<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Aivo,</p>
    <p><br>
    </p>
    <p>Yes. But if the sync operations go in another order (e.g. CSV
      import first, then reconciliation of AD groups, then AD users, and
      then perhaps again CSV import), is the problem fixed? Or does
      midPoint end up in a wrong state?</p>
    <p><br>
    </p>
    <p>Pavol<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 14.06.2016 13:54, Aivo Kuhlberg
      wrote:<br>
    </div>
    <blockquote cite="mid:1465905265400.42641@rmit.ee" type="cite">
      <p>Hi Pavol,<br>
        Thanks for the answer. I don't know if this is a bug or my bad
        syncing configuration. I can avoid it by syncing in the following
        order:<br>
        First, doing reconciliation of AD groups -&gt; this restores the
        deleted AD group<br>
        Second, doing reconciliation of AD/Exchange users -&gt; this
        restores AD group user membership<br>
        Third, doing CSV import of users -&gt; this reimports all users'
        data to midPoint and provisions the changes to AD/Exchange<br>
        <br>
        Regards,<br>
        Aivo Kuhlberg<br>
      </p>
      <div style="color: rgb(33, 33, 33);">
        <hr tabindex="-1" style="display:inline-block; width:98%">
        <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
            face="Calibri, sans-serif" color="#000000"><b>From:</b>
            midPoint <a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com">&lt;midpoint-bounces@lists.evolveum.com&gt;</a>
            on behalf of Pavol Mederly <a class="moz-txt-link-rfc2396E" href="mailto:mederly@evolveum.com">&lt;mederly@evolveum.com&gt;</a><br>
            <b>Sent:</b> 14 June 2016 14:28<br>
            <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
            <b>Subject:</b> Re: [midPoint] Question about syncing
            situation</font>
          <div> </div>
        </div>
        <div>
          <p>Hello Aivo,</p>
          <p><br>
          </p>
          <p>midPoint should be able to resolve such situations;
            although maybe not in one iteration (of CSV import). It
            might be possible that a sequence of operations, like:</p>
          <p>- import from CSV</p>
          <p>- AD reconciliation or user/role recomputation</p>
          <p>is necessary to completely recover from such situations.</p>
          <p><br>
          </p>
          <p>If there's a sequence of these operations that results in a
            wrong midPoint state (i.e. a state that requires manual
            intervention), it is a bug.</p>
          <p><br>
          </p>
          <p>From your mail I'm not sure if manual intervention is
            really necessary, or if a sequence of import +
            reconciliation operations would solve the problem.</p>
          <p><br>
          </p>
          <p>If the former, I would suggest inspecting your
            synchronization settings (in particular, correlation search
            filter, including matching rules).</p>
          <p><br>
          </p>
          <p>(My personal experience with midPoint failing to recover
            from similar strange situations is just like that; after
            correcting the correlation rules midPoint was able to
            recover from those, although not within one import
            operation.)</p>
          <p><br>
          </p>
          <p>Hope this helps.<br>
          </p>
          <p>Pavol</p>
          <p><br>
          </p>
          <p>On 07.06.2016 10:10, Aivo Kuhlberg wrote:<br>
          </p>
          <blockquote type="cite">
            <p>Hi,<br>
            </p>
            <p>I have a question about one syncing situation. I import
              users from a CSV file and use the Exchange connector to sync
              both AD/Exchange user accounts and groups (as roles). I am
              testing the following situation:<br>
            </p>
            <ol>
              <li>I create a new group "testgroup" in AD. </li>
              <li>I run reconciliation of AD groups and I see that a new
                midPoint role "testgroup" is created from the AD group.
              </li>
              <li>Now I assign this newly created role to the midPoint user
                "testuser". I see that the same AD user account is now
                a group member of testgroup in AD.
              </li>
              <li>Now I delete the group testgroup in AD. This should be OK
                as midPoint is able to restore a deleted AD group and its
                members.
              </li>
              <li>After that I do an import of users from the CSV file. I
                understand this is an unusual situation and I probably
                should have done reconciliation of AD groups and users
                before that, but I just wanted to see what happens. What
                happens is that after the CSV file import the AD group is
                restored in AD but the AD user is not a member of this group.
                Another thing that happens is that I see the following
                error:
              </li>
            </ol>
            <p><span style="color:rgb(189,19,152)">2016-06-06
                15:04:01,881 [RESOURCE_OBJECT_CHANGE_LISTENER]
                [midPointScheduler_Worker-7] ERROR
                (com.evolveum.midpoint.model.impl.lens.ChangeExecutor):
                Error executing changes for (entitlement (group) on
                resource:c2c5a39d-44ca-4b84-8cba-82e906cf3564(Exchange)): Couldn't
                add object. Object already exists: Object already
                exists on the resource:
                org.identityconnectors.framework.common.exceptions.AlreadyExistsException(The
                object already exists.??: when creating
                LDAP://server.my.domain/CN=testgroup,OU=Service1,OU=Services,OU=TEST2,DC=my,DC=domain)-&gt;org.identityconnectors.framework.impl.api.remote.RemoteWrappedException(The
                object already exists.??: when creating
                LDAP://server.my.domain/CN=testgroup,OU=Service1,OU=Services,OU=TEST2,DC=my,DC=domain)</span><br>
              <br>
              When I look at the shadow information of testgroup and
              testuser, I see that they now have the following
              attributes:
              <br>
              For testgroup:<br>
              <span style="color:rgb(0,111,201);
                font-family:Consolas,monospace; font-size:11pt">&lt;dead&gt;true&lt;/dead&gt;</span><br>
              <span style="color:rgb(0,111,201);
                font-family:Consolas,monospace; font-size:11pt">&lt;synchronizationSituation&gt;deleted&lt;/synchronizationSituation&gt;</span><br>
              <br>
              and for testuser:<br>
              <span style="color:rgb(0,111,201);
                font-family:Consolas,monospace; font-size:11pt">&lt;dead&gt;true&lt;/dead&gt;</span><br>
              <span style="color:rgb(0,111,201);
                font-family:Consolas,monospace; font-size:11pt">&lt;synchronizationSituation&gt;linked&lt;/synchronizationSituation&gt;</span><br>
              <br>
              I have to fix this situation by manually deleting the
              testgroup and testuser shadows and doing reconciliation of AD
              groups and users.<br>
            </p>
            <p><br>
            </p>
            <p>Has anybody tested that situation, and should midPoint
              3.3.1 be able to resolve that situation automatically, or
              is it too complex a situation, so that I just have to avoid it by
              doing AD groups and users reconciliation every time before
              importing users from the CSV file?<br>
              <br>
              Thanks,<br>
              Aivo Kuhlberg<br>
            </p>
            <br>
            <hr>
            <font face="Arial" color="Gray" size="2">This e-mail may contain information which is classified
              for official use.</font> <br>
            <fieldset class="mimeAttachmentHeader"></fieldset>
            <br>
            <pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
          </blockquote>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>