<div dir="ltr">Ok so that makes a little more sense,<div><br></div><div>The meta role is used so that when a user is created in the "GUI" and is assigned an Org, they will then be created in AD in the same Org. This is that we do not have manually type out the entire OU Path.</div><div><br></div><div>Here is the role,</div><div><br></div><div><div> <name>Metarole for Orgs</name></div><div> <description></div><div> This MetaRole will add the current assigned organization to the organization attribute.</div><div> </description></div><div> <metadata></div><div> <createTimestamp>2015-02-16T13:26:01.203-06:00</createTimestamp></div><div> <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef></div><div> <createChannel><a href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</a></createChannel></div><div> </metadata></div><div> <inducement id="1"></div><div> <focusMappings></div><div> <mapping></div><div> <source></div><div> <c:path>$immediateRole/name</c:path></div><div> </source></div><div> <target></div><div> <c:path>$focus/organization</c:path></div><div> </target></div><div> </mapping></div><div> </focusMappings></div><div> <order>2</order></div><div> </inducement></div><div></role></div></div><div><br></div><div>What would you recommend I try?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 16, 2015 at 3:39 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi Jason,<br>
<br>
Pavol and I are looking into the logs.<br>
<br>
It seems that the user has assigned organization OU=_DISABLED,OU=SHP
Students,DC=TEST,DC=LOCAL, oid cce5ec38-5246-4368-9e7b-6b049e01ef4d,
which sets the attribute "organization" (using the metarole).<br>
<br>
Additionally, the user template you posted, also sets the attribute
"organization", so after processing, user has TWO values of
organization attribute and this eventually fails in mapping for (AD)
icfs:name.<br>
<br>
How is the first role assigned and why it's kept assigned..?<br>
<br>
Regards,<br>
Ivan<div><div class="h5"><br>
<br>
<div>On 10/16/2015 09:55 PM, Jason Everling
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">But the users do not have 2 "organizations in their
profile, they end up with only 1,
<div><br>
</div>
<div>doesn't the "authoritive" flag ensure that only one value
exists for any multi value attribute?</div>
<div><br>
</div>
<div>I attached the template that kicks off when a user is added
back to CSV</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 16, 2015 at 2:52 PM, Jason
Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">So yes, during the re adding of the user, a
template kicks off, which all it does, is add back their
original organization based on costCenter, which then
causes them to be enabled and moved in into another AD
container.</div>
<div class="gmail_extra">
<div>
<div><br>
<div class="gmail_quote">On Fri, Oct 16, 2015 at 2:50
PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank"></a><a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> This is
strange.<br>
<br>
The two values have the same initial, so I start
to believe that the two values are produced by
"organization" attribute.<br>
<br>
Can you please check if this user has one or two
values of user/organization? One seems to be
"OU=DISABLED..."<span><font color="#888888"><br>
<br>
I.</font></span><span><br>
<br>
<div>On 10/16/2015 09:02 PM, Jason Everling
wrote:<br>
</div>
</span>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Here is the situation,
<div><br>
</div>
<div>I am running into a issue, if the
user in the CSV has a middle initial
that was not there before and does not
have that value in AD then I get an
error,<br clear="all">
<div><br>
</div>
<div><span>Attempt to replace 2 values
to a single-valued item
attributes/name; values:
[PPV(String:cn=Charlie K.
Brown,OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL),
PPV(String:cn=Charlie K. Brown,</span><span>OU=Dept,OU=Users,OU=Students,</span><span>DC=TEST,DC=LOCAL)]</span><br>
</div>
<div><span><br>
</span></div>
<div><span>The above users original
"name" in AD is</span></div>
<div><span>cn=Charlie
Brown,OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL</span><span><br>
</span></div>
<div><span><br>
</span></div>
<div><span>So when they are added to
CSV with a middle initial it is
trying to build the new name like
in the first example and fails.</span></div>
<div><br>
</div>
<div>My AD DN code is,</div>
<div><br>
</div>
<div>
<div><span style="white-space:pre-wrap"> </span>if
(additionalName == null) {</div>
<div><span style="white-space:pre-wrap"> </span>return
'cn='+givenName+'
'+familyName+iterationToken+','+organization+'';</div>
<div><span style="white-space:pre-wrap"> </span>}
else {</div>
<div><span style="white-space:pre-wrap"> </span>return
'cn='+givenName+'
'+additionalName+'.
'+familyName+iterationToken+','+organization+'';</div>
<div><span style="white-space:pre-wrap"> </span>}</div>
</div>
<div><br>
</div>
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
</div>
<br>
</div>
</div>
<font size="2"><br>
<br>
<span> CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments
is proprietary and confidential; intended
for only the recipient(s) named above and
may contain information that is
privileged. You should not retain, copy or
use this e-mail or any attachments for any
purpose, or disclose all or any part of
the contents to any person. Any views or
opinions expressed in this e-mail are
those of the author and do not represent
those of the Baptist School of Health
Professions. If you have received this
e-mail in error, or are not the named
recipient(s), you are hereby notified that
any review, dissemination, distribution or
copying of this communication is
prohibited by the sender and to do so
might constitute a violation of the
Electronic Communications Privacy Act, 18
U.S.C. section 2510-2521. Please
immediately notify the sender and delete
this e-mail and any attachments from your
computer. </span></font><br>
<span> <br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</span></blockquote>
<span> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</span></div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
</div>
</div>
<span><font color="#888888">
<div>
<div dir="ltr">JASON</div>
</div>
</font></span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
<font size="2"><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is proprietary and
confidential; intended for only the recipient(s) named above and
may contain information that is privileged. You should not
retain, copy or use this e-mail or any attachments for any
purpose, or disclose all or any part of the contents to any
person. Any views or opinions expressed in this e-mail are those
of the author and do not represent those of the Baptist School
of Health Professions. If you have received this e-mail in
error, or are not the named recipient(s), you are hereby
notified that any review, dissemination, distribution or copying
of this communication is prohibited by the sender and to do so
might constitute a violation of the Electronic Communications
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
notify the sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</div></div></div>
<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">JASON</div></div>
</div>
<br>
<font size="2"><br><br>CONFIDENTIALITY NOTICE:<br>This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </font><br>