<html>Hey,<br /><br />I have found my problem: the "strong" option was missing. This is the right metarole; I think it would be good to add it to your sample page (on the wiki), I just found it in the sample source on GitHub.<br /><br />Add it here: https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO<br />and here: https://wiki.evolveum.com/display/midPoint/Roles,+Metaroles+and+Generic+Synchronization<br /><br /><inducement id="2"><br /> <construction><br /> <resourceRef<br /> oid="41746865-6e61-1000-0001-000000000001"<br /> relation="org:default"<br /> type="c:ResourceType" /><br /> <kind>account</kind><br /> <intent>default</intent><br /> <association><br /> <c:ref>ri:group</c:ref><br /> <outbound><br /> <strong><strength>strong</strength></strong><br /> <expression><br /> <associationFromLink xsi:type="c:AssociationFromLinkExpressionEvaluatorType"><br /> <projectionDiscriminator><br /> <kind>entitlement</kind><br /> <intent>group</intent><br /> </projectionDiscriminator><br /> </associationFromLink><br /> </expression><br /> </outbound><br /> </association><br /> </construction><br /> <order>2</order><br /> </inducement><br /><br /><br />--<p>Regards.</p><br />-------- Original Message --------<br />Subject: [midPoint] Ad synch Group-User failed<br />Date: Friday 2 March 2018 12:32 CET<br />From: "TIPA Sylvaire-Kevin" <sylvaire-kevin.tipa@mythalesgroup.com><br />Reply-To: midPoint General Discussion <midpoint@lists.evolveum.com><br />To: midpoint@lists.evolveum.com<br /><br /><br /><p>Hello,<br /><br />I have a really strange event in my AD sync...
Let me explain; I have the following setup:<br />- 1 resource: Active Directory<br />- 1 metarole for AD group sync (based on the sample: https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO)<br />- 1 role with an assignment to the metarole<br />- 1 user with an assignment to the previous role.<br /><br /><br />- When I assign the metarole to my role: OK, all elements do the job and my role is now a group in my AD<br />- When I assign a user (with or without the AD construction already done) to my role: OK, my user has an AD account and this account is memberOf my group<br />- When I run a reconcile on my role: NOK, midPoint executes a delta to delete all the members (it deletes the memberOf association, not the member itself)<br />If I reconcile my user, nothing is done.<br /><br />My resource and my metarole are like the sample... Any idea?<br /><br /><br /><br /><u><strong>METAROLE: </strong></u><br /><role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="41746865-6e61-2001-0001-000000000010" version="1"><br /> <name>metarole-ad-sync</name><br /> <activation><br /> <effectiveStatus>enabled</effectiveStatus><br /> <enableTimestamp>2017-08-08T14:30:44.995Z</enableTimestamp><br /> </activation><br /> <iteration>0</iteration><br /> <iterationToken/><br /> <inducement id="1"><br /> <construction><br /> <resourceRef 
oid="41746865-6e61-1000-0001-000000000001" relation="org:default" type="c:ResourceType"/><br /> <kind>entitlement</kind><br /> <intent>group</intent><br /> </construction><br /> </inducement><br /> <inducement id="2"><br /> <construction><br /> <resourceRef oid="41746865-6e61-1000-0001-000000000001" relation="org:default" type="c:ResourceType"/><br /> <kind>account</kind><br /> <intent>default</intent><br /> <association><br /> <c:ref>ri:group</c:ref><br /> <outbound><br /> <expression><br /> <associationFromLink xsi:type="c:AssociationFromLinkExpressionEvaluatorType"><br /> <projectionDiscriminator><br /> <kind>entitlement</kind><br /> <intent>group</intent><br /> </projectionDiscriminator><br /> </associationFromLink><br /> </expression><br /> </outbound><br /> </association><br /> </construction><br /> <order>2</order><br /> </inducement><br /> </role><br /><br /><br /><br /><u><strong>Resource: </strong></u><br /><schemaHandling><br /> <objectType><br /> <kind>account</kind><br /> <displayName>User Account</displayName><br /> <default>true</default><br /> <objectClass>ri:user</objectClass><br /> <attribute><br /> <c:ref>ri:dn</c:ref><br /> <displayName>Distinguished Name</displayName><br /> <limitations><br /> <access><br /> <read>true</read><br /> <add>true</add><br /> <modify>false</modify><br /> </access><br /> </limitations><br /> <tolerant>false</tolerant><br /> <exclusiveStrong>false</exclusiveStrong><br /> <outbound><br /> <authoritative>false</authoritative><br /> <exclusive>false</exclusive><br /> <strength>weak</strength><br /> <source><br /> <c:path>$user/fullName</c:path><br /> </source><br /> <expression><br /> <script xsi:type="c:ScriptExpressionEvaluatorType"><br /> <code><br /> 'CN=' + fullName + iterationToken + ',OU=Users,OU=AGORA-T PREPROD,DC=users,DC=pprod,DC=agorat,DC=local'<br /> </code><br /> </script><br /> </expression><br /> </outbound><br /> </attribute><br /> <attribute><br /> <c:ref>ri:sAMAccountName</c:ref><br /> <limitations><br 
/> <access><br /> <read>true</read><br /> <add>true</add><br /> <modify>false</modify><br /> </access><br /> </limitations><br /> <matchingRule xmlns:gen730="http://prism.evolveum.com/xml/ns/public/matching-rule-3">gen730:stringIgnoreCase</matchingRule><br /> <tolerant>false</tolerant><br /> <exclusiveStrong>false</exclusiveStrong><br /> <outbound><br /> <authoritative>false</authoritative><br /> <exclusive>false</exclusive><br /> <strength>weak</strength><br /> <source><br /> <c:path>$user/name</c:path><br /> </source><br /> </outbound><br /> </attribute><br /> <attribute><br /> <c:ref>ri:cn</c:ref><br /> <limitations><br /> <minOccurs>0</minOccurs><br /> </limitations><br /> <tolerant>false</tolerant><br /> <exclusiveStrong>false</exclusiveStrong><br /> <outbound><br /> <authoritative>false</authoritative><br /> <exclusive>false</exclusive><br /> <strength>weak</strength><br /> <source><br /> <c:path>fullName</c:path><br /> </source><br /> </outbound><br /> </attribute><br /> <attribute><br /> <c:ref>ri:sn</c:ref><br /> <limitations><br /> <minOccurs>0</minOccurs><br /> </limitations><br /> <outbound><br /> <source><br /> <c:path>familyName</c:path><br /> </source><br /> </outbound><br /> </attribute><br /> <attribute><br /> <c:ref>ri:givenName</c:ref><br /> <outbound><br /> <source><br /> <c:path>givenName</c:path><br /> </source><br /> </outbound><br /> </attribute><br /> <attribute><br /> <c:ref>ri:userPrincipalName</c:ref><br /> <outbound><br /> <source><br /> <c:path>$user/name</c:path><br /> </source><br /> <expression><br /> <script xsi:type="c:ScriptExpressionEvaluatorType"><br /> <code><br /> name + iterationToken + '@pprod.agora-t.net'<br /> </code><br /> </script><br /> </expression><br /> </outbound><br /> </attribute><br /> <attribute><br /> <c:ref>ri:pwdLastSet</c:ref><br /> <outbound><br /> <expression><br /> <value xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:long">-1</value><br /> </expression><br /> </outbound><br /> 
</attribute><br /> <attribute><br /> <c:ref>ri:createTimeStamp</c:ref><br /> <fetchStrategy>explicit</fetchStrategy><br /> </attribute><br /> <attribute><br /> <c:ref>ri:nTSecurityDescriptor</c:ref><br /> <limitations><br /> <minOccurs>0</minOccurs><br /> </limitations><br /> </attribute><br /> <attribute><br /> <c:ref>ri:instanceType</c:ref><br /> <limitations><br /> <minOccurs>0</minOccurs><br /> </limitations><br /> </attribute><br /> <attribute><br /> <c:ref>ri:objectCategory</c:ref><br /> <limitations><br /> <minOccurs>0</minOccurs><br /> </limitations><br /> <outbound><br /> <expression><br /> <value>CN=Person,CN=Schema,CN=Configuration,DC=users,DC=pprod,DC=agorat,DC=local</value><br /> </expression><br /> </outbound><br /> </attribute><br /> <attribute><br /> <c:ref>ri:displayName</c:ref><br /> <tolerant>false</tolerant><br /> <exclusiveStrong>false</exclusiveStrong><br /> <outbound><br /> <authoritative>false</authoritative><br /> <exclusive>false</exclusive><br /> <strength>normal</strength><br /> <source><br /> <c:path>$user/givenName</c:path><br /> </source><br /> <source><br /> <c:path>$user/familyName</c:path><br /> </source><br /> <expression><br /> <script xsi:type="c:ScriptExpressionEvaluatorType"><br /> <code><br /> (givenName + '.' 
+ familyName).toString().toLowerCase()<br /> </code><br /> </script><br /> </expression><br /> </outbound><br /> </attribute><br /> <attribute><br /> <c:ref>ri:mail</c:ref><br /> <outbound><br /> <source><br /> <c:path>$user/emailAddress</c:path><br /> </source><br /> </outbound><br /> </attribute><br /> <association><br /> <c:ref>ri:group</c:ref><br /> <displayName>AD Group Membership</displayName><br /> <kind>entitlement</kind><br /> <intent>group</intent><br /> <direction>objectToSubject</direction><br /> <associationAttribute>ri:member</associationAttribute><br /> <valueAttribute>ri:dn</valueAttribute><br /> <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute><br /> <shortcutValueAttribute>ri:dn</shortcutValueAttribute><br /> <explicitReferentialIntegrity>false</explicitReferentialIntegrity><br /> </association><br /> <activation><br /> <administrativeStatus><br /> <outbound/><br /> </administrativeStatus><br /> </activation><br /> <credentials><br /> <password><br /> <outbound/><br /> </password><br /> </credentials><br /> </objectType><br /> <objectType><br /> <kind>entitlement</kind><br /> <intent>group</intent><br /> <displayName>Athena Groups</displayName><br /> <default>true</default><br /> <objectClass>ri:group</objectClass><br /> <attribute><br /> <c:ref>ri:dn</c:ref><br /> <tolerant>false</tolerant><br /> <exclusiveStrong>false</exclusiveStrong><br /> <outbound><br /> <authoritative>true</authoritative><br /> <exclusive>false</exclusive><br /> <strength>normal</strength><br /> <source><br /> <c:path>$focus/name</c:path><br /> </source><br /> <expression><br /> <script xsi:type="c:ScriptExpressionEvaluatorType"><br /> <code><br /> 'CN=' + name + ',OU=Groups,OU=AGORA-T PREPROD,DC=users,DC=pprod,DC=agorat,DC=local'<br /> </code><br /> </script><br /> </expression><br /> </outbound><br /> </attribute><br /> <attribute><br /> <c:ref>ri:cn</c:ref><br /> <tolerant>false</tolerant><br /> <exclusiveStrong>false</exclusiveStrong><br /> 
<outbound><br /> <authoritative>true</authoritative><br /> <exclusive>false</exclusive><br /> <strength>normal</strength><br /> <source><br /> <c:path>$focus/name</c:path><br /> </source><br /> </outbound><br /> </attribute><br /> <attribute><br /> <c:ref>ri:description</c:ref><br /> <tolerant>false</tolerant><br /> <exclusiveStrong>false</exclusiveStrong><br /> <outbound><br /> <source><br /> <c:path>description</c:path><br /> </source><br /> </outbound><br /> </attribute><br /> <attribute><br /> <c:ref>ri:member</c:ref><br /> <displayName>Member</displayName><br /> <tolerant>false</tolerant><br /> <exclusiveStrong>false</exclusiveStrong><br /> </attribute><br /> <attribute><br /> <c:ref>ri:groupType</c:ref><br /> <tolerant>false</tolerant><br /> <exclusiveStrong>false</exclusiveStrong><br /> <outbound><br /> <expression><br /> <value>-2147483646</value><br /> </expression><br /> </outbound><br /> </attribute><br /> <attribute><br /> <c:ref>ri:sAMAccountName</c:ref><br /> <tolerant>false</tolerant><br /> <exclusiveStrong>false</exclusiveStrong><br /> <outbound><br /> <authoritative>true</authoritative><br /> <exclusive>false</exclusive><br /> <strength>normal</strength><br /> <source><br /> <c:path>$focus/name</c:path><br /> </source><br /> </outbound><br /> </attribute><br /> </objectType><br /> </schemaHandling><br /> <capabilities><br /> <cachingMetadata><br /> <retrievalTimestamp>2017-10-03T08:28:33.067Z</retrievalTimestamp><br /> <serialNumber>2af0af9006ddad16-bd8b78664df70159</serialNumber><br /> </cachingMetadata><br /> <native xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3" xsi:type="c:CapabilityCollectionType"><br /> <cap:schema/><br /> <cap:liveSync/><br /> <cap:testConnection/><br /> <cap:create/><br /> <cap:read/><br /> <cap:update/><br /> <cap:delete/><br /> <cap:script><br /> <cap:host><br /> <cap:type>resource</cap:type><br /> </cap:host><br /> <cap:host><br /> <cap:type>connector</cap:type><br /> </cap:host><br /> 
</cap:script><br /> <cap:addRemoveAttributeValues/><br /> <cap:activation><br /> <cap:status/><br /> </cap:activation><br /> <cap:credentials><br /> <cap:password><br /> <cap:returnedByDefault>false</cap:returnedByDefault><br /> </cap:password><br /> </cap:credentials><br /> <cap:auxiliaryObjectClasses/><br /> <cap:pagedSearch/><br /> </native><br /> <configured xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3" xsi:type="c:CapabilityCollectionType"><br /> <cap:liveSync><br /> <cap:enabled>true</cap:enabled><br /> </cap:liveSync><br /> <cap:testConnection><br /> <cap:enabled>true</cap:enabled><br /> </cap:testConnection><br /> <cap:create><br /> <cap:enabled>true</cap:enabled><br /> </cap:create><br /> <cap:read><br /> <cap:enabled>true</cap:enabled><br /> </cap:read><br /> <cap:update><br /> <cap:enabled>true</cap:enabled><br /> </cap:update><br /> <cap:delete><br /> <cap:enabled>true</cap:enabled><br /> </cap:delete><br /> <cap:script><br /> <cap:enabled>true</cap:enabled><br /> <cap:host><br /> <cap:type>resource</cap:type><br /> </cap:host><br /> <cap:host><br /> <cap:type>connector</cap:type><br /> </cap:host><br /> </cap:script><br /> <cap:addRemoveAttributeValues><br /> <cap:enabled>true</cap:enabled><br /> </cap:addRemoveAttributeValues><br /> <cap:activation><br /> <cap:enabled>true</cap:enabled><br /> <cap:status><br /> <cap:enabled>true</cap:enabled><br /> <cap:returnedByDefault>true</cap:returnedByDefault><br /> <cap:ignoreAttribute>true</cap:ignoreAttribute><br /> </cap:status><br /> <cap:validFrom><br /> <cap:enabled>false</cap:enabled><br /> <cap:returnedByDefault>false</cap:returnedByDefault><br /> </cap:validFrom><br /> <cap:validTo><br /> <cap:enabled>false</cap:enabled><br /> <cap:returnedByDefault>false</cap:returnedByDefault><br /> </cap:validTo><br /> <cap:lockoutStatus><br /> <cap:enabled>false</cap:enabled><br /> <cap:returnedByDefault>false</cap:returnedByDefault><br /> 
<cap:ignoreAttribute>true</cap:ignoreAttribute><br /> </cap:lockoutStatus><br /> </cap:activation><br /> <cap:credentials><br /> <cap:enabled>true</cap:enabled><br /> <cap:password><br /> <cap:enabled>true</cap:enabled><br /> <cap:returnedByDefault>false</cap:returnedByDefault><br /> </cap:password><br /> </cap:credentials><br /> <cap:auxiliaryObjectClasses><br /> <cap:enabled>true</cap:enabled><br /> </cap:auxiliaryObjectClasses><br /> </configured><br /> </capabilities><br /> <scripts><br /> <script><br /> <host>resource</host><br /> <language>powershell</language><br /> <argument><br /> <c:path xsi:type="t:ItemPathType">$user/name</c:path><br /> <name>identity</name><br /> </argument><br /> <code>powershell "D:\midpoint\create-certificate\create-certificate.ps1 $identity"</code><br /> <operation>add</operation><br /> <kind>account</kind><br /> <order>after</order><br /> </script><br /> </scripts><br /> <synchronization><br /> <objectSynchronization><br /> <name>Account sync</name><br /> <objectClass>ri:user</objectClass><br /> <kind>account</kind><br /> <intent>default</intent><br /> <focusType>c:UserType</focusType><br /> <enabled>true</enabled><br /> <correlation><br /> <q:equal><br /> <q:path>c:name</q:path><br /> <expression xmlns=""><br /> <path>$user/sAMAccountName</path><br /> </expression><br /> </q:equal><br /> </correlation><br /> <reconcile>false</reconcile><br /> <opportunistic>true</opportunistic><br /> <reaction><br /> <situation>linked</situation><br /> <synchronize>true</synchronize><br /> <reconcile>false</reconcile><br /> </reaction><br /> <reaction><br /> <situation>deleted</situation><br /> <reconcile>false</reconcile><br /> <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"><br /> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#deleteFocus</handlerUri><br /> </action><br /> </reaction><br /> <reaction><br /> <situation>unlinked</situation><br /> <reconcile>false</reconcile><br /> <action><br 
/> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri><br /> </action><br /> </reaction><br /> <reaction><br /> <situation>unmatched</situation><br /> <channel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</channel><br /> <synchronize>true</synchronize><br /> <reconcile>false</reconcile><br /> <objectTemplateRef oid="41746865-6e61-9001-0000-000000000010" type="c:ObjectTemplateType"><br /> <targetName>Athena User Template</targetName><br /> </objectTemplateRef><br /> <action><br /> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri><br /> </action><br /> </reaction><br /> </objectSynchronization><br /> <objectSynchronization><br /> <name>Athena Transversal Group sync</name><br /> <objectClass>ri:group</objectClass><br /> <kind>entitlement</kind><br /> <intent>group</intent><br /> <focusType>c:RoleType</focusType><br /> <enabled>true</enabled><br /> <correlation><br /> <q:equal><br /> <q:path>c:name</q:path><br /> <expression><br /> <path>$shadow/attributes/cn</path><br /> </expression><br /> </q:equal><br /> </correlation><br /> <reconcile>false</reconcile><br /> <reaction><br /> <situation>linked</situation><br /> <synchronize>true</synchronize><br /> <reconcile>false</reconcile><br /> </reaction><br /> <reaction><br /> <situation>deleted</situation><br /> <reconcile>false</reconcile><br /> <action/><br /> </reaction><br /> <reaction><br /> <situation>unlinked</situation><br /> <reconcile>false</reconcile><br /> <action><br /> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri><br /> </action><br /> </reaction><br /> <reaction><br /> <situation>unmatched</situation><br /> <reconcile>false</reconcile><br /> <action><br /> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri><br /> </action><br /> </reaction><br /> </objectSynchronization><br /> </synchronization><br /> </resource><br /><br /><br 
/>--</p><p>Regards.</p><br /> </html>
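A configuration check for the problem discussed in this thread, added here as an example (it is not midPoint's own code and not the poster's): it parses a role or metarole and reports every association outbound mapping whose strength is not strong, the setting the reply identifies as missing. The embedded metarole is constructed to mirror the inducement from the thread, with placeholder OIDs.

```python
"""Lint a midPoint metarole for association outbound mappings that are not 'strong'.
Added example for this thread, not midPoint's own code; OIDs are placeholders."""
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": C}

# Constructed metarole modelled on the thread's: account -> group via associationFromLink,
# but the outbound mapping declares no <strength>, so midPoint treats it as "normal".
METAROLE_XML = f"""<role xmlns="{C}" xmlns:c="{C}" oid="PLACEHOLDER-ROLE-OID"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>metarole-ad-sync</name>
  <inducement id="2">
    <construction>
      <resourceRef oid="PLACEHOLDER-RESOURCE-OID" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <association>
        <c:ref>ri:group</c:ref>
        <outbound>
          <expression>
            <associationFromLink xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
              <projectionDiscriminator>
                <kind>entitlement</kind>
                <intent>group</intent>
              </projectionDiscriminator>
            </associationFromLink>
          </expression>
        </outbound>
      </association>
    </construction>
    <order>2</order>
  </inducement>
</role>"""


def find_weak_association_mappings(role_xml):
    """One finding per association outbound mapping whose strength is not 'strong'.
    A mapping with no <strength> element is 'normal' by default, which is what the
    thread's metarole had; 'from_link' marks associationFromLink evaluators."""
    findings = []
    for ind in ET.fromstring(role_xml).findall("c:inducement", NS):
        for assoc in ind.findall("c:construction/c:association", NS):
            for outbound in assoc.findall("c:outbound", NS):
                strength = outbound.findtext("c:strength", "normal", NS)
                if strength == "strong":
                    continue
                findings.append({
                    "inducement": ind.get("id"),
                    "association": assoc.findtext("c:ref", "?", NS),
                    "strength": strength,
                    "from_link": outbound.find("c:expression/c:associationFromLink", NS) is not None,
                })
    return findings
```

Run it against an exported role before a reconcile on the role; an empty result means every association mapping is strong.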