[midPoint] [Signatur ungueltig] Slow Active Directory get operations for groups

[Alcides Moraes]

Hi Emil,

Thanks your reaching out. 
Yes, I have an inbound mapping restricted to the reconciliation channel. I’ll try disabling it, see if it changes anything.
Here’s my association configuration, I have redacted some intents (I have about 20 group intents) and the inbound mapping (it’s a simple assignmentTargetSearch with createOnDemand)
I have this many intents for groups in order to link many types of automatic groups to OrgTypes, with members based on the kind of employment contract (interns, externals, etc.).


<association id="54">
    <ref>ri:group</ref>
    <displayName>AD Group Membership</displayName>
    <tolerant>true</tolerant>
    <intolerantValuePattern>.*(OU=AutomaticGroups|OU=ITProducts).*</intolerantValuePattern>
    <exclusiveStrong>false</exclusiveStrong>
    <fetchStrategy>explicit</fetchStrategy>
    <inbound id="542”>
    </inbound>
    <kind>entitlement</kind>
    <intent>adGroup</intent>
    <intent>intent1</intent>
    <intent>intent2</intent>
 . . .
    <intent>intent20</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
    <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>

Here’s the task xml, with minor redaction. 

<task ...>
    <name>Reconcile Employees</name>
    <assignment id="6">
        <targetRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType"/>
        <activation>
            <effectiveStatus>enabled</effectiveStatus>
        </activation>
    </assignment>
    <archetypeRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType"/>
    <roleMembershipRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType"/>
    <ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType"/>
    <channel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#reconciliation</channel>
    <unpauseAction>executeImmediately</unpauseAction>
    <category>Reconciliation</category>
    <objectRef oid=“----" relation="org:default" type="c:ResourceType"/>
    <binding>loose</binding>
    <schedule>
        <recurrence>recurring</recurrence>
        <cronLikePattern>1 0 0 ? * MON-FRI</cronLikePattern>
        <misfireAction>executeImmediately</misfireAction>
    </schedule>
    <threadStopAction>restart</threadStopAction>
    <activity>
        <work>
            <reconciliation>
                <resourceObjects>
                    <resourceRef oid=“----" relation="org:default" type="c:ResourceType"/>
                    <kind>account</kind>
                    <intent>default</intent>
                    <objectclass>ri:AccountObjectClass</objectclass>
                </resourceObjects>
            </reconciliation>
        </work>
        <distribution>
            <workerThreads>6</workerThreads>
            <subtasks/>
        </distribution>
        <tailoring>
            <change id="1">
                <reference>resourceObjects</reference>
                <distribution>
                    <buckets>
                        <stringSegmentation>
                            <discriminator>attributes/ri:DOCUMENT_ID</discriminator>
                            <boundary id="12">
                                <position>1</position>
                                <characters>0123456789</characters>
                            </boundary>
                            <boundary id="13">
                                <position>2</position>
                                <characters>0123456789</characters>
                            </boundary>
                            <comparisonMethod>prefix</comparisonMethod>
                        </stringSegmentation>
                    </buckets>
                    <workers>
                        <workersPerNode id="3">
                            <count>1</count>
                        </workersPerNode>
                    </workers>
                    <workerThreads>6</workerThreads>
                </distribution>
            </change>
            <change id="2">
                <reference>remainingShadows</reference>
                <distribution>
                    <buckets>
                        <oidSegmentation>
                            <depth>1</depth>
                        </oidSegmentation>
                    </buckets>
                    <workers>
                        <workersPerNode id="4">
                            <count>1</count>
                        </workersPerNode>
                    </workers>
                    <workerThreads>6</workerThreads>
                </distribution>
            </change>
        </tailoring>
    </activity>
</task>

> Em 10 de jul. de 2024, à(s) 12:18, iam-mailing--- via midPoint <midpoint at lists.evolveum.com> escreveu:
> 
> Hi,
> 
> can you provide your association configuration? Do you use an inbound mapping inside the association configuration?
> Also the task configuration for the reconciliation could help.
> 
> We had an issue regarding get operations in the AD so I would have a look if it’s a similar problem.
> 
> Kind Regards,
> Emil Militzer
> 
> 
> 
> 
> Am 28.06.24, 19:03 schrieb "midPoint im Auftrag von Alcides Moraes via midPoint" <midpoint-bounces at lists.evolveum.com <mailto:midpoint-bounces at lists.evolveum.com> im Auftrag von midpoint at lists.evolveum.com <mailto:midpoint at lists.evolveum.com>>:
> 
> 
> EXTERNE E-MAIL - Bitte prüfen Sie die Vertrauenswürdigkeit der Absender-Informationen, bevor Sie Links oder Anhänge öffnen.
> 
> 
> ------------------------------------------------------------------------------
> 
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> https://lists.evolveum.com/mailman/listinfo/midpoint <https://lists.evolveum.com/mailman/listinfo/midpoint>
> 
> 
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20240710/f665449f/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6278 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20240710/f665449f/attachment-0001.bin>