<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi Florin,<br>
    <br>
    The two associations that you see are in fact just two images of the
    same group membership. MidPoint will process the same association
    twice and therefore display it twice. The question is why it is
    processed twice. My guess would be that you have two association
    definitions in the account type definition in schemaHandling
    ("Service groups" and "POSIX membership"). These two definitions
    most likely point to the entitlements that have the same association
    attribute (most likely "member") and the same object class.
    Therefore when midPoint finds that the account is a member of
    "cpe_services" group it matches both definitions and therefore it is
    processed by both of them and therefore it appears twice.<br>
    <br>
    To resolve this issue you need to define some information that will
    tell midPoint how to distinguish the associations. I can only guess
    here, but if the groups live in different parts of the LDAP tree
    you need a baseContext specification. Like this:<br>
    <br>
    <pre>&lt;schemaHandling&gt;

    &lt;objectType&gt;
        &lt;kind&gt;entitlement&lt;/kind&gt;
        &lt;intent&gt;ldapGroup&lt;/intent&gt;
        &lt;displayName&gt;LDAP Group&lt;/displayName&gt;
        &lt;objectClass&gt;ri:groupOfNames&lt;/objectClass&gt;
        &lt;baseContext&gt;
            &lt;objectClass&gt;ri:organizationalUnit&lt;/objectClass&gt;
            &lt;filter&gt;
                &lt;q:equal&gt;
                    &lt;q:path&gt;attributes/dn&lt;/q:path&gt;
                    &lt;q:value&gt;ou=groups,dc=example,dc=com&lt;/q:value&gt;
                &lt;/q:equal&gt;
            &lt;/filter&gt;
        &lt;/baseContext&gt;
        ....
</pre>
    <br>
    <br>
    See here:
<a class="moz-txt-link-freetext" href="https://github.com/Evolveum/midpoint/blob/master/samples/evolveum/resource-openldap.xml">https://github.com/Evolveum/midpoint/blob/master/samples/evolveum/resource-openldap.xml</a><br>
    and here:
<a class="moz-txt-link-freetext" href="https://github.com/Evolveum/midpoint/blob/master/testing/story/src/test/resources/unix/resource-opendj.xml">https://github.com/Evolveum/midpoint/blob/master/testing/story/src/test/resources/unix/resource-opendj.xml</a><br>
    <br>
    Or maybe you have the wrong specification of &lt;objectClass&gt; in the
    entitlement definitions? Maybe one of them should have
    "groupOfNames" and the other "posixGroup"?<br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
evolveum.com
</pre>
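    <br>
    An added example, not part of the original message and not midPoint code: a small Python check for the situation described above, where two association definitions on one account type point at entitlement types with the same object class and association attribute, and no baseContext separates them. It uses a simplified model of schemaHandling; the sample fragment, the "ri:serviceGroup" and "ri:posixGroup" refs and the "ou=" values passed to the hypothetical base() helper are constructed for illustration.<br>

```python
import itertools
import xml.etree.ElementTree as ET

# Constructed sample fragment; {b1}, {b2} and {cls} are filled in per scenario.
SAMPLE = """<schemaHandling xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
 <objectType><kind>account</kind><intent>service</intent>
  <association><ref>ri:serviceGroup</ref><kind>entitlement</kind><intent>serviceGroup</intent>
   <associationAttribute>ri:member</associationAttribute></association>
  <association><ref>ri:posixGroup</ref><kind>entitlement</kind><intent>posixGroup</intent>
   <associationAttribute>ri:member</associationAttribute></association>
 </objectType>
 <objectType><kind>entitlement</kind><intent>serviceGroup</intent>
  <objectClass>ri:groupOfNames</objectClass>{b1}</objectType>
 <objectType><kind>entitlement</kind><intent>posixGroup</intent>
  <objectClass>{cls}</objectClass>{b2}</objectType>
</schemaHandling>"""

def base(dn):
    # Hypothetical helper: builds a baseContext like the one quoted in the message.
    return ("<baseContext><objectClass>ri:organizationalUnit</objectClass><filter><q:equal>"
            "<q:path>attributes/dn</q:path><q:value>%s</q:value></q:equal></filter></baseContext>" % dn)

def text(el, path):
    return (el.findtext(path) or "").strip()

def overlaps(a, b):
    # Model assumption: no baseContext means no restriction; nested subtrees overlap too.
    a, b = a.lower(), b.lower()
    return not a or not b or a == b or a.endswith("," + b) or b.endswith("," + a)

def ambiguous_associations(resource_xml):
    root = ET.fromstring(resource_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop namespaces so plain paths work
    # entitlement intent -> (its own objectClass, DN value of its baseContext filter)
    types = {text(t, "intent"): (text(t, "objectClass"), text(t, "baseContext/filter/equal/value"))
             for t in root.iter("objectType") if text(t, "kind") == "entitlement"}
    findings = []
    for acct in root.iter("objectType"):
        if text(acct, "kind") != "account":
            continue
        defs = [(text(a, "ref"), text(a, "associationAttribute"), *types.get(text(a, "intent"), ("", "")))
                for a in acct.findall("association")]
        for (r1, at1, c1, b1), (r2, at2, c2, b2) in itertools.combinations(defs, 2):
            if at1 == at2 and c1 == c2 and overlaps(b1, b2):
                findings.append((text(acct, "intent"), r1, r2))
    return findings
```

    In this model, giving a baseContext to only one of the two entitlement types still reports the pair, because the other definition remains unrestricted.<br>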
    <br>
    <br>
    <div class="moz-cite-prefix">On 06/07/2016 09:15 PM, Florin.
      Stingaciu wrote:<br>
    </div>
    <blockquote
cite="mid:CAMQHPY2wS9jHJ75xsZ666yu=Z+0OebNnUeXD2+Oo2UbTPDppAg@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hello, 
        <div><br>
        </div>
        <div>So I have this user which has only one assignment, to role
          cpe_services. This role was created using the following
          metarole: <a moz-do-not-send="true"
            href="http://pastebin.com/uMtwyfCV">http://pastebin.com/uMtwyfCV</a><br>
          <br>
          This metarole has five different inducements:</div>
        <div>
          <ul>
            <li>the first inducement is an order one inducement that
              creates an LDAP group with intent 'serviceGroup'</li>
            <li>the second inducement is an order two inducement that
              creates a 'default' account if the employee type is equal
              to 'user'</li>
            <li>the third inducement is an order two inducement that
              creates a 'service' account if the employee type is equal
              to 'service'</li>
            <li>the fourth and fifth are both second order inducements
              that generate a gid and uid for the user </li>
          </ul>
          <div>The assignment of cpe_services to the metarole creates
            the cpe_services group in LDAP. The assignment of the user
            to cpe_services, creates an LDAP 'service' account, however
            when I look under projections, click on the account, and
            look at associations, I see the following: <a
              moz-do-not-send="true" href="http://imgur.com/CUEH7uw">http://imgur.com/CUEH7uw</a><br>
            <br>
            The only association there should be the "Service Group"
            association. The posixMembership is an entitlement that the
            serviceAccount can have, however it is not defined within
            this metarole. Also, as you can see, the dn for the
            association is the same in both. </div>
        </div>
        <div><br>
        </div>
        <div>This problem is not only limited to my serviceGroups
          entitlement but all entitlements. It also happens for
          different types of accounts as well. </div>
        <div><br>
        </div>
        <div>Please let me know if I can provide anything further
          that would help debug this issue. </div>
        <div><br>
        </div>
        <div>Thanks, </div>
        <div>-F </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>