<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hi,<br>
    </p>
    <p>think of the objectSynchronization condition as a filter: objects
      not matched by the condition will not be synchronized (and not marked
      with the intent specified in the objectSynchronization). The primary
      purpose is that when you have multiple account intents, you need to
      distinguish between them using such conditions.<br>
    </p>
    <p>From the MidPoint Deployment Fundamentals training:</p>
    <pre wrap="">        <synchronization>
            <objectSynchronization>
                <name>Default account</name>
                <description>Normal accounts are NOT in ou=_Administrators container</description>
                <kind>account</kind>
                <intent>default</intent>
                <enabled>true</enabled>
<b>                <condition>
                    <script>
                        <code>
tmpSuffix = '(?i).*,ou=_Administrators_,ou=ExAmPLE,dc=example,dc=com$'
re = ~tmpSuffix
!(basic.getAttributeValue(shadow, "dn") ==~ re)
                        </code>
                    </script>
                </condition></b>
                <correlation>
...</pre>
    <p>The correlation will not be done for not matching objects.<br>
    </p>
    As the example above uses a regexp, it can be used to match
    "ou=users".<br>
    <br>
    I don't have AD handy now, but from the samples, ri:sAMAccountName
    is the correct name of the attribute. Maybe you have some other problem.
    Can you e.g. check if you have this:<br>
    <br>
    <pre wrap="">...
            <icfc:resultsHandlerConfiguration>
                <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
                <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
                <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
            </icfc:resultsHandlerConfiguration>
        </connectorConfiguration>
...</pre>
    <br>
    I remember some "invisible" attributes when
    enableAttributesToGetSearchResultsHandler was true. For our LDAP
    connector, keep those set to false.<br>
    <br>
    Best regards,<br>
    Ivan<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 18.05.2018 15:39, Peter Viskup
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAPa6PsFxnb_vt0-y60A539tgvi568pyQ1U2-YuPjq63QomvjVw@mail.gmail.com">
      <pre wrap="">Yes, only users should be imported from "OU=Users" containers, which
are located in the search base "OU=COMPANY,DC=company,DC=corp" more
times and in different depth.

e.g.:
CN=Name Surname,OU=Employees,OU=Users,OU=Bratislava,OU=SK,OU=COMPANY,DC=company,DC=corp
CN=Name Surname,OU=Administration,OU=Users,OU=Singapore,OU=SG,OU=COMPANY,DC=company,DC=corp
CN=Name Surname,OU=Account Management,OU=Sales,OU=Users,OU=Buenos Aires,OU=AR,OU=COMPANY,DC=company,DC=corp

In the same search base there are other objects which are not users
(resources, groups, computers, ...). I thought of this as "efficient"
pre-filtering of user objects only.
Is the condition in objectSynchronization a better way of doing this?
Maybe I misunderstood something.

With $shadow/attributes/dn the value is taken as expected. The input
is still null.
Is the <c:ref>ri:sAMAccountName</c:ref> correct?
When browsing resource objects, the sAMAccountName is not visible for
account objects (even with "show empty fields") and the only filled
attributes are objectGUID and dn.

Object synchronization is configured as follows:
      <objectSynchronization>
         <name>CORP User sync</name>
         <objectClass>ri:user</objectClass>
         <kind>account</kind>
         <intent>corp</intent>
         <focusType>c:UserType</focusType>
         <enabled>true</enabled>
         <reconcile>false</reconcile>
         <correlation>
             <q:equal>
                 <q:path>c:name</q:path>
                 <expression>
                     <path>$shadow/attributes/sAMAccountName</path>
                 </expression>
             </q:equal>
         </correlation>
         <reaction>
            <situation>unlinked</situation>
            <action>
               <handlerUri><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link">http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</a></handlerUri>
            </action>
         </reaction>
         <reaction>
            <situation>unmatched</situation>
            <reconcile>false</reconcile>
            <action>
               <handlerUri><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus">http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</a></handlerUri>
            </action>
         </reaction>
      </objectSynchronization>

Peter

On Fri, May 18, 2018 at 11:55 AM, Ivan Noris <a class="moz-txt-link-rfc2396E" href="mailto:ivan.noris@evolveum.com"><ivan.noris@evolveum.com></a> wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">Hi,

what do you want to achieve? Import only accounts from ou=users? That
can be done using condition in <objectSynchronization>...

Ivan


On 17.05.2018 15:17, Peter Viskup wrote:
</pre>
        <blockquote type="cite">
          <pre wrap="">Trying to import users from AD tree to Midpoint without success
(inbound mapping).
Not able to define inbound mapping condition with check of the value
of DN attribute.

This is schema handling for users:

      <objectType>
         <kind>account</kind>
         <intent>corp</intent>
         <displayName>User CORP</displayName>
         <default>true</default>
         <objectClass>ri:user</objectClass>
         <attribute>
            <c:ref>ri:sAMAccountName</c:ref>
            <displayName>Account name</displayName>
            <tolerant>true</tolerant>
            <exclusiveStrong>false</exclusiveStrong>
            <inbound>
               <authoritative>false</authoritative>
               <exclusive>true</exclusive>
               <strength>normal</strength>
               <source>
                  <name>dn</name>
                  <c:path>$shadow/attributes/distinguishedName</c:path>
               </source>
               <target>
                  <c:path>$user/name</c:path>
               </target>
               <condition>
                  <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="c:ScriptExpressionEvaluatorType">
                     <code>
        log.info("Attribute dn value: {}", dn.dump());
        log.info("Attribute input value: {}", input.dump());
        if (!basic.isEmpty(dn)){
          return dn.contains('OU=Users');
        }
        return false;
                     </code>
                  </script>
               </condition>
            </inbound>
         </attribute>

Getting error (seems both dn and input variables are not defined):

Cannot invoke method hashCode() on null object in condition in mapping
in inbound expression for
{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}sAMAccountName
in resource:2a59c3d6-9d65-4284-980a-3bb8404126b3(Active Directory
CORP)({.../common/common-3}input=null; dn=null; ) in condition in
mapping in inbound expression for
{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}sAMAccountName
in resource:2a59c3d6-9d65-4284-980a-3bb8404126b3(Active Directory
CORP)

What source and target paths need to be used in this case?

Peter
_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
        </blockquote>
        <pre wrap="">
--
Ivan Noris
Senior Identity Engineer
evolveum.com

</pre>
      </blockquote>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
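    <p>Added example (not from the thread and not midPoint's own code): the DN filter that Ivan's objectSynchronization condition performs, carried over to Peter's "OU=Users at any depth" case and written in Python so it runs stand-alone; in midPoint the same check would live in the Groovy <code>condition</code> script. The sample DNs are constructed in the shape of the ones quoted above and are not real directory data. The block also shows why a plain substring test such as <code>dn.contains('OU=Users')</code> is weaker than matching a whole RDN: it is case-sensitive and also accepts a container like <code>OU=UsersArchive</code>, so objects outside the intended container could slip through the filter.</p>

```python
import re
from typing import List

# Constructed sample DNs modelled on the thread (not real directory data).
SAMPLE_DNS = [
    "CN=Name Surname,OU=Employees,OU=Users,OU=Bratislava,OU=SK,OU=COMPANY,DC=company,DC=corp",
    "CN=Name Surname,OU=Administration,OU=Users,OU=Singapore,OU=SG,OU=COMPANY,DC=company,DC=corp",
    "CN=Name Surname,OU=Account Management,OU=Sales,OU=Users,OU=Buenos Aires,OU=AR,OU=COMPANY,DC=company,DC=corp",
    "CN=FileServer01,OU=Servers,OU=Computers,OU=Bratislava,OU=SK,OU=COMPANY,DC=company,DC=corp",
    "CN=Sales Team,OU=Groups,OU=Bratislava,OU=SK,OU=COMPANY,DC=company,DC=corp",
    "CN=Old Account,OU=UsersArchive,OU=SK,OU=COMPANY,DC=company,DC=corp",          # substring trap
    "CN=Svc Account,OU=Users,OU=Service\\, Accounts,OU=SK,OU=COMPANY,DC=company,DC=corp",  # escaped comma in an RDN
    "cn=lower,ou=users,ou=company,dc=company,dc=corp",                              # lower-case DN
]

# Groovy's ==~ operator (used in the training snippet) is a full match,
# so the pattern needs .* on both sides to accept ou=users at any depth.
USERS_PATTERN = re.compile(r"(?i).*,ou=users,.*")


def matches_users_container(dn: str) -> bool:
    """Full-match regex check, the same shape as `dn ==~ re` in a midPoint condition."""
    return USERS_PATTERN.fullmatch(dn) is not None


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas; a backslash escapes the next character (RFC 4514)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def in_users_container(dn: str) -> bool:
    """Structural check: some RDN above the leaf entry is exactly ou=users (case-insensitive)."""
    return any(rdn.lower() == "ou=users" for rdn in split_rdns(dn)[1:])


def naive_contains(dn: str) -> bool:
    """The `dn.contains('OU=Users')` test from the thread: case-sensitive substring match."""
    return "OU=Users" in dn


def filter_users(dns: List[str]) -> List[str]:
    """Keep only the DNs that live somewhere under an ou=users container."""
    return [dn for dn in dns if in_users_container(dn)]


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"regex={matches_users_container(dn)!s:5} rdn={in_users_container(dn)!s:5} "
              f"contains={naive_contains(dn)!s:5}  {dn}")
```

    <p>Usage: <code>filter_users(SAMPLE_DNS)</code> keeps the five DNs that have an <code>ou=users</code> component above the leaf entry and drops the computer, the group and the <code>OU=UsersArchive</code> entry, which the substring check would have let through. Ivan's training snippet negates the match (<code>!(... ==~ re)</code>) to exclude a container; a "users only" filter returns the match result directly.</p>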
  </body>
</html>