<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
p.xmsonormal0, li.xmsonormal0, div.xmsonormal0
{mso-style-name:x_msonormal0;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
p.xmsochpdefault, li.xmsochpdefault, div.xmsochpdefault
{mso-style-name:x_msochpdefault;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
p.xmsonormal1, li.xmsonormal1, div.xmsonormal1
{mso-style-name:x_msonormal1;
mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
p.xmsonormal01, li.xmsonormal01, div.xmsonormal01
{mso-style-name:x_msonormal01;
mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
p.xmsochpdefault1, li.xmsochpdefault1, div.xmsochpdefault1
{mso-style-name:x_msochpdefault1;
mso-style-priority:99;
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
color:black;}
span.xmsohyperlink
{mso-style-name:x_msohyperlink;}
span.xmsohyperlinkfollowed
{mso-style-name:x_msohyperlinkfollowed;}
span.xemailstyle20
{mso-style-name:x_emailstyle20;}
span.xmsohyperlink1
{mso-style-name:x_msohyperlink1;
color:blue;
text-decoration:underline;}
span.xmsohyperlinkfollowed1
{mso-style-name:x_msohyperlinkfollowed1;
color:purple;
text-decoration:underline;}
span.xemailstyle201
{mso-style-name:x_emailstyle201;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle31
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas",serif;
color:black;}
span.EmailStyle35
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi Ivan,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">We are using DatabaseTableConnector with a SQL View as our resource. It contains an initial password for each user and is designated as the password column in
the configuration. Yes, this was populated for the import even though we don’t want it to change the password in AD at this point. Once these are imported and linked we want to turn on live sync using a Change Log Column to automatically update and add accounts
from the resource. We would only want the initial password to update midpoint and assigned accounts when a new person is added.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">--Rod<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> midPoint <midpoint-bounces@lists.evolveum.com>
<b>On Behalf Of </b>Ivan Noris<br>
<b>Sent:</b> Monday, June 10, 2019 2:43 AM<br>
<b>To:</b> midpoint@lists.evolveum.com<br>
<b>Subject:</b> Re: [midPoint] Link current HR account to existing AD account<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi Rod,<o:p></o:p></p>
<p>as Chris said, weak would be ok. But I think also normal should not attempt to change the password. Normal means, there is a change.<o:p></o:p></p>
<p>Are the passwords being changed in midpoint as well during the import? (E.g. are they generated in HR resource inbounds or object template?)<o:p></o:p></p>
<p>Ivan<o:p></o:p></p>
<div>
<p class="MsoNormal">On 9. 6. 2019 17:49, Rod Holman wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi Chris,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The strength was set to Normal. I will try it with it set to weak. Would it also work if the credentials configuration or password were temporarily disabled
in capabilities?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">--Rod</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> midPoint
<a href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a>
<b>On Behalf Of </b>Chris Woods<br>
<b>Sent:</b> Sunday, June 9, 2019 10:48 AM<br>
<b>To:</b> midPoint General Discussion <a href="mailto:midpoint@lists.evolveum.com">
<midpoint@lists.evolveum.com></a><br>
<b>Subject:</b> Re: [midPoint] Link current HR account to existing AD account</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Hi Rod, <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">what is the strength setting set to for the outbound credentials mapping? I would set it to weak. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Regards, <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Chris<o:p></o:p></p>
</div>
<div id="aqm-original">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:8.0pt;margin-right:0in;margin-bottom:8.0pt;margin-left:0in">
<span style="font-size:10.0pt;font-family:"Arial",sans-serif">Am 9. Juni 2019 16:09:41 schrieb Rod Holman <<a href="mailto:rholman@oaisd.org">rholman@oaisd.org</a>>:</span><o:p></o:p></p>
<blockquote style="border:none;border-left:solid gray 1.0pt;padding:0in 0in 0in 5.0pt;margin-left:4.5pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div id="divtagdefaultwrapper">
<p class="MsoNormal">Hi All,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Since this is related I thought I'd post my question on this stream. When we imported hr accounts in an attempt to link them with existing Active Directory accounts some (not all) of the Active Directory passwords changed. We do not want
any Active Directory passwords to change during the import, but still want the users to be added to Active Directory groups if applicable. What do we have to set to insure that all Active Directory accounts maintain their passwords on this type of import?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">--Rod<o:p></o:p></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="3" width="98%" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif">From:</span></b><span style="font-family:"Calibri",sans-serif"> midPoint <<a href="mailto:midpoint-bounces@lists.evolveum.com">midpoint-bounces@lists.evolveum.com</a>> on behalf of Rod Holman
<<a href="mailto:rholman@oaisd.org">rholman@oaisd.org</a>><br>
<b>Sent:</b> Friday, March 15, 2019 1:28:46 PM<br>
<b>To:</b> midPoint General Discussion<br>
<b>Subject:</b> Re: [midPoint] Link current HR account to existing AD account</span>
<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks Arnost. I guess that’s the question I should have asked Jason, should we also import from AD? After I set up the import from AD and imported the user
everything synced. </span><o:p></o:p></p>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks to all who pitched in to help!</span><o:p></o:p></p>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">--Rod</span><o:p></o:p></p>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> midPoint <<a href="mailto:midpoint-bounces@lists.evolveum.com">midpoint-bounces@lists.evolveum.com</a>>
<b>On Behalf Of </b>Arnošt Starosta - AMI Praha a.s.<br>
<b>Sent:</b> Friday, March 15, 2019 1:01 PM<br>
<b>To:</b> midPoint General Discussion <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>><br>
<b>Subject:</b> Re: [midPoint] Link current HR account to existing AD account</span><o:p></o:p></p>
<p class="xmsonormal1"> <o:p></o:p></p>
<div>
<p class="xmsonormal1">Hi Rod,<o:p></o:p></p>
<div>
<p class="xmsonormal1"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal1">as Jason pointed out you should first import or reconcile your AD accounts. Does your problem happen when importing from or reconciling AD resource? If your correlation rule is ok, midpoint should find the corresponding identities and
link the existing AD accounts.<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal1"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal1">Also reaction unmatched -> addFocus in your config seems to be wrong - you don't want to create identities from AD accounts but from HR accounts, right?<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal1"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal1">arnost<o:p></o:p></p>
</div>
</div>
<p class="xmsonormal1"> <o:p></o:p></p>
<div>
<div>
<p class="xmsonormal1">pá 15. 3. 2019 v 17:16 odesílatel Rod Holman <<a href="mailto:rholman@oaisd.org">rholman@oaisd.org</a>> napsal:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks for the quick response, but that didn’t work. In my previous post I stated we are adding the AD resource to the user via inducement. I meant projection.</span><o:p></o:p></p>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">By the way, we are already successfully importing (in test) new HR users and they are being added to AD. That works great! It’s just this initial synchronization
of current users.</span><o:p></o:p></p>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">--Rod</span><o:p></o:p></p>
</div>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="xmsonormal1"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> midPoint <<a href="mailto:midpoint-bounces@lists.evolveum.com" target="_blank">midpoint-bounces@lists.evolveum.com</a>>
<b>On Behalf Of </b>Gruber, Michael<br>
<b>Sent:</b> Friday, March 15, 2019 12:02 PM<br>
<b>To:</b> midPoint General Discussion <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br>
<b>Subject:</b> Re: [midPoint] Link current HR account to existing AD account</span><o:p></o:p></p>
</div>
</div>
<p class="xmsonormal1"> <o:p></o:p></p>
<p class="xmsonormal1"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1F497D">Maybe you have to add a matching rule</span><o:p></o:p></p>
<p class="xmsonormal1"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1F497D"><q:equal></span><o:p></o:p></p>
<p class="xmsonormal1"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1F497D"> <q:matching><a href="http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm%3C/q:matching" target="_blank">http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching</a>></span><o:p></o:p></p>
<p class="xmsonormal1"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1F497D"> <q:path>c:name</q:path></span><o:p></o:p></p>
<p class="xmsonormal1"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1F497D"> [..]</span><o:p></o:p></p>
<p class="xmsonormal1"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="xmsonormal1"><b><span lang="DE" style="font-size:10.0pt;font-family:"Tahoma",sans-serif">Von:</span></b><span lang="DE" style="font-size:10.0pt;font-family:"Tahoma",sans-serif"> midPoint [<a href="mailto:midpoint-bounces@lists.evolveum.com" target="_blank">mailto:midpoint-bounces@lists.evolveum.com</a>]
<b>Im Auftrag von </b>Rod Holman<br>
<b>Gesendet:</b> Freitag, 15. März 2019 16:33<br>
<b>An:</b> midPoint General Discussion<br>
<b>Betreff:</b> Re: [midPoint] Link current HR account to existing AD account</span><o:p></o:p></p>
</div>
</div>
<p class="xmsonormal1"><span lang="DE"> </span><o:p></o:p></p>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">We are only working with one user until successful then will add the rest. We imported the HR user into Midpoint and are now trying to sync by adding Medusa
Active Directory to that user via inducement. We do not have the AD resource set up for importing. The HR resource name value is the same as the samaccountname value for that user in AD.</span><o:p></o:p></p>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">--Rod</span><o:p></o:p></p>
<p class="xmsonormal1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> midPoint <<a href="mailto:midpoint-bounces@lists.evolveum.com" target="_blank">midpoint-bounces@lists.evolveum.com</a>>
<b>On Behalf Of </b>Jason Everling<br>
<b>Sent:</b> Friday, March 15, 2019 11:16 AM<br>
<b>To:</b> midPoint General Discussion <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br>
<b>Subject:</b> Re: [midPoint] Link current HR account to existing AD account</span><o:p></o:p></p>
<p class="xmsonormal1"> <o:p></o:p></p>
<div>
<p class="xmsonormal1">So you imported all your AD users into midpoint already and then trying to import/link the HR users? Or you imported the HR users and trying to import/link the AD users? What does the resource contain for name and/or dn ?<o:p></o:p></p>
<div>
<p class="xmsonormal1"><br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<p class="xmsonormal1"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class="xmsonormal1"> <o:p></o:p></p>
<div>
<div>
<p class="xmsonormal1">On Fri, Mar 15, 2019 at 8:52 AM Rod Holman <<a href="mailto:rholman@oaisd.org" target="_blank">rholman@oaisd.org</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="xmsonormal1">Hi All,<o:p></o:p></p>
<p class="xmsonormal1"> <o:p></o:p></p>
<p class="xmsonormal1">For our initial implementation of Midpoint we want to link existing accounts from our HR input to their existing accounts in active directory. After they are synced we want to have Midpoint add/sync users from HR to AD. As a test we
are trying to link an existing HR account to an existing AD account. When we do this an attempt is made to add the account to AD no matter what we try causing an AlreadyExistsException error. Below is our object synchronization for the account. Is it possible
that the correlation is never matching the two accounts? We tried both $account and $shadow in the correlation path. We know that the “Name” attribute in the HR account is the same as sAMAccountName in AD. Is there something we’re doing wrong here?<o:p></o:p></p>
<p class="xmsonormal1"> <o:p></o:p></p>
<p class="xmsonormal1"><objectSynchronization><o:p></o:p></p>
<p class="xmsonormal1"> <name>Account sync</name><o:p></o:p></p>
<p class="xmsonormal1"> <objectClass>ri:user</objectClass><o:p></o:p></p>
<p class="xmsonormal1"> <kind>account</kind><o:p></o:p></p>
<p class="xmsonormal1"> <intent>default</intent><o:p></o:p></p>
<p class="xmsonormal1"> <enabled>true</enabled><o:p></o:p></p>
<p class="xmsonormal1"> <correlation><o:p></o:p></p>
<p class="xmsonormal1"> <q:equal><o:p></o:p></p>
<p class="xmsonormal1"> <q:path>c:name</q:path><o:p></o:p></p>
<p class="xmsonormal1"> <expression xmlns=""><o:p></o:p></p>
<p class="xmsonormal1"> <path>$account/attributes/ri:sAMAccountName</path><o:p></o:p></p>
<p class="xmsonormal1"> </expression><o:p></o:p></p>
<p class="xmsonormal1"> </q:equal><o:p></o:p></p>
<p class="xmsonormal1"> </correlation><o:p></o:p></p>
<p class="xmsonormal1"> <reconcile>false</reconcile><o:p></o:p></p>
<p class="xmsonormal1"> <reaction><o:p></o:p></p>
<p class="xmsonormal1"> <situation>linked</situation><o:p></o:p></p>
<p class="xmsonormal1"> <synchronize>true</synchronize><o:p></o:p></p>
<p class="xmsonormal1"> <reconcile>false</reconcile><o:p></o:p></p>
<p class="xmsonormal1"> </reaction><o:p></o:p></p>
<p class="xmsonormal1"> <reaction><o:p></o:p></p>
<p class="xmsonormal1"> <situation>deleted</situation><o:p></o:p></p>
<p class="xmsonormal1"> <action ref="<a href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</a>"/><o:p></o:p></p>
<p class="xmsonormal1"> </reaction><o:p></o:p></p>
<p class="xmsonormal1"> <reaction><o:p></o:p></p>
<p class="xmsonormal1"> <situation>unlinked</situation><o:p></o:p></p>
<p class="xmsonormal1"> <reconcile>false</reconcile><o:p></o:p></p>
<p class="xmsonormal1"> <action><o:p></o:p></p>
<p class="xmsonormal1"> <handlerUri><a href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</a></handlerUri><o:p></o:p></p>
<p class="xmsonormal1"> </action><o:p></o:p></p>
<p class="xmsonormal1"> </reaction><o:p></o:p></p>
<p class="xmsonormal1"> <reaction><o:p></o:p></p>
<p class="xmsonormal1"> <situation>unmatched</situation><o:p></o:p></p>
<p class="xmsonormal1"> <reconcile>false</reconcile><o:p></o:p></p>
<p class="xmsonormal1"> <action><o:p></o:p></p>
<p class="xmsonormal1"> <handlerUri><a href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</a></handlerUri><o:p></o:p></p>
<p class="xmsonormal1"> </action><o:p></o:p></p>
<p class="xmsonormal1"> </reaction><o:p></o:p></p>
<p class="xmsonormal1"> </objectSynchronization><o:p></o:p></p>
<p class="xmsonormal1"> <o:p></o:p></p>
<p class="xmsonormal1">Thank You,<o:p></o:p></p>
<p class="xmsonormal1">Rod Holman<o:p></o:p></p>
<p class="xmsonormal1"> <o:p></o:p></p>
</div>
</div>
<p class="xmsonormal1">_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></p>
</blockquote>
</div>
<p class="xmsonormal1"><span lang="DE">WWK Lebensversicherung a. G., Vorstand: Jürgen Schrameier (V.), Rainer Gebhart (stv. V.), Dirk Fassott; Vorsitzender des Aufsichtsrats: Dr. Frank Schindelhauer, Sitz München, Registergericht München HR B 211; WWK Allgemeine
Versicherung AG, Vorstand: Jürgen Schrameier (V.), Rainer Gebhart (stv. V.), Dirk Fassott; Vorsitzender des Aufsichtsrats: Prof. Dr. Peter Reiff, Sitz München, Registergericht München HR B 5553; WWK Vermögensverwaltungs und Dienstleistungs GmbH, Geschäftsführer:
Karl Ruffing, Stefan Sedlmeir, Sitz München, Registergericht München HR B 76323; WWK Pensionsfonds AG, Vorstand: Ansgar Eckert, Karl Ruffing, Heinrich Schüppert; Vorsitzender des Aufsichtsrats: Dirk Fassott, Sitz München, Registergericht München HR B 146295;
Hausanschrift: Marsstraße 37, 80335 München; WWK Investment S.A., Verwaltungsrat: Karl Ruffing (V.), Ansgar Eckert, Stefan Schneider (Hauck & Aufhäuser), Handelsregister: R.C. Luxembourg Nr. B 81 270, Sitz der Gesellschaft: 1c, rue Gabriel Lippmann, L-5365
Munsbach </span><o:p></o:p></p>
</div>
</div>
<p class="xmsonormal1">_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></p>
</blockquote>
</div>
<p class="xmsonormal1"><br clear="all">
<o:p></o:p></p>
<div>
<p class="xmsonormal1"> <o:p></o:p></p>
</div>
<p class="xmsonormal1">-- <o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Arnošt Starosta</span></strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><br>
</span><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:gray">solution architect</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial",sans-serif">gsm: [+420] 603 794 932<br>
e‑mail: <a href="mailto:arnost.starosta@ami.cz" target="_blank">arnost.starosta@ami.cz</a></span><o:p></o:p></p>
<p class="MsoNormal"><strong><span style="font-size:8.5pt;font-family:"Arial",sans-serif">AMI Praha a.s.</span></strong><span style="font-size:8.5pt;font-family:"Arial",sans-serif"><br>
Pláničkova 11, 162 00 Praha 6</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial",sans-serif">tel.: [+420] 274 783 239 | web: <a href="https://www.ami.cz" target="_blank">www.ami.cz</a></span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:15.0pt"><span style="font-size:7.5pt;font-family:"Verdana",sans-serif"><img border="0" id="x__x005f_x0000_i1025" src="http://www.ami.cz/images/podpis/ami_logo.gif" alt="AMI Praha a.s."></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#AAAAAA">Textem tohoto e‑mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s.<br>
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu.<br>
</span><span style="font-size:4.5pt;font-family:"Arial",sans-serif;color:#AAAAAA"> </span><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#AAAAAA"><br>
Tento e‑mail je určen výhradně pro potřeby jeho adresáta/ů a může obsahovat důvěrné nebo osobní<br>
informace. Nejste‑li zamýšleným příjemcem, je zakázáno jakékoliv zveřejňování, zprostředkování<br>
nebo jiné použití těchto informací. Pokud jste obdrželi e‑mail neoprávněně, informujte o tom prosím<br>
odesílatele a vymažte neprodleně všechny kopie tohoto e‑mailu včetně všech jeho příloh. Nakládáním<br>
s neoprávněně získanými informacemi se vystavujete riziku právního postihu.</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal">_______________________________________________<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">midPoint mailing list<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="mailto:midPoint%40lists.evolveum.com">midPoint@lists.evolveum.com</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></p>
</div>
</blockquote>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>midPoint mailing list<o:p></o:p></pre>
<pre><a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><o:p></o:p></pre>
<pre><a href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></pre>
</blockquote>
<pre>-- <o:p></o:p></pre>
<pre>Ivan Noris<o:p></o:p></pre>
<pre>Senior Identity Engineer<o:p></o:p></pre>
<pre>evolveum.com<o:p></o:p></pre>
</div>
</body>
</html>