<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Jason,<br>
<br>
it may be working, but it's not correct. The
"user.getIterationToken()" will get the iterator from user, not the
account.<br>
<br>
FYI it seems that we have replicated the behaviour, tracked as
<a class="moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-2102">https://jira.evolveum.com/browse/MID-2102</a><br>
<br>
Regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 11/24/2014 05:28 PM, Jason Everling
wrote:<br>
</div>
<blockquote
cite="mid:CAFkZXY6S_FmdbZZfWWiyM++-tK7hj2QOfg9POYWsAdRc-nZO6g@mail.gmail.com"
type="cite">
<div dir="ltr">Awesome!!!
<div><br>
</div>
<div>So this works, creates CN=Tim Hecks2,OU=AAD,OU=SHP
Students,DC=TEST,DC=LOCAL</div>
<div><br>
</div>
<div>
<div> <script></div>
<div> <language><a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy">http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</a></language></div>
<div> <code></div>
<div> 'cn=' + user.getFullName() +
user.getIterationToken() + ',' +
basic.stringify(user.getOrganization())</div>
<div> </code></div>
<div> </script></div>
</div>
<div><br>
</div>
<div>JASON</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Nov 24, 2014 at 9:48 AM, Ivan
Noris <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Jason,<br>
<br>
I've tried to replicate the iterator problem with CSV
(instead of AD) - no success, it works.<br>
<br>
The scenario was: pick up changes from CSV (source); not
generating unique login in midPoint; automatically
assigning role for AD (simulated by CSV) where iteration
token is used in icfs:name mapping.<br>
<br>
For source users "jacksparrow" (Jack Sparrow) and
"jcksparrow" (also Jack Sparrow) I got "jacksparrow" and
"jcksparrow" in midPoint, and "cn=Jack Sparrow,..." and
"cn=Jack Sparrow1,..." in target AD (CSV).<br>
<br>
I will still try to replicate on real AD soon.<br>
<br>
As for the Groovy/mappings etc: I believe that
basic.stringify(user.getOrganization()) would fix the
latter, but this just has to work without such hacks, by
using:<br>
<br>
<source><br>
<path>$user/fullName</path><span class=""><br>
</source><br>
<source><br>
<path>$user/organization</path><br>
</source><br>
<br>
</span> and using fullName / organization (and
iterationToken) in the mappings as before...<br>
i.e.<br>
<br>
<outbound><span class=""><br>
<source><br>
<path>$user/givenName</path><br>
</source><br>
<source><br>
<path>$user/familyName</path><br>
</source><br>
</span> <source><br>
<path>$user/organization</path><br>
</source><br>
<expression><br>
<script><br>
<code><span class=""><br>
'cn='+givenName+'
'+familyName+iterationToken+','+organization+''<br>
</span><span class="">
</code><br>
</script><br>
</expression><br>
</outbound><br>
</attribute><br>
<iteration><br>
</span>
<maxIterations>5</maxIterations><br>
</iteration><br>
<br>
So this must be either strange misconfiguration or a bug.
But as it seems to work for CSV, I have to confirm it on
real AD. It's just patching itself, so I'll let you know
after it's ready and tested.<br>
<br>
The issue with generating unique users in midPoint for
liveSync is a bug, being worked on.<br>
<br>
Regards,<br>
Ivan
<div>
<div class="h5"><br>
<br>
<div>On 11/24/2014 04:30 PM, Jason Everling wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I got a little closer, tried Groovy
and XPATH,
<div><br>
</div>
<div>Using a Groovy expression, it picks up the
iterationToken but I am getting an error in the
expressions, Groovy is new to me so here is the
code,</div>
<div><br>
</div>
<div>
<div> <code></div>
<div> "cn=" + user.getFullName() +
user.getIterationToken() + "," +
user.getOrganization();</div>
<div> </code></div>
</div>
<div><br>
</div>
<div>When trying to add the account to midpoint, I
am getting the below, you can see the
iterationToken was added but I don't think my
code above is correct</div>
<div><br>
</div>
<div><span> Attribute: {Name=__NAME__,
Value=[cn=Tim Hecks2,[OU=AAD,OU=SHP
Students,DC=TEST,DC=LOCAL]]}, </span><br>
</div>
<div><span><br>
</span></div>
<div>JASON</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Nov 21, 2014 at
5:41 PM, Jason Everling <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:jeverling@bshp.edu"
target="_blank">jeverling@bshp.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">I know so strange,
<div><br>
</div>
<div>This is basically still the same setup,
with the CSV resource how it is not
creating the username on the AD resource
when it is generating the username from
this conversation</div>
<div><a moz-do-not-send="true"
href="http://lists.evolveum.com/pipermail/midpoint/2014-November/000576.html"
target="_blank">http://lists.evolveum.com/pipermail/midpoint/2014-November/000576.html</a><br>
</div>
<div><br>
</div>
<div>I put it up on a temp repo to make it
easier for you to pull what you want to
look at, it has the latest changes I made
using the additionalName mapping, you can
add back the distinguishedName code that
is on the samples github which is what I
was using,</div>
<div><br>
</div>
<div>Here are the files,</div>
<div><a moz-do-not-send="true"
href="https://bitbucket.org/jason_everling/idm_midpoint-dev"
target="_blank">https://bitbucket.org/jason_everling/idm_midpoint-dev</a><span><font
color="#888888"><br>
</font></span></div>
<span><font color="#888888">
<div><br>
</div>
<div>JASON</div>
</font></span></div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Nov 21,
2014 at 3:22 PM, Ivan Noris <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000"> Hi Jason,<br>
<br>
this is definitely strange.
Please send the AD resource
configuration (without
confidential info of course). I'll
try to have a more complete look
at it...<br>
<br>
What is the exact scenario? Are
you creating the user from GUI, or
from external source (recon,
livesync or import)? If so, can
you try to create the user from
GUI?<br>
<br>
Thank you,<br>
regards,<br>
Ivan
<div>
<div><br>
<br>
<br>
<div>On 11/21/2014 06:24 PM,
Jason Everling wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I upgraded to
3.0.1 this morning and it
is still the same, it
doesn't add the
iteratorToken, it is
almost as if it is using
the displayName.
<div><br>
</div>
<div>I can keep using the
+ name + attribute or
with what I tested today
in the below</div>
<div><br>
</div>
<div>Another way I got around
it is by creating a
mapping to
additionalName with
iterationToken then
changing the way the DN
is built by just using
the additionalName like</div>
<div><br>
</div>
<div>'CN=' +
additionalName + ',' +
organization + ''<br>
</div>
<div><br>
</div>
<div>
<div> <mapping></div>
<div>
<source></div>
<div>
<path>$user/givenName</path></div>
<div>
</source></div>
<div>
<source></div>
<div>
<path>$user/familyName</path></div>
<div>
</source></div>
<div>
<expression></div>
<div>
<script></div>
<div>
<code></div>
<div>
givenName + ' ' +
familyName +
iterationToken</div>
<div>
</code></div>
<div>
</script></div>
<div>
</expression></div>
<div>
<target></div>
<div>
<path>additionalName</path></div>
<div>
</target></div>
<div>
</mapping></div>
</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Thu, Nov 20, 2014 at
1:52 PM, Ivan Noris <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000"> Hi
Jason,<br>
<br>
it could also help
if you can try the
same with midPoint
3.0.1...<br>
<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On
11/20/2014
06:13 PM,
Jason Everling
wrote:<br>
</div>
</div>
</div>
<blockquote
type="cite">
<div>
<div>
<div dir="ltr">Ok
thanks, for
now until this
is fixed just
for my testing
purposes I
changed it
from
<div><br>
</div>
<div><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">'cn='+givenName+'
'+familyName+iterationToken+',</span><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">'+organization+''</span><br>
</div>
<div><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">To</span></div>
<div><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">'CN='+name+',</span><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">'+organization+''</span><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">Which
works since it
uses the
username
instead of
first/last and
doesn't need
the iterator,
this might be
the best way
to go for us
in the future,
we never
delete student
accounts, just
disabled,
right now we
have over 6000
disabled
accounts in AD
and in the
future using
first/last
with iterator
might get up
to flastname54
which I am not
sure we would
like anyways.</span></div>
<div><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span
style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">JASON</span></div>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Wed, Nov 19,
2014 at 1:47
PM, Ivan Noris
<span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">Hi
Jason,<br>
<span><br>
<br>
> Just on a
side note, the
username from
the db table
source gets<br>
> created
correctly with
the iteration
token, it is
just not
applying<br>
> the
iteration
token when
building the
DN for AD.<br>
><br>
<br>
</span>So I
recommend to
wait for
Pavol's
resolution
then. He's our
primary AD<br>
connector
specialist.
From what
you've written
it _looks_
like AD<br>
connector
specific
issue. But
it's strange
as I've used
the AD
connector<br>
with iterator
for even older
midPoint
versions - and
it has worked.<br>
<br>
I'd have
another look
at it too,
just in case.<br>
<br>
Regards,<br>
Ivan<br>
<div>
<div><br>
--<br>
Ing. Ivan
Noris<br>
Senior
Identity
Management
Engineer<br>
<a
moz-do-not-send="true"
href="http://evolveum.com" target="_blank">evolveum.com</a><br>
___________________________________________<br>
"Idem per
idem - semper
idem Vix."<br>
<br>
_______________________________________________<br>
midPoint
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a
moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</div>
</div>
<font><br>
<br>
<span>
CONFIDENTIALITY
NOTICE:<br>
This e-mail
together with
any
attachments is
proprietary
and
confidential;
intended for
only the
recipient(s)
named above
and may
contain
information
that is
privileged.
You should not
retain, copy
or use this
e-mail or any
attachments
for any
purpose, or
disclose all
or any part of
the contents
to any person.
Any views or
opinions
expressed in
this e-mail
are those of
the author and
do not
represent
those of the
Baptist School
of Health
Professions.
If you have
received this
e-mail in
error, or are
not the named
recipient(s),
you are hereby
notified that
any review,
dissemination,
distribution
or copying of
this
communication
is prohibited
by the sender
and to do so
might
constitute a
violation of
the Electronic
Communications
Privacy Act,
18 U.S.C.
section
2510-2521.
Please
immediately
notify the
sender and
delete this
e-mail and any
attachments
from your
computer. </span></font><br>
<br>
<fieldset></fieldset>
<br>
<span>
</span></blockquote>
<span> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
___________________________________________
"Idem per idem - semper idem Vix."
</pre>
</span></div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div>
</div>
<span><font color="#888888">
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
evolveum.com evolveum.com/blog/
_____________________________________________
"Semper Id(e)M Vix."
</pre>
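<br>
Added example, not part of the original thread and not midPoint code: a stand-alone Groovy script showing why concatenating a multi-valued organization yields the bracketed __NAME__ value quoted above, and one way to build the DN with an iteration token, a single-value check and RFC 4514 escaping (the escaping goes beyond what the thread discusses). The helper names, the sample data and the reading of maxIterations as attempts 0 to 5 are assumptions.<br>

```groovy
// Added illustration only. All helper names and data are constructed.

// RFC 4514: escape characters that would otherwise change the DN structure.
def escapeRdnValue(String v) {
    def sb = new StringBuilder()
    for (int i = 0; i < v.length(); i++) {
        String ch = v[i]
        boolean special = '"+,;<>\\'.contains(ch) ||
                (i == 0 && (ch == ' ' || ch == '#')) ||
                (i == v.length() - 1 && ch == ' ')
        if (special) { sb.append('\\') }
        sb.append(ch)
    }
    sb.toString()
}

// Refuse to guess when a multi-valued attribute does not hold exactly one value.
def onlyValue(Collection values, String attrName) {
    if (values == null || values.size() != 1) {
        throw new IllegalStateException("expected exactly one ${attrName}, got ${values}")
    }
    values.first().toString()
}

def buildDn(String fullName, String token, Collection organization) {
    'cn=' + escapeRdnValue(fullName + token) + ',' + onlyValue(organization, 'organization')
}

// Simulated uniqueness loop: token is '' on the first attempt, then '1', '2', ...
// (assumption: maxIterations = 5 allows attempts 0 through 5).
def firstFreeDn(String fullName, Collection organization, Set takenLower, int maxIterations) {
    for (int i = 0; i <= maxIterations; i++) {
        String token = (i == 0) ? '' : String.valueOf(i)
        String dn = buildDn(fullName, token, organization)
        if (!takenLower.contains(dn.toLowerCase())) { return dn }
    }
    throw new IllegalStateException("no free DN after ${maxIterations} iterations")
}

// Constructed sample data: organization is multi-valued but holds one value.
def org = ['OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL']
def taken = ['cn=tim hecks,ou=aad,ou=shp students,dc=test,dc=local',
             'cn=tim hecks1,ou=aad,ou=shp students,dc=test,dc=local'] as Set

// Plain concatenation calls the list's toString(), which adds the brackets.
def naive = 'cn=' + 'Tim Hecks' + '2' + ',' + org
assert naive == 'cn=Tim Hecks2,[OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL]'

// Two existing entries force the token to advance to 2.
assert firstFreeDn('Tim Hecks', org, taken, 5) ==
        'cn=Tim Hecks2,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL'

// A comma inside the name must not start a new RDN.
assert buildDn('Hecks, Tim', '', org) ==
        'cn=Hecks\\, Tim,OU=AAD,OU=SHP Students,DC=TEST,DC=LOCAL'

println 'all checks passed'
```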
</body>
</html>