<div dir="ltr">Hi Ivan,<div>Just to follow up: This is working out well for me. </div><div><br></div><div>I haven't added the objectSynchronization yet, so I don't have the iteration tokens working, but I modified the "test" intent to generate the dn and uid with "-test" concatenated onto the user name. </div><div><br></div><div>One caveat in case anyone else needs to do this: I took the example code from the existing default intent, so I also had to turn off the inbound mapping of uid -> name. My midPoint username was changed to add "-test" when I initially set it up, but it's working now.</div><div><br></div><div>Thanks again for your help!</div><div>-Peter<br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 21, 2017 at 5:28 AM, <span dir="ltr"><<a href="mailto:midpoint-request@lists.evolveum.com" target="_blank">midpoint-request@lists.evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send midPoint mailing list submissions to<br>
<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:midpoint-request@lists.evolveum.com">midpoint-request@lists.<wbr>evolveum.com</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:midpoint-owner@lists.evolveum.com">midpoint-owner@lists.evolveum.<wbr>com</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of midPoint digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Add a second LDAP account to resource for user (Error:<br>
already contains account of type 'default' on resource) (Ivan Noris)<br>
<br>
<br>
------------------------------<wbr>------------------------------<wbr>----------<br>
<br>
Message: 1<br>
Date: Tue, 21 Mar 2017 10:27:56 +0100<br>
From: Ivan Noris <<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.com</a>><br>
To: <a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
Subject: Re: [midPoint] Add a second LDAP account to resource for user<br>
(Error: already contains account of type 'default' on resource)<br>
Message-ID: <<a href="mailto:54eb2245-f9fa-b73d-9c05-90fd5dc62172@evolveum.com">54eb2245-f9fa-b73d-9c05-<wbr>90fd5dc62172@evolveum.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi Peter,<br>
<br>
<br>
<br>
On 03/20/2017 10:13 PM, Peter Healy wrote:<br>
> Hi Ivan,<br>
> In my use case we have an application that's configured to use an LDAP<br>
> search base in a particular part of the tree to authenticate all users<br>
> ex. uid=usercn=users,o=dev,dc=...<br>
> Rather than having test users in cn=users,o=test, dc=...<br>
><br>
> We have uid=user-test,cn=user,o=dev,<wbr>dc=...<br>
> or uid=user1,cn=user,o=dev,dc=...<br>
><br>
<br>
If you must keep all accounts in the same tree, then yes, you need to<br>
modify the DN for the test intent (also maybe for different attributes,<br>
such as cn, uid etc.)<br>
<br>
> So what I was originally thinking to do is for the "test" intent to<br>
> generate the uid=user1...,cn=users,o=dev...<br>
> Automatically with the schema handler iteration tokens.<br>
> But that didn't seem to be the case, what actually triggers the<br>
> iteration token to create a new DN?<br>
<br>
The iteration token (by default a number starting with 1, 2, ...) is<br>
automatically added when midPoint detects AlreadyExistsException. This<br>
also assumes you have configured <objectSynchronization> for (both)<br>
intent(s) so that midPoint is able to correlate existing accounts<br>
automatically if this occurs.<br>
<br>
><br>
> Instead I added the following to the schema handler for ri:dn and the<br>
> "test" intent which seems to be working OK for me when adding the<br>
> "test" intent to a role and adding the role to a user:<br>
> <script><br>
> <code><br>
> 'uid=' + name + '-test' + iterationToken + ',cn=users,o=dev,dc=...'<br>
> </code><br>
> </script><br>
<br>
Yes, that's what you need. But you may also need to create the corresponding<br>
"uid" attribute value unless your directory server does this<br>
automatically. (Please see our LDAP samples; there might be differences<br>
between AD, OpenLDAP etc. Or ask in later emails.)<br>
Also be sure to have <objectSynchronization> for both intents including<br>
conditions - so that midPoint "knows" what the intent of existing accounts<br>
is. If you are unable to find anything in our samples related<br>
to this, please ask and I will try to paste some sample fragment from<br>
our official training at least.<br>
<br>
<br>
><br>
> and I got a second LDAP account with user-test.<br>
><br>
> This seems to be fine but, is there another way to do this? Would you<br>
> recommend something different?<br>
<br>
It's probably OK, if you cannot distinguish using suffix/tree, using<br>
attribute or DN naming convention is very fine. Just be sure to have<br>
also the objectSynchronization settings.<br>
<br>
Regards,<br>
Ivan<br>
<br>
><br>
> Thanks,<br>
> Peter<br>
><br>
> On Mon, Mar 20, 2017 at 12:33 PM, <<a href="mailto:midpoint-request@lists.evolveum.com">midpoint-request@lists.<wbr>evolveum.com</a><br>
> <mailto:<a href="mailto:midpoint-request@lists.evolveum.com">midpoint-request@<wbr>lists.evolveum.com</a>>> wrote:<br>
><br>
> Today's Topics:<br>
><br>
> 1. JMS based workflow configuration (Prabhakara Rao Doddapaneni)<br>
> 2. Re: Add a second LDAP account to resource for user (Error:<br>
> already contains account of type 'default' on resource)<br>
> (Peter Healy)<br>
> 3. Re: Add a second LDAP account to resource for user (Error:<br>
> already contains account of type 'default' on resource)<br>
> (Ivan Noris)<br>
><br>
><br>
> ------------------------------<wbr>------------------------------<wbr>----------<br>
><br>
> Message: 1<br>
> Date: Mon, 20 Mar 2017 15:29:20 +0000 (UTC)<br>
> From: Prabhakara Rao Doddapaneni <<a href="mailto:dp_rao@yahoo.com">dp_rao@yahoo.com</a><br>
> <mailto:<a href="mailto:dp_rao@yahoo.com">dp_rao@yahoo.com</a>>><br>
> To: "<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
> <mailto:<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.<wbr>evolveum.com</a>>" <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
> <mailto:<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.<wbr>evolveum.com</a>>><br>
> Subject: [midPoint] JMS based workflow configuration<br>
> Message-ID: <<a href="mailto:1407184618.3744599.1490023760210@mail.yahoo.com">1407184618.3744599.<wbr>1490023760210@mail.yahoo.com</a><br>
> <mailto:<a href="mailto:1407184618.3744599.1490023760210@mail.yahoo.com">1407184618.3744599.<wbr>1490023760210@mail.yahoo.com</a>>><br>
> Content-Type: text/plain; charset="utf-8"<br>
><br>
> Is this something new I am trying to do with midPoint?<br>
><br>
> Date: Mon, 6 Mar 2017 19:30:26 +0000 (UTC)<br>
> From: Prabhakara Rao Doddapaneni <<a href="mailto:dp_rao@yahoo.com">dp_rao@yahoo.com</a><br>
> <mailto:<a href="mailto:dp_rao@yahoo.com">dp_rao@yahoo.com</a>>><br>
> To: "<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
> <mailto:<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.<wbr>evolveum.com</a>>" <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
> <mailto:<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.<wbr>evolveum.com</a>>><br>
> Subject: [midPoint] JMS based workflow configuration<br>
> Message-ID: <<a href="mailto:1001644321.2237664.1488828626312@mail.yahoo.com">1001644321.2237664.<wbr>1488828626312@mail.yahoo.com</a><br>
> <mailto:<a href="mailto:1001644321.2237664.1488828626312@mail.yahoo.com">1001644321.2237664.<wbr>1488828626312@mail.yahoo.com</a>>><br>
> Content-Type: text/plain; charset="utf-8"<br>
><br>
> One of my resources cannot be configured to respond to sync poll.<br>
> I plan to send a message in JMS Q so that midpoint can listen to<br>
> that message and reconcile/add the user into repository. What is<br>
> the ideal solution to achieve this? has anybody come across this<br>
> situation?<br>
> Thanks,Prabhakar.<br>
><br>
><br>
><br>
><br>
> ------------------------------<br>
><br>
> Message: 2<br>
> Date: Mon, 20 Mar 2017 12:03:55 -0400<br>
> From: Peter Healy <<a href="mailto:phealy3330@gmail.com">phealy3330@gmail.com</a> <mailto:<a href="mailto:phealy3330@gmail.com">phealy3330@gmail.com</a>>><br>
> To: <a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a> <mailto:<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.<wbr>evolveum.com</a>><br>
> Subject: Re: [midPoint] Add a second LDAP account to resource for user<br>
> (Error: already contains account of type 'default' on<br>
> resource)<br>
> Message-ID:<br>
><br>
> <CADnbc=zAa2oqXDnH0RnyM=<a href="mailto:inAgqSwJcf76Ybc9E%2BADKoy-rmNg@mail.gmail.com">inAgqS<wbr>wJcf76Ybc9E+ADKoy-rmNg@mail.<wbr>gmail.com</a><br>
> <mailto:<a href="mailto:inAgqSwJcf76Ybc9E%252BADKoy-rmNg@mail.gmail.com">inAgqSwJcf76Ybc9E%<wbr>2BADKoy-rmNg@mail.gmail.com</a>>><br>
> Content-Type: text/plain; charset="utf-8"<br>
><br>
> Hi Ivan,<br>
> I added a role object as described in example 2 with the OID of the<br>
> resource I need to add a test account to. When I add that role to a user it<br>
> does some computation and comes back with success, but the user still only<br>
> has the 1 default projection assigned.<br>
><br>
> I was able to navigate back in the browser history and it looks like it<br>
> assigns the existing shadow on the resource to the "test" intent along with<br>
> the "default" intent<br>
><br>
> Activity Status Resource object (if applicable)<br>
> Computing projections of the focus object<br>
> Operation on focus object (repository)<br>
> Account (default) on AWS DEV OpenLDAP<br>
> uid=Testuser6,cn=users,o=dev,<wbr>dc=odhsolutions,dc=com<br>
> Account (test) on AWS DEV OpenLDAP<br>
> uid=Testuser6,cn=users,o=dev,<wbr>dc=odhsolutions,dc=com<br>
> Considering or starting approval workflows<br>
><br>
> Is there a way I can specify the uid for the second account or have it<br>
> follow some kind of iteration rule?<br>
><br>
> Thanks again,<br>
> Peter<br>
><br>
> On Mon, Mar 20, 2017 at 10:32 AM,<br>
> <<a href="mailto:midpoint-request@lists.evolveum.com">midpoint-request@lists.<wbr>evolveum.com</a><br>
> <mailto:<a href="mailto:midpoint-request@lists.evolveum.com">midpoint-request@<wbr>lists.evolveum.com</a>>><br>
> wrote:<br>
><br>
> > Today's Topics:<br>
> ><br>
> > 1. Re: Add a second LDAP account to resource for user (Error:<br>
> > already contains account of type 'default' on resource)<br>
> (Ivan Noris)<br>
> ><br>
> ><br>
> ><br>
> ------------------------------<wbr>------------------------------<wbr>----------<br>
> ><br>
> > Message: 1<br>
> > Date: Mon, 20 Mar 2017 15:31:36 +0100<br>
> > From: Ivan Noris <<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.com</a><br>
> <mailto:<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.<wbr>com</a>>><br>
> > To: <a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a> <mailto:<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.<wbr>evolveum.com</a>><br>
> > Subject: Re: [midPoint] Add a second LDAP account to resource<br>
> for user<br>
> > (Error: already contains account of type 'default' on<br>
> resource)<br>
> > Message-ID: <<a href="mailto:fc626f42-1372-8fd9-79fa-1fcd09f8cef8@evolveum.com">fc626f42-1372-8fd9-79fa-<wbr>1fcd09f8cef8@evolveum.com</a><br>
> <mailto:<a href="mailto:fc626f42-1372-8fd9-79fa-1fcd09f8cef8@evolveum.com">fc626f42-1372-8fd9-<wbr>79fa-1fcd09f8cef8@evolveum.com</a><wbr>>><br>
> > Content-Type: text/plain; charset="utf-8"<br>
> ><br>
> > Hi Peter,<br>
> ><br>
> > GUI currently cannot use Add projection for other-than-default intents.<br>
> ><br>
> > But it's very easy to create a role:<br>
> ><br>
> > Example 1: role to create default account on resource with given oid<br>
> ><br>
> ><br>
> > <role oid="2dfa0d20-3263-11e6-838d-3c970e44b9e2"<br>
> >       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
> >       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
> >       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"><br>
> >   <name>CSV-1 Default account</name><br>
> >   <description><br>
> >     This role assigns CSV-1 (Simulated App 1) resource and creates a test account.<br>
> >   </description><br>
> >   <inducement><br>
> >     <construction><br>
> >       <!-- The c: prefix in type must be there due to a JAXB bug --><br>
> >       <resourceRef oid="10000000-9999-9999-0000-a000ff000002" type="c:ResourceType"/><br>
> >       <kind>account</kind><br>
> >     </construction><br>
> >   </inducement><br>
> > </role><br>
> ><br>
> > Example 2: role to create account with intent test on resource with<br>
> > given oid<br>
> ><br>
> > <role oid="2dfa0d20-3263-11e6-838d-3c970e44b9e2"<br>
> >       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
> >       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
> >       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"><br>
> >   <name>CSV-1 Tester</name><br>
> >   <description><br>
> >     This role assigns CSV-1 (Simulated App 1) resource and creates a test account.<br>
> >   </description><br>
> >   <inducement><br>
> >     <construction><br>
> >       <!-- The c: prefix in type must be there due to a JAXB bug --><br>
> >       <resourceRef oid="10000000-9999-9999-0000-a000ff000002" type="c:ResourceType"/><br>
> >       <kind>account</kind><br>
> >       <intent>test</intent><br>
> >     </construction><br>
> >   </inducement><br>
> > </role><br>
> ><br>
> > Then just add one or both roles to your user in midpoint and the<br>
> > corresponding account(s) should be created. Just be sure to use your<br>
> > resource oid and correct intent.<br>
> ><br>
> > Regards,<br>
> ><br>
> > Ivan<br>
> ><br>
> ><br>
><br>
> ------------------------------<br>
><br>
> Message: 3<br>
> Date: Mon, 20 Mar 2017 17:33:42 +0100<br>
> From: Ivan Noris <<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.com</a><br>
> <mailto:<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.<wbr>com</a>>><br>
> To: <a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a> <mailto:<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.<wbr>evolveum.com</a>><br>
> Subject: Re: [midPoint] Add a second LDAP account to resource for user<br>
> (Error: already contains account of type 'default' on<br>
> resource)<br>
> Message-ID: <<a href="mailto:57fd8bd1-c8b1-dd43-4e0d-160e16127afb@evolveum.com">57fd8bd1-c8b1-dd43-4e0d-<wbr>160e16127afb@evolveum.com</a><br>
> <mailto:<a href="mailto:57fd8bd1-c8b1-dd43-4e0d-160e16127afb@evolveum.com">57fd8bd1-c8b1-dd43-<wbr>4e0d-160e16127afb@evolveum.com</a><wbr>>><br>
> Content-Type: text/plain; charset="utf-8"<br>
><br>
> Hi Peter,<br>
><br>
> If you add both roles to the same user and you have correct resourceRef<br>
> oid and the name of the intent, midPoint should use the correct schema<br>
> handling configurations for both accounts and both should be created.<br>
> The schema handling also specifies how the account names (DN) are<br>
> constructed.<br>
><br>
> But wait a minute. It looks like *both* your accounts are configured to<br>
> have the *same DN*<br>
> (*uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com*). This can't<br>
> be; the test account must have a different identifier. Either change the<br>
> suffix (like cn=test instead of cn=users for the testing accounts) or<br>
> something like that.<br>
><br>
> So fix your icfs:name (ri:dn) mapping in the schema handling for the<br>
> "test" intent and try again.<br>
><br>
> Regards,<br>
><br>
> Ivan<br>
><br>
><br>
> On 03/20/2017 05:03 PM, Peter Healy wrote:<br>
> > Hi Ivan,<br>
> > I added a role object as described in example 2 with the OID of the<br>
> > resource I need to add a test account to. When I add that role to a<br>
> > user it does some computation and comes back with success, but the user<br>
> > still only has the 1 default projection assigned.<br>
> ><br>
> > I was able to navigate back in the browser history and it looks like<br>
> > it assigns the existing shadow on the resource to the "test" intent<br>
> > along with the "default" intent<br>
> ><br>
> > Activity Status Resource object (if applicable)<br>
> > Computing projections of the focus object<br>
> > Operation on focus object (repository)<br>
> > Account (default) on AWS DEV OpenLDAP<br>
> > uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com<br>
> > Account (test) on AWS DEV OpenLDAP<br>
> > uid=Testuser6,cn=users,o=dev,dc=odhsolutions,dc=com<br>
> > Considering or starting approval workflows<br>
> > Is there a way I can specify the uid for the second account or have it<br>
> > follow some kind of iteration rule?<br>
> > Thanks again,<br>
> > Peter<br>
> ><br>
> > On Mon, Mar 20, 2017 at 10:32 AM,<br>
> <<a href="mailto:midpoint-request@lists.evolveum.com">midpoint-request@lists.<wbr>evolveum.com</a><br>
> <mailto:<a href="mailto:midpoint-request@lists.evolveum.com">midpoint-request@<wbr>lists.evolveum.com</a>><br>
> > <mailto:<a href="mailto:midpoint-request@lists.evolveum.com">midpoint-request@<wbr>lists.evolveum.com</a><br>
> <mailto:<a href="mailto:midpoint-request@lists.evolveum.com">midpoint-request@<wbr>lists.evolveum.com</a>>>> wrote:<br>
> ><br>
> > Today's Topics:<br>
> ><br>
> > 1. Re: Add a second LDAP account to resource for user (Error:<br>
> > already contains account of type 'default' on resource)<br>
> > (Ivan Noris)<br>
> ><br>
> ><br>
> ><br>
> ------------------------------<wbr>------------------------------<wbr>----------<br>
> ><br>
> > Message: 1<br>
> > Date: Mon, 20 Mar 2017 15:31:36 +0100<br>
> > From: Ivan Noris <<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.com</a><br>
> <mailto:<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.<wbr>com</a>><br>
> > <mailto:<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.<wbr>com</a><br>
> <mailto:<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.<wbr>com</a>>>><br>
> > To: <a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
> <mailto:<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.<wbr>evolveum.com</a>><br>
> <mailto:<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.<wbr>evolveum.com</a><br>
> <mailto:<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.<wbr>evolveum.com</a>>><br>
> > Subject: Re: [midPoint] Add a second LDAP account to<br>
> resource for user<br>
> > (Error: already contains account of type 'default' on<br>
> > resource)<br>
> > Message-ID:<br>
> <<a href="mailto:fc626f42-1372-8fd9-79fa-1fcd09f8cef8@evolveum.com">fc626f42-1372-8fd9-79fa-<wbr>1fcd09f8cef8@evolveum.com</a><br>
> <mailto:<a href="mailto:fc626f42-1372-8fd9-79fa-1fcd09f8cef8@evolveum.com">fc626f42-1372-8fd9-<wbr>79fa-1fcd09f8cef8@evolveum.com</a><wbr>><br>
> > <mailto:<a href="mailto:fc626f42-1372-8fd9-79fa-1fcd09f8cef8@evolveum.com">fc626f42-1372-8fd9-<wbr>79fa-1fcd09f8cef8@evolveum.com</a><br>
> <mailto:<a href="mailto:fc626f42-1372-8fd9-79fa-1fcd09f8cef8@evolveum.com">fc626f42-1372-8fd9-<wbr>79fa-1fcd09f8cef8@evolveum.com</a><wbr>>>><br>
> > Content-Type: text/plain; charset="utf-8"<br>
> ><br>
> > Hi Peter,<br>
> ><br>
> > GUI currently cannot use Add projection for other-than-default<br>
> > intents.<br>
> ><br>
> > But it's very easy to create a role:<br>
> ><br>
> > Example 1: role to create default account on resource with given oid<br>
> ><br>
> > <role oid="2dfa0d20-3263-11e6-838d-3c970e44b9e2"<br>
> >       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
> >       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
> >       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"><br>
> >   <name>CSV-1 Default account</name><br>
> >   <description><br>
> >     This role assigns CSV-1 (Simulated App 1) resource and creates a test account.<br>
> >   </description><br>
> >   <inducement><br>
> >     <construction><br>
> >       <!-- The c: prefix in type must be there due to a JAXB bug --><br>
> >       <resourceRef oid="10000000-9999-9999-0000-a000ff000002" type="c:ResourceType"/><br>
> >       <kind>account</kind><br>
> >     </construction><br>
> >   </inducement><br>
> > </role><br>
> ><br>
> > Example 2: role to create account with intent test on resource with<br>
> > given oid<br>
> ><br>
> > <role oid="2dfa0d20-3263-11e6-838d-3c970e44b9e2"<br>
> >       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
> >       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<br>
> >       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"><br>
> >   <name>CSV-1 Tester</name><br>
> >   <description><br>
> >     This role assigns CSV-1 (Simulated App 1) resource and creates a test account.<br>
> >   </description><br>
> >   <inducement><br>
> >     <construction><br>
> >       <!-- The c: prefix in type must be there due to a JAXB bug --><br>
> >       <resourceRef oid="10000000-9999-9999-0000-a000ff000002" type="c:ResourceType"/><br>
> >       <kind>account</kind><br>
> >       <intent>test</intent><br>
> >     </construction><br>
> >   </inducement><br>
> > </role><br>
> ><br>
> > Then just add one or both roles to your user in midpoint and the<br>
> > corresponding account(s) should be created. Just be sure to use your<br>
> > resource oid and correct intent.<br>
> ><br>
> > Regards,<br>
> ><br>
> > Ivan<br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > midPoint mailing list<br>
> > <a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
> > <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
><br>
> --<br>
> Ivan Noris<br>
> Senior Identity Engineer<br>
> <a href="http://evolveum.com" rel="noreferrer" target="_blank">evolveum.com</a> <<a href="http://evolveum.com" rel="noreferrer" target="_blank">http://evolveum.com</a>><br>
><br>
> End of midPoint Digest, Vol 59, Issue 116<br>
> ******************************<wbr>***********<br>
<br>
--<br>
Ivan Noris<br>
Senior Identity Engineer<br>
<a href="http://evolveum.com" rel="noreferrer" target="_blank">evolveum.com</a><br>
<br>
End of midPoint Digest, Vol 59, Issue 118<br>
******************************<wbr>***********<br>
</blockquote></div><br></div></div></div>
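An added example, not part of the thread or of midPoint itself: a pre-import check that lists which (resource oid, kind, intent) each role's construction targets and reports roles that resolve to the same account, which is the situation where assigning both roles would not yield a second account. The role XML is a constructed, trimmed copy of the two roles quoted above; the helper names are hypothetical, and treating an omitted intent as "default" and an omitted kind as "account" is an assumption based on the error message in the thread subject.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": C}
RESOURCE_OID = "10000000-9999-9999-0000-a000ff000002"  # resource oid used in the thread


def role_xml(name, intent=None):
    """Build a constructed, trimmed copy of the roles quoted in the thread."""
    intent_el = f"<intent>{intent}</intent>" if intent else ""
    return f"""<role xmlns="{C}" xmlns:c="{C}">
  <name>{name}</name>
  <inducement><construction>
    <resourceRef oid="{RESOURCE_OID}" type="c:ResourceType"/>
    <kind>account</kind>{intent_el}
  </construction></inducement>
</role>"""


def constructions(xml_text):
    """Yield (role name, resource oid, kind, intent) for each induced construction."""
    role = ET.fromstring(xml_text)
    name = role.findtext("c:name", namespaces=NS)
    for con in role.iterfind("c:inducement/c:construction", NS):
        oid = con.find("c:resourceRef", NS).get("oid")
        # Assumption: omitted kind/intent resolve to "account"/"default".
        kind = con.findtext("c:kind", default="account", namespaces=NS)
        intent = con.findtext("c:intent", default="default", namespaces=NS)
        yield name, oid, kind, intent


def shared_accounts(role_xmls):
    """Return {(oid, kind, intent): [role names]} for targets named by 2+ roles."""
    seen = defaultdict(list)
    for text in role_xmls:
        for name, oid, kind, intent in constructions(text):
            seen[(oid, kind, intent)].append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    roles = [role_xml("CSV-1 Default account"), role_xml("CSV-1 Tester")]
    for key, names in shared_accounts(roles).items():
        print("same account target", key, "from roles", names)
```
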