[midPoint] Attempt to add shadow without any attributes

Oleksandr Nekriach o.nekriach at dynatech.lv
Wed Sep 16 09:27:28 CEST 2020


Hi Ethan,
In my case, user reconciliation works fine for me. Try to adapt my config
settings to your instance:

        <objectSynchronization>
            <name>Users sync</name>
            <kind>account</kind>
            <intent>default</intent>
            <focusType>c:UserType</focusType>
            <enabled>true</enabled>
            <!-- Correlation: user emailAddress equals the account's icfs:name, ignoring case -->
            <correlation>
                <q:equal xmlns="">
                    <q:matching>stringIgnoreCase</q:matching>
                    <q:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:emailAddress</q:path>
                    <expression xmlns="">
                        <variable xmlns="">
                            <name>principalName</name>
                            <path xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">$projection/attributes/icfs:name</path>
                        </variable>
                        <script xmlns="">
                            <code>
                                return principalName;
                            </code>
                        </script>
                    </expression>
                </q:equal>
            </correlation>
            <reconcile>false</reconcile>
            <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
            </reaction>
            <!-- Unlinked situation: run the link action -->
            <reaction>
                <situation>unlinked</situation>
                <synchronize>true</synchronize>
                <reconcile>false</reconcile>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
        </objectSynchronization>


Best regards,
Oleksandr



On Tue, 15 Sep 2020 at 22:05, Ethan Kromhout via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hi Chris,
>
> I hit that problem with an attribute named "id" in a connector I was
> writing, that one wasn't a lot of fun to track down. I've seen this "shadow
> without attributes" thing in other connectors, I think there is something
> fundamental I'm not understanding about cases where midPoint isn't managing
> the Accounts in the resource, but I still want it to read or write
> information about those Accounts.
>
> Thanks,
>
> Ethan
> On 9/15/20 11:15 AM, Chris Woods wrote:
>
> Hi Ethan,
>
> We are using the connector too. I think there are a few bugs in the
> connector. All of our broken shadows came from this connector (the schema
> has an "id" attribute that causes problems in midPoint)
>
> I will be doing the same as you next week, so I can report back then if
> you like. At the moment we are only provisioning user accounts.
>
> Regards,
> Chris
>
> On 15 September 2020 at 16:45:59, Ethan Kromhout via midPoint
> <midpoint at lists.evolveum.com> wrote:
>
>> I'm working with the experimental MS Graph connector to Azure AD. My
>> initial use case is just creating groups and updating memberships, so my
>> mappings are just an association for the AccountObjectClass and a more
>> complete set of mappings for the GroupObjectClass. The schema this
>> connector generates contains no mandatory attributes, e.g. nothing is
>> marked minOccurs="1". Group creation is working just fine, but I'm
>> having a problem with the membership management. If I go into a user
>> who is a member of an organization that should connect the user to the
>> Azure AD group, and preview a reconciliation change, it sees that it
>> should add the Azure AD group, but when I hit save on the user, the
>> change fails with this error:
>>
>> 2020-09-15 14:22:05,611 [MODEL] [pool-3-thread-16] WARN (com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): Can't do reconciliation. Account context doesn't contain current version of account.
>> 2020-09-15 14:22:05,820 [MODEL] [pool-3-thread-16] ERROR (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Attempt to add shadow without any attributes: shadow:null(null)
>> com.evolveum.midpoint.util.exception.SchemaException: Attempt to add shadow without any attributes: shadow:null(null)
>>      at com.evolveum.midpoint.provisioning.impl.ShadowCache.addShadowAttempt(ShadowCache.java:508)
>>
>> And indeed, no Account shadow is created for the Azure AD resource for
>> that user. If I import the Account object for that user directly
>> from the Azure AD resource, then the shadow is created, and the
>> membership in Azure AD is updated. So I'm confused as to why saving a
>> user on reconciliation would fail with this error, but an import on the
>> resource succeeds.
>>
>> Thanks for any experience or advice, I've attached the resource
>> definition in case that is of interest,
>>
>> Ethan
>>
>>
>>
>>
>> ----------
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>


-- 
Best regards,



Oleksandr Nekriach | Identity and access management engineer
