[midPoint] Protected / excluded accounts

midpoint at mybtinternet.com
Wed Jul 22 12:56:10 CEST 2015


Hi Guys,
  I'm looking for a way to exclude certain account names for use on any resource; this could include:
    - operating system accounts
    - service accounts
    - sensitive accounts
    - account names generated that may be offensive words, etc.
  I have noted the protected account feature; however, this seems to require a definition on every resource,
  which can be tedious and prone to error on large numbers of resources. Also, as this maps to the
  designated repository name attribute, it is not very flexible; e.g. take the AD built-in group Users.
  While this is a group, it still has a sAMAccountName of Users. Setting a protection of "Users" does not
  exclude an attempt to provision an account with a sAMAccountName of users.
  What happens in the above example is that midPoint attempts to add the account to AD; this fails with "Already
  exists". This does not seem to trigger the need for iteration. This is attempted 1000 times until some
  limit in midPoint then aborts the transaction. Needless to say, performance deteriorates rapidly during
  this cycle ... I would like to understand where this limit of 1000 is set and ideally reduce it significantly.
  Another side-effect of the AD problem described above: we also have the AD "Recycle Bin" feature
  enabled. Every failed attempt at provisioning the "users" account also leaves a deleted object entry;
  e.g. with 1000 attempted adds, this results in 1000 deleted object entries.
  I'm hoping there is a way of setting a global exclusion list or policy that would reject certain values
  by attribute name; e.g. a filter, but not one based on an individual resource.
Regards,
  Anton
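The behaviour Anton describes above (a case-insensitive reserved name such as "Users" slipping past an exact-match protection, followed by an unbounded run of failing adds) can be illustrated with a small resource-independent name check. The following is an added example written for this archive page; it is not midPoint code and does not use midPoint's configuration schema. The reserved-name list, the `svc-`/`srv` patterns and the `max_iterations` default are constructed for the illustration.

```python
import re
from typing import Iterable

# Constructed reserved-name list for this example (not midPoint configuration):
# AD built-ins plus a service account, stored lower-case so comparison is case-insensitive.
RESERVED_NAMES = {
    "users", "administrator", "guest", "krbtgt",  # AD built-in principals
    "svc-backup",                                 # a service account
}

# Constructed pattern list: reject whole families of names, e.g. service accounts.
RESERVED_PATTERNS = [
    re.compile(r"^svc-", re.IGNORECASE),
    re.compile(r"^srv", re.IGNORECASE),
]


def normalize(name: str) -> str:
    """sAMAccountName comparisons in AD are case-insensitive, so normalise
    before comparing ("Users" and "users" must be treated as the same name)."""
    return name.strip().lower()


def is_reserved(name: str) -> bool:
    """True if the name is on the global exclusion list, by exact match or pattern."""
    n = normalize(name)
    if n in RESERVED_NAMES:
        return True
    return any(p.search(n) for p in RESERVED_PATTERNS)


def pick_account_name(base: str, existing: Iterable[str], max_iterations: int = 10) -> str:
    """Return `base`, or `base` plus a numeric suffix, skipping reserved names and
    names that already exist (compared case-insensitively).

    The search is bounded: after `max_iterations` candidates it raises instead of
    hammering the target with further adds that are certain to fail.
    """
    taken = {normalize(e) for e in existing}
    for i in range(max_iterations):
        candidate = base if i == 0 else f"{base}{i}"
        if is_reserved(candidate) or normalize(candidate) in taken:
            continue  # rejected locally, no call to the resource is made
        return candidate
    raise RuntimeError(
        f"no acceptable account name for {base!r} after {max_iterations} iterations"
    )


if __name__ == "__main__":
    print(pick_account_name("users", []))                 # users1
    print(pick_account_name("anton", ["Anton", "anton1"]))  # anton2
```

Because the check runs before any provisioning call, a reserved or colliding name costs one in-memory comparison rather than a failed add (and, with AD Recycle Bin enabled, a deleted-object entry) per attempt, and the bounded loop makes the worst case a handful of iterations rather than a thousand.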