<div dir="ltr">So I tested, turns out it needs the 2nd order inducement.<div><br></div><div>Using Midpoint Gui to add/remove users to roles also add/removes them from AD Group, tested, works.</div><div><br></div><div>Using AD to add/remove users in Group, does not sync back to Midpoint, tested, does not sync, Should this work?</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 28, 2014 at 11:28 AM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Meant to say I commented out the 2nd order inducement,<div><br></div><div>JASON</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 28, 2014 at 11:27 AM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for the followup, yes the groups to roles are created and vice-versa but users are not synced to roles or groups, I am using the domain administrator account so it shouldn't be an issue.<div><br></div><div>One thing I changed from the original samples was the Metarole, these lines for the 2nd order incudment. WOuld this be the reason users are not synced to groups/roles? I had already had a role in midpoint that has the AD resource inducement so I figured it was not necessary unless I misinterpreted the comments.</div><div><br></div><div><pre style="margin-top:0px;margin-bottom:0px;padding:0px;font-family:Consolas,Menlo,'Liberation Mono',Courier,monospace;font-size:12px;line-height:1.4;color:rgb(51,51,51)"> <span style="color:rgb(153,153,136);font-style:italic"><!-- This inducement causes creation of AD account that is in AD group for any USER that possesses any role that possesses this metarole --></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-37" style="color:rgb(53,114,176)"></a> <span style="color:rgb(153,153,136);font-style:italic"><!-- That's why this is called second-order inducement --></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-41" style="color:rgb(53,114,176)"></a>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-42" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <inducement></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-43" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <construction></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-44" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef" type="c:ResourceType"/></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-45" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <kind>account</kind></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-46" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <intent>default</intent></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-47" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <association></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-48" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <ref>ri:group</ref></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-49" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <outbound></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-50" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <expression></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-51" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <associationFromLink></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-52" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <projectionDiscriminator></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-53" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <kind>entitlement</kind></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-54" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <intent>group</intent></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-55" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> </projectionDiscriminator></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-56" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> </associationFromLink></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-57" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> </expression></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-58" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> </outbound></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-59" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> </association></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-60" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> </construction></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-61" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> <order>2</order></span>
<a name="149f772b6a513d73_149f771c3b26d1e1_cl-62" style="color:rgb(53,114,176)"></a><span style="color:rgb(153,153,136);font-style:italic"> </inducement></span></pre></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 28, 2014 at 3:49 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Sorry for late responding - but you've already got your solution, it
was the right track indeed. Not using the samAccountName attribute
will cause AD to generate a random value (we were using this feature
in one deployment). This is the same also for Users (and
sAMAccountName attribute).<br>
<br>
For the future you may also want to check the schema in the resource
object (Configuration - Repository objects - your AD resource) - you
will see all usable attributes if you are unsure of which are
supported by the connector. This works after the schema was fetched,
which is the first connection to your AD (e.g. the TEST connection
for the resource).<br>
<br>
Of course this is usable for all other connectors as well.<br>
<br>
One more related thing to the permissions: to add/remove AD users to
the groups, your AD permissions must allow you to modify the <b>groups</b>.
(As the group membership is using the members attribute of the
groups.)<br>
I.e. permissions just to modify Users will be not enough.<br>
<br>
But as you are able to create groups, this should be ok now.<br>
<br>
Regards,<br>
Ivan<div><div><br>
<br>
<div>On 11/27/2014 11:56 PM, Jason Everling
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Ah so I was on the right track, it works now, I had
seen that (samAccountName) in the group schema but thought maybe
it was a typo so I had changed it to sAMAccountName.
<div><br>
</div>
<div>Changed the name for a role and the attribute updated
correctly now!</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Nov 27, 2014 at 4:50 PM, Pavol
Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Ah, this is a stupidity in original AD connector that
I've inherited.<br>
(And didn't have the courage to fix up to now.)<br>
Sorry for that.<br>
<br>
For groups, please use <b>samAccountName</b> (not
sAMAccountName) as for users.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">Spoke too soon, seems it errors when
using sAMAccountName under the object type,
<div><br>
</div>
<div><span>Definition of attribute sAMAccountName
not found in object class {<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3%7DCustomGroupObjectClass" target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}CustomGroupObjectClass</a> </span></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Nov 27, 2014 at
4:40 PM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hah, nevermind, I just needed
create a attribute for sAMAccountName under
the objecttype using the +name+ outbound,
<div><br>
</div>
<div>JASON</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Nov 27,
2014 at 4:36 PM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Not sure why I didn't
think about that after looking at
it so many times, working now.
<div><br>
</div>
<div>One more question, the roles
get created in AD as groups now
but it does not update the
sAMAccountName, so it created
the
cn=tester,ou=groups,dc=test,dc=local
and common name is testers but
the sAMAccountName or the Group
Name (Pre Windows 2000) is a
random value
like $K61000-DN631FIPKSLL</div>
<div><br>
</div>
<div>How can that be fixed?</div>
<div><br>
</div>
<div>Thanks Again!</div>
<span><font color="#888888">
<div>JASON</div>
</font></span></div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Thu, Nov 27, 2014 at 4:18
PM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hello Jason,<br>
<br>
as far as I know, in
Active Directory CN is
not updateable. It
suffices to
create/update
icfs:name attribute,
and CN is updated
automatically.<br>
<br>
So, I would suggest to
drop outbound mapping
from CN attribute,
i.e. this one:<br>
<br>
<outbound><br>
<source><br>
<path>$focus/name</path><br>
</source><br>
</outbound><br>
<br>
Best regards,<br>
Pavol
<div>
<div><br>
<br>
On 27. 11. 2014
19:23, Jason
Everling wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">I
cannot figure
this one out, I
followed the
groups sync in
the wiki and
from the github
samples along
with the
metarole and
role template.
<div><br>
</div>
<div>When
creating a
role in
Midpoint it
attempts to
create the
group in AD
but I get an
error, look at
the debug page
it has the
correct DN and
CN.</div>
<div><br>
</div>
<div><span><span>operation.com.evolveum.midpoint.model.impl.lens.ChangeExecutor.execute</span></span><span></span>
<div>
<ul style="margin:0px;list-style:none outside none;padding:0px">
<li style="padding:1px 0px;list-style:none outside none;margin:0px;text-overflow:ellipsis;overflow:auto"><span>Security
violation
during
processing
shadow shadow:
null
(OID:null):
Attempt to add
shadow with
non-createable
attribute {<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3%7Dcn" target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}cn</a></span></li>
<li title="Fatal
error" style="padding:2px 0px 1px 25px;list-style:none outside none;margin:5px 0px 0px;text-overflow:ellipsis;overflow:auto;background-image:url(http://10.200.0.155/midpoint/img/messages-error-icon.png);background-repeat:no-repeat"><span style="margin-top:0px">Security violation during processing shadow
shadow: null
(OID:null):
Attempt to add
shadow with
non-createable
attribute {<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3%7Dcn" target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}cn</a></span></li>
</ul>
</div>
</div>
<div>
<div><br>
</div>
<div>
<table>
<tbody>
<tr>
<th style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221);background-color:rgb(249,249,249)">Activity</th>
<th style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221);background-color:rgb(249,249,249)">Status</th>
<th style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221);background-color:rgb(249,249,249)">Resource
object (if
applicable)</th>
</tr>
<tr>
<td style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221)"><span>Computing
projections of
the focus
object</span></td>
<td style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221)"><span title="SUCCESS" style="color:rgb(70,136,71);display:inline-block;font-family:FontAwesome;line-height:0.75em;font-size:1.33333333333333em;vertical-align:-15%;width:1.28571428571429em;text-align:center"></span><br>
</td>
<td style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221)"><span></span><br>
</td>
</tr>
<tr>
<td style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221);background-color:rgb(249,249,249)"><span>Entitlement
(group) on
Active
Directory</span></td>
<td style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221);background-color:rgb(249,249,249)"><span title="FATAL_ERROR" style="color:rgb(185,74,72);display:inline-block;font-family:FontAwesome;line-height:0.75em;font-size:1.33333333333333em;vertical-align:-15%;width:1.28571428571429em;text-align:center"></span><br>
</td>
<td style="padding:5px;line-height:1.428571429;vertical-align:top;border:1px solid rgb(221,221,221);background-color:rgb(249,249,249)"><span>Add:Fatal
error ->
cn=TESTER,ou=Groups,dc=test,dc=local</span></td>
</tr>
</tbody>
</table>
</div>
<div><br>
</div>
<div>I
attached the
AD Resource,
Role Template,
and MetaRole</div>
</div>
</div>
<br>
</div>
</div>
<font><br>
<br>
CONFIDENTIALITY
NOTICE:<br>
This e-mail together
with any attachments
is proprietary and
confidential;
intended for only
the recipient(s)
named above and may
contain information
that is privileged.
You should not
retain, copy or use
this e-mail or any
attachments for any
purpose, or disclose
all or any part of
the contents to any
person. Any views or
opinions expressed
in this e-mail are
those of the author
and do not represent
those of the Baptist
School of Health
Professions. If you
have received this
e-mail in error, or
are not the named
recipient(s), you
are hereby notified
that any review,
dissemination,
distribution or
copying of this
communication is
prohibited by the
sender and to do so
might constitute a
violation of the
Electronic
Communications
Privacy Act, 18
U.S.C. section
2510-2521. Please
immediately notify
the sender and
delete this e-mail
and any attachments
from your computer.
</font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is
proprietary and confidential; intended for only
the recipient(s) named above and may contain
information that is privileged. You should not
retain, copy or use this e-mail or any attachments
for any purpose, or disclose all or any part of
the contents to any person. Any views or opinions
expressed in this e-mail are those of the author
and do not represent those of the Baptist School
of Health Professions. If you have received this
e-mail in error, or are not the named
recipient(s), you are hereby notified that any
review, dissemination, distribution or copying of
this communication is prohibited by the sender and
to do so might constitute a violation of the
Electronic Communications Privacy Act, 18 U.S.C.
section 2510-2521. Please immediately notify the
sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is proprietary and
confidential; intended for only the recipient(s) named above and
may contain information that is privileged. You should not
retain, copy or use this e-mail or any attachments for any
purpose, or disclose all or any part of the contents to any
person. Any views or opinions expressed in this e-mail are those
of the author and do not represent those of the Baptist School
of Health Professions. If you have received this e-mail in
error, or are not the named recipient(s), you are hereby
notified that any review, dissemination, distribution or copying
of this communication is prohibited by the sender and to do so
might constitute a violation of the Electronic Communications
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
notify the sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div></div><span><font color="#888888"><pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
<br>
<font size="2"><br><br>CONFIDENTIALITY NOTICE:<br>This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </font><br>