<div dir="ltr"><div>Hi,</div><div><br></div><div>I got confused with the documentation because they was not using boolean values. I suggest to modify the documentation (here for example <a href="https://wiki.evolveum.com/display/midPoint/Connector+Development+Guide#ConnectorDevelopmentGuide-DiscoverySupport" target="_blank">https://wiki.evolveum.com/<wbr>display/midPoint/Connector+<wbr>Development+Guide#<wbr>ConnectorDevelopmentGuide-<wbr>DiscoverySupport</a>) for prevent confusion between secondaryIdentifier in schema and secondaryIdentifier in schemaHandling.</div><div><br></div><div>Not modifying the schema and setting secondaryIdentifier to true solved the issue.<br></div><div><br></div><div>Thank you so much guys!</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-06-28 4:11 GMT-03:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p>are you setting the secondaryIdentifier in <schema> or
<schemaHandling>?</p>
<p>Because in AD, distinguished name is also secondary identifier
(primary is objectGUID) so if you override <schema>, that
will probably not work without having dn also there.<br>
</p>
<p>You should use schema handling for that as in the email you
referenced earlier:
<a class="m_1041481195061437510moz-txt-link-freetext" href="http://lists.evolveum.com/pipermail/midpoint/2016-June/001923.html" target="_blank">http://lists.evolveum.com/<wbr>pipermail/midpoint/2016-June/<wbr>001923.html</a></p>
<p>Have you already tried that?<br>
</p>
<p>Example:<br>
</p>
<p>...</p>
<pre> <attribute>
<ref>ri:sAMAccountName</ref>
<b><secondaryIdentifier>true</<wbr>secondaryIdentifier></b>
<displayName>Login name</displayName>
<description></description>
<outbound>
<strength>strong</strength>
<source>
<path>$user/name</path>
</source>
</outbound>
</attribute></pre>
...<br>
<br>
This will set the sAMAccountName as secondary identifier and AFAIK
it will be an <i>additional</i> secondary identifier. So DN +
sAMAccountName are both secondary identifiers.<br>
And, it will survive refetching/refresh of resource schema.<br>
<br>
I remember I have seen this, but I have no customer/project where I
actually used that.<br>
<br>
Best regards,<br>
Ivan<div><div class="h5"><br>
<br>
<div class="m_1041481195061437510moz-cite-prefix">On 27.06.2018 20:01, Ezequiel Alonso
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hello Radovan and thank you for your answer,</div>
<div><br>
</div>
<div>The are not two accounts. There IS <span style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><i>CN=User123,OU=Office123,OU=<wbr>People,DC=example,DC=net</i> </span>but
SHOULD BE <span style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><i>CN=User123,OU=People,DC=<wbr>example,DC=net</i></span>.</span></div>
<div>The issue appears when the account exists in an unknown DN
(<i style="font-size:small;text-decoration-style:initial;text-decoration-color:initial">CN=User123,OU=Office123,OU=<wbr>People,DC=example,DC=net</i>)
that is not equal to the DN generated by the DN mapping (<i style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">CN=User123,OU=People,DC=<wbr>example,DC=net</i>).</div>
<div><br>
</div>
<div>We agree with the 5 steps you mention, but after the
"already exist" exception, midPoint tries to create the user
account instead of linking with the existing account and
recompute the DN.</div>
<div><br>
</div>
<div>When we assign the AD resource to the user, midPoint search
the account and throws "entry already exists".</div>
<div><a href="https://pastebin.com/xHmRy2r1" target="_blank">https://pastebin.com/xHmRy2r1</a><br>
</div>
<div><br>
</div>
<div>But if we set sAMAccountName as secondaryIdentifier
midPoint generates an invalid DN.</div>
<div><a href="https://pastebin.com/BhZsDGFV" target="_blank">https://pastebin.com/BhZsDGFV</a></div>
<div><br>
</div>
<div><span style="font-size:14.4px"></span></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2018-06-27 12:43 GMT-03:00 Radovan
Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a><wbr>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_1041481195061437510m_-7469955683806945634moz-cite-prefix">Ah, I
forgot one thing: this whole process will work correctly
only if midPoint can detect that the account which
conflicted with CN=User123,OU=People,DC=
<div class="m_1041481195061437510m_-7469955683806945634moz-cite-prefix">example,DC=net
is in fact CN=User123,OU=Office123,OU=Peo<wbr>ple,DC=example,DC=net.
There is no standard way to do this. AD won't tell
which account has conflicted. It also won't tell which
attribute caused the conflict. And from the
LDAP-compliant point of view there should not be any
conflict. But there is a way ... kind of hack. You can
add samAccountName (or a similar attribute) as an
additional secondary identifier for the AD resource.
In that case midPoint will try to look up the
conflicting account using both DN and samAccountName.
And that's how it discovers which account was the
cause of the conflict.<br>
<br>
I think we have this configuration in some AD samples.<span><br>
<br>
<pre class="m_1041481195061437510m_-7469955683806945634moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<br>
</span></div>
<div>
<div class="m_1041481195061437510h5"> <br>
<br>
On 06/27/2018 05:30 PM, Radovan Semancik wrote:<br>
</div>
</div>
</div>
<div>
<div class="m_1041481195061437510h5">
<blockquote type="cite">
<div class="m_1041481195061437510m_-7469955683806945634moz-cite-prefix">Hi,<br>
<br>
MidPoint cannot link those two accounts
immediately. MidPoint has no way of knowing that <i>CN=User123,OU=People,DC=exampl<wbr>e,DC=net</i>
and <i>CN=User123,OU=Office123,OU=Peo<wbr>ple,DC=example,DC=net</i>
should be the same account. Those have different
identifiers (GUIDs and DNs). In fact, in any real
LDAP server it is perfectly possible for such
accounts to exist at the same time. And this may
be actually desired configuration in some
deployment. Well, AD is slightly special here. But
midPoint will not behave differently just because
it talks to AD. Correlation rule won't help here
either. At least not directly. Correlation rule is
applied only to accounts that do not have owner
already. But the new account that is just created
has an owner. Therefore correlation rules is not
applied.<br>
<br>
MidPoint supports this situation. But it should go
like this:<br>
1. MidPoint tries to create new account
CN=User123,OU=People,DC=exampl<wbr>e,DC=net<br>
2. Create operation fails, because there is
already account with username User123 ... and that
account has DN <i>CN=User123,OU=Office123,OU=Peo<wbr>ple,DC=example,DC=net</i><br>
3. MidPoint forgets about operation 1. for a
while. MidPoint tries to figure out what to do
with the account that was just "discovered" (that
Office123 account)<br>
4. Correlation rule is used at this point. In your
case the correction rule should correlate user123
with his existing Office123 account.<br>
5. Operation 1. is restarted. Everything is
recomputed. MidPoint figures out that it no longer
needs to create User123 account on AD because such
account already exist.<br>
<br>
This is what we call "self healing" or
"consistency mechanism". The usual problem here is
that it depends on the connector to positively
detect "account already exist" situation. Which
may seem as an easy task. But it is not. There are
many error conditions that are reported in various
ways - especially with old and
non-standard-compliant resources such as Active
Directory. So there may be problem. Please make
sure that the connector detect the "object not
found" situation correctly. If there is any other
error then midPoint will stop at step 3 because in
that case midPoint is not sure what is going on.
And the default behavior is to be conservative: we
would do nothing rather than risking wrong action
which could cause damage. And that may be what is
happening in your case. The error below is "InvalidAttributeValueExceptio<wbr>n".
Is should be "ObjectNotFoundException".<br>
<br>
For that reasons and also for other various
reasons this approach may be quite fragile.
Original purpose of this process was to handle
rare cases of forgotten accounts, accounts that
were manually created by resource administrators
and similar rare cases. I would recommend to
reconsider the initial migration process. Maybe it
would be better to import all the accounts from HR
systems (or other source system), then correlate
them with AD and only then start to assign roles
which try to create new accounts?<br>
<br>
<pre class="m_1041481195061437510m_-7469955683806945634moz-signature" cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a></pre>
<br>
<br>
On 06/27/2018 04:13 PM, Ezequiel Alonso wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Guys,
<div><br>
</div>
<div>We continued trying to fix this issue using
this snippet found in
"ad-ldap-medusa-exchange" in resource schema
because we found a similar issue in the
mailing list (<a href="http://lists.evolveum.com/pipermail/midpoint/2016-June/001923.html" target="_blank">http://lists.evolveum.com/pip<wbr>ermail/midpoint/2016-June/0019<wbr>23.html</a>)
and they proposed to use a
secondaryIdentifier.</div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace"><xsd:complexType
name="user"></font></div>
<div><font face="monospace, monospace">
<xsd:annotation></font></div>
<div><font face="monospace, monospace">
<xsd:appinfo></font></div>
<div><font face="monospace, monospace">
<ra:resourceObject/></font></div>
<div><font face="monospace, monospace">
<ra:identifier>ri:objectGUID</<wbr>ra:identifier></font></div>
<div><font face="monospace, monospace">
<ra:secondaryIdentifier>ri:sAM<wbr>AccountName</ra:secondaryIdent<wbr>ifier></font></div>
<div><font face="monospace, monospace">
<ra:displayNameAttribute>ri:dn<wbr></ra:displayNameAttribute></font></div>
<div><font face="monospace, monospace">
<ra:namingAttribute>ri:dn</ra:<wbr>namingAttribute></font></div>
<div><font face="monospace, monospace">
<ra:nativeObjectClass>user</ra<wbr>:nativeObjectClass></font></div>
<div><font face="monospace, monospace">
</xsd:appinfo></font></div>
<div><font face="monospace, monospace">
</xsd:annotation></font></div>
<div><font face="monospace, monospace"></xsd:complexType></font></div>
</div>
<div><br>
</div>
<div>but we are getting this error:</div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace">2018-06-27
06:21:49,463 [] [pool-4-thread-143] ERROR
(com.evolveum.midpoint.provisi<wbr>oning.ucf.impl.connid.ConnIdUt<wbr>il):
ConnId Exception
org.identityconnectors.framewo<wbr>rk.common.exceptions.InvalidAt<wbr>tributeValueException
in connector:c87a0797-4be5-4fde-b<wbr>6f2-770832f4a87f(ConnId
com.evolveum.polygon.<a href="http://connector.ldap.ad" target="_blank">connector<wbr>.ldap.ad</a>.AdLdapConnector
v1.5.1): ConnectorSpec(<a class="m_1041481195061437510m_-7469955683806945634moz-txt-link-freetext">resource:dad0110<wbr>d-77ed-408d-a1a8-044dee06facb(<wbr>LDAP</a>
SigleDomain), name=null,
oid=c87a0797-4be5-4fde-b6f2-77<wbr>0832f4a87f)
while getting object identified by ConnId
UID 'fcda49c9-ec77-499e-a39b-70c15<wbr>82d8051':
Invalid DN 'username': ERR_04202 A value
is missing on some RDN</font></div>
<div><font face="monospace, monospace">org.identityconnectors.framewo<wbr>rk.common.exceptions.InvalidAt<wbr>tributeValueException:
Invalid DN 'username': ERR_04202 A value
is missing on some RDN</font></div>
<div><font face="monospace, monospace">
at
com.evolveum.polygon.connector<wbr>.ldap.schema.AbstractSchemaTra<wbr>nslator.toDn(AbstractSchemaTra<wbr>nslator.java:1389)</font></div>
<div><font face="monospace, monospace">
at
com.evolveum.polygon.connector<wbr>.ldap.schema.AbstractSchemaTra<wbr>nslator.toDn(AbstractSchemaTra<wbr>nslator.java:1372)</font></div>
<div><font face="monospace, monospace">
at
com.evolveum.polygon.<a href="http://connector.ldap.ad" target="_blank">connector<wbr>.ldap.ad</a>.AdLdapConnector.<wbr>searchByUid(AdLdapConnector.<wbr>java:246)</font></div>
<div><font face="monospace, monospace">
at
com.evolveum.polygon.connector<wbr>.ldap.AbstractLdapConnector.ex<wbr>ecuteQuery(AbstractLdapConnect<wbr>or.java:464)</font></div>
<div><font face="monospace, monospace">
at
com.evolveum.polygon.connector<wbr>.ldap.AbstractLdapConnector.ex<wbr>ecuteQuery(AbstractLdapConnect<wbr>or.java:124)</font></div>
<div><font face="monospace, monospace">
at
org.identityconnectors.framewo<wbr>rk.impl.api.local.operations.<wbr>SearchImpl.rawSearch(<wbr>SearchImpl.java:193)</font></div>
<div><font face="monospace, monospace">
at
org.identityconnectors.framewo<wbr>rk.impl.api.local.operations.<wbr>SearchImpl.search(SearchImpl.<wbr>java:130)</font></div>
<div><font face="monospace, monospace">
at sun.reflect.GeneratedMethodAcc<wbr>essor1348.invoke(Unknown
Source)</font></div>
<div><font face="monospace, monospace">
at
sun.reflect.DelegatingMethodAc<wbr>cessorImpl.invoke(DelegatingMe<wbr>thodAccessorImpl.java:43)</font></div>
<div><font face="monospace, monospace">
at java.lang.reflect.Method.invok<wbr>e(Method.java:498)</font></div>
<div><font face="monospace, monospace">
at
org.identityconnectors.framewo<wbr>rk.impl.api.local.operations.C<wbr>onnectorAPIOperationRunnerProx<wbr>y.invoke(ConnectorAPIOperation<wbr>RunnerProxy.java:98)</font></div>
<div><font face="monospace, monospace">
at com.sun.proxy.$Proxy223.search<wbr>(Unknown
Source)</font></div>
<div><font face="monospace, monospace">
at
org.identityconnectors.framewo<wbr>rk.impl.api.local.operations.<wbr>GetImpl.getObject(GetImpl.<wbr>java:67)</font></div>
<div><font face="monospace, monospace">
at sun.reflect.GeneratedMethodAcc<wbr>essor1314.invoke(Unknown
Source)</font></div>
<div><font face="monospace, monospace">
at
sun.reflect.DelegatingMethodAc<wbr>cessorImpl.invoke(DelegatingMe<wbr>thodAccessorImpl.java:43)</font></div>
<div><font face="monospace, monospace">
at java.lang.reflect.Method.invok<wbr>e(Method.java:498)</font></div>
<div><font face="monospace, monospace">
at
org.identityconnectors.framewo<wbr>rk.impl.api.local.operations.T<wbr>hreadClassLoaderManagerProxy.i<wbr>nvoke(ThreadClassLoaderManager<wbr>Proxy.java:96)</font></div>
<div><font face="monospace, monospace">
at com.sun.proxy.$Proxy224.getObj<wbr>ect(Unknown
Source)</font></div>
<div><font face="monospace, monospace">
at sun.reflect.GeneratedMethodAcc<wbr>essor1314.invoke(Unknown
Source)</font></div>
<div><font face="monospace, monospace">
at
sun.reflect.DelegatingMethodAc<wbr>cessorImpl.invoke(DelegatingMe<wbr>thodAccessorImpl.java:43)</font></div>
<div><font face="monospace, monospace">
at java.lang.reflect.Method.invok<wbr>e(Method.java:498)</font></div>
<div><font face="monospace, monospace">
at
org.identityconnectors.framewo<wbr>rk.impl.api.DelegatingTimeoutP<wbr>roxy.invoke(DelegatingTimeoutP<wbr>roxy.java:99)</font></div>
</div>
<div><br>
</div>
<div>And we are generating DN this way:</div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace"><attribute
id="3"></font></div>
<div><font face="monospace, monospace">
<c:ref>ri:dn</c:ref></font></div>
<div><font face="monospace, monospace">
<displayName>Distinguished
Name</displayName></font></div>
<div><font face="monospace, monospace">
<limitations></font></div>
<div><font face="monospace, monospace">
<minOccurs>0</minOccurs></font></div>
<div><font face="monospace, monospace">
<access></font></div>
<div><font face="monospace, monospace">
<read>true</read></font></div>
<div><font face="monospace, monospace">
<add>true</add></font></div>
<div><font face="monospace, monospace">
<modify>true</modify></font></div>
<div><font face="monospace, monospace">
</access></font></div>
<div><font face="monospace, monospace">
</limitations></font></div>
<div><font face="monospace, monospace">
<matchingRule xmlns:mr="<a href="http://prism.evolveum.com/xml/ns/public/matching-rule-3" target="_blank">http://prism.evolveu<wbr>m.com/xml/ns/public/matching-<wbr>rule-3</a>">mr:distinguishedName</<wbr>matchingRule></font></div>
<div><font face="monospace, monospace">
<outbound></font></div>
<div><font face="monospace, monospace">
<strength>strong</strength></font></div>
<div><font face="monospace, monospace">
<source></font></div>
<div><font face="monospace, monospace">
<c:path>$user/fullName</c:pat<wbr>h></font></div>
<div><font face="monospace, monospace">
</source></font></div>
<div><font face="monospace, monospace">
<source></font></div>
<div><font face="monospace, monospace">
<c:path>$user/locality</c:pat<wbr>h></font></div>
<div><font face="monospace, monospace">
</source></font></div>
<div><font face="monospace, monospace">
<source></font></div>
<div><font face="monospace, monospace">
<c:path>$user/activation/effe<wbr>ctiveStatus</c:path></font></div>
<div><font face="monospace, monospace">
</source></font></div>
<div><font face="monospace, monospace">
<expression></font></div>
<div><font face="monospace, monospace">
<script xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2<wbr>001/XMLSchema-instance</a>"</font></div>
<div><font face="monospace, monospace">
xsi:type="c:ScriptExpressionE<wbr>valuatorType"></font></div>
<div><font face="monospace, monospace">
<code></font></div>
<div><font face="monospace, monospace">
if (effectiveStatus?.value.toStri<wbr>ng().toLowerCase().equals('<wbr>disabled'))</font></div>
<div><font face="monospace, monospace">
{</font></div>
<div><font face="monospace, monospace">
return
basic.composeDnWithSuffix('CN'<wbr>,
fullName, 'OU=Disabled,OU=People,DC=<span style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">exam<wbr>ple</span>,DC=net');</font></div>
<div><font face="monospace, monospace">
} else {</font></div>
<div><font face="monospace, monospace">
if (locality.toString().toLowerCa<wbr>se()
== "argentina") {</font></div>
<div><font face="monospace, monospace">
return
basic.composeDnWithSuffix('CN'<wbr>,
fullName, 'OU=AR,OU=People,DC=<span style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">example</span>,DC<wbr>=net')</font></div>
<div><font face="monospace, monospace">
} else {</font></div>
<div><font face="monospace, monospace">
return
basic.composeDnWithSuffix('CN'<wbr>,
fullName, 'OU=People,DC=<span style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">example</span>,DC=net')</font></div>
<div><font face="monospace, monospace">
}</font></div>
<div><font face="monospace, monospace">
}</font></div>
<div><font face="monospace, monospace">
</code></font></div>
<div><font face="monospace, monospace">
</script></font></div>
<div><font face="monospace, monospace">
</expression></font></div>
<div><font face="monospace, monospace">
</outbound></font></div>
<div><font face="monospace, monospace"></attribute></font></div>
</div>
<div><font face="monospace, monospace"><br>
</font></div>
<div><font face="monospace, monospace">Thanks in
advance!</font></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2018-06-01 18:01
GMT-03:00 Ezequiel Alonso <span dir="ltr"><<a href="mailto:ealonso@identicum.com" target="_blank">ealonso@identicum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>We are working with "<i>ad-ldap-medusa-medium</i>"
resource synchronizing midPoint users
against existing AD accounts as part of
the initial migration.</div>
<div><br>
</div>
<div>Newest AD accounts should be on "<i>OU=People,DC=example,DC=net</i>"
and older accounts maybe already placed
on many different DNs on "<i>OU=UnpredictableOfficeNumber,<wbr>OU=People,DC=example,DC=net</i>"</div>
<div><br>
</div>
<div>We have already created the users on
midPoint taking into account that the
correlation matching rule is user/name
== sAMAccountName. So, at this point we
can see that the shadow users are
presented as unlinked.</div>
<div><br>
</div>
<div>If the account DN is equal to the
resource mapping generated DN, the
account gets linked when we assign the
resource to the user. But if the
existing account DN is not equal to the
resource generated DN (For example,
resource is generating "<i>CN=User123,OU=People,DC=examp<wbr>le,DC=net</i>"
but the account exist on "<i>CN=User123,OU=Office123,OU=Pe<wbr>ople,DC=example,DC=net</i>"),
we are getting the following issue when
we assign the AD resource to the user:</div>
<div>midPoint is not linking the account
and it tries to create the user in "<i>CN=User123,OU=People,DC=examp<wbr>le,DC=net</i>"
instead of modifying the user DN to "<i>CN=User123,OU=People,DC=examp<wbr>le,DC=net</i>"
(we added strength strong to dn mapping
and we also tested with strength weak),
so we are getting the next error
message:</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">"<i>Couldn't
add object. Object already exists:
Object already exists on the resource</i>".</blockquote>
<div><br>
</div>
<div>It's strange because if we import the
account manually from the resource, it
is linking midPoint user with AD account
and modifying the DN.</div>
<div><br>
</div>
<div>Our goal is to link existing midPoint
user with existing AD account by
matching name against sAMAccountName and
override the unpredictable and unknown
DN with a more friendly DN, if its
possible or at least link the user
without modifying the DN.</div>
<span class="m_1041481195061437510m_-7469955683806945634HOEnZb"><font color="#888888">
<div><br>
</div>
-- <br>
<div class="m_1041481195061437510m_-7469955683806945634m_-5143521348802394237gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div><b style="font-family:arial,helvetica,sans-serif;font-size:14.4px;color:rgb(68,68,68)">Ezequiel
Alonso</b><br>
</div>
<div><font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999">Identicum
S.A.</font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999"><a href="https://maps.google.com/?q=Jorge+Newbery+3226" style="color:rgb(17,85,204)" target="_blank">Jorge
Newbery 3226, Buenos
Aires, Argentina</a></font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999">Tel:
+54 (11) 4552-3050</font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999"><a href="http://www.identicum.com/" style="color:rgb(17,85,204)" target="_blank">www.identicum.com</a></font><font size="1" face="verdana,
sans-serif" color="#999999"><br>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</font></span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="m_1041481195061437510m_-7469955683806945634gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div><b style="font-family:arial,helvetica,sans-serif;font-size:14.4px;color:rgb(68,68,68)">Ezequiel
Alonso</b><br>
</div>
<div><font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999">Identicum S.A.</font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999"><a href="https://maps.google.com/?q=Jorge+Newbery+3226" style="color:rgb(17,85,204)" target="_blank">Jorge
Newbery 3226, Buenos Aires,
Argentina</a></font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999">Tel: +54
(11) 4552-3050</font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999"><a href="http://www.identicum.com/" style="color:rgb(17,85,204)" target="_blank">www.identicum.com</a></font><font size="1" face="verdana,
sans-serif" color="#999999"><br>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="m_1041481195061437510m_-7469955683806945634mimeAttachmentHeader"></fieldset>
<br>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_1041481195061437510m_-7469955683806945634moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_1041481195061437510m_-7469955683806945634moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
<br>
<fieldset class="m_1041481195061437510m_-7469955683806945634mimeAttachmentHeader"></fieldset>
<br>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_1041481195061437510m_-7469955683806945634moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_1041481195061437510m_-7469955683806945634moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</div>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="m_1041481195061437510gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div><b style="font-family:arial,helvetica,sans-serif;font-size:14.4px;color:rgb(68,68,68)">Ezequiel
Alonso</b><br>
</div>
<div><font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999">Identicum S.A.</font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999"><a href="https://maps.google.com/?q=Jorge+Newbery+3226" style="color:rgb(17,85,204)" target="_blank">Jorge Newbery 3226,
Buenos Aires, Argentina</a></font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999">Tel: +54 (11) 4552-3050</font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px">
<font style="font-family:arial,helvetica,sans-serif;font-size:14.4px" color="#999999"><a href="http://www.identicum.com/" style="color:rgb(17,85,204)" target="_blank">www.identicum.com</a></font><font size="1" face="verdana, sans-serif" color="#999999"><br>
</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="m_1041481195061437510mimeAttachmentHeader"></fieldset>
<br>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_1041481195061437510moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_1041481195061437510moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div></div><span class="HOEnZb"><font color="#888888"><pre class="m_1041481195061437510moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span></div>
<br>______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><b style="font-family:arial,helvetica,sans-serif;font-size:14.4px;color:rgb(68,68,68)">Ezequiel Alonso</b><br></div><div><font color="#999999" style="font-family:arial,helvetica,sans-serif;font-size:14.4px">Identicum S.A.</font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px"><font color="#999999" style="font-family:arial,helvetica,sans-serif;font-size:14.4px"><a href="https://maps.google.com/?q=Jorge+Newbery+3226" style="color:rgb(17,85,204)" target="_blank">Jorge Newbery 3226, Buenos Aires, Argentina</a></font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px"><font color="#999999" style="font-family:arial,helvetica,sans-serif;font-size:14.4px">Tel: +54 (11) 4552-3050</font><br style="font-family:arial,helvetica,sans-serif;font-size:14.4px"><font color="#999999" style="font-family:arial,helvetica,sans-serif;font-size:14.4px"><a href="http://www.identicum.com/" style="color:rgb(17,85,204)" target="_blank">www.identicum.com</a></font><font color="#999999" face="verdana, sans-serif" size="1"><br></font></div></div></div></div></div></div></div>
</div>