<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Rod,</p>
<p>so the question is what the mapping in the SQL source resource
looks like. Is it really an initial password (meaning: weak mapping)?</p>
<p>Can you share the mapping for credentials/password from your
source resource?</p>
<p>Regards,</p>
<p>Ivan<br>
</p>
<div class="moz-cite-prefix">On 10. 6. 2019 12:34, Rod Holman wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM6PR20MB252189907EA959AED50A3303A5130@DM6PR20MB2521.namprd20.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi
Ivan,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">We
are using DatabaseTableConnector with a SQL View as our
resource. It contains an initial password for each user and
is designated as the password column in the configuration.
Yes, this was populated for the import even though we don’t
want it to change the password in AD at this point. Once
these are imported and linked we want to turn on live sync
using a Change Log Column to automatically update and add
accounts from the resource. We would only want the initial
password to update midpoint and assigned accounts when a new
person is added.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">--Rod<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
midPoint <a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a>
<b>On Behalf Of </b>Ivan Noris<br>
<b>Sent:</b> Monday, June 10, 2019 2:43 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Subject:</b> Re: [midPoint] Link current HR account
to existing AD account<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi Rod,<o:p></o:p></p>
<p>as Chris said, weak would be ok. But I think also normal
should not attempt to change the password. Normal means, there
is a change.<o:p></o:p></p>
<p>Are the passwords being changed in midpoint as well during
the import? (E.g. are they generated in HR resource inbounds
or object template?)<o:p></o:p></p>
<p>Ivan<o:p></o:p></p>
<div>
<p class="MsoNormal">On 9. 6. 2019 17:49, Rod Holman wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi
Chris,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The
strength was set to Normal. I will try it with it set to
weak. Would it also work if the credentials configuration
or password were temporarily disabled in capabilities?</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">--Rod</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
midPoint
<a href="mailto:midpoint-bounces@lists.evolveum.com"
moz-do-not-send="true"><midpoint-bounces@lists.evolveum.com></a>
<b>On Behalf Of </b>Chris Woods<br>
<b>Sent:</b> Sunday, June 9, 2019 10:48 AM<br>
<b>To:</b> midPoint General Discussion <a
href="mailto:midpoint@lists.evolveum.com"
moz-do-not-send="true">
<midpoint@lists.evolveum.com></a><br>
<b>Subject:</b> Re: [midPoint] Link current HR account
to existing AD account</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Hi Rod, <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">what is the strength setting set to
for the outbound credentials mapping? I would set it to
weak. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Regards, <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Chris<o:p></o:p></p>
</div>
<div id="aqm-original">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:8.0pt;margin-right:0in;margin-bottom:8.0pt;margin-left:0in"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif">On 9
June 2019 at 16:09:41, Rod Holman <<a
href="mailto:rholman@oaisd.org"
moz-do-not-send="true">rholman@oaisd.org</a>> wrote:</span><o:p></o:p></p>
<blockquote style="border:none;border-left:solid gray
1.0pt;padding:0in 0in 0in
5.0pt;margin-left:4.5pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div id="divtagdefaultwrapper">
<p class="MsoNormal">Hi All,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Since this is related I
thought I'd post my question on this stream.
When we imported hr accounts in an attempt to
link them with existing Active Directory
accounts some (not all) of the Active Directory
passwords changed. We do not want any Active
Directory passwords to change during the import,
but still want the users to be added to Active
Directory groups if applicable. What do we have
to set to ensure that all Active Directory
accounts maintain their passwords on this type
of import?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">--Rod<o:p></o:p></p>
</div>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr width="98%" size="3" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span
style="font-family:"Calibri",sans-serif">From:</span></b><span
style="font-family:"Calibri",sans-serif"> midPoint <<a
href="mailto:midpoint-bounces@lists.evolveum.com"
moz-do-not-send="true">midpoint-bounces@lists.evolveum.com</a>>
on behalf of Rod Holman <<a
href="mailto:rholman@oaisd.org"
moz-do-not-send="true">rholman@oaisd.org</a>><br>
<b>Sent:</b> Friday, March 15, 2019 1:28:46 PM<br>
<b>To:</b> midPoint General Discussion<br>
<b>Subject:</b> Re: [midPoint] Link current HR
account to existing AD account</span>
<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks
Arnost. I guess that’s the question I
should have asked Jason, should we also
import from AD? After I set up the import
from AD and imported the user everything
synced. </span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks
to all who pitched in to help!</span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">--Rod</span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
midPoint <<a
href="mailto:midpoint-bounces@lists.evolveum.com"
moz-do-not-send="true">midpoint-bounces@lists.evolveum.com</a>>
<b>On Behalf Of </b>Arnošt Starosta - AMI
Praha a.s.<br>
<b>Sent:</b> Friday, March 15, 2019 1:01 PM<br>
<b>To:</b> midPoint General Discussion <<a
href="mailto:midpoint@lists.evolveum.com"
moz-do-not-send="true">midpoint@lists.evolveum.com</a>><br>
<b>Subject:</b> Re: [midPoint] Link current
HR account to existing AD account</span><o:p></o:p></p>
<p class="xmsonormal1"> <o:p></o:p></p>
<div>
<p class="xmsonormal1">Hi Rod,<o:p></o:p></p>
<div>
<p class="xmsonormal1"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal1">as Jason pointed out
you should first import or reconcile your
AD accounts. Does your problem happen when
importing from or reconciling AD resource?
If your correlation rule is ok, midpoint
should find the corresponding identities
and link the existing AD accounts.<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal1"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal1">Also reaction
unmatched -> addFocus in your config
seems to be wrong - you don't want to
create identities from AD accounts but
from HR accounts, right?<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal1"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal1">arnost<o:p></o:p></p>
</div>
</div>
<p class="xmsonormal1"> <o:p></o:p></p>
<div>
<div>
<p class="xmsonormal1">On Fri, 15 Mar 2019
at 17:16, Rod Holman <<a
href="mailto:rholman@oaisd.org"
moz-do-not-send="true">rholman@oaisd.org</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote
style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks
for the quick response, but that
didn’t work. In my previous post I
stated we are adding the AD resource
to the user via inducement. I meant
projection.</span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">By
the way, we are already successfully
importing (in test) new HR users and
they are being added to AD. That
works great! It’s just this initial
synchronization of current users.</span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">--Rod</span><o:p></o:p></p>
</div>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<div
style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0in 0in
0in">
<p class="xmsonormal1"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
midPoint <<a
href="mailto:midpoint-bounces@lists.evolveum.com"
target="_blank"
moz-do-not-send="true">midpoint-bounces@lists.evolveum.com</a>>
<b>On Behalf Of </b>Gruber,
Michael<br>
<b>Sent:</b> Friday, March 15,
2019 12:02 PM<br>
<b>To:</b> midPoint General
Discussion <<a
href="mailto:midpoint@lists.evolveum.com"
target="_blank"
moz-do-not-send="true">midpoint@lists.evolveum.com</a>><br>
<b>Subject:</b> Re: [midPoint]
Link current HR account to
existing AD account</span><o:p></o:p></p>
</div>
</div>
<p class="xmsonormal1"> <o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1F497D"
lang="EN-GB">Maybe you have to add a
matching rule</span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1F497D"
lang="EN-GB"> </span><o:p></o:p></p>
<pre><q:equal>
    <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching>
    <q:path>c:name</q:path>
    [..]</pre>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1F497D"
lang="EN-GB"> </span><o:p></o:p></p>
<div>
<div
style="border:none;border-top:solid
#B5C4DF 1.0pt;padding:3.0pt 0in 0in
0in">
<p class="xmsonormal1"><b><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif"
lang="DE">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif"
lang="DE"> midPoint [<a
href="mailto:midpoint-bounces@lists.evolveum.com"
target="_blank"
moz-do-not-send="true">mailto:midpoint-bounces@lists.evolveum.com</a>]
<b>On Behalf Of </b>Rod
Holman<br>
<b>Sent:</b> Friday, 15
March 2019 16:33<br>
<b>To:</b> midPoint General
Discussion<br>
<b>Subject:</b> Re: [midPoint]
Link current HR account to
existing AD account</span><o:p></o:p></p>
</div>
</div>
<p class="xmsonormal1"><span lang="DE"> </span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">We
are only working with one user until
successful then will add the rest.
We imported the HR user into
Midpoint and are now trying to sync
by adding Medusa Active Directory to
that user via inducement. We do not
have the AD resource set up for
importing. The HR resource name
value is the same as the
samaccountname value for that user
in AD.</span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">--Rod</span><o:p></o:p></p>
<p class="xmsonormal1"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="xmsonormal1"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
midPoint <<a
href="mailto:midpoint-bounces@lists.evolveum.com"
target="_blank"
moz-do-not-send="true">midpoint-bounces@lists.evolveum.com</a>>
<b>On Behalf Of </b>Jason Everling<br>
<b>Sent:</b> Friday, March 15, 2019
11:16 AM<br>
<b>To:</b> midPoint General
Discussion <<a
href="mailto:midpoint@lists.evolveum.com"
target="_blank"
moz-do-not-send="true">midpoint@lists.evolveum.com</a>><br>
<b>Subject:</b> Re: [midPoint] Link
current HR account to existing AD
account</span><o:p></o:p></p>
<p class="xmsonormal1"> <o:p></o:p></p>
<div>
<p class="xmsonormal1">So you imported
all your AD users into midpoint
already and then trying to
import/link the HR users? Or you
imported the HR users and trying to
import/link the AD users? What does
the resource contain for name and/or
dn ?<o:p></o:p></p>
<div>
<p class="xmsonormal1"><br
clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<p class="xmsonormal1"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class="xmsonormal1"> <o:p></o:p></p>
<div>
<div>
<p class="xmsonormal1">On Fri, Mar
15, 2019 at 8:52 AM Rod Holman
<<a
href="mailto:rholman@oaisd.org"
target="_blank"
moz-do-not-send="true">rholman@oaisd.org</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="xmsonormal1">Hi All,<o:p></o:p></p>
<p class="xmsonormal1"> <o:p></o:p></p>
<p class="xmsonormal1">For our
initial implementation of
Midpoint we want to link
existing accounts from our HR
input to their existing
accounts in active directory.
After they are synced we want
to have Midpoint add/sync
users from HR to AD. As a
test we are trying to link an
existing HR account to an
existing AD account. When we
do this an attempt is made to
add the account to AD no
matter what we try causing an
AlreadyExistsException error.
Below is our object
synchronization for the
account. Is it possible that
the correlation is never
matching the two accounts? We
tried both $account and
$shadow in the correlation
path. We know that the “Name”
attribute in the HR account is
the same as sAMAccountName in
AD. Is there something we’re
doing wrong here?<o:p></o:p></p>
<p class="xmsonormal1"> <o:p></o:p></p>
<pre><objectSynchronization>
    <name>Account sync</name>
    <objectClass>ri:user</objectClass>
    <kind>account</kind>
    <intent>default</intent>
    <enabled>true</enabled>
    <correlation>
        <q:equal>
            <q:path>c:name</q:path>
            <expression xmlns="">
                <path>$account/attributes/ri:sAMAccountName</path>
            </expression>
        </q:equal>
    </correlation>
    <reconcile>false</reconcile>
    <reaction>
        <situation>linked</situation>
        <synchronize>true</synchronize>
        <reconcile>false</reconcile>
    </reaction>
    <reaction>
        <situation>deleted</situation>
        <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"/>
    </reaction>
    <reaction>
        <situation>unlinked</situation>
        <reconcile>false</reconcile>
        <action>
            <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
        </action>
    </reaction>
    <reaction>
        <situation>unmatched</situation>
        <reconcile>false</reconcile>
        <action>
            <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
        </action>
    </reaction>
</objectSynchronization></pre>
<p class="xmsonormal1"> <o:p></o:p></p>
<p class="xmsonormal1">Thank
You,<o:p></o:p></p>
<p class="xmsonormal1">Rod
Holman<o:p></o:p></p>
<p class="xmsonormal1"> <o:p></o:p></p>
</div>
</div>
<p class="xmsonormal1">_______________________________________________<br>
midPoint mailing list<br>
<a
href="mailto:midPoint@lists.evolveum.com"
target="_blank"
moz-do-not-send="true">midPoint@lists.evolveum.com</a><br>
<a
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
target="_blank"
moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<p class="xmsonormal1"><br clear="all">
<o:p></o:p></p>
<div>
<p class="xmsonormal1"> <o:p></o:p></p>
</div>
<p class="xmsonormal1">-- <o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><strong><span
style="font-size:10.0pt;font-family:"Arial",sans-serif">Arnošt
Starosta</span></strong><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"><br>
</span><span
style="font-size:8.5pt;font-family:"Arial",sans-serif;color:gray">solution
architect</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span
style="font-size:8.5pt;font-family:"Arial",sans-serif">gsm:
[+420] 603 794 932<br>
e‑mail: <a
href="mailto:arnost.starosta@ami.cz"
target="_blank"
moz-do-not-send="true">arnost.starosta@ami.cz</a></span><o:p></o:p></p>
<p class="MsoNormal"><strong><span
style="font-size:8.5pt;font-family:"Arial",sans-serif">AMI
Praha a.s.</span></strong><span
style="font-size:8.5pt;font-family:"Arial",sans-serif"><br>
Pláničkova 11, 162 00 Praha 6</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:8.5pt;font-family:"Arial",sans-serif">tel.:
[+420] 274 783 239 | web: <a
href="https://www.ami.cz"
target="_blank"
moz-do-not-send="true">www.ami.cz</a></span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
</blockquote>
<pre>-- <o:p></o:p></pre>
<pre>Ivan Noris<o:p></o:p></pre>
<pre>Senior Identity Engineer<o:p></o:p></pre>
<pre>evolveum.com<o:p></o:p></pre>
</div>
<br>
</blockquote>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
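<p>Added example, not part of the thread and not midPoint project code: a small audit that lists every password inbound/outbound mapping in a resource definition with its strength, so mappings that are not weak (the setting suggested above) can be reviewed before an import. The resource XML is constructed sample input, the resource names are placeholders, and the element paths and the default strength of normal are assumptions based on the midPoint common-3 resource schema.</p>

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}
# Assumption: a mapping with no <strength> element is treated as "normal".
DEFAULT_STRENGTH = "normal"

# Constructed sample input (not the poster's configuration): an HR source whose
# inbound password mapping has no explicit strength, and an AD target whose
# outbound password mapping is explicitly "normal".
SAMPLE = """\
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <resource>
    <name>HR SQL view (constructed)</name>
    <schemaHandling>
      <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <credentials>
          <password>
            <inbound/>
          </password>
        </credentials>
      </objectType>
    </schemaHandling>
  </resource>
  <resource>
    <name>Active Directory (constructed)</name>
    <schemaHandling>
      <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <credentials>
          <password>
            <outbound>
              <strength>normal</strength>
            </outbound>
          </password>
        </credentials>
      </objectType>
    </schemaHandling>
  </resource>
</objects>
"""


def password_mappings(xml_text):
    """Return one record per password inbound/outbound mapping found."""
    root = ET.fromstring(xml_text)
    # Accept either a single <resource> document or a wrapper holding several.
    if root.tag == "{%s}resource" % NS["c"]:
        resources = [root]
    else:
        resources = root.findall(".//c:resource", NS)
    records = []
    for res in resources:
        res_name = res.findtext("c:name", default="(unnamed)", namespaces=NS)
        for obj_type in res.findall("c:schemaHandling/c:objectType", NS):
            kind = obj_type.findtext("c:kind", default="account", namespaces=NS)
            intent = obj_type.findtext("c:intent", default="default", namespaces=NS)
            for direction in ("inbound", "outbound"):
                path = "c:credentials/c:password/c:%s" % direction
                for mapping in obj_type.findall(path, NS):
                    raw = mapping.findtext("c:strength", default="", namespaces=NS)
                    records.append({
                        "resource": res_name,
                        "object_type": "%s/%s" % (kind, intent),
                        "direction": direction,
                        # An absent or empty <strength> falls back to the default.
                        "strength": (raw or "").strip().lower() or DEFAULT_STRENGTH,
                        "explicit": mapping.find("c:strength", NS) is not None,
                    })
    return records


def non_weak(xml_text):
    """Password mappings whose strength is anything other than weak."""
    return [r for r in password_mappings(xml_text) if r["strength"] != "weak"]


if __name__ == "__main__":
    for r in password_mappings(SAMPLE):
        flag = "REVIEW" if r["strength"] != "weak" else "ok"
        origin = "explicit" if r["explicit"] else "default"
        print("%-6s %s [%s] password %s: %s (%s)" % (
            flag, r["resource"], r["object_type"],
            r["direction"], r["strength"], origin))
```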
</body>
</html>