<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Hi,<br>
      <br>
      This is an interesting issue. We didn't expect that
      provisioning would be slower than livesync.<br>
      <br>
      The proper solution would be to implement what we call
      "asynchronous provisioning". At least some parts of it.
      Specifically, we should store the shadow before we attempt an
      operation on the resource. Asynchronous provisioning has been on
      the midPoint roadmap for quite a long time. However, midPoint
      subscribers are asking for other features. Therefore asynchronous
      provisioning has been moved out on the roadmap several times.<br>
      <br>
      Therefore, you have the usual options:
      <a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature">https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a><br>
      <br>
      I have created a Jira issue to track this:
      <a class="moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-2458">https://jira.evolveum.com/browse/MID-2458</a><br>
      <br>
      <pre class="moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
evolveum.com</pre>
      <br>
      <br>
      On 07/14/2015 01:25 PM, Pavol Mederly wrote:<br>
    </div>
    <blockquote cite="mid:55A4F1B3.4000301@evolveum.com" type="cite">
      <div class="moz-cite-prefix">Илья, Алексей,<br>
        <br>
        yes, this is a strong reason.<br>
        <br>
        If an immediate reaction to an illegitimate situation is not
        required, it is possible to use the reconciliation task, running
        e.g. nightly. The race condition would still be there, but with a
        much smaller probability. (Having said that, it is possible to run
        LiveSync as well, but with a longer interval - e.g. 1 hour - to
        minimize this risk of conflict.)<br>
        <br>
        Anyway, the serious solution is to log this issue into our Jira,
        and we have to fix it. If you could attach a log with model=TRACE,
        provisioning=TRACE, covering the two colliding operations, it
        would be perfect. <br>
        <br>
        But I feel the fix will not be very easy [unless someone has a
        very bright idea how to do it :)], so if you would need this in
        a specific time frame, please contact Igor Farinic.<br>
        <br>
        Best regards,<br>
        Pavol<br>
        <br>
      </div>
      <blockquote
        cite="mid:F82253638486D44DABA51EC404D48AF387501B@EX-MB1.solar.local"
        type="cite">
        <div class="WordSection1">
          <p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Hi
              Pavol,<o:p></o:p></span></p>
          <p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">But
              how am I supposed to track, for instance, illegitimate
              associations between account and groups performed directly
              in target system if not by means of synchronization
              mechanism?<o:p></o:p></span></p>
          <p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Ilya<o:p></o:p></span></p>
          <p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0cm 0cm 0cm">
              <p class="MsoNormal"><b><span
                    style="color:windowtext;mso-fareast-language:RU">From:</span></b><span
                  style="color:windowtext;mso-fareast-language:RU">
                  midPoint [<a moz-do-not-send="true"
                    class="moz-txt-link-freetext"
                    href="mailto:midpoint-bounces@lists.evolveum.com">mailto:midpoint-bounces@lists.evolveum.com</a>]
                  <b>On Behalf Of </b>Pavol Mederly<br>
                  <b>Sent:</b> Tuesday, July 14, 2015 1:06 PM<br>
                  <b>To:</b> <a moz-do-not-send="true"
                    class="moz-txt-link-abbreviated"
                    href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
                  <b>Subject:</b> Re: [midPoint] AD account duplication<o:p></o:p></span></p>
            </div>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
          <div>
            <p class="MsoNormal" style="margin-bottom:12.0pt">:-( That's
              unfortunate. But in other installations it usually takes
              only a few hundred milliseconds (except for initial
              connection opening, which could take 20-30 seconds
              indeed).<br>
              <br>
              Is your connector opening a new remote PowerShell
              connection each time? Because if not, subsequent operation
              should be much quicker.<br>
              <br>
              Anyway, couldn't you avoid using Live Sync from Exchange
              resource?<br>
              <br>
              We can fix this "race condition" issue in midPoint, but
              I'm not sure how quickly.<br>
              <br>
              Pavol<span
                style="font-size:12.0pt;mso-fareast-language:RU"><o:p></o:p></span></p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <p class="MsoNormal"><span style="color:#1F497D"
                lang="EN-US">PowerShell works very slowly. Its work
                takes about 35 seconds from the console. </span><o:p></o:p></p>
            <p class="MsoNormal"><span style="color:#1F497D"
                lang="EN-US"> </span><o:p></o:p></p>
            <div>
              <div style="border:none;border-top:solid #E1E1E1
                1.0pt;padding:3.0pt 0cm 0cm 0cm">
                <p class="MsoNormal"><b><span
                      style="color:windowtext;mso-fareast-language:RU">From:</span></b><span
                    style="color:windowtext;mso-fareast-language:RU">
                    midPoint [<a moz-do-not-send="true"
                      href="mailto:midpoint-bounces@lists.evolveum.com">mailto:midpoint-bounces@lists.evolveum.com</a>]
                    <b>On Behalf Of </b>Pavol Mederly<br>
                    <b>Sent:</b> Tuesday, July 14, 2015 12:35 PM<br>
                    <b>To:</b> <a moz-do-not-send="true"
                      href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
                    <b>Subject:</b> Re: [midPoint] AD account
                    duplication</span><o:p></o:p></p>
              </div>
            </div>
            <p class="MsoNormal"> <o:p></o:p></p>
            <div>
              <p class="MsoNormal">Hello Alexej,<br>
                <br>
                are you sure you need Live Synchronization for Exchange
                resource? If a resource is a target and a source at the
                same time, problems may occur. It is best to avoid this,
                if it's not strictly necessary.<br>
                <br>
                However, 40 seconds for user creation process is
                waaaaay too long. Have you any idea why it takes so
                long?<br>
                <br>
                Pavol<br>
                <br>
                On 14. 7. 2015 11:28, Ващенков Алексей wrote:<o:p></o:p></p>
            </div>
            <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
              <p class="MsoNormal"><span lang="EN-US">Hi, we have one
                  more problem with Exchange.</span><o:p></o:p></p>
              <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
              <p class="MsoNormal"><span lang="EN-US">We created a live
                  synchronization task with the Exchange connector, and it
                  brings us one problem. </span><o:p></o:p></p>
              <div style="border-top:double windowtext
                2.25pt;border-left:none;border-bottom:double windowtext
                2.25pt;border-right:none;padding:1.0pt 0cm 1.0pt 0cm">
                <p class="MsoNormal"><span lang="EN-US">Too many
                    iterations (6) for account(ID {http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3}uid
                    = [ &lt;GUID=af020927ab893540bf7ca32f4ad86f30&gt; ],
                    type 'default', resource:8790e490-326a-46e9-ba35-9e0c1dcbb41d(Exchange)): cannot
                    determine values that satisfy constraints: Found
                    more than one object with attribute {http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3}uid
                    = [ &lt;GUID=af020927ab893540bf7ca32f4ad86f30&gt; ],
                    Found more than one object with attribute {http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3}name
                    = [ CN=abaulin.d.v,OU=????????????
                    ????,OU=inrights,DC=isim,DC=local ]</span><o:p></o:p></p>
              </div>
              <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
              <p class="MsoNormal"><span lang="EN-US">I see this
                  situation like this: the “Live synchronization” task was
                  started after the user creation process (it takes about
                  40 seconds) and finished before the creation process
                  ended. In this case “Live synchronization” sees the “new”
                  AD account, which was already created by the “Creation
                  process” (which has not ended because it is waiting for
                  the Exchange creation to end), and creates a new shadow.
                  After that the “Creation process” ends and returns the
                  UID of the “new” shadow, but it doesn’t know that the
                  shadow already exists (in the “Live synchronization”
                  process).</span><o:p></o:p></p>
              <p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
              <p class="MsoNormal"><span lang="EN-US">What can we do
                  with this situation?</span><o:p></o:p></p>
              <pre>_______________________________________________<o:p></o:p></pre>
              <pre>midPoint mailing list<o:p></o:p></pre>
              <pre><a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><o:p></o:p></pre>
              <pre><a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></pre>
            </blockquote>
          </blockquote>
        </div>
      </blockquote>
    </blockquote>
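    <p>The race described in this thread, and the effect of storing the shadow before the resource operation, as a small added model in Python. It is not midPoint code and does not come from any of the posters; <code>ShadowRepo</code>, <code>run</code> and the sample DN and GUID are constructed for illustration, and letting LiveSync correlate by name against a pending shadow is an assumption.</p>

```python
"""Constructed model of the LiveSync/provisioning race; not midPoint code."""
import itertools


class ShadowRepo:
    """Toy shadow repository: oid -> {'name', 'uid', 'state'} (hypothetical)."""

    def __init__(self):
        self.shadows = {}
        self._oids = itertools.count(1)

    def add(self, name, uid=None, state="live"):
        oid = next(self._oids)
        self.shadows[oid] = {"name": name, "uid": uid, "state": state}
        return oid

    def find_by_name(self, name):
        return [o for o, s in self.shadows.items() if s["name"] == name]


def run(store_shadow_first):
    """Replay the interleaving from the thread; return the shadows for the DN."""
    repo, resource = ShadowRepo(), {}
    dn, uid = "CN=jdoe,OU=people,DC=example,DC=local", "GUID-0001"  # constructed

    # Provisioning step 1: optionally record a pending shadow before any resource call.
    pending = repo.add(dn, state="pending") if store_shadow_first else None

    # Provisioning step 2: the AD account appears; the slow Exchange part still runs.
    resource[dn] = uid

    # LiveSync runs inside that window and sees the "new" account.
    for name, res_uid in resource.items():
        known = repo.find_by_name(name)
        if known:      # assumption: correlate with the shadow already stored
            repo.shadows[known[0]]["uid"] = res_uid
        else:          # nothing known: LiveSync creates its own shadow
            repo.add(name, uid=res_uid)

    # Provisioning step 3: the operation returns the UID and the shadow is finalised.
    if pending is None:
        repo.add(dn, uid=uid)          # second shadow with the same uid and name
    else:
        repo.shadows[pending].update(uid=uid, state="live")
    return repo.find_by_name(dn)


if __name__ == "__main__":
    print("shadow stored after the operation :", len(run(False)), "shadow(s)")
    print("shadow stored before the operation:", len(run(True)), "shadow(s)")
```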
  </body>
</html>