<div dir="ltr"><div><objectTemplate xmlns="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"</div><div>                xmlns:icfs="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>"</div><div>                xmlns:t="<a href="http://prism.evolveum.com/xml/ns/public/types-3">http://prism.evolveum.com/xml/ns/public/types-3</a>"</div><div>                xmlns:c="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"</div><div>                xmlns:q="<a href="http://prism.evolveum.com/xml/ns/public/query-3">http://prism.evolveum.com/xml/ns/public/query-3</a>"</div><div>                xmlns:ri="<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>"</div><div>                oid="10000000-0000-0000-0000-000000000301"</div><div>                version="0"></div><div>   <name>Disabled Students Template 1</name></div><div>   <description></div><div>        This object is used for student accounts that are removed from CSV.</div><div>    </description></div><div>   <metadata></div><div>      <createTimestamp>2015-02-23T09:44:09.471-06:00</createTimestamp></div><div>      <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef></div><div>      <createChannel><a href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</a></createChannel></div><div>   </metadata></div><div>   <mapping></div><div>      <authoritative>true</authoritative></div><div>      <source></div><div>         <c:path>organization</c:path></div><div>      </source></div><div>      
<expression></div><div>         <script></div><div>            <code>'OU=_DISABLED,OU=SHP Students,DC=TEST,DC=LOCAL'</code></div><div>         </script></div><div>      </expression></div><div>      <target></div><div>         <c:path>organization</c:path></div><div>      </target></div><div>   </mapping></div><div>   <mapping></div><div>      <expression></div><div>         <value>DISABLED</value></div><div>      </expression></div><div>      <target></div><div>         <c:path>activation/administrativeStatus</c:path></div><div>      </target></div><div>   </mapping></div><div></objectTemplate></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 16, 2015 at 4:04 PM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The user is disabled once they are removed from the CSV resource; the CSV resource only contains active users. A template disables their account and sets the OU path just like the enable one which I pasted below.<div><br></div><div>Yes, assigning an Org will cause icfs:name to be modified in AD to move them into the correct OUs in AD.</div><div><br></div><div>If you are meaning the Org Template/Meta Role, they are assigned automatically using the system default org template.</div><div><br></div><div>There are not any roles currently assigned to a user that control enabled/disabled. 
It just happens automatically when they are either added or removed from CSV.</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>jason</div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 16, 2015 at 3:58 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Hi Jason,<br>
    <br>
    some more questions to understand.<br>
    <br>
    What is the "lifecycle" of the user?<br>
    <br>
    Assigning a role will cause icfs:name generation for the correct OU.<br>
    <br>
    Are such roles assigned manually?<br>
    <br>
    Is the role for "DISABLED" users also assigned manually when the user
    leaves?<br>
    <br>
    Does the user we are speaking of still have that
    "DISABLED" role assigned?<br>
    <br>
    Thanks,<br>
    Ivan<div><div><br>
    <br>
    <div>On 10/16/2015 10:47 PM, Jason Everling
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Ok so that makes a little more sense,
        <div><br>
        </div>
        <div>The meta role is used so that when a user is created in the
          "GUI" and is assigned an Org, they will then be created in AD
          in the same Org. This is so that we do not have to manually type out
          the entire OU path.</div>
        <div><br>
        </div>
        <div>Here is the role,</div>
        <div><br>
        </div>
        <div>
          <div>   <name>Metarole for Orgs</name></div>
          <div>   <description></div>
          <div>        This MetaRole will add the current assigned organization to the organization attribute.</div>
          <div>    </description></div>
          <div>   <metadata></div>
          <div>      <createTimestamp>2015-02-16T13:26:01.203-06:00</createTimestamp></div>
          <div>      <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef></div>
          <div>      <createChannel><a href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</a></createChannel></div>
          <div>   </metadata></div>
          <div>   <inducement id="1"></div>
          <div>      <focusMappings></div>
          <div>         <mapping></div>
          <div>            <source></div>
          <div>               <c:path>$immediateRole/name</c:path></div>
          <div>            </source></div>
          <div>            <target></div>
          <div>               <c:path>$focus/organization</c:path></div>
          <div>            </target></div>
          <div>         </mapping></div>
          <div>      </focusMappings></div>
          <div>      <order>2</order></div>
          <div>   </inducement></div>
          <div></role></div>
        </div>
        <div><br>
        </div>
        <div>What would you recommend I try?</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Oct 16, 2015 at 3:39 PM, Ivan
          Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Hi Jason,<br>
              <br>
              Pavol and I are looking into the logs.<br>
              <br>
              It seems that the user has been assigned the organization
              OU=_DISABLED,OU=SHP Students,DC=TEST,DC=LOCAL, oid
              cce5ec38-5246-4368-9e7b-6b049e01ef4d, which sets the
              attribute "organization" (using the metarole).<br>
              <br>
              Additionally, the user template you posted also sets the
              attribute "organization", so after processing, the user has
              TWO values of the organization attribute and this eventually
              fails in the mapping for (AD) icfs:name.<br>
              <br>
              How is the first role assigned and why is it kept
              assigned?<br>
              <br>
              Regards,<br>
              Ivan
              <div>
                <div><br>
                  <br>
                  <div>On 10/16/2015 09:55 PM, Jason Everling wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">But the users do not have 2
                      "organizations" in their profile, they end up with
                      only 1,
                      <div><br>
                      </div>
                      <div>Doesn't the "authoritative" flag ensure that
                        only one value exists for any multi-value
                        attribute?</div>
                      <div><br>
                      </div>
                      <div>I attached the template that kicks off when a
                        user is added back to CSV</div>
                      <div><br>
                      </div>
                      <div>JASON</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Fri, Oct 16, 2015 at
                        2:52 PM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank"></a><a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div dir="ltr">So yes, during the re-adding of
                            the user, a template kicks off, and all it
                            does is add back their original
                            organization based on costCenter, which then
                            causes them to be enabled and moved into
                            another AD container.</div>
                          <div class="gmail_extra">
                            <div>
                              <div><br>
                                <div class="gmail_quote">On Fri, Oct 16,
                                  2015 at 2:50 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank"></a><a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
                                  wrote:<br>
                                  <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                    <div text="#000000" bgcolor="#FFFFFF"> This is
                                      strange.<br>
                                      <br>
                                      The two values have the same
                                      initial, so I am starting to believe
                                      that the two values are produced
                                      by the "organization" attribute.<br>
                                      <br>
                                      Can you please check if this user
                                      has one or two values of
                                      user/organization? One seems to be
                                      "OU=DISABLED..."<span><font color="#888888"><br>
                                          <br>
                                          I.</font></span><span><br>
                                        <br>
                                        <div>On 10/16/2015 09:02 PM,
                                          Jason Everling wrote:<br>
                                        </div>
                                      </span>
                                      <blockquote type="cite">
                                        <div>
                                          <div>
                                            <div dir="ltr">Here is the
                                              situation,
                                              <div><br>
                                              </div>
                                              <div>I am running into an
                                                issue: if the user in
                                                the CSV has a middle
                                                initial that was not
                                                there before and does
                                                not have that value in
                                                AD, then I get an error,<br clear="all">
                                                <div><br>
                                                </div>
                                                <div><span>Attempt to
                                                    replace 2 values to
                                                    a single-valued item
                                                    attributes/name;
                                                    values:
                                                    [PPV(String:cn=Charlie
                                                    K.
                                                    Brown,OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL),
                                                    PPV(String:cn=Charlie
                                                    K. Brown,</span><span>OU=Dept,OU=Users,OU=Students,</span><span>DC=TEST,DC=LOCAL)]</span><br>
                                                </div>
                                                <div><span><br>
                                                  </span></div>
                                                <div><span>The above
                                                    user's original
                                                    "name" in AD is</span></div>
                                                <div><span>cn=Charlie
                                                    Brown,OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL</span><span><br>
                                                  </span></div>
                                                <div><span><br>
                                                  </span></div>
                                                <div><span>So when they
                                                    are added to CSV
                                                    with a middle
                                                    initial it is trying
                                                    to build the new
                                                    name like in the
                                                    first example and
                                                    fails.</span></div>
                                                <div><br>
                                                </div>
                                                <div>My AD DN code is,</div>
                                                <div><br>
                                                </div>
                                                <div>
                                                  <div><span style="white-space:pre-wrap">        </span>if (additionalName == null) {</div>
                                                  <div><span style="white-space:pre-wrap">        </span>    return 'cn='+givenName+' '+familyName+iterationToken+','+organization+'';</div>
                                                  <div><span style="white-space:pre-wrap">        </span>} else {</div>
                                                  <div><span style="white-space:pre-wrap">        </span>    return 'cn='+givenName+' '+additionalName+'. '+familyName+iterationToken+','+organization+'';</div>
                                                  <div><span style="white-space:pre-wrap">        </span>}</div>
                                                </div>
                                                <div><br>
                                                </div>
                                                <div><br>
                                                </div>
                                                -- <br>
                                                <div>
                                                  <div dir="ltr">JASON</div>
                                                </div>
                                              </div>
                                            </div>
                                            <br>
                                          </div>
                                        </div>
                                        <font size="2"><br>
                                          <br>
                                          <span> CONFIDENTIALITY NOTICE:<br>
                                            This e-mail together with
                                            any attachments is
                                            proprietary and
                                            confidential; intended for
                                            only the recipient(s) named
                                            above and may contain
                                            information that is
                                            privileged. You should not
                                            retain, copy or use this
                                            e-mail or any attachments
                                            for any purpose, or disclose
                                            all or any part of the
                                            contents to any person. Any
                                            views or opinions expressed
                                            in this e-mail are those of
                                            the author and do not
                                            represent those of the
                                            Baptist School of Health
                                            Professions. If you have
                                            received this e-mail in
                                            error, or are not the named
                                            recipient(s), you are hereby
                                            notified that any review,
                                            dissemination, distribution
                                            or copying of this
                                            communication is prohibited
                                            by the sender and to do so
                                            might constitute a violation
                                            of the Electronic
                                            Communications Privacy Act,
                                            18 U.S.C. section 2510-2521.
                                            Please immediately notify
                                            the sender and delete this
                                            e-mail and any attachments
                                            from your computer. </span></font><br>
                                        <span> <br>
                                          <fieldset></fieldset>
                                          <br>
                                          <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
                                        </span></blockquote>
                                      <span> <br>
                                        <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>                     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  ___________________________________________________
  "Semper Id(e)M Vix."
</pre>
                                      </span></div>
                                    <br>
                                    <br>
                                  </blockquote>
                                </div>
                                <br>
                                <br clear="all">
                                <div><br>
                                </div>
                                -- <br>
                              </div>
                            </div>
                            <span><font color="#888888">
                                <div>
                                  <div dir="ltr">JASON</div>
                                </div>
                              </font></span></div>
                        </blockquote>
                      </div>
                      <br>
                      <br clear="all">
                      <div><br>
                      </div>
                      -- <br>
                      <div>
                        <div dir="ltr">JASON</div>
                      </div>
                    </div>
                    <br>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div>
          <div dir="ltr">JASON</div>
        </div>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr">JASON</div></div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">JASON</div></div>
</div>

<br>
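<div>Added example, not part of the thread and not midPoint code: a Python model of the diagnosis discussed above. It assumes the DN expression is evaluated once per <code>organization</code> value, reproduces the two candidate values from the error message, and shows a pre-provisioning check that requires exactly one organization and escapes the CN per RFC 4514. All function names and the sample users are constructed for illustration.</div>

```python
# Added illustration, not midPoint code. Names and sample users are constructed.

# RFC 4514: these characters must be backslash-escaped inside an RDN value.
_RDN_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape one attribute value so it cannot add or split RDN components."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def common_name(user):
    """Same CN layout as the Groovy expression posted in the thread."""
    parts = [user["givenName"]]
    if user.get("additionalName") is not None:
        parts.append(user["additionalName"] + ".")
    parts.append(user["familyName"] + user.get("iterationToken", ""))
    return " ".join(parts)


def candidate_dns(user):
    """Assumed evaluation model: the expression runs once per organization
    value, so N values yield N candidates for the single-valued icfs:name."""
    cn = common_name(user)
    return ["cn=" + cn + "," + org for org in user["organization"]]


class AmbiguousOrganization(ValueError):
    """Raised when a user does not have exactly one organization value."""


def build_dn(user):
    """Guarded builder: exactly one organization value, CN escaped."""
    orgs = list(dict.fromkeys(user["organization"]))  # de-duplicate, keep order
    if len(orgs) != 1:
        raise AmbiguousOrganization(
            "%s: expected 1 organization, found %d: %r"
            % (user["name"], len(orgs), orgs))
    return "cn=" + escape_rdn_value(common_name(user)) + "," + orgs[0]


def audit(users):
    """Map user name -> organization values for every user that would fail."""
    return {u["name"]: u["organization"] for u in users
            if len(set(u["organization"])) != 1}


# Constructed sample data; the two containers are those in the error message.
DISABLED_OU = "OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL"
DEPT_OU = "OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL"
USERS = [
    {"name": "cbrown", "givenName": "Charlie", "additionalName": "K",
     "familyName": "Brown", "organization": [DISABLED_OU, DEPT_OU]},
    {"name": "sbrown", "givenName": "Sally", "additionalName": None,
     "familyName": "Brown, Jr.", "organization": [DEPT_OU]},
]

if __name__ == "__main__":
    for name, orgs in audit(USERS).items():
        print("ambiguous organization for", name, orgs)
    for user in USERS:
        try:
            print(build_dn(user))
        except AmbiguousOrganization as exc:
            print("refused:", exc)
```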