<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoPlainText>Thanks again, Ivan, for such a detailed explanation. I have made the changes as per your suggestion but it is still not working.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>I get the error below if I try to enable my DB account on the user and try to save it.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><span style='background:yellow;mso-highlight:yellow'>Subresult com.evolveum.midpoint.provisioning.ucf.api.ConnectorInstance.modifyObject of operation com.evolveum.midpoint.provisioning.api.ProvisioningService.modifyObject is still UNKNOWN during cleanup; during handling of exception com.evolveum.midpoint.util.exception.SystemException: java.lang.NullPointerException: null, Couldn't add object. Object already exists: Account already exists on the resource: javax.naming.NameAlreadyBoundException([LDAP: error code 68 - The entry uid=200395948546,ou=people,o=nhs cannot be added because an entry with that name already exists])</span><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>My requirement is that a user available in the DB needs to be synchronized with LDAP.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>A user in the DB is getting provisioned in midPoint, i.e. both ways, midPoint to DB and DB to midPoint, and the LDAP account is also assigned after making changes [object template and system configuration as per your suggestion], but not from midPoint to LDAP.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>I tried to manually assign the account but I am still getting the above error. I am not able to understand why midPoint is trying to create an account in LDAP which is already available; ideally it should update it, is that correct?<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p 
class=MsoPlainText>Regards,<o:p></o:p></p><p class=MsoPlainText>Nitin<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><span lang=EN-US style='mso-fareast-language:EN-GB'>-----Original Message-----<br>From: midpoint-bounces@lists.evolveum.com [mailto:midpoint-bounces@lists.evolveum.com] On Behalf Of Ivan Noris<br>Sent: 11 April 2014 08:20<br>To: midpoint@lists.evolveum.com<br>Subject: Re: [midPoint] Error while Synchronization</span></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Hi Nitin,<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>your understanding of livesync between DB - midPoint - LDAP was correct:<o:p></o:p></p><p class=MsoPlainText>you have livesync between SOURCE (which is DB table in your case) and midPoint, and you don't need another livesync between midPoint and LDAP, because in your case the LDAP server is the TARGET resource.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>So only one livesync task should be running.<o:p></o:p></p><p class=MsoPlainText>(You _could_ have multiple livesync tasks, if you'd have multiple source resources, but this is not your case and I don't recommend to complicate your environment at this stage.)<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Regarding the problem with "null" values for midPoint users' Given Name/Family Name/Full Name attributes: the remedy is quite simple: just edit your DB Table resource schema, and add inbound expressions for your "ri:firstname" or "ri:lastname" attributes. They should set &lt;target&gt;$user/givenName&lt;/target&gt;, or &lt;target&gt;$user/familyName&lt;/target&gt;, respectively.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>You've defined inbound expression for icfs:name becoming midpoint user/name yesterday. The concept is the same for all attributes that you wish to synchronize FROM the source resource to midPoint. 
In your case, it's firstName to givenName, lastname to familyName, maybe other attributes.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Regarding automatic provisioning to LDAP, the "problem" is because if you create your midPoint users from DB, you're probably not saying that they should have accounts in LDAP created. This is configured elsewhere (in object template objects and in System Configuration you specify which object template should be used).<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Please refer to the sample object samples/objects/user-template-complex.xml to see how LDAP account can be constructed for every user created in midPoint.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Also see your System Configuration object in midPoint (Repository objects) and look for "&lt;defaultUserTemplate&gt;" element. Here you specify the object template that should be used. The object itself is also in Repository objects, Object Template type. There is object template used even now, as you see your users have "fullName" attribute constructed to "null null" - this is done by the object template, because there are no givenName/familyName attributes.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>I'd recommend to make small steps. First try to provision from midPoint to LDAP (no livesync). If this works, try to livesync from DB to midPoint and add/assign LDAP account for these created users manually - via GUI. If this works, you can make it together using the object template. 
You will definitely need to fill givenName/familyName attributes in midPoint, because "sn" (LDAP's family name) is mandatory and provisioning will fail without this attribute.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Please refer to the following wiki pages for the Synchronization concept introduction and more information:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><a href="https://wiki.evolveum.com/display/midPoint/Synchronization"><span style='color:windowtext;text-decoration:none'>https://wiki.evolveum.com/display/midPoint/Synchronization</span></a><o:p></o:p></p><p class=MsoPlainText><a href="https://wiki.evolveum.com/display/midPoint/Synchronization+Examples"><span style='color:windowtext;text-decoration:none'>https://wiki.evolveum.com/display/midPoint/Synchronization+Examples</span></a><o:p></o:p></p><p class=MsoPlainText><a href="https://wiki.evolveum.com/display/midPoint/Outbound+Mapping"><span style='color:windowtext;text-decoration:none'>https://wiki.evolveum.com/display/midPoint/Outbound+Mapping</span></a><o:p></o:p></p><p class=MsoPlainText><a href="https://wiki.evolveum.com/display/midPoint/Inbound+Mapping"><span style='color:windowtext;text-decoration:none'>https://wiki.evolveum.com/display/midPoint/Inbound+Mapping</span></a><o:p></o:p></p><p class=MsoPlainText><a href="https://wiki.evolveum.com/display/midPoint/Synchronization+Situations"><span style='color:windowtext;text-decoration:none'>https://wiki.evolveum.com/display/midPoint/Synchronization+Situations</span></a><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>I believe the study of these pages and correlating them with your already existing configuration and our samples will help you to better understand the whole process.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Regards,<o:p></o:p></p><p class=MsoPlainText>Ivan<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p 
class=MsoPlainText>--<o:p></o:p></p><p class=MsoPlainText> Ing. Ivan Noris<o:p></o:p></p><p class=MsoPlainText> IT Architect<o:p></o:p></p><p class=MsoPlainText> nLight, s.r.o.<o:p></o:p></p><p class=MsoPlainText> ___________________________________________________<o:p></o:p></p><p class=MsoPlainText> "Semper cautus - semper paratus - semper idem Vix."<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>_______________________________________________<o:p></o:p></p><p class=MsoPlainText>midPoint mailing list<o:p></o:p></p><p class=MsoPlainText><a href="mailto:midPoint@lists.evolveum.com"><span style='color:windowtext;text-decoration:none'>midPoint@lists.evolveum.com</span></a><o:p></o:p></p><p class=MsoPlainText><a href="http://lists.evolveum.com/mailman/listinfo/midpoint"><span style='color:windowtext;text-decoration:none'>http://lists.evolveum.com/mailman/listinfo/midpoint</span></a><o:p></o:p></p></div><br><br><table bgcolor=white style="color:black"><tr><td>MASTEK LTD.<br>
</td></tr></table></body></html>