[midPoint] Re. Group Membership in an AD Resource.
Deepak Natarajan
dnataraj at trilobytesystems.com
Tue Jan 7 17:39:49 CET 2014
Thank you very much Ivan, I will try this out.
Could you also please show me the namespace declaration for mr: ?
<matchingRule>mr:stringIgnoreCase</matchingRule>
I'm also curious about one other thing - how is reconcilation with AD
performing for you? I am trying to reconcile approx 5600 users between
Midpoint and AD, and this is typically taking our Midpoint installation
about 5 hours to complete (!). Of course, I have various scripting hooks
and a before-create vbs script for AD (that creates OU containers if
they don't exist for the users - but I can see that this takes utmost a
second or two from the connector server logs)
Thanks!
BR/Deepak
> Ivan Noris <mailto:ivan.noris at evolveum.com>
> January 7, 2014 at 5:23 PM
> Hi Deepak,
>
> I'm using the Active Directory connector to manage accounts in AD, and a
> mapping which assigns user to groups. I didn't have to change resource
> schema to use groups; it is available out of the box.
>
> The mapping is for the icfs:groups attribute and midPoint 2.2.x,
> although it should still be the same for 2.3.
>
> I've adapted this from actual customer configuration, removing the
> customer-specific code, but leaving the XML comments for you:
>
> <attribute>
> <ref>icfs:groups</ref>
> <displayName>Groups</displayName>
>
> <limitations>
> <access>
> <create>true</create>
> <read>true</read>
> <update>true</update>
> </access>
> </limitations>
> <!-- tolerant=false + strength=strong removes ALL other values including
> groups not managed by midpoint
>
> tolerant=true + strength=strong removes old group when the condition
> changes, keeping groups managed outside of midpoint -->
>
> <tolerant>true</tolerant><!-- See above -->
> <matchingRule>mr:stringIgnoreCase</matchingRule>
> <outbound>
> <strength>strong</strength><!-- See above -->
> <source>
> <path>$user/employeeType</path>
> </source>
> <expression>
> <script>
> <code>
> if (employeeType == 'FTE')
> {
> return 'CN=group1,.........................'
> }
>
> </code>
> </script>
> </expression>
> </outbound>
> </attribute>
>
> You may need to use our versions of Connector Server and Active
> Directory connector, there were some case-sensitivity issues in the
> original versions (causing groups like "cn=group1,... and CN=group1" to
> cause problems):
>
> http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/
>
> http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/
>
> And update your resource configuration:
>
> <icfc:resultsHandlerConfiguration>
> <!-- currently this requires latest Evolveum
> version of .net connector server -->
>
> <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
> </icfc:resultsHandlerConfiguration>
>
> <!-- Configuration specific for the Active Directory
> connector -->
>
> <icfc:configurationProperties
> . . .
>
> This is the combination I currently use and seems to work well.
>
> Hope this helps,
> regards,
> Ivan
>
> Deepak Natarajan <mailto:dnataraj at trilobytesystems.com>
> January 7, 2014 at 4:55 PM
> Hi -
>
> I'm trying to figure out how to implement group membership for an Active
> Directory resource.
>
> We are using Midpoint 2.3-SNAPSHOT.
>
> Is it still possible to execute this using the idea of LDAP groups
> described here :
> https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO (since AD
> supports LDAPv3)?
>
> Does anyone have any working configuration they can share that they use
> against Active Directory to provision users and also set up group
> memberships?
>
> Thanks in advance!
> BR/Deepak
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20140107/9dda9b4b/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20140107/9dda9b4b/attachment.jpg>
More information about the midPoint
mailing list