<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>I think that almost certainly (or, let's say, with 99%
      probability) the midPoint version is not a problem with regard to
      the connector.</p>
    <p>The .NET connector is deprecated, yes, but only because it was so
      awkward to maintain. As far as I know, there's nothing in midPoint
      3.5.x that would prohibit using that connector with the newest
      midPoint. (You'd need to test it for yourself, of course.) It's
      just not officially supported and, in general, not really
      recommended. But running on MP 3.2 is not recommended either :) At
      least in my opinion.<br>
    </p>
    <p>--<br>
    </p>
    <p>But, of course, migration to AD-LDAP would be very useful as
      well. I just wanted to point out that you probably don't need to
      wait with the midPoint upgrade because of the connector issue.<br>
    </p>
    <pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
    <div class="moz-cite-prefix">On 13.02.2017 17:32, Jason Everling
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAFkZXY5vOuw8xeL_wpg28k_Voc-Vm-zZcBsA=yk94nqbUYVkAw@mail.gmail.com"
      type="cite">
      <div dir="ltr">I know, I have seen all the latest features and
        additions!!! Going from 3.2 and having to run all the upgrades
        and scripts for each version since is a lot of work. What I
        thought about doing is... just deploy an updated midPoint war on
        the server under a different name and add in my updated
        configs/resources/objects etc. The thing that is really keeping
        me from doing that now is the switch to the AD-LDAP connector
        from the .NET connector; I haven't had time to test an updated
        config using that connector.
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div class="gmail_signature" data-smartmail="gmail_signature">
            <div dir="ltr">JASON</div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">On Mon, Feb 13, 2017 at 9:27 AM, Pavol
          Mederly <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <p>Yes. And the shadow integrity checker tool looks for
                this information, and removes it if necessary.</p>
              <p>Jason, maybe you could start thinking about an upgrade
                ... You'll see - the 3.4/3.5 version is much, much nicer
                than 3.2. :-)<span class="HOEnZb"><font color="#888888"><br>
                  </font></span></p>
              <span class="HOEnZb"><font color="#888888">
                  <pre class="m_-6905463155965042503moz-signature" cols="72">Pavol Mederly
Software developer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
                </font></span>
              <div>
                <div class="h5">
                  <div class="m_-6905463155965042503moz-cite-prefix">On
                    13.02.2017 13:37, Ivan Noris wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <p>Hi Jason,</p>
                    <p>AFAIK somewhere between 3.2 and 3.4 there was a
                      change and this is no longer stored in Shadows.
                      Only metadata, e.g. activation/enableTimestamp, but
                      not the state. (Just looking at my shadows on
                      midPoint 3.5.x.)</p>
                    <p>Regards,</p>
                    <p>Ivan<br>
                    </p>
                    <br>
                    <div class="m_-6905463155965042503moz-cite-prefix">On
                      02/08/2017 06:52 PM, Jason Everling wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">Not sure if this was fixed in later
                        versions, we are still on 3.2, BUT I ran into
                        some activation issues when testing my new
                        authoritative resource: it kept enabling
                        accounts even though their resource account was
                        'disabled' and inbound was strong, on every
                        single reconcile.
                        <div><br>
                        </div>
                        <div>It took forever to figure it out; it was
                          the same accounts every single time. I finally
                          found, through a ton of logging, that the shadow
                          account for the AD resource had wrong
                          activation information, below.</div>
                        <div><br>
                        </div>
                        <div>   &lt;activation&gt;</div>
                        <div>      &lt;administrativeStatus&gt;disabled&lt;/administrativeStatus&gt;</div>
                        <div>      &lt;effectiveStatus&gt;enabled&lt;/effectiveStatus&gt;</div>
                        <div>      &lt;lockoutStatus&gt;normal&lt;/lockoutStatus&gt;</div>
                        <div>   &lt;/activation&gt;</div>
                        <div>&lt;/shadow&gt;</div>
                        <div><br>
                        </div>
                        <div>It was that effectiveStatus that kept
                          enabling their midPoint account even though on
                          AD it is still disabled.</div>
                        <div><br>
                        </div>
                        <div>I went through each shadow, one by one, and
                          changed effectiveStatus to disabled and ran a
                          full recon and it no longer enables the
                          accounts.</div>
                        <div><br>
                        </div>
                        <div>In any case, I did this one by one, it took
                          quite a while to do it. I was hoping I could
                          scan through the database for any I might have
                          missed and just compare 'administrativeStatus'
                          to 'effectiveStatus' for the shadows BUT it
                          seems in the shadow table those columns do not
                          exist.</div>
                        <div><br>
                        </div>
                        <div>Where are these values stored for a shadow
                          object? Out of all my resources, the AD
                          resource is the only one that actually has
                          those values, all other resource shadows
                          contain no activation even though they have
                          inbound/outbound mappings.</div>
                        <div><br>
                        </div>
                        <div>Thanks!</div>
                        <div>JASON</div>
                      </div>
                      <br>
                      <br>
                      <pre>______________________________<wbr>_________________
midPoint mailing list
<a moz-do-not-send="true" class="m_-6905463155965042503moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="m_-6905463155965042503moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>
</pre>
      </blockquote>
      

      <pre class="m_-6905463155965042503moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
      

    </blockquote>
    

  </div></div></div>




</blockquote></div>
</div>



</blockquote>
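<p>Added example, not part of the original thread and not midPoint's shadow integrity checker: a way to do the comparison of 'administrativeStatus' against 'effectiveStatus' described in the quoted message, run over shadows exported as XML rather than over database columns. It assumes an export whose shadow elements carry an oid attribute and an activation container like the one quoted; the function names and the sample data are hypothetical.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample export (not data from the thread): one inconsistent shadow,
# one consistent shadow, and one shadow with no activation container.
SAMPLE_EXPORT = """\
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <shadow oid="00000000-0000-0000-0000-000000000001">
    <name>CN=alice,OU=People,DC=example,DC=com</name>
    <activation>
      <administrativeStatus>disabled</administrativeStatus>
      <effectiveStatus>enabled</effectiveStatus>
    </activation>
  </shadow>
  <shadow oid="00000000-0000-0000-0000-000000000002">
    <name>CN=bob,OU=People,DC=example,DC=com</name>
    <activation>
      <administrativeStatus>disabled</administrativeStatus>
      <effectiveStatus>disabled</effectiveStatus>
    </activation>
  </shadow>
  <shadow oid="00000000-0000-0000-0000-000000000003">
    <name>carol</name>
  </shadow>
</objects>"""

def _local(tag):
    """Strip the XML namespace so the check works whatever prefix the export uses."""
    return tag.rsplit("}", 1)[-1]

def _child_text(parent, name):
    """Text of the first direct child called `name`, or None if it is absent."""
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def find_inconsistent_shadows(xml_text):
    """Return (oid, name, administrativeStatus, effectiveStatus) for mismatched shadows."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        activation = next((c for c in elem if _local(c.tag) == "activation"), None)
        if _local(elem.tag) != "shadow" or activation is None:
            continue
        admin = _child_text(activation, "administrativeStatus")
        effective = _child_text(activation, "effectiveStatus")
        # Only flag shadows that store both values and disagree, e.g. disabled/enabled.
        if admin and effective and admin != effective:
            findings.append((elem.get("oid"), _child_text(elem, "name"), admin, effective))
    return findings
```

<p>Shadows that store no activation container, like those of the other resources mentioned in the thread, are skipped rather than reported.</p>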
</body></html>