistake. I wanted to follow the wizard to
>> understand each step of the configuration and ended up making mistakes.
>> Anyway thank you very much for the guidelines.
>>
>> Best Regards
>>
>> Gus
>>
>> Em sex., 19 de jun. de 2020 às 05:37, Ivan Noris <ivan.noris at evolveum.com>
>> escreveu:
>>
>>> Hi Gus,
>>>
>>> please don't use <tolerant>false</tolerant>.
>>>
>>> This means that midpoint does not tolerate values of the (resource)
>>> attribute other than given by midpoint.
>>>
>>> But this is inbound connector, so midpoint does not put any values to
>>> the resource attribute at all.
>>>
>>> That means, midpoint attempts to clear the values.
>>>
>>> That's why tolerant set to false for inbound connectors is not useful.
>>>
>>> This is not the first time I see this issue, so two questions:
>>>
>>> 1. are you using wizard? I assume yes
>>>
>>> 2. was the tolerant implicitly set to false by wizard or did you set
>>> that to false by yourself?
>>>
>>> Thanks.
>>>
>>> Best rehards,
>>>
>>> Ivan
>>> On 19. 6. 2020 3:42, Gus Lou wrote:
>>>
>>> I'm doing a proof of concept with Midpoint 4.1
>>> I configured a resource with a CSV connector (I tested versions 2.3 and
>>> 2.4 of the connectors)
>>> My CSV file has the following fields:
>>> login (linked to midpoint field name)
>>> func_num_cpf (linked to midpoint employeeNumber) it is Unique attribute
>>> name
>>>
>>> Whenever I add or modify a record in my csv file, I get the following
>>> error when executing the task:
>>>
>>> *Value of attribute '_NAME_'must be a single value, but it has
>>> nullvalues*
>>>
>>> I have already remade the settings, I searched the forum for something
>>> similar, but I didn't find it. I know the error message is very clear,
>>> but I don't know what else to do.
>>> I attached my resource settings and csv file if anyone can help. I
>>> appreciate any help
>>>
>>> Best Regards
>>> Gus
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>> --
>>> Ivan Noris
>>> Senior Identity Engineerevolveum.com
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ivan Noris
>> Senior Identity Engineerevolveum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/6e2697ae/attachment.htm>

From gugalou38 at gmail.com  Mon Jun 22 19:12:09 2020
From: gugalou38 at gmail.com (Gus Lou)
Date: Mon, 22 Jun 2020 14:12:09 -0300
Subject: [midPoint] Recompute all users is not working for me
In-Reply-To: <CA+XZjGRE_3B_kGg-xyXNHUw=_RfX5bWfguf0Q7ShAx1irwnU3w@mail.gmail.com>
References: <CA+XZjGStBEHcxMdP31VTABja28_qJswh4py=QtE0T9mH+QM=bA@mail.gmail.com>
 <8be8379c-9ae7-ac7a-aae1-ad5d6d30156a@evolveum.com>
 <CA+XZjGRE_3B_kGg-xyXNHUw=_RfX5bWfguf0Q7ShAx1irwnU3w@mail.gmail.com>
Message-ID: <CA+XZjGQA-Po4-w+QB8eLUFRm4QPkJMfUBh6onqp+SsejmyrpBw@mail.gmail.com>

Hi Guys

I tried to perform a reconciliation task instead of recompute.
Users were assigned to the new group inserted in the role rbac, but the
task had several errors.
Analyzing the midpoint logs I detected the following:

020-06-22 13:53:08,868 [SYNCHRONIZATION_SERVICE]
[midPointScheduler_Worker-6] ERROR
(com.evolveum.midpoint.model.impl.sync.SynchronizationServiceImpl):
SYNCHRONIZATION: Error in synchronization on
resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa Active Directory
(LDAP)) for situation LINKED: SchemaException: Expected to find 'UserType'
but found 'RoleType'
(role:9d22cbe8-c67f-4248-9c21-26aa7ce2215f(gs_jira_sec_soc)). Bad OID in a
reference?. Change was
ResourceObjectShadowChangeDescription(objectDelta=null,
currentShadow=shadow:7bdf855b-b748-4b94-9a23-037f32021005(CN=gs_jira_sec_soc,OU=Usuarios,DC=xyz,DC=net),
oldShadow=null, sourceChannel=
http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation,
resource=resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa Active
Directory (LDAP)))
com.evolveum.midpoint.util.exception.SchemaException: Expected to find
'UserType' but found 'RoleType'
(role:9d22cbe8-c67f-4248-9c21-26aa7ce2215f(gs_jira_sec_soc)). Bad OID in a
reference?

Regards

Gus

Em seg., 22 de jun. de 2020 às 11:02, Gus Lou <gugalou38 at gmail.com>
escreveu:

> Hi Ivan
>
> I've attached my configs:
> Resource: AD Resource
> Role: Rbac Role - SOC - Sec
> Role: Metarole AD Group
> Role: gs_snow_sec_soc
> Role: gs_jira_sec_soc
> Role: gs_spo_sec_soc
>
> I checked the mapping and there is only one field like strong in my
> Resource - AD:
> <attribute id="18">
>                 <c:ref xmlns:ri="
> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3
> ">ri:description</c:ref>
>                 <outbound>
>                     <strength>strong</strength>
>                     <source>
>                         <c:path>description</c:path>
>                     </source>
>                 </outbound>
>                 <inbound id="20">
>                     <target>
>                         <c:path>description</c:path>
>                     </target>
>                 </inbound>
>             </attribute>
>
> Best Regards
>
> Gus
>
>
> Em seg., 22 de jun. de 2020 às 08:29, Ivan Noris <ivan.noris at evolveum.com>
> escreveu:
>
>> Hi Gus,
>>
>> I don't know if you are referring to a specific sample, e.g. for the
>> metarole.
>>
>> Sharing it would be helpful.
>>
>> So far my only idea is to check if the (2nd order) mapping for
>> association has strong strength.
>>
>> Best regards,
>>
>> Ivan
>> On 22. 6. 2020 1:18, Gus Lou wrote:
>>
>> Hi Guys
>> I need the permissions of users assigned to a Role (Rbac role named "Sec
>> - SOC") to be updated after adding a new group (gs_spo_sec_soc) to this
>> Role.
>> After adding the group to the role, I ran a recompute task, I expected
>> the new group to be added to users but it didn't. If I add a new user to
>> the role he receives all groups.
>>
>> Did I do something wrong, did any steps miss?
>>
>> I followed the instructions on the wiki:
>> https://wiki.evolveum.com/display/midPoint/Recompute+Task
>>
>> And also in this thread:
>> https://lists.evolveum.com/pipermail/midpoint/2014-November/000639.html
>>
>> *My Lab*
>> 01 Midpoint 4.1
>> 01 Active Directory (Connector Ldap / AD 3.0) Resource
>> 01 Metarole: "Metarole for groups - AD" (inducement to Active Directory
>> (LDAP) Resource
>> 03 Groups (gs_snow_sec_soc, gs_jira_sec_soc, gs_spo_sec_soc) assigned to
>> Metarole
>> 01 Rbac Role "Sec - SOC" inducements (gs_snow_sec_soc, gs_jira_sec_soc,
>> gs_spo_sec_soc)
>>
>>
>> Best Regards
>> Gus
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ivan Noris
>> Senior Identity Engineerevolveum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/1a1946b2/attachment.htm>

From gugalou38 at gmail.com  Mon Jun 22 19:39:32 2020
From: gugalou38 at gmail.com (Gus Lou)
Date: Mon, 22 Jun 2020 14:39:32 -0300
Subject: [midPoint] Recompute all users is not working for me
In-Reply-To: <CA+XZjGQA-Po4-w+QB8eLUFRm4QPkJMfUBh6onqp+SsejmyrpBw@mail.gmail.com>
References: <CA+XZjGStBEHcxMdP31VTABja28_qJswh4py=QtE0T9mH+QM=bA@mail.gmail.com>
 <8be8379c-9ae7-ac7a-aae1-ad5d6d30156a@evolveum.com>
 <CA+XZjGRE_3B_kGg-xyXNHUw=_RfX5bWfguf0Q7ShAx1irwnU3w@mail.gmail.com>
 <CA+XZjGQA-Po4-w+QB8eLUFRm4QPkJMfUBh6onqp+SsejmyrpBw@mail.gmail.com>
Message-ID: <CA+XZjGTdWLpcosNzCr4ehuRggmE7i7pLxyBLjqK6HVv-_8HMOA@mail.gmail.com>

Sorry Guys, my mistake
My Recon Task was config with ri:group rather than ri:user

Still unable to recompute

Regards

Gus

Em seg., 22 de jun. de 2020 às 14:12, Gus Lou <gugalou38 at gmail.com>
escreveu:

> Hi Guys
>
> I tried to perform a reconciliation task instead of recompute.
> Users were assigned to the new group inserted in the role rbac, but the
> task had several errors.
> Analyzing the midpoint logs I detected the following:
>
> 020-06-22 13:53:08,868 [SYNCHRONIZATION_SERVICE]
> [midPointScheduler_Worker-6] ERROR
> (com.evolveum.midpoint.model.impl.sync.SynchronizationServiceImpl):
> SYNCHRONIZATION: Error in synchronization on
> resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa Active Directory
> (LDAP)) for situation LINKED: SchemaException: Expected to find 'UserType'
> but found 'RoleType'
> (role:9d22cbe8-c67f-4248-9c21-26aa7ce2215f(gs_jira_sec_soc)). Bad OID in a
> reference?. Change was
> ResourceObjectShadowChangeDescription(objectDelta=null,
> currentShadow=shadow:7bdf855b-b748-4b94-9a23-037f32021005(CN=gs_jira_sec_soc,OU=Usuarios,DC=xyz,DC=net),
> oldShadow=null, sourceChannel=
> http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#reconciliation,
> resource=resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(Medusa Active
> Directory (LDAP)))
> com.evolveum.midpoint.util.exception.SchemaException: Expected to find
> 'UserType' but found 'RoleType'
> (role:9d22cbe8-c67f-4248-9c21-26aa7ce2215f(gs_jira_sec_soc)). Bad OID in a
> reference?
>
> Regards
>
> Gus
>
> Em seg., 22 de jun. de 2020 às 11:02, Gus Lou <gugalou38 at gmail.com>
> escreveu:
>
>> Hi Ivan
>>
>> I've attached my configs:
>> Resource: AD Resource
>> Role: Rbac Role - SOC - Sec
>> Role: Metarole AD Group
>> Role: gs_snow_sec_soc
>> Role: gs_jira_sec_soc
>> Role: gs_spo_sec_soc
>>
>> I checked the mapping and there is only one field like strong in my
>> Resource - AD:
>> <attribute id="18">
>>                 <c:ref xmlns:ri="
>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3
>> ">ri:description</c:ref>
>>                 <outbound>
>>                     <strength>strong</strength>
>>                     <source>
>>                         <c:path>description</c:path>
>>                     </source>
>>                 </outbound>
>>                 <inbound id="20">
>>                     <target>
>>                         <c:path>description</c:path>
>>                     </target>
>>                 </inbound>
>>             </attribute>
>>
>> Best Regards
>>
>> Gus
>>
>>
>> Em seg., 22 de jun. de 2020 às 08:29, Ivan Noris <ivan.noris at evolveum.com>
>> escreveu:
>>
>>> Hi Gus,
>>>
>>> I don't know if you are referring to a specific sample, e.g. for the
>>> metarole.
>>>
>>> Sharing it would be helpful.
>>>
>>> So far my only idea is to check if the (2nd order) mapping for
>>> association has strong strength.
>>>
>>> Best regards,
>>>
>>> Ivan
>>> On 22. 6. 2020 1:18, Gus Lou wrote:
>>>
>>> Hi Guys
>>> I need the permissions of users assigned to a Role (Rbac role named "Sec
>>> - SOC") to be updated after adding a new group (gs_spo_sec_soc) to this
>>> Role.
>>> After adding the group to the role, I ran a recompute task, I expected
>>> the new group to be added to users but it didn't. If I add a new user to
>>> the role he receives all groups.
>>>
>>> Did I do something wrong, did any steps miss?
>>>
>>> I followed the instructions on the wiki:
>>> https://wiki.evolveum.com/display/midPoint/Recompute+Task
>>>
>>> And also in this thread:
>>> https://lists.evolveum.com/pipermail/midpoint/2014-November/000639.html
>>>
>>> *My Lab*
>>> 01 Midpoint 4.1
>>> 01 Active Directory (Connector Ldap / AD 3.0) Resource
>>> 01 Metarole: "Metarole for groups - AD" (inducement to Active Directory
>>> (LDAP) Resource
>>> 03 Groups (gs_snow_sec_soc, gs_jira_sec_soc, gs_spo_sec_soc) assigned to
>>> Metarole
>>> 01 Rbac Role "Sec - SOC" inducements (gs_snow_sec_soc, gs_jira_sec_soc,
>>> gs_spo_sec_soc)
>>>
>>>
>>> Best Regards
>>> Gus
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>> --
>>> Ivan Noris
>>> Senior Identity Engineerevolveum.com
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/e6dec67d/attachment.htm>

From jmartinez at identicum.com  Mon Jun 22 21:15:24 2020
From: jmartinez at identicum.com (Javier Martinez)
Date: Mon, 22 Jun 2020 16:15:24 -0300
Subject: [midPoint] Issue with inbound mapping from singled-valued to
 multi-valued attribute
In-Reply-To: <1592582475117.64953@senado.leg.br>
References: <CAFFw27cT8Vh-t760tR37jhj-6VDqkmWXk=hebsy3u8riUEHZKw@mail.gmail.com>
 <1592582475117.64953@senado.leg.br>
Message-ID: <CAFFw27dt+XA-8CPjYQ=NEFKXooRDpDLA9+RTOqgMVY-OEc6RJg@mail.gmail.com>

Hi,
I added the the range as mentioned above:
*<set>*
*     <predefined>all</predefined>*
*</set>*

and it's working correctly, it now replaces the previous value instead of
adding a new one.

Thank you!
Regards

On Fri, Jun 19, 2020 at 1:01 PM Paulo Fernandes de Souza Junior <
PFSJ at senado.leg.br> wrote:

> Hi,
>
>
> Take a look at
> https://wiki.evolveum.com/display/midPoint/Inbound+Mapping#InboundMapping-RangeOfInboundMappings
> ​
>
>
> *Paulo Fernandes de Souza Júnior*
>
> *NQPPPS *Senado Federal - PRODASEN
> Fone: 61 3303.3924
>
>
> ------------------------------
> *De:* midPoint <midpoint-bounces at lists.evolveum.com> em nome de Javier
> Martinez <jmartinez at identicum.com>
> *Enviado:* quarta-feira, 17 de junho de 2020 11:23
> *Para:* midPoint General Discussion
> *Assunto:* [midPoint] Issue with inbound mapping from singled-valued to
> multi-valued attribute
>
> Hi,
> We are having an issue when having an inbound mapping from a single-valued
> attribute to a multi-valued attribute. When modifying the value from the
> resource, instead of replacing the value, it is adding new values to the
> attribute in midPoint. Tested with attributes "organization" and
> "subtype".
> Working OK in midpoint 3.9, but failing with midpoint 4.0.1 and above.
> Is there any way to keep this issue from happening?
> Regards
> --
> Javier Martínez
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>


-- 
Javier Martínez
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/ba89275d/attachment.htm>

From jeverling at bshp.edu  Mon Jun 22 22:02:18 2020
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 22 Jun 2020 15:02:18 -0500
Subject: [midPoint] Issue with inbound mapping from singled-valued to
 multi-valued attribute
In-Reply-To: <CAFFw27dt+XA-8CPjYQ=NEFKXooRDpDLA9+RTOqgMVY-OEc6RJg@mail.gmail.com>
References: <CAFFw27cT8Vh-t760tR37jhj-6VDqkmWXk=hebsy3u8riUEHZKw@mail.gmail.com>
 <1592582475117.64953@senado.leg.br>,
 <CAFFw27dt+XA-8CPjYQ=NEFKXooRDpDLA9+RTOqgMVY-OEc6RJg@mail.gmail.com>
Message-ID: <2CB300A6-90BB-4383-9B68-7C98E4AAAA58@hxcore.ol>

An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/09dbc624/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 72D57AF3B91E4C6BBA29FA1EF5F12B90.png
Type: image/png
Size: 144 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/09dbc624/attachment.png>

From gugalou38 at gmail.com  Mon Jun 22 16:02:33 2020
From: gugalou38 at gmail.com (Gus Lou)
Date: Mon, 22 Jun 2020 11:02:33 -0300
Subject: [midPoint] Recompute all users is not working for me
In-Reply-To: <8be8379c-9ae7-ac7a-aae1-ad5d6d30156a@evolveum.com>
References: <CA+XZjGStBEHcxMdP31VTABja28_qJswh4py=QtE0T9mH+QM=bA@mail.gmail.com>
 <8be8379c-9ae7-ac7a-aae1-ad5d6d30156a@evolveum.com>
Message-ID: <CA+XZjGRE_3B_kGg-xyXNHUw=_RfX5bWfguf0Q7ShAx1irwnU3w@mail.gmail.com>

Hi Ivan

I've attached my configs:
Resource: AD Resource
Role: Rbac Role - SOC - Sec
Role: Metarole AD Group
Role: gs_snow_sec_soc
Role: gs_jira_sec_soc
Role: gs_spo_sec_soc

I checked the mapping and there is only one field like strong in my
Resource - AD:
<attribute id="18">
                <c:ref xmlns:ri="
http://midpoint.evolveum.com/xml/ns/public/resource/instance-3
">ri:description</c:ref>
                <outbound>
                    <strength>strong</strength>
                    <source>
                        <c:path>description</c:path>
                    </source>
                </outbound>
                <inbound id="20">
                    <target>
                        <c:path>description</c:path>
                    </target>
                </inbound>
            </attribute>

Best Regards

Gus


Em seg., 22 de jun. de 2020 às 08:29, Ivan Noris <ivan.noris at evolveum.com>
escreveu:

> Hi Gus,
>
> I don't know if you are referring to a specific sample, e.g. for the
> metarole.
>
> Sharing it would be helpful.
>
> So far my only idea is to check if the (2nd order) mapping for association
> has strong strength.
>
> Best regards,
>
> Ivan
> On 22. 6. 2020 1:18, Gus Lou wrote:
>
> Hi Guys
> I need the permissions of users assigned to a Role (Rbac role named "Sec -
> SOC") to be updated after adding a new group (gs_spo_sec_soc) to this Role.
> After adding the group to the role, I ran a recompute task, I expected the
> new group to be added to users but it didn't. If I add a new user to the
> role he receives all groups.
>
> Did I do something wrong, did any steps miss?
>
> I followed the instructions on the wiki:
> https://wiki.evolveum.com/display/midPoint/Recompute+Task
>
> And also in this thread:
> https://lists.evolveum.com/pipermail/midpoint/2014-November/000639.html
>
> *My Lab*
> 01 Midpoint 4.1
> 01 Active Directory (Connector Ldap / AD 3.0) Resource
> 01 Metarole: "Metarole for groups - AD" (inducement to Active Directory
> (LDAP) Resource
> 03 Groups (gs_snow_sec_soc, gs_jira_sec_soc, gs_spo_sec_soc) assigned to
> Metarole
> 01 Rbac Role "Sec - SOC" inducements (gs_snow_sec_soc, gs_jira_sec_soc,
> gs_spo_sec_soc)
>
>
> Best Regards
> Gus
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/46aeb35b/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RoleType_2020_06_22_10_22_50 - gs_spo_sec_soc.xml
Type: text/xml
Size: 5611 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/46aeb35b/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RoleType_2020_06_22_10_15_21 - Rbac SOC - Sec.xml
Type: text/xml
Size: 6712 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/46aeb35b/attachment-0001.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RoleType_2020_06_22_09_55_3 - Metarole - AD Groups.xml
Type: text/xml
Size: 4345 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/46aeb35b/attachment-0002.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RoleType_2020_06_22_10_18_14 - gs_snow_sec_soc.xml
Type: text/xml
Size: 5388 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/46aeb35b/attachment-0003.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RoleType_2020_06_22_10_17_34 - gs_jira_sec_soc.xml
Type: text/xml
Size: 5388 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/46aeb35b/attachment-0004.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ResourceType_2020_06_22_09_51_28 - Active Directory.xml
Type: text/xml
Size: 384150 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200622/46aeb35b/attachment-0005.xml>

From jmartinez at identicum.com  Wed Jun 24 18:58:14 2020
From: jmartinez at identicum.com (Javier Martinez)
Date: Wed, 24 Jun 2020 13:58:14 -0300
Subject: [midPoint] Issue with inbound mapping from singled-valued to
 multi-valued attribute
In-Reply-To: <2CB300A6-90BB-4383-9B68-7C98E4AAAA58@hxcore.ol>
References: <CAFFw27cT8Vh-t760tR37jhj-6VDqkmWXk=hebsy3u8riUEHZKw@mail.gmail.com>
 <1592582475117.64953@senado.leg.br>
 <CAFFw27dt+XA-8CPjYQ=NEFKXooRDpDLA9+RTOqgMVY-OEc6RJg@mail.gmail.com>
 <2CB300A6-90BB-4383-9B68-7C98E4AAAA58@hxcore.ol>
Message-ID: <CAFFw27cfbCpteWUT2c_Op3MNNaDx1XJ=im5eeRo626QNgLOtHg@mail.gmail.com>

Hi Jason,
Thank you very much for your answer, we tried with this approach and when
we tried to change the value of a user, we got the error "Expected one
value for attribute organization, got 2".

It worked with the solution given by Ivan.

Regards!



On Mon, Jun 22, 2020 at 5:02 PM Jason Everling <jeverling at bshp.edu> wrote:

> You can also remove the multi-value capability from the gui using the
> default user template, it just prevents some user from adding an additional
> value if you really want it to be single-valued only
>
>
>
>     <item>
>
>         <c:ref>c:organization</c:ref>
>
>         <limitations>
>
>             <layer>presentation</layer>
>
>             <minOccurs>0</minOccurs>
>
>             <maxOccurs>1</maxOccurs>
>
>         </limitations>
>
>     </item>
>
>
>
> *From: *Javier Martinez <jmartinez at identicum.com>
> *Sent: *Monday, June 22, 2020 2:16 PM
> *To: *midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject: *Re: [midPoint] Issue with inbound mapping from singled-valued
> to multi-valued attribute
>
>
>
> Hi,
>
> I added the the range as mentioned above:
>
>
> *<set>     <predefined>all</predefined>*
>
> *</set>*
>
>
>
> and it's working correctly, it now replaces the previous value instead of
> adding a new one.
>
>
>
> Thank you!
>
> Regards
>
>
>
> On Fri, Jun 19, 2020 at 1:01 PM Paulo Fernandes de Souza Junior <
> PFSJ at senado.leg.br> wrote:
>
> Hi,
>
>
>
> Take a look at
> https://wiki.evolveum.com/display/midPoint/Inbound+Mapping#InboundMapping-RangeOfInboundMappings
> ​
>
>
>
> *Paulo Fernandes de Souza Júnior*
>
> *NQPPPS*Senado Federal - PRODASEN
> Fone: 61 3303.3924
>
>
>
> *De:* midPoint <midpoint-bounces at lists.evolveum.com> em nome de Javier
> Martinez <jmartinez at identicum.com>
> *Enviado:* quarta-feira, 17 de junho de 2020 11:23
> *Para:* midPoint General Discussion
> *Assunto:* [midPoint] Issue with inbound mapping from singled-valued to
> multi-valued attribute
>
>
>
> Hi,
>
> We are having an issue when having an inbound mapping from a single-valued
> attribute to a multi-valued attribute. When modifying the value from the
> resource, instead of replacing the value, it is adding new values to the
> attribute in midPoint. Tested with attributes "organization" and "subtype".
>
> Working OK in midpoint 3.9, but failing with midpoint 4.0.1 and above.
>
> Is there any way to keep this issue from happening?
>
> Regards
>
> --
>
> Javier Martínez
>
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> --
>
> Javier Martínez
>
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>


-- 
Javier Martínez
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200624/0dcf863d/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 72D57AF3B91E4C6BBA29FA1EF5F12B90.png
Type: image/png
Size: 144 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200624/0dcf863d/attachment.png>

From jeverling at bshp.edu  Wed Jun 24 19:02:30 2020
From: jeverling at bshp.edu (Jason Everling)
Date: Wed, 24 Jun 2020 12:02:30 -0500
Subject: [midPoint] Issue with inbound mapping from singled-valued to
 multi-valued attribute
In-Reply-To: <CAFFw27cfbCpteWUT2c_Op3MNNaDx1XJ=im5eeRo626QNgLOtHg@mail.gmail.com>
References: <CAFFw27cT8Vh-t760tR37jhj-6VDqkmWXk=hebsy3u8riUEHZKw@mail.gmail.com>
 <1592582475117.64953@senado.leg.br>
 <CAFFw27dt+XA-8CPjYQ=NEFKXooRDpDLA9+RTOqgMVY-OEc6RJg@mail.gmail.com>
 <2CB300A6-90BB-4383-9B68-7C98E4AAAA58@hxcore.ol>,
 <CAFFw27cfbCpteWUT2c_Op3MNNaDx1XJ=im5eeRo626QNgLOtHg@mail.gmail.com>
Message-ID: <D2EFE676-325D-41A0-A764-BA80BC62F85F@hxcore.ol>

An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200624/926ab8e0/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 72D57AF3B91E4C6BBA29FA1EF5F12B90.png
Type: image/png
Size: 144 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200624/926ab8e0/attachment.png>

From atdhe.musliu at zhdk.ch  Thu Jun 25 10:28:29 2020
From: atdhe.musliu at zhdk.ch (Musliu Atdhe)
Date: Thu, 25 Jun 2020 08:28:29 +0000
Subject: [midPoint] Issue with inbound mapping from singled-valued to
 multi-valued attribute
In-Reply-To: <D2EFE676-325D-41A0-A764-BA80BC62F85F@hxcore.ol>
References: <CAFFw27cT8Vh-t760tR37jhj-6VDqkmWXk=hebsy3u8riUEHZKw@mail.gmail.com>
 <1592582475117.64953@senado.leg.br>
 <CAFFw27dt+XA-8CPjYQ=NEFKXooRDpDLA9+RTOqgMVY-OEc6RJg@mail.gmail.com>
 <2CB300A6-90BB-4383-9B68-7C98E4AAAA58@hxcore.ol>,
 <CAFFw27cfbCpteWUT2c_Op3MNNaDx1XJ=im5eeRo626QNgLOtHg@mail.gmail.com>
 <D2EFE676-325D-41A0-A764-BA80BC62F85F@hxcore.ol>
Message-ID: <6fc5b57c104c4668b4f1602717e7780a@zhdk.ch>

Hi, Have you tried to change the Layer to ‘model’ or ‘schema’ ?
I would try to change it to ‘model’ and then test it again.

https://wiki.evolveum.com/display/midPoint/User+Interface+Form+Fields :

‘Model layer means application of schema constraints inside the IDM Model Subsystem<https://wiki.evolveum.com/display/midPoint/IDM+Model+Subsystem>. This is the value that the midPoint identity management logic will be using. It will be used by mappings and similar mechanisms.
E.g. LDAP attributes uid, cn, sn are formally multi-valued in the LDAP schema. But vast majority of systems are using them as single-valued attributes. Setting multiple values for these attributes can easily ruin interoperability. Therefore these attributes can be defined as single valued (maxOccurs=1) in the model layer. Then any mapping that produces multiple values for these attributes will fail which makes the diagnostics and troubleshooting much easier.
‘

Best Regards
Atdhe
—
—
Zürcher Hochschule der Künste
Zurich University of the Arts
—
Atdhe Musliu
Mitarbeiter Informationstechnologie-Zentrum
——
www.zhdk.ch<http://www.zhdk.ch>
http://www.zhdk.ch/?itz

Von: midPoint <midpoint-bounces at lists.evolveum.com> Im Auftrag von Jason Everling
Gesendet: Wednesday, 24 June 2020 19:03
An: midPoint General Discussion <midpoint at lists.evolveum.com>
Betreff: Re: [midPoint] Issue with inbound mapping from singled-valued to multi-valued attribute

Yes, it doesn’t fix the inbound stuff, it is merely a fix to prevent an end user from adding multiple values

From: Javier Martinez<mailto:jmartinez at identicum.com>
Sent: Wednesday, June 24, 2020 11:58 AM
To: midPoint General Discussion<mailto:midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Issue with inbound mapping from singled-valued to multi-valued attribute

Hi Jason,
Thank you very much for your answer, we tried with this approach and when we tried to change the value of a user, we got the error "Expected one value for attribute organization, got 2".

It worked with the solution given by Ivan.

Regards!



On Mon, Jun 22, 2020 at 5:02 PM Jason Everling <jeverling at bshp.edu<mailto:jeverling at bshp.edu>> wrote:
You can also remove the multi-value capability from the gui using the default user template, it just prevents some user from adding an additional value if you really want it to be single-valued only

    <item>
        <c:ref>c:organization</c:ref>
        <limitations>
            <layer>presentation</layer>
            <minOccurs>0</minOccurs>
            <maxOccurs>1</maxOccurs>
        </limitations>
    </item>

From: Javier Martinez<mailto:jmartinez at identicum.com>
Sent: Monday, June 22, 2020 2:16 PM
To: midPoint General Discussion<mailto:midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Issue with inbound mapping from singled-valued to multi-valued attribute

Hi,
I added the the range as mentioned above:
<set>
     <predefined>all</predefined>
</set>

and it's working correctly, it now replaces the previous value instead of adding a new one.

Thank you!
Regards

On Fri, Jun 19, 2020 at 1:01 PM Paulo Fernandes de Souza Junior <PFSJ at senado.leg.br<mailto:PFSJ at senado.leg.br>> wrote:

Hi,



Take a look at https://wiki.evolveum.com/display/midPoint/Inbound+Mapping#InboundMapping-RangeOfInboundMappings​


Paulo Fernandes de Souza Júnior
NQPPPS
Senado Federal - PRODASEN
Fone: 61 3303.3924


De: midPoint <midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>> em nome de Javier Martinez <jmartinez at identicum.com<mailto:jmartinez at identicum.com>>
Enviado: quarta-feira, 17 de junho de 2020 11:23
Para: midPoint General Discussion
Assunto: [midPoint] Issue with inbound mapping from singled-valued to multi-valued attribute

Hi,
We are having an issue when having an inbound mapping from a single-valued attribute to a multi-valued attribute. When modifying the value from the resource, instead of replacing the value, it is adding new values to the attribute in midPoint. Tested with attributes "organization" and "subtype".
Working OK in midpoint 3.9, but failing with midpoint 4.0.1 and above.
Is there any way to keep this issue from happening?
Regards
--
Javier Martínez
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com<http://www.identicum.com/>

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
https://lists.evolveum.com/mailman/listinfo/midpoint


--
Javier Martínez
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com<http://www.identicum.com/>


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
https://lists.evolveum.com/mailman/listinfo/midpoint


--
Javier Martínez
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com<http://www.identicum.com/>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200625/a63ec9e8/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 144 bytes
Desc: image001.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200625/a63ec9e8/attachment.png>

From radovan.semancik at evolveum.com  Thu Jun 25 14:58:13 2020
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 25 Jun 2020 14:58:13 +0200
Subject: [midPoint] Blog: SCIM in 2020
Message-ID: <58065c2d-617b-8e54-e40f-5d84cfd3e674@evolveum.com>

Dear midPoint community,

System for Cross-domain Identity Management (SCIM) is a specification 
for universal identity provisioning interface. Universal interfaces are, 
generally speaking, a good idea. However, I am quite skeptical about 
SCIM. Identity management interfaces may seem to be dead simple, yet 
they are notoriously hard to get right. Did SCIM get it right?

Identity management is all about creating accounts, isn’t it? All we 
need is to agree whether the right name for the attribute is username or 
login. Mix in some schema extension capabilities, wrap it all in a nice 
REST API and we are done. How hard can that be?

Turns out it is /much/ harder than it seems. It is “we cannot get this 
right for almost 20 years” hard. The reasons for this are subtle and 
counter-intuitive. This is far beyond what can fit into a blog post. 
Therefore I have written it down in a longer article:

SCIM Troubles 
<https://docs.evolveum.com/midpoint/devel/design/scim-troubles/> at 
https://docs.evolveum.com/midpoint/devel/design/scim-troubles/.

I have been in identity management since early 2000s. I have seen DSML, 
SPML1 and SPML2 that reinvented the LDAP wheel in XML. I have seen SCIM1 
that reinvented the SPML wheel in JSON. Now we have SCIM2 and there are 
talks about SCIM3. I would like to say that now I have seen everything. 
But I’m quite sure that I haven’t. SCIM hype is rising and I’m afraid 
that there is more to come. However, there is still a chance that I’m 
wrong about SCIM. There is a chance that my past experiences influenced 
my judgement about current developments. If that is the case then please 
let me know where I’m wrong. I will try to re-consider my position.

Coincidentally, the moment as I was writing the SCIM article, I received 
news that there may be a contribution of SCIM gateway for midPoint quite 
soon. Even though I’m not exactly over-excited about SCIM, I’m quite 
happy about such contribution. I will let you know when it is published. 
This is going to be a very interesting experiment. We will see how SCIM 
really works with midPoint. Because it is engineering reality that 
matters, not some talks or blog posts. If there is enough interest in 
that SCIM gateway, we will even consider adopting it as midPoint core 
component. Let the community decide!

(Reposted from Evolveum blog <https://evolveum.com/scim-in-2020/>)

-- 
Radovan Semancik
Software Architect
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200625/fdc403f7/attachment.htm>

From Konstantin.Tikhonov at veeam.com  Fri Jun 26 03:12:33 2020
From: Konstantin.Tikhonov at veeam.com (Konstantin Tikhonov)
Date: Fri, 26 Jun 2020 01:12:33 +0000
Subject: [midPoint] A problem with synchronization
Message-ID: <CY4PR14MB1238D8A2B14F011DEC38BFE6F6930@CY4PR14MB1238.namprd14.prod.outlook.com>

Hello Colleagues.

I have a strange problem with synchronization.

I configured CSV resource (XML attached) and it works good. But when I delete account in the CSV file midPoint shows that it's absent in the Resource tab but still present and even LINKED in the Repository one (screenshots 1, 2 also attached). I run synchronization many times but it doesn't help.

And one more strange thing - if I click to the deleted account in Repository tab it opens with Username field filled only (screenshot 3) and after that in the Repository tab it gets marked DELETED and with Dead Shadow (screenshot 4) as it should be.

Could you please help to fix this issue?

Thank you in advance.

--
Best Regards,

Konstantin


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/97c34681/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ExportedData_ResourceType_2020_06_26_03_55_13.xml
Type: application/xml
Size: 16835 bytes
Desc: ExportedData_ResourceType_2020_06_26_03_55_13.xml
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/97c34681/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20200626_midPoint, Problem with sync 1.png
Type: image/png
Size: 64021 bytes
Desc: 20200626_midPoint, Problem with sync 1.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/97c34681/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20200626_midPoint, Problem with sync 2.png
Type: image/png
Size: 68669 bytes
Desc: 20200626_midPoint, Problem with sync 2.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/97c34681/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20200626_midPoint, Problem with sync 3.png
Type: image/png
Size: 25650 bytes
Desc: 20200626_midPoint, Problem with sync 3.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/97c34681/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20200626_midPoint, Problem with sync 4.png
Type: image/png
Size: 67394 bytes
Desc: 20200626_midPoint, Problem with sync 4.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/97c34681/attachment-0003.png>

From ivan.noris at evolveum.com  Fri Jun 26 08:14:06 2020
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 26 Jun 2020 08:14:06 +0200
Subject: [midPoint] A problem with synchronization
In-Reply-To: <CY4PR14MB1238D8A2B14F011DEC38BFE6F6930@CY4PR14MB1238.namprd14.prod.outlook.com>
References: <CY4PR14MB1238D8A2B14F011DEC38BFE6F6930@CY4PR14MB1238.namprd14.prod.outlook.com>
Message-ID: <3c9349ff-dd0d-2868-2f85-843177f95cc0@evolveum.com>

Hi Konstantin,

you may want to apply the fragment from
https://jira.evolveum.com/browse/MID-5452

I remember I had some hard time with that, but as seen in the JIRA
comments, during some time period it also worked without that workaround.

Unfortunately I can't point you to a documentation in this case. But the
deadShadowRetentionPeriod should help you in this particular case.

Best regards,

Ivan

On 26. 6. 2020 3:12, Konstantin Tikhonov wrote:
>
> Hello Colleagues.
>
>  
>
> I have a strange problem with synchronization.
>
>  
>
> I configured CSV resource (XML attached) and it works good. But when I
> delete account in the CSV file midPoint shows that it’s absent in the
> Resource tab but still present and even LINKED in the Repository one
> (screenshots 1, 2 also attached). I run synchronization many times but
> it doesn’t help.
>
>  
>
> And one more strange thing – if I click to the deleted account in
> Repository tab it opens with Username field filled only (screenshot 3)
> and after that in the Repository tab it gets marked DELETED and with
> Dead Shadow (screenshot 4) as it should be.
>
>  
>
> Could you please help to fix this issue?
>
>  
>
> Thank you in advance.
>
>  
>
> *--*
>
> Best Regards,
>
> * *
>
> *Konstantin *
>
>  
>
>  
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/a5587a03/attachment.htm>

From Konstantin.Tikhonov at veeam.com  Fri Jun 26 13:06:46 2020
From: Konstantin.Tikhonov at veeam.com (Konstantin Tikhonov)
Date: Fri, 26 Jun 2020 11:06:46 +0000
Subject: [midPoint] A problem with synchronization
In-Reply-To: <3c9349ff-dd0d-2868-2f85-843177f95cc0@evolveum.com>
References: <CY4PR14MB1238D8A2B14F011DEC38BFE6F6930@CY4PR14MB1238.namprd14.prod.outlook.com>
 <3c9349ff-dd0d-2868-2f85-843177f95cc0@evolveum.com>
Message-ID: <CY4PR14MB1238E1F14B43AA58DED06403F6930@CY4PR14MB1238.namprd14.prod.outlook.com>

Hi Ivan.

Thank you for your response.

I added the section:

    <consistency>
        <deadShadowRetentionPeriod>PT0H</deadShadowRetentionPeriod>
    </consistency>

to the CSV resource but unfortunately it didn’t fix synchronization. Synchronization doesn’t mark an account as deleted, it remains LINKED. But when I clicked to the account (perhaps some local sync task for one account runs in this case) the shadow is removed.

So in terms of the ticket you sent my scenario looks as follows

1.    account doesn't exist in target system.

2.    user exists in midpoint.

3.    sync configuration deleted -> unlink, unlinked -> unlink.

4.    sync DOESN’T MARK shadow as deleted, shadow stays.
And actually we don’t need to delete a shadow immediately, to mark it as deleted would be enough. I removed <deadShadowRetentionPeriod> parameter from the resource.

May be, I do something wrong? Please, let me know.

Thanks.

--
Best Regards,

Konstantin.

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Ivan Noris
Sent: Friday, June 26, 2020 9:14 AM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] A problem with synchronization


Hi Konstantin,

you may want to apply the fragment from https://jira.evolveum.com/browse/MID-5452

I remember I had some hard time with that, but as seen in the JIRA comments, during some time period it also worked without that workaround.

Unfortunately I can't point you to a documentation in this case. But the deadShadowRetentionPeriod should help you in this particular case.

Best regards,

Ivan
On 26. 6. 2020 3:12, Konstantin Tikhonov wrote:
Hello Colleagues.

I have a strange problem with synchronization.

I configured CSV resource (XML attached) and it works good. But when I delete account in the CSV file midPoint shows that it’s absent in the Resource tab but still present and even LINKED in the Repository one (screenshots 1, 2 also attached). I run synchronization many times but it doesn’t help.

And one more strange thing – if I click to the deleted account in Repository tab it opens with Username field filled only (screenshot 3) and after that in the Repository tab it gets marked DELETED and with Dead Shadow (screenshot 4) as it should be.

Could you please help to fix this issue?

Thank you in advance.

--
Best Regards,

Konstantin





_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>

https://lists.evolveum.com/mailman/listinfo/midpoint

--

Ivan Noris

Senior Identity Engineer

evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/1fa1fbff/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20200626_midPoint, Problem with sync 5.png
Type: image/png
Size: 62158 bytes
Desc: 20200626_midPoint, Problem with sync 5.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/1fa1fbff/attachment.png>

From ivan.noris at evolveum.com  Fri Jun 26 13:48:42 2020
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Fri, 26 Jun 2020 13:48:42 +0200
Subject: [midPoint] A problem with synchronization
In-Reply-To: <CY4PR14MB1238E1F14B43AA58DED06403F6930@CY4PR14MB1238.namprd14.prod.outlook.com>
References: <CY4PR14MB1238D8A2B14F011DEC38BFE6F6930@CY4PR14MB1238.namprd14.prod.outlook.com>
 <3c9349ff-dd0d-2868-2f85-843177f95cc0@evolveum.com>
 <CY4PR14MB1238E1F14B43AA58DED06403F6930@CY4PR14MB1238.namprd14.prod.outlook.com>
Message-ID: <56b59842-9762-847b-3a29-22d64cb0c3aa@evolveum.com>

Hi Konstantin,

well, in my situation it worked with the following notes:

- the resource was authoritative, delete -> inactivateFocus

- no multiaccounts inbound feature used

- the consistency set for deadShadowsRetentionPeriod 0

I'm using that setup in our training which is based on 4.0.1 (or 4.0.2).

One thing that disturbs me is your resource where for your <reaction>
element you have <reconcile>false</reconcile> and also
<tolerant>false</tolerant> for your attributes. These are not defaults.

Ivan

On 26. 6. 2020 13:06, Konstantin Tikhonov wrote:
>
> Hi Ivan.
>
>  
>
> Thank you for your response.
>
>  
>
> I added the section:
>
>  
>
>     <consistency>
>
>         <deadShadowRetentionPeriod>PT0H</deadShadowRetentionPeriod>
>
>     </consistency>
>
>  
>
> to the CSV resource but unfortunately it didn’t fix synchronization.
> Synchronization doesn’t mark an account as deleted, it remains LINKED.
> But when I clicked to the account (perhaps some local sync task for
> one account runs in this case) the shadow is removed.
>
>  
>
> So in terms of the ticket you sent my scenario looks as follows
>
> 1.    account doesn't exist in target system.
>
> 2.    user exists in midpoint.
>
> 3.    sync configuration deleted -> unlink, unlinked -> unlink.
>
> 4.    sync DOESN’T MARK shadow as deleted, shadow stays.
>
> And actually we don’t need to delete a shadow immediately, to mark it
> as deleted would be enough. I removed <deadShadowRetentionPeriod>
> parameter from the resource.
>
>  
>
> May be, I do something wrong? Please, let me know.
>
>  
>
> Thanks.
>
>  
>
> *--*
>
> Best Regards,
>
> * *
>
> *Konstantin.*
>
>  
>
> *From:*midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of
> *Ivan Noris
> *Sent:* Friday, June 26, 2020 9:14 AM
> *To:* midpoint at lists.evolveum.com
> *Subject:* Re: [midPoint] A problem with synchronization
>
>  
>
> Hi Konstantin,
>
> you may want to apply the fragment from
> https://jira.evolveum.com/browse/MID-5452
> <https://jira.evolveum.com/browse/MID-5452>
>
> I remember I had some hard time with that, but as seen in the JIRA
> comments, during some time period it also worked without that workaround.
>
> Unfortunately I can't point you to a documentation in this case. But
> the deadShadowRetentionPeriod should help you in this particular case.
>
> Best regards,
>
> Ivan
>
> On 26. 6. 2020 3:12, Konstantin Tikhonov wrote:
>
>     Hello Colleagues.
>
>      
>
>     I have a strange problem with synchronization.
>
>      
>
>     I configured CSV resource (XML attached) and it works good. But
>     when I delete account in the CSV file midPoint shows that it’s
>     absent in the Resource tab but still present and even LINKED in
>     the Repository one (screenshots 1, 2 also attached). I run
>     synchronization many times but it doesn’t help.
>
>      
>
>     And one more strange thing – if I click to the deleted account in
>     Repository tab it opens with Username field filled only
>     (screenshot 3) and after that in the Repository tab it gets marked
>     DELETED and with Dead Shadow (screenshot 4) as it should be.
>
>      
>
>     Could you please help to fix this issue?
>
>      
>
>     Thank you in advance.
>
>      
>
>     *--*
>
>     Best Regards,
>
>     * *
>
>     *Konstantin *
>
>      
>
>      
>
>
>
>     _______________________________________________
>
>     midPoint mailing list
>
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
>     https://lists.evolveum.com/mailman/listinfo/midpoint
>
> -- 
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/0e16c081/attachment.htm>

From frederic at lohier.org  Fri Jun 26 20:00:41 2020
From: frederic at lohier.org (=?UTF-8?B?RnLDqWTDqXJpYyBMb2hpZXI=?=)
Date: Fri, 26 Jun 2020 20:00:41 +0200
Subject: [midPoint] Assigning several roles from a single attribute in a
 resource inbound mapping
Message-ID: <CALRGK0rRPWDuB5sZ0Smt3uSPXJJ+RXotaD39eEBuM6EBPxdY+A@mail.gmail.com>

Hello,

In order to assign several roles from a single attribute value in a
resource inbound mapping, I wrote the following inbound mapping in my
resource, taking some hints from
https://wiki.evolveum.com/display/midPoint/Scripting+Hooks, but I get
the error “com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
No such property: modelContext for class”
Am I on the correct path? Or is there a better way to do what I want?

<attribute>
<ref>ri:my_attribute</ref>
<displayName>My attribute</displayName>
<inbound>
<expression>
<script>
<code>
import com.evolveum.midpoint.prism.delta.*;
import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
UserType user = (UserType) focus;
roleName = "My_Role"
role = midpoint.searchObjectByName(RoleType.class, roleName)
if (!midpoint.isDirectlyAssigned(role)) {
// The role is not assigned. Let's assign it. We need to construct a
delta to do this
assignment = new AssignmentType();
roleTarget = new ObjectReferenceType();
roleTarget.setOid("00000-0000-0000-000-0000");
roleTarget.setType(RoleType.COMPLEX_TYPE);
assignment.setTargetRef(roleTarget);
assignmentDelta =
prismContext.deltaFactory().container().createModificationAdd(UserType.F_ASSIGNMENT,
UserType.class, assignment);
modelContext.getFocusContext().swallowToPrimaryDelta(assignmentDelta);
log.debug('test assignment  ' + assignmentDelta + ' of user ' + user.getName());
return  my_attribute;
}
</code>
</script>
</expression>
<target>
<path>$focus/extension/my_attribute</path>
</target>
<strength>strong</strength>
</inbound>
</attribute>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/490b695a/attachment.htm>

From jmartinez at identicum.com  Fri Jun 26 22:31:38 2020
From: jmartinez at identicum.com (Javier Martinez)
Date: Fri, 26 Jun 2020 17:31:38 -0300
Subject: [midPoint] Issue with inbound mapping from singled-valued to
 multi-valued attribute
In-Reply-To: <6fc5b57c104c4668b4f1602717e7780a@zhdk.ch>
References: <CAFFw27cT8Vh-t760tR37jhj-6VDqkmWXk=hebsy3u8riUEHZKw@mail.gmail.com>
 <1592582475117.64953@senado.leg.br>
 <CAFFw27dt+XA-8CPjYQ=NEFKXooRDpDLA9+RTOqgMVY-OEc6RJg@mail.gmail.com>
 <2CB300A6-90BB-4383-9B68-7C98E4AAAA58@hxcore.ol>
 <CAFFw27cfbCpteWUT2c_Op3MNNaDx1XJ=im5eeRo626QNgLOtHg@mail.gmail.com>
 <D2EFE676-325D-41A0-A764-BA80BC62F85F@hxcore.ol>
 <6fc5b57c104c4668b4f1602717e7780a@zhdk.ch>
Message-ID: <CAFFw27cUmD1hXrYD_bBzSKeWeW4Xd7q6kzL9wr5VqPwnj761Mw@mail.gmail.com>

Hello,
thank you for your reply!
I will try to change it to 'model' and I'll let you know the outcome.

Regards!

On Thu, Jun 25, 2020 at 5:28 AM Musliu Atdhe <atdhe.musliu at zhdk.ch> wrote:

> Hi, Have you tried to change the Layer to ‘model’ or ‘schema’ ?
>
> I would try to change it to ‘model’ and then test it again.
>
>
>
> https://wiki.evolveum.com/display/midPoint/User+Interface+Form+Fields :
>
> ‘Model layer means application of schema constraints inside the IDM Model
> Subsystem <https://wiki.evolveum.com/display/midPoint/IDM+Model+Subsystem>.
> This is the value that the midPoint identity management logic will be
> using. It will be used by mappings and similar mechanisms.
>
> E.g. LDAP attributes uid, cn, sn are formally multi-valued in the LDAP
> schema. But vast majority of systems are using them as single-valued
> attributes. Setting multiple values for these attributes can easily ruin
> interoperability. Therefore these attributes can be defined as single
> valued (maxOccurs=1) in the model layer. Then any mapping that produces
> multiple values for these attributes will fail which makes the diagnostics
> and troubleshooting much easier.
>
> ‘
>
>
>
> Best Regards
>
> Atdhe
>
> —
>
> —
>
> Zürcher Hochschule der Künste
>
> Zurich University of the Arts
>
> —
>
> Atdhe Musliu
>
> Mitarbeiter Informationstechnologie-Zentrum
>
> ——
>
> www.zhdk.ch
>
> http://www.zhdk.ch/?itz
>
>
>
> *Von:* midPoint <midpoint-bounces at lists.evolveum.com> *Im Auftrag von *Jason
> Everling
> *Gesendet:* Wednesday, 24 June 2020 19:03
> *An:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Betreff:* Re: [midPoint] Issue with inbound mapping from singled-valued
> to multi-valued attribute
>
>
>
> Yes, it doesn’t fix the inbound stuff, it is merely a fix to prevent an
> end user from adding multiple values
>
>
>
> *From: *Javier Martinez <jmartinez at identicum.com>
> *Sent: *Wednesday, June 24, 2020 11:58 AM
> *To: *midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject: *Re: [midPoint] Issue with inbound mapping from singled-valued
> to multi-valued attribute
>
>
>
> Hi Jason,
>
> Thank you very much for your answer, we tried with this approach and when
> we tried to change the value of a user, we got the error "Expected one
> value for attribute organization, got 2".
>
>
>
> It worked with the solution given by Ivan.
>
>
>
> Regards!
>
>
>
>
>
>
>
> On Mon, Jun 22, 2020 at 5:02 PM Jason Everling <jeverling at bshp.edu> wrote:
>
> You can also remove the multi-value capability from the gui using the
> default user template, it just prevents some user from adding an additional
> value if you really want it to be single-valued only
>
>
>
>     <item>
>
>         <c:ref>c:organization</c:ref>
>
>         <limitations>
>
>             <layer>presentation</layer>
>
>             <minOccurs>0</minOccurs>
>
>             <maxOccurs>1</maxOccurs>
>
>         </limitations>
>
>     </item>
>
>
>
> *From: *Javier Martinez <jmartinez at identicum.com>
> *Sent: *Monday, June 22, 2020 2:16 PM
> *To: *midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject: *Re: [midPoint] Issue with inbound mapping from singled-valued
> to multi-valued attribute
>
>
>
> Hi,
>
> I added the the range as mentioned above:
>
>
> *<set>      <predefined>all</predefined>*
>
> *</set>*
>
>
>
> and it's working correctly, it now replaces the previous value instead of
> adding a new one.
>
>
>
> Thank you!
>
> Regards
>
>
>
> On Fri, Jun 19, 2020 at 1:01 PM Paulo Fernandes de Souza Junior <
> PFSJ at senado.leg.br> wrote:
>
> Hi,
>
>
>
> Take a look at
> https://wiki.evolveum.com/display/midPoint/Inbound+Mapping#InboundMapping-RangeOfInboundMappings
> ​
>
>
>
> *Paulo Fernandes de Souza Júnior*
>
> *NQPPPS *Senado Federal - PRODASEN
> Fone: 61 3303.3924
>
>
>
> *De:* midPoint <midpoint-bounces at lists.evolveum.com> em nome de Javier
> Martinez <jmartinez at identicum.com>
> *Enviado:* quarta-feira, 17 de junho de 2020 11:23
> *Para:* midPoint General Discussion
> *Assunto:* [midPoint] Issue with inbound mapping from singled-valued to
> multi-valued attribute
>
>
>
> Hi,
>
> We are having an issue when having an inbound mapping from a single-valued
> attribute to a multi-valued attribute. When modifying the value from the
> resource, instead of replacing the value, it is adding new values to the
> attribute in midPoint. Tested with attributes "organization" and "subtype".
>
> Working OK in midpoint 3.9, but failing with midpoint 4.0.1 and above.
>
> Is there any way to keep this issue from happening?
>
> Regards
>
> --
>
> Javier Martínez
>
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> --
>
> Javier Martínez
>
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> --
>
> Javier Martínez
>
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>


-- 
Javier Martínez
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/e74fea7b/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 144 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200626/e74fea7b/attachment.png>

From Konstantin.Tikhonov at veeam.com  Mon Jun 29 01:20:20 2020
From: Konstantin.Tikhonov at veeam.com (Konstantin Tikhonov)
Date: Sun, 28 Jun 2020 23:20:20 +0000
Subject: [midPoint] A problem with synchronization
In-Reply-To: <56b59842-9762-847b-3a29-22d64cb0c3aa@evolveum.com>
References: <CY4PR14MB1238D8A2B14F011DEC38BFE6F6930@CY4PR14MB1238.namprd14.prod.outlook.com>
 <3c9349ff-dd0d-2868-2f85-843177f95cc0@evolveum.com>
 <CY4PR14MB1238E1F14B43AA58DED06403F6930@CY4PR14MB1238.namprd14.prod.outlook.com>
 <56b59842-9762-847b-3a29-22d64cb0c3aa@evolveum.com>
Message-ID: <CY4PR14MB123805B91FAE667D235D5D97F6910@CY4PR14MB1238.namprd14.prod.outlook.com>

Hi Ivan.

Thanks for your answer.

It seems I managed to solve the issue. I created reconciliation task for the resource and after it’s completed deleted accounts marks DELETED as it should be. I attached XML of the resource to the e-mail.
It looks Synchronization task doesn’t update accounts, Reconciliation task only does it.

A weird thing again – I added two accounts to the CSV file, linked one of them to a user, left the another one unlinked. Then I removed both from CSV file. The unlinked account got UNMATCHED without running Synchronization or Reconciliation task. The linked account stayed unchanged, i. e. LINKED to a user. Then I run Reconciliation task and the unlinked (UNMATCHED) account was removed from midPoint and the LINKED account was unlinked from the user and marked DELETED.

--
Best Regards,

Konstantin.

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Ivan Noris
Sent: Friday, June 26, 2020 2:49 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] A problem with synchronization


Hi Konstantin,

well, in my situation it worked with the following notes:

- the resource was authoritative, delete -> inactivateFocus

- no multiaccounts inbound feature used

- the consistency set for deadShadowsRetentionPeriod 0

I'm using that setup in our training which is based on 4.0.1 (or 4.0.2).

One thing that disturbs me is your resource where for your <reaction> element you have <reconcile>false</reconcile> and also <tolerant>false</tolerant> for your attributes. These are not defaults.

Ivan
On 26. 6. 2020 13:06, Konstantin Tikhonov wrote:
Hi Ivan.

Thank you for your response.

I added the section:

    <consistency>
        <deadShadowRetentionPeriod>PT0H</deadShadowRetentionPeriod>
    </consistency>

to the CSV resource but unfortunately it didn’t fix synchronization. Synchronization doesn’t mark an account as deleted, it remains LINKED. But when I clicked to the account (perhaps some local sync task for one account runs in this case) the shadow is removed.

So in terms of the ticket you sent my scenario looks as follows

1.    account doesn't exist in target system.

2.    user exists in midpoint.

3.    sync configuration deleted -> unlink, unlinked -> unlink.

4.    sync DOESN’T MARK shadow as deleted, shadow stays.
And actually we don’t need to delete a shadow immediately, to mark it as deleted would be enough. I removed <deadShadowRetentionPeriod> parameter from the resource.

May be, I do something wrong? Please, let me know.

Thanks.

--
Best Regards,

Konstantin.

From: midPoint <midpoint-bounces at lists.evolveum.com><mailto:midpoint-bounces at lists.evolveum.com> On Behalf Of Ivan Noris
Sent: Friday, June 26, 2020 9:14 AM
To: midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>
Subject: Re: [midPoint] A problem with synchronization


Hi Konstantin,

you may want to apply the fragment from https://jira.evolveum.com/browse/MID-5452

I remember I had some hard time with that, but as seen in the JIRA comments, during some time period it also worked without that workaround.

Unfortunately I can't point you to a documentation in this case. But the deadShadowRetentionPeriod should help you in this particular case.

Best regards,

Ivan
On 26. 6. 2020 3:12, Konstantin Tikhonov wrote:
Hello Colleagues.

I have a strange problem with synchronization.

I configured CSV resource (XML attached) and it works good. But when I delete account in the CSV file midPoint shows that it’s absent in the Resource tab but still present and even LINKED in the Repository one (screenshots 1, 2 also attached). I run synchronization many times but it doesn’t help.

And one more strange thing – if I click to the deleted account in Repository tab it opens with Username field filled only (screenshot 3) and after that in the Repository tab it gets marked DELETED and with Dead Shadow (screenshot 4) as it should be.

Could you please help to fix this issue?

Thank you in advance.

--
Best Regards,

Konstantin






_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>

https://lists.evolveum.com/mailman/listinfo/midpoint

--

Ivan Noris

Senior Identity Engineer

evolveum.com



_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>

https://lists.evolveum.com/mailman/listinfo/midpoint

--

Ivan Noris

Senior Identity Engineer

evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200628/2a1832d4/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ExportedData_ResourceType_2020_06_29_02_6_31.xml
Type: application/xml
Size: 17393 bytes
Desc: ExportedData_ResourceType_2020_06_29_02_6_31.xml
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200628/2a1832d4/attachment.xml>

From ivan.noris at evolveum.com  Mon Jun 29 09:06:00 2020
From: ivan.noris at evolveum.com (Ivan Noris)
Date: Mon, 29 Jun 2020 09:06:00 +0200
Subject: [midPoint] A problem with synchronization
In-Reply-To: <CY4PR14MB123805B91FAE667D235D5D97F6910@CY4PR14MB1238.namprd14.prod.outlook.com>
References: <CY4PR14MB1238D8A2B14F011DEC38BFE6F6930@CY4PR14MB1238.namprd14.prod.outlook.com>
 <3c9349ff-dd0d-2868-2f85-843177f95cc0@evolveum.com>
 <CY4PR14MB1238E1F14B43AA58DED06403F6930@CY4PR14MB1238.namprd14.prod.outlook.com>
 <56b59842-9762-847b-3a29-22d64cb0c3aa@evolveum.com>
 <CY4PR14MB123805B91FAE667D235D5D97F6910@CY4PR14MB1238.namprd14.prod.outlook.com>
Message-ID: <26f93d64-3add-e40f-5265-498a09106cdb@evolveum.com>

Hi Konstantin,

hm, this looks really strange. What I suggest is to retest with midpoint
master to see if this behaviour is the same.

If livesync task does not update shadows, I would consider that as a bug
- please report it to our JIRA.

Thank you!

Ivan

On 29. 6. 2020 1:20, Konstantin Tikhonov wrote:
>
> Hi Ivan.
>
>  
>
> Thanks for your answer.
>
>  
>
> It seems I managed to solve the issue. I created reconciliation task
> for the resource and after it’s completed deleted accounts marks
> DELETED as it should be. I attached XML of the resource to the e-mail.
>
> It looks Synchronization task doesn’t update accounts, Reconciliation
> task only does it.
>
>  
>
> A weird thing again – I added two accounts to the CSV file, linked one
> of them to a user, left the another one unlinked. Then I removed both
> from CSV file. The unlinked account got UNMATCHED without running
> Synchronization or Reconciliation task. The linked account stayed
> unchanged, i. e. LINKED to a user. Then I run Reconciliation task and
> the unlinked (UNMATCHED) account was removed from midPoint and the
> LINKED account was unlinked from the user and marked DELETED.
>
>  
>
> *--*
>
> Best Regards,
>
> * *
>
> *Konstantin.*
>
>  
>
> *From:*midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of
> *Ivan Noris
> *Sent:* Friday, June 26, 2020 2:49 PM
> *To:* midpoint at lists.evolveum.com
> *Subject:* Re: [midPoint] A problem with synchronization
>
>  
>
> Hi Konstantin,
>
> well, in my situation it worked with the following notes:
>
> - the resource was authoritative, delete -> inactivateFocus
>
> - no multiaccounts inbound feature used
>
> - the consistency set for deadShadowsRetentionPeriod 0
>
> I'm using that setup in our training which is based on 4.0.1 (or 4.0.2).
>
> One thing that disturbs me is your resource where for your <reaction>
> element you have <reconcile>false</reconcile> and also
> <tolerant>false</tolerant> for your attributes. These are not defaults.
>
> Ivan
>
> On 26. 6. 2020 13:06, Konstantin Tikhonov wrote:
>
>     Hi Ivan.
>
>      
>
>     Thank you for your response.
>
>      
>
>     I added the section:
>
>      
>
>         <consistency>
>
>             <deadShadowRetentionPeriod>PT0H</deadShadowRetentionPeriod>
>
>         </consistency>
>
>      
>
>     to the CSV resource but unfortunately it didn’t fix
>     synchronization. Synchronization doesn’t mark an account as
>     deleted, it remains LINKED. But when I clicked to the account
>     (perhaps some local sync task for one account runs in this case)
>     the shadow is removed.
>
>      
>
>     So in terms of the ticket you sent my scenario looks as follows
>
>     1.    account doesn't exist in target system.
>
>     2.    user exists in midpoint.
>
>     3.    sync configuration deleted -> unlink, unlinked -> unlink.
>
>     4.    sync DOESN’T MARK shadow as deleted, shadow stays.
>
>     And actually we don’t need to delete a shadow immediately, to mark
>     it as deleted would be enough. I removed
>     <deadShadowRetentionPeriod> parameter from the resource.
>
>      
>
>     May be, I do something wrong? Please, let me know.
>
>      
>
>     Thanks.
>
>      
>
>     *--*
>
>     Best Regards,
>
>     * *
>
>     *Konstantin.*
>
>      
>
>     *From:*midPoint <midpoint-bounces at lists.evolveum.com>
>     <mailto:midpoint-bounces at lists.evolveum.com> *On Behalf Of *Ivan Noris
>     *Sent:* Friday, June 26, 2020 9:14 AM
>     *To:* midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>
>     *Subject:* Re: [midPoint] A problem with synchronization
>
>      
>
>     Hi Konstantin,
>
>     you may want to apply the fragment from
>     https://jira.evolveum.com/browse/MID-5452
>     <https://jira.evolveum.com/browse/MID-5452>
>
>     I remember I had some hard time with that, but as seen in the JIRA
>     comments, during some time period it also worked without that
>     workaround.
>
>     Unfortunately I can't point you to a documentation in this case.
>     But the deadShadowRetentionPeriod should help you in this
>     particular case.
>
>     Best regards,
>
>     Ivan
>
>     On 26. 6. 2020 3:12, Konstantin Tikhonov wrote:
>
>         Hello Colleagues.
>
>          
>
>         I have a strange problem with synchronization.
>
>          
>
>         I configured CSV resource (XML attached) and it works good.
>         But when I delete account in the CSV file midPoint shows that
>         it’s absent in the Resource tab but still present and even
>         LINKED in the Repository one (screenshots 1, 2 also attached).
>         I run synchronization many times but it doesn’t help.
>
>          
>
>         And one more strange thing – if I click to the deleted account
>         in Repository tab it opens with Username field filled only
>         (screenshot 3) and after that in the Repository tab it gets
>         marked DELETED and with Dead Shadow (screenshot 4) as it
>         should be.
>
>          
>
>         Could you please help to fix this issue?
>
>          
>
>         Thank you in advance.
>
>          
>
>         *--*
>
>         Best Regards,
>
>         * *
>
>         *Konstantin *
>
>          
>
>          
>
>
>
>
>         _______________________________________________
>
>         midPoint mailing list
>
>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
>         https://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>
>     Ivan Noris
>
>     Senior Identity Engineer
>
>     evolveum.com
>
>
>
>     _______________________________________________
>
>     midPoint mailing list
>
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
>     https://lists.evolveum.com/mailman/listinfo/midpoint
>
> -- 
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200629/4e9befc2/attachment.htm>

From anton.shchenev at beeper.ru  Tue Jun 30 07:40:18 2020
From: anton.shchenev at beeper.ru (=?utf-8?B?0KnQtdC90LXQsiDQkNC90YLQvtC9INCS0Y/Rh9C10YHQu9Cw0LLQvtCy0Lg=?= =?utf-8?B?0Yc=?=)
Date: Tue, 30 Jun 2020 05:40:18 +0000
Subject: [midPoint] Winrs (launch from server console)
Message-ID: <651689E53CC19841968296084942E1E849E8AFB1@ekt-asbt-mxs001.beeper.ru>

Hi
Could you pls answer me how can I  check the operation of the command winrs  directly from the console(Linux)?

This script works fine from remote machines and creates a mailbox, but when working through midpoint in Windows logs is always the error(WSMan operation CreateShell failed, error code 2150859120)


<code>winrs -r:http://my.domain.com:5985 -u:????? -p:?????? powershell.exe -command "$username = '????'; $password = ConvertTo-SecureString '?????' -asplaintext -force; $UserCredential = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $username,$password; $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://my.domain.com/powershell -Authentication Kerberos -Credential $UserCredential; Invoke-Command -Session $Session {enable-mailbox -Identity "test.test"};Get-PSSession | Remove-PSSession"</code>


I tried this option too
Winrs   -ad  -u:????? -p:?????? powershell.exe
The result is the same: WSMan operation CreateShell failed, error code 2150859120





С уважением,
Щенев Антон

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200630/50c104bc/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1457 bytes
Desc: image001.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200630/50c104bc/attachment.png>

From radovan.semancik at evolveum.com  Tue Jun 30 09:41:06 2020
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Tue, 30 Jun 2020 09:41:06 +0200
Subject: [midPoint] Community discussion (was: Re: Winrs (launch from server
 console))
In-Reply-To: <651689E53CC19841968296084942E1E849E8AFB1@ekt-asbt-mxs001.beeper.ru>
References: <651689E53CC19841968296084942E1E849E8AFB1@ekt-asbt-mxs001.beeper.ru>
Message-ID: <6efee9f1-7e9c-dcef-d328-2898ab726a9d@evolveum.com>

Hello Anton,

I have noticed your questions, as I have noticed previous questions. 
However, I'm quite disinclined to provide answers. This list is an open 
community discussion, not a commercial support channel.

Firstly, the list is governed by a principle of reciprocity. If you 
expect help from the community, you should probably try to help other 
members of community yourself.

Secondly, it is expected that you make some effort to resolve the 
problem yourself. Microsoft environment, and especially WinRM is a 
complicated and non-transparent matter. You can help the community by 
trying to understand the operation of Microsoft technologies and perhaps 
precisely pinpoint the problem. As all midPoint-related code, source 
code of the connector is available and you are free to have a look at 
it. The connector is not complicated.

Full community guidelines are available here: 
https://wiki.evolveum.com/display/midPoint/Community+Guidelines

This is how open source communities work. This is not a free ride, it is 
mutual cooperation. If you feel that you cannot contribute back with 
your skill, time or experience, then you can contribute with money. 
There are commercial support services provided by Evolveum.

-- 
Radovan Semancik
Software Architect
evolveum.com

On 30. 6. 2020 7:40, Щенев Антон Вячеславович wrote:
>
> Hi
>
> Could you pls answer me how can I  check the operation of the command 
> winrs  directly from the console(Linux)?
>
> This script works fine from remote machines and creates a mailbox, but 
> when working through midpoint in Windows logs is always the 
> error(WSMan operation CreateShell failed, error code 2150859120)
>
> <code>winrs -r:http://my.domain.com:5985 -u:????? -p:?????? 
> powershell.exe -command "$username = '????'; $password = 
> ConvertTo-SecureString '?????' -asplaintext -force; $UserCredential = 
> New-Object -TypeName System.Management.Automation.PSCredential 
> -argumentlist $username,$password; $Session = New-PSSession 
> -ConfigurationName Microsoft.Exchange -ConnectionUri 
> http://my.domain.com/powershell -Authentication Kerberos -Credential 
> $UserCredential; Invoke-Command -Session $Session {enable-mailbox 
> -Identity "test.test"};Get-PSSession | Remove-PSSession"</code>
>
> I tried this option too
>
> Winrs   -ad  -u:????? -p:?????? powershell.exe
>
> The result is the same: WSMan operation CreateShell failed, error code 
> 2150859120
>
> Описание: Описание: Описание: cid:image004.png at 01D47D0D.3B8B0380
>
> С уважением,
>
> Щенев Антон
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200630/87006b84/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1457 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200630/87006b84/attachment.png>

From kir.blood at gmail.com  Tue Jun 30 21:58:19 2020
From: kir.blood at gmail.com (kir.blood at gmail.com)
Date: Tue, 30 Jun 2020 22:58:19 +0300
Subject: [midPoint] OpenLDAP - NIS netgroups association
Message-ID: <CAAvM5gSi_47dpnbGcNpO7HvOKM5gY55i==XB6fiaDMV3bUOTmA@mail.gmail.com>

Hi all,
I tried to create an association for NIS netgroups. OpenLDAP uses the
NisNetgroupTriple attribute with values like
'(hostname,username,domainname)' to identify members of a group.
I think I should use some script to compare associationAttribute (
NisNetgroupTriple) and Value attribute (username), but I did not find how
to do this in the documentation.
Could you help me to solve this issue please?

Kind regards,
Kirill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200630/02f33a46/attachment.htm>