<div dir="ltr">Awesome!!!<div><br></div><div>So this works, creates CN=Tim Hecks2,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL</div><div><br></div><div><div> <script></div><div> <language><a href="http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy">http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</a></language></div><div> <code></div><div> 'cn=' + user.getFullName() + user.getIterationToken() + ',' + basic.stringify(user.getOrganization())</div><div> </code></div><div> </script></div></div><div><br></div><div>JASON</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 24, 2014 at 9:48 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi Jason,<br>
<br>
I've tried to replicate the iterator problem with CSV (instead of
AD) - no success, it works.<br>
<br>
The scenario was: pick up changes from CSV (source); not generating
unique login in midPoint; automatically assigning role for AD
(simulated by CSV) where iteration token is used in icfs:name
mapping.<br>
<br>
For source users "jacksparrow" (Jack Sparrow) and "jcksparrow" (also
Jack Sparrow) I got "jacksparrow" and "jcksparrow" in midPoint, and
"cn=Jack Sparrow,..." and "cn=Jack Sparrow1,..." in target AD (CSV).<br>
<br>
I will still try to replicate on real AD soon.<br>
<br>
As for the Groovy/mappings etc: I believe that
basic.stringify(user.getOrganization()) would fix the latter, but
this just has to work without such hacks, by using:<br>
<br>
<source><br>
<path>$user/fullName</path><span class=""><br>
</source><br>
<source><br>
<path>$user/organization</path><br>
</source><br>
<br></span>
and using fullName / organization (and iterationToken) in the
mappings as before...<br>
i.e.<br>
<br>
<outbound><span class=""><br>
<source><br>
<path>$user/givenName</path><br>
</source><br>
<source><br>
<path>$user/familyName</path><br>
</source><br></span>
<source><br>
<path>$user/organization</path><br>
</source><br>
<expression><br>
<script><br>
<code><span class=""><br>
'cn='+givenName+'
'+familyName+iterationToken+','+organization+''<br></span><span class="">
</code><br>
</script><br>
</expression><br>
</outbound><br>
</attribute><br>
<iteration><br></span>
<maxIterations>5</maxIterations><br>
</iteration><br>
<br>
So this must be either strange misconfiguration or a bug. But as it
seems to work for CSV, I have to confirm it on real AD. It's just
patching itself, so I'll let you know after it's ready and tested.<br>
<br>
The issue with generating unique users in midPoint for liveSync is a
bug, being worked on.<br>
<br>
Regards,<br>
Ivan<div><div class="h5"><br>
<br>
<div>On 11/24/2014 04:30 PM, Jason Everling
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I got a little closer, tried Groovy and XPATH,
<div><br>
</div>
<div>Using a Groovy expression, it picks up the iterationToken
but I am getting an error in the expressions, Groovy is new to
me so here is the code,</div>
<div><br>
</div>
<div>
<div> <code></div>
<div> "cn=" + user.getFullName() +
user.getIterationToken() + "," + user.getOrganization();</div>
<div> </code></div>
</div>
<div><br>
</div>
<div>When trying to add the account to midpoint, I am getting
the below, you can see the iterationToken was added but I don't
think my code above is correct</div>
<div><br>
</div>
<div><span> Attribute: {Name=__NAME__, Value=[cn=Tim
Hecks2,[OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL]]}, </span><br>
</div>
<div><span><br>
</span></div>
<div>JASON</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Nov 21, 2014 at 5:41 PM, Jason
Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I know so strange,
<div><br>
</div>
<div>This is basically still the same setup, with the CSV
resource how it is not creating the username on the AD
resource when it is generating the username from this
conversation</div>
<div><a href="http://lists.evolveum.com/pipermail/midpoint/2014-November/000576.html" target="_blank">http://lists.evolveum.com/pipermail/midpoint/2014-November/000576.html</a><br>
</div>
<div><br>
</div>
<div>I put it up on a temp repo to make it easier for you
to pull what you want to look at, it has the latest
changes I made using the additionalName mapping, you can
add back the distinguishedName code that is on the
samples github which is what I was using,</div>
<div><br>
</div>
<div>Here are the files,</div>
<div><a href="https://bitbucket.org/jason_everling/idm_midpoint-dev" target="_blank">https://bitbucket.org/jason_everling/idm_midpoint-dev</a><span><font color="#888888"><br>
</font></span></div>
<span><font color="#888888">
<div><br>
</div>
<div>JASON</div>
</font></span></div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Nov 21, 2014 at 3:22
PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Jason,<br>
<br>
this is definitely strange. Please send the AD
resource configuration (without confidential
info of course). I'll try to have a more
complete look at it...<br>
<br>
What is the exact scenario? Are you creating the
user from GUI, or from external source (recon,
livesync or import)? If so, can you try to
create the user from GUI?<br>
<br>
Thank you,<br>
regards,<br>
Ivan
<div>
<div><br>
<br>
<br>
<div>On 11/21/2014 06:24 PM, Jason Everling
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I upgraded to 3.0.1 this
morning and it is still the same, it
doesn't add the iteratorToken, it is
almost as if it is using the
displayName.
<div><br>
</div>
<div>I can keep using the + name +
attribute or with what I tested today
in the below</div>
<div><br>
</div>
<div>Another way I got around it is by
creating a mapping to additionalName
with iterationToken then changing the
way the DN is built by just using the
additionalName like</div>
<div><br>
</div>
<div>'CN=' + additionalName + ',' +
organization + ''<br>
</div>
<div><br>
</div>
<div>
<div> <mapping></div>
<div> <source></div>
<div>
<path>$user/givenName</path></div>
<div> </source></div>
<div> <source></div>
<div>
<path>$user/familyName</path></div>
<div> </source></div>
<div> <expression></div>
<div> <script></div>
<div> <code></div>
<div> givenName + '
' + familyName + iterationToken</div>
<div> </code></div>
<div> </script></div>
<div> </expression></div>
<div> <target></div>
<div>
<path>additionalName</path></div>
<div> </target></div>
<div> </mapping></div>
</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Nov 20,
2014 at 1:52 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Jason,<br>
<br>
it could also help if you can try
the same with midPoint 3.0.1...<br>
<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On 11/20/2014 06:13 PM,
Jason Everling wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Ok thanks,
for now until this is
fixed just for my testing
purposes I changed it from
<div><br>
</div>
<div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">'cn='+givenName+'
'+familyName+iterationToken+',</span><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">'+organization+''</span><br>
</div>
<div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">To</span></div>
<div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">'CN='+name+',</span><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">'+organization+''</span><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">Which
works since it uses
the username instead
of first/last and
doesn't need the
iterator, this might
be the best way to go
for us in the future,
we never delete
student accounts, just
disable them, right now we
have over 6000
disabled accounts in
AD and in the future
using first/last with
iterator might get up
to flastname54 which I
am not sure we would
like anyways.</span></div>
<div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">JASON</span></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Wed, Nov 19, 2014 at
1:47 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi
Jason,<br>
<span><br>
<br>
> Just on a side
note, the username
from the db table
source gets<br>
> created
correctly with the
iteration token, it
is just not applying<br>
> the iteration
token when building
the DN for AD.<br>
><br>
<br>
</span>So I recommend
to wait for Pavol's
resolution then. He's
our primary AD<br>
connector specialist.
From what you've
written it _looks_
like AD<br>
connector specific
issue. But it's
strange as I've used
the AD connector<br>
with iterator for even
older midPoint
versions - and it has
worked.<br>
<br>
I'd have another look
at it too, just in
case.<br>
<br>
Regards,<br>
Ivan<br>
<div>
<div><br>
--<br>
Ing. Ivan Noris<br>
Senior Identity
Management
Engineer<br>
<a href="http://evolveum.com" target="_blank">evolveum.com</a><br>
___________________________________________<br>
"Idem
per idem - semper
idem Vix."<br>
<br>
_______________________________________________<br>
midPoint mailing
list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</div>
</div>
<font><br>
<br>
<span> CONFIDENTIALITY NOTICE:<br>
This e-mail together with
any attachments is
proprietary and
confidential; intended for
only the recipient(s) named
above and may contain
information that is
privileged. You should not
retain, copy or use this
e-mail or any attachments
for any purpose, or disclose
all or any part of the
contents to any person. Any
views or opinions expressed
in this e-mail are those of
the author and do not
represent those of the
Baptist School of Health
Professions. If you have
received this e-mail in
error, or are not the named
recipient(s), you are hereby
notified that any review,
dissemination, distribution
or copying of this
communication is prohibited
by the sender and to do so
might constitute a violation
of the Electronic
Communications Privacy Act,
18 U.S.C. section 2510-2521.
Please immediately notify
the sender and delete this
e-mail and any attachments
from your computer. </span></font><br>
<br>
<span>
</span></blockquote>
<span> <br>
</span></div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div>
</div>
<span><font color="#888888">
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br></div>
<br>
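<div>The DN construction discussed in this thread, as an added example that is not part of the original messages and not midPoint's own code: a stand-alone Groovy script that reproduces the <code>[OU=...]</code> result of concatenating a multi-valued organization, and builds the DN with the value unwrapped. It goes beyond the thread by escaping the CN value per RFC 4514, so a name containing a comma cannot change the DN structure. The helper names, the empty token for iteration 0 and the sample existing DNs are assumptions.</div>

```groovy
// Added example: plain Groovy, no midPoint classes; helper names are hypothetical.

// Escape an RDN attribute value per RFC 4514 so a name containing ',' or '+'
// stays inside the CN instead of changing the structure of the DN.
String escapeRdnValue(String value) {
    String special = '"+,;<>\\'
    StringBuilder out = new StringBuilder()
    for (int i = 0; i < value.length(); i++) {
        String ch = value.substring(i, i + 1)
        if ((int) value.charAt(i) == 0) { out.append('\\00'); continue }
        boolean atEdge = (i == 0 && (ch == ' ' || ch == '#')) ||
                         (i == value.length() - 1 && ch == ' ')
        if (special.contains(ch) || atEdge) out.append('\\')
        out.append(ch)
    }
    return out.toString()
}

// A multi-valued property arrives as a collection. Require exactly one value
// rather than letting the collection's toString() leak into the DN.
String singleValue(Object prop) {
    if (prop == null) throw new IllegalArgumentException('value is missing')
    if (prop instanceof Collection) {
        if (prop.size() != 1) {
            throw new IllegalArgumentException("expected exactly one value, got ${prop.size()}")
        }
        return prop.iterator().next().toString()
    }
    return prop.toString()
}

// Try '', '1', '2', ... as the iteration token until the DN is unused
// (assumed token scheme, matching "Jack Sparrow" / "Jack Sparrow1" in the thread).
String buildDn(String fullName, Object organization, Set<String> existingDns, int maxIterations = 5) {
    String suffix = singleValue(organization)
    for (int iteration = 0; iteration <= maxIterations; iteration++) {
        String token = iteration == 0 ? '' : String.valueOf(iteration)
        String dn = 'cn=' + escapeRdnValue(fullName + token) + ',' + suffix
        if (!existingDns.any { it.equalsIgnoreCase(dn) }) return dn
    }
    throw new IllegalStateException("no free DN for '${fullName}' within ${maxIterations} iterations")
}

// Constructed sample data based on the values quoted in the thread.
def org = ['OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL']
def existing = ['CN=Tim Hecks,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL',
                'CN=Tim Hecks1,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL'] as Set

// Direct concatenation of the collection gives the malformed name from the error message.
assert 'cn=' + 'Tim Hecks' + '2' + ',' + org == 'cn=Tim Hecks2,[OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL]'
assert buildDn('Tim Hecks', org, existing) == 'cn=Tim Hecks2,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL'
assert buildDn('Hecks, Tim', org, existing) == 'cn=Hecks\\, Tim,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL'
```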