<div dir="ltr"><div>Hi Ethan,</div><div>In my case, user reconciliation works fine for me. Try to adapt my config settings to your instance.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>        <objectSynchronization><br>            <name>Users sync</name><br>            <kind>account</kind><br>            <intent>default</intent><br>            <focusType>c:UserType</focusType><br>            <enabled>true</enabled><br>            <correlation><br>                <q:equal xmlns=""><br>                    <q:matching>stringIgnoreCase</q:matching><br>                    <q:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:emailAddress</q:path><br>                    <expression xmlns=""><br>                        <variable xmlns=""><br>                            <name>principalName</name><br>                            <path xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">$projection/attributes/icfs:name</path><br>                        </variable><br>                        <script xmlns=""><br>                            <code><br>                                return principalName;<br>                                    </code><br>                        </script><br>                    </expression><br>                </q:equal><br>            </correlation><br>            <reconcile>false</reconcile><br>            <reaction><br>                <situation>linked</situation><br>                <synchronize>true</synchronize><br>            </reaction><br>            <reaction><br>                <situation>unlinked</situation><br>                <synchronize>true</synchronize><br>                <reconcile>false</reconcile><br>                <action><br> 
                   <handlerUri><a href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link">http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</a></handlerUri><br>                </action><br>            </reaction><br>        </objectSynchronization></div></blockquote><div><br></div><div><br></div><div>Best regards,</div><div>Oleksandr<br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 15 Sep 2020 at 22:05, Ethan Kromhout via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

  
  <div>
    <p>Hi Chris,</p>
    <p>I hit that problem with an attribute named "id" in a connector I
      was writing, that one wasn't a lot of fun to track down. I've seen
      this "shadow without attributes" thing in other connectors, I
      think there is something fundamental I'm not understanding about
      cases where midPoint isn't managing the Accounts in the resource,
      but I still want it to read or write information about those
      Accounts.</p>
    <p>Thanks,</p>
    <p>Ethan<br>
    </p>
    <div>On 9/15/20 11:15 AM, Chris Woods wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="auto">
        <div dir="auto">Hi Ethan, </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">We are using the connector too. I think there
          are a few bugs in the connector. All of our broken shadows
          came from this connector (the schema has an "id" attribute
          that causes problems in midPoint) </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">I will be doing the same as you next week, so I
          can report back then if you like. At the moment we are only
          provisioning user accounts. </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Regards, </div>
        <div dir="auto">Chris</div>
        <div dir="auto"><br>
        </div>
        <div id="gmail-m_-8439386131556676270aqm-original" style="color:black">
          <div dir="auto">On 15 September 2020 at 16:45:59, Ethan
            Kromhout via midPoint <a href="mailto:midpoint@lists.evolveum.com" target="_blank"><midpoint@lists.evolveum.com></a> wrote:</div>
          <div><br>
          </div>
          <blockquote type="cite" class="gmail_quote" style="margin:0px 0px 0px 0.75ex;border-left:1px solid rgb(128,128,128);padding-left:0.75ex">
            <div dir="auto">I'm working with the experimental MS Graph
              connector to Azure AD. My </div>
            <div dir="auto">initial use case is just creating groups and
              updating memberships, so my </div>
            <div dir="auto">mappings are just an association for the
              AccountObjectClass and a more </div>
            <div dir="auto">complete set of mappings for the
              GroupObjectClass. The schema this </div>
            <div dir="auto">connector generates contains no mandatory
              attributes, e.g. nothing is </div>
            <div dir="auto">marked minOccurs="1". Group creation is
              working just fine, but I'm </div>
            <div dir="auto">having a problem with the membership
              management. If I go into a user </div>
            <div dir="auto">who is a member of an organization that
              should connect the user to the </div>
            <div dir="auto">Azure AD group, and preview a reconciliation
              change, it sees that it </div>
            <div dir="auto">should add the Azure AD group, but when I
              hit save on the user, the </div>
            <div dir="auto">change fails with this error:</div>
            <div dir="auto"><br>
            </div>
            <div dir="auto">2020-09-15 14:22:05,611 [MODEL]
              [pool-3-thread-16] WARN </div>
            <div dir="auto">(com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor): </div>
            <div dir="auto">Can't do reconciliation. Account context
              doesn't contain current version </div>
            <div dir="auto">of account.</div>
            <div dir="auto">2020-09-15 14:22:05,820 [MODEL]
              [pool-3-thread-16] ERROR </div>
            <div dir="auto">(com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): </div>
            <div dir="auto">Attempt to add shadow without any
              attributes: shadow:null(null)</div>
            <div dir="auto">com.evolveum.midpoint.util.exception.SchemaException:
              Attempt to add </div>
            <div dir="auto">shadow without any attributes:
              shadow:null(null)</div>
            <div dir="auto">     at </div>
            <div dir="auto">com.evolveum.midpoint.provisioning.impl.ShadowCache.addShadowAttempt(ShadowCache.java:508)</div>
            <div dir="auto"><br>
            </div>
            <div dir="auto">And indeed, no Account shadow is created for
              the Azure AD resource for </div>
            <div dir="auto">that user. If I import the Account
              object for that user directly </div>
            <div dir="auto">from the Azure AD resource, then the shadow
              is created, and the </div>
            <div dir="auto">membership in Azure AD is updated. So I'm
              confused as to why saving a </div>
            <div dir="auto">user on reconciliation would fail with this
              error, but an import on the </div>
            <div dir="auto">resource succeeds.</div>
            <div dir="auto"><br>
            </div>
            <div dir="auto">Thanks for any experience or advice, I've
              attached the resource </div>
            <div dir="auto">definition in case that is of interest,</div>
            <div dir="auto"><br>
            </div>
            <div dir="auto">Ethan</div>
            <div dir="auto"><br>
            </div>
            <div dir="auto"><br>
            </div>
            <div dir="auto"><br>
            </div>
            <div dir="auto"><br>
            </div>
            <div dir="auto">----------</div>
            <div dir="auto">_______________________________________________</div>
            <div dir="auto">midPoint mailing list</div>
            <div dir="auto"><a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a></div>
            <div dir="auto"><a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a></div>
          </blockquote>
        </div>
        <div dir="auto"><br>
        </div>
      </div>
    </blockquote>
  </div>

</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature">Best regards, <br><br>Oleksandr Nekriach | Identity and access management engineer <br><br>Dynatech</div>