<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello Jan,</p>
<p>I am not sure what demo you watched and what specific
configuration you use, but when looking at our sample <a
moz-do-not-send="true"
href="https://github.com/Evolveum/midpoint/blob/38a0a4dcc03334f2fbda0ef8fce9a0bcfd43c190/samples/demo/projects-metaRole.xml">https://github.com/Evolveum/midpoint/blob/38a0a4dcc03334f2fbda0ef8fce9a0bcfd43c190/samples/demo/projects-metaRole.xml</a>
I think that the inducement number 2 would deserve the focusType
specification limiting it to users (see red text):<br>
</p>
<pre>&lt;inducement id="2"&gt;
    &lt;construction&gt;
        &lt;resourceRef oid="ebd0bf7b-7e80-4175-ba5e-4fd5de2ecd62" type="c:ResourceType"&gt;&lt;!-- LDAP Server (OpenDJ) --&gt;&lt;/resourceRef&gt;
        &lt;kind&gt;account&lt;/kind&gt;
        &lt;intent&gt;default&lt;/intent&gt;
        &lt;association&gt;
            &lt;c:ref&gt;ri:ldapGroups&lt;/c:ref&gt;
            &lt;outbound&gt;
                &lt;expression&gt;
                    &lt;associationFromLink&gt;
                        &lt;projectionDiscriminator&gt;
                            &lt;kind&gt;entitlement&lt;/kind&gt;
                            &lt;intent&gt;ldapProject&lt;/intent&gt;
                        &lt;/projectionDiscriminator&gt;
                    &lt;/associationFromLink&gt;
                &lt;/expression&gt;
            &lt;/outbound&gt;
        &lt;/association&gt;
    &lt;/construction&gt;
    <b><font color="#cc0000">&lt;focusType&gt;UserType&lt;/focusType&gt;</font></b>
    &lt;order&gt;2&lt;/order&gt;
&lt;/inducement&gt;
</pre>
<p>I have no time to try that but it should stop creation of user
accounts for child Orgs.</p>
<p>As for the following</p>
<p>
<blockquote type="cite">Other problem is that when I add someone
to child Org. it is added to corresponding group. But not to AD
group of root Org.</blockquote>
This is because it is not configured to do so. You would need an
inducement that has the following:</p>
<ol>
<li>a <tt>&lt;construction&gt;</tt> element telling midPoint that an
account should be created (i.e. kind=account, intent=default) -
just like the one in the code sample above<br>
</li>
<li>the construction should have <tt>&lt;association&gt;</tt> element with
some expression that would generate the correct value: I am not
sure how exactly to specify it. I would try the following:
<pre><font color="#3333ff">&lt;associationFromLink&gt;
    &lt;projectionDiscriminator&gt;
        &lt;kind&gt;entitlement&lt;/kind&gt;
        &lt;intent&gt;ldapProject&lt;/intent&gt;
    &lt;/projectionDiscriminator&gt;</font>
    <b><font color="#cc0000">&lt;assignmentPathIndex&gt;-1&lt;/assignmentPathIndex&gt;</font></b>
<font color="#3333ff">&lt;/associationFromLink&gt;</font></pre>
but the assignmentPathIndex element requires the latest
master (3.7-SNAPSHOT). And I have no time to try it ... take it
as a pure guess.</li>
<li><tt>&lt;focusType&gt;</tt> should be set to UserType</li>
<li><tt>&lt;order&gt;</tt> should tell something like "use this for any
order: 1, 2, ... or N". This is done by replacing
<tt>&lt;order&gt;2&lt;/order&gt;</tt> by:
<pre><font color="#3333ff">&lt;orderConstraint&gt;
    &lt;orderMax&gt;unbounded&lt;/orderMax&gt;
&lt;/orderConstraint&gt;</font></pre></li>
</ol>
<p>Please have a look at the following (besides <a
moz-do-not-send="true"
href="https://evolveum.com/midpoint/midpoint-guide-about-practical-identity-management/">The
midPoint book</a> which is a must-read!):<br>
</p>
<ol>
<li><a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Generic+Synchronization">https://wiki.evolveum.com/display/midPoint/Generic+Synchronization</a>
(and pages linked from it)<br>
</li>
<li><a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Usual+Troubleshooting+Steps">https://wiki.evolveum.com/display/midPoint/Usual+Troubleshooting+Steps</a><br>
</li>
<li><a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings">https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings</a><br>
</li>
</ol>
<p>Also, when posting to this list, please attach your specific
configuration files, and probably log files (when logging levels
are set appropriately) as well. Screenshots (as you attached) are
OK as well.<br>
</p>
<p>Hope this helps,<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
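<p>Added example (not part of the original e-mail and not Evolveum's code): a small Python check that lists the inducements in a role or meta-role XML whose account construction is not limited to users by focusType, the condition the reply above identifies as the reason accounts get created for child Orgs. The function names and the sample XML are constructed for illustration, and a construction without a kind element is assumed to mean an account.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed meta-role shaped like the inducement quoted above.
SAMPLE_META_ROLE = """\
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <inducement id="1">
    <construction><kind>entitlement</kind><intent>ldapProject</intent></construction>
  </inducement>
  <inducement id="2">
    <construction><kind>account</kind><intent>default</intent></construction>
    <order>2</order>
  </inducement>
  <inducement id="3">
    <construction><kind>account</kind><intent>default</intent></construction>
    <focusType>UserType</focusType>
    <orderConstraint><orderMax>unbounded</orderMax></orderConstraint>
  </inducement>
</role>
"""


def _local(name):
    """Strip an XML namespace ('{uri}tag') or a QName prefix ('c:UserType')."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1].strip()


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _describe_order(inducement):
    """Report how the inducement selects its order (an absent order means 1)."""
    if any(_local(c.tag) == "orderConstraint" for c in inducement):
        return "orderConstraint"
    return "order " + (_child_text(inducement, "order") or "1")


def unrestricted_account_inducements(role_xml):
    """Return (id, order, focusType) for account inducements not limited to UserType."""
    findings = []
    for ind in ET.fromstring(role_xml).iter():
        if _local(ind.tag) != "inducement":
            continue
        construction = next((c for c in ind if _local(c.tag) == "construction"), None)
        if construction is None:
            continue
        # Assumption: a construction with no <kind> is treated as an account.
        if _child_text(construction, "kind") not in (None, "account"):
            continue
        focus = _child_text(ind, "focusType")
        if focus is None or _local(focus) != "UserType":
            findings.append((ind.get("id"), _describe_order(ind), focus))
    return findings


if __name__ == "__main__":
    for ind_id, order, focus in unrestricted_account_inducements(SAMPLE_META_ROLE):
        print(f"inducement {ind_id} ({order}): account construction, focusType={focus}")
```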
<div class="moz-cite-prefix">On 08.12.2017 20:02, Jan Kaspar wrote:<br>
</div>
<blockquote type="cite"
cite="mid:8rR.vFT.GtzEaq9oCg.1QAk71@seznam.cz">Hi All,
<div><br>
</div>
<div>I need help with setup of Org. Structure. First of all I have
prepared demo Active Directory with hundreds of users and
groups.</div>
<div><span style="background-color:transparent">Users are synced to
MidPoint and also Roles are synced to AD as Groups. So it
works.</span><br>
</div>
<div><span style="background-color:transparent"><br>
</span></div>
<div><span style="background-color:transparent">I would like to
try also Org Structure. I watched demo online and after some
adjustments I was able to create Orgs: </span></div>
<div><span style="background-color:transparent">'functional as OU'
and 'projects as Groups'.</span><br>
</div>
<div><span style="background-color:transparent"><br>
</span></div>
<div><span style="background-color:transparent">I am having
multiple issues: </span></div>
<div><span style="background-color:transparent"><br>
</span></div>
<div>If I create root Org for project, everything is OK. Security
Group is created in AD. If I try to assign user, then user is
added to corresponding Group.</div>
<div>But if I try to create child Org type project. I got error:</div>
<div><br>
</div>
<div><span style="color:rgb(51,51,51);font-family:'Source Sans
Pro','Helvetica
Neue',Helvetica,Arial,sans-serif;font-size:14px">Can't process
shadow: null (OID:null): Generic error in connector: Invalid
credentials:
org.identityconnectors.framework.common.exceptions.InvalidPasswordException(0000052D:
SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data
0??: PASSWORD_RESTRICTION: Unable to update the password. The
value provided for the new password does not meet the length,
complexity, or history requirement of the domain): Can't
process shadow: null (OID:null): Generic error in connector:
Invalid credentials:
org.identityconnectors.framework.common.exceptions.InvalidPasswordException(0000052D:
SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data
0??: PASSWORD_RESTRICTION: Unable to update the password. The
value provided for the new password does not meet the length,
complexity, or history requirement of the domain): Can't
process shadow: null (OID:null): Generic error in connector:
Invalid credentials:
org.identityconnectors.framework.common.exceptions.InvalidPasswordException(0000052D:
SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data
0??: PASSWORD_RESTRICTION: Unable to update the password. The
value provided for the new password does not meet the length,
complexity, or history requirement of the domain): Can't
process shadow: null (OID:null): Generic error in connector:
Invalid credentials:
org.identityconnectors.framework.common.exceptions.InvalidPasswordException(0000052D:
SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data
0??: PASSWORD_RESTRICTION: Unable to update the password. The
value provided for the new password does not meet the length,
complexity, or history requirement of the domain)</span><br>
</div>
<div><span style="color:rgb(51,51,51);font-family:'Source Sans
Pro','Helvetica
Neue',Helvetica,Arial,sans-serif;font-size:14px"><br>
</span></div>
<div>I see that it is creating object type account :</div>
<div><br>
</div>
<div>
<table border="1" cellpadding="5">
<tbody>
<tr>
<th>Activity</th>
<th>Status</th>
<th>Resource object (if applicable)</th>
</tr>
<tr>
<td>Computing projections of the focus object</td>
<td>SUCCESS</td>
<td></td>
</tr>
<tr>
<td>Operation on focus object (repository)</td>
<td>SUCCESS</td>
<td></td>
</tr>
<tr>
<td>Account (default) on Hell Active Directory (LDAP)</td>
<td>FATAL_ERROR</td>
<td>Add:Fatal error -&gt; CN=A2,OU=Users,OU=CZ,DC=hell,DC=local</td>
</tr>
<tr>
<td>Considering or starting approval workflows</td>
<td>SUCCESS</td>
<td></td>
</tr>
</tbody>
</table>
</div>
<div>I see that it tries to use correct meta role. </div>
<div><br>
</div>
<div><span style="color:rgb(51,51,51);font-family:'Source Sans
Pro','Helvetica
Neue',Helvetica,Arial,sans-serif;font-size:11.6667px">Successfully
finished evaluation of mapping mapping in for association
{.../resource/instance-3}group in
role:3154fafb-9f9f-4c3b-93ae-7fffd43796bf(LDAP Projects
MetaRole) in 7 ms.</span><br>
</div>
<div><br>
</div>
<div>When I add manually metarole to child Org. I got error:</div>
<div><br>
</div>
<div>
<table border="1" cellpadding="5">
<tbody>
<tr>
<th>Activity</th>
<th>Status</th>
<th>Resource object (if applicable)</th>
</tr>
<tr>
<td>Computing projections of the focus object</td>
<td>SUCCESS</td>
<td></td>
</tr>
<tr>
<td>Operation on focus object (repository)</td>
<td>SUCCESS</td>
<td></td>
</tr>
<tr>
<td>Account (default) on Hell Active Directory (LDAP)</td>
<td>FATAL_ERROR</td>
<td>Add:Fatal error -&gt; CN=A2,OU=Users,OU=CZ,DC=hell,DC=local</td>
</tr>
<tr>
<td>Entitlement (ldapProject) on Hell Active Directory (LDAP)</td>
<td>SUCCESS</td>
<td>Add:Success -&gt; cn=A2,ou=Projects,dc=hell,dc=local</td>
</tr>
<tr>
<td>Considering or starting approval workflows</td>
<td>SUCCESS</td>
<td></td>
</tr>
</tbody>
</table>
</div>
<div>In the end groups is created but it is not correct
behaviour. </div>
<div><br>
</div>
<div>Other problem is that when I add someone to child Org. it is
added to corresponding group. But not to AD group of root Org.</div>
<div><br>
</div>
<div>Hope I described it clearly. <span
style="background-color:transparent">Can someone please help
me with correct settings? </span></div>
<div><br>
</div>
<div>Thank you</div>
<div><br>
</div>
<div>Jan</div>
<div><br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body>
</html>