<div dir="ltr">Awesome!!!<div><br></div><div>So this works, creates CN=Tim Hecks2,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL</div><div><br></div><div><div>    <script></div><div>        <language><a href="http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy">http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</a></language></div><div>        <code></div><div>            'cn=' + user.getFullName() + user.getIterationToken() + ',' + basic.stringify(user.getOrganization())</div><div>        </code></div><div>    </script></div></div><div><br></div><div>JASON</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 24, 2014 at 9:48 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hi Jason,<br>
    <br>
    I've tried to replicate the iterator problem with CSV (instead of
    AD) - no success, it works.<br>
    <br>
    The scenario was: pick up changes from CSV (source); not generating
    unique login in midPoint; automatically assigning role for AD
    (simulated by CSV) where iteration token is used in icfs:name
    mapping.<br>
    <br>
    For source users "jacksparrow" (Jack Sparrow) and "jcksparrow" (also
    Jack Sparrow) I got "jacksparrow" and "jcksparrow" in midPoint, and
    "cn=Jack Sparrow,..." and "cn=Jack Sparrow1,..." in target AD (CSV).<br>
    <br>
    I will still try to replicate on real AD soon.<br>
    <br>
    As for the Groovy/mappings etc: I believe that
    basic.stringify(user.getOrganization()) would fix the latter, but
    this just has to work without such hacks, by using:<br>
    <br>
    <source><br>
      <path>$user/fullName</path><span class=""><br>
    </source><br>
    <source><br>
      <path>$user/organization</path><br>
    </source><br>
    <br></span>
    and using fullName / organization (and iterationToken) in the
    mappings as before...<br>
    i.e.<br>
    <br>
                        <outbound><span class=""><br>
                            <source><br>
                                <path>$user/givenName</path><br>
                            </source><br>
                            <source><br>
                               
    <path>$user/familyName</path><br>
                            </source><br></span>
                            <source><br>
                               
    <path>$user/organization</path><br>
                            </source><br>
                            <expression><br>
                                <script><br>
                                    <code><span class=""><br>
                                        'cn='+givenName+' '+familyName+iterationToken+','+organization+''<br></span><span class="">
                                    </code><br>
                                </script><br>
                            </expression><br>
                        </outbound><br>
                    </attribute><br>
                    <iteration><br></span>
                        <maxIterations>5</maxIterations><br>
                    </iteration><br>
    <br>
    So this must be either strange misconfiguration or a bug. But as it
    seems to work for CSV, I have to confirm it on real AD. It's just
    patching itself, so I'll let you know after it's ready and tested.<br>
    <br>
    The issue with generating unique users in midPoint for liveSync is a
    bug, being worked on.<br>
    <br>
    Regards,<br>
    Ivan<div><div class="h5"><br>
    <br>
    <div>On 11/24/2014 04:30 PM, Jason Everling
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">I got a little closer, tried Groovy and XPATH,
        <div><br>
        </div>
        <div>Using a Groovy expression, it picks up the iterationToken
          but I am getting an error in the expressions, Groovy is new to
          me so here is the code,</div>
        <div><br>
        </div>
        <div>
          <div>        <code></div>
          <div>            "cn=" + user.getFullName() +
            user.getIterationToken() + "," + user.getOrganization();</div>
          <div>        </code></div>
        </div>
        <div><br>
        </div>
        <div>When trying to add the account to midpoint, I am getting
          the below, you can see the iterationToken was added but I don't
          think my code above is correct</div>
        <div><br>
        </div>
        <div><span> Attribute: {Name=__NAME__, Value=[cn=Tim
            Hecks2,[OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL]]}, </span><br>
        </div>
        <div><span><br>
          </span></div>
        <div>JASON</div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Nov 21, 2014 at 5:41 PM, Jason
          Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">I know so strange,
              <div><br>
              </div>
              <div>This is basically still the same setup, with the CSV
                resource how it is not creating the username on the AD
                resource when it is generating the username from this
                conversation</div>
              <div><a href="http://lists.evolveum.com/pipermail/midpoint/2014-November/000576.html" target="_blank">http://lists.evolveum.com/pipermail/midpoint/2014-November/000576.html</a><br>
              </div>
              <div><br>
              </div>
              <div>I put it up on a temp repo to make it easier for you
                to pull what you want to look at, it has the latest
                changes I made using the additionalName mapping, you can
                add back the distinguishedName code that is on the
                samples github which is what I was using,</div>
              <div><br>
              </div>
              <div>Here are the files,</div>
              <div><a href="https://bitbucket.org/jason_everling/idm_midpoint-dev" target="_blank">https://bitbucket.org/jason_everling/idm_midpoint-dev</a><span><font color="#888888"><br>
                  </font></span></div>
              <span><font color="#888888">
                  <div><br>
                  </div>
                  <div>JASON</div>
                </font></span></div>
            <div>
              <div>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Fri, Nov 21, 2014 at 3:22
                    PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000"> Hi Jason,<br>
                        <br>
                        this is  definitely strange. Please send the AD
                        resource configuration (without confidential
                        info of course). I'll try to have a more
                        complete look at it...<br>
                        <br>
                        What is the exact scenario? Are you creating the
                        user from GUI, or from external source (recon,
                        livesync or import)? If so, can you try to
                        create the user from GUI?<br>
                        <br>
                        Thank you,<br>
                        regards,<br>
                        Ivan
                        <div>
                          <div><br>
                            <br>
                            <br>
                            <div>On 11/21/2014 06:24 PM, Jason Everling
                              wrote:<br>
                            </div>
                            <blockquote type="cite">
                              <div dir="ltr">I upgraded to 3.0.1 this
                                morning and it is still the same, it
                                doesn't add the iteratorToken, it is
                                almost as if it is using the
                                displayName.
                                <div><br>
                                </div>
                                <div>I can keep using the + name +
                                  attribute or with what I tested today
                                  in the below</div>
                                <div><br>
                                </div>
                                <div>Another way I got around it is by
                                  creating a mapping to additionalName
                                  with iterationToken then changing the
                                  way the DN is built by just using the
                                  additionalName like</div>
                                <div><br>
                                </div>
                                <div>'CN=' + additionalName + ',' +
                                  organization + ''<br>
                                </div>
                                <div><br>
                                </div>
                                <div>
                                  <div>    <mapping></div>
                                  <div>        <source></div>
                                  <div>           
                                    <path>$user/givenName</path></div>
                                  <div>        </source></div>
                                  <div>        <source></div>
                                  <div>           
                                    <path>$user/familyName</path></div>
                                  <div>        </source></div>
                                  <div>        <expression></div>
                                  <div>            <script></div>
                                  <div>                <code></div>
                                  <div>                    givenName + ' ' + familyName + iterationToken</div>
                                  <div>                </code></div>
                                  <div>            </script></div>
                                  <div>        </expression></div>
                                  <div>        <target></div>
                                  <div>           
                                    <path>additionalName</path></div>
                                  <div>        </target></div>
                                  <div>    </mapping></div>
                                </div>
                                <div><br>
                                </div>
                                <div>JASON</div>
                              </div>
                              <div class="gmail_extra"><br>
                                <div class="gmail_quote">On Thu, Nov 20,
                                  2014 at 1:52 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
                                  wrote:<br>
                                  <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                    <div bgcolor="#FFFFFF" text="#000000"> Hi Jason,<br>
                                      <br>
                                      it could also help if you can try
                                      the same with midPoint 3.0.1...<br>
                                      <br>
                                      Regards,<br>
                                      Ivan
                                      <div>
                                        <div><br>
                                          <br>
                                          <div>On 11/20/2014 06:13 PM,
                                            Jason Everling wrote:<br>
                                          </div>
                                        </div>
                                      </div>
                                      <blockquote type="cite">
                                        <div>
                                          <div>
                                            <div dir="ltr">Ok thanks,
                                              for now until this is
                                              fixed just for my testing
                                              purposes I changed it from
                                              <div><br>
                                              </div>
                                              <div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">'cn='+givenName+' '+familyName+iterationToken+',</span><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">'+organization+''</span><br>
                                              </div>
                                              <div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
                                                </span></div>
                                              <div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">To</span></div>
                                              <div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
                                                </span></div>
                                              <div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">'CN='+name+',</span><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">'+organization+''</span><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
                                                </span></div>
                                              <div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
                                                </span></div>
                                              <div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">Which


                                                  works since it uses
                                                  the username instead
                                                  of first/last and
                                                  doesn't need the
                                                  iterator, this might
                                                  be the best way to go
                                                  for us in the future,
                                                  we never delete
                                                  student accounts. just
                                                  disabled, right now we
                                                  have over 6000
                                                  disabled accounts in
                                                  AD and in the future
                                                  using first/last with
                                                  iterator might get up
                                                  to flastname54 which I
                                                  am not sure we would
                                                  like anyways.</span></div>
                                              <div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
                                                </span></div>
                                              <div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">JASON</span></div>
                                            </div>
                                            <div class="gmail_extra"><br>
                                              <div class="gmail_quote">On
                                                Wed, Nov 19, 2014 at
                                                1:47 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
                                                wrote:<br>
                                                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi
                                                  Jason,<br>
                                                  <span><br>
                                                    <br>
                                                    > Just on a side
                                                    note, the username
                                                    from the db table
                                                    source gets<br>
                                                    > created
                                                    correctly with the
                                                    iteration token, it
                                                    is just not applying<br>
                                                    > the iteration
                                                    token when building
                                                    the DN for AD.<br>
                                                    ><br>
                                                    <br>
                                                  </span>So I recommend
                                                  to wait for Pavol's
                                                  resolution then. He's
                                                  our primary AD<br>
                                                  connector specialist.
                                                  From what you've
                                                  written it _looks_
                                                  like AD<br>
                                                  connector specific
                                                  issue. But it's
                                                  strange as I've used
                                                  the AD connector<br>
                                                  with iterator for even
                                                  older midPoint
                                                  versions - and it has
                                                  worked.<br>
                                                  <br>
                                                  I'd have another look
                                                  at it too, just in
                                                  case.<br>
                                                  <br>
                                                  Regards,<br>
                                                  Ivan<br>
                                                  <div>
                                                    <div><br>
                                                      --<br>
                                                        Ing. Ivan Noris<br>
                                                        Senior Identity
                                                      Management
                                                      Engineer<br>
                                                        <a href="http://evolveum.com" target="_blank">evolveum.com</a><br>
                                                       
                                                      ___________________________________________<br>
                                                                 "Idem
                                                      per idem - semper
                                                      idem Vix."<br>
                                                      <br>
_______________________________________________<br>
                                                      midPoint mailing
                                                      list<br>
                                                      <a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
                                                      <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
                                                    </div>
                                                  </div>
                                                </blockquote>
                                              </div>
                                              <br>
                                            </div>
                                            <br>
                                          </div>
                                        </div>
                                        <font><br>
                                          <br>
                                          <span> CONFIDENTIALITY NOTICE:<br>
                                            This e-mail together with
                                            any attachments is
                                            proprietary and
                                            confidential; intended for
                                            only the recipient(s) named
                                            above and may contain
                                            information that is
                                            privileged. You should not
                                            retain, copy or use this
                                            e-mail or any attachments
                                            for any purpose, or disclose
                                            all or any part of the
                                            contents to any person. Any
                                            views or opinions expressed
                                            in this e-mail are those of
                                            the author and do not
                                            represent those of the
                                            Baptist School of Health
                                            Professions. If you have
                                            received this e-mail in
                                            error, or are not the named
                                            recipient(s), you are hereby
                                            notified that any review,
                                            dissemination, distribution
                                            or copying of this
                                            communication is prohibited
                                            by the sender and to do so
                                            might constitute a violation
                                            of the Electronic
                                            Communications Privacy Act,
                                            18 U.S.C. section 2510-2521.
                                            Please immediately notify
                                            the sender and delete this
                                            e-mail and any attachments
                                            from your computer. </span></font><br>
                                        <br>
                                        <fieldset></fieldset>
                                        <br>
                                        <span>
                                        </span></blockquote>
                                      <span> <br>
                                        <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>
  ___________________________________________
           "Idem per idem - semper idem Vix."
</pre>
                                      </span></div>
                                    <br>
                                    <br>
                                  </blockquote>
                                </div>
                                <br>
                              </div>
                              <br>
                            </blockquote>
                            <br>
                          </div>
                        </div>
                        <span><font color="#888888">
                            <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  _____________________________________________
  "Semper Id(e)M Vix."
</pre>
                          </font></span></div>
                      <br>
                      <br>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
    <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  _____________________________________________
  "Semper Id(e)M Vix."
</pre>
  </div></div></div>

<br></blockquote></div><br></div>

<br>
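<div>Added example, not part of the thread and not midPoint code: a stand-alone Groovy script that models the DN expression discussed in the messages above. It reproduces the bracketed value produced by concatenating the multi-valued organization directly, and goes slightly beyond the thread by escaping the CN value per RFC 4514 so that a comma in a full name cannot change the DN structure. The helper names (escapeRdnValue, singleValue, buildDn, firstFreeDn), the token sequence ("", "1", "2", ...) and the sample DNs are assumptions modelled on the values quoted in the thread.</div>

```groovy
// Added example: plain Groovy, no midPoint classes. All helper names are hypothetical.

// RFC 4514 escaping for a single RDN attribute value (the part after "cn=").
String escapeRdnValue(String value) {
    String special = '"+,;<>\\'
    StringBuilder out = new StringBuilder()
    for (int i = 0; i < value.length(); i++) {
        String ch = value[i]
        boolean edgeSpace = ch == ' ' && (i == 0 || i == value.length() - 1)
        boolean leadingHash = ch == '#' && i == 0
        if (ch == '\u0000') {
            out.append('\\00')
        } else if (special.contains(ch) || edgeSpace || leadingHash) {
            out.append('\\').append(ch)
        } else {
            out.append(ch)
        }
    }
    return out.toString()
}

// The organization attribute is multi-valued; concatenating it directly yields
// "[...]". Require exactly one value and return it as a plain string.
String singleValue(Object attr) {
    if (attr == null) {
        throw new IllegalArgumentException('attribute has no value')
    }
    if (attr instanceof Collection) {
        if (attr.size() != 1) {
            throw new IllegalArgumentException("expected exactly one value, got ${attr.size()}")
        }
        return attr.iterator().next().toString()
    }
    return attr.toString()
}

// Only the CN value is escaped; the organization is already a DN suffix.
String buildDn(String fullName, String iterationToken, Object organization) {
    return 'cn=' + escapeRdnValue(fullName + iterationToken) + ',' + singleValue(organization)
}

// Model of the iteration: try "", "1", "2", ... up to maxIterations and return
// the first DN not already taken. DNs are compared case-insensitively.
String firstFreeDn(String fullName, Object organization,
                   Collection<String> existingDns, int maxIterations = 5) {
    Set<String> taken = existingDns.collect { it.toLowerCase() } as Set
    for (int iteration = 0; iteration <= maxIterations; iteration++) {
        String token = iteration == 0 ? '' : Integer.toString(iteration)
        String dn = buildDn(fullName, token, organization)
        if (!taken.contains(dn.toLowerCase())) {
            return dn
        }
    }
    throw new IllegalStateException("no free DN after ${maxIterations} iterations")
}

// Constructed sample data, modelled on the values quoted in the thread.
def organization = ['OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL']
def existing = [
    'CN=Tim Hecks,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL',
    'CN=Tim Hecks1,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL'
]

// Direct concatenation of the list reproduces the bracketed value from the error.
assert 'cn=Tim Hecks2,' + organization ==
       'cn=Tim Hecks2,[OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL]'

// With the single value extracted, the third candidate is the first free DN.
assert firstFreeDn('Tim Hecks', organization, existing) ==
       'cn=Tim Hecks2,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL'

// A comma in the name stays inside the CN value instead of acting as an RDN separator.
assert buildDn('Hecks, Tim', '', organization) ==
       'cn=Hecks\\, Tim,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL'

// More than one organization value is rejected rather than silently stringified.
boolean rejected = false
try {
    buildDn('Tim Hecks', '', ['OU=A,DC=TEST,DC=LOCAL', 'OU=B,DC=TEST,DC=LOCAL'])
} catch (IllegalArgumentException e) {
    rejected = true
}
assert rejected

println firstFreeDn('Tim Hecks', organization, existing)
```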