<div dir="ltr"><div>I can answer the first question, 2 options, taken from ours,<br><br></div>Add a protected section for everything you do not want to sync,<br><a href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-localhost-resource-sync-advanced.xml#L309">https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-localhost-resource-sync-advanced.xml#L309</a><br><br><pre><protected>
    <filter>
        <q:substring xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
            <q:matching>stringIgnoreCase</q:matching>
            <q:path>attributes/name</q:path>
            <q:value>OU=TEMPLATE,DC=TEST,DC=LOCAL</q:value>
            <q:anchorEnd>true</q:anchorEnd>
        </q:substring>
    </filter>
</protected></pre><br><div><br>You could also instead add into the objectSynchronization section. Not necessarily based on a query but more of specific attribute values. In the below (..... ....... 'info') is the AD attribute and values are mpSecurity or mpDistribution. This keeps midPoint from syncing all AD groups and only the ones we want to sync.<br><br><pre><objectSynchronization>
    <objectClass>ri:CustomGroupObjectClass</objectClass>
    <kind>entitlement</kind>
    <intent>group</intent>
    <focusType>c:RoleType</focusType>
    <enabled>true</enabled>
    <!-- Only sync groups from AD that have info set as either "mpSecurity" or "mpDistribution" -->
    <condition>
        <script>
            <code>
                tmp = basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'info');
                return (tmp == 'mpSecurity' || tmp == 'mpDistribution')
            </code>
        </script>
    </condition></pre><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">JASON</div></div></div>
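<div>An offline preview of which entries the two rules in the message above would cover, as an added example that is not part of the original message or of midPoint. It assumes the substring filter behaves as a case-insensitive "ends with" on the raw name string and the script condition as an exact, case-sensitive comparison; the function names and all sample entries are constructed.</div>

```python
# Added example (not from the thread): offline model of the two scoping rules.
# Assumptions: the <q:substring> filter with anchorEnd + stringIgnoreCase is
# modelled as a case-insensitive "ends with" on the raw string; the Groovy
# condition is an exact, case-sensitive comparison. All entries are constructed.

PROTECTED_SUFFIX = "OU=TEMPLATE,DC=TEST,DC=LOCAL"    # <q:value> from the filter
SYNC_INFO_VALUES = ("mpSecurity", "mpDistribution")  # values in the condition


def is_protected(name):
    """Model of the <protected> filter on attributes/name."""
    return name.lower().endswith(PROTECTED_SUFFIX.lower())


def passes_condition(info):
    """Model of: return (tmp == 'mpSecurity' || tmp == 'mpDistribution')."""
    return info in SYNC_INFO_VALUES


def preview(accounts, groups):
    """Return (protected account names, group names that would be synced)."""
    protected = [n for n in accounts if is_protected(n)]
    synced = [n for n, info in groups if passes_condition(info)]
    return protected, synced


SAMPLE_ACCOUNTS = [
    "CN=New Hire,OU=TEMPLATE,DC=TEST,DC=LOCAL",
    "cn=svc-clone,ou=template,dc=test,dc=local",  # differs only in case
    "CN=Jane Doe,OU=Staff,DC=TEST,DC=LOCAL",
    "CN=Old,OU=TEMPLATE, DC=TEST, DC=LOCAL",      # spaces after commas
]
SAMPLE_GROUPS = [
    ("CN=IT-Admins", "mpSecurity"),
    ("CN=All-Staff", "mpDistribution"),
    ("CN=Printers", None),        # info attribute not set
    ("CN=Legacy", "MPSecurity"),  # wrong case: the condition is case-sensitive
]

if __name__ == "__main__":
    protected, synced = preview(SAMPLE_ACCOUNTS, SAMPLE_GROUPS)
    print("protected:", protected)
    print("synced:   ", synced)
```

<div>Entries the model leaves unprotected because of spacing in the name, or unsynced because of an unexpected info value, are the ones to check against the real resource before the first import.</div>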
<br><div class="gmail_quote">On Fri, Aug 19, 2016 at 11:35 AM, Mencel, Matt <span dir="ltr"><<a href="mailto:mr-mencel@wiu.edu" target="_blank">mr-mencel@wiu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">OK. I think it's correct in the XML. It's just throwing the warning in the UI. I'll try a sync and see how it goes.<div><br></div><div>Is there a way to specify an LDAP query for the sync/import? I just want to sync for example my department '(&(objectClass=person)(<wbr>department=IT))' during testing, rather than every user object in my LDAP directory.</div><div><br></div><div><br></div><div>Also, my resource XML that I edit and put in my source control system.... Is there a place to put that in midpoint.home that gets imported automatically (midpoint.home/import)? Or do I need to manually import that every time I make a change to it?</div><div><br></div><div>Thanks for being patient with my questions...</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Matt</div><div><br></div></font></span></div><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Fri, Aug 19, 2016 at 11:22 AM, Pavol Mederly <span dir="ltr"><<a href="mailto:pavol.mederly@evolveum.com" target="_blank">pavol.mederly@evolveum.com</a>></span> wrote:<br></span><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000"><div>Hello Matt,<br></div><div><br></div><div>I'm afraid that the resource wizard maybe does not work 100% correctly with auxiliary classes. At least I haven't tested it in this way when preparing it for 3.4 release. 
I've now created <a href="https://jira.evolveum.com/browse/MID-3359" target="_blank">MID-3359</a> for it.<br></div><div><br></div><div>For the time being, I'd recommend setting schemaHandling for that particular attribute by hand (via XML editor).<br></div><div><br></div><div>Best regards,<br></div><div>Pavol<br></div><div><br></div><hr><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From: </b>"Matt Mencel" <<a href="mailto:mr-mencel@wiu.edu" target="_blank">mr-mencel@wiu.edu</a>><br><b>To: </b>"midPoint General Discussion" <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br><b>Sent: </b>Friday, August 19, 2016 6:11:13 PM<br><b>Subject: </b>Re: [midPoint] Discovering Custom objectClasses<div><div><br><div><br></div><div dir="ltr">Capitalization looks correct. I notice that I cannot select wiuId on the Schema Handling tab for that attribute. It defaults to CN.<div><br></div><div>The Attribute drop down is only presenting attributes from the person OC, not the other auxiliary OCs.</div><div><br></div><div>Matt<br><div><br></div><div><br></div><div> <img src="cid:ii_is1ybojd0_156a390976675e70" height="296" width="562"></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 19, 2016 at 10:47 AM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a><wbr>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Hi,<br> <br> Yes, that should work.<br> Just check that you have correct lowercase/uppercase form for the attribute names. LDAP is (mostly) case insensitive, but midPoint is case sensitive. Look at the <schema> part of the resource definition. That is generated from the resource. Look for your auxiliary object class definition there. 
And use the same capitalization as you see in the <schema> section.<span><span><br> <br></span></span><pre>--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre><span><br> <br> <br></span><div><div>On 08/19/2016 05:23 PM, Mencel, Matt wrote:<br></div></div></div><div><div><blockquote><div dir="ltr">Thanks Radovan,<div><br></div><div>That helps. Do I declare the auxiliary's attributes in the same place as the default objectClass then? I'm getting this error in the UI...</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">There is no attribute named '{<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3%7DwiuId" target="_blank">http://midpoint.evolveum.com<wbr>/xml/ns/public/resource/instan<wbr>ce-3}wiuId</a>' in object class '{<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3%7Dperson" target="_blank">http://midpoint.evolveum.com<wbr>/xml/ns/public/resource/instan<wbr>ce-3}person</a>' (defined in schema handling for 'User Account (kind: ACCOUNT, intent: person)').</blockquote><div><br></div><div> <a href="https://gist.github.com/MattMencel/2a3208371a1b0ce422e0b4923df413f7" target="_blank">https://gist.github.com/MattM<wbr>encel/2a3208371a1b0ce422e0b492<wbr>3df413f7</a><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 19, 2016 at 9:54 AM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a><wbr>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Hi,<span><br> <br> On 08/19/2016 04:26 PM, Mencel, Matt wrote:<br> </span></div><blockquote><div dir="ltr">I have multiple LDAP objectclasses that contain all the attributes that make up a person's identity. 
I've associated multiple OCs with the same kind/intent in midpoint and am getting a warning in the UI.<div><table><tbody><tr></tr><tr><td style="padding:3px;line-height:1.42857;vertical-align:top;border-top:1px solid rgb(244,244,244)"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>There are multiple schema handling definitions for kind/intent: ACCOUNT/person.</span></blockquote></td></tr><tr><td style="padding:3px;line-height:1.42857;vertical-align:top;border-top:1px solid rgb(244,244,244)" width="1px">Should I be doing this another way?<br></td></tr></tbody></table></div></div></blockquote><span><br> </span> Yes. Just one of the objectclasses is structural (primary). Other object classes are auxiliary. MidPoint fully supports auxiliary object classes, but you need to use a slightly different approach. Use something like this:<br> <br><pre style="color:rgb(0,0,0);font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;word-wrap:break-word;white-space:pre-wrap"> <schemaHandling>
    <objectType>
        <kind>account</kind>
        <displayName>Normal Account</displayName>
        <default>true</default>
        <objectClass>ri:inetOrgPerson</objectClass>
        <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
        <auxiliaryObjectClass>ri:foo</auxiliaryObjectClass>
        <auxiliaryObjectClass>ri:bar</auxiliaryObjectClass>
        ...
</pre><pre>--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre></div>______________________________<wbr>_________________ midPoint mailing list <a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a> <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br></blockquote></div></div><fieldset></fieldset></blockquote></div></div></div><br></blockquote></div><br></div><br></div></div></div><div><br></div></div></div><br>
<br></blockquote></div></div></div><br></div>
<br></blockquote></div><br></div>
<br>