<div dir="ltr">Hey Jason, <div><br></div><div>It sounds like our problems are in a similar vein but not quite the same. I had no problems deleting the shadow at all through the REPO in the GUI. My problem lies with Importing Users from AD. Once my task reaches that user it somehow spits an error indicating that the there is no definition for the DN (as a schema object) in the shadow and thus cuasing my sync task to fail prematurely. </div><div><br></div><div>Also unlike you, I don't have the possibility of deleting this user from AD as I'm not the managing it. I only realized that this shadow was created an hour ago as until now I thought it failed to create the shadow due to the special character. I deleted the shadow and I'm re-running the import user task again to see if it overcomes this problem. </div><div><br></div><div>Thanks, </div><div>-F </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 20, 2016 at 10:38 AM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">These were the tables, used the oid to locate,<div><br></div><div><span style="font-size:12.8px">m_shadow.name_orig</span><br style="font-size:12.8px"><span style="font-size:12.8px">m_object.name_orig</span><br style="font-size:12.8px"><span style="font-size:12.8px">m_object_ext_string.</span><span style="font-size:12.8px">stringValu<wbr>e</span><span class="HOEnZb"><font color="#888888"><br></font></span></div></div><div class="gmail_extra"><span class="HOEnZb"><font color="#888888"><br clear="all"><div><div class="m_-5720922725992660611gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">JASON</div></div></div></font></span><div><div class="h5">
<br><div class="gmail_quote">On Thu, Oct 20, 2016 at 12:37 PM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hah! Someone else came across this error! I had the same issue with the diacritics and AD, see this thread, <div><a href="http://lists.evolveum.com/pipermail/midpoint/2015-November/001489.html" target="_blank">http://lists.evolveum.com/pipe<wbr>rmail/midpoint/2015-November/<wbr>001489.html</a><br></div><div><br></div><div>I had to manually go into the database and modify certain items for that object, removing the invalid character in order to delete the shadow from gui</div></div><div class="gmail_extra"><br clear="all"><div><div class="m_-5720922725992660611m_3718520476483699565gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">JASON</div></div></div>
<br><div class="gmail_quote"><div><div class="m_-5720922725992660611h5">On Thu, Oct 20, 2016 at 12:26 PM, Florin. Stingaciu <span dir="ltr"><<a href="mailto:fstingaciu@mirantis.com" target="_blank">fstingaciu@mirantis.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_-5720922725992660611h5"><div dir="ltr">Upon further investigation, I've also noticed that this user actually does have a shadow in the midPoint repository and further inspection of the source indicates that the initial error means that the attribute DN has no definition in the schema. This is definitely not the case as other shadows don't have this issue. I am assuming that the special char is somehow tripping midPoint into believing that the DN has no definition (<a href="https://github.com/Evolveum/midpoint/blob/02f47924ccaffc96adfd9129aff655a17428a45d/repo/repo-sql-impl/src/main/java/com/evolveum/midpoint/repo/sql/data/common/any/RAnyConverter.java#L80" target="_blank">https://github.com/Evolveum/m<wbr>idpoint/blob/02f47924ccaffc96a<wbr>dfd9129aff655a17428a45d/repo/r<wbr>epo-sql-impl/src/main/java/com<wbr>/evolveum/midpoint/repo/sql/<wbr>data/common/any/RAnyConverter.<wbr>java#L80</a>).<div><br></div><div>I will try deleting this shadow from the repo and run the task again and update this thread with the result, however I don't have much confidence that this will work. </div><div><br></div><div>Thanks, </div><span class="m_-5720922725992660611m_3718520476483699565HOEnZb"><font color="#888888"><div>-F </div></font></span></div><div class="m_-5720922725992660611m_3718520476483699565HOEnZb"><div class="m_-5720922725992660611m_3718520476483699565h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 19, 2016 at 9:25 PM, Florin. Stingaciu <span dir="ltr"><<a href="mailto:fstingaciu@mirantis.com" target="_blank">fstingaciu@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I managed to find the problematic user in AD after enabling TRACE logs in ShadowCache. It turns out the user has a special char (CN=İrem_LASTNAME,OU=People). I'm assuming this is causing midPoint to fail processing this user and return a schema error. <div><br></div><div>I tried to ignore this user in my condition section, however I believe the shadow is processed before the resource condition is checked and the task fails with the error in my initial post. Are there any workarounds in which this scenario is considered a Partial Failure so this task can continue executing? This user is one of 50000. </div><div><br></div><div>A possible solution would involve raising a different error if an invalid char (according to midPoint) was to be found on the resource. One that can be caught in ShadowCache.java (<a href="https://github.com/Evolveum/midpoint/blob/master/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ShadowCache.java#L875" target="_blank">https://github.com/Evolveum/m<wbr>idpoint/blob/master/provisioni<wbr>ng/provisioning-impl/src/main/<wbr>java/com/evolveum/midpoint/pro<wbr>visioning/impl/ShadowCache.jav<wbr>a#L875</a>) and returned as a "Object failed to processed" rather than a Schema Error. I'm open to any suggestions.</div><div><br></div><div>Thanks, </div><span class="m_-5720922725992660611m_3718520476483699565m_5778998861821252514HOEnZb"><font color="#888888"><div>-F </div></font></span></div><div class="m_-5720922725992660611m_3718520476483699565m_5778998861821252514HOEnZb"><div class="m_-5720922725992660611m_3718520476483699565m_5778998861821252514h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 19, 2016 at 1:14 PM, Florin. Stingaciu <span dir="ltr"><<a href="mailto:fstingaciu@mirantis.com" target="_blank">fstingaciu@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Also, this only happens with a Import Users task and not with Reconcile Users Task. The reconcile users task finishes successfully.. </div><div class="m_-5720922725992660611m_3718520476483699565m_5778998861821252514m_3993096291068712772HOEnZb"><div class="m_-5720922725992660611m_3718520476483699565m_5778998861821252514m_3993096291068712772h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 19, 2016 at 12:56 PM, Florin. Stingaciu <span dir="ltr"><<a href="mailto:fstingaciu@mirantis.com" target="_blank">fstingaciu@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello, <div><br></div><div>My import users task fails with the following error: <a href="http://pastebin.com/L0bKs9U2" target="_blank">http://pastebin.com/L0b<wbr>Ks9U2</a></div><div><br></div><div>I tried increasing the log level, however the logs previous to this pertain to the previous user that was successfully imported. The resource is an active directory entry. </div><div><br></div><div>My condition section looks as follows:</div><div><br></div><div><div> dn = basic.getAttributeValues(shado<wbr>w, "dn")[0]</div><div> if (dn == "someDN"){</div><div> return false</div><div> }</div><div> else if (dn == "someotherDN"){</div><div> return false</div><div> }</div><div> else if (dn.contains("a sub OU domain")){</div><div> return false</div><div> }</div><div><span class="m_-5720922725992660611m_3718520476483699565m_5778998861821252514m_3993096291068712772m_-8143916651942201976m_5194538813917276870gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>return (basic.getAttributeValues(shad<wbr>ow, "mail") != null) </div></div><div><br></div><div><br></div><div>I've tried removing the condition and that didn't help. Any ideas on what could be the problem? </div><div><br></div><div>Realistically, no entry in AD can have an empty DN. Could it maybe be a bad shadow somewhere, missing the dn? </div><div><br></div><div>Thanks, </div><span class="m_-5720922725992660611m_3718520476483699565m_5778998861821252514m_3993096291068712772m_-8143916651942201976HOEnZb"><font color="#888888"><div>-F </div></font></span></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div><br></div></div>______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div></div></div><div class="HOEnZb"><div class="h5">
<br>
<font size="2"><br><br>CONFIDENTIALITY NOTICE:<br>This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </font><br></div></div><br>______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>