<div dir="ltr"><div>Hi,</div><div><br></div><div>I got confused by the documentation because it was not using boolean values. I suggest modifying the documentation (here, for example: <a href="https://wiki.evolveum.com/display/midPoint/Connector+Development+Guide#ConnectorDevelopmentGuide-DiscoverySupport" target="_blank">https://wiki.evolveum.com/display/midPoint/Connector+Development+Guide#ConnectorDevelopmentGuide-DiscoverySupport</a>) to prevent confusion between secondaryIdentifier in schema and secondaryIdentifier in schemaHandling.</div><div><br></div><div>Not modifying the schema and setting secondaryIdentifier to true solved the issue.<br></div><div><br></div><div>Thank you so much, guys!</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-06-28 4:11 GMT-03:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <p>Hi,</p>
    <p>Are you setting the secondaryIdentifier in <schema> or
      <schemaHandling>?</p>
    <p>Because in AD, the distinguished name is also a secondary identifier
      (the primary is objectGUID), so if you override <schema>, that
      will probably not work without having dn there as well.<br>
    </p>
    <p>You should use schema handling for that as in the email you
      referenced earlier:
      <a class="m_1041481195061437510moz-txt-link-freetext" href="http://lists.evolveum.com/pipermail/midpoint/2016-June/001923.html" target="_blank">http://lists.evolveum.com/pipermail/midpoint/2016-June/001923.html</a></p>
    <p>Have you already tried that?<br>
    </p>
    <p>Example:<br>
    </p>
    <p>...</p>
    <pre><attribute>
    <ref>ri:sAMAccountName</ref>
    <b><secondaryIdentifier>true</secondaryIdentifier></b>
    <displayName>Login name</displayName>
    <description></description>
    <outbound>
        <strength>strong</strength>
        <source>
            <path>$user/name</path>
        </source>
    </outbound>
</attribute></pre>
    ...<br>
    <br>
    This will set the sAMAccountName as a secondary identifier and AFAIK
    it will be an <i>additional</i> secondary identifier. So DN +
    sAMAccountName are both secondary identifiers.<br>
    And it will survive refetching/refresh of the resource schema.<br>
    <br>
    I remember I have seen this, but I have no customer/project where I
    actually used that.<br>
    <br>
    Best regards,<br>
    Ivan<div><div class="h5"><br>
    <br>
    <div class="m_1041481195061437510moz-cite-prefix">On 27.06.2018 20:01, Ezequiel Alonso
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>Hello Radovan and thank you for your answer,</div>
        <div><br>
        </div>
        <div>There are not two accounts. There IS <i>CN=User123,OU=Office123,OU=People,DC=example,DC=net</i> but
          SHOULD BE <i>CN=User123,OU=People,DC=example,DC=net</i>.</div>
        <div>The issue appears when the account exists in an unknown DN
          (<i>CN=User123,OU=Office123,OU=People,DC=example,DC=net</i>)
          that is not equal to the DN generated by the DN mapping (<i>CN=User123,OU=People,DC=example,DC=net</i>).</div>
        <div><br>
        </div>
        <div>We agree with the 5 steps you mention, but after the
          "already exists" exception, midPoint tries to create the user
          account instead of linking with the existing account and
          recomputing the DN.</div>
        <div><br>
        </div>
        <div>When we assign the AD resource to the user, midPoint searches for
          the account and throws "entry already exists".</div>
        <div><a href="https://pastebin.com/xHmRy2r1" target="_blank">https://pastebin.com/xHmRy2r1</a><br>
        </div>
        <div><br>
        </div>
        <div>But if we set sAMAccountName as secondaryIdentifier
          midPoint generates an invalid DN.</div>
        <div><a href="https://pastebin.com/BhZsDGFV" target="_blank">https://pastebin.com/BhZsDGFV</a></div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2018-06-27 12:43 GMT-03:00 Radovan
          Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <div class="m_1041481195061437510m_-7469955683806945634moz-cite-prefix">Ah, I
                forgot one thing: this whole process will work correctly
                only if midPoint can detect that the account which
                conflicted with CN=User123,OU=People,DC=example,DC=net
                is in fact CN=User123,OU=Office123,OU=People,DC=example,DC=net.
                <div class="m_1041481195061437510m_-7469955683806945634moz-cite-prefix">There is no standard way to do this. AD won't tell
                  which account has conflicted. It also won't tell which
                  attribute caused the conflict. And from the
                  LDAP-compliant point of view there should not be any
                  conflict. But there is a way ... kind of a hack. You can
                  add samAccountName (or a similar attribute) as an
                  additional secondary identifier for the AD resource.
                  In that case midPoint will try to look up the
                  conflicting account using both DN and samAccountName.
                  And that's how it discovers which account was the
                  cause of the conflict.<br>
                  <br>
                  I think we have this configuration in some AD samples.<span><br>
                    <br>
                    <pre class="m_1041481195061437510m_-7469955683806945634moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
                    <br>
                  </span></div>
                <div>
                  <div class="m_1041481195061437510h5"> <br>
                    <br>
                    On 06/27/2018 05:30 PM, Radovan Semancik wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div class="m_1041481195061437510h5">
                  <blockquote type="cite">
                    <div class="m_1041481195061437510m_-7469955683806945634moz-cite-prefix">Hi,<br>
                      <br>
                      MidPoint cannot link those two accounts
                      immediately. MidPoint has no way of knowing that <i>CN=User123,OU=People,DC=example,DC=net</i>
                      and <i>CN=User123,OU=Office123,OU=People,DC=example,DC=net</i>
                      should be the same account. Those have different
                      identifiers (GUIDs and DNs). In fact, in any real
                      LDAP server it is perfectly possible for such
                      accounts to exist at the same time. And this may
                      actually be the desired configuration in some
                      deployments. Well, AD is slightly special here. But
                      midPoint will not behave differently just because
                      it talks to AD. A correlation rule won't help here
                      either. At least not directly. A correlation rule is
                      applied only to accounts that do not have an owner
                      already. But the new account that is just created
                      has an owner. Therefore the correlation rule is not
                      applied.<br>
                      <br>
                      MidPoint supports this situation. But it should go
                      like this:<br>
                      1. MidPoint tries to create a new account
                      CN=User123,OU=People,DC=example,DC=net<br>
                      2. The create operation fails, because there is
                      already an account with username User123 ... and that
                      account has DN <i>CN=User123,OU=Office123,OU=People,DC=example,DC=net</i><br>
                      3. MidPoint forgets about operation 1. for a
                      while. MidPoint tries to figure out what to do
                      with the account that was just "discovered" (that
                      Office123 account)<br>
                      4. The correlation rule is used at this point. In your
                      case the correlation rule should correlate user123
                      with his existing Office123 account.<br>
                      5. Operation 1. is restarted. Everything is
                      recomputed. MidPoint figures out that it no longer
                      needs to create the User123 account on AD because such
                      an account already exists.<br>
                      <br>
                      This is what we call "self healing" or
                      "consistency mechanism". The usual problem here is
                      that it depends on the connector to positively
                      detect the "account already exists" situation. Which
                      may seem like an easy task. But it is not. There are
                      many error conditions that are reported in various
                      ways - especially with old and
                      non-standard-compliant resources such as Active
                      Directory. So there may be a problem. Please make
                      sure that the connector detects the "object not
                      found" situation correctly. If there is any other
                      error then midPoint will stop at step 3 because in
                      that case midPoint is not sure what is going on.
                      And the default behavior is to be conservative: we
                      would do nothing rather than risk a wrong action
                      which could cause damage. And that may be what is
                      happening in your case. The error below is "InvalidAttributeValueException".
                      It should be "ObjectNotFoundException".<br>
                      <br>
                      For those reasons and also for various other
                      reasons this approach may be quite fragile. The
                      original purpose of this process was to handle
                      rare cases of forgotten accounts, accounts that
                      were manually created by resource administrators
                      and similar rare cases. I would recommend
                      reconsidering the initial migration process. Maybe it
                      would be better to import all the accounts from HR
                      systems (or other source systems), then correlate
                      them with AD and only then start to assign roles
                      which try to create new accounts?<br>
                      <br>
                      <pre class="m_1041481195061437510m_-7469955683806945634moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a></pre>
                      <br>
                      <br>
                      On 06/27/2018 04:13 PM, Ezequiel Alonso wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">Hi Guys,
                        <div><br>
                        </div>
                        <div>We continued trying to fix this issue using
                          this snippet found in
                          "ad-ldap-medusa-exchange" in the resource schema
                          because we found a similar issue in the
                          mailing list (<a href="http://lists.evolveum.com/pipermail/midpoint/2016-June/001923.html" target="_blank">http://lists.evolveum.com/pipermail/midpoint/2016-June/001923.html</a>)
                          and they proposed using a
                          secondaryIdentifier.</div>
                        <div><br>
                        </div>
                        <div>
<pre><xsd:complexType name="user">
    <xsd:annotation>
        <xsd:appinfo>
            <ra:resourceObject/>
            <ra:identifier>ri:objectGUID</ra:identifier>
            <ra:secondaryIdentifier>ri:sAMAccountName</ra:secondaryIdentifier>
            <ra:displayNameAttribute>ri:dn</ra:displayNameAttribute>
            <ra:namingAttribute>ri:dn</ra:namingAttribute>
            <ra:nativeObjectClass>user</ra:nativeObjectClass>
        </xsd:appinfo>
    </xsd:annotation>
</xsd:complexType></pre>
                        </div>
                        <div><br>
                        </div>
                        <div>but we are getting this error:</div>
                        <div><br>
                        </div>
                        <div>
<pre>2018-06-27 06:21:49,463 [] [pool-4-thread-143] ERROR (com.evolveum.midpoint.provisioning.ucf.impl.connid.ConnIdUtil): ConnId Exception org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException in connector:c87a0797-4be5-4fde-b6f2-770832f4a87f(ConnId com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v1.5.1): ConnectorSpec(resource:dad0110d-77ed-408d-a1a8-044dee06facb(LDAP SigleDomain), name=null, oid=c87a0797-4be5-4fde-b6f2-770832f4a87f) while getting object identified by ConnId UID 'fcda49c9-ec77-499e-a39b-70c1582d8051': Invalid DN 'username': ERR_04202 A value is missing on some RDN
org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException: Invalid DN 'username': ERR_04202 A value is missing on some RDN
        at com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator.toDn(AbstractSchemaTranslator.java:1389)
        at com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator.toDn(AbstractSchemaTranslator.java:1372)
        at com.evolveum.polygon.connector.ldap.ad.AdLdapConnector.searchByUid(AdLdapConnector.java:246)
        at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.executeQuery(AbstractLdapConnector.java:464)
        at com.evolveum.polygon.connector.ldap.AbstractLdapConnector.executeQuery(AbstractLdapConnector.java:124)
        at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.rawSearch(SearchImpl.java:193)
        at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.search(SearchImpl.java:130)
        at sun.reflect.GeneratedMethodAccessor1348.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:98)
        at com.sun.proxy.$Proxy223.search(Unknown Source)
        at org.identityconnectors.framework.impl.api.local.operations.GetImpl.getObject(GetImpl.java:67)
        at sun.reflect.GeneratedMethodAccessor1314.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
        at com.sun.proxy.$Proxy224.getObject(Unknown Source)
        at sun.reflect.GeneratedMethodAccessor1314.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:99)</pre>
                        </div>
                        <div><br>
                        </div>
                        <div>And we are generating DN this way:</div>
                        <div><br>
                        </div>
                        <div>
<pre><attribute id="3">
    <c:ref>ri:dn</c:ref>
    <displayName>Distinguished Name</displayName>
    <limitations>
        <minOccurs>0</minOccurs>
        <access>
            <read>true</read>
            <add>true</add>
            <modify>true</modify>
        </access>
    </limitations>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
    <outbound>
        <strength>strong</strength>
        <source>
            <c:path>$user/fullName</c:path>
        </source>
        <source>
            <c:path>$user/locality</c:path>
        </source>
        <source>
            <c:path>$user/activation/effectiveStatus</c:path>
        </source>
        <expression>
            <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="c:ScriptExpressionEvaluatorType">
                <code>
                    // disabled accounts go to the Disabled OU, otherwise the OU depends on locality
                    if (effectiveStatus?.value.toString().toLowerCase().equals('disabled')) {
                        return basic.composeDnWithSuffix('CN', fullName, 'OU=Disabled,OU=People,DC=example,DC=net');
                    } else {
                        if (locality.toString().toLowerCase() == "argentina") {
                            return basic.composeDnWithSuffix('CN', fullName, 'OU=AR,OU=People,DC=example,DC=net');
                        } else {
                            return basic.composeDnWithSuffix('CN', fullName, 'OU=People,DC=example,DC=net');
                        }
                    }
                </code>
            </script>
        </expression>
    </outbound>
</attribute></pre>
                        </div>
                        <div><br>
                        </div>
                        <div>Thanks in advance!</div>
                      </div>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">2018-06-01 18:01
                          GMT-03:00 Ezequiel Alonso <span dir="ltr"><<a href="mailto:ealonso@identicum.com" target="_blank">ealonso@identicum.com</a>></span>:<br>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                            <div dir="ltr">
                              <div>Hi,</div>
                              <div><br>
                              </div>
                              <div>We are working with the "<i>ad-ldap-medusa-medium</i>"
                                resource, synchronizing midPoint users
                                against existing AD accounts as part of
                                the initial migration.</div>
                              <div><br>
                              </div>
                              <div>The newest AD accounts should be in "<i>OU=People,DC=example,DC=net</i>"
                                and older accounts may already be placed
                                in many different DNs under "<i>OU=UnpredictableOfficeNumber,OU=People,DC=example,DC=net</i>"</div>
                              <div><br>
                              </div>
                              <div>We have already created the users on
                                midPoint taking into account that the
                                correlation matching rule is user/name
                                == sAMAccountName. So, at this point we
                                can see that the shadow users are
                                presented as unlinked.</div>
                              <div><br>
                              </div>
                              <div>If the account DN is equal to the
                                resource mapping generated DN, the
                                account gets linked when we assign the
                                resource to the user. But if the
                                existing account DN is not equal to the
                                resource generated DN (for example,
                                the resource is generating "<i>CN=User123,OU=People,DC=example,DC=net</i>"
                                but the account exists in "<i>CN=User123,OU=Office123,OU=People,DC=example,DC=net</i>"),
                                we are getting the following issue when
                                we assign the AD resource to the user:</div>
                              <div>midPoint is not linking the account
                                and it tries to create the user in "<i>CN=User123,OU=People,DC=example,DC=net</i>"
                                instead of modifying the user DN to "<i>CN=User123,OU=People,DC=example,DC=net</i>"
                                (we added strength strong to the dn mapping
                                and we also tested with strength weak),
                                so we are getting the following error
                                message:</div>
                              <div><br>
                              </div>
                              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">"<i>Couldn't
                                  add object. Object already exists:
                                  Object already exists on the resource</i>".</blockquote>
                              <div><br>
                              </div>
                              <div>It's strange because if we import the
                                account manually from the resource, it
                                links the midPoint user with the AD account
                                and modifies the DN.</div>
                              <div><br>
                              </div>
                              <div>Our goal is to link an existing midPoint
                                user with an existing AD account by
                                matching name against sAMAccountName and
                                to override the unpredictable and unknown
                                DN with a friendlier DN, if it's
                                possible, or at least to link the user
                                without modifying the DN.</div>
                              <span class="m_1041481195061437510m_-7469955683806945634HOEnZb"><font color="#888888">
                                  <div><br>
                                  </div>
                                  -- <br>
                                  <div class="m_1041481195061437510m_-7469955683806945634m_-5143521348802394237gmail_signature">
                                    <div dir="ltr">
                                      <div>
                                        <div dir="ltr">
                                          <div dir="ltr">
                                            <div dir="ltr">
                                              <div><b style="font-family:arial,helvetica,sans-serif;font-size:14.4px;color:rgb(68,68,68)">Ezequiel
                                                  Alonso</b><br>
                                              </div>
                                              <div><font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999">Identicum
                                                  S.A.</font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
                                                <font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999"><a href="https://maps.google.com/?q=Jorge+Newbery+3226" style="color:rgb(17,85,204)" target="_blank">Jorge
                                                    Newbery 3226, Buenos
                                                    Aires, Argentina</a></font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
                                                <font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999">Tel:
                                                  +54 (11) 4552-3050</font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
                                                <font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999"><a href="http://www.identicum.com/" style="color:rgb(17,85,204)" target="_blank">www.identicum.com</a></font><font size="1" face="verdana,
                                                  sans-serif" color="#999999"><br>
                                                </font></div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </font></span></div>
                          </blockquote>
                        </div>
                      </div>
                      <br>
                      <fieldset class="m_1041481195061437510m_-7469955683806945634mimeAttachmentHeader"></fieldset>
                      <br>
                      <pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_1041481195061437510m_-7469955683806945634moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_1041481195061437510m_-7469955683806945634moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
                    </blockquote>
                  </blockquote>
                  <br>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
    </div></div><span class="HOEnZb"><font color="#888888"><pre class="m_1041481195061437510moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
  </font></span></div>

<br></blockquote></div><br>
</div>
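<p>The scenario from Ezequiel's message (correlate on user name == sAMAccountName, then link the existing AD account instead of creating a new one, and decide what happens to its DN) written out as midPoint resource fragments. This is an added illustration, not configuration taken from the thread or from the midPoint sample resources: the <code>ri:user</code> object class, the <code>ri:dn</code> mapping with its <code>OU=People,DC=example,DC=net</code> suffix and the namespace prefixes (<code>c</code> = common-3, <code>q</code> = query-3, <code>ri</code> = resource instance-3) are assumptions.</p>

```xml
<schemaHandling>
  <objectType>
    <kind>account</kind>
    <intent>default</intent>
    <default>true</default>
    <objectClass>ri:user</objectClass> <!-- AD object class; assumed, as are ri:dn and the OU suffix below -->
    <attribute>
      <ref>ri:sAMAccountName</ref>
      <!-- Identifier declared in schemaHandling (not in <schema>): an account found at an
           unexpected DN is still recognised as the same object instead of being re-created -->
      <secondaryIdentifier>true</secondaryIdentifier>
      <outbound>
        <source><path>$user/name</path></source>
      </outbound>
    </attribute>
    <attribute>
      <ref>ri:dn</ref>
      <outbound>
        <!-- weak: a linked account keeps its existing DN;
             strong: a linked account is renamed to the computed DN -->
        <strength>weak</strength>
        <source><path>$user/name</path></source>
        <expression>
          <script><code>basic.composeDnWithSuffix('CN', name, 'OU=People,DC=example,DC=net')</code></script>
        </expression>
      </outbound>
    </attribute>
  </objectType>
</schemaHandling>
<synchronization>
  <objectSynchronization>
    <enabled>true</enabled>
    <objectClass>ri:user</objectClass>
    <kind>account</kind>
    <intent>default</intent>
    <!-- Correlation rule from the message: user name == sAMAccountName -->
    <correlation>
      <q:equal>
        <q:path>c:name</q:path>
        <expression><path>$account/attributes/ri:sAMAccountName</path></expression>
      </q:equal>
    </correlation>
    <!-- Exactly one correlated owner but no link yet: link rather than add -->
    <reaction>
      <situation>unlinked</situation>
      <synchronize>true</synchronize>
      <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri></action>
    </reaction>
  </objectSynchronization>
</synchronization>
```

<p>The reaction applies to import and synchronization tasks; when the resource is assigned directly, it is the identifier declaration that lets midPoint recognise the already existing account rather than fail with "Object already exists".</p>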