<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello Aivo,</p>
<p><br>
</p>
<p>midPoint should be able to resolve such situations; although
maybe not in one iteration (of CSV import). It might be possible
that a sequence of operations, like:</p>
<p>- import from CSV</p>
<p>- AD reconciliation or user/role recomputation</p>
<p>is necessary to completely recover from such situations.</p>
<p><br>
</p>
<p>If there's a sequence of these operation that results in a wrong
midPoint state (i.e. state that requires manual intervention), it
is a bug.</p>
<p><br>
</p>
<p>From your mail I'm not sure if manual intervention is really
necessary, or if a sequence of import + reconciliation operations
would solve the problem.</p>
<p><br>
</p>
<p>If the former, I would suggest inspecting your synchronization
settings (in particular, correlation search filter, including
matching rules).</p>
<p><br>
</p>
<p>(My personal experience with midPoint failing to recover from
similar strange situations is just like that; after correcting the
correlation rules midPoint was able to recover from those,
although not within one import operation.)</p>
<p><br>
</p>
<p>Hope this helps.<br>
</p>
<p>Pavol</p>
<p><br>
</p>
<p>On 07.06.2016 10:10, Aivo Kuhlberg wrote:<br>
</p>
<blockquote cite="mid:1465287016369.84164@rmit.ee" type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} p
{margin-top:0;
margin-bottom:0}--></style>
<p>Hi,<br>
</p>
<p>I have question about one syncing situation. I import users
from CSV-file and use Exchange connector to sync both
AD/Exchange user accounts and groups (as roles). I am testing
following situation:<br>
</p>
<ol>
<li>I create a new group "testgroup" in AD</li>
<li>I run reconciliation of AD groups and I see that new
midPoint role "testgroup" is created from AD group.</li>
<li>Now I assign this newly created role to midPoint user
"testuser". I see that the same AD user account is now group
member of testgroup in AD.</li>
<li>Now I delete in AD group testgroup. This should be OK as
midPoint is able to restore deleted AD group and its members.</li>
<li>After that I do import of users from CSV file. I understand
this is unusual situation and I probably should have done
before that reconciliation of AD groups and users but I just
wanted to see what happens. What happens is that after CSV
file import AD group is restored in AD but AD user is not
member of this group. Another thing what happens is that I see
following error:</li>
</ol>
<p><span style="color: rgb(189, 19, 152);"><span style="color:
rgb(189, 19, 152);"><span style="color: rgb(189, 19, 152);">2016-06-06
15:04:01,881 [RESOURCE_OBJECT_CHANGE_LISTENER]
[midPointScheduler_Worker-7] ERROR
(com.evolveum.midpoint.model.impl.lens.ChangeExecutor):
Error executing changes for (entitlement (group) on
<a class="moz-txt-link-freetext" href="resource:c2c5a39d-44ca-4b84-8cba-82e906cf3564(Exchange))">resource:c2c5a39d-44ca-4b84-8cba-82e906cf3564(Exchange))</a>:
Couldn't add object. Object already exists: Object already
exists on the resource:
org.identityconnectors.framework.common.exceptions.AlreadyExistsException(The
object already exists.??: when creating
<a class="moz-txt-link-freetext" href="LDAP://server.my.domain/CN=testgroup,OU=Service1,OU=Services,OU=TEST2,DC=my,DC=domain">LDAP://server.my.domain/CN=testgroup,OU=Service1,OU=Services,OU=TEST2,DC=my,DC=domain</a>)->org.identityconnectors.framework.impl.api.remote.RemoteWrappedException(The
object already exists.??: when creating
<a class="moz-txt-link-freetext" href="LDAP://server.my.domain/CN=testgroup,OU=Service1,OU=Services,OU=TEST2,DC=my,DC=domain">LDAP://server.my.domain/CN=testgroup,OU=Service1,OU=Services,OU=TEST2,DC=my,DC=domain</a>)</span></span></span><br
style="color: rgb(255, 0, 0);">
<span style="color: rgb(255, 0, 0);"></span><br>
When I look at the shadow information of testgroup and testuser
then I see that they have now following attributes:
<br>
For testgroup:<br>
<span style="color: rgb(0, 111, 201); font-family:
Consolas,monospace; font-size: 11pt;"><dead>true</dead></span><br
style="color: rgb(0, 111, 201); font-family:
Consolas,monospace; font-size: 11pt;">
<span style="color: rgb(0, 111, 201); font-family:
Consolas,monospace; font-size: 11pt;"><synchronizationSituation>deleted</synchronizationSituation></span><br>
<br>
and for testuser:<br>
<span style="color: rgb(0, 111, 201); font-family:
Consolas,monospace; font-size: 11pt;"><dead>true</dead></span><br
style="color: rgb(0, 111, 201); font-family:
Consolas,monospace; font-size: 11pt;">
<span style="color: rgb(0, 111, 201); font-family:
Consolas,monospace; font-size: 11pt;"><synchronizationSituation>linked</synchronizationSituation></span><br>
<br>
I have to fix this situation by deleting manually testgroup and
testuser shadows and do reconciliation of AD groups and users.<br>
</p>
<p><br>
</p>
<p>Has anybody tested that situation and should midPoint 3.3.1 be
able to resolve that situation automatically or is it too
complex situation and I just have to avoid it by doing AD groups
and users reconciliation every time before importing users fom
CSV file?<br>
<br>
Thanks,<br>
Aivo Kuhlberg<br>
</p>
<br>
<hr>
<font face="Arial" color="Gray" size="2">Käesolev e-kiri võib
sisaldada asutusesiseseks kasutamiseks tunnistatud teavet.<br>
This e-mail may contain information which is classified for
official use.</font>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body>
</html>