<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Yes, now I see... maybe this is really a bug.</p>
<p><br>
</p>
<p>But it's quite possible it was corrected recently, as Rado fixed
something related to handling Object not found exceptions.</p>
<p><br>
</p>
<p>Could you try with the current 3.4 snapshot? It is already of "near
release" quality.</p>
<p><br>
</p>
<p>Pavol<br>
</p>
<br>
<div class="moz-cite-prefix">On 14.06.2016 14:22, Aivo Kuhlberg
wrote:<br>
</div>
<blockquote cite="mid:1465906934732.34244@rmit.ee" type="cite">
<p>If I do it in another order, like doing the CSV import first, then I
see the problems I reported, and if I later do any AD
reconciliations then the problem is still not solved (errors in
log) - I think because of the dead shadows. Because when I
delete these dead shadows, AD reconciliations start working
again.<br>
</p>
<p><br>
</p>
<div id="Signature">
<div name="divtagdefaultwrapper"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:; margin:0">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">Aivo
Kuhlberg Phone: (+372)
<span style="">671 3984</span><br>
Rahandusministeeriumi Infotehnoloogiakeskus<br>
</div>
</div>
</div>
</div>
</div>
</div>
<div style="color: rgb(33, 33, 33);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
midPoint <a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com">&lt;midpoint-bounces@lists.evolveum.com&gt;</a>
on behalf of Pavol Mederly <a class="moz-txt-link-rfc2396E" href="mailto:mederly@evolveum.com">&lt;mederly@evolveum.com&gt;</a><br>
<b>Sent:</b> 14 June 2016 14:55<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Subject:</b> Re: [midPoint] Question about syncing
situation</font>
<div> </div>
</div>
<div>
<p>Aivo,</p>
<p><br>
</p>
<p>yes. But if the sync operations go in another order (e.g.
CSV import first, then reconciliation of AD groups, then AD
users, and then perhaps again CSV import), is the problem
fixed? Or does midPoint end up in a wrong state?</p>
<p><br>
</p>
<p>Pavol<br>
</p>
<br>
<div class="moz-cite-prefix">On 14.06.2016 13:54, Aivo
Kuhlberg wrote:<br>
</div>
<blockquote type="cite">
<p>Hi Pavol,<br>
Thanks for the answer. I don't know if this is a bug or my
bad syncing configuration. I can avoid it by syncing in
the following order:<br>
First, doing reconciliation of AD groups -&gt; this
restores the deleted AD group<br>
Second, doing reconciliation of AD/Exchange users -&gt;
this restores AD group user membership<br>
Third, doing CSV import of users -&gt; this reimports all
user data to midPoint and provisions the changes to
AD/Exchange<br>
<br>
Regards,<br>
Aivo Kuhlberg<br>
</p>
<div style="color:rgb(33,33,33)">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> midPoint
<a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:midpoint-bounces@lists.evolveum.com">
&lt;midpoint-bounces@lists.evolveum.com&gt;</a>
on behalf of Pavol Mederly <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:mederly@evolveum.com">
&lt;mederly@evolveum.com&gt;</a><br>
<b>Sent:</b> 14 June 2016 14:28<br>
<b>To:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:midpoint@lists.evolveum.com">
midpoint@lists.evolveum.com</a><br>
<b>Subject:</b> Re: [midPoint] Question about syncing
situation</font>
<div> </div>
</div>
<div>
<p>Hello Aivo,</p>
<p><br>
</p>
<p>midPoint should be able to resolve such situations;
although maybe not in one iteration (of CSV import).
It might be possible that a sequence of operations,
like:</p>
<p>- import from CSV</p>
<p>- AD reconciliation or user/role recomputation</p>
<p>is necessary to completely recover from such
situations.</p>
<p><br>
</p>
<p>If there's a sequence of these operations that results
in a wrong midPoint state (i.e. state that requires
manual intervention), it is a bug.</p>
<p><br>
</p>
<p>From your mail I'm not sure if manual intervention is
really necessary, or if a sequence of import +
reconciliation operations would solve the problem.</p>
<p><br>
</p>
<p>If the former, I would suggest inspecting your
synchronization settings (in particular, correlation
search filter, including matching rules).</p>
<p><br>
</p>
<p>(My personal experience with midPoint failing to
recover from similar strange situations is just like
that; after correcting the correlation rules midPoint
was able to recover from those, although not within
one import operation.)</p>
<p><br>
</p>
<p>Hope this helps.<br>
</p>
<p>Pavol</p>
<p><br>
</p>
<p>On 07.06.2016 10:10, Aivo Kuhlberg wrote:<br>
</p>
<blockquote type="cite">
<p>Hi,<br>
</p>
<p>I have a question about one syncing situation. I
import users from a CSV file and use the Exchange
connector to sync both AD/Exchange user accounts and
groups (as roles). I am testing the following situation:<br>
</p>
<ol>
<li>I create a new group "testgroup" in AD.</li>
<li>I run reconciliation of AD groups and I see that
a new midPoint role "testgroup" is created from the AD
group.
</li>
<li>Now I assign this newly created role to midPoint
user "testuser". I see that the same AD user
account is now a member of testgroup in AD.
</li>
<li>Now I delete the group testgroup in AD. This should
be OK as midPoint is able to restore a deleted AD
group and its members.
</li>
<li>After that I do an import of users from the CSV file. I
understand this is an unusual situation and I
probably should have done a reconciliation of AD groups
and users before that, but I just
wanted to see what happens. What happens is that
after the CSV file import the AD group is restored in AD
but the AD user is not a member of this group. Another
thing that happens is that I see the following error:
</li>
</ol>
<p><span style="color:rgb(189,19,152)">2016-06-06
15:04:01,881 [RESOURCE_OBJECT_CHANGE_LISTENER]
[midPointScheduler_Worker-7] ERROR
(com.evolveum.midpoint.model.impl.lens.ChangeExecutor):
Error executing changes for (entitlement
(group) on
resource:c2c5a39d-44ca-4b84-8cba-82e906cf3564(Exchange)): Couldn't
add object. Object already exists: Object
already exists on the resource:
org.identityconnectors.framework.common.exceptions.AlreadyExistsException(The
object already exists.??: when creating
LDAP://server.my.domain/CN=testgroup,OU=Service1,OU=Services,OU=TEST2,DC=my,DC=domain)-&gt;org.identityconnectors.framework.impl.api.remote.RemoteWrappedException(The
object already exists.??: when creating
LDAP://server.my.domain/CN=testgroup,OU=Service1,OU=Services,OU=TEST2,DC=my,DC=domain)</span><br>
<br>
When I look at the shadow information of testgroup
and testuser, I see that they now have the following
attributes:
<br>
For testgroup:<br>
<span style="color:rgb(0,111,201);
font-family:Consolas,monospace; font-size:11pt">&lt;dead&gt;true&lt;/dead&gt;</span><br>
<span style="color:rgb(0,111,201);
font-family:Consolas,monospace; font-size:11pt">&lt;synchronizationSituation&gt;deleted&lt;/synchronizationSituation&gt;</span><br>
<br>
and for testuser:<br>
<span style="color:rgb(0,111,201);
font-family:Consolas,monospace; font-size:11pt">&lt;dead&gt;true&lt;/dead&gt;</span><br>
<span style="color:rgb(0,111,201);
font-family:Consolas,monospace; font-size:11pt">&lt;synchronizationSituation&gt;linked&lt;/synchronizationSituation&gt;</span><br>
<br>
I have to fix this situation by manually deleting the
testgroup and testuser shadows and doing a reconciliation
of AD groups and users.<br>
</p>
<p><br>
</p>
<p>Has anybody tested that situation and should
midPoint 3.3.1 be able to resolve that situation
automatically, or is it too complex a situation and I
just have to avoid it by doing AD groups and users
reconciliation every time before importing users from
the CSV file?<br>
<br>
Thanks,<br>
Aivo Kuhlberg<br>
</p>
<br>
<hr>
<font face="Arial" color="Gray" size="2">This e-mail may contain information which is
classified for official use.</font> <br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
<br>
</blockquote>
<br>
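<p>Added example, not part of the original thread and not midPoint code: a small check that lists the shadows in an XML export whose <code>dead</code> flag is true, separating the dead-but-still-linked state reported for testuser from the dead/deleted state reported for testgroup. The export wrapper, oids, names and namespace in the sample are assumptions; only <code>dead</code> and <code>synchronizationSituation</code> come from the messages above. Run it only on exports you produced yourself, since the standard-library parser is not hardened against hostile XML.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Only <dead> and <synchronizationSituation> come
# from the thread; the wrapper, oids, names and namespace are assumptions.
SAMPLE_EXPORT = """\
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <shadow oid="00000000-0000-0000-0000-000000000001">
    <name>CN=testgroup,OU=Service1,OU=Services,OU=TEST2,DC=my,DC=domain</name>
    <dead>true</dead>
    <synchronizationSituation>deleted</synchronizationSituation>
  </shadow>
  <shadow oid="00000000-0000-0000-0000-000000000002">
    <name>CN=testuser,OU=TEST2,DC=my,DC=domain</name>
    <dead>true</dead>
    <synchronizationSituation>linked</synchronizationSituation>
  </shadow>
  <shadow oid="00000000-0000-0000-0000-000000000003">
    <synchronizationSituation>linked</synchronizationSituation>
  </shadow>
</objects>
"""

def local_name(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's "{namespace}" prefix

def child_text(elem, name):
    for child in elem:
        if local_name(child.tag) == name:
            return (child.text or "").strip()
    return None

def find_dead_shadows(xml_text):
    """Return one finding per shadow whose <dead> flag is true."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local_name(elem.tag) != "shadow" or child_text(elem, "dead") != "true":
            continue
        situation = child_text(elem, "synchronizationSituation")
        findings.append({
            "oid": elem.get("oid"),
            "name": child_text(elem, "name"),
            "situation": situation,
            # Status labels are this example's own, not midPoint terminology.
            "status": "dead-but-linked" if situation == "linked" else "dead",
        })
    return findings

if __name__ == "__main__":
    print(*find_dead_shadows(SAMPLE_EXPORT), sep="\n")
```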
</body>
</html>