[midPoint] [EXTERNAL]AW: Account Sync: Correlation using multivalued attribute

Sanudo Martinez, Santiago Santiago.SanudoMartinez at ingrammicro.com
Mon Jan 24 14:15:23 CET 2022


Solved:


<synchronization>
        <objectSynchronizationSorter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ObjectSynchronizationSorterType">
            <expression>
                <trace>false</trace>
                <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
                    <code>


                        import com.evolveum.midpoint.prism.impl.query.ObjectQueryImpl
                        import com.evolveum.midpoint.prism.query.ObjectQuery
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
                        import javax.xml.namespace.QName;
                        import com.evolveum.midpoint.prism.query.builder.*;
                        import com.evolveum.midpoint.prism.path.ItemPath;
                        import com.evolveum.midpoint.schema.constants.SchemaConstants;
                        import com.evolveum.midpoint.util.exception.ConfigurationException;
                        import com.evolveum.midpoint.schema.util.ShadowUtil;

                        //log.info("----------------------------- Entering in the  SynchronizationSorter ----------------")
                        discriminator = new ObjectSynchronizationDiscriminatorType()

                        discriminator.setKind(ShadowKindType.ACCOUNT)
                        discriminator.setIntent("default")

                        owner = midpoint.searchShadowOwner(shadow.getOid());
                        log.info("Owner: {}", owner)
                       if (owner == null) {
                            aliases = basic.getAttributeValues(shadow, 'Aliases');
                            log.info("Aliases: {}", aliases)

                            boolean userFound = false
                            usersList = new ArrayList();
                            for (alias in aliases) {
                                filter = prismContext.queryFor(ObjectType.class).type(UserType.class)
                                        .item(UserType.F_EMAIL_ADDRESS).eq(alias).matchingCaseIgnore()
                                        .buildFilter();
                                query = ObjectQueryImpl.createObjectQuery(filter)


                                queryResult = midpoint.searchObjects(UserType.class, query)


                                if (queryResult != null) {
                                    if (queryResult.size() > 0) {
                                        userFound = true
                                        for (user in queryResult) {
                                            usersList.add(user)
                                        }
                                    }
                                }
                            }

                            if (userFound == false) {
                                discriminator.setSynchronizationSituation(SynchronizationSituationType.UNMATCHED)
                            } else {
                                set = new HashSet(usersList);
                                usersList.clear();
                                usersList.addAll(set);
                                log.info("Users: {}", usersList)

                                if (usersList.size() > 1) {
                                    discriminator.setSynchronizationSituation(SynchronizationSituationType.DISPUTED)
                                } else {
                                    log.info("New Owner: {}", usersList.get(0))
                                    discriminator.setOwner(usersList.get(0))
                                    discriminator.setSynchronizationSituation(SynchronizationSituationType.LINKED)
                                }
                            }


                        }else{
                            ownerType = owner.asObjectable();
                            discriminator.setOwner(ownerType)
                            discriminator.setSynchronizationSituation(SynchronizationSituationType.LINKED)

                        }
                        discriminator.setKind(ShadowKindType.ACCOUNT)
                        discriminator.setIntent("default")
                        //log.info("----------------------------- Leaving the SynchronizationSorter ----------------")
                        return discriminator
                    </code>
                </script>
            </expression>
        </objectSynchronizationSorter>


Regards,

Santiago Sañudo Martínez
Cloud Security Operations
Plaza de Manuel Llano, Santander, Spain, 39011

[cid:image001.jpg at 01D8112C.D1EC57F0]
Twitter<http://bit.ly/IngramTwitter> | LinkedIn<http://bit.ly/IngramLinkedIN> | Facebook<http://bit.ly/IngramFacebook> | YouTube<http://bit.ly/IngramYouTube>

This email may contain material that is confidential, and proprietary to Ingram Micro and subsidiaries, for the sole use of the intended recipient. Any review, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.

From: Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at fndit.de>
Sent: Monday, January 24, 2022 1:07 PM
To: Sanudo Martinez, Santiago <Santiago.SanudoMartinez at ingrammicro.com>
Cc: MidPoint Mailing List <midpoint at lists.evolveum.com>
Subject: [EXTERNAL]AW: [midPoint] Account Sync: Correlation using multivalued attribute

Hi Santiago,

I think if "Aliases" is multivalue you need to loop through the values to compare the values ony by one. Aliases should be present as array of values, so you can use a for loop for example for the comparison.

Hope it helps.

Kind regards,
Fabian

________________________________
Von: Sanudo Martinez, Santiago <Santiago.SanudoMartinez at ingrammicro.com<mailto:Santiago.SanudoMartinez at ingrammicro.com>>
Gesendet: Montag, 24. Januar 2022 12:48
An: midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com> <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Betreff: [midPoint] Account Sync: Correlation using multivalued attribute


Hi,

I have the following attribute in my shadows (EmployeeId, Aliases):

I am trying to map the employeeId against the user employeeNumber which works OK and the aliases (which is a multivalued field against the user emailAddress). Whenever I try to give the aliases to match against the emailAddress I get the following error that I can't compare emailAddress against more than 1 item. Any ideas how can I compare all the fields inside the multivalued field against the emailAddress?¿


[cid:image002.png at 01D8112C.D1EC57F0]


here you may find the resource xml:



<?xml version="1.0" encoding="UTF-8"?>

<resource oid="6a23afee-0426-4c52-85d4-7223cc4829c8"
          xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
          xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">


    <connectorRef type="ConnectorType">
        <filter>
            <q:equal>
                <q:path>c:connectorType</q:path>
                <q:value>ingrammicro.com.connector.csv.cmp.CsvConnector</q:value>
            </q:equal>
        </filter>
    </connectorRef>



    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <displayName>Default Account</displayName>
            <objectClass>ri:AccountObjectClass</objectClass>
            <default>true</default>
            <multiplicity>
                <maxOccurs>unbounded</maxOccurs>
            </multiplicity>

            <attribute>
            <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:UserPrincipalName</c:ref>

            </attribute>

            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:EmployeeId</c:ref>

            </attribute>

            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:Aliases</c:ref>
                <limitations>
                    <minOccurs>0</minOccurs>
                    <maxOccurs>unbounded</maxOccurs>
                </limitations>
                <inbound>
                    <target>
                        <c:path>$focus/extension/emailAlias</c:path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:AccountEnabled</c:ref>
            </attribute>
        </objectType>
    </schemaHandling>

    <synchronization>
        <objectSynchronizationSorter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ObjectSynchronizationSorterType">
            <expression>
                <trace>false</trace>
                <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
                    <code>
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
                        import javax.xml.namespace.QName;
                        import com.evolveum.midpoint.prism.path.ItemPath;
                        import com.evolveum.midpoint.schema.constants.SchemaConstants;
                        import com.evolveum.midpoint.util.exception.ConfigurationException;
                        import com.evolveum.midpoint.schema.util.ShadowUtil;

                        //log.info("----------------------------- Entering in the  SynchronizationSorter ----------------")
                       discriminator = new ObjectSynchronizationDiscriminatorType()

                        discriminator.setKind(ShadowKindType.ACCOUNT)
                        discriminator.setIntent("default")

                        //log.info("----------------------------- Leaving the SynchronizationSorter ----------------")
                        return discriminator
                    </code>
                </script>
            </expression>
        </objectSynchronizationSorter>

        <objectSynchronization>
            <name>account</name>
            <objectClass>ri:AccountObjectClass</objectClass>
            <kind>account</kind>
            <intent>default</intent>
            <focusType>UserType</focusType>
            <enabled>true</enabled>

            <correlation>
                <q:or>
                    <q:equal>
                        <q:matching>stringIgnoreCase</q:matching>
                        <q:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:employeeNumber</q:path>
                        <expression>
                            <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xsi:type="c:ScriptExpressionEvaluatorType">
                                <code>
                                    def employeeId = basic.getAttributeValue(shadow, 'EmployeeId')
                                    if(employeeId != null){
                                        employeeId = employeeId.toString().trim()
                                        log.info("EmployeeID: {}",employeeId)
                                        log.info("EmployeeID length: {}",employeeId.length())
                                        if(employeeId.length() != 6){
                                            int count = 6 - employeeId.length()
                                            int i = 0
                                            if(count > 0){
                                                boolean condition = count > i;
                                                while(condition){
                                                    employeeId = "0"+employeeId;
                                                    i++;
                                                    condition = count > i;
                                                }
                                            }
                                        }
                                        log.info("[CSO][AAD Corporate]{Correlation} The employeeId is {}",employeeId)
                                        return employeeId
                                    }else{
                                        log.info("[CSO][AAD Corporate]{Correlation} The employeeId attribute is empty")
                                        return "randomEmployeeIdDontExist"
                                    }
                                </code>
                            </script>
                        </expression>
                    </q:equal>
                    <q:equal>
                        <q:matching>stringIgnoreCase</q:matching>
                        <q:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:extension/emailAlias</q:path>
                        <expression>
                            <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xsi:type="c:ScriptExpressionEvaluatorType">
                                <code>
                                    def aliases = basic.getAttributeValues(shadow, 'Aliases')
                                    if(aliases != null){

                                        log.info("[CSO][AAD Corporate]{Correlation} The aliases is {}",aliases)
                                        return aliases
                                    }else{
                                        log.info("[CSO][AAD Corporate]{Correlation} The aliases attribute is empty")
                                        return "randomAliasesIdDontExist"
                                    }
                                </code>
                            </script>
                        </expression>
                    </q:equal>
                    <q:equal>
                        <q:matching>stringIgnoreCase</q:matching>
                        <q:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:emailAddress</q:path>
                        <expression>
                            <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xsi:type="c:ScriptExpressionEvaluatorType">
                                <code>
                                    def aliases = basic.getAttributeValues(shadow, 'Aliases')
                                    if(aliases != null){

                                        log.info("[CSO][AAD Corporate]{Correlation} The aliases is {}",aliases)
                                        return aliases
                                    }else{
                                        log.info("[CSO][AAD Corporate]{Correlation} The aliases attribute is empty")
                                        return "randomAliasesIdDontExist"
                                    }
                                </code>
                            </script>
                        </expression>
                    </q:equal>

                </q:or>
            </correlation>

            <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
            </reaction>
            <reaction>
                <situation>deleted</situation>
            </reaction>
            <reaction>
                <situation>unlinked</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unmatched</situation>
            </reaction>
        </objectSynchronization>

    </synchronization>

    <caching>
        <cachingStategy>passive</cachingStategy>
    </caching>

    <capabilities>
        <configured>
            <cap:activation>
                <cap:status>
                    <cap:attribute>ri:AccountEnabled</cap:attribute>
                    <cap:enableValue>True</cap:enableValue>
                    <cap:disableValue>False</cap:disableValue>
                </cap:status>
            </cap:activation>
            <cap:create>
                <cap:enabled>false</cap:enabled>
            </cap:create>
            <cap:update>
                <cap:enabled>false</cap:enabled>
            </cap:update>
            <cap:delete>
                <cap:enabled>false</cap:enabled>
            </cap:delete>
            <cap:credentials>
                <cap:enabled>false</cap:enabled>
            </cap:credentials>
            <cap:liveSync>
                <cap:enabled>false</cap:enabled>
            </cap:liveSync>
            <cap:script>
                <cap:enabled>false</cap:enabled>
            </cap:script>
        </configured>
    </capabilities>





</resource>





Regards,



Santiago Sañudo Martínez

Cloud Security Operations

Plaza de Manuel Llano, Santander, Spain, 39011



[cid:image001.jpg at 01D8112C.D1EC57F0]

Twitter<https://urldefense.proofpoint.com/v2/url?u=http-3A__bit.ly_IngramTwitter&d=DwMF-g&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=TuRaEyJEujUzaLIef8L24KM6bBcbhk3z5RMMAe94jP_vkaat8KaTtZQ6_HFxCNMB&s=3wnlL9I7frc7maUz98RK2LPPRQSj8NaI4IDRpv5NyaM&e=> | LinkedIn<https://urldefense.proofpoint.com/v2/url?u=http-3A__bit.ly_IngramLinkedIN&d=DwMF-g&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=TuRaEyJEujUzaLIef8L24KM6bBcbhk3z5RMMAe94jP_vkaat8KaTtZQ6_HFxCNMB&s=nVgQb2zqz6oNySAY3x6L0b28eUKJ4I9GeuAN5rhgAaU&e=> | Facebook<https://urldefense.proofpoint.com/v2/url?u=http-3A__bit.ly_IngramFacebook&d=DwMF-g&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=TuRaEyJEujUzaLIef8L24KM6bBcbhk3z5RMMAe94jP_vkaat8KaTtZQ6_HFxCNMB&s=ZgWG3cKhiamyw1SHuLKWaVQq_QUtrKZyFiMpd7oJ-HM&e=> | YouTube<https://urldefense.proofpoint.com/v2/url?u=http-3A__bit.ly_IngramYouTube&d=DwMF-g&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=TuRaEyJEujUzaLIef8L24KM6bBcbhk3z5RMMAe94jP_vkaat8KaTtZQ6_HFxCNMB&s=KI1ornUgBi9GjAvQF5LsfC0wrkH3Y-f3zcxxxWoiPC0&e=>



This email may contain material that is confidential, and proprietary to Ingram Micro and subsidiaries, for the sole use of the intended recipient. Any review, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.



La información contenida en este mensaje es confidencial. En caso de que reciba este mensaje por error le rogamos lo comunique a la mayor brevedad al emisor y proceda a su eliminación definitiva, absteniéndose de copiar, almacenar o difundir su contenido. De acuerdo con lo establecido en la Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal y en el Reglamento de Desarrollo 1720/2007, los datos personales que facilite a través de la dirección de correo indicada serán incorporados a un fichero titularidad de INGRAM MICRO, S.L.U., con domicilio en C/ Antonio Machado, 78-80 1ª y 2ª pl. Business Park ( 08840-Viladecans). Mediante el envío de sus datos, Ud. otorga su consentimiento expreso a INGRAM MICRO, S.L.U, para el tratamiento de sus datos, con la finalidad de atender a su consulta y/o mantener la relación profesional, comercial, y/o contractual que en su caso establezca con INGRAM MICRO, S.L.U. Puede ejercitar sus derechos de acceso, rectificación, cancelación y oposición notificándolo por escrito a la dirección del remitente, o a la siguiente dirección de correo nuevascuentas at ingrammicro.es<mailto:nuevascuentas at ingrammicro.es>. De acuerdo con la Ley 34/2002, de Servicios de la Sociedad de la Información y de Comercio Electrónico, Vd. podrá oponerse en cualquier momento al tratamiento de sus datos con fines promocionales notificándonoslo por escrito a la dirección de correo mencionada.
.................................................................................................................................................................................................................................................
The information contained in this message is confidential. If you receive this message by error please notify it as soon as possible to the sender and proceed to their final elimination by not copy, store or distribute its content. In accordance of what is stated in the Law 15/1999, of Data Personal Protection and Regulation Rule 1720/2007, the personal data provided through the email address you entered will be included in a file owned by INGRAM MICRO, SLU, located at C/ Antonio Machado, 78-80 1ª y 2ª pl. Business Park ( 08840-Viladecans). By submitting your data, you expressly give your consent to INGRAM MICRO, SLU, to the treatment of your data, in order to answer to your questions and / or keep the professional, commercial relationship  and / or contractual set with INGRAM MICRO, SLU You can exercise your rights of access, rectification, cancellation and opposition by giving written notification to the sender address or to  the following email:  nuevascuentas at ingrammicro.es<mailto:nuevascuentas at ingrammicro.es>. According to Law 34/2002, of the Information Society and Electronic Commerce, you may object at any time to your data treatment for promotional purposes by notifying us in writing to the email address above.
[Ingram_2818e5de]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20220124/71e3647a/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 2057 bytes
Desc: image001.jpg
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20220124/71e3647a/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 118198 bytes
Desc: image002.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20220124/71e3647a/attachment-0001.png>


More information about the midPoint mailing list