<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Ah, I forgot one thing: this whole
      process will work correctly only if midPoint can detect that the
      account which conflicted with CN=User123,OU=People,DC=example,DC=net is in fact
      CN=User123,OU=Office123,OU=People,DC=example,DC=net. There
      is no standard way to do this. AD won't tell which account
      conflicted. It also won't tell which attribute caused the
      conflict. And from the LDAP-compliant point of view there should
      not be any conflict. But there is a way ... kind of a hack. You
      can add sAMAccountName (or a similar attribute) as an additional
      secondary identifier for the AD resource. In that case midPoint
      will try to look up the conflicting account using both DN and
      sAMAccountName. And that's how it discovers which account was
      the cause of the conflict.<br>
      <br>
      I think we have this configuration in some AD samples.<br>
      <br>
      <pre class="moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
evolveum.com
</pre>
      <br>
      <br>
      <br>
      On 06/27/2018 05:30 PM, Radovan Semancik wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:f28d2b2a-2ae9-9057-fae7-10a80c68f15f@evolveum.com">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div class="moz-cite-prefix">Hi,<br>
        <br>
        MidPoint cannot link those two accounts immediately. MidPoint
        has no way of knowing that <i>CN=User123,OU=People,DC=example,DC=net</i>
        and <i>CN=User123,OU=Office123,OU=People,DC=example,DC=net</i>
        should be the same account. Those have different identifiers
        (GUIDs and DNs). In fact, in any real LDAP server it is
        perfectly possible for such accounts to exist at the same time.
        And this may actually be the desired configuration in some
        deployments. Well, AD is slightly special here. But midPoint will
        not behave differently just because it talks to AD. The correlation
        rule won't help here either. At least not directly. The correlation
        rule is applied only to accounts that do not have an owner already.
        But the new account that is just being created has an owner. Therefore
        the correlation rule is not applied.<br>
        <br>
        MidPoint supports this situation. But it should go like this:<br>
        1. MidPoint tries to create the new account CN=User123,OU=People,DC=example,DC=net<br>
        2. The create operation fails, because there is already an account with
        username User123 ... and that account has DN <i>CN=User123,OU=Office123,OU=People,DC=example,DC=net</i><br>
        3. MidPoint forgets about operation 1. for a while. MidPoint
        tries to figure out what to do with the account that was just
        "discovered" (that Office123 account)<br>
        4. The correlation rule is used at this point. In your case the
        correlation rule should correlate user123 with his existing
        Office123 account.<br>
        5. Operation 1. is restarted. Everything is recomputed. MidPoint
        figures out that it no longer needs to create the User123 account in
        AD because such an account already exists.<br>
        <br>
        This is what we call "self healing" or the "consistency mechanism".
        The usual problem here is that it depends on the connector to
        positively detect the "account already exists" situation. Which may
        seem like an easy task. But it is not. There are many error
        conditions that are reported in various ways - especially with
        old and non-standard-compliant resources such as Active
        Directory. So there may be a problem. Please make sure that the
        connector detects the "object not found" situation correctly. If
        there is any other error then midPoint will stop at step 3
        because in that case midPoint is not sure what is going on. And
        the default behavior is to be conservative: we would do nothing
        rather than risk a wrong action which could cause damage. And
        that may be what is happening in your case. The error below is
        "InvalidAttributeValueException". It should be
        "ObjectNotFoundException".<br>
        <br>
        For those reasons and also for various other reasons this
        approach may be quite fragile. The original purpose of this process
        was to handle rare cases of forgotten accounts, accounts that
        were manually created by resource administrators and similar
        rare cases. I would recommend reconsidering the initial
        migration process. Maybe it would be better to import all the
        accounts from the HR system (or other source system), then
        correlate them with AD and only then start to assign roles which
        try to create new accounts?<br>
        <br>
        <pre class="moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
evolveum.com</pre>
        <br>
        <br>
        On 06/27/2018 04:13 PM, Ezequiel Alonso wrote:<br>
      </div>
      <blockquote type="cite"
cite="mid:CAORQm42qHQ+XTf-4ofryt5OGpYLu4JzfLQt7D7WaJ24W20566g@mail.gmail.com">
        <div dir="ltr">Hi Guys,
          <div><br>
          </div>
          <div>We continued trying to fix this issue using this snippet
            found in "ad-ldap-medusa-exchange" in the resource schema,
            because we found a similar issue in the mailing list (<a
href="http://lists.evolveum.com/pipermail/midpoint/2016-June/001923.html"
              moz-do-not-send="true">http://lists.evolveum.com/pipermail/midpoint/2016-June/001923.html</a>)
            and they proposed to use a secondaryIdentifier.</div>
          <div><br>
          </div>
          <pre wrap="">
<xsd:complexType name="user">
  <xsd:annotation>
    <xsd:appinfo>
      <ra:resourceObject/>
      <ra:identifier>ri:objectGUID</ra:identifier>
      <ra:secondaryIdentifier>ri:sAMAccountName</ra:secondaryIdentifier>
      <ra:displayNameAttribute>ri:dn</ra:displayNameAttribute>
      <ra:namingAttribute>ri:dn</ra:namingAttribute>
      <ra:nativeObjectClass>user</ra:nativeObjectClass>
    </xsd:appinfo>
  </xsd:annotation>
</xsd:complexType>
</pre>
          <div><br>
          </div>
          <div>but we are getting this error:</div>
          <div><br>
          </div>
          <pre wrap="">
2018-06-27 06:21:49,463 [] [pool-4-thread-143] ERROR (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): ConnId Exception org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException in connector:c87a0797-4be5-4fde-b6f2-770832f4a87f(ConnId com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v1.5.1): ConnectorSpec(resource:dad0110d-77ed-408d-a1a8-044dee06facb(LDAP SigleDomain), name=null, oid=c87a0797-4be5-4fde-b6f2-770832f4a87f) while getting object identified by ConnId UID 'fcda49c9-ec77-499e-a39b-70c1582d8051': Invalid DN 'username': ERR_04202 A value is missing on some RDN
org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException: Invalid DN 'username': ERR_04202 A value is missing on some RDN
        at com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator.toDn(AbstractSchemaTranslator.java:1389)
        at com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator.toDn(AbstractSchemaTranslator.java:1372)
        at com.evolveum.polygon.connector.ldap.ad.AdLdapConnector.searchByUid(AdLdapConnector.java:246)
        at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.executeQuery(AbstractLdapConnector.java:464)
        at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.executeQuery(AbstractLdapConnector.java:124)
        at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.rawSearch(SearchImpl.java:193)
        at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.search(SearchImpl.java:130)
        at sun.reflect.GeneratedMethodAccessor1348.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98)
        at com.sun.proxy.$Proxy223.search(Unknown Source)
        at org.identityconnectors.framework.impl.api.local.operations.GetImpl.getObject(GetImpl.java:67)
        at sun.reflect.GeneratedMethodAccessor1314.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
        at com.sun.proxy.$Proxy224.getObject(Unknown Source)
        at sun.reflect.GeneratedMethodAccessor1314.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99)
</pre>
          <div><br>
          </div>
          <div>And we are generating DN this way:</div>
          <div><br>
          </div>
          <pre wrap="">
<attribute id="3">
  <c:ref>ri:dn</c:ref>
  <displayName>Distinguished Name</displayName>
  <limitations>
    <minOccurs>0</minOccurs>
    <access>
      <read>true</read>
      <add>true</add>
      <modify>true</modify>
    </access>
  </limitations>
  <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
  <outbound>
    <strength>strong</strength>
    <source>
      <c:path>$user/fullName</c:path>
    </source>
    <source>
      <c:path>$user/locality</c:path>
    </source>
    <source>
      <c:path>$user/activation/effectiveStatus</c:path>
    </source>
    <expression>
      <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="c:ScriptExpressionEvaluatorType">
        <code>
          if (effectiveStatus?.value.toString().toLowerCase().equals('disabled')) {
              return basic.composeDnWithSuffix('CN', fullName, 'OU=Disabled,OU=People,DC=example,DC=net');
          } else {
              if (locality.toString().toLowerCase() == "argentina") {
                  return basic.composeDnWithSuffix('CN', fullName, 'OU=AR,OU=People,DC=example,DC=net')
              } else {
                  return basic.composeDnWithSuffix('CN', fullName, 'OU=People,DC=example,DC=net')
              }
          }
        </code>
      </script>
    </expression>
  </outbound>
</attribute>
</pre>
          <div><font face="monospace, monospace"><br>
            </font></div>
          <div><font face="monospace, monospace">Thanks in advance!</font></div>
        </div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">2018-06-01 18:01 GMT-03:00 Ezequiel
            Alonso <span dir="ltr"><<a
                href="mailto:ealonso@identicum.com" target="_blank"
                moz-do-not-send="true">ealonso@identicum.com</a>></span>:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="ltr">
                <div>Hi,</div>
                <div><br>
                </div>
                <div>We are working with the "<i>ad-ldap-medusa-medium</i>"
                  resource, synchronizing midPoint users against existing
                  AD accounts as part of the initial migration.</div>
                <div><br>
                </div>
                <div>The newest AD accounts should be in "<i>OU=People,DC=example,DC=net</i>"
                  and older accounts may already be placed in many
                  different DNs under "<i>OU=UnpredictableOfficeNumber,OU=People,DC=example,DC=net</i>"</div>
                <div><br>
                </div>
                <div>We have already created the users in midPoint,
                  taking into account that the correlation matching rule
                  is user/name == sAMAccountName. So, at this point we
                  can see that the shadow users are presented as
                  unlinked.</div>
                <div><br>
                </div>
                <div>If the account DN is equal to the DN generated by the
                  resource mapping, the account gets linked when we assign
                  the resource to the user. But if the existing account
                  DN is not equal to the resource-generated DN (for
                  example, the resource is generating "<i>CN=User123,OU=People,DC=example,DC=net</i>"
                  but the account exists at "<i>CN=User123,OU=Office123,OU=People,DC=example,DC=net</i>"),
                  we are getting the following issue when we assign the
                  AD resource to the user:</div>
                <div>midPoint is not linking the account and it tries to
                  create the user at "<i>CN=User123,OU=People,DC=example,DC=net</i>"
                  instead of modifying the user DN to "<i>CN=User123,OU=People,DC=example,DC=net</i>"
                  (we set strength strong on the dn mapping and we also
                  tested with strength weak), so we are getting the following
                  error message:</div>
                <div><br>
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px 0.8ex;border-left:1px solid
                  rgb(204,204,204);padding-left:1ex">"<i>Couldn't add
                    object. Object already exists: Object already exists
                    on the resource</i>".</blockquote>
                <div><br>
                </div>
                <div>It's strange because if we import the account
                  manually from the resource, it links the midPoint
                  user with the AD account and modifies the DN.</div>
                <div><br>
                </div>
                <div>Our goal is to link an existing midPoint user with an
                  existing AD account by matching name against
                  sAMAccountName and override the unpredictable and
                  unknown DN with a friendlier DN, if it's possible, or
                  at least link the user without modifying the DN.</div>
                <span class="HOEnZb"><font color="#888888">
                    <div><br>
                    </div>
                    -- <br>
                    <div class="m_-5143521348802394237gmail_signature">
                      <b>Ezequiel Alonso</b><br>
                      Identicum S.A.<br>
                      <a href="https://maps.google.com/?q=Jorge+Newbery+3226" target="_blank" moz-do-not-send="true">Jorge Newbery 3226, Buenos Aires, Argentina</a><br>
                      Tel: +54 (11) 4552-3050<br>
                      <a href="http://www.identicum.com/" target="_blank" moz-do-not-send="true">www.identicum.com</a><br>
                    </div>
                  </font></span></div>
            </blockquote>
          </div>
          <br>
          <br clear="all">
          <div><br>
          </div>
          -- <br>
          <div class="gmail_signature" data-smartmail="gmail_signature">
            <b>Ezequiel Alonso</b><br>
            Identicum S.A.<br>
            <a href="https://maps.google.com/?q=Jorge+Newbery+3226" target="_blank" moz-do-not-send="true">Jorge Newbery 3226, Buenos Aires, Argentina</a><br>
            Tel: +54 (11) 4552-3050<br>
            <a href="http://www.identicum.com/" target="_blank" moz-do-not-send="true">www.identicum.com</a><br>
          </div>
        </div>
        <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
      </blockquote>
    </blockquote>
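    <div>Radovan's advice above is to import the accounts, correlate them with AD and only then assign the roles that create accounts, because the self-healing path depends on the connector reporting the "already exists" collision precisely. The script below is an added example, not midPoint or connector code, that does that correlation offline before any role is assigned: it matches user/name to sAMAccountName, builds the DN the poster's outbound dn mapping would produce (same locality and effectiveStatus rules, RFC 4514 escaping of the CN value, case-insensitive DN comparison in the spirit of mr:distinguishedName), and classifies every user as LINK, MOVE, CREATE or CONFLICT. CONFLICT is exactly the situation in the thread: the generated DN is already held by an account that does not correlate to the user, so a create would fail with "Object already exists" and correlation could not repair it. The AD entries and GUIDs are constructed sample data; in a real run they would come from an LDAP search of the People subtree (assumed attributes: objectGUID, sAMAccountName, DN).</div>

```python
"""Offline correlation planner for a midPoint -> AD migration (added example,
not midPoint or connector code). Before roles are assigned it matches
user/name to sAMAccountName, computes the DN the outbound dn mapping would
generate, compares it with the DN the account really has, and classifies each
user as LINK, MOVE, CREATE or CONFLICT. AD entries are constructed sample
data; a real run would load them from an LDAP search of the People subtree."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PEOPLE = "OU=People,DC=example,DC=net"


@dataclass(frozen=True)
class MidPointUser:
    name: str                # user/name, correlated with sAMAccountName
    full_name: str           # user/fullName, becomes the CN
    locality: Optional[str]  # user/locality
    effective_status: str    # activation/effectiveStatus


@dataclass(frozen=True)
class AdAccount:
    object_guid: str         # primary identifier (ra:identifier), placeholder value
    sam_account_name: str    # the attribute the correlation rule matches on
    dn: str                  # where the account actually lives


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas (RFC 4514 backslash escaping)."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc or ch == "\\":
            cur.append(ch)
            esc = not esc
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [r.strip() for r in rdns]


def normalize_dn(dn: str) -> str:
    """Comparison key in the spirit of mr:distinguishedName: AD DNs are
    case-insensitive and whitespace around separators is not significant."""
    return ",".join(r.lower() for r in split_rdns(dn))


def escape_rdn_value(value: str) -> str:
    """Escape RFC 4514 specials so a fullName cannot smuggle in extra RDNs."""
    s = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if s[:1] in ("#", " "):
        s = "\\" + s
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def expected_dn(user: MidPointUser) -> str:
    """Same placement rule as the poster's outbound dn mapping."""
    if user.effective_status.lower() == "disabled":
        suffix = "OU=Disabled," + PEOPLE
    elif (user.locality or "").lower() == "argentina":
        suffix = "OU=AR," + PEOPLE
    else:
        suffix = PEOPLE
    return "CN=" + escape_rdn_value(user.full_name) + "," + suffix


def plan(users, accounts) -> Dict[str, Tuple[str, str]]:
    """CONFLICT is the thread's failure mode: the target DN is held by an
    account that does not correlate to the user, so a create would fail with
    'Object already exists' and correlation could not repair it."""
    by_sam = {a.sam_account_name.lower(): a for a in accounts}  # unique per domain
    by_dn = {normalize_dn(a.dn): a for a in accounts}
    out = {}
    for u in users:
        target = expected_dn(u)
        acct = by_sam.get(u.name.lower())
        occupant = by_dn.get(normalize_dn(target))
        if acct is None and occupant is None:
            out[u.name] = ("CREATE", target)
        elif acct is None:
            out[u.name] = ("CONFLICT", "target DN held by " + occupant.sam_account_name)
        elif normalize_dn(acct.dn) == normalize_dn(target):
            out[u.name] = ("LINK", acct.object_guid)
        elif occupant is None:
            out[u.name] = ("MOVE", acct.dn + " -> " + target)
        else:
            out[u.name] = ("CONFLICT", "target DN held by " + occupant.sam_account_name)
    return out


# Constructed sample data mirroring the thread (GUIDs are placeholders).
SAMPLE_USERS = [
    MidPointUser("User123", "User123", None, "enabled"),
    MidPointUser("jdoe", "Doe, John", "Argentina", "enabled"),
    MidPointUser("newhire", "New Hire", "Argentina", "enabled"),
    MidPointUser("asmith", "Alice Smith", None, "enabled"),
    MidPointUser("bgone", "Bob Gone", None, "disabled"),
]
SAMPLE_ACCOUNTS = [
    AdAccount("guid-1", "User123", "CN=User123,OU=Office123,OU=People,DC=example,DC=net"),
    AdAccount("guid-2", "jdoe", "cn=Doe\\, John,ou=ar,OU=People,DC=example,DC=net"),
    AdAccount("guid-3", "asmith2", "CN=Alice Smith,OU=People,DC=example,DC=net"),
    AdAccount("guid-4", "bgone", "CN=Bob Gone,OU=Office7,OU=People,DC=example,DC=net"),
]

if __name__ == "__main__":
    for name, (action, detail) in plan(SAMPLE_USERS, SAMPLE_ACCOUNTS).items():
        print(f"{name:8} {action:9} {detail}")
```

    <div>MOVE rows are the "link, then rename" cases the thread wants midPoint to handle; CONFLICT rows are the ones to resolve by hand (or by a different naming rule) before assigning the AD role, since neither the create nor the correlation step can fix them automatically.</div>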
  </body>
</html>