<div dir="ltr"><div>Forgot to reply to this; I got it working with the credentials tag, thanks!<br></div>I had to use the explicit fetchStrategy, or it wouldn't work.<br><div><br> I generated the password instead of replicating it from Midpoint, like this:</div><div><br></div><div> <credentials><br> <password><br> <fetchStrategy>explicit</fetchStrategy><br> <outbound><br> <authoritative>false</authoritative><br> <exclusive>false</exclusive><br> <strength>weak</strength><br> <expression><br> <generate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br> xsi:type="c:GenerateExpressionEvaluatorType"><br> <valuePolicyRef oid="00000000-0000-0000-0000-000000000003"/><br> </generate><br> </expression><br> </outbound><br> </password><br> </credentials><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-01-04 6:11 GMT-02:00 Petr Gašparík - AMI Praha a.s. <span dir="ltr"><<a href="mailto:petr.gasparik@ami.cz" target="_blank">petr.gasparik@ami.cz</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi, as Oleksandr says, AD disallows manipulating userPassword directly. Instead, the credentials tag is used.<div>Also, SSL is a must.</div><div><br></div><div>In general, 
WILL_NOT_PERFORM is almost always a wrongly set password - in our cases mostly a policy violation (weak, missing or badly set password)</div><div><br></div><div>Petr</div></div><div class="gmail_extra"><br clear="all"><div><div class="m_7827602555647054327gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><p><span style="font-family:Arial,sans-serif;font-size:10pt">--</span></p><p><span style="font-family:Arial,sans-serif;font-size:10pt">Best regards</span></p><table style="font-family:Verdana,Arial,Helvetica,sans-serif;border-collapse:collapse;padding:0px;margin:0px;border-width:0px!important;border-style:solid!important;width:482px!important"><tbody><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;width:160px;vertical-align:bottom;padding:0px;border:0px solid gray!important"><p><span style="font-size:14px;font-weight:bold">Petr Gašparík</span><br>solution architect<br><br>gsm: <a href="tel:+420%20603%20523%20860" value="+420603523860" target="_blank">[+420] 603 523 860</a><br>e-mail: <a href="mailto:petr.gasparik@ami.cz" target="_blank">petr.gasparik@ami.cz</a></p></td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right-width:1px;border-right-style:solid;border-right-color:rgb(204,204,204);padding:0px;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important"> </td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray!important"> </td><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;vertical-align:bottom;padding:0px;width:123px;border:0px solid gray!important"><p>AMI Praha 
a.s.<br>Pláničkova 11<br>162 00 Praha 6<br>tel.: <a href="tel:+420%20274%20783%20239" value="+420274783239" target="_blank">[+420] 274 783 239</a><br>web: <a href="http://www.ami.cz/" target="_blank">www.ami.cz</a></p></td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right-width:1px;border-right-style:solid;border-right-color:rgb(204,204,204);padding:0px;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important"> </td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray!important"> </td><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;margin:8px;border:0px solid gray!important;width:116px"><p><img src="http://www.ami.cz/images/podpis/ami_logo.gif" alt="AMI Praha a.s." style="border:0px"></p></td></tr><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td colspan="7" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;width:480px;border:0px solid gray!important"><br></td></tr><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td colspan="7" style="color:rgb(128,128,128);font-family:Arial,sans-serif;font-size:11px;padding:0px;border:0px solid gray!important">By the text of this e-mail the signatory neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s.<br>Any contract, if concluded, must be exclusively in written form.<br><br></td></tr></tbody></table></div></div></div></div></div><div><div class="h5">
<br><div class="gmail_quote">2018-01-04 8:39 GMT+01:00 Oleksandr Nekriach <span dir="ltr"><<a href="mailto:o.nekriach@dynatech.lv" target="_blank">o.nekriach@dynatech.lv</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
It is strange; I was sure that the problem was in SSL.<br>
See<br>
Known Causes<br>
- This is caused when you don't use SSL in your LDAP connection and AD<br>
enforces SSL connection.<br>
- There are password policies in the AD environment<br>
<br>
In my Midpoint instance I don't use a "direct" outbound mapping for userPassword.<br>
Instead, I use<br>
<br>
<credentials><br>
<password><br>
<outbound><br>
<expression><br>
<asIs xsi:type="c:AsIsExpressionEvaluatorType"/><br>
</expression><br>
</outbound><br>
</password><br>
</credentials><br>
<br>
On 4 January 2018 at 02:00, Alcides Carlos de Moraes Neto<br>
<div class="m_7827602555647054327HOEnZb"><div class="m_7827602555647054327h5"><<a href="mailto:alcides.neto@gmail.com" target="_blank">alcides.neto@gmail.com</a>> wrote:<br>
> Hello,<br>
><br>
> Yes, I'm using ldaps.<br>
><br>
> 2018-01-02 5:16 GMT-02:00 Oleksandr Nekriach <<a href="mailto:o.nekriach@dynatech.lv" target="_blank">o.nekriach@dynatech.lv</a>>:<br>
>><br>
>> Happy new year!<br>
>> Hi Alcides,<br>
>> Do you use secure communication for AD connection (ldaps) or not?<br>
>> Some AD settings do not allow managing passwords via open<br>
>> communications.<br>
>> I had a similar issue a few years ago with the Oracle connector ;)<br>
>><br>
>> Regards, Oleksandr<br>
>><br>
>><br>
>> On 28 December 2017 at 21:30, Alcides Carlos de Moraes Neto<br>
>> <<a href="mailto:alcides.neto@gmail.com" target="_blank">alcides.neto@gmail.com</a>> wrote:<br>
>> > Hello list,<br>
>> ><br>
>> > I'm trying to create AD users from Midpoint. I'm getting the 53<br>
>> > WILL_NOT_PERFORM error, which seems to be related to the password<br>
>> > policy.<br>
>> > The AD I'm using does have a password policy.<br>
>> ><br>
>> > So I'm trying to set some literal, strong password as a placeholder, but<br>
>> > I<br>
>> > don't think my mapping is working. How should I configure it? I cannot<br>
>> > find<br>
>> > any examples. Below are the error I get and the password outbound<br>
>> > mapping.<br>
>> ><br>
>> > com.evolveum.midpoint.util.exception.SystemException: Got unexpected<br>
>> > exception:<br>
>> ><br>
>> > org.identityconnectors.framework.common.exceptions.PermissionDeniedException:<br>
>> > Error adding LDAP entry CN=JOHN DOE,OU=Users,DC=midpoint,DC=local:<br>
>> > unwillingToPerform: 0000052D: SvcErr: DSID-031A12D2, problem 5003<br>
>> > (WILL_NOT_PERFORM), data 0 (53)<br>
>> ><br>
>> > <attribute><br>
>> > <c:ref>ri:userPassword</c:ref><br>
>> > <tolerant>true</tolerant><br>
>> > <exclusiveStrong>false</exclusiveStrong><br>
>> > <fetchStrategy>explicit</fetchStrategy><br>
>> > <outbound><br>
>> > <authoritative>true</authoritative><br>
>> > <exclusive>false</exclusive><br>
>> > <strength>normal</strength><br>
>> > <expression><br>
>> > <value>Midpoint2018*</value><br>
>> > </expression><br>
>> > </outbound><br>
>> > </attribute><br>
>> ><br>
>> ><br>
>> > Thanks and happy new year to all =)<br>
>> ><br>
>> > _______________________________________________<br>
>> > midPoint mailing list<br>
>> > <a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
>> > <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
>> ><br>
>><br>
>><br>
>><br>
>> --<br>
>> Best regards,<br>
>><br>
>> Oleksandr Nekriach | Identity and access management engineer<br>
>><br>
>> Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia<br>
>><br>
>> <a href="tel:%2B37125314685" value="+37125314685" target="_blank">+37125314685</a><br>
>> ,<br>
>> <a href="mailto:o.nekriach@dynatech.lv" target="_blank">o.nekriach@dynatech.lv</a><br>
>> |<br>
>> <a href="http://www.dynatech.lv" rel="noreferrer" target="_blank">www.dynatech.lv</a><br>
>><br>
>><br>
>><br>
>><br>
>> Stay connected:<br>
>><br>
>><br>
>> Confidentiality Notice: This message contains confidential information<br>
>> and is intended only for the named recipient(s). If you are not the<br>
>> addressee you may not copy, distribute or perform any other activities<br>
>> with this information. If you have received this transmission in<br>
>> error, please notify us by e-mail immediately. E-mail transmission<br>
>> cannot be guaranteed to be secure or error-free as information could<br>
>> be intercepted, corrupted, lost, destroyed, arrive late or incomplete,<br>
>> or contain viruses.<br>
><br>
><br>
><br>
><br>
<br>
<br>
<br>
--<br>
Best regards,<br>
<br>
Oleksandr Nekriach | Identity and access management engineer<br>
<br>
Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia<br>
<br>
<a href="tel:%2B37125314685" value="+37125314685" target="_blank">+37125314685</a><br>
,<br>
<a href="mailto:o.nekriach@dynatech.lv" target="_blank">o.nekriach@dynatech.lv</a><br>
|<br>
<a href="http://www.dynatech.lv" rel="noreferrer" target="_blank">www.dynatech.lv</a><br>
</div></div></blockquote></div><br></div></div></div>
<br></blockquote></div><br></div>
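The thread settles on two causes for LDAP result 53 (WILL_NOT_PERFORM) when midPoint provisions a password to Active Directory: the connection is not ldaps/TLS, or the value violates the domain password policy (the 0000052D in Alcides' error). The helpers below are an added example, not code from the thread or from the midPoint project; they triage the AD diagnostic string, pre-check a candidate password against the default AD complexity rule so a provisioning run fails early with a clear reason, and show the unicodePwd wire encoding. The message layout, the Win32 meaning of 0x52D, the default complexity rule and the sample inputs are assumptions stated in the code, not facts from the thread.

```python
"""Added example (not from the midPoint thread or project): triage and
pre-checks for WILL_NOT_PERFORM when writing passwords to Active Directory.

Assumptions not stated on the page: the AD diagnostic layout
'<win32 hex>: SvcErr: DSID-<hex>, problem <n> (<NAME>), data <n>',
0x52D = ERROR_PASSWORD_RESTRICTION, and the default AD complexity rule.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Win32 status AD prepends to its LDAP diagnostic message.
# 0x52D = 1325 = ERROR_PASSWORD_RESTRICTION: the domain policy rejected the value.
WIN32_CAUSES = {
    0x52D: "password rejected by the domain password policy (length, complexity or history)",
}
GENERIC_CAUSE = ("unknown code; the two usual causes are a password write over a "
                 "non-TLS connection and a domain password-policy violation")

# Shape of the message quoted in the thread:
# "0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0"
AD_ERROR_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): SvcErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\), data (?P<data>\d+)"
)


@dataclass
class AdError:
    win32: int
    problem: int
    name: str
    cause: str


def parse_ad_error(message: str) -> Optional[AdError]:
    """Extract the Win32 code and problem number from an AD diagnostic string."""
    m = AD_ERROR_RE.search(message)
    if not m:
        return None
    win32 = int(m.group("win32"), 16)
    return AdError(win32=win32, problem=int(m.group("problem")),
                   name=m.group("name"), cause=WIN32_CAUSES.get(win32, GENERIC_CAUSE))


def connection_problems(ldap_uri: str, starttls: bool = False) -> List[str]:
    """Why AD would refuse a password write over this connection (empty list = OK)."""
    scheme = urlparse(ldap_uri).scheme.lower()
    if scheme == "ldaps" or (scheme == "ldap" and starttls):
        return []
    return [f"{ldap_uri}: AD only accepts password writes over an encrypted "
            f"(ldaps or StartTLS) connection; expect WILL_NOT_PERFORM"]


def complexity_problems(password: str, sam_account_name: str, display_name: str,
                        min_length: int = 7) -> List[str]:
    """Check a candidate against the default AD complexity rule (assumed here):
    minimum length (a policy setting; 7 is a common default), characters from
    at least 3 of the 4 categories counted below, no sAMAccountName of 3+ chars
    inside the password, and no display-name token of 3+ chars inside it."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        problems.append("contains the sAMAccountName")
    # AD splits the display name on commas, periods, dashes, underscores,
    # spaces, pound signs and tabs, and rejects any token of 3+ characters.
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains display-name token {token!r}")
    categories = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if categories < 3:
        problems.append(f"only {categories} of 4 character categories")
    return problems


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd attribute takes the value in double quotes, UTF-16-LE encoded."""
    return f'"{password}"'.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed inputs: the error text from the thread and its placeholder password.
    print(parse_ad_error("unwillingToPerform: 0000052D: SvcErr: DSID-031A12D2, "
                         "problem 5003 (WILL_NOT_PERFORM), data 0"))
    print(connection_problems("ldap://dc.midpoint.local"))
    print(complexity_problems("Midpoint2018*", "jdoe", "JOHN DOE"))
```

Running the pre-checks before the connector's add operation turns an opaque result 53 into a specific reason; note that a generated password (the `generate` evaluator with a `valuePolicyRef`, as in the first reply) should be produced from a value policy at least as strict as the AD domain policy, or it will still be rejected with 0000052D.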