<div dir="ltr"><div><div dir="ltr"><p>Hi Carlos and Yakov,</p><p>Thanks for your suggestions!</p><p>Carlos, I went ahead with your recommendation and flagged the <font size="2"><code>userPrincipalName</code></font> attribute with <code>secondaryIdentifier=true</code>.
That solved the GUI error, and midPoint is now applying the necessary
updates to the AD shadow account perfectly, just as expected.</p><p>However,
as I was digging into the logs, I saw an interesting behavior. It seems
that even with the new setting, midPoint's first step is still to
attempt an "add" operation for a new user with the same <code>userPrincipalName</code> (I can see an <code>OperationLog: Add REQ Entry...</code>).
The key difference is that this operation is now logged as a warning
instead of a hard error. Right after this warning, the logs show the
expected <code>MoveAndRename</code> and <code>Modify</code> operations being successfully applied to the existing account.</p></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 26 Sep 2025 at 11:41, Carlos Ferreira <<a href="mailto:carlos18619@gmail.com" target="_blank">carlos18619@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">João,<div><br></div><div>Have you already tried the "secondaryIdentifier" option on the attribute resource configuration?<br><br><br>Something like this:<br><br><br><i><font color="#000000"> <attribute id="3190"></font><br><font color="#000000"> <ref>ri:sAMAccountName</ref></font><br><font color="#000000"> <tolerant>true</tolerant></font><br><font color="#000000"> <exclusiveStrong>false</exclusiveStrong></font><br><font color="#ff0000"> <secondaryIdentifier>true</secondaryIdentifier><br></font><font color="#000000"> <outbound></font></i><br><br><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 25 Sep 2025 at 12:54, João Paulo Ribeiro via midPoint <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello!<br><br>I have a midPoint deployment with an authoritative
(inbound) resource and an outbound Active Directory resource. There's a
specific situation where a user that I haven't imported into midPoint
yet already has an account in Active Directory (outbound). In this
scenario, when I import the user from the authoritative resource, I
would expect midPoint to link the existing Active Directory account
(UNLINKED -> LINKED). However, it's trying to create another account
in AD, and because of that, the following error is being thrown:<br><br>ObjectAlreadyExistsException: org.identityconnectors.framework.common.exceptions.AlreadyExistsException(Error adding LDAP entry CN=username,OU=users,DC=example,DC=com:
constraintViolation: 000021C8: AtrErr: DSID-03200BD1, #1:??0: 000021C8:
DSID-03200BD1, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290
(<b>userPrincipalName</b>)?? (19))<br><br>I have already checked the
correlation and synchronization rules on both the inbound
(authoritative) and outbound (AD) resources, and they seem correct. In
fact, if I try to run the "import" for the existing AD account while
it's in the UNLINKED state, it performs the expected operation: it LINKS
the account with its respective focus and applies the necessary
updates. The problem really happens when I try to run the "import" from
the authoritative resource, in which case midPoint doesn't detect the
pre-existing AD account for the user.<br><br>Has anyone else experienced this?<br><br>Versions:<br>midPoint 4.8.7<br><div>AdLdapConnector 3.7.4</div><div><br></div><div>Thanks in advance!</div></div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div>
</blockquote></div>
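<p>For readers following the thread, below is an added example of a complete <code>schemaHandling</code> attribute definition for <code>userPrincipalName</code> on the AD resource, putting the <code>secondaryIdentifier</code> flag that Carlos suggested (and João applied to <code>userPrincipalName</code>) next to an outbound mapping. This is illustration written for this page, not configuration from the thread or from the midPoint project; the <code>$focus/name</code> source, the <code>@example.com</code> suffix and the surrounding mapping settings are assumptions.</p>

```xml
<!-- Added example, not from the thread: schemaHandling attribute definition
     for userPrincipalName on an Active Directory resource.
     Assumptions: the UPN is built from the midPoint user name plus a fixed
     domain suffix (example.com); adjust both to the real convention. -->
<attribute>
    <ref>ri:userPrincipalName</ref>
    <!-- Same ordering Carlos used for sAMAccountName. -->
    <tolerant>true</tolerant>
    <exclusiveStrong>false</exclusiveStrong>
    <!-- Marks the UPN as a secondary identifier, so midPoint can use it to
         locate an account that already exists in AD and link it, rather than
         failing on a second add of the same UPN (the CONSTRAINT_ATT_TYPE error
         quoted in the original post). -->
    <secondaryIdentifier>true</secondaryIdentifier>
    <outbound>
        <strength>strong</strength>
        <source>
            <path>$focus/name</path>
        </source>
        <expression>
            <script>
                <code>
                    // Assumed convention: UPN = midPoint user name + domain suffix.
                    basic.stringify(name) + '@example.com'
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
```

<p>When trying this on a deployment, it is worth checking the result on a single user whose AD account is still UNLINKED before running the full import from the authoritative resource: as João describes above, the provisioning log may still show an <code>Add</code> request logged as a warning, followed by the <code>MoveAndRename</code> and <code>Modify</code> operations on the existing account, so the operation log rather than the GUI status is the place to confirm that the account was linked and not duplicated.</p>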