<div dir="ltr">I know, I have seen all the latest features and additions!!! Going from 3.2 and having to run all the upgrades and scripts for each version since is much work. Is what I thought about doing... just deploy an updated midpoint war on the server as a different name and add in my updated configs/resources/objects etc.. The thing that is really keeping me from doing that now is the switch to AD-LDAP connector from the .NET connector, I haven't had time to test an updated config using that connector.<div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">JASON</div></div></div>
<br><div class="gmail_quote">On Mon, Feb 13, 2017 at 9:27 AM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Yes. And the shadow integrity checker tool looks for this
information, and removes it if necessary.</p>
<p>Jason, maybe you could start thinking about an upgrade ... You'll
see - the 3.4/3.5 version is much, much nicer than 3.2. :-)<span class="HOEnZb"><font color="#888888"><br>
</font></span></p><span class="HOEnZb"><font color="#888888">
<pre class="m_-6905463155965042503moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre></font></span><div><div class="h5">
<div class="m_-6905463155965042503moz-cite-prefix">On 13.02.2017 13:37, Ivan Noris wrote:<br>
</div>
<blockquote type="cite">
<p>Hi Jason,</p>
<p>AFAIK somewhere between 3.2 and 3.4 there was a change and this
is no longer stored in Shadows. Only metadata e.g.
activation/enableTimestamp, but not the state. (Just looking to
my shadows on midpoint 3.5.x)</p>
<p>Regards,</p>
<p>Ivan<br>
</p>
<br>
<div class="m_-6905463155965042503moz-cite-prefix">On 02/08/2017 06:52 PM, Jason
Everling wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Not sure if this was fixed in later versions, we
are on 3.2 still BUT i ran into some activation issues when
testing my new authoritative resource, it kept enabling
accounts even though their resource account was 'disabled' and
inbound was strong, on every single reconcile.
<div><br>
</div>
<div>It took forever to figure it out, it was the same
accounts every single time, I finally found through a ton of
logging, the shadow account for the AD resource had wrong
activation information, below.</div>
<div><br>
</div>
<div> <activation></div>
<div>
<administrativeStatus><wbr>disabled</<wbr>administrativeStatus></div>
<div>
<effectiveStatus>enabled</<wbr>effectiveStatus></div>
<div> <lockoutStatus>normal</<wbr>lockoutStatus></div>
<div> </activation></div>
<div></shadow></div>
<div><br>
</div>
<div>It was that effectiveStatus that kept enabling their
midpoint account even though on AD it is still disabled.</div>
<div><br>
</div>
<div>I went through each shadow, one by one, and changed
effectiveStatus to disabled and ran a full recon and it no
longer enables the accounts.</div>
<div><br>
</div>
<div>In any case, I did this one by one, it took quite a while
to do it. I was hoping I could scan through the database for
any I might have missed and just compare
'administrativeStatus' to 'effectiveStatus' for the shadows
BUT it seems in the shadow table those columns do not exist.</div>
<div><br>
</div>
<div>Where are these values stored for a shadow object? Out of
all my resources, the AD resource is the only one that
actually has those values, all other resource shadows
contain no activation even though they have inbound/outbound
mappings.</div>
<div><br>
</div>
<div>Thanks!</div>
<div>JASON</div>
</div>
<br>
<fieldset class="m_-6905463155965042503mimeAttachmentHeader"></fieldset>
<br>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_-6905463155965042503moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-6905463155965042503moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="m_-6905463155965042503moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<br>
<fieldset class="m_-6905463155965042503mimeAttachmentHeader"></fieldset>
<br>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_-6905463155965042503moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-6905463155965042503moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div></div></div>
<br>______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>