<html>

  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">

  </head>

  <body text="#000000" bgcolor="#FFFFFF">

    <p>Hi,<br>

    </p>

    <p>think of objectSynchronization condition as a filter - objects

      not matched by condition will not be synchronized (and not marked

      by intent specified in the objectSynchronization). The primary

      purpose is when having multiple account intents, you need to

      distinguish between them using such conditions.<br>

    </p>

    <p>From the MidPoint Deployment Fundamentals training:</p>

    <p>        <synchronization><br>

                      <objectSynchronization>   <br>

                          <name>Default account</name><br>

                          <description>Normal accounts are NOT in

      ou=_Administrators container</description><br>

                          <kind>account</kind><br>

                          <intent>default</intent><br>

                          <enabled>true</enabled><br>

      <b>                    <condition></b><b><br>

      </b><b>                        <script></b><b><br>

      </b><b>                            <code></b><b><br>

      </b><b>tmpSuffix =

        '(?i).*,ou=_Administrators_,ou=ExAmPLE,dc=example,dc=com$'</b><b><br>

      </b><b>re = ~tmpSuffix</b><b><br>

      </b><b>!(basic.getAttributeValue(shadow, "dn") ==~ re)</b><b><br>

      </b><b>                            </code></b><b><br>

      </b><b>                        </script></b><b><br>

      </b><b>                    </condition></b><b><br>

      </b><b>                    <correlation></b><b><br>

      </b>...</p>

    <p>The correlation will not be done for not matching objects.<br>

    </p>

    As the example above is using regexp, it can be used to match

    "ou=users".<br>

    <br>

    I don't have AD now handy, but from the samples, ri:sAMAccountName

    is correct name of the attribute. Maybe you have some other problem.

    Can you e.g. check if you have this:<br>

    <br>

    ...<br>

           <icfc:resultsHandlerConfiguration><br>

<icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler><br>

<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler><br>

<icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler><br>

                    </icfc:resultsHandlerConfiguration><br>

        </connectorConfiguration><br>

    ...<br>

    <br>

    I remember some "invisible" attributes when the

    enableAttributesToGetSearchResultsHandler was true. For our LDAP

    connector, keep those to false.<br>

    <br>

    Best regards,<br>

    Ivan<br>

    <br>

    <br>

    <div class="moz-cite-prefix">On 18.05.2018 15:39, Peter Viskup

      wrote:<br>

    </div>

    <blockquote type="cite"

cite="mid:CAPa6PsFxnb_vt0-y60A539tgvi568pyQ1U2-YuPjq63QomvjVw@mail.gmail.com">

      <pre wrap="">Yes, only users should be imported from "OU=Users" containers, which

are located in the search base "OU=COMPANY,DC=company,DC=corp" more

times and in different depth.

e.g.:

CN=Name Surname,OU=Employees,OU=Users,OU=Bratislava,OU=SK,OU=COMPANY,DC=company,DC=corp

CN=Name Surname,OU=Administration,OU=Users,OU=Singapore,OU=SG,OU=COMPANY,DC=company,DC=corp

CN=Name Surname,OU=Account Management,OU=Sales,OU=Users,OU=Buenos

Aires,OU=AR,OU=COMPANY,DC=company,DC=corp

In the same search base there are other objects which are not users

(resources, groups, computers, ...). Thought this as "efficient"

pre-filtering of user objects only.

Is the condition in objectSynchronization better way of doing this?

Maybe misunderstood something.

With $shadow/attributes/dn the value is taken as expected. The input

is still null.

Is the <c:ref>ri:sAMAccountName</c:ref> correct?

When browsing resource objects, the sAMAccountName is not visible for

account objects (even with "show empty fields") and the only filled

attributes are objectGUID and dn.

Object synchronization is configured as follows:

      <objectSynchronization>

         <name>CORP User sync</name>

         <objectClass>ri:user</objectClass>

         <kind>account</kind>

         <intent>corp</intent>

         <focusType>c:UserType</focusType>

         <enabled>true</enabled>

         <reconcile>false</reconcile>

         <correlation>

             <q:equal>

                 <q:path>c:name</q:path>

                 <expression>

                     <path>$shadow/attributes/sAMAccountName</path>

                 </expression>

             </q:equal>

         </correlation>

         <reaction>

            <situation>unlinked</situation>

            <action>

               <handlerUri><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link">http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</a></handlerUri>

            </action>

         </reaction>

         <reaction>

            <situation>unmatched</situation>

            <reconcile>false</reconcile>

            <action>

               <handlerUri><a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus">http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</a></handlerUri>

            </action>

         </reaction>

      </objectSynchronization>

Peter

On Fri, May 18, 2018 at 11:55 AM, Ivan Noris <a class="moz-txt-link-rfc2396E" href="mailto:ivan.noris@evolveum.com"><ivan.noris@evolveum.com></a> wrote:

</pre>

      <blockquote type="cite">

        <pre wrap="">Hi,

what do you want to achieve? Import only accounts from ou=users? That

can be done using condition in <objectSynchronization>...

Ivan

On 17.05.2018 15:17, Peter Viskup wrote:

</pre>

        <blockquote type="cite">

          <pre wrap="">Trying to import users from AD tree to Midpoint without success

(inbound mapping).

Not able to define inbound mapping condition with check of the value

of DN attribute.

This is schema handling for users:

      <objectType>

         <kind>account</kind>

         <intent>corp</intent>

         <displayName>User CORP</displayName>

         <default>true</default>

         <objectClass>ri:user</objectClass>

         <attribute>

            <c:ref>ri:sAMAccountName</c:ref>

            <displayName>Account name</displayName>

            <tolerant>true</tolerant>

            <exclusiveStrong>false</exclusiveStrong>

            <inbound>

               <authoritative>false</authoritative>

               <exclusive>true</exclusive>

               <strength>normal</strength>

               <source>

                  <name>dn</name>

                  <c:path>$shadow/attributes/distinguishedName</c:path>

               </source>

               <target>

                  <c:path>$user/name</c:path>

               </target>

               <condition>

                  <script xmlns:xsi=<a class="moz-txt-link-rfc2396E" href="http://www.w3.org/2001/XMLSchema-instance">"http://www.w3.org/2001/XMLSchema-instance"</a>

                          xsi:type="c:ScriptExpressionEvaluatorType">

                     <code>

        log.info("Attribute dn value: {}", dn.dump());

        log.info("Attribute input value: {}", input.dump());

        if (!basic.isEmpty(dn)){

          return dn.contains('OU=Users');

        }

        return false;

                     </code>

                  </script>

               </condition>

            </inbound>

         </attribute>

Getting error (seems both dn and input variables are not defined):

Cannot invoke method hashCode() on null object in condition in mapping

in inbound expression for

{<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>}sAMAccountName

in <a class="moz-txt-link-freetext" href="resource:2a59c3d6-9d65-4284-980a-3bb8404126b3(Active">resource:2a59c3d6-9d65-4284-980a-3bb8404126b3(Active</a> Directory

CORP)({.../common/common-3}input=null; dn=null; ) in condition in

mapping in inbound expression for

{<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>}sAMAccountName

in <a class="moz-txt-link-freetext" href="resource:2a59c3d6-9d65-4284-980a-3bb8404126b3(Active">resource:2a59c3d6-9d65-4284-980a-3bb8404126b3(Active</a> Directory

CORP)

What source and target paths needs to used in this case?

Peter

_______________________________________________

midPoint mailing list

<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>

<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>

</pre>

        </blockquote>

        <pre wrap="">

--

Ivan Noris

Senior Identity Engineer

evolveum.com

_______________________________________________

midPoint mailing list

<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>

<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>

</pre>

      </blockquote>

      <pre wrap="">_______________________________________________

midPoint mailing list

<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>

<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>

</pre>

    </blockquote>

    <br>

    <pre class="moz-signature" cols="72">-- 

Ivan Noris

Senior Identity Engineer

evolveum.com

</pre>

  </body>

</html>