MidPoint
MID-7143

Assumed AD configuration when using ADConnector



    • Task
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 4.0.3
    • 4.7
    • Connectors, Provisioning
    • None
    • Presented to : Toyota Tsusho
      Subscription ID : 010721455074
      Identities : Up to 15.000
      Connectors : AD,CSV,LDAP,DBTable
      Partner : NRI
      Validity : 2021/05/17 - 2021/07/31

    • Active subscription


      I am using ADConnector with midPoint to implement live provisioning.
      Occasionally, discovery occurs and the following things happen.

      • Shadow data in a dead state is created and a NO_OBJECT error occurs.
      • The AD side detects the conflict and creates "CN=(username)\0ACNF:(objectGUID)", which is different from the original "CN=(username)".
      • Once this happens, the ENTRY_EXISTS error keeps occurring in subsequent live provisioning.

      The environment is as follows.

      • AD provisioning is set up so that midPoint user registration -> AD registration is enabled.
      • When a midPoint user is registered, a SecondaryChange is added and updated in the hook script.
      • As a result, AD registration → AD lookup → AD update is performed within one midPoint user registration.
      • AD is a redundant configuration using DNS round robin.

      We are still investigating, but there is a case where midPoint refers to both AD1 and AD2 within a single process.
      I'm guessing that this is happening because there is a time lag in replication between AD1 and AD2.

      In the first place, is a DNS round robin configuration supported?
      Also, I'd like to know the expected AD configuration when using ADConnector.




            nriuser shingo yamazaki
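The following is an added diagnostic for the situation described in the report; it is not part of the issue, of midPoint or of the AD connector. It asks every domain controller directly (bypassing the round-robin DNS name with -Server) whether a given user's normal object and any "CN=<name>\0ACNF:<objectGUID>" conflict object exist there, and reports whether the DCs currently disagree. It assumes the ActiveDirectory PowerShell module, read rights on all DCs, and that the value passed as -Cn is the CN midPoint creates for the user; the function and variable names are illustrative.

```powershell
# Added diagnostic (not from the MID-7143 report or from midPoint): compare the state
# of one user object on every DC to see whether replication has converged.
# Assumes the ActiveDirectory module; -Cn is the CN as created by the connector.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside an LDAP filter value.
    param([Parameter(Mandatory)] [string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-AdUserStatePerDc {
    param([Parameter(Mandatory)] [string] $Cn)
    $safeCn = ConvertTo-LdapFilterValue $Cn
    # Every DC in the domain; the DNS round robin may hand midPoint any of them.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        # Normal object: exact CN match, answered by this DC only.
        $normal = Get-ADObject -Server $dc -LDAPFilter "(cn=$safeCn)" `
                    -Properties objectGUID, whenCreated, uSNChanged
        # Conflict object: AD renames the loser to "<cn>\nCNF:<guid>"; \0a is the LDAP escape for LF.
        $cnf = Get-ADObject -Server $dc -LDAPFilter "(cn=$safeCn\0aCNF:*)" `
                    -Properties objectGUID, whenCreated
        [pscustomobject]@{
            DC            = $dc
            NormalFound   = [bool]$normal
            NormalGUID    = if ($normal) { [string]$normal.objectGUID } else { $null }
            ConflictCount = @($cnf).Count
            ConflictDNs   = @($cnf | ForEach-Object DistinguishedName)
        }
    }
}

function Test-AdUserConverged {
    # True only when every DC returns the same objectGUID and no DC holds a CNF object.
    param([Parameter(Mandatory)] [string] $Cn)
    $states = @(Get-AdUserStatePerDc -Cn $Cn)
    $guids  = @($states | ForEach-Object NormalGUID | Sort-Object -Unique)
    $allFound   = ($states | Where-Object { -not $_.NormalFound }).Count -eq 0
    $noConflict = ($states | Measure-Object ConflictCount -Sum).Sum -eq 0
    $states | Format-Table DC, NormalFound, NormalGUID, ConflictCount -AutoSize
    return ($allFound -and $guids.Count -eq 1 -and $noConflict)
}

# Example call with a placeholder CN; replace with the account from the failing provisioning run.
Test-AdUserConverged -Cn 'jdoe'
```

Run it immediately after a failing live-provisioning attempt: a row with NormalFound=False on one DC while another DC already has the object is the replication lag the report suspects, and a non-zero ConflictCount shows the CNF object that later triggers ENTRY_EXISTS. The ConflictDNs can then be examined and cleaned up by an AD administrator; the script itself only reads.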