<div dir="ltr">Ok thanks for looking at it,<div><br></div><div>I am going to see what happens if I move it from the multi-valued attribute organization to a custom created single-valued attribute.</div><div><br></div><div>All in all it works great, has been running, enabling/disabling accounts for weeks now, I just ran into this!</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 16, 2015 at 4:39 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi Jason,<br>
<br>
now I understand the circumstances, thank you.<br>
<br>
    I don't have a solution handy though. (I have not used such a
combination in my projects yet.) We will try to come up with
something.<br>
<br>
I think that the authoritative mapping does not help here, because
only one of the templates is executed - so the "old" value is not
    removed and the user ends up with two values. So maybe the mechanisms
how you connect the events from CSV to midPoint would require
slight redesign of your solution.<br>
<br>
Best regards and have a nice weekend.<span class="HOEnZb"><font color="#888888"><br>
Ivan</font></span><div><div class="h5"><br>
<br>
<div>On 10/16/2015 11:13 PM, Jason Everling
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Oh, within the resource synchronization situations,
<div><br>
</div>
<div>
<div> <reaction></div>
<div> <situation>deleted</situation></div>
<div> <objectTemplateRef
oid="10000000-0000-0000-0000-000000000301"/></div>
<div> <action ref="<a href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus</a>"/></div>
<div> </reaction></div>
<div> <reaction></div>
<div> <situation>unlinked</situation></div>
<div> <objectTemplateRef
oid="10000000-0000-0000-0000-000000000302"/></div>
<div> <action ref="<a href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount</a>"/></div>
<div> </reaction></div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 16, 2015 at 4:08 PM, Ivan
Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> .. and how midpoint
runs the "Disabled Students Template 1" and "Enable
Student Template 1"? (Where?)<span><font color="#888888"><br>
<br>
Ivan</font></span>
<div>
<div><br>
<br>
<div>On 10/16/2015 11:04 PM, Jason Everling wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">The user is disabled once they are
removed from the CSV resource, the CSV resource
only contains active users. A template disables
                          their account and sets the OU path just like the
enable one which I pasted below.
<div><br>
</div>
<div>Yes, assigning an Org will cause icfs:name to
be modified in AD to move them into the correct
ou's in AD.</div>
<div><br>
</div>
<div>If you are meaning the Org Template/Meta
Role, they are assigned automatically using the
system default org template.</div>
<div><br>
</div>
<div>There are not any roles currently assigned to
a user that controls enabled/disabled. It just
happens automatically when they are either added
or removed from CSV.</div>
<div><br>
</div>
<div>jason</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 16, 2015 at
3:58 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank"></a><a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi
Jason,<br>
<br>
some more questions to understand.<br>
<br>
What is the "lifecycle" of the user?<br>
<br>
                                  Assigning a role will cause icfs:name
generation for the correct OU.<br>
<br>
Are such roles assigned manually?<br>
<br>
Is the role for "DISABLED" users also
assigned manually when user leaves?<br>
<br>
                                  Does the user we are speaking of still have
                                  that "DISABLED" role assigned?<br>
<br>
Thanks,<br>
Ivan
<div>
<div><br>
<br>
<div>On 10/16/2015 10:47 PM, Jason
Everling wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Ok so that makes a
little more sense,
<div><br>
</div>
<div>The meta role is used so that
when a user is created in the
"GUI" and is assigned an Org, they
will then be created in AD in the
                                          same Org. This is so that we do not
                                          have to manually type out the entire
                                          OU Path.</div>
<div><br>
</div>
<div>Here is the role,</div>
<div><br>
</div>
<div>
<div> <name>Metarole for
Orgs</name></div>
<div> <description></div>
<div> This MetaRole will
add the current assigned
organization to the organization
attribute.</div>
<div> </description></div>
<div> <metadata></div>
<div>
<createTimestamp>2015-02-16T13:26:01.203-06:00</createTimestamp></div>
<div> <creatorRef
oid="00000000-0000-0000-0000-000000000002"
type="c:UserType"><!--
administrator
--></creatorRef></div>
<div> <createChannel><a href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport" target="_blank"></a><a href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</a></createChannel></div>
<div> </metadata></div>
<div> <inducement id="1"></div>
<div> <focusMappings></div>
<div> <mapping></div>
<div> <source></div>
<div>
<c:path>$immediateRole/name</c:path></div>
<div> </source></div>
<div> <target></div>
<div>
<c:path>$focus/organization</c:path></div>
<div> </target></div>
<div> </mapping></div>
<div> </focusMappings></div>
<div>
<order>2</order></div>
<div> </inducement></div>
<div></role></div>
</div>
<div><br>
</div>
<div>What would you recommend I try?</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct
16, 2015 at 3:39 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank"></a><a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi Jason,<br>
<br>
Pavol and I are looking into
the logs.<br>
<br>
It seems that the user has
assigned organization
OU=_DISABLED,OU=SHP
Students,DC=TEST,DC=LOCAL, oid
cce5ec38-5246-4368-9e7b-6b049e01ef4d,
which sets the attribute
"organization" (using the
metarole).<br>
<br>
Additionally, the user
template you posted, also sets
the attribute "organization",
so after processing, user has
TWO values of organization
attribute and this eventually
fails in mapping for (AD)
icfs:name.<br>
<br>
How is the first role assigned
                                              and why is it kept assigned..?<br>
<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On 10/16/2015 09:55
PM, Jason Everling
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">But the
users do not have 2
"organizations in
their profile, they
end up with only 1,
<div><br>
</div>
<div>doesn't the
                                                      "authoritative" flag
ensure that only one
value exists for any
multi value
attribute?</div>
<div><br>
</div>
<div>I attached the
template that kicks
off when a user is
added back to CSV</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Fri, Oct 16, 2015 at
2:52 PM, Jason
Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank"></a><a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">So
yes, during the
                                                          re-adding of the
user, a template
kicks off, which
all it does, is
add back their
original
organization
based on
costCenter,
which then
causes them to
be enabled and
                                                          moved into
another AD
container.</div>
<div class="gmail_extra">
<div>
<div><br>
<div class="gmail_quote">On
Fri, Oct 16,
2015 at 2:50
PM, Ivan Noris
<span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank"></a><a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> This is strange.<br>
<br>
The two values
have the same
initial, so I
start to
believe that
the two values
are produced
by
"organization"
attribute.<br>
<br>
Can you please
check if this
user has one
or two values
of
user/organization?
One seems to
be
"OU=DISABLED..."<span><font color="#888888"><br>
<br>
I.</font></span><span><br>
<br>
<div>On
10/16/2015
09:02 PM,
Jason Everling
wrote:<br>
</div>
</span>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Here
is the
situation,
<div><br>
</div>
<div>I am
                                                          running into an
issue, if the
user in the
CSV has a
middle initial
that was not
there before
and does not
have that
value in AD
then I get an
error,<br clear="all">
<div><br>
</div>
<div><span>Attempt
to replace 2
values to a
single-valued
item
attributes/name;
values:
[PPV(String:cn=Charlie
K.
Brown,OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL),
PPV(String:cn=Charlie
K. Brown,</span><span>OU=Dept,OU=Users,OU=Students,</span><span>DC=TEST,DC=LOCAL)]</span><br>
</div>
<div><span><br>
</span></div>
<div><span>The
                                                          above user's
original
"name" in AD
is</span></div>
<div><span>cn=Charlie
Brown,OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL</span><span><br>
</span></div>
<div><span><br>
</span></div>
<div><span>So
when they are
added to CSV
with a middle
initial it is
trying to
build the new
name like in
the first
example and
fails.</span></div>
<div><br>
</div>
<div>My AD DN
code is,</div>
<div><br>
</div>
<div>
<div><span style="white-space:pre-wrap"> </span>if
(additionalName
== null) {</div>
<div><span style="white-space:pre-wrap"> </span>return
'cn='+givenName+'
'+familyName+iterationToken+','+organization+'';</div>
<div><span style="white-space:pre-wrap"> </span>}
else {</div>
<div><span style="white-space:pre-wrap"> </span>return
'cn='+givenName+'
'+additionalName+'.
'+familyName+iterationToken+','+organization+'';</div>
<div><span style="white-space:pre-wrap"> </span>}</div>
</div>
<div><br>
</div>
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
</div>
<br>
</div>
</div>
<font size="2"><br>
<br>
<span>
CONFIDENTIALITY
NOTICE:<br>
This e-mail
together with
any
attachments is
proprietary
and
confidential;
intended for
only the
recipient(s)
named above
and may
contain
information
that is
privileged.
You should not
retain, copy
or use this
e-mail or any
attachments
for any
purpose, or
disclose all
or any part of
the contents
to any person.
Any views or
opinions
expressed in
this e-mail
are those of
the author and
do not
represent
those of the
Baptist School
of Health
Professions.
If you have
received this
e-mail in
error, or are
not the named
recipient(s),
you are hereby
notified that
any review,
dissemination,
distribution
or copying of
this
communication
is prohibited
by the sender
and to do so
might
constitute a
violation of
the Electronic
Communications
Privacy Act,
18 U.S.C.
section
2510-2521.
Please
immediately
notify the
sender and
delete this
e-mail and any
attachments
from your
computer. </span></font><br>
<span> <br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</span></blockquote>
<span> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</span></div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
</div>
</div>
<span><font color="#888888">
<div>
<div dir="ltr">JASON</div>
</div>
</font></span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<br>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">JASON</div></div>
</div>
<br>
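<div>The failure discussed in this thread, as an added example (not code from the thread or from midPoint): a stand-alone Groovy version of the AD DN expression that refuses to build a DN when the user carries more than one organization value, instead of emitting one DN per value. It goes slightly beyond the thread by also escaping RFC 4514 special characters in the CN; the function names and the fail-on-conflict policy are assumptions.</div>

```groovy
// Added example: plain Groovy, no midPoint classes are used.
// escapeRdnValue, selectOrganization and buildAdDn are hypothetical names.

// Escape a value for use inside one RDN (RFC 4514 string form), so a comma
// or plus sign in a person's name cannot be read as a DN separator.
String escapeRdnValue(String value) {
    def out = new StringBuilder()
    for (int i = 0; i < value.length(); i++) {
        String ch = value[i]
        boolean edgeSpace = ch == ' ' && (i == 0 || i == value.length() - 1)
        boolean leadingHash = ch == '#' && i == 0
        if ('"+,;<>\\'.contains(ch) || edgeSpace || leadingHash) {
            out.append('\\')
        }
        out.append(ch)
    }
    return out.toString()
}

// Assumed policy: the DN may be built only when exactly one distinct
// organization value is present. With two values (for example the DISABLED
// OU and the active OU) the caller gets an error instead of a guess.
String selectOrganization(Collection<String> organizations) {
    def distinct = new LinkedHashSet<String>((organizations ?: []).findAll { it?.trim() })
    if (distinct.size() != 1) {
        throw new IllegalStateException(
            'Expected exactly one organization value, got ' + distinct.size() + ': ' + distinct)
    }
    return distinct.iterator().next()
}

// Same CN layout as the expression in the thread. A null or empty
// additionalName is treated as "no middle initial" (the original tests null only).
String buildAdDn(String givenName, String additionalName, String familyName,
                 String iterationToken, Collection<String> organizations) {
    String ou = selectOrganization(organizations)
    String cn
    if (!additionalName) {
        cn = givenName + ' ' + familyName
    } else {
        cn = givenName + ' ' + additionalName + '. ' + familyName
    }
    return 'cn=' + escapeRdnValue(cn + (iterationToken ?: '')) + ',' + ou
}

// OU values taken from the error message quoted in the thread.
def disabledOu = 'OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL'
def activeOu = 'OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL'

assert buildAdDn('Charlie', 'K', 'Brown', '', [activeOu]) ==
        'cn=Charlie K. Brown,OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL'
assert buildAdDn('Charlie', null, 'Brown', '', [activeOu]) == 'cn=Charlie Brown,' + activeOu

// Constructed input: a comma inside the family name stays inside the CN.
assert buildAdDn('Charlie', null, 'Brown, Jr', '', [activeOu]) ==
        'cn=Charlie Brown\\, Jr,' + activeOu

// The situation from the thread: both OUs present at once is rejected.
try {
    buildAdDn('Charlie', 'K', 'Brown', '', [disabledOu, activeOu])
    assert false : 'two organization values must be rejected'
} catch (IllegalStateException e) {
    println 'refused: ' + e.message
}
```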