<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><div>Hello Martin,</div><div><br></div><div>If I understand right, you need to link users coming from DB with users in LDAP according to email address, not DN. If you want midPoint to automatically decide if the user should be created or linked to the existing one, you need to do the following steps.</div><div><br></div><div><ol><li><span style="font-size: 12pt;" data-mce-style="font-size: 12pt;">In your LDAP server, set email address as unique attribute.</span></li><li><span style="font-size: 12pt;" data-mce-style="font-size: 12pt;">In midPoint:</span></li><ul><li><span style="font-size: 12pt;" data-mce-style="font-size: 12pt;"><span style="font-size: 12pt;" data-mce-style="font-size: 12pt;">set email address as secondary identifier in your schemaHandling - this will provide that if the account already exists in the LDAP, midPoint will try to find an owner and link them together<br></span></span><div><br></div><span style="font-size: 12pt;" data-mce-style="font-size: 12pt;">&lt;attribute&gt;<br></span><span style="font-size: 12pt;" data-mce-style="font-size: 12pt;">    &lt;ref&gt;ri:email&lt;/ref&gt;<br></span><span style="font-size: 12pt;" data-mce-style="font-size: 12pt;">    &lt;displayName&gt;Email address&lt;/displayName&gt;<br></span><span style="font-size: 12pt;" data-mce-style="font-size: 12pt;">    <strong>&lt;secondaryIdentifier&gt;true&lt;/secondaryIdentifier&gt;</strong><br></span><span style="font-size: 12pt;" data-mce-style="font-size: 12pt;">&lt;outbound&gt;<br>......<br></span></li><li><span style="font-size: 12pt;">set your correlation rule to match users according to the emailAddress - during already exists situation discovery, correlation rule will be used to match user in midPoint (according to your settings of action-reaction, account should be linked to the existing user or new user will be created).<br><div><br></div></span><span data-mce-style="font-size: 12pt;" style="font-size: 12pt;">&lt;q:equal&gt;</span><span data-mce-style="font-size: 12pt;" style="font-size: 12pt;"> <br></span><span style="font-size: 12pt;"></span><span style="font-size: 12pt;">    &lt;q:path&gt;emailAddress&lt;/q:path&gt;   <strong>&lt;!--the user's attribute to which the emailAddress from the DB is mapped--&gt;</strong><br></span><span style="font-size: 12pt;">    &lt;expression&gt;<br></span><span style="font-size: 12pt;">    &lt;script&gt;<br></span><span style="font-size: 12pt;">        &lt;code&gt;<br></span><span style="font-size: 12pt;">                declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";<br><span style="font-size: 12pt;">                $account/attributes/ri:email     &lt;!--<strong>email address attribute in LDAP --&gt;</strong><br></span></span><span style="font-size: 12pt;">        &lt;/code&gt;<br></span><span style="font-size: 12pt;">    &lt;/script&gt;<br></span><span style="font-size: 12pt;">    &lt;/expression&gt;<br></span><span style="font-size: 12pt;">&lt;/q:equal&gt;</span></li><li><span style="font-size: 12pt;">run reconciliation for DB resource (this scenario expects that you have configured object template which will provide creation of account in your LDAP)</span></li></ul></ol><div><br></div><div>If you have some other questions or something does not work as expected, please let me know.</div><div><br></div><div>Hope this will help you,</div><div>with kind regards,</div><div>Katarina Valalikova</div></div><div><br></div><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;" data-mce-style="color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><b>From: </b>"Martin Lízner - AMI Praha a.s." 
&lt;martin.lizner@ami.cz&gt;<br><b>To: </b>"midPoint General Discussion" &lt;midpoint@lists.evolveum.com&gt;<br><b>Sent: </b>Tuesday, March 31, 2015 2:24:05 PM<br><b>Subject: </b>Re: [midPoint] Ad-hoc Reconciliation<br><div><br></div><div dir="ltr">Hi Ivan, I would say that most of the users coming from DB will have an account in LDAP. Yes, email would be the pairing attribute. This sounds like a perfect scenario for correlation via synchro or reconc, but again I need to look up in the resource (in order to get DN), not in midPoint :-)</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><table style="font-family:Verdana,Arial,Helvetica,sans-serif;border-collapse:collapse;padding:0px;margin:0px;border-width:0px!important;border-style:solid!important;width:482px!important" data-mce-style="font-family: Verdana,Arial,Helvetica,sans-serif; border-collapse: collapse; padding: 0px; margin: 0px; border-width: 0px!important; border-style: solid!important; width: 482px!important;" class="mceItemTable"><tbody><tr style="padding:0px;margin:0px;border:0px solid gray!important" data-mce-style="padding: 0px; margin: 0px; border: 0px solid gray!important;"><td colspan="2" style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;vertical-align:bottom;padding:0px;border:0px solid gray!important" data-mce-style="color: #000000; font-family: Arial,sans-serif; font-size: 11px; vertical-align: bottom; padding: 0px; border: 0px solid gray!important;"><p><span style="font-size:14px;font-weight:bold" data-mce-style="font-size: 14px; font-weight: bold;">Martin Lízner</span><br>solution architect<br></p><div><br></div><p>gsm: [+420] 737 745 571<br>e-mail: <a href="mailto:jmeno.prijmeni@ami.cz" target="_blank" data-mce-href="mailto:jmeno.prijmeni@ami.cz">martin.lizner@ami.cz</a></p></td><td 
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right-width:1px;border-right-style:solid;border-right-color:rgb(204,204,204);padding:0px;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important" data-mce-style="color: #000000; font-family: Verdana,Arial,Helvetica,sans-serif; font-size: 10px; border-right-width: 1px; border-right-style: solid; border-right-color: #cccccc; padding: 0px; border-top-width: 0px!important; border-bottom-width: 0px!important; border-left-width: 0px!important; border-top-style: solid!important; border-bottom-style: solid!important; border-left-style: solid!important; border-top-color: gray!important; border-bottom-color: gray!important; border-left-color: gray!important;">   </td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray!important" data-mce-style="color: #000000; font-family: Verdana,Arial,Helvetica,sans-serif; font-size: 10px; padding: 0px; border: 0px solid gray!important;">   </td><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;vertical-align:bottom;padding:0px;border:0px solid gray!important" data-mce-style="color: #000000; font-family: Arial,sans-serif; font-size: 11px; vertical-align: bottom; padding: 0px; border: 0px solid gray!important;"><p>AMI Praha a.s.<br>Pláničkova 11<br>162 00 Praha 6<br>tel.: [+420] 274 783 239<br>web: <a href="http://www.ami.cz/" target="_blank" data-mce-href="http://www.ami.cz/">www.ami.cz</a></p></td><td 
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right-width:1px;border-right-style:solid;border-right-color:rgb(204,204,204);padding:0px;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important" data-mce-style="color: #000000; font-family: Verdana,Arial,Helvetica,sans-serif; font-size: 10px; border-right-width: 1px; border-right-style: solid; border-right-color: #cccccc; padding: 0px; border-top-width: 0px!important; border-bottom-width: 0px!important; border-left-width: 0px!important; border-top-style: solid!important; border-bottom-style: solid!important; border-left-style: solid!important; border-top-color: gray!important; border-bottom-color: gray!important; border-left-color: gray!important;">   </td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray!important" data-mce-style="color: #000000; font-family: Verdana,Arial,Helvetica,sans-serif; font-size: 10px; padding: 0px; border: 0px solid gray!important;">   </td><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;margin:8px;border:0px solid gray!important" data-mce-style="color: #000000; font-family: Arial,sans-serif; font-size: 11px; margin: 8px; border: 0px solid gray!important;"><p><img alt="" style="border:0px" src="http://www.ami.cz/images/podpis/ami_logo.gif" data-mce-style="border: 0px;"></p></td></tr><tr style="padding:0px;margin:0px;border:0px solid gray!important" data-mce-style="padding: 0px; margin: 0px; border: 0px solid gray!important;"><td colspan="8" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray!important" data-mce-style="color: #000000; 
font-family: Verdana,Arial,Helvetica,sans-serif; font-size: 10px; padding: 0px; border: 0px solid gray!important;"><br><a href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/audit-roli-a-opravneni-sap" target="_blank" data-mce-href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/audit-roli-a-opravneni-sap"><img alt="" style="border:0px;width:480px;height:82px" src="http://www.ami.cz/images/podpis/AMI-podpis-AuditSAP_1.png" data-mce-style="border: 0px; width: 480px; height: 82px;"></a></td></tr><tr style="padding:0px;margin:0px;border:0px solid gray!important" data-mce-style="padding: 0px; margin: 0px; border: 0px solid gray!important;"><td colspan="8" style="color:rgb(128,128,128);font-family:Arial,sans-serif;font-size:11px;padding:0px;border:0px solid gray!important" data-mce-style="color: #808080; font-family: Arial,sans-serif; font-size: 11px; padding: 0px; border: 0px solid gray!important;"><br>By the text of this e-mail, the signatory neither promises to conclude nor concludes any contract<br>on behalf of AMI Praha a.s. Any contract, if concluded, must be exclusively in written form.</td></tr></tbody></table></div><br></div></div></div><br><div class="gmail_quote">2015-03-31 14:19 GMT+02:00 Ivan Noris <span dir="ltr">&lt;<a href="mailto:ivan.noris@evolveum.com" target="_blank" data-mce-href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" data-mce-style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;"><div>Hi Martin,<br> <br> is every user that is being synced from DB and created in midPoint expected to have an existing account in LDAP?<br> Do you have the same value of the email attribute in midPoint and LDAP?<br>I.<div><div class="h5"><br> <br><div>On 03/31/2015 02:13 PM, Martin Lízner - AMI Praha a.s. 
wrote:<br></div></div></div><blockquote><div><div class="h5"><div dir="ltr">Hi guys, I'm in a situation where I have one really big LDAP with no changelog, which can be fully reconciled e.g. every 24 hours. I get new identities being synced from the DB resource every minute or so. Right after a new DB user is created in midPoint I need to ad hoc reconcile this user with the LDAP resource. I can look up the user via email attribute, I don't know the LDAP DN yet.<div><br></div><div>I guess that typical correlation logic in synchronization won't help me here, since I need to query the resource, not IdM. I came to these two solutions, but I don't know how to implement them in midPoint. And maybe there is a better way...<br><div><br></div><div>1. Query resource objects in LDAP connector. Using standard LDAP filter with email=XXX and fetching DN =&gt; linking to midPoint User. I'm not sure if midPoint can do these queries yet.</div><div><br></div><div>2. Query shadow objects in midPoint repo. These would have been loaded in last reconc. It wouldn't be 100% online, but might work for my business case. 
Unfortunately, I haven't found how to extend shadow schema in the doc :-(</div><div><br></div><div>Please help, if you can :-)<br></div><div><br></div><div>Regards, Martin</div><div><div><div><div dir="ltr"><div></div><br></div></div></div></div></div></div><br><fieldset></fieldset><br></div></div><pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank" data-mce-href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" data-mce-href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span class="HOEnZb"><span color="#888888" data-mce-style="color: #888888;" style="color: #888888;">
</span></span></pre><span class="HOEnZb"><span color="#888888" data-mce-style="color: #888888;" style="color: #888888;"> </span></span></blockquote><span class="HOEnZb"><span class="HOEnZb"><span color="#888888" data-mce-style="color: #888888;" style="color: #888888;"> <br></span></span></span><pre>-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  <a href="http://evolveum.com" target="_blank" data-mce-href="http://evolveum.com">evolveum.com</a>                     <a href="http://evolveum.com/blog/" target="_blank" data-mce-href="http://evolveum.com/blog/">evolveum.com/blog/</a>
  ___________________________________________________
  "Semper Id(e)M Vix."
</pre></div><br></blockquote></div><br></div><br></div><div><br></div></div></body></html>