<div dir="ltr">Meant to say I commented out the 2nd order inducement,<div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 28, 2014 at 11:27 AM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for the followup, yes the groups to roles are created and vice-versa but users are not synced to roles or groups, I am using the domain administrator account so it shouldn't be an issue.<div><br></div><div>One thing I changed from the original samples was the Metarole, these lines for the 2nd order incudment. WOuld this be the reason users are not synced to groups/roles? I had already had a role in midpoint that has the AD resource inducement so I figured it was not necessary unless I misinterpreted the comments.</div><div><br></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;font-family:Consolas,Menlo,'Liberation Mono',Courier,monospace;font-size:12px;line-height:1.4;color:rgb(51,51,51)">            <span style="color:rgb(153,153,136);font-style:italic"><!-- This inducement causes creation of AD account that is in AD group for any USER that possesses any role that possesses this metarole --></span>
<a name="149f771c3b26d1e1_cl-37" style="color:rgb(53,114,176)"></a>            <span style="color:rgb(153,153,136);font-style:italic"><!-- That's why this is called second-order inducement --></span>
<a name="149f771c3b26d1e1_cl-41" style="color:rgb(53,114,176)"></a>
<a name="149f771c3b26d1e1_cl-42" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">            <inducement></span>
<a name="149f771c3b26d1e1_cl-43" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                <construction></span>
<a name="149f771c3b26d1e1_cl-44" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                    <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef" type="c:ResourceType"/></span>
<a name="149f771c3b26d1e1_cl-45" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                    <kind>account</kind></span>
<a name="149f771c3b26d1e1_cl-46" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                    <intent>default</intent></span>
<a name="149f771c3b26d1e1_cl-47" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                    <association></span>
<a name="149f771c3b26d1e1_cl-48" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                        <ref>ri:group</ref></span>
<a name="149f771c3b26d1e1_cl-49" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                        <outbound></span>
<a name="149f771c3b26d1e1_cl-50" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                            <expression></span>
<a name="149f771c3b26d1e1_cl-51" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                                <associationFromLink></span>
<a name="149f771c3b26d1e1_cl-52" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                                    <projectionDiscriminator></span>
<a name="149f771c3b26d1e1_cl-53" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                                        <kind>entitlement</kind></span>
<a name="149f771c3b26d1e1_cl-54" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                                        <intent>group</intent></span>
<a name="149f771c3b26d1e1_cl-55" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                                    </projectionDiscriminator></span>
<a name="149f771c3b26d1e1_cl-56" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                                </associationFromLink></span>
<a name="149f771c3b26d1e1_cl-57" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                            </expression></span>
<a name="149f771c3b26d1e1_cl-58" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                        </outbound></span>
<a name="149f771c3b26d1e1_cl-59" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                    </association></span>
<a name="149f771c3b26d1e1_cl-60" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                </construction></span>
<a name="149f771c3b26d1e1_cl-61" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">                <order>2</order></span>
<a name="149f771c3b26d1e1_cl-62" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic">            </inducement></span></pre></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 28, 2014 at 3:49 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Sorry for late responding - but you've already got your solution, it
    was the right track indeed. Not using the samAccountName attribute
    will cause AD to generate a random value (we were using this feature
    in one deployment). This is the same also for Users (and
    sAMAccountName attribute).<br>
    <br>
    For the future you may also want to check the schema in the resource
    object (Configuration - Repository objects - your AD resource) - you
    will see all usable attributes if you are unsure of which are
    supported by the connector. This works after the schema was fetched,
    which is the first connection to your AD (e.g. the TEST connection
    for the resource).<br>
    <br>
    Of course this is usable for all other connectors as well.<br>
    <br>
    One more related thing to the permissions: to add/remove AD users to
    the groups, your AD permissions must allow you to modify the <b>groups</b>.
    (As the group membership is using the members attribute of the
    groups.)<br>
    I.e. permissions just to modify Users will be not enough.<br>
    <br>
    But as you are able to create groups, this should be ok now.<br>
    <br>
    Regards,<br>
    Ivan<div><div><br>
    <br>
    <div>On 11/27/2014 11:56 PM, Jason Everling
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Ah so I was on the right track, it works now, I had
        seen that (samAccountName) in the group schema but thought maybe
        it was a typo so I had changed it to sAMAccountName.
        <div><br>
        </div>
        <div>Changed the name for a role and the attribute updated
          correctly now!</div>
        <div><br>
        </div>
        <div>JASON</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Nov 27, 2014 at 4:50 PM, Pavol
          Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>Ah, this is a stupidity in original AD connector that
                I've inherited.<br>
                (And didn't have the courage to fix up to now.)<br>
                Sorry for that.<br>
                <br>
                For groups, please use <b>samAccountName</b> (not
                sAMAccountName) as for users.<br>
                <br>
                Best regards,<br>
                Pavol<br>
                <br>
              </div>
              <div>
                <div>
                  <blockquote type="cite">
                    <div dir="ltr">Spoke too soon, seems it errors when
                      using sAMAccountName under the object type,
                      <div><br>
                      </div>
                      <div><span>Definition of attribute sAMAccountName
                          not found in object class {<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3%7DCustomGroupObjectClass" target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}CustomGroupObjectClass</a> </span></div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Thu, Nov 27, 2014 at
                        4:40 PM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div dir="ltr">Hah, nevermind, I just needed
                            create a attribute for sAMAccountName under
                            the objecttype using the +name+ outbound,
                            <div><br>
                            </div>
                            <div>JASON</div>
                          </div>
                          <div>
                            <div>
                              <div class="gmail_extra"><br>
                                <div class="gmail_quote">On Thu, Nov 27,
                                  2014 at 4:36 PM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span>
                                  wrote:<br>
                                  <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                    <div dir="ltr">Not sure why I didn't
                                      think about that after looking at
                                      it so many times, working now.
                                      <div><br>
                                      </div>
                                      <div>One more question, the roles
                                        get created in AD as groups now
                                        but it does not update the
                                        sAMAccountName, so it created
                                        the
                                        cn=tester,ou=groups,dc=test,dc=local
                                        and common name is testers but
                                        the sAMAccountName or the Group
                                        Name (Pre Windows 2000) is a
                                        random value
                                        like $K61000-DN631FIPKSLL</div>
                                      <div><br>
                                      </div>
                                      <div>How can that be fixed?</div>
                                      <div><br>
                                      </div>
                                      <div>Thanks Again!</div>
                                      <span><font color="#888888">
                                          <div>JASON</div>
                                        </font></span></div>
                                    <div>
                                      <div>
                                        <div class="gmail_extra"><br>
                                          <div class="gmail_quote">On
                                            Thu, Nov 27, 2014 at 4:18
                                            PM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
                                            wrote:<br>
                                            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                              <div bgcolor="#FFFFFF" text="#000000">
                                                <div>Hello Jason,<br>
                                                  <br>
                                                  as far as I know, in
                                                  Active Directory CN is
                                                  not updateable. It
                                                  suffices to
                                                  create/update
                                                  icfs:name attribute,
                                                  and CN is updated
                                                  automatically.<br>
                                                  <br>
                                                  So, I would suggest to
                                                  drop outbound mapping
                                                  from CN attribute,
                                                  i.e. this one:<br>
                                                  <br>
                                                                     
                                                  <outbound><br>
                                                                         

                                                  <source><br>
                                                                             

<path>$focus/name</path><br>
                                                                         

                                                  </source><br>
                                                                     
                                                  </outbound><br>
                                                  <br>
                                                  Best regards,<br>
                                                  Pavol
                                                  <div>
                                                    <div><br>
                                                      <br>
                                                      On 27. 11. 2014
                                                      19:23, Jason
                                                      Everling wrote:<br>
                                                    </div>
                                                  </div>
                                                </div>
                                                <blockquote type="cite">
                                                  <div>
                                                    <div>
                                                      <div dir="ltr">I
                                                        cannot figure
                                                        this one out, I
                                                        followed the
                                                        groups sync in
                                                        the wiki and
                                                        from the github
                                                        samples along
                                                        with the
                                                        metarole and
                                                        role template.
                                                        <div><br>
                                                        </div>
                                                        <div>When
                                                          creating a
                                                          role in
                                                          Midpoint it
                                                          attempts to
                                                          create the
                                                          group in AD
                                                          but I get an
                                                          error, look at
                                                          the debug page
                                                          it has the
                                                          correct DN and
                                                          CN.</div>
                                                        <div><br>
                                                        </div>
                                                        <div><span><span>operation.com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute</span></span><span></span>
                                                          <div>
                                                          <ul style="margin:0px;list-style:none outside none;padding:0px">
                                                          <li style="padding:1px 0px;list-style:none outside none;margin:0px;text-overflow:ellipsis;overflow:auto"><span>Security

                                                          violation
                                                          during
                                                          processing
                                                          shadow shadow:
                                                          null
                                                          (OID:null):
                                                          Attempt to add
                                                          shadow with
                                                          non-createable
                                                          attribute {<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3%7Dcn" target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}cn</a></span></li>
                                                          <li title="Fatal
                                                          error" style="padding:2px 0px 1px 25px;list-style:none outside none;margin:5px 0px 0px;text-overflow:ellipsis;overflow:auto;background-image:url(http://10.200.0.155/midpoint/img/messages-error-icon.png);background-repeat:no-repeat"><span style="margin-top:0px">Security violation during processing shadow
                                                          shadow: null
                                                          (OID:null):
                                                          Attempt to add
                                                          shadow with
                                                          non-createable
                                                          attribute {<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3%7Dcn" target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}cn</a></span></li>
                                                          </ul>
                                                          </div>
                                                        </div>
                                                        <div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <table>
                                                          <tbody>
                                                          <tr>
                                                          <th style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221);background-color:rgb(249,249,249)">Activity</th>
                                                          <th style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221);background-color:rgb(249,249,249)">Status</th>
                                                          <th style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221);background-color:rgb(249,249,249)">Resource


                                                          object (if
                                                          applicable)</th>
                                                          </tr>
                                                          <tr>
                                                          <td style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221)"><span>Computing

                                                          projections of
                                                          the focus
                                                          object</span></td>
                                                          <td style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221)"><span title="SUCCESS" style="color:rgb(70,136,71);display:inline-block;font-family:FontAwesome;line-height:0.75em;font-size:1.33333333333333em;vertical-align:-15%;width:1.28571428571429em;text-align:center"></span><br>
                                                          </td>
                                                          <td style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221)"><span></span><br>
                                                          </td>
                                                          </tr>
                                                          <tr>
                                                          <td style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221);background-color:rgb(249,249,249)"><span>Entitlement


                                                          (group) on
                                                          Active
                                                          Directory</span></td>
                                                          <td style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221);background-color:rgb(249,249,249)"><span title="FATAL_ERROR" style="color:rgb(185,74,72);display:inline-block;font-family:FontAwesome;line-height:0.75em;font-size:1.33333333333333em;vertical-align:-15%;width:1.28571428571429em;text-align:center"></span><br>
                                                          </td>
                                                          <td style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221);background-color:rgb(249,249,249)"><span>Add:Fatal


                                                          error ->
                                                          cn=TESTER,ou=Groups,dc=test,dc=local</span></td>
                                                          </tr>
                                                          </tbody>
                                                          </table>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>I
                                                          attached the
                                                          AD Resource,
                                                          Role Template,
                                                          and MetaRole</div>
                                                        </div>
                                                      </div>
                                                      <br>
                                                    </div>
                                                  </div>
                                                  <font><br>
                                                    <br>
                                                    CONFIDENTIALITY
                                                    NOTICE:<br>
                                                    This e-mail together
                                                    with any attachments
                                                    is proprietary and
                                                    confidential;
                                                    intended for only
                                                    the recipient(s)
                                                    named above and may
                                                    contain information
                                                    that is privileged.
                                                    You should not
                                                    retain, copy or use
                                                    this e-mail or any
                                                    attachments for any
                                                    purpose, or disclose
                                                    all or any part of
                                                    the contents to any
                                                    person. Any views or
                                                    opinions expressed
                                                    in this e-mail are
                                                    those of the author
                                                    and do not represent
                                                    those of the Baptist
                                                    School of Health
                                                    Professions. If you
                                                    have received this
                                                    e-mail in error, or
                                                    are not the named
                                                    recipient(s), you
                                                    are hereby notified
                                                    that any review,
                                                    dissemination,
                                                    distribution or
                                                    copying of this
                                                    communication is
                                                    prohibited by the
                                                    sender and to do so
                                                    might constitute a
                                                    violation of the
                                                    Electronic
                                                    Communications
                                                    Privacy Act, 18
                                                    U.S.C. section
                                                    2510-2521. Please
                                                    immediately notify
                                                    the sender and
                                                    delete this e-mail
                                                    and any attachments
                                                    from your computer.
                                                  </font><br>
                                                  <br>
                                                  <fieldset></fieldset>
                                                  <br>
                                                  <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
                                                </blockquote>
                                                <br>
                                              </div>
                                              <br>
_______________________________________________<br>
                                              midPoint mailing list<br>
                                              <a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
                                              <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
                                              <br>
                                            </blockquote>
                                          </div>
                                          <br>
                                        </div>
                                      </div>
                                    </div>
                                  </blockquote>
                                </div>
                                <br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                    <br>
                    <font><br>
                      <br>
                      CONFIDENTIALITY NOTICE:<br>
                      This e-mail together with any attachments is
                      proprietary and confidential; intended for only
                      the recipient(s) named above and may contain
                      information that is privileged. You should not
                      retain, copy or use this e-mail or any attachments
                      for any purpose, or disclose all or any part of
                      the contents to any person. Any views or opinions
                      expressed in this e-mail are those of the author
                      and do not represent those of the Baptist School
                      of Health Professions. If you have received this
                      e-mail in error, or are not the named
                      recipient(s), you are hereby notified that any
                      review, dissemination, distribution or copying of
                      this communication is prohibited by the sender and
                      to do so might constitute a violation of the
                      Electronic Communications Privacy Act, 18 U.S.C.
                      section 2510-2521. Please immediately notify the
                      sender and delete this e-mail and any attachments
                      from your computer. </font><br>
                    <br>
                    <fieldset></fieldset>
                    <br>
                    <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
            <br>
            _______________________________________________<br>
            midPoint mailing list<br>
            <a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
            <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <font><br>
        <br>
        CONFIDENTIALITY NOTICE:<br>
        This e-mail together with any attachments is proprietary and
        confidential; intended for only the recipient(s) named above and
        may contain information that is privileged. You should not
        retain, copy or use this e-mail or any attachments for any
        purpose, or disclose all or any part of the contents to any
        person. Any views or opinions expressed in this e-mail are those
        of the author and do not represent those of the Baptist School
        of Health Professions. If you have received this e-mail in
        error, or are not the named recipient(s), you are hereby
        notified that any review, dissemination, distribution or copying
        of this communication is prohibited by the sender and to do so
        might constitute a violation of the Electronic Communications
        Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
        notify the sender and delete this e-mail and any attachments
        from your computer. </font><br>
      <br>
      <fieldset></fieldset>
      <br>
      <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
    </div></div><span><font color="#888888"><pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  _____________________________________________
  "Semper Id(e)M Vix."
</pre>
  </font></span></div>

<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>

<br>
<font size="2"><br><br>CONFIDENTIALITY NOTICE:<br>This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </font><br>