[midPoint] [Signatur ungueltig] Slow Active Directory get operations for groups

Keith Hazelton hazelton at internet2.edu
Wed Jul 10 21:56:32 CEST 2024


Alcides,

Thanks for this full answer to the issue.   --Keith

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Alcides Moraes via midPoint <midpoint at lists.evolveum.com>
Sent: Wednesday, July 10, 2024 1:30 PM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Cc: Alcides Moraes <alcides.neto at gmail.com>
Subject: Re: [midPoint] [Signatur ungueltig] Slow Active Directory get operations for groups

Hi Emil,

Thanks for reaching out.
Yes, I have an inbound mapping restricted to the reconciliation channel. I’ll try disabling it, see if it changes anything.
Here’s my association configuration. I have redacted some intents (I have about 20 group intents) and the inbound mapping (it’s a simple assignmentTargetSearch with createOnDemand).
I have this many intents for groups in order to link many types of automatic groups to OrgTypes, with members based on the kind of employment contract (interns, externals, etc.).


<association id="54">
    <ref>ri:group</ref>
    <displayName>AD Group Membership</displayName>
    <tolerant>true</tolerant>
    <intolerantValuePattern>.*(OU=AutomaticGroups|OU=ITProducts).*</intolerantValuePattern>
    <exclusiveStrong>false</exclusiveStrong>
    <fetchStrategy>explicit</fetchStrategy>
    <inbound id="542">

    </inbound>
    <kind>entitlement</kind>
    <intent>adGroup</intent>
    <intent>intent1</intent>
    <intent>intent2</intent>
 . . .
    <intent>intent20</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
    <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>

Here’s the task xml, with minor redaction.


<task ...>
    <name>Reconcile Employees</name>
    <assignment id="6">
        <targetRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType"/>
        <activation>
            <effectiveStatus>enabled</effectiveStatus>
        </activation>
    </assignment>
    <archetypeRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType"/>
    <roleMembershipRef oid="00000000-0000-0000-0000-000000000501" relation="org:default" type="c:ArchetypeType"/>
    <ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType"/>
    <channel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#reconciliation</channel>
    <unpauseAction>executeImmediately</unpauseAction>
    <category>Reconciliation</category>
    <objectRef oid="----" relation="org:default" type="c:ResourceType"/>
    <binding>loose</binding>
    <schedule>
        <recurrence>recurring</recurrence>
        <cronLikePattern>1 0 0 ? * MON-FRI</cronLikePattern>
        <misfireAction>executeImmediately</misfireAction>
    </schedule>
    <threadStopAction>restart</threadStopAction>
    <activity>
        <work>
            <reconciliation>
                <resourceObjects>
                    <resourceRef oid="----" relation="org:default" type="c:ResourceType"/>
                    <kind>account</kind>
                    <intent>default</intent>
                    <objectclass>ri:AccountObjectClass</objectclass>
                </resourceObjects>
            </reconciliation>
        </work>
        <distribution>
            <workerThreads>6</workerThreads>
            <subtasks/>
        </distribution>
        <tailoring>
            <change id="1">
                <reference>resourceObjects</reference>
                <distribution>
                    <buckets>
                        <stringSegmentation>
                            <discriminator>attributes/ri:DOCUMENT_ID</discriminator>
                            <boundary id="12">
                                <position>1</position>
                                <characters>0123456789</characters>
                            </boundary>
                            <boundary id="13">
                                <position>2</position>
                                <characters>0123456789</characters>
                            </boundary>
                            <comparisonMethod>prefix</comparisonMethod>
                        </stringSegmentation>
                    </buckets>
                    <workers>
                        <workersPerNode id="3">
                            <count>1</count>
                        </workersPerNode>
                    </workers>
                    <workerThreads>6</workerThreads>
                </distribution>
            </change>
            <change id="2">
                <reference>remainingShadows</reference>
                <distribution>
                    <buckets>
                        <oidSegmentation>
                            <depth>1</depth>
                        </oidSegmentation>
                    </buckets>
                    <workers>
                        <workersPerNode id="4">
                            <count>1</count>
                        </workersPerNode>
                    </workers>
                    <workerThreads>6</workerThreads>
                </distribution>
            </change>
        </tailoring>
    </activity>
</task>

On Jul 10, 2024, at 12:18, iam-mailing--- via midPoint <midpoint at lists.evolveum.com> wrote:

Hi,

can you provide your association configuration? Do you use an inbound mapping inside the association configuration?
Also the task configuration for the reconciliation could help.

We had an issue regarding get operations in the AD so I would have a look if it’s a similar problem.

Kind Regards,
Emil Militzer




On 28.06.24, 19:03, "midPoint on behalf of Alcides Moraes via midPoint" <midpoint-bounces at lists.evolveum.com on behalf of midpoint at lists.evolveum.com> wrote:




_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint


