<div dir="ltr">Oh, within the resource synchronization situations,<div><br></div><div>
<div>         <reaction></div>
<div>            <situation>deleted</situation></div>
<div>            <objectTemplateRef oid="10000000-0000-0000-0000-000000000301"/></div>
<div>            <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#inactivateFocus"/></div>
<div>         </reaction></div>
<div>         <reaction></div>
<div>            <situation>unlinked</situation></div>
<div>            <objectTemplateRef oid="10000000-0000-0000-0000-000000000302"/></div>
<div>            <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount"/></div>
<div>         </reaction></div>
<div><br></div><div><br></div></div></div>
<div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 16, 2015 at 4:08 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    .. and how midpoint runs the "Disabled Students Template 1" and
    "Enable Student Template 1"? (Where?)<span class="HOEnZb"><font color="#888888"><br>
    <br>
    Ivan</font></span><div><div class="h5"><br>
    <br>
    <div>On 10/16/2015 11:04 PM, Jason Everling
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">The user is disabled once they are removed from the
        CSV resource, the CSV resource only contains active users. A
        template disables their account and sets the OU path just like
        the enable one which I pasted below.
        <div><br>
        </div>
        <div>Yes, assigning an Org will cause icfs:name to be modified
          in AD to move them into the correct ou's in AD.</div>
        <div><br>
        </div>
        <div>If you are meaning the Org Template/Meta Role, they are
          assigned automatically using the system default org template.</div>
        <div><br>
        </div>
        <div>There are not any roles currently assigned to a user that
          controls enabled/disabled. It just happens automatically when
          they are either added or removed from CSV.</div>
        <div><br>
        </div>
        <div>jason</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Oct 16, 2015 at 3:58 PM, Ivan
          Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Hi Jason,<br>
              <br>
              some more questions to understand.<br>
              <br>
              What is the "lifecycle" of the user?<br>
              <br>
              Assigning role will cause icfs:name generation for the
              correct OU.<br>
              <br>
              Are such roles assigned manually?<br>
              <br>
              Is the role for "DISABLED" users also assigned manually
              when user leaves?<br>
              <br>
              Has the user which we are speaking of, still assigned that
              "DISABLED" role?<br>
              <br>
              Thanks,<br>
              Ivan
              <div>
                <div><br>
                  <br>
                  <div>On 10/16/2015 10:47 PM, Jason Everling wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">Ok so that makes a little more sense,
                      <div><br>
                      </div>
                      <div>The meta role is used so that when a user is
                        created in the "GUI" and is assigned an Org,
                        they will then be created in AD in the same Org.
                        This is so that we do not have to manually type out
                        the entire OU Path.</div>
                      <div><br>
                      </div>
                      <div>Here is the role,</div>
                      <div><br>
                      </div>
                      <div>
                        <div>   <name>Metarole for Orgs</name></div>
                        <div>   <description></div>
                        <div>        This MetaRole will add the current assigned organization to the organization attribute.</div>
                        <div>    </description></div>
                        <div>   <metadata></div>
                        <div>      <createTimestamp>2015-02-16T13:26:01.203-06:00</createTimestamp></div>
                        <div>      <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef></div>
                        <div>      <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel></div>
                        <div>   </metadata></div>
                        <div>   <inducement id="1"></div>
                        <div>      <focusMappings></div>
                        <div>         <mapping></div>
                        <div>            <source></div>
                        <div>               <c:path>$immediateRole/name</c:path></div>
                        <div>            </source></div>
                        <div>            <target></div>
                        <div>               <c:path>$focus/organization</c:path></div>
                        <div>            </target></div>
                        <div>         </mapping></div>
                        <div>      </focusMappings></div>
                        <div>      <order>2</order></div>
                        <div>   </inducement></div>
                        <div></role></div>
                      </div>
                      <div><br>
                      </div>
                      <div>What would you recommend I try?</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Fri, Oct 16, 2015 at
                        3:39 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div text="#000000" bgcolor="#FFFFFF"> Hi
                            Jason,<br>
                            <br>
                            Pavol and I are looking into the logs.<br>
                            <br>
                            It seems that the user has assigned
                            organization OU=_DISABLED,OU=SHP
                            Students,DC=TEST,DC=LOCAL, oid
                            cce5ec38-5246-4368-9e7b-6b049e01ef4d, which
                            sets the attribute "organization" (using the
                            metarole).<br>
                            <br>
                            Additionally, the user template you posted,
                            also sets the attribute "organization", so
                            after processing, user has TWO values of
                            organization attribute and this eventually
                            fails in mapping for (AD) icfs:name.<br>
                            <br>
                            How is the first role assigned and why it's
                            kept assigned..?<br>
                            <br>
                            Regards,<br>
                            Ivan
                            <div>
                              <div><br>
                                <br>
                                <div>On 10/16/2015 09:55 PM, Jason
                                  Everling wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">But the users do not
                                    have 2 "organizations" in their
                                    profile, they end up with only 1,
                                    <div><br>
                                    </div>
                                    <div>doesn't the "authoritative" flag
                                      ensure that only one value exists
                                      for any multi value attribute?</div>
                                    <div><br>
                                    </div>
                                    <div>I attached the template that
                                      kicks off when a user is added
                                      back to CSV</div>
                                    <div><br>
                                    </div>
                                    <div>JASON</div>
                                  </div>
                                  <div class="gmail_extra"><br>
                                    <div class="gmail_quote">On Fri, Oct
                                      16, 2015 at 2:52 PM, Jason
                                      Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                        <div dir="ltr">So yes, during
                                          the re-adding of the user, a
                                          template kicks off, which all
                                          it does, is add back their
                                          original organization based on
                                          costCenter, which then causes
                                          them to be enabled and moved
                                          into another AD container.</div>
                                        <div class="gmail_extra">
                                          <div>
                                            <div><br>
                                              <div class="gmail_quote">On
                                                Fri, Oct 16, 2015 at
                                                2:50 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
                                                wrote:<br>
                                                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                  <div text="#000000" bgcolor="#FFFFFF">
                                                    This is strange.<br>
                                                    <br>
                                                    The two values have
                                                    the same initial, so
                                                    I start to believe
                                                    that the two values
                                                    are produced by
                                                    "organization"
                                                    attribute.<br>
                                                    <br>
                                                    Can you please check
                                                    if this user has one
                                                    or two values of
                                                    user/organization?
                                                    One seems to be
                                                    "OU=DISABLED..."<span><font color="#888888"><br>
                                                        <br>
                                                        I.</font></span><span><br>
                                                      <br>
                                                      <div>On 10/16/2015
                                                        09:02 PM, Jason
                                                        Everling wrote:<br>
                                                      </div>
                                                    </span>
                                                    <blockquote type="cite">
                                                      <div>
                                                        <div>
                                                          <div dir="ltr">Here is the situation,
                                                          <div><br>
                                                          </div>
                                                          <div>I am running into an issue, if the user in the CSV has a middle initial that was not there before and does not have that value in AD then I get an error,<br clear="all">
                                                          <div><br>
                                                          </div>
                                                          <div><span>Attempt to replace 2 values to a single-valued item attributes/name; values: [PPV(String:cn=Charlie K. Brown,OU=DISABLED,OU=Students,DC=TEST,DC=LOCAL), PPV(String:cn=Charlie K. Brown,</span><span>OU=Dept,OU=Users,OU=Students,</span><span>DC=TEST,DC=LOCAL)]</span><br>
                                                          </div>
                                                          <div><span><br>
                                                          </span></div>
                                                          <div><span>The above user's original "name" in AD is</span></div>
                                                          <div><span>cn=Charlie Brown,OU=Dept,OU=Users,OU=Students,DC=TEST,DC=LOCAL</span><span><br>
                                                          </span></div>
                                                          <div><span><br>
                                                          </span></div>
                                                          <div><span>So when they are added to CSV with a middle initial it is trying to build the new name like in the first example and fails.</span></div>
                                                          <div><br>
                                                          </div>
                                                          <div>My AD DN
                                                          code is,</div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <div><span style="white-space:pre-wrap">        </span>if (additionalName == null) {</div>
                                                          <div><span style="white-space:pre-wrap">        </span>return 'cn='+givenName+' '+familyName+iterationToken+','+organization+'';</div>
                                                          <div><span style="white-space:pre-wrap">        </span>} else {</div>
                                                          <div><span style="white-space:pre-wrap">        </span>return 'cn='+givenName+' '+additionalName+'. '+familyName+iterationToken+','+organization+'';</div>
                                                          <div><span style="white-space:pre-wrap">        </span>}</div>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          -- <br>
                                                          <div>
                                                          <div dir="ltr">JASON</div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                        </div>
                                                      </div>
                                                      <font size="2"><br>
                                                        <br>
                                                        <span>
                                                          CONFIDENTIALITY
                                                          NOTICE:<br>
                                                          This e-mail
                                                          together with
                                                          any
                                                          attachments is
                                                          proprietary
                                                          and
                                                          confidential;
                                                          intended for
                                                          only the
                                                          recipient(s)
                                                          named above
                                                          and may
                                                          contain
                                                          information
                                                          that is
                                                          privileged.
                                                          You should not
                                                          retain, copy
                                                          or use this
                                                          e-mail or any
                                                          attachments
                                                          for any
                                                          purpose, or
                                                          disclose all
                                                          or any part of
                                                          the contents
                                                          to any person.
                                                          Any views or
                                                          opinions
                                                          expressed in
                                                          this e-mail
                                                          are those of
                                                          the author and
                                                          do not
                                                          represent
                                                          those of the
                                                          Baptist School
                                                          of Health
                                                          Professions.
                                                          If you have
                                                          received this
                                                          e-mail in
                                                          error, or are
                                                          not the named
                                                          recipient(s),
                                                          you are hereby
                                                          notified that
                                                          any review,
                                                          dissemination,
                                                          distribution
                                                          or copying of
                                                          this
                                                          communication
                                                          is prohibited
                                                          by the sender
                                                          and to do so
                                                          might
                                                          constitute a
                                                          violation of
                                                          the Electronic
                                                          Communications
                                                          Privacy Act,
                                                          18 U.S.C.
                                                          section
                                                          2510-2521.
                                                          Please
                                                          immediately
                                                          notify the
                                                          sender and
                                                          delete this
                                                          e-mail and any
                                                          attachments
                                                          from your
                                                          computer. </span></font><br>
                                                      <span> <br>
                                                        <fieldset></fieldset>
                                                        <br>
                                                        <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
                                                      </span></blockquote>
                                                    <span> <br>
                                                      <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>                     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  ___________________________________________________
  "Semper Id(e)M Vix."
</pre>
                                                    </span></div>
                                                  <br>
                                                </blockquote>
                                              </div>
                                              <br>
                                              <br clear="all">
                                              <div><br>
                                              </div>
                                              -- <br>
                                            </div>
                                          </div>
                                          <span><font color="#888888">
                                              <div>
                                                <div dir="ltr">JASON</div>
                                              </div>
                                            </font></span></div>
                                      </blockquote>
                                    </div>
                                    <br>
                                    <br clear="all">
                                    <div><br>
                                    </div>
                                    -- <br>
                                    <div>
                                      <div dir="ltr">JASON</div>
                                    </div>
                                  </div>
                                  <br>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                          </div>
                          <br>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                      <br clear="all">
                      <div><br>
                      </div>
                      -- <br>
                      <div>
                        <div dir="ltr">JASON</div>
                      </div>
                    </div>
                    <br>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div>
          <div dir="ltr">JASON</div>
        </div>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">JASON</div></div>
</div>

<br>