<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
MidPoint cannot link those two accounts immediately. MidPoint has
no way of knowing that <i>CN=User123,OU=People,DC=example,DC=net</i>
and <i>CN=User123,OU=Office123,OU=People,DC=example,DC=net</i>
should be the same account. They have different identifiers
(GUIDs and DNs). In fact, in any real LDAP server it is perfectly
possible for such accounts to exist at the same time, and this may
actually be the desired configuration in some deployments. Well, AD is
slightly special here, but midPoint will not behave differently
just because it talks to AD. A correlation rule won't help here
either, at least not directly. The correlation rule is applied only to
accounts that do not already have an owner. But the new account that
has just been created has an owner. Therefore the correlation rule is not
applied.<br>
<br>
MidPoint supports this situation. But it should go like this:<br>
1. MidPoint tries to create the new account CN=User123,OU=People,DC=example,DC=net<br>
2. The create operation fails, because there is already an account with
username User123 ... and that account has DN <i>CN=User123,OU=Office123,OU=People,DC=example,DC=net</i><br>
3. MidPoint forgets about operation 1 for a while. MidPoint tries
to figure out what to do with the account that was just
"discovered" (that Office123 account).<br>
4. The correlation rule is used at this point. In your case the
correlation rule should correlate user123 with his existing
Office123 account.<br>
5. Operation 1 is restarted. Everything is recomputed. MidPoint
figures out that it no longer needs to create the User123 account on
AD because such an account already exists.<br>
<br>
This is what we call "self healing" or the "consistency mechanism".
The usual problem here is that it depends on the connector to
positively detect the "account already exists" situation. This may
seem an easy task, but it is not. There are many error
conditions that are reported in various ways, especially with old
and non-standard-compliant resources such as Active Directory. So
there may be a problem. Please make sure that the connector detects
the "object not found" situation correctly. If there is any other
error then midPoint will stop at step 3, because in that case
midPoint is not sure what is going on. And the default behavior is
to be conservative: we would rather do nothing than risk a wrong
action which could cause damage. And that may be what is happening
in your case. The error below is "InvalidAttributeValueException".
It should be "ObjectNotFoundException".<br>
<br>
For that reason, and also for various other reasons, this approach
may be quite fragile. The original purpose of this process was to
handle rare cases of forgotten accounts, accounts that were
manually created by resource administrators, and similar rare
cases. I would recommend reconsidering the initial migration
process. Maybe it would be better to import all the accounts from
the HR system (or other source system), then correlate them with AD,
and only then start to assign roles which try to create new
accounts?<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com</pre>
<br>
<br>
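<div>The correlation and reaction configuration that step 4 above relies on, shown here as an added example that is not part of Radovan's reply and not taken from any midPoint sample resource: a synchronization section for the AD object class that correlates a "discovered" account to a user by user/name == sAMAccountName (the rule mentioned in the question) and links it when exactly one user matches. The object synchronization name, the intent and the namespace prefix declarations in the comment are assumptions.</div>

```xml
<!-- Added example, not from the original thread. Assumed prefixes:
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" -->
<synchronization>
    <objectSynchronization>
        <name>AD user accounts</name>          <!-- assumed name -->
        <objectClass>ri:user</objectClass>     <!-- AD connector object class, as in the schema above -->
        <kind>account</kind>
        <intent>default</intent>               <!-- assumed intent -->
        <focusType>c:UserType</focusType>
        <enabled>true</enabled>

        <!-- Step 4: match the discovered account to an existing user by
             user/name == sAMAccountName. DN and objectGUID are deliberately
             not part of the rule: they are exactly what differs between
             CN=User123,OU=People,... and CN=User123,OU=Office123,OU=People,... -->
        <correlation>
            <q:equal>
                <q:path>c:name</q:path>
                <expression>
                    <path>$projection/attributes/ri:sAMAccountName</path>
                </expression>
            </q:equal>
        </correlation>

        <!-- Exactly one user matched and the shadow has no owner yet: link it.
             When operation 1 is restarted (step 5) the projection is already
             linked, so no create is attempted. -->
        <reaction>
            <situation>unlinked</situation>
            <synchronize>true</synchronize>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
            </action>
        </reaction>
        <reaction>
            <situation>linked</situation>
            <synchronize>true</synchronize>
        </reaction>

        <!-- No matching user, or more than one: do nothing. This keeps the
             conservative default described above; such accounts have to be
             dealt with explicitly instead of being guessed at. -->
        <reaction>
            <situation>unmatched</situation>
            <synchronize>false</synchronize>
        </reaction>
        <reaction>
            <situation>disputed</situation>
            <synchronize>false</synchronize>
        </reaction>
    </objectSynchronization>
</synchronization>
```

<div>Nothing in this section looks at the DN. Once the shadow is linked, it is the existing strong outbound ri:dn mapping that moves the account to the computed DN on the next recompute, which is the behaviour already observed with the manual import. This section is only ever reached if the connector reports the failed create as "already exists"; with any other exception midPoint stops at step 3 as described above.</div>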
On 06/27/2018 04:13 PM, Ezequiel Alonso wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAORQm42qHQ+XTf-4ofryt5OGpYLu4JzfLQt7D7WaJ24W20566g@mail.gmail.com">
<div dir="ltr">Hi Guys,
<div><br>
</div>
<div>We continued trying to fix this issue using this snippet
found in "ad-ldap-medusa-exchange" in the resource schema, because
we found a similar issue in the mailing list (<a
href="http://lists.evolveum.com/pipermail/midpoint/2016-June/001923.html"
moz-do-not-send="true">http://lists.evolveum.com/pipermail/midpoint/2016-June/001923.html</a>)
and they proposed using a secondaryIdentifier.</div>
<div><br>
</div>
<pre><xsd:complexType name="user">
    <xsd:annotation>
        <xsd:appinfo>
            <ra:resourceObject/>
            <ra:identifier>ri:objectGUID</ra:identifier>
            <ra:secondaryIdentifier>ri:sAMAccountName</ra:secondaryIdentifier>
            <ra:displayNameAttribute>ri:dn</ra:displayNameAttribute>
            <ra:namingAttribute>ri:dn</ra:namingAttribute>
            <ra:nativeObjectClass>user</ra:nativeObjectClass>
        </xsd:appinfo>
    </xsd:annotation>
</xsd:complexType></pre>
<div><br>
</div>
<div>but we are getting this error:</div>
<div><br>
</div>
<pre>2018-06-27 06:21:49,463 [] [pool-4-thread-143] ERROR (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): ConnId Exception org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException in connector:c87a0797-4be5-4fde-b6f2-770832f4a87f(ConnId com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v1.5.1): ConnectorSpec(resource:dad0110d-77ed-408d-a1a8-044dee06facb(LDAP SigleDomain), name=null, oid=c87a0797-4be5-4fde-b6f2-770832f4a87f) while getting object identified by ConnId UID 'fcda49c9-ec77-499e-a39b-70c1582d8051': Invalid DN 'username': ERR_04202 A value is missing on some RDN
org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException: Invalid DN 'username': ERR_04202 A value is missing on some RDN
    at com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator.toDn(AbstractSchemaTranslator.java:1389)
    at com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator.toDn(AbstractSchemaTranslator.java:1372)
    at com.evolveum.polygon.connector.ldap.ad.AdLdapConnector.searchByUid(AdLdapConnector.java:246)
    at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.executeQuery(AbstractLdapConnector.java:464)
    at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.executeQuery(AbstractLdapConnector.java:124)
    at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.rawSearch(SearchImpl.java:193)
    at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.search(SearchImpl.java:130)
    at sun.reflect.GeneratedMethodAccessor1348.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98)
    at com.sun.proxy.$Proxy223.search(Unknown Source)
    at org.identityconnectors.framework.impl.api.local.operations.GetImpl.getObject(GetImpl.java:67)
    at sun.reflect.GeneratedMethodAccessor1314.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
    at com.sun.proxy.$Proxy224.getObject(Unknown Source)
    at sun.reflect.GeneratedMethodAccessor1314.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99)</pre>
<div><br>
</div>
<div>And we are generating DN this way:</div>
<div><br>
</div>
<pre><attribute id="3">
    <c:ref>ri:dn</c:ref>
    <displayName>Distinguished Name</displayName>
    <limitations>
        <minOccurs>0</minOccurs>
        <access>
            <read>true</read>
            <add>true</add>
            <modify>true</modify>
        </access>
    </limitations>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
    <outbound>
        <strength>strong</strength>
        <source>
            <c:path>$user/fullName</c:path>
        </source>
        <source>
            <c:path>$user/locality</c:path>
        </source>
        <source>
            <c:path>$user/activation/effectiveStatus</c:path>
        </source>
        <expression>
            <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="c:ScriptExpressionEvaluatorType">
                <code>
                    // Disabled users are parked in the Disabled OU regardless of locality
                    if (effectiveStatus?.value.toString().toLowerCase().equals('disabled')) {
                        return basic.composeDnWithSuffix('CN', fullName, 'OU=Disabled,OU=People,DC=example,DC=net')
                    } else {
                        // Active users: OU chosen by locality, default OU=People
                        if (locality.toString().toLowerCase() == "argentina") {
                            return basic.composeDnWithSuffix('CN', fullName, 'OU=AR,OU=People,DC=example,DC=net')
                        } else {
                            return basic.composeDnWithSuffix('CN', fullName, 'OU=People,DC=example,DC=net')
                        }
                    }
                </code>
            </script>
        </expression>
    </outbound>
</attribute></pre>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">Thanks in advance!</font></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2018-06-01 18:01 GMT-03:00 Ezequiel
Alonso <span dir="ltr"><<a
href="mailto:ealonso@identicum.com" target="_blank"
moz-do-not-send="true">ealonso@identicum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>We are working with the "<i>ad-ldap-medusa-medium</i>"
resource, synchronizing midPoint users against existing
AD accounts as part of the initial migration.</div>
<div><br>
</div>
<div>The newest AD accounts should be in "<i>OU=People,DC=example,DC=net</i>",
and older accounts may already be placed in many
different DNs under "<i>OU=UnpredictableOfficeNumber,OU=People,DC=example,DC=net</i>".</div>
<div><br>
</div>
<div>We have already created the users in midPoint, taking
into account that the correlation matching rule is
user/name == sAMAccountName. So, at this point we can
see that the shadow users are presented as unlinked.</div>
<div><br>
</div>
<div>If the account DN is equal to the DN generated by the resource
mapping, the account gets linked when we assign the
resource to the user. But if the existing account DN is
not equal to the resource-generated DN (for example,
the resource is generating "<i>CN=User123,OU=People,DC=example,DC=net</i>"
but the account exists at "<i>CN=User123,OU=Office123,OU=People,DC=example,DC=net</i>"),
we are getting the following issue when we assign the AD
resource to the user:</div>
<div>midPoint is not linking the account and it tries to
create the user in "<i>CN=User123,OU=People,DC=example,DC=net</i>"
instead of modifying the user DN to "<i>CN=User123,OU=People,DC=example,DC=net</i>"
(we added strength strong to the dn mapping and we also
tested with strength weak), so we are getting the following
error message:</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">"<i>Couldn't add
object. Object already exists: Object already exists
on the resource</i>".</blockquote>
<div><br>
</div>
<div>It's strange because if we import the account
manually from the resource, it links the midPoint user
with the AD account and modifies the DN.</div>
<div><br>
</div>
<div>Our goal is to link the existing midPoint user with the
existing AD account by matching name against
sAMAccountName and override the unpredictable and
unknown DN with a more friendly DN, if it's possible, or
at least link the user without modifying the DN.</div>
<span class="HOEnZb"><font color="#888888">
<div><br>
</div>
-- <br>
<div class="m_-5143521348802394237gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div><b
style="font-family:arial,helvetica,sans-serif;font-size:14.4px;color:rgb(68,68,68)">Ezequiel
Alonso</b><br>
</div>
<div><font
style="font-family:arial,helvetica,sans-serif;font-size:14.4px"
color="#999999">Identicum S.A.</font><br
style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font
style="font-family:arial,helvetica,sans-serif;font-size:14.4px"
color="#999999"><a
href="https://maps.google.com/?q=Jorge+Newbery+3226"
style="color:rgb(17,85,204)"
target="_blank"
moz-do-not-send="true">Jorge Newbery
3226, Buenos Aires, Argentina</a></font><br
style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font
style="font-family:arial,helvetica,sans-serif;font-size:14.4px"
color="#999999">Tel: +54
(11) 4552-3050</font><br
style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font
style="font-family:arial,helvetica,sans-serif;font-size:14.4px"
color="#999999"><a
href="http://www.identicum.com/"
style="color:rgb(17,85,204)"
target="_blank"
moz-do-not-send="true">www.identicum.com</a></font><font
size="1" color="#999999"
face="verdana, sans-serif"><br>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</font></span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div><b
style="font-family:arial,helvetica,sans-serif;font-size:14.4px;color:rgb(68,68,68)">Ezequiel
Alonso</b><br>
</div>
<div><font
style="font-family:arial,helvetica,sans-serif;font-size:14.4px"
color="#999999">Identicum S.A.</font><br
style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font
style="font-family:arial,helvetica,sans-serif;font-size:14.4px"
color="#999999"><a
href="https://maps.google.com/?q=Jorge+Newbery+3226"
style="color:rgb(17,85,204)" target="_blank"
moz-do-not-send="true">Jorge Newbery 3226,
Buenos Aires, Argentina</a></font><br
style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font
style="font-family:arial,helvetica,sans-serif;font-size:14.4px"
color="#999999">Tel: +54 (11) 4552-3050</font><br
style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font
style="font-family:arial,helvetica,sans-serif;font-size:14.4px"
color="#999999"><a
href="http://www.identicum.com/"
style="color:rgb(17,85,204)" target="_blank"
moz-do-not-send="true">www.identicum.com</a></font><font
size="1" color="#999999" face="verdana,
sans-serif"><br>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</body>
</html>