Details
- Type: Task
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 4.0.3
- Fix Version/s: 4.6
- Component/s: Connectors, Provisioning
- Labels: None
- Environment:
  Presented to : Toyota Tsusho
  Subscription ID : 010721455074
  Identities : Up to 15.000
  Connectors : AD,CSV,LDAP,DBTable
  Partner : NRI
  Validity : 2021/05/17 - 2021/07/31
- Subscription: Active subscription
Description
I am using the ADConnector with midPoint to implement live provisioning.
Occasionally, discovery occurs and the following events occur:
- Shadow data in a dead state is created and a NO_OBJECT error occurs.
- The AD side detects the conflict and creates "CN=(username)\0ACNF:(objectGUID)", which is different from the original "CN=(username)".
- If this happens, the ENTRY_EXISTS error will continue in subsequent live provisioning.
The environmental conditions here are as follows:
- AD provisioning is set up so that midPoint user registration -> AD registration is enabled.
- When a midPoint user is registered, a SecondaryChange is added and updated in the hook script.
- As a result, AD registration -> AD lookup -> AD update is performed in one midPoint user registration.
- AD is a redundant configuration using DNS round robin.
We are still investigating, but there is a case where midPoint refers to both AD1 and AD2 in a single process.
I'm guessing that this is happening because there is a time lag in replication between AD units 1 and 2.
In the first place, does it support a DNS round robin configuration?
Also, I'd like to know the expected AD configuration when using the ADConnector.
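As an added example (not part of this report or of midPoint's own code), a small Python check that recognizes the conflict-object naming described above: when two domain controllers accept a create for the same CN before replicating, AD renames the losing entry to `CN=<name>\0ACNF:<objectGUID>`, where `\0A` is the LDAP string escape for the line feed. The sample DNs are constructed; in practice the list would come from an LDAP search over the OU that midPoint provisions into, and any hit means the connector's ENTRY_EXISTS loop described above needs manual cleanup.

```python
import re
import uuid

# Constructed sample DNs (not from the original report). The second entry uses the
# escaped LDAP form "\0A", the third carries a raw line feed as some clients return it.
SAMPLE_DNS = [
    r"CN=jdoe,OU=Users,DC=example,DC=com",
    r"CN=jdoe\0ACNF:1a2b3c4d-5e6f-7081-92a3-b4c5d6e7f809,OU=Users,DC=example,DC=com",
    "CN=asmith\nCNF:0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0,OU=Users,DC=example,DC=com",
    r"CN=nocnf,OU=Users,DC=example,DC=com",
]

# Leading RDN of a conflict object: original CN, then LF (escaped or raw), then "CNF:" + GUID.
_CNF_RE = re.compile(
    r"^CN=(?P<name>.+?)(?:\\0A|\n)CNF:(?P<guid>[0-9a-fA-F-]{36})", re.IGNORECASE
)


def parse_conflict_rdn(dn: str):
    """Return (original_cn, object_guid) if dn names an AD conflict object, else None."""
    m = _CNF_RE.match(dn)
    if not m:
        return None
    try:
        guid = uuid.UUID(m.group("guid"))  # rejects malformed GUID suffixes
    except ValueError:
        return None
    return m.group("name"), str(guid)


def find_conflicts(dns):
    """Group conflict objects by the CN they collided with, for review after a NO_OBJECT/ENTRY_EXISTS run."""
    conflicts = {}
    for dn in dns:
        parsed = parse_conflict_rdn(dn)
        if parsed:
            name, guid = parsed
            conflicts.setdefault(name, []).append(guid)
    return conflicts


if __name__ == "__main__":
    for cn, guids in find_conflicts(SAMPLE_DNS).items():
        print(f"conflict object(s) for CN={cn}: {', '.join(guids)}")
```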