<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none"><!-- p { margin-top: 0px; margin-bottom: 0px; }--></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hi Ivan,</p>
<div><br>
</div>
<div>Sorry, I should have provided more details. The objects in question are ldap groups, and we are using the pattern where a role assignment induces a membership in a group. When I assign a role to a user, midPoint tries to make the user a member of a group,
say cn=mygroup,dc=mydomain. This is a group that midPoint has seen before, so it tries to look it up using the uuid stored in the shadow object. The problem is that the uuid of the group is not valid any more, and the lookup fails.<br>
</div>
<div><br>
</div>
<div>Pertti<br>
</div>
<div><br>
</div>
<p><br>
</p>
<div style="color: rgb(33, 33, 33);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font color="#000000" face="Calibri, sans-serif" style="font-size:11pt"><b>From:</b> midPoint &lt;midpoint-bounces@lists.evolveum.com&gt; on behalf of Ivan Noris &lt;ivan.noris@evolveum.com&gt;<br>
<b>Sent:</b> 30 November 2017 15:59<br>
<b>To:</b> midpoint@lists.evolveum.com<br>
<b>Subject:</b> Re: [midPoint] Refreshing uuids in ldap shadow objects</font>
<div> </div>
</div>
<div>
<p>Hi Pertti,</p>
<p>have you tried reconciliation? It should detect the old account as DELETED, delete the shadow and linkRef, and also detect the new account as UNLINKED, and link it using the correlation expression...</p>
<p><br>
</p>
<p>(If you have the common synchronization definition, where DELETED has unlink reaction and UNLINKED has link reaction.)<br>
</p>
<br>
Running reconciliation with dryRun=true should show you approximately the same number of UNLINKED and DELETED accounts... running without dryrun should fix it then.<br>
<br>
Best regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 30.11.2017 14:43, Pertti Kellomäki wrote:<br>
</div>
<blockquote type="cite">
<p>Hi all,</p>
<p><br>
</p>
<p>I have a situation where midPoint does not find some entries in an openldap resource because the uuids of the entries have changed (don't ask...). I know how to fix them manually by editing the shadow object xml, but it is not very practical.</p>
<p><br>
</p>
<p>Is there a way to refresh the shadow objects from the resource? The DNs of the ldap entries are valid and present in the ldap database, but some entries have been deleted and recreated, so the uuids in the shadow objects are not valid any more. Consequently
the ldap connector complains about missing entries.<br>
</p>
<p>-- </p>
<p>Pertti</p>
<p><br>
</p>
<br>
<pre>_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
</div>
</div>
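<p>Ivan's suggestion above, written out as midPoint 3.x configuration (an added example, not code from the thread or from the midPoint project): the first fragment is a reconciliation task with dryRun=true that only reports the DELETED and UNLINKED situations, and is re-run with the dryRun element removed to apply them; the second fragment is the resource's synchronization section with the unlink and link reactions he refers to. The task name, resource OID, LDAP object class and the ri:uid correlation attribute are assumed placeholders.</p>

```xml
<!-- Fragment 1: reconciliation task. Import and run it; for the real run delete mext:dryRun. -->
<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Reconcile LDAP accounts (dry run)</name>           <!-- constructed name -->
    <extension>
        <mext:kind>account</mext:kind>
        <mext:objectclass>ri:inetOrgPerson</mext:objectclass> <!-- assumed object class -->
        <mext:dryRun>true</mext:dryRun>                       <!-- report situations, change nothing -->
    </extension>
    <ownerRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/> <!-- administrator -->
    <executionStatus>runnable</executionStatus>
    <category>Reconciliation</category>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/reconciliation/handler-3</handlerUri>
    <objectRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/> <!-- placeholder: the LDAP resource -->
    <recurrence>single</recurrence>
</task>

<!-- Fragment 2: synchronization section of the resource, in the shape Ivan describes -->
<synchronization xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                 xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <objectSynchronization>
        <kind>account</kind>
        <intent>default</intent>
        <objectClass>ri:inetOrgPerson</objectClass>
        <enabled>true</enabled>
        <correlation>                                  <!-- assumed: user name equals the LDAP uid -->
            <q:equal>
                <q:path>name</q:path>
                <expression><path>$projection/attributes/ri:uid</path></expression>
            </q:equal>
        </correlation>
        <reaction>                                     <!-- stale shadow (old uuid gone): drop it and the linkRef -->
            <situation>deleted</situation>
            <synchronize>true</synchronize>
            <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri></action>
        </reaction>
        <reaction>                                     <!-- recreated entry matched by correlation: link the new shadow -->
            <situation>unlinked</situation>
            <synchronize>true</synchronize>
            <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri></action>
        </reaction>
        <reaction><situation>linked</situation><synchronize>true</synchronize></reaction>
    </objectSynchronization>
</synchronization>
```

Pertti's stale shadows are group entries rather than accounts, so for that case the task extension would name the group object class with kind entitlement instead of the account values assumed here.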
</body>
</html>