<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Илья, Алексей,<br>
<br>
yes, this is a strong reason.<br>
<br>
If immediate reaction to illegitimate situation is not required,
it is possible to use the reconciliation task, running e.g.
nightly. The race condition would be still there, but with a lot
smaller probability. (Having said that, it is possible to run
LiveSync as well, but with a longer interval - e.g. 1 hour - to
minimize this risk of conflict.)<br>
<br>
Anyway, the serious solution is to log this issue into our jira,
and we have to fix it. If you could attach log with model=TRACE,
provisioning=TRACE, covering the two colliding operations, it
would be perfect. <br>
<br>
But I feel the fix will not be very easy [unless someone has a
very bright idea how to do it :)], so if you would need this in a
specific time frame, please contact Igor Farinic.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
</div>
<blockquote
cite="mid:F82253638486D44DABA51EC404D48AF387501B@EX-MB1.solar.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"Стандартный HTML Знак";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTML
{mso-style-name:"Стандартный HTML Знак";
mso-style-priority:99;
mso-style-link:"Стандартный HTML";
font-family:Consolas;
color:black;
mso-fareast-language:EN-US;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:2.0cm 42.5pt 2.0cm 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Hi
Pavol,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">But
how am I supposed to track, for instance, illegitimate
associations between account and groups performed directly
in target system if not by means of synchronization
mechanism?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Ilya<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:RU">From:</span></b><span
style="color:windowtext;mso-fareast-language:RU">
midPoint [<a class="moz-txt-link-freetext" href="mailto:midpoint-bounces@lists.evolveum.com">mailto:midpoint-bounces@lists.evolveum.com</a>]
<b>On Behalf Of </b>Pavol Mederly<br>
<b>Sent:</b> Tuesday, July 14, 2015 1:06 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Subject:</b> Re: [midPoint] AD account duplication<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">:-( That's
unfortunate. But in other installations it usually takes
only a few hundred milliseconds (except for initial
connection opening, which could take 20-30 seconds indeed).<br>
<br>
Is your connector opening a new remote PowerShell connection
each time? Because if not, subsequent operation should be
much quicker.<br>
<br>
Anyway, couldn't you avoid using Live Sync from Exchange
resource?<br>
<br>
We can fix this "race condition" issue in midPoint, but I'm
not sure how quickly.<br>
<br>
Pavol<span style="font-size:12.0pt;mso-fareast-language:RU"><o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Power
shell works very slow. It’s work takes about 35 second
from console.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:RU">From:</span></b><span
style="color:windowtext;mso-fareast-language:RU">
midPoint [<a moz-do-not-send="true"
href="mailto:midpoint-bounces@lists.evolveum.com">mailto:midpoint-bounces@lists.evolveum.com</a>]
<b>On Behalf Of </b>Pavol Mederly<br>
<b>Sent:</b> Tuesday, July 14, 2015 12:35 PM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Subject:</b> Re: [midPoint] AD account duplication</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">Hello Alexej,<br>
<br>
are you sure you need Live Synchronization for Exchange
resource? If a resource is a target and a source at the
same time, problems may occur. It is best to avoid this,
it it's not strictly necessary.<br>
<br>
However, 40 seconds for user creation process is a waaaaay
too long. Have you any idea why it takes so long?<br>
<br>
Pavol<br>
<br>
On 14. 7. 2015 11:28, Ващенков Алексей wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US">Hi, we have one more
problem with Exchange.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">We create live
synchronization task with Exchange connector. And it
bring us one problem.
</span><o:p></o:p></p>
<div style="border-top:double windowtext
2.25pt;border-left:none;border-bottom:double windowtext
2.25pt;border-right:none;padding:1.0pt 0cm 1.0pt 0cm">
<p class="MsoNormal"><span lang="EN-US">Too many
iterations (6) for account(ID {<a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>}uid
= [ <GUID=af020927ab893540bf7ca32f4ad86f30> ],
type 'default', <a moz-do-not-send="true"
href="resource:8790e490-326a-46e9-ba35-9e0c1dcbb41d%28Exchange%29%29">
resource:8790e490-326a-46e9-ba35-9e0c1dcbb41d(Exchange))</a>: cannot
determine values that satisfy constraints: Found more
than one object with attribute {<a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>}uid
= [ <GUID=af020927ab893540bf7ca32f4ad86f30> ],
Found more than one object with attribute {<a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>}name
= [ CN=abaulin.d.v,OU=????????????
????,OU=inrights,DC=isim,DC=local ]</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I see this situation
like “Live synchronization” task was started after user
creation process (it take about 40 seconds) and finished
before creation process ends. In this case “Live
synchronization” see “new” AD account which already
created with “Creation process” (but doesn’t ends
because waiting for ends of Exchange creation) and
create new shadow. After that “Creation process” ends
and returns UID of “new” shadow but it doesn’t know that
shadow already exists (in “Live synchronization”
process).</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">What can we do with
this situation?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>midPoint mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:RU"><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>midPoint mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:RU"><o:p> </o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body>
</html>