[midPoint] Disable user in AD resource on delete from MidPoint

Ivan Noris ivan.noris at evolveum.com
Thu Nov 10 19:45:13 CET 2016


Hi,

the configuration for "disable instead of delete" works only for
unassigning "last role" - to tell midpoint that the account should be
disabled instead. Delete still works as usual.

Activation mapping is obviously not evaluated when you delete user (I
think no mappings are evaluated).

You can configure any resource to arbitrarily disable delete operation
using capabilities; in which case midPoint will throw an exception when
you try to delete the account.

        <capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
            <configured>
                <cap:create>
                    <cap:enabled>true</cap:enabled>
                </cap:create>
                <cap:update>
                    <cap:enabled>true</cap:enabled>
                </cap:update>
                <cap:delete>
                    <cap:enabled>false</cap:enabled>
                </cap:delete>
            </configured>
        </capabilities>

The drawback of disabling delete operation using capabilities is that
every delete operation (for account or not) will fail. You can also
modify the permissions of the technical account the connector uses, to
not allow deletes (it will throw exception as well).

The different approach is not to delete the users/accounts at all.

Regards,
Ivan

On 11/10/2016 06:07 PM, Ana Pereyra wrote:
> Hi everyone, 
>
> I have an Active Directory resource with the activation node
> configured like this:
>
> <activation>
>   <!-- Existence mapping hardcoded to TRUE in order not to
>        delete in the resource when deleted in MidPoint -->
>   <existence>
>     <outbound>
>       <expression>
>         <value>true</value>
>       </expression>
>     </outbound>
>   </existence>
>   <!-- If user exists and account is entitled -->
>   <administrativeStatus>
>     <outbound>
>       <expression>
>         <script>
>           <code>
>             import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
>             if (legal && assigned)
>             {
>               input;
>             }
>             else
>             {
>               ActivationStatusType.DISABLED;
>             }
>           </code>
>         </script>
>       </expression>
>     </outbound>
>   </administrativeStatus>
> </activation>
>
> What I need is the following:
>
>   * When a user that is linked is *disabled*, the account is *disabled*
>     in AD (Working)
>   * When a user has the *association* to AD *removed* (the resource is
>     removed from the user, or a role containing an inducement to the
>     resource is removed from the user), the account is *disabled* in
>     AD (Working)
>   * When a user that is linked is *DELETED* from MidPoint, the account
>     is *disabled* in AD (NOT WORKING). Currently, with this
>     configuration, when I delete a user that is linked in AD I get the
>     following error:
>
> Schema violation during processing shadow: shadow:
> CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> (OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema violation: Value of
> attribute '__NAME__' must be a single value, but it has 0values:
> Schema violation during processing shadow: shadow:
> CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> (OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema violation: Value of
> attribute '__NAME__' must be a single value, but it has 0values:
> Schema violation during processing shadow: shadow:
> CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> (OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema violation: Value of
> attribute '__NAME__' must be a single value, but it has 0values:
> Schema violation during processing shadow: shadow:
> CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> (OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema violation: Value of
> attribute '__NAME__' must be a single value, but it has 0values
>
> Can anyone please help me with this? Thanks in advance.
>
> Regards,
> -- 
> Ana Pereyra
> Identicum S.A.
> Jorge Newbery 3226, Argentina
> Tel: +54 (11) 4552.3050
> apereyra at identicum.com <mailto:apereyra at identicum.com>
> www.identicum.com <http://www.identicum.com/>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
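The directory-side form of Ivan's second option (removing the delete right from the technical account the connector binds as), as an added example that is not part of this thread and not midPoint's own code. It puts an explicit Deny ACE for DeleteChild, Delete and DeleteTree on the OU midPoint provisions into, then reads the ACL back to confirm the entry landed. The domain, service account name and OU distinguished name are assumptions; substitute your own.

```powershell
# Added example (not from the mailing-list thread): deny the midPoint
# connector's service account the right to delete objects under the OU it
# provisions into. A delete requested through the connector then fails at
# the domain controller and midPoint reports the error, while create and
# update (including disabling via userAccountControl) keep working.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-midpoint'                       # assumption
$TargetOu       = 'OU=Users,OU=Managed,DC=corp,DC=example'  # assumption

# Resolve the account to a SID so the ACE does not depend on name resolution later.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# DeleteChild: deleting objects directly under the OU.
# Delete / DeleteTree: deleting the object itself or a subtree; applied to
# descendants through inheritance so nested containers are covered too.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
$type   = [System.Security.AccessControl.AccessControlType]::Deny
$inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
           -ArgumentList @($sid, $rights, $type, $inh)

# Apply on top of whatever the account is already allowed; Deny wins over Allow.
$acl = Get-Acl -Path "AD:\$TargetOu"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Verification: show the ACEs that now apply to the service account on the OU.
# Expect a Deny row carrying DeleteChild, Delete, DeleteTree with InheritanceType All.
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

Run it as an account that holds WRITE_DAC on the OU. The caveat Ivan gives for the capability override applies here as well: every delete midPoint attempts through that account fails, including ones you do want, so the "disable on delete" behaviour has to come from a process that disables first (for example unassigning the last role before the user object is removed). The Deny is scoped to the OU subtree, so the connector keeps any delete rights it has elsewhere in the directory; audit those separately if the account was granted broad permissions at the domain root.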

