<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Anton,<br>
<br>
first of all, what are you trying to achieve?<br>
<br>
Yes, midPoint is capable of having multiple accounts linked to the
same user. Even multiple accounts (better: projections) on the same
resource. But if the various accounts are on the same resource,
schema handling configuration must define intents for them, and
synchronization configuration must define conditions which would
then identify the intent and the correlation rule.<br>
<br>
Back to your problem: the exception seems to be because midPoint is
trying to provision an account which already exists. (The same DN,
but the correlation rule does not declare that the currently processed
user is the owner of that account.) The iteration is configured
(maxIterations=5), but as iterationToken is used nowhere in your
configuration, midPoint stops retrying when maxIterations is
exceeded.<br>
<br>
My first GUESS is that midPoint tries to synchronize the account
(UNLINKED) by running the inbound mappings. But I see also outbound
mappings, and I don't see outbound mapping for ri:dn (DN on AD).<br>
<br>
Why do you also have outbound mappings? Is this intentional? If so,
why is there no mapping for ri:dn?<br>
<br>
I'd recommend removing the outbound mappings from this resource,
and then if the correlation expression is correct, you should have
two projections for the users.<br>
<br>
I also see that:<br>
<p class="MsoNormal"><span lang="EN-US">com.evolveum.midpoint.util.exception.SystemException:
com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException:
Too many iterations (6) for account(ID
{.../resource/instance-3}objectGUID = [
2d42b6f0b3554a4cbe75fb9a8f0a1141 ], type 'default',
resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaed(Active Directory
Advanced Sync 1)): cannot determine values that satisfy
constraints: Found more than one object with attribute
{.../resource/instance-3}dn = [ CN=Vilk,DC=igp,DC=local ]</span></p>
<br>
.. this is actually referencing the other AD resource named "Active
Directory Advanced Sync 1" ...<br>
<br>
I may still be able to find another hint.<br>
<br>
BUT beware: if you have two resources which point to the same
directory, and the accounts in both resources are physically the
same, you would have problems when you delete one account from
midPoint - the other would disappear (as it's the same account).<br>
<br>
So my first question still applies: what are you trying to achieve?<br>
<br>
Regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 05/31/2016 03:57 PM, Ерошенко Антон
wrote:<br>
</div>
<blockquote
cite="mid:8c469182c8d6489a9c26c4b685343fe8@exch.sc.exsc.ru"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hello!</span></p>
<p class="MsoNormal"><span lang="EN-US">I’m trying to import
accounts from an AD resource. These accounts were already
imported (LINKED) from another resource configured with the same
AD. So, users are the same, ADs are the same, only the resource
configurations differ. I would like to get a midPoint
user linked to two projections (accounts).</span></p>
<p class="MsoNormal"><span lang="EN-US">The midPoint sync process
sets UNLINKED status for the accounts, but then fails them and
shows ObjectAlreadyExistsException instead of linking the
account to the midPoint user.</span></p>
<p class="MsoNormal"><span lang="EN-US">Does it mean that it's
impossible to have two similar accounts for the same
midPoint user? Or is something wrong?</span></p>
<p class="MsoNormal"><span lang="EN-US">Resource config
<a class="moz-txt-link-freetext" href="http://pastebin.com/XX6KrcQB">http://pastebin.com/XX6KrcQB</a></span></p>
<p class="MsoNormal"><span lang="EN-US">Exception class
com.evolveum.midpoint.util.exception.SystemException thrown
by object change listener model synchronization service:
com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException:
Too many iterations (6) for account(ID
{.../resource/instance-3}objectGUID = [
2d42b6f0b3554a4cbe75fb9a8f0a1141 ], type 'default',
resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaed(Active
Directory Advanced Sync 1)): cannot determine values that
satisfy constraints: Found more than one object with
attribute {.../resource/instance-3}dn = [
CN=Vilk,DC=igp,DC=local]</span></p>
<p class="MsoNormal"><span lang="EN-US">com.evolveum.midpoint.util.exception.SystemException:
com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException:
Too many iterations (6) for account(ID
{.../resource/instance-3}objectGUID = [
2d42b6f0b3554a4cbe75fb9a8f0a1141 ], type 'default',
resource:ef2bc95b-76e0-48e2-86d6-3d4f02d3eaed(Active
Directory Advanced Sync 1)): cannot determine values that
satisfy constraints: Found more than one object with
attribute {.../resource/instance-3}dn = [
CN=Vilk,DC=igp,DC=local ]</span></p>
<p class="MsoNormal"><span lang="EN-US">at
com.evolveum.midpoint.model.impl.sync.SynchronizationService.notifyChange_aroundBody0(SynchronizationService.java:298)
~[model-impl-3.3.1.jar:na]</span></p>
<p class="MsoNormal"><span lang="EN-US">at
com.evolveum.midpoint.model.impl.sync.SynchronizationService$AjcClosure1.run(SynchronizationService.java:1)
~[model-impl-3.3.1.jar:na]</span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks for any
suggestions.</span></p>
<p class="MsoNormal"><span lang="EN-US">Anton.</span></p>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer &amp; IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
</pre>
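The iteration behaviour described in the reply above, as a simplified model. This is an added example, not midPoint code and not part of the original message; the function names and the token format (empty on the first pass, then the iteration number) are assumptions, and the sample DN is constructed from the one in the error message.

```python
# Simplified model of an iteration loop for unique account identifiers.
# Not midPoint code: names and token format are assumptions for illustration.

class TooManyIterations(Exception):
    def __init__(self, iterations, dn):
        super().__init__(f"Too many iterations ({iterations}): {dn} already exists")
        self.iterations = iterations


def normalize_dn(dn):
    """Compare DNs case-insensitively, ignoring spaces around ',' and '='.
    Escaped commas inside values are not handled in this model."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join("=".join(s.strip() for s in p.split("=", 1)).lower() for p in parts)


def find_free_dn(make_dn, existing_dns, max_iterations=5):
    """Try iterations 0..max_iterations; return (dn, iteration) of the first free DN."""
    taken = {normalize_dn(d) for d in existing_dns}
    candidate = None
    for iteration in range(max_iterations + 1):
        # Assumed token format: empty on the first pass, then the iteration number.
        token = "" if iteration == 0 else str(iteration)
        candidate = make_dn(token)
        if normalize_dn(candidate) not in taken:
            return candidate, iteration
    raise TooManyIterations(max_iterations + 1, candidate)


# Constructed sample data: the directory already holds the DN from the error.
EXISTING = ["CN=Vilk,DC=igp,DC=local"]

def dn_without_token(token):
    return "cn=Vilk, dc=igp, dc=local"        # token ignored: same value every pass

def dn_with_token(token):
    return f"CN=Vilk{token},DC=igp,DC=local"  # token changes the candidate


def demo():
    """Return (attempts before giving up without a token, result with a token)."""
    try:
        find_free_dn(dn_without_token, EXISTING)
        stuck = None
    except TooManyIterations as e:
        stuck = e.iterations
    return stuck, find_free_dn(dn_with_token, EXISTING)

if __name__ == "__main__":
    print(demo())
```

Using the token only yields a different DN; it does not attach the existing account to the user, which is the job of the correlation rule.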
</body>
</html>