<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Vorformatiert Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLVorformatiertZchn
{mso-style-name:"HTML Vorformatiert Zchn";
mso-style-priority:99;
mso-style-link:"HTML Vorformatiert";
font-family:Consolas;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="DE" link="#0563C1" vlink="#954F72" style="word-wrap:break-word;overflow-wrap: break-word;-webkit-nbsp-mode: space;line-break:after-white-space">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Hi Alcides,<br>
<br>
this is exactly the same issue we faced in our deployment. MidPoint will fetch every group from the AD which is mentioned in the memberOf attribute to fill the “entitlement” variable in the inbound mapping.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">If those groups have many members it will be especially bad because midpoint will fetch every member attribute value, which can even
result in multiple pages for one group. This will have a big memory footprint and also long fetching times and a high CPU usage on the domain controller.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">We fixed this issue by removing the inbound mapping in the association and converting it to an inbound mapping for a simple attribute
“memberOf”. Depending on what your inbound mapping looks like, this is possible quite easily.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">You will only have the dn of the group available but doing a raw repository search in midpoint is possible if you want to check the
intent etc.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Outbound mappings in metaroles for associations do not cause every group to be loaded but only the group which will be assigned/removed.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">If you have any more questions feel free to ask.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Kind Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Emil<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
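<p class="MsoNormal">Added example, not part of the original message and not midPoint's own sample code: a sketch of the change described above, with the association kept without an inbound and the inbound moved to the plain ri:memberOf attribute. It assumes that each group role stores the group DN in its identifier property and that the c:, q: and ri: namespace prefixes are declared on the resource; the channel restriction mirrors the one mentioned in the quoted reply.</p>

```xml
<!-- Fragment of schemaHandling/objectType for the AD account (added example). -->

<!-- The association stays so that outbound mappings (for example in metaroles)
     can still add and remove single group memberships. It no longer carries
     an <inbound>, so no "entitlement" variable has to be filled and the
     groups listed in memberOf are not fetched for it. -->
<association>
    <ref>ri:group</ref>
    <displayName>AD Group Membership</displayName>
    <tolerant>true</tolerant>
    <kind>entitlement</kind>
    <intent>adGroup</intent>
    <!-- further group intents as in the original configuration -->
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
    <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>

<!-- The inbound now reads memberOf as a simple multi-valued attribute.
     Each value is only the DN string of a group; the group object and its
     ri:member values are not read from the domain controller. -->
<attribute>
    <ref>ri:memberOf</ref>
    <inbound>
        <!-- Evaluate only during reconciliation, as in the original setup. -->
        <channel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#reconciliation</channel>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:RoleType</targetType>
                <filter>
                    <q:equal>
                        <!-- Assumption: the role's identifier holds the group DN. -->
                        <q:path>identifier</q:path>
                        <expression>
                            <!-- "input" is the single memberOf value being mapped. -->
                            <path>$input</path>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </inbound>
</attribute>
```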
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif;color:black">From:
</span></b><span style="font-family:"Calibri",sans-serif;color:black">Alcides Moraes <alcides.neto@gmail.com><br>
<b>Date: </b>Wednesday, 10 July 2024 at 20:30<br>
<b>To: </b>midPoint General Discussion <midpoint@lists.evolveum.com><br>
<b>Cc: </b>iam-mailing <iam-mailing@tk.de><br>
<b>Subject: </b>[Signature invalid] Re: [midPoint] Slow Active Directory getoperations for groups<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><strong><span style="font-size:10.0pt;font-family:Helvetica;color:black;background:#FFEB9C">EXTERNAL E-MAIL - Please check the trustworthiness of the sender information before opening links or attachments.</span></strong>
<o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center"><strong><span style="font-family:"Aptos",sans-serif">
<hr size="0" width="100%" align="center">
</span></strong></div>
<p class="MsoNormal">Hi Emil, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks for reaching out. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Yes, I have an inbound mapping restricted to the reconciliation channel. I’ll try disabling it, see if it changes anything.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Here’s my association configuration, I have redacted some intents (I have about 20 group intents) and the inbound mapping (it’s a simple assignmentTargetSearch with createOnDemand)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I have this many intents for groups in order to link many types of automatic groups to OrgTypes, with members based on the kind of employment contract (interns, externals, etc.).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<pre style="background:#2B2B2B"><span style="color:#A9B7C6"><br></span><span style="color:#6E7ED9"><association </span><span style="color:#BABABA">id</span><span style="color:#6A8759">="54"</span><span style="color:#6E7ED9">><br> </span><span style="color:#179387"><ref></span><span style="color:#A9B7C6">ri:group</span><span style="color:#179387"></ref><br> <displayName></span><span style="color:#A9B7C6">AD Group Membership</span><span style="color:#179387"></displayName><br> <tolerant></span><span style="color:#A9B7C6">true</span><span style="color:#179387"></tolerant><br> <intolerantValuePattern></span><span style="color:#A9B7C6">.*(OU=AutomaticGroups|OU=ITProducts).*</span><span style="color:#179387"></intolerantValuePattern><br> <exclusiveStrong></span><span style="color:#A9B7C6">false</span><span style="color:#179387"></exclusiveStrong><br> <fetchStrategy></span><span style="color:#A9B7C6">explicit</span><span style="color:#179387"></fetchStrategy><br> <inbound </span><span style="color:#BABABA">id</span><span style="color:#6A8759">="542"</span><span style="color:#179387">></span><o:p></o:p></pre>
<pre style="background:#2B2B2B"><span style="color:#E8BA36"> </span><span style="color:#179387"></inbound><br> <kind></span><span style="color:#A9B7C6">entitlement</span><span style="color:#179387"></kind><br> <intent></span><span style="color:#A9B7C6">adGroup</span><span style="color:#179387"></intent><br> <intent></span><span style="color:#A9B7C6">intent1</span><span style="color:#179387"></intent><br> <intent></span><span style="color:#A9B7C6">intent2</span><span style="color:#179387"></intent><br> . . .<br> <intent></span><span style="color:#A9B7C6">intent20</span><span style="color:#179387"></intent><br> <direction></span><span style="color:#A9B7C6">objectToSubject</span><span style="color:#179387"></direction><br> <associationAttribute></span><span style="color:#A9B7C6">ri:member</span><span style="color:#179387"></associationAttribute><br> <valueAttribute></span><span style="color:#A9B7C6">ri:dn</span><span style="color:#179387"></valueAttribute><br> <shortcutAssociationAttribute></span><span style="color:#A9B7C6">ri:memberOf</span><span style="color:#179387"></shortcutAssociationAttribute><br> <shortcutValueAttribute></span><span style="color:#A9B7C6">ri:dn</span><span style="color:#179387"></shortcutValueAttribute><br> <explicitReferentialIntegrity></span><span style="color:#A9B7C6">false</span><span style="color:#179387"></explicitReferentialIntegrity><br></span><span style="color:#6E7ED9"></association></span><o:p></o:p></pre>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Here’s the task xml, with minor redaction. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<pre style="background:#2B2B2B"><span style="color:#E8BA36"><task ...><br> </span><span style="color:#54A857"><name></span><span style="color:#A9B7C6">Reconcile Employees</span><span style="color:#54A857"></name><br> <assignment </span><span style="color:#BABABA">id</span><span style="color:#6A8759">="6"</span><span style="color:#54A857">><br> </span><span style="color:#359FF4"><targetRef </span><span style="color:#BABABA">oid</span><span style="color:#6A8759">="00000000-0000-0000-0000-000000000501" </span><span style="color:#BABABA">relation</span><span style="color:#6A8759">="org:default" </span><span style="color:#BABABA">type</span><span style="color:#6A8759">="c:ArchetypeType"</span><span style="color:#359FF4">/><br> <activation><br> </span><span style="color:#6E7ED9"><effectiveStatus></span><span style="color:#A9B7C6">enabled</span><span style="color:#6E7ED9"></effectiveStatus><br> </span><span style="color:#359FF4"></activation><br> </span><span style="color:#54A857"></assignment><br> <archetypeRef </span><span style="color:#BABABA">oid</span><span style="color:#6A8759">="00000000-0000-0000-0000-000000000501" </span><span style="color:#BABABA">relation</span><span style="color:#6A8759">="org:default" </span><span style="color:#BABABA">type</span><span style="color:#6A8759">="c:ArchetypeType"</span><span style="color:#54A857">/><br> <roleMembershipRef </span><span style="color:#BABABA">oid</span><span style="color:#6A8759">="00000000-0000-0000-0000-000000000501" </span><span style="color:#BABABA">relation</span><span style="color:#6A8759">="org:default" </span><span style="color:#BABABA">type</span><span style="color:#6A8759">="c:ArchetypeType"</span><span style="color:#54A857">/><br> <ownerRef </span><span style="color:#BABABA">oid</span><span style="color:#6A8759">="00000000-0000-0000-0000-000000000002" </span><span style="color:#BABABA">relation</span><span style="color:#6A8759">="org:default" </span><span style="color:#BABABA">type</span><span 
style="color:#6A8759">="c:UserType"</span><span style="color:#54A857">/><br> <channel></span><span style="color:#A9B7C6">http://midpoint.evolveum.com/xml/ns/public/common/channels-3#reconciliation</span><span style="color:#54A857"></channel><br> <unpauseAction></span><span style="color:#A9B7C6">executeImmediately</span><span style="color:#54A857"></unpauseAction><br> <category></span><span style="color:#A9B7C6">Reconciliation</span><span style="color:#54A857"></category><br> <objectRef </span><span style="color:#BABABA">oid</span><span style="color:#6A8759">="----" </span><span style="color:#BABABA">relation</span><span style="color:#6A8759">="org:default" </span><span style="color:#BABABA">type</span><span style="color:#6A8759">="c:ResourceType"</span><span style="color:#54A857">/><br> <binding></span><span style="color:#A9B7C6">loose</span><span style="color:#54A857"></binding><br> <schedule><br> </span><span style="color:#359FF4"><recurrence></span><span style="color:#A9B7C6">recurring</span><span style="color:#359FF4"></recurrence><br> <cronLikePattern></span><span style="color:#A9B7C6">1 0 0 ? * MON-FRI</span><span style="color:#359FF4"></cronLikePattern><br> <misfireAction></span><span style="color:#A9B7C6">executeImmediately</span><span style="color:#359FF4"></misfireAction><br> </span><span style="color:#54A857"></schedule><br> <threadStopAction></span><span style="color:#A9B7C6">restart</span><span style="color:#54A857"></threadStopAction><br> <activity><br> </span><span style="color:#359FF4"><work><br> </span><span style="color:#6E7ED9"><reconciliation><br> </span><span style="color:#179387"><resourceObjects><br> </span><span style="color:#E8BA36"><resourceRef </span><span style="color:#BABABA">oid</span><span style="color:#6A8759">="----" </span><span style="color:#BABABA">relation</span><span style="color:#6A8759">="org:default" </span><span style="color:#BABABA">type</span><span style="color:#6A8759">="c:ResourceType"</span><span style="color:#E8BA36">/><br> <kind></span><span style="color:#A9B7C6">account</span><span style="color:#E8BA36"></kind><br> <intent></span><span style="color:#A9B7C6">default</span><span style="color:#E8BA36"></intent><br> <objectclass></span><span style="color:#A9B7C6">ri:AccountObjectClass</span><span style="color:#E8BA36"></objectclass><br> </span><span style="color:#179387"></resourceObjects><br> </span><span style="color:#6E7ED9"></reconciliation><br> </span><span style="color:#359FF4"></work><br> <distribution><br> </span><span style="color:#6E7ED9"><workerThreads></span><span style="color:#A9B7C6">6</span><span style="color:#6E7ED9"></workerThreads><br> <subtasks/><br> </span><span style="color:#359FF4"></distribution><br> <tailoring><br> </span><span style="color:#6E7ED9"><change </span><span style="color:#BABABA">id</span><span style="color:#6A8759">="1"</span><span style="color:#6E7ED9">><br> </span><span style="color:#179387"><reference></span><span style="color:#A9B7C6">resourceObjects</span><span style="color:#179387"></reference><br> <distribution><br> </span><span style="color:#E8BA36"><buckets><br> 
</span><span style="color:#54A857"><stringSegmentation><br> </span><span style="color:#359FF4"><discriminator></span><span style="color:#A9B7C6">attributes/ri:DOCUMENT_ID</span><span style="color:#359FF4"></discriminator><br> <boundary </span><span style="color:#BABABA">id</span><span style="color:#6A8759">="12"</span><span style="color:#359FF4">><br> </span><span style="color:#6E7ED9"><position></span><span style="color:#A9B7C6">1</span><span style="color:#6E7ED9"></position><br> <characters></span><span style="color:#A9B7C6">0123456789</span><span style="color:#6E7ED9"></characters><br> </span><span style="color:#359FF4"></boundary><br> <boundary </span><span style="color:#BABABA">id</span><span style="color:#6A8759">="13"</span><span style="color:#359FF4">><br> </span><span style="color:#6E7ED9"><position></span><span style="color:#A9B7C6">2</span><span style="color:#6E7ED9"></position><br> <characters></span><span style="color:#A9B7C6">0123456789</span><span style="color:#6E7ED9"></characters><br> </span><span style="color:#359FF4"></boundary><br> <comparisonMethod></span><span style="color:#A9B7C6">prefix</span><span style="color:#359FF4"></comparisonMethod><br> </span><span style="color:#54A857"></stringSegmentation><br> </span><span style="color:#E8BA36"></buckets><br> <workers><br> </span><span style="color:#54A857"><workersPerNode </span><span style="color:#BABABA">id</span><span style="color:#6A8759">="3"</span><span style="color:#54A857">><br> </span><span style="color:#359FF4"><count></span><span style="color:#A9B7C6">1</span><span style="color:#359FF4"></count><br> </span><span style="color:#54A857"></workersPerNode><br> </span><span style="color:#E8BA36"></workers><br> <workerThreads></span><span style="color:#A9B7C6">6</span><span style="color:#E8BA36"></workerThreads><br> </span><span style="color:#179387"></distribution><br> </span><span style="color:#6E7ED9"></change><br> <change </span><span style="color:#BABABA">id</span><span 
style="color:#6A8759">="2"</span><span style="color:#6E7ED9">><br> </span><span style="color:#179387"><reference></span><span style="color:#A9B7C6">remainingShadows</span><span style="color:#179387"></reference><br> <distribution><br> </span><span style="color:#E8BA36"><buckets><br> </span><span style="color:#54A857"><oidSegmentation><br> </span><span style="color:#359FF4"><depth></span><span style="color:#A9B7C6">1</span><span style="color:#359FF4"></depth><br> </span><span style="color:#54A857"></oidSegmentation><br> </span><span style="color:#E8BA36"></buckets><br> <workers><br> </span><span style="color:#54A857"><workersPerNode </span><span style="color:#BABABA">id</span><span style="color:#6A8759">="4"</span><span style="color:#54A857">><br> </span><span style="color:#359FF4"><count></span><span style="color:#A9B7C6">1</span><span style="color:#359FF4"></count><br> </span><span style="color:#54A857"></workersPerNode><br> </span><span style="color:#E8BA36"></workers><br> <workerThreads></span><span style="color:#A9B7C6">6</span><span style="color:#E8BA36"></workerThreads><br> </span><span style="color:#179387"></distribution><br> </span><span style="color:#6E7ED9"></change><br> </span><span style="color:#359FF4"></tailoring><br> </span><span style="color:#54A857"></activity><br></span><span style="color:#E8BA36"></task></span><o:p></o:p></pre>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 10 Jul 2024, at 12:18, iam-mailing--- via midPoint <midpoint@lists.evolveum.com> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Hi,<br>
<br>
can you provide your association configuration? Do you use an inbound mapping inside the association configuration?<br>
Also the task configuration for the reconciliation could help.<br>
<br>
We had an issue regarding get operations in the AD so I would have a look if it’s a similar problem.<br>
<br>
Kind Regards,<br>
Emil Militzer<br>
<br>
On 28.06.24, 19:03, "midPoint on behalf of Alcides Moraes via midPoint" <midpoint-bounces@lists.evolveum.com <mailto:midpoint-bounces@lists.evolveum.com> on behalf of midpoint@lists.evolveum.com <mailto:midpoint@lists.evolveum.com>> wrote:<br>
_______________________________________________<br>
midPoint mailing list<br>
midPoint@lists.evolveum.com <mailto:midPoint@lists.evolveum.com><br>
https://lists.evolveum.com/mailman/listinfo/midpoint <https://lists.evolveum.com/mailman/listinfo/midpoint><br>
<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>