[midPoint] create user account in ldap in correct OU

Ivan Noris ivan.noris at evolveum.com
Wed Nov 23 13:46:51 CET 2016


Hi,

yes that's perfectly possible.

I would follow this principle (very rough description):

- if the organizations are created in HR, synchronize and create
organizational structure in midPoint according to HR

- propagate midPoint organizational structure (which is synced from HR)
to AD - as OUs, groups, whatever. As organizations will be created from
upside down, first the divisions will be created and then departments
etc. This propagation is best done with a (meta)role assigned to
organizations in midPoint

- users when assigned to organizations in midPoint will be provisioned
to AD using order=2 inducements in the same metarole which creates
organizational structure. The user DN will be probably constructed in
the metarole, in order=2 inducement mapping.

Please see:
https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
and https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test for
better understanding.

Regards,
Ivan

On 11/23/2016 01:18 PM, oleg okunev wrote:
> hi everyone
>
> can midPoint create a user account in LDAP in a different OU?
>
> i have users in different OUs - named by different Department.
> so i want in future when HR creates a new user and adds a Department field,
> midPoint will
>
> create OU in AD
> create user in this OU in AD
> create ORG in midpoint 
> associate this ORG with OU
> assign user in this ORG
>
> i don't understand how to do this.
> and in which order it is better to do it
>
> -- 
> oleg okunev 

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
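To make the principle above concrete, here is an added example of a midPoint metarole written for this thread; it is not code from Ivan's mail nor one of midPoint's own samples. It assumes: one AD resource (its OID is a placeholder), an LDAP connector that exposes the entry DN as ri:dn, a base DN of dc=example,dc=com, an object class definition on the resource with kind=generic/intent=ou for organizational units and kind=account/intent=default for users, and that the order=2 mapping can read the org the user is assigned to through the immediateRole variable. Every HR-synced org gets this metarole assigned; the first inducement (default order 1) applies to the org itself and creates its OU, the second (order=2) applies to users assigned to that org and builds their DN inside the OU.

```xml
<!-- Added illustration, not from the mailing list or midPoint samples.
     Placeholders: role OID, resource OID. Assumed: ri:dn, base DN,
     intents "ou" and "default", and the immediateRole variable. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="ROLE-OID-PLACEHOLDER">
    <name>Metarole: department in AD</name>

    <!-- Order 1 (default): evaluated for the org that holds this metarole.
         Creates one OU per org, named after the org. -->
    <inducement>
        <construction>
            <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
            <kind>generic</kind>
            <intent>ou</intent>
            <attribute>
                <ref>ri:dn</ref>
                <outbound>
                    <!-- "name" here is the org's own name -->
                    <source>
                        <path>name</path>
                    </source>
                    <expression>
                        <script>
                            <code>'ou=' + name + ',dc=example,dc=com'</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
        </construction>
    </inducement>

    <!-- Order 2: evaluated for users assigned to the org.
         Creates the user's AD account inside the org's OU. -->
    <inducement>
        <construction>
            <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <attribute>
                <ref>ri:dn</ref>
                <outbound>
                    <!-- "name" here is the user's name -->
                    <source>
                        <path>name</path>
                    </source>
                    <!-- the org directly assigned to the user (assumed variable) -->
                    <source>
                        <name>orgName</name>
                        <path>$immediateRole/name</path>
                    </source>
                    <expression>
                        <script>
                            <code>'cn=' + name + ',ou=' + orgName + ',dc=example,dc=com'</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
        </construction>
        <order>2</order>
    </inducement>
</role>
```

Because both DN components come straight from HR data (the department name and the user name), validate or escape DN-special characters (comma, plus, quote, backslash, angle brackets, semicolon, equals, leading/trailing spaces) before concatenating them, or a department renamed in HR can produce an invalid DN or an entry outside the intended OU.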



