<div dir="ltr"><div>Hi Deepak,</div><div><br></div><div>MidPoint performance is an aspect that still needs a lot of work, but we have spent</div><div>a significant amount of time on its improvements during the last releases. In the last release,</div>
<div>we have integrated a very simple profiling tool into midPoint and I would like to</div><div>ask you to use this tool during AD reconciliation and provide the results for further</div><div>analysis. If possible, we would like you to perform the following measurements:</div>
<div><br></div><div>1.) Entry/Exit cycle measurement:</div><div>Please, refer to</div><div><a href="https://wiki.evolveum.com/display/midPoint/Administration+Interface#AdministrationInterface-LoggingConfiguration">https://wiki.evolveum.com/display/midPoint/Administration+Interface#AdministrationInterface-LoggingConfiguration</a>  </div>
<div>to turn on Entry/Exit profiling during AD reconciliation. This profiling performs method Entry/Exit</div><div>analysis and it needs to be turned on for only a couple of seconds, so it can capture several single</div><div>
user reconciliation processes.</div><div><br></div><div>2.) General Subsystem Profiling:</div><div>Please, refer to:</div><div><a href="https://wiki.evolveum.com/display/midPoint/Administration+Interface#AdministrationInterface-ProfilingConfiguration">https://wiki.evolveum.com/display/midPoint/Administration+Interface#AdministrationInterface-ProfilingConfiguration</a></div>
<div>to configure general profiling. Just to be sure, check all subsystems except "Workflow" and set Dump Interval</div><div>to a couple of minutes (2-5) and if possible, please run AD reconciliation for 15-30 minutes.</div>
<div><br></div><div>More on midPoint profiling concepts can also be found here:</div><div><a href="https://wiki.evolveum.com/display/midPoint/Profiling+Concepts#">https://wiki.evolveum.com/display/midPoint/Profiling+Concepts#</a></div>
<div><br></div><div>Results of measurements can be seen in 'idm-profile.log' file(s) in &lt;tomcat_home&gt;/logs directory. Please</div><div>provide these log file(s) so we can analyse it (them), find the bottleneck and improve performance.</div>
<div><br></div><div>P.S. If you have any problems or ideas using midPoint profiling, please provide feedback since this</div><div>feature is still in development and any user feedback is much appreciated. </div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Tue, Jan 7, 2014 at 5:39 PM, Deepak Natarajan <span dir="ltr">&lt;<a href="mailto:dnataraj@trilobytesystems.com" target="_blank">dnataraj@trilobytesystems.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


<div bgcolor="#FFFFFF" text="#000000"><br>
Thank you very much Ivan, I will try this out.<br>
 <br>
Could you also please show me the namespace declaration for mr: ?<br>
<br>
<span>&lt;matchingRule&gt;mr:stringIgnoreCase&lt;/matchingRule&gt; <br>
  <br>
I'm also curious about one other thing - how is reconciliation with AD 
performing for you? I am trying to reconcile approx 5600 users between 
Midpoint and AD, and this is typically taking our Midpoint installation 
about 5 hours to complete (!). Of course, I have various scripting hooks
 and a before-create vbs script for AD (that creates OU containers if 
they don't exist for the users - but I can see that this takes at most a 
second or two from the connector server logs)<br>
  <br>
Thanks!<br>
  <br>
BR/Deepak<br>
</span><br>
<blockquote style="border:0px none" type="cite">
  <div style="margin:30px 25px 10px 25px"><div style="display:table;width:100%;border-top:1px solid #edeef0;padding-top:5px">
   <div style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
        <a href="mailto:ivan.noris@evolveum.com" style="color:#737f92!important;padding-right:6px;font-weight:bold;text-decoration:none!important" target="_blank">Ivan Noris</a></div>   <div style="display:table-cell;white-space:nowrap;vertical-align:middle">
   
  <font color="#9FA2A5"><span style="padding-left:6px">January 7, 2014 
at 5:23 PM</span></font></div></div></div><div><div class="h5">
  <div style="color:#888888;margin-left:24px;margin-right:24px"><div>Hi Deepak,<br><br>I'm 
using the Active Directory connector to manage accounts in AD, and a<br>mapping
 which assigns user to groups. I didn't have to change resource<br>schema
 to use groups; it is available out of the box.<br><br>The mapping is 
for the icfs:groups attribute and midPoint 2.2.x,<br>although it should 
still be the same for 2.3.<br><br>I've adapted this from an actual customer
 configuration, removing the<br>customer-specific code, but leaving the 
XML comments for you:<br><br>
&lt;attribute&gt;<br>
    &lt;ref&gt;icfs:groups&lt;/ref&gt;<br>
    &lt;displayName&gt;Groups&lt;/displayName&gt;<br><br>
    &lt;limitations&gt;<br>
        &lt;access&gt;<br>
            &lt;create&gt;true&lt;/create&gt;<br>
            &lt;read&gt;true&lt;/read&gt;<br>
            &lt;update&gt;true&lt;/update&gt;<br>
        &lt;/access&gt;<br>
    &lt;/limitations&gt;<br>
&lt;!-- tolerant=false + strength=strong removes ALL other values including<br>groups not managed by midpoint<br><br>
tolerant=true + strength=strong removes old group when the condition<br>changes, keeping groups managed outside of midpoint --&gt;<br><br>
    &lt;tolerant&gt;true&lt;/tolerant&gt;&lt;!-- See above --&gt;<br>
    &lt;matchingRule&gt;mr:stringIgnoreCase&lt;/matchingRule&gt;<br>
    &lt;outbound&gt;<br>
        &lt;strength&gt;strong&lt;/strength&gt;&lt;!-- See above --&gt;<br>
        &lt;source&gt;<br>
            &lt;path&gt;$user/employeeType&lt;/path&gt;<br>
        &lt;/source&gt;<br>
        &lt;expression&gt;<br>
            &lt;script&gt;<br>
                &lt;code&gt;<br>
if (employeeType == 'FTE')<br>{<br>    return 'CN=group1,.........................'<br>}<br><br>
                &lt;/code&gt;<br>
            &lt;/script&gt;<br>
        &lt;/expression&gt;<br>
    &lt;/outbound&gt;<br>
&lt;/attribute&gt;<br><br>You may need to use our versions of 
Connector Server and Active<br>Directory connector, there were some 
case-sensitivity issues in the<br>original versions (causing groups like
 "cn=group1,... and CN=group1" to<br>cause problems):<br><br><a href="http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/" target="_blank">http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/</a><br>
<br><a href="http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/" target="_blank">http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/</a><br>
<br>And
 update your resource configuration:<br><br>
&lt;icfc:resultsHandlerConfiguration&gt;<br>
    &lt;!-- currently this requires latest Evolveum<br>version of .net connector server --&gt;<br>
    <br>
    &lt;icfc:enableFilteredResultsHandler&gt;false&lt;/icfc:enableFilteredResultsHandler&gt;<br>
&lt;/icfc:resultsHandlerConfiguration&gt;<br><br>
&lt;!-- Configuration specific for the Active Directory<br>connector --&gt;<br><br>
&lt;icfc:configurationProperties<br>. . .<br><br>This
 is the combination I currently use and it seems to work well.<br><br>Hope 
this helps,<br>regards,<br>Ivan<br></div><div><br></div></div>
  </div></div><div style="margin:30px 25px 10px 25px"><div style="display:table;width:100%;border-top:1px solid #edeef0;padding-top:5px">
   <div style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
        <a href="mailto:dnataraj@trilobytesystems.com" style="color:#737f92!important;padding-right:6px;font-weight:bold;text-decoration:none!important" target="_blank">Deepak Natarajan</a></div>   <div style="display:table-cell;white-space:nowrap;vertical-align:middle">
   
  <font color="#9FA2A5"><span style="padding-left:6px">January 7, 2014 
at 4:55 PM</span></font></div></div></div><div class="im">
  <div style="color:#888888;margin-left:24px;margin-right:24px"><div>Hi  -<br><br>I'm trying to
 figure out how to implement group membership for an Active<br>Directory
 resource.<br><br>We are using Midpoint 2.3-SNAPSHOT.<br><br>Is it still
 possible to execute this using the idea of LDAP groups<br>described 
here :<br><a href="https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO" target="_blank">https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO</a> 
(since AD<br>supports LDAPv3)?<br><br>Does anyone have any working 
configuration they can share that they use<br>against Active Directory 
to provision users and also set up group<br>memberships?<br><br>Thanks 
in advance!<br>BR/Deepak<br><br></div></div>
</div></blockquote>
</div>
<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>
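<div>The tolerant/strength behaviour described in the XML comments of the quoted icfs:groups mapping, together with the effect of the mr:stringIgnoreCase matching rule on group DNs that differ only in case, as an added Python model. It is not midPoint code and not part of the original messages; the function name, its parameters and the sample DNs are constructed for illustration.</div>

```python
# Added illustration: a simplified model, not midPoint's implementation.
# Function names and the sample DNs are constructed for this example.

def reconcile_groups(current, previous_mapped, mapped, tolerant, ignore_case=True):
    """Model a strong outbound mapping on a multi-valued group attribute.

    current         -- group DNs found on the AD account
    previous_mapped -- DNs the mapping produced before the condition changed
    mapped          -- DNs the mapping produces now
    tolerant        -- True keeps values that midPoint does not manage
    ignore_case     -- True models the mr:stringIgnoreCase matching rule
    Returns (resulting_values, to_add, to_remove).
    """
    key = (lambda dn: dn.casefold()) if ignore_case else (lambda dn: dn)
    wanted = {key(dn) for dn in mapped}
    stale = {key(dn) for dn in previous_mapped} - wanted
    have = {key(dn) for dn in current}
    if tolerant:
        # Remove only what the mapping used to produce and no longer does.
        to_remove = [dn for dn in current if key(dn) in stale]
    else:
        # Non-tolerant: anything the mapping does not produce is removed.
        to_remove = [dn for dn in current if key(dn) not in wanted]
    to_add = [dn for dn in mapped if key(dn) not in have]
    result = [dn for dn in current if dn not in to_remove] + to_add
    return result, to_add, to_remove


# Constructed sample data: AD returns the DN in a different case than the
# mapping, and one group is managed outside midPoint.
MANAGED = "CN=group1,OU=Groups,DC=example,DC=com"
IN_AD = "cn=group1,OU=Groups,DC=example,DC=com"
EXTERNAL = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
ACCOUNT = [IN_AD, EXTERNAL]

if __name__ == "__main__":
    cases = {
        "tolerant=true, FTE": (ACCOUNT, [MANAGED], [MANAGED], True, True),
        "tolerant=false, FTE": (ACCOUNT, [MANAGED], [MANAGED], False, True),
        "tolerant=true, no longer FTE": (ACCOUNT, [MANAGED], [], True, True),
        "same, case-sensitive match": (ACCOUNT, [MANAGED], [], True, False),
    }
    for name, args in cases.items():
        result, to_add, to_remove = reconcile_groups(*args)
        print(f"{name}: add={to_add} remove={to_remove} -> {result}")
```

<div>In this model, a case-sensitive comparison leaves the old membership in place when employeeType stops being FTE, and tries to add a second copy of the same group while it is still FTE.</div>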