[midPoint] midPoint creating duplicate AD account instead of linking

Carlos Ferreira carlos18619 at gmail.com
Fri Sep 26 16:40:55 CEST 2025 

João,

Have you already tried the "secondaryIdentifier" option on the attribute
resource configuration?


Something like this:







*            <attribute id="3190">
<ref>ri:sAMAccountName</ref>                <tolerant>true</tolerant>
          <exclusiveStrong>false</exclusiveStrong>
<secondaryIdentifier>true</secondaryIdentifier>                <outbound>*



Em qui., 25 de set. de 2025 às 12:54, João Paulo Ribeiro via midPoint <
midpoint at lists.evolveum.com> escreveu:

> Hello!
>
> I have a midPoint deployment with an authoritative (inbound) resource and
> an outbound Active Directory resource. There's a specific situation where a
> user that I haven't imported into midPoint yet already has an account in
> Active Directory (outbound). In this scenario, when I import the user from
> the authoritative resource, I would expect midPoint to link the existing
> Active Directory account (UNLINKED -> LINKED). However, it's trying to
> create another account in AD, and because of that, the following error is
> being thrown:
>
> ObjectAlreadyExistsException:
> org.identityconnectors.framework.common.exceptions.AlreadyExistsException(Error
> adding LDAP entry CN=username,OU=users,DC=example,DC=com:
> constraintViolation: 000021C8: AtrErr: DSID-03200BD1, #1:??0: 000021C8:
> DSID-03200BD1, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290 (
> *userPrincipalName*)?? (19))
>
> I have already checked the correlation and synchronization rules on both
> the inbound (authoritative) and outbound (AD) resources, and they seem
> correct. In fact, if I try to run the "import" for the existing AD account
> while it's in the UNLINKED state, it performs the expected operation: it
> LINKS the account with its respective focus and applies the necessary
> updates. The problem really happens when I try to run the "import" from the
> authoritative resource, in which case midPoint doesn't detect the
> pre-existing AD account for the user.
>
> Has anyone else experienced this?
>
> Versions:
> midPoint 4.8.7
> AdLdapConnector 3.7.4
>
> Thanks in advance!
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250926/82dfe393/attachment-0001.htm>

More information about the midPoint mailing list