<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000"><br>
Hi Erik -<br>
<br>
Thank you for your detailed email.<br>
<br>
I will try to profile when I get a chance to run the reconciliation
again next and return to you with some results.<br>
<br>
BR/Deepak<br>
<br>
<blockquote style="border: 0px none;"
cite="mid:CAF2MyvToC36XGu1M1sO_Qme+bHyCpx=-kiy0n30q-edtZ=n6kQ@mail.gmail.com"
type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="suta.erik@gmail.com" photoname="Erik Šuta"
src="cid:part1.07060600.00040809@trilobytesystems.com"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:suta.erik@gmail.com"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Erik Šuta</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">January 8, 2014
at 11:20 AM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div dir="ltr"><div>Hi Deepak,</div><div><br></div><div>MidPoint
performance is an aspect that still needs a lot of work, but we have
spent</div><div>a significant amount of time on its improvements during
the last releases. In the last release,</div>
<div>we have integrated a very simple profiling tool into midPoint and I
would like to</div><div>ask you to use this tool during AD
reconciliation and provide results for further</div><div>analysis. If
possible, we would like you to perform the following measurements:</div>
<div><br></div><div>1.) Entry/Exit cycle measurement:</div><div>Please,
refer to</div><div><a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Administration+Interface#AdministrationInterface-LoggingConfiguration">https://wiki.evolveum.com/display/midPoint/Administration+Interface#AdministrationInterface-LoggingConfiguration</a>
</div>
<div>to turn on Entry/Exit profiling during AD reconciliation. This
profiling performs method Entry/Exit</div><div>analysis and it needs to
be turned on for only a couple of seconds, so it can capture several
single</div><div>
user reconciliation processes.</div><div><br></div><div>2.) General
Subsystem Profiling:</div><div>Please, refer to:</div><div><a
moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Administration+Interface#AdministrationInterface-ProfilingConfiguration">https://wiki.evolveum.com/display/midPoint/Administration+Interface#AdministrationInterface-ProfilingConfiguration</a></div>
<div>to configure general profiling. Just to be sure, check all
subsystems except "Workflow" and set Dump Interval</div><div>to a couple
of minutes (2-5) and if possible, please run AD reconciliation for
15-30 minutes.</div>
<div><br></div><div>More on midPoint profiling concepts can also be
found here:</div><div><a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Profiling+Concepts#">https://wiki.evolveum.com/display/midPoint/Profiling+Concepts#</a></div>
<div><br></div><div>Results of measurements can be seen in
'idm-profile.log' file(s) in the &lt;tomcat_home&gt;/logs directory. Please</div><div>provide
these log file(s) so we can analyse it (them), find the bottleneck and
improve performance. </div>
<div><br></div><div>P.S. If you have any problems or ideas using
midPoint profiling, please provide feedback since this</div><div>feature
is still in development and any user feedback is much appreciated. </div></div><div
class="gmail_extra">
<br><br><br></div>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="dnataraj@trilobytesystems.com" photoname="Deepak
Natarajan" src="cid:part1.07060600.00040809@trilobytesystems.com"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true"
href="mailto:dnataraj@trilobytesystems.com" style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Deepak Natarajan</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">January 7, 2014
at 5:39 PM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
<br>
Thank you very much Ivan, I will try this out.<br>
<br>
Could you also please show me the namespace declaration for mr: ?<br>
<br>
<span>&lt;matchingRule&gt;mr:stringIgnoreCase&lt;/matchingRule&gt; <br>
<br>
I'm also curious about one other thing - how is reconciliation with AD
performing for you? I am trying to reconcile approx 5600 users between
Midpoint and AD, and this is typically taking our Midpoint installation
about 5 hours to complete (!). Of course, I have various scripting hooks
and a before-create vbs script for AD (that creates OU containers if
they don't exist for the users - but I can see that this takes at most a
second or two from the connector server logs)<br>
<br>
Thanks!<br>
<br>
BR/Deepak<br>
</span><br>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="ivan.noris@evolveum.com" photoname="Ivan Noris"
src="cid:part1.07060600.00040809@trilobytesystems.com"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Ivan Noris</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">January 7, 2014
at 5:23 PM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div>Hi Deepak,<br><br>I'm
using the Active Directory connector to manage accounts in AD, and a<br>mapping
which assigns users to groups. I didn't have to change resource<br>schema
to use groups; it is available out of the box.<br><br>The mapping is
for the icfs:groups attribute and midPoint 2.2.x,<br>although it should
still be the same for 2.3.<br><br>I've adapted this from actual customer
configuration, removing the<br>customer-specific code, but leaving the
XML comments for you:<br><br><pre>
&lt;attribute&gt;
    &lt;ref&gt;icfs:groups&lt;/ref&gt;
    &lt;displayName&gt;Groups&lt;/displayName&gt;

    &lt;limitations&gt;
        &lt;access&gt;
            &lt;create&gt;true&lt;/create&gt;
            &lt;read&gt;true&lt;/read&gt;
            &lt;update&gt;true&lt;/update&gt;
        &lt;/access&gt;
    &lt;/limitations&gt;
    &lt;!-- tolerant=false + strength=strong removes ALL other values including
         groups not managed by midpoint

         tolerant=true + strength=strong removes old group when the condition
         changes, keeping groups managed outside of midpoint --&gt;

    &lt;tolerant&gt;true&lt;/tolerant&gt;&lt;!-- See above --&gt;
    &lt;matchingRule&gt;mr:stringIgnoreCase&lt;/matchingRule&gt;
    &lt;outbound&gt;
        &lt;strength&gt;strong&lt;/strength&gt;&lt;!-- See above --&gt;
        &lt;source&gt;
            &lt;path&gt;$user/employeeType&lt;/path&gt;
        &lt;/source&gt;
        &lt;expression&gt;
            &lt;script&gt;
                &lt;code&gt;
if (employeeType == 'FTE')
{
    return 'CN=group1,.........................'
}

                &lt;/code&gt;
            &lt;/script&gt;
        &lt;/expression&gt;
    &lt;/outbound&gt;
&lt;/attribute&gt;
</pre><br>You may need to use our versions of
Connector Server and Active<br>Directory connector, there were some
case-sensitivity issues in the<br>original versions (causing groups like
"cn=group1,... and CN=group1" to<br>cause problems):<br><br><a class="moz-txt-link-freetext" href="http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/">http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/</a><br><br><a class="moz-txt-link-freetext" href="http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/">http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/</a><br><br>And
update your resource configuration:<br><br><pre>
&lt;icfc:resultsHandlerConfiguration&gt;
    &lt;!-- currently this requires latest Evolveum
         version of .net connector server --&gt;
    &lt;icfc:enableFilteredResultsHandler&gt;false&lt;/icfc:enableFilteredResultsHandler&gt;
&lt;/icfc:resultsHandlerConfiguration&gt;

&lt;!-- Configuration specific for the Active Directory
     connector --&gt;

&lt;icfc:configurationProperties
. . .
</pre><br>This
is the combination I currently use and seems to work well.<br><br>Hope
this helps,<br>regards,<br>Ivan<br></div><div><!----><br></div></div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="dnataraj@trilobytesystems.com" photoname="Deepak
Natarajan" src="cid:part1.07060600.00040809@trilobytesystems.com"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true"
href="mailto:dnataraj@trilobytesystems.com" style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Deepak Natarajan</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">January 7, 2014
at 4:55 PM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div>Hi -<br><br>I'm trying to
figure out how to implement group membership for an Active<br>Directory
resource.<br><br>We are using Midpoint 2.3-SNAPSHOT.<br><br>Is it still
possible to execute this using the idea of LDAP groups<br>described
here :<br><a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO">https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO</a>
(since AD<br>supports LDAPv3)?<br><br>Does anyone have any working
configuration they can share that they use<br>against Active Directory
to provision users and also set up group<br>memberships?<br><br>Thanks
in advance!<br>BR/Deepak<br><br></div></div>
</blockquote>
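<div>Added example (not part of the original thread, and not midPoint code): a simplified Python model of the tolerant/strength behaviour described in the XML comments of Ivan's mapping, and of why the mr:stringIgnoreCase matching rule matters when group DNs differ only in case. The example.com DNs and the function name are constructed for illustration.</div>

```python
# Simplified model of one multi-valued attribute (icfs:groups) under a strong
# outbound mapping. Assumption: this mirrors the behaviour described in the XML
# comments of the mapping; it is not midPoint's implementation.

# Constructed sample DNs (the thread elides the real ones).
AD_G1 = "cn=group1,ou=groups,dc=example,dc=com"       # as stored in AD
MP_G1 = "CN=group1,OU=Groups,DC=example,DC=com"       # as returned by the mapping
HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=com"  # managed outside midPoint


def reconcile(current, old_mapped, new_mapped, tolerant, ignore_case=True):
    """Return (result, added, removed) as sorted lists of DNs.

    current    -- group DNs found on the resource account
    old_mapped -- what the mapping produced before the change
    new_mapped -- what the mapping produces now
    """
    key = str.casefold if ignore_case else str
    cur = {key(v): v for v in current}
    old = {key(v) for v in old_mapped}
    new = {key(v): v for v in new_mapped}

    if tolerant:
        # Remove only values the mapping itself used to give and no longer does.
        drop = {k for k in old if k not in new and k in cur}
    else:
        # Remove every value the mapping does not produce.
        drop = {k for k in cur if k not in new}
    add = {k for k in new if k not in cur}

    result = [v for k, v in cur.items() if k not in drop] + [new[k] for k in add]
    return sorted(result), sorted(new[k] for k in add), sorted(cur[k] for k in drop)


if __name__ == "__main__":
    on_resource = [AD_G1, HELPDESK]
    cases = {
        "tolerant=true, user stays FTE": ([MP_G1], [MP_G1], True, True),
        "tolerant=false, user stays FTE": ([MP_G1], [MP_G1], False, True),
        "tolerant=true, user no longer FTE": ([MP_G1], [], True, True),
        "tolerant=true, case-sensitive compare": ([MP_G1], [MP_G1], True, False),
    }
    for name, (old, new, tol, ic) in cases.items():
        print(name, "->", reconcile(on_resource, old, new, tol, ic))
```

<div>With a case-sensitive comparison the model adds a second copy of group1 that differs only in case, which is the kind of problem the matching rule and the patched connector versions are meant to avoid.</div>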
</body></html>