<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello Petr,</p>
<p>let me try to answer your question. I do not have much experience
in this area, but ... let me give the best I can.</p>
<p><u>As for approach </u><u><b>one</b></u><u> ("</u><u>set search
timeout to 1ms in XML resource definition")</u></p>
<p>
<blockquote type="cite">is hashed password delta safe this way?</blockquote>
If you mean the deltas with password change, that are being sent
to the resource, I assume these are stored in "pending operations"
with password encrypted (not hashed). So they should be re-applied
after resource going online. But this would need to be tried.</p>
<p><u>As for approach </u><u><b>two</b></u><u> ("</u><u>set
consistency/connectorErrorCriticality to ignore for generic,
network and configuration")</u></p>
<p>
<blockquote type="cite">will the deltas be cached?</blockquote>
I have no idea. This needs to be experimented with.</p>
<p><u>As for approach </u><u><b>three</b></u><u> ("delete resource
object (and upload again afterward)")</u></p>
<p>
<blockquote type="cite">
<ul>
<li>will the deltas be cached?</li>
</ul>
</blockquote>
Almost certainly not.<br>
<blockquote type="cite">
<ul>
<li>how will the projections work?</li>
</ul>
</blockquote>
They will not (AFAIK). The projector would simply loudly complain
about the situation and won't do almost nothing.</p>
<p><u>As for approach </u><u><b>four</b></u><u> ("resource assigned
only via inducements")</u></p>
<p>This is really interesting idea.<br>
</p>
<p>
<blockquote type="cite">
<ul>
<li>will the errors be gone?</li>
</ul>
</blockquote>
I am not sure. I assume midPoint would try to remove now-obsolete
(from its point of view) accounts from the users, and this would
generate errors in itself.<br>
<blockquote type="cite">
<ul>
<li>where to put the flag to?</li>
</ul>
</blockquote>
It depends on how you would like to manage it. You could use e.g.
a server file to signal this.<br>
<blockquote type="cite">
<ul>
<li>how will assignemnts work in this enviroment? will shadows
be preserved?</li>
</ul>
</blockquote>
Shadows will be probably deleted. Assignments will stay. After
resource is online, they would get synchronized. (Except for
passwords, if you do not store their values in user records.)</p>
<p>A colleague of mine suggested also an approach to create a fake
resource with the same schema. Then, of course, changes would get
redirected to it (so they would get lost, or needed to be manually
synchronized). After original resource is online, a reconciliation
would synchronize user objects with resource objects, except for
passwords.</p>
<p>--</p>
<p>A second suggestion of him was to temporarily replace a connector
with a manual one. I have almost no experiences in this area, so
cannot tell if this could work. Probably yes. :)</p>
<p>---</p>
<p>
<blockquote type="cite">I think this is good candidate for <a
href="https://wanted.evolveum.com">wanted.evolveum.com</a>, if
we can gather enough votes.</blockquote>
Probably so. I don't know much about this mechanism.</p>
<p><br>
<blockquote type="cite"> On other side, I can't shatter the
feeling that midPoint _should_have_ this solved.</blockquote>
Definitely yes. But... there is a lot of things that midPoint
"should have" solved. All of us are intensively working on them.
You know :)</p>
<p>Best regards and nice Sunday :-)<br>
</p>
<pre class="moz-signature" cols="72">--
Pavol Mederly
Software developer
evolveum.com
</pre>
<p><br>
<blockquote type="cite">
<div class="moz-text-html" lang="x-unicode">
<div dir="ltr">
<div dir="ltr">Hi guys,</div>
<div>I am looking for your experience with dealing with
temporarily offline systems.</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">It means, we know they will be offline for
week or so. We are trying to find best way to deal with
this. Why we are doing that - motivators:</div>
<div>
<ul>
<li>with system being offline, midpoint still tries to
reach it</li>
<li>this tries generate ERRORs, which clogs audit log</li>
<li>plus, corresponding reconciliations and recomputes
are delayed by timeouts</li>
</ul>
<div><br>
</div>
<div>So far, we have developed three theoretical
approaches, but <b>none solves "too much errors in
audit log" challenge</b><br>
</div>
<div><br>
</div>
<div>Approach one:</div>
<div>
<ul>
<li>set search timeout to 1ms in XML resource
definition</li>
<li>pros: </li>
<ul>
<li>changes are cached</li>
</ul>
<li>cons: </li>
<ul>
<li>admin unfriendly</li>
<li>midPoint still generates timeout errors </li>
</ul>
<li>question:</li>
<ul>
<li>is hashed password delta safe this way?</li>
</ul>
</ul>
<div>Approach two:</div>
</div>
<div>
<ul>
<li>set consistency/connectorErrorCriticality to
ignore for generic, network and configuration</li>
<li>cons:</li>
<ul>
<li>admin unfriendly</li>
<li>midPoint still generates timeout errors </li>
</ul>
<li>question:</li>
<ul>
<li>will the deltas be cached?¨</li>
</ul>
</ul>
<div>Approach three:</div>
</div>
<div>
<ul>
<li>delete resource object (and upload again
afterward)</li>
<li>pros:</li>
<ul>
<li>admin friendly</li>
</ul>
<li>questions:</li>
<ul>
<li>will the deltas be cached?</li>
<li>how will the projections work?</li>
</ul>
</ul>
<div>Approcach four:</div>
</div>
<div>
<ul>
<li>resource assigned only via inducements</li>
<li>inducements conditioned by flag
"resourceXisOnline"</li>
<li>pros:</li>
<ul>
<li>admin friendly</li>
</ul>
<li>cons:</li>
<ul>
<li>deltas are not probably cached</li>
</ul>
<li>question:</li>
<ul>
<li>will the errors be gone?</li>
<li>where to put the flag to?</li>
<li>how will assignemnts work in this enviroment?
will shadows be preserved?</li>
</ul>
</ul>
<div><br>
</div>
<div>What are your experiences, guys?</div>
</div>
<div>I think this is good candidate for <a
href="https://wanted.evolveum.com">wanted.evolveum.com</a>,
if we can gather enough votes. On other side, I can't
shatter the feeling that midPoint _should_have_ this
solved.</div>
</div>
<div dir="ltr">
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<p><span
style="font-family:Arial,sans-serif;font-size:10pt">--</span></p>
<p><span
style="font-family:Arial,sans-serif;font-size:10pt">regards</span></p>
<div
style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:13px">
<p><strong>Petr Gašparík</strong><br>
<span
style="font-size:11px;color:rgb(128,128,128)">solution
architect</span></p>
</div>
<p
style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px">gsm:
[+420] 603 523 860<br>
e‑mail: <a
href="mailto:petr.gasparik@ami.cz"
target="_blank">petr.gasparik@ami.cz</a></p>
<p
style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px"><strong>AMI
Praha a.s.</strong><br>
Pláničkova 11, 162 00 Praha 6</p>
<p
style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px">tel.:
[+420] 274 783 239 | web: <a
href="https://www.ami.cz"
target="_blank">www.ami.cz</a></p>
<p
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;margin-top:20px"><img
src="http://www.ami.cz/images/podpis/ami_logo.gif" alt="AMI Praha a.s."
style="border:0px"></p>
<p
style="font-family:Arial,sans-serif;font-size:11px;color:rgb(170,170,170)">Textem
tohoto e‑mailu podepisující
neslibuje uzavřít ani neuzavírá
za společnost AMI Praha a.s.<br>
jakoukoliv smlouvu. Každá
smlouva, pokud bude uzavřena,
musí mít výhradně písemnou
formu.<br>
<span style="font-size:6px"> </span><br>
Tento e‑mail je určen výhradně
pro potřeby jeho adresáta/ů
a může obsahovat důvěrné
nebo osobní<br>
informace. Nejste‑li zamýšleným
příjemcem, je zakázáno jakékoliv
zveřejňování, zprostředkování<br>
nebo jiné použití těchto
informací. Pokud jste obdrželi
e‑mail neoprávněně, informujte
o tom prosím<br>
odesílatele a vymažte neprodleně
všechny kopie tohoto e‑mailu
včetně všech jeho příloh.
Nakládáním<br>
s neoprávněně získanými
informacemi se vystavujete
riziku právního postihu.</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<div class="moz-text-plain" wrap="true" style="font-family:
-moz-fixed; font-size: 14px;" lang="x-unicode">
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</div>
</blockquote>
<br>
</p>
</body>
</html>