<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Yes. And the shadow integrity checker tool looks for this
information, and removes it if necessary.</p>
<p>Jason, maybe you could start thinking about an upgrade ... You'll
see - the 3.4/3.5 version is much, much nicer than 3.2. :-)<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 13.02.2017 13:37, Ivan Noris wrote:<br>
</div>
<blockquote
cite="mid:7dab0c06-4d6a-bf0d-37c9-8201ff4277e7@evolveum.com"
type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<p>Hi Jason,</p>
<p>AFAIK somewhere between 3.2 and 3.4 there was a change and this
is no longer stored in Shadows. Only metadata e.g.
activation/enableTimestamp, but not the state. (Just looking to
my shadows on midpoint 3.5.x)</p>
<p>Regards,</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 02/08/2017 06:52 PM, Jason
Everling wrote:<br>
</div>
<blockquote
cite="mid:CAFkZXY7gwTjh+ck4wOnvXCK-AVvOdQ9XCyTmKX0AdDRJm=XuRA@mail.gmail.com"
type="cite">
<div dir="ltr">Not sure if this was fixed in later versions, we
are on 3.2 still BUT i ran into some activation issues when
testing my new authoritative resource, it kept enabling
accounts even though their resource account was 'disabled' and
inbound was strong, on every single reconcile.
<div><br>
</div>
<div>It took forever to figure it out, it was the same
accounts every single time, I finally found through a ton of
logging, the shadow account for the AD resource had wrong
activation information, below.</div>
<div><br>
</div>
<div> <activation></div>
<div>
<administrativeStatus>disabled</administrativeStatus></div>
<div>
<effectiveStatus>enabled</effectiveStatus></div>
<div> <lockoutStatus>normal</lockoutStatus></div>
<div> </activation></div>
<div></shadow></div>
<div><br>
</div>
<div>It was that effectiveStatus that kept enabling their
midpoint account even though on AD it is still disabled.</div>
<div><br>
</div>
<div>I went through each shadow, one by one, and changed
effectiveStatus to disabled and ran a full recon and it no
longer enables the accounts.</div>
<div><br>
</div>
<div>In any case, I did this one by one, it took quite a while
to do it. I was hoping I could scan through the database for
any I might have missed and just compare
'administrativeStatus' to 'effectiveStatus' for the shadows
BUT it seems in the shadow table those columns do not exist.</div>
<div><br>
</div>
<div>Where are these values stored for a shadow object? Out of
all my resources, the AD resource is the only one that
actually has those values, all other resource shadows
contain no activation even though they have inbound/outbound
mappings.</div>
<div><br>
</div>
<div>Thanks!</div>
<div>JASON</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body>
</html>