<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
AD is doing its own referential integrity, i.e. when an account is
renamed, AD will automatically rename it in all the groups. That's
the reason for the unwillingToPerform: midPoint tries to remove a
value that is no longer there because AD has changed it already.<br>
<br>
You can switch off midPoint referential integrity behavior for the
association by using the explicitReferentialIntegrity property:<br>
<br>
&lt;association&gt;<br>
.....<br>
&lt;explicitReferentialIntegrity&gt;false&lt;/explicitReferentialIntegrity&gt;<br>
&lt;/association&gt;<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
<div class="moz-cite-prefix">On 11/03/2016 02:51 PM, Oskar Butovič -
AMI Praha a.s. wrote:<br>
</div>
<blockquote
cite="mid:CAE8MtZA-cuOMa6-7yc7P13J_E-UoceUmY5Lr7JCHrZg97CZ0og@mail.gmail.com"
type="cite">
<div dir="ltr">Little correction: the error was in modifying the group, so:
<div><span style="color:rgb(51,51,51);font-family:&quot;source sans pro&quot;,&quot;helvetica neue&quot;,helvetica,arial,sans-serif;font-size:14px">Error
modifying LDAP entry </span><span style="font-size:12.8px">CN=All,DC=test,DC=com</span><span
style="color:rgb(51,51,51);font-family:&quot;source sans pro&quot;,&quot;helvetica neue&quot;,helvetica,arial,sans-serif;font-size:14px">:
[remove:member: </span><span style="font-size:12.8px">CN=test
user,OU=old org,DC=test,DC=com</span><span
style="color:rgb(51,51,51);font-family:&quot;source sans pro&quot;,&quot;helvetica neue&quot;,helvetica,arial,sans-serif;font-size:14px">,]:
unwillingToPerform: 00000561: SvcErr: DSID-031A12D2, problem
5003 (WILL_NOT_PERFORM), data 0?? (53))</span><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-11-03 14:44 GMT+01:00 Oskar
Butovič - AMI Praha a.s. <span dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:oskar.butovic@ami.cz"
target="_blank">oskar.butovic@ami.cz</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hello everybody,
<div><br>
</div>
<div>I have noticed weird behaviour related to
provisioning group membership. I am using version
3.4.2-SNAPSHOT from support branch.</div>
<div><br>
</div>
<div>When I have configured this according to <a
moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO"
target="_blank">https://wiki.evolveum.com/<wbr>display/midPoint/Active+<wbr>Directory+Group+<wbr>Synchronization+HOWTO</a>
. Everything works fine until midpoint tries to move
user to different OU in AD.</div>
<div><br clear="all">
<div>For example, I have user:</div>
<div> CN=test user,OU=old org,DC=test,DC=com</div>
<div>as member in group CN=All,DC=test,DC=com</div>
<div><br>
</div>
<div>when idem tries to move user to:</div>
<div> CN=test user,OU=new org,DC=test,DC=com</div>
<div>it should stay as a member of group
CN=All,DC=test,DC=com</div>
<div><br>
</div>
<div>but a<span
style="color:rgb(51,51,51);font-family:&quot;source sans pro&quot;,&quot;helvetica neue&quot;,helvetica,arial,sans-serif;font-size:14px">lthough
all other AD related changes are executed correctly
in this transaction, </span>AD returns error: </div>
<div><span
style="color:rgb(51,51,51);font-family:&quot;source sans pro&quot;,&quot;helvetica neue&quot;,helvetica,arial,sans-serif;font-size:14px">Error
modifying LDAP entry </span>CN=test user,OU=new
org,DC=test,DC=com<span
style="color:rgb(51,51,51);font-family:&quot;source sans pro&quot;,&quot;helvetica neue&quot;,helvetica,arial,sans-serif;font-size:14px">:
[remove:member: </span>CN=test user,OU=old
org,DC=test,DC=com<span
style="color:rgb(51,51,51);font-family:&quot;source sans pro&quot;,&quot;helvetica neue&quot;,helvetica,arial,sans-serif;font-size:14px">,]:
unwillingToPerform: 00000561: SvcErr: DSID-031A12D2,
problem 5003 (WILL_NOT_PERFORM), data 0?? (53))</span></div>
<div><span
style="color:rgb(51,51,51);font-family:&quot;source sans pro&quot;,&quot;helvetica neue&quot;,helvetica,arial,sans-serif;font-size:14px"><br>
</span></div>
<div><span
style="color:rgb(51,51,51);font-family:&quot;source sans pro&quot;,&quot;helvetica neue&quot;,helvetica,arial,sans-serif;font-size:14px">which
is understandable because user is no longer in old
org but why does midpoint try to remove account from
group only when account is moved within
organizational structure? Normal recompute or
reconciliation doesn't behave this way and ends
correctly.</span></div>
<div><span
style="color:rgb(51,51,51);font-family:&quot;source sans pro&quot;,&quot;helvetica neue&quot;,helvetica,arial,sans-serif;font-size:14px"><br>
</span></div>
<div><span
style="color:rgb(51,51,51);font-family:&quot;source sans pro&quot;,&quot;helvetica neue&quot;,helvetica,arial,sans-serif;font-size:14px">Best
Regards</span></div>
<div><span
style="color:rgb(51,51,51);font-family:&quot;source sans pro&quot;,&quot;helvetica neue&quot;,helvetica,arial,sans-serif;font-size:14px"><br>
</span></div>
<div>Oskar Butovič</div>
<div><br>
-- </div>
<div class="m_-7275131278018209371gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<table
style="font-family:verdana,arial,helvetica,sans-serif;border-collapse:collapse;padding:0px;margin:0px;border-width:0px;border-style:solid;width:482px">
<tbody>
<tr
style="padding:0px;margin:0px;border:0px
solid gray">
<td
style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:11px;width:160px;vertical-align:bottom;padding:0px;border:0px
solid gray">
<p><span
style="font-size:14px;font-weight:bold">Oskar
Butovič</span><br>
solution architect<br>
<br>
gsm: <a moz-do-not-send="true"
href="tel:%5B%2B420%5D%20774%20480%20101" value="+420774480101"
target="_blank">[+420] 774 480
101</a><br>
e-mail: <a
moz-do-not-send="true"
href="mailto:oskar.butovic@ami.cz"
target="_blank">oskar.butovic@ami.cz</a></p>
</td>
<td
style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:10px;border-width:0px
1px 0px
0px;border-style:solid;border-color:gray
rgb(204,204,204) gray
gray;padding:0px"> </td>
<td
style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:10px;padding:0px;border:0px
solid gray"> </td>
<td
style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:11px;vertical-align:bottom;padding:0px;width:123px;border:0px
solid gray">
<p>AMI Praha a.s.<br>
Pláničkova 11<br>
162 00 Praha 6<br>
tel.: <a moz-do-not-send="true"
href="tel:%5B%2B420%5D%20274%20783%20239" value="+420274783239"
target="_blank">[+420] 274 783
239</a><br>
web: <a moz-do-not-send="true"
href="http://www.ami.cz/"
target="_blank">www.ami.cz</a></p>
</td>
<td
style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:10px;border-width:0px
1px 0px
0px;border-style:solid;border-color:gray
rgb(204,204,204) gray
gray;padding:0px"> </td>
<td
style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:10px;padding:0px;border:0px
solid gray"> </td>
<td
style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:11px;margin:8px;width:116px;border:0px
solid gray">
<p><img moz-do-not-send="true"
src="http://www.ami.cz/images/podpis/ami_logo.gif"
alt="AMI Praha a.s."
style="border:0px"></p>
</td>
</tr>
<tr
style="padding:0px;margin:0px;border:0px
solid gray">
<td colspan="7"
style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:10px;padding:0px;width:480px;border:0px
solid gray"><br>
<a moz-do-not-send="true"
href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management"
target="_blank"><img
moz-do-not-send="true"
src="http://www.ami.cz/images/podpis/AMI-podpis-IdM_1.png"
alt="AMI Praha a.s."
style="border:0px;width:480px;height:82px"></a></td>
</tr>
<tr
style="padding:0px;margin:0px;border:0px
solid gray">
<td colspan="7"
style="color:rgb(128,128,128);font-family:arial,sans-serif;font-size:11px;padding:0px;border:0px
solid gray"><br>
By the text of this e-mail the signatory
neither promises to conclude nor concludes
any contract on behalf of AMI Praha a.s.<br>
Every contract, if concluded, must be
exclusively in written form.<br>
<br>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
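The interaction described in the reply at the top of this thread, as an added example that is not part of the original messages or of midPoint's code: a toy Python model of a directory with or without server-side referential integrity, and a client that does or does not rewrite group membership itself after a move.<br>
The class and function names are hypothetical, and the case of a directory without native integrity goes beyond the AD case discussed in the thread.<br>

```python
# Toy model (constructed for illustration): one group in a directory, and an
# IdM-style client that moves an account and optionally fixes membership itself.

OLD_DN = "CN=test user,OU=old org,DC=test,DC=com"
NEW_DN = "CN=test user,OU=new org,DC=test,DC=com"
GROUP_DN = "CN=All,DC=test,DC=com"


class WillNotPerform(Exception):
    """Stands in for the LDAP unwillingToPerform (53) result from the thread."""


class ToyDirectory:
    def __init__(self, native_integrity):
        self.native_integrity = native_integrity  # True models AD's behaviour
        self.members = {GROUP_DN: [OLD_DN]}

    def rename(self, old_dn, new_dn):
        # With native referential integrity the server rewrites memberships itself.
        if self.native_integrity:
            for values in self.members.values():
                values[:] = [new_dn if v == old_dn else v for v in values]

    def remove_member(self, group_dn, member_dn):
        # Removing a value that is not present is refused, as in the thread.
        if member_dn not in self.members[group_dn]:
            raise WillNotPerform("remove:member: " + member_dn)
        self.members[group_dn].remove(member_dn)

    def add_member(self, group_dn, member_dn):
        if member_dn not in self.members[group_dn]:
            self.members[group_dn].append(member_dn)


def move_account(directory, old_dn, new_dn, explicit_integrity):
    """Rename the account; if explicit_integrity, also rewrite group members."""
    groups = [g for g, m in directory.members.items() if old_dn in m]
    directory.rename(old_dn, new_dn)
    if explicit_integrity:
        for group_dn in groups:
            directory.remove_member(group_dn, old_dn)
            directory.add_member(group_dn, new_dn)
    return {g: list(m) for g, m in directory.members.items()}


def outcome(native_integrity, explicit_integrity):
    """Return 'error', 'ok' (group holds the new DN) or 'stale' (old DN left)."""
    try:
        members = move_account(ToyDirectory(native_integrity), OLD_DN, NEW_DN,
                               explicit_integrity)
    except WillNotPerform:
        return "error"
    return "ok" if members[GROUP_DN] == [NEW_DN] else "stale"
```

In this model, switching explicit integrity off is correct only when the directory maintains membership itself; with neither side doing it, the group keeps a dangling reference to the old DN.<br>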
</body>
</html>