<div dir="ltr">I was curious to try this myself, being on AD, and I have excluded/protected entire OUs.<div><br></div><div>I added a new person to my CSV resource with first name Us and last name Ers and yes, you are correct, provisioning fails. I would have figured that it should iterate to Users1, as that is what it does for the other accounts.</div><div><br></div><div>I don't think mine attempted 1000, because in the logs it doesn't seem to, and it only took a minute or so to error out:</div><div><br></div><div><div>2015-07-22 08:30:10,273 [] [midPointScheduler_Worker-6] ERROR (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Couldn't add object. Object already exist: Object already exists on the resource: org.identityconnectors.framework.common.exceptions.AlreadyExistsException(The object already exists.</div><div>: when creating LDAP://dc1.test.local/cn=Us Ers,OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL)->org.identityconnectors.framework.impl.api.remote.RemoteWrappedException(The object already exists.</div><div>: when creating LDAP://dc1.test.local/cn=Us Ers,OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL)</div><div>com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException: Object already exists on the resource: org.identityconnectors.framework.common.exceptions.AlreadyExistsException(The object already exists.</div><div>: when creating LDAP://dc1.test.local/cn=Us Ers,OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL)->org.identityconnectors.framework.impl.api.remote.RemoteWrappedException(The object already exists.</div><div>: when creating LDAP://dc1.test.local/cn=Us Ers,OU=DPN,OU=SHP Students,DC=TEST,DC=LOCAL)</div></div><div><br></div><div><br></div><div><div>2015-07-22 08:30:15,532 [] [midPointScheduler_Worker-6] ERROR (com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler): Live Sync: Internal Error:</div><div>com.evolveum.midpoint.util.exception.SystemException: Synchronization error: java.lang.IllegalStateException: Model operation took too many clicks (limit is 200). Is there a cycle?</div></div><div><br></div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 22, 2015 at 5:56 AM, <span dir="ltr"><<a href="mailto:midpoint@mybtinternet.com" target="_blank">midpoint@mybtinternet.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Guys,<br><br> I'm looking for a way to exclude certain account names from use on any resource; this could include:<br><span> </span>- operating system accounts<br><span> </span>- service accounts<br><span> </span>- sensitive accounts<br><span> </span>- generated account names that may be offensive words, etc.<br><br> I have noted the protected account feature; however, this seems to require definition on every resource, which can be tedious and prone to error on large numbers of resources. Also, as this maps to the designated repository name attribute, it is not very flexible; e.g. take the AD built-in group Users: while this is a group, it still has a sAMAccountName of Users. Setting a protection of "Users" does not exclude an attempt to provision an account with a sAMAccountName of users.<br><br> What happens in the above example: midPoint attempts to add the account to AD, and this fails with "Already exists". This does not seem to trigger the need for iteration. This is attempted 1000 times until some limit in midPoint then aborts the transaction. Needless to say, performance deteriorates rapidly during this cycle ... I would like to understand where this limit of 1000 is set and ideally reduce this significantly.<br><br> Another side-effect of the AD problem described above: we also have the AD "Recycle Bin" feature enabled. Every failed attempt at provisioning the "users" account also leaves a deleted object entry; e.g. with 1000 attempted adds, this results in 1000 deleted object entries.<br><br> I'm hoping there is a way of setting a global exclusion list or policy that would reject certain values by attribute name, e.g. a filter, but not based on an individual resource.<br><br>Regards,<br> Anton<br><br><br><br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">JASON</div></div>
</div>
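<div>A stand-alone sketch of the two things the thread asks for: a global exclusion list that is consulted before any resource is touched, and an iteration cap far below 1000. This is an added example, not midPoint code or midPoint configuration. The policy object, the <code>FakeResource</code> stand-in for the AD connector, the reserved names and the name-derivation rule (first name + last name) are all constructed here for illustration.</div>

```python
"""Global reserved-name exclusion list with bounded name iteration.

Constructed stand-alone example (not midPoint code): one policy object
answers "is this name allowed on any resource?" before a provisioning
attempt is made, and the iteration loop treats a reserved name exactly
like a name that already exists on the target.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple


class IterationLimitExceeded(Exception):
    """Raised when no free, non-reserved name is found within the cap."""


def normalize(name: str) -> str:
    # AD sAMAccountName matching is case-insensitive, so compare lower-cased.
    return name.strip().lower()


@dataclass
class ReservedNamePolicy:
    """Global exclusion list applied to every resource, independent of any
    per-resource protected-account filter."""
    exact: Set[str] = field(default_factory=set)              # literal names
    patterns: List[re.Pattern] = field(default_factory=list)  # regexes

    def __post_init__(self) -> None:
        self.exact = {normalize(n) for n in self.exact}

    def is_excluded(self, candidate: str) -> bool:
        cand = normalize(candidate)
        if cand in self.exact:
            return True
        return any(p.search(cand) for p in self.patterns)


def iterate_name(base: str, policy: ReservedNamePolicy,
                 exists_on_resource: Callable[[str], bool],
                 max_iterations: int = 10) -> str:
    """Return the first of base, base1, base2, ... that is neither globally
    reserved nor already present on the resource.

    The policy is consulted first, so a reserved name never reaches the
    resource: no AlreadyExists round trip and no deleted-object entry."""
    for i in range(max_iterations + 1):
        candidate = base if i == 0 else f"{base}{i}"
        if policy.is_excluded(candidate):
            continue
        if exists_on_resource(candidate):
            continue
        return candidate
    raise IterationLimitExceeded(
        f"no free name for {base!r} within {max_iterations} iterations")


# --- constructed sample data (hypothetical, for illustration only) ------

# AD built-ins, OS accounts, a service-account prefix and a couple of
# name shapes that should never become a user account.
POLICY = ReservedNamePolicy(
    exact={"Users", "Administrator", "Administrators", "Guest", "krbtgt",
           "root", "daemon", "nobody"},
    patterns=[re.compile(r"^svc[-_]"), re.compile(r"^(admin|support)\d*$")],
)


class FakeResource:
    """Stand-in for the AD connector: records every existence lookup so we
    can see which names actually reached the resource."""

    def __init__(self, existing: Iterable[str]) -> None:
        self.existing = {normalize(n) for n in existing}
        self.lookups: List[str] = []

    def exists(self, name: str) -> bool:
        self.lookups.append(name)
        return normalize(name) in self.existing


def provision_names(users: Iterable[Tuple[str, str]],
                    policy: ReservedNamePolicy = POLICY,
                    resource: FakeResource = None
                    ) -> Tuple[Dict[Tuple[str, str], str], List[str]]:
    """Derive sAMAccountName = first name + last name, then iterate."""
    resource = resource or FakeResource({"jsmith", "users"})
    result = {}
    for first, last in users:
        result[(first, last)] = iterate_name(f"{first}{last}", policy,
                                             resource.exists)
    return result, resource.lookups


if __name__ == "__main__":
    names, lookups = provision_names([("Us", "Ers"), ("J", "Smith")])
    print(names)    # {('Us', 'Ers'): 'UsErs1', ('J', 'Smith'): 'JSmith1'}
    print(lookups)  # ['UsErs1', 'JSmith', 'JSmith1']
```

<div>Because the policy check precedes the resource call, "UsErs" is rejected locally and only "UsErs1" is ever sent to the target, which is what avoids the AlreadyExists round trips and the Recycle Bin tombstones described in the message; the small <code>max_iterations</code> cap turns a runaway loop into one explicit exception the operator can see.</div>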