<html><body><p>Hello,<br/><br/>I have a really strange event in my AD sync. Let me explain; I have the following setup:<br/>- 1 resource: Active Directory<br/>- 1 metarole for AD group sync (based on the sample: https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO)<br/>- 1 role with an assignment to the metarole<br/>- 1 user with an assignment to the previous role.<br/><br/>- When I assign the metarole to my role: OK, all elements do the job and my role is now a group in my AD.<br/>- When I assign a user (with or without the AD construction already done) to my role: OK, my user has an AD account and this account is memberOf my group.<br/>- When I run a reconcile on my role: NOK, midPoint executes a delta to delete all the members (it deletes the memberOf association, not the member itself).<br/>If I reconcile my user, nothing is done.<br/><br/>My resource and my metarole are like the sample. Any idea?<br/><br/><u><strong>METAROLE:</strong></u><br/><role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="41746865-6e61-2001-0001-000000000010" version="1"><br/> <name>metarole-ad-sync</name><br/> <activation><br/> <effectiveStatus>enabled</effectiveStatus><br/> <enableTimestamp>2017-08-08T14:30:44.995Z</enableTimestamp><br/> </activation><br/> <iteration>0</iteration><br/> <iterationToken/><br/> <inducement 
id="1"><br/> <construction><br/> <resourceRef oid="41746865-6e61-1000-0001-000000000001" relation="org:default" type="c:ResourceType"/><br/> <kind>entitlement</kind><br/> <intent>group</intent><br/> </construction><br/> </inducement><br/> <inducement id="2"><br/> <construction><br/> <resourceRef oid="41746865-6e61-1000-0001-000000000001" relation="org:default" type="c:ResourceType"/><br/> <kind>account</kind><br/> <intent>default</intent><br/> <association><br/> <c:ref>ri:group</c:ref><br/> <outbound><br/> <expression><br/> <associationFromLink xsi:type="c:AssociationFromLinkExpressionEvaluatorType"><br/> <projectionDiscriminator><br/> <kind>entitlement</kind><br/> <intent>group</intent><br/> </projectionDiscriminator><br/> </associationFromLink><br/> </expression><br/> </outbound><br/> </association><br/> </construction><br/> <order>2</order><br/> </inducement><br/> </role><br/><br/><br/><br/><u><strong>Resource : </strong></u><br/><schemaHandling><br/> <objectType><br/> <kind>account</kind><br/> <displayName>User Account</displayName><br/> <default>true</default><br/> <objectClass>ri:user</objectClass><br/> <attribute><br/> <c:ref>ri:dn</c:ref><br/> <displayName>Distinguished Name</displayName><br/> <limitations><br/> <access><br/> <read>true</read><br/> <add>true</add><br/> <modify>false</modify><br/> </access><br/> </limitations><br/> <tolerant>false</tolerant><br/> <exclusiveStrong>false</exclusiveStrong><br/> <outbound><br/> <authoritative>false</authoritative><br/> <exclusive>false</exclusive><br/> <strength>weak</strength><br/> <source><br/> <c:path>$user/fullName</c:path><br/> </source><br/> <expression><br/> <script xsi:type="c:ScriptExpressionEvaluatorType"><br/> <code><br/> 'CN=' + fullName + iterationToken + ',OU=Users,OU=AGORA-T PREPROD,DC=users,DC=pprod,DC=agorat,DC=local'<br/> </code><br/> </script><br/> </expression><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:sAMAccountName</c:ref><br/> <limitations><br/> <access><br/> 
<read>true</read><br/> <add>true</add><br/> <modify>false</modify><br/> </access><br/> </limitations><br/> <matchingRule xmlns:gen730="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen730:stringIgnoreCase</matchingRule><br/> <tolerant>false</tolerant><br/> <exclusiveStrong>false</exclusiveStrong><br/> <outbound><br/> <authoritative>false</authoritative><br/> <exclusive>false</exclusive><br/> <strength>weak</strength><br/> <source><br/> <c:path>$user/name</c:path><br/> </source><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:cn</c:ref><br/> <limitations><br/> <minOccurs>0</minOccurs><br/> </limitations><br/> <tolerant>false</tolerant><br/> <exclusiveStrong>false</exclusiveStrong><br/> <outbound><br/> <authoritative>false</authoritative><br/> <exclusive>false</exclusive><br/> <strength>weak</strength><br/> <source><br/> <c:path>fullName</c:path><br/> </source><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:sn</c:ref><br/> <limitations><br/> <minOccurs>0</minOccurs><br/> </limitations><br/> <outbound><br/> <source><br/> <c:path>familyName</c:path><br/> </source><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:givenName</c:ref><br/> <outbound><br/> <source><br/> <c:path>givenName</c:path><br/> </source><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:userPrincipalName</c:ref><br/> <outbound><br/> <source><br/> <c:path>$user/name</c:path><br/> </source><br/> <expression><br/> <script xsi:type="c:ScriptExpressionEvaluatorType"><br/> <code><br/> name + iterationToken + '@pprod.agora-t.net'<br/> </code><br/> </script><br/> </expression><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:pwdLastSet</c:ref><br/> <outbound><br/> <expression><br/> <value xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:long">-1</value><br/> </expression><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:createTimeStamp</c:ref><br/> 
<fetchStrategy>explicit</fetchStrategy><br/> </attribute><br/> <attribute><br/> <c:ref>ri:nTSecurityDescriptor</c:ref><br/> <limitations><br/> <minOccurs>0</minOccurs><br/> </limitations><br/> </attribute><br/> <attribute><br/> <c:ref>ri:instanceType</c:ref><br/> <limitations><br/> <minOccurs>0</minOccurs><br/> </limitations><br/> </attribute><br/> <attribute><br/> <c:ref>ri:objectCategory</c:ref><br/> <limitations><br/> <minOccurs>0</minOccurs><br/> </limitations><br/> <outbound><br/> <expression><br/> <value>CN=Person,CN=Schema,CN=Configuration,DC=users,DC=pprod,DC=agorat,DC=local</value><br/> </expression><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:displayName</c:ref><br/> <tolerant>false</tolerant><br/> <exclusiveStrong>false</exclusiveStrong><br/> <outbound><br/> <authoritative>false</authoritative><br/> <exclusive>false</exclusive><br/> <strength>normal</strength><br/> <source><br/> <c:path>$user/givenName</c:path><br/> </source><br/> <source><br/> <c:path>$user/familyName</c:path><br/> </source><br/> <expression><br/> <script xsi:type="c:ScriptExpressionEvaluatorType"><br/> <code><br/> (givenName + '.' 
+ familyName).toString().toLowerCase()<br/> </code><br/> </script><br/> </expression><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:mail</c:ref><br/> <outbound><br/> <source><br/> <c:path>$user/emailAddress</c:path><br/> </source><br/> </outbound><br/> </attribute><br/> <association><br/> <c:ref>ri:group</c:ref><br/> <displayName>AD Group Membership</displayName><br/> <kind>entitlement</kind><br/> <intent>group</intent><br/> <direction>objectToSubject</direction><br/> <associationAttribute>ri:member</associationAttribute><br/> <valueAttribute>ri:dn</valueAttribute><br/> <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute><br/> <shortcutValueAttribute>ri:dn</shortcutValueAttribute><br/> <explicitReferentialIntegrity>false</explicitReferentialIntegrity><br/> </association><br/> <activation><br/> <administrativeStatus><br/> <outbound/><br/> </administrativeStatus><br/> </activation><br/> <credentials><br/> <password><br/> <outbound/><br/> </password><br/> </credentials><br/> </objectType><br/> <objectType><br/> <kind>entitlement</kind><br/> <intent>group</intent><br/> <displayName>Athena Groups</displayName><br/> <default>true</default><br/> <objectClass>ri:group</objectClass><br/> <attribute><br/> <c:ref>ri:dn</c:ref><br/> <tolerant>false</tolerant><br/> <exclusiveStrong>false</exclusiveStrong><br/> <outbound><br/> <authoritative>true</authoritative><br/> <exclusive>false</exclusive><br/> <strength>normal</strength><br/> <source><br/> <c:path>$focus/name</c:path><br/> </source><br/> <expression><br/> <script xsi:type="c:ScriptExpressionEvaluatorType"><br/> <code><br/> 'CN=' + name + ',OU=Groups,OU=AGORA-T PREPROD,DC=users,DC=pprod,DC=agorat,DC=local'<br/> </code><br/> </script><br/> </expression><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:cn</c:ref><br/> <tolerant>false</tolerant><br/> <exclusiveStrong>false</exclusiveStrong><br/> <outbound><br/> <authoritative>true</authoritative><br/> 
<exclusive>false</exclusive><br/> <strength>normal</strength><br/> <source><br/> <c:path>$focus/name</c:path><br/> </source><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:description</c:ref><br/> <tolerant>false</tolerant><br/> <exclusiveStrong>false</exclusiveStrong><br/> <outbound><br/> <source><br/> <c:path>description</c:path><br/> </source><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:member</c:ref><br/> <displayName>Member</displayName><br/> <tolerant>false</tolerant><br/> <exclusiveStrong>false</exclusiveStrong><br/> </attribute><br/> <attribute><br/> <c:ref>ri:groupType</c:ref><br/> <tolerant>false</tolerant><br/> <exclusiveStrong>false</exclusiveStrong><br/> <outbound><br/> <expression><br/> <value>-2147483646</value><br/> </expression><br/> </outbound><br/> </attribute><br/> <attribute><br/> <c:ref>ri:sAMAccountName</c:ref><br/> <tolerant>false</tolerant><br/> <exclusiveStrong>false</exclusiveStrong><br/> <outbound><br/> <authoritative>true</authoritative><br/> <exclusive>false</exclusive><br/> <strength>normal</strength><br/> <source><br/> <c:path>$focus/name</c:path><br/> </source><br/> </outbound><br/> </attribute><br/> </objectType><br/> </schemaHandling><br/> <capabilities><br/> <cachingMetadata><br/> <retrievalTimestamp>2017-10-03T08:28:33.067Z</retrievalTimestamp><br/> <serialNumber>2af0af9006ddad16-bd8b78664df70159</serialNumber><br/> </cachingMetadata><br/> <native xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3" xsi:type="c:CapabilityCollectionType"><br/> <cap:schema/><br/> <cap:liveSync/><br/> <cap:testConnection/><br/> <cap:create/><br/> <cap:read/><br/> <cap:update/><br/> <cap:delete/><br/> <cap:script><br/> <cap:host><br/> <cap:type>resource</cap:type><br/> </cap:host><br/> <cap:host><br/> <cap:type>connector</cap:type><br/> </cap:host><br/> </cap:script><br/> <cap:addRemoveAttributeValues/><br/> <cap:activation><br/> <cap:status/><br/> </cap:activation><br/> 
<cap:credentials><br/> <cap:password><br/> <cap:returnedByDefault>false</cap:returnedByDefault><br/> </cap:password><br/> </cap:credentials><br/> <cap:auxiliaryObjectClasses/><br/> <cap:pagedSearch/><br/> </native><br/> <configured xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3" xsi:type="c:CapabilityCollectionType"><br/> <cap:liveSync><br/> <cap:enabled>true</cap:enabled><br/> </cap:liveSync><br/> <cap:testConnection><br/> <cap:enabled>true</cap:enabled><br/> </cap:testConnection><br/> <cap:create><br/> <cap:enabled>true</cap:enabled><br/> </cap:create><br/> <cap:read><br/> <cap:enabled>true</cap:enabled><br/> </cap:read><br/> <cap:update><br/> <cap:enabled>true</cap:enabled><br/> </cap:update><br/> <cap:delete><br/> <cap:enabled>true</cap:enabled><br/> </cap:delete><br/> <cap:script><br/> <cap:enabled>true</cap:enabled><br/> <cap:host><br/> <cap:type>resource</cap:type><br/> </cap:host><br/> <cap:host><br/> <cap:type>connector</cap:type><br/> </cap:host><br/> </cap:script><br/> <cap:addRemoveAttributeValues><br/> <cap:enabled>true</cap:enabled><br/> </cap:addRemoveAttributeValues><br/> <cap:activation><br/> <cap:enabled>true</cap:enabled><br/> <cap:status><br/> <cap:enabled>true</cap:enabled><br/> <cap:returnedByDefault>true</cap:returnedByDefault><br/> <cap:ignoreAttribute>true</cap:ignoreAttribute><br/> </cap:status><br/> <cap:validFrom><br/> <cap:enabled>false</cap:enabled><br/> <cap:returnedByDefault>false</cap:returnedByDefault><br/> </cap:validFrom><br/> <cap:validTo><br/> <cap:enabled>false</cap:enabled><br/> <cap:returnedByDefault>false</cap:returnedByDefault><br/> </cap:validTo><br/> <cap:lockoutStatus><br/> <cap:enabled>false</cap:enabled><br/> <cap:returnedByDefault>false</cap:returnedByDefault><br/> <cap:ignoreAttribute>true</cap:ignoreAttribute><br/> </cap:lockoutStatus><br/> </cap:activation><br/> <cap:credentials><br/> <cap:enabled>true</cap:enabled><br/> <cap:password><br/> <cap:enabled>true</cap:enabled><br/> 
<cap:returnedByDefault>false</cap:returnedByDefault><br/> </cap:password><br/> </cap:credentials><br/> <cap:auxiliaryObjectClasses><br/> <cap:enabled>true</cap:enabled><br/> </cap:auxiliaryObjectClasses><br/> </configured><br/> </capabilities><br/> <scripts><br/> <script><br/> <host>resource</host><br/> <language>powershell</language><br/> <argument><br/> <c:path xsi:type="t:ItemPathType">$user/name</c:path><br/> <name>identity</name><br/> </argument><br/> <code>powershell "D:\midpoint\create-certificate\create-certificate.ps1 $identity"</code><br/> <operation>add</operation><br/> <kind>account</kind><br/> <order>after</order><br/> </script><br/> </scripts><br/> <synchronization><br/> <objectSynchronization><br/> <name>Account sync</name><br/> <objectClass>ri:user</objectClass><br/> <kind>account</kind><br/> <intent>default</intent><br/> <focusType>c:UserType</focusType><br/> <enabled>true</enabled><br/> <correlation><br/> <q:equal><br/> <q:path>c:name</q:path><br/> <expression xmlns=""><br/> <path>$user/sAMAccountName</path><br/> </expression><br/> </q:equal><br/> </correlation><br/> <reconcile>false</reconcile><br/> <opportunistic>true</opportunistic><br/> <reaction><br/> <situation>linked</situation><br/> <synchronize>true</synchronize><br/> <reconcile>false</reconcile><br/> </reaction><br/> <reaction><br/> <situation>deleted</situation><br/> <reconcile>false</reconcile><br/> <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"><br/> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteFocus</handlerUri><br/> </action><br/> </reaction><br/> <reaction><br/> <situation>unlinked</situation><br/> <reconcile>false</reconcile><br/> <action><br/> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri><br/> </action><br/> </reaction><br/> <reaction><br/> <situation>unmatched</situation><br/> <channel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</channel><br/> 
<synchronize>true</synchronize><br/> <reconcile>false</reconcile><br/> <objectTemplateRef oid="41746865-6e61-9001-0000-000000000010" type="c:ObjectTemplateType"><br/> <targetName>Athena User Template</targetName><br/> </objectTemplateRef><br/> <action><br/> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri><br/> </action><br/> </reaction><br/> </objectSynchronization><br/> <objectSynchronization><br/> <name>Athena Transversal Group sync</name><br/> <objectClass>ri:group</objectClass><br/> <kind>entitlement</kind><br/> <intent>group</intent><br/> <focusType>c:RoleType</focusType><br/> <enabled>true</enabled><br/> <correlation><br/> <q:equal><br/> <q:path>c:name</q:path><br/> <expression><br/> <path>$shadow/attributes/cn</path><br/> </expression><br/> </q:equal><br/> </correlation><br/> <reconcile>false</reconcile><br/> <reaction><br/> <situation>linked</situation><br/> <synchronize>true</synchronize><br/> <reconcile>false</reconcile><br/> </reaction><br/> <reaction><br/> <situation>deleted</situation><br/> <reconcile>false</reconcile><br/> <action/><br/> </reaction><br/> <reaction><br/> <situation>unlinked</situation><br/> <reconcile>false</reconcile><br/> <action><br/> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri><br/> </action><br/> </reaction><br/> <reaction><br/> <situation>unmatched</situation><br/> <reconcile>false</reconcile><br/> <action><br/> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri><br/> </action><br/> </reaction><br/> </objectSynchronization><br/> </synchronization><br/> </resource><br/><br/><br/>--</p><p>Best regards.</p></body></html>
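The behaviour described in the post (a reconcile of the role that emits delete deltas for membership values the assignments had created, while a reconcile of the user changes nothing) is easier to reason about with a small dry-run model of how reconciliation treats attribute values. The Python below is an added illustration, not midPoint's code and not the author's; it models the documented midPoint semantics of the attribute-level `tolerant` flag (values found on the resource that no outbound mapping produces are kept when the attribute is tolerant and removed when it is not) for the two reconcile directions in the post. The group DN, user DNs and role name are constructed placeholders, and the model assumes, as an illustration only, that the group object type carries no outbound mapping for `member` while the user side maintains the membership through the `memberOf` association.

```python
"""Added illustration (not midPoint code): a toy model of how a reconciliation
step treats resource attribute values that no outbound mapping produces.

Modelled rule (midPoint's documented `tolerant` semantics): missing mapped
values are always added; values present on the resource but produced by no
mapping survive only when the attribute is tolerant. Everything else here,
including the DNs and the "no outbound mapping for member" assumption, is
constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set


@dataclass(frozen=True)
class AttributeDelta:
    """Values reconciliation would add to / delete from one resource attribute."""
    attribute: str
    add: FrozenSet[str]
    delete: FrozenSet[str]

    @property
    def empty(self) -> bool:
        return not self.add and not self.delete


def reconcile_attribute(attribute: str, resource_values: Iterable[str],
                        mapping_values: Iterable[str], tolerant: bool) -> AttributeDelta:
    """Compare what the resource holds with what the mappings produce."""
    have = frozenset(resource_values)
    want = frozenset(mapping_values)
    to_add = want - have
    # A non-tolerant attribute loses every value that no mapping owns.
    to_delete = frozenset() if tolerant else have - want
    return AttributeDelta(attribute, to_add, to_delete)


# Constructed sample state: one group (the role's projection) and two users.
GROUP_DN = "CN=my-role,OU=Groups,DC=example,DC=test"
USER_DNS = frozenset({
    "CN=alice,OU=Users,DC=example,DC=test",
    "CN=bob,OU=Users,DC=example,DC=test",
})


def reconcile_group(current_members: Iterable[str], member_tolerant: bool) -> AttributeDelta:
    """Reconcile the group (focus = role).

    Assumption for this example: the group object type defines `member` but
    has no outbound mapping for it, so the mappings produce an empty set.
    """
    produced_by_group_mappings: Set[str] = set()
    return reconcile_attribute("member", current_members,
                               produced_by_group_mappings, member_tolerant)


def reconcile_user(current_member_of: Iterable[str],
                   groups_from_assignments: Iterable[str],
                   member_of_tolerant: bool = True) -> AttributeDelta:
    """Reconcile a user (focus = user).

    The association mapping produces one `memberOf` value per assigned role,
    so a user whose groups already match the assignments gets an empty delta.
    """
    return reconcile_attribute("memberOf", current_member_of,
                               groups_from_assignments, member_of_tolerant)


def describe(delta: AttributeDelta) -> str:
    """Render a delta the way an operator would read it in a dry-run log."""
    if delta.empty:
        return f"{delta.attribute}: no change"
    parts = [f"+{v}" for v in sorted(delta.add)] + [f"-{v}" for v in sorted(delta.delete)]
    return f"{delta.attribute}: " + ", ".join(parts)


if __name__ == "__main__":
    print("role reconcile, member tolerant=false ->",
          describe(reconcile_group(USER_DNS, member_tolerant=False)))
    print("role reconcile, member tolerant=true  ->",
          describe(reconcile_group(USER_DNS, member_tolerant=True)))
    print("user reconcile, groups already match  ->",
          describe(reconcile_user({GROUP_DN}, {GROUP_DN})))
```

Running the block prints the three cases side by side: with a non-tolerant `member` attribute and no mapping producing its values, the role-side reconcile proposes deleting every member DN, whereas the same state with a tolerant attribute, or the user-side reconcile whose association mapping does produce the value, yields no delta. The model is deliberately simplified (real midPoint also weighs association definitions and mapping strength), so treat it as a way to frame what to inspect in the resource definition, not as a diagnosis.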