[midPoint] Re. Group Membership in an AD Resource.

Erik Ĺ uta suta.erik at gmail.com
Wed Jan 8 11:20:33 CET 2014


Hi Deepak,

MidPoint performance is an aspect that still needs a lot of work, but we
have spent
a significant amount of time on its improvements during last releases. In
last release,
we have integrated a very simple profiling tool to midPoint and I would
like to
ask you to use this tool during AD reconciliation and provide results for
further
analysis. If possible, we would like you to perform following measurements:

1.) Entry/Exit cycle measurement:
Please, refer to
https://wiki.evolveum.com/display/midPoint/Administration+Interface#AdministrationInterface-LoggingConfiguration
to turn on Entry/Exit profiling during AD reconciliation. This profiling
performs method Entry/Exit
analysis and it needs to be turned on for only couple of seconds, so it can
capture several single
user reconciliation processes.

2.) General Subsystem Profiling:
Please, refer to:
https://wiki.evolveum.com/display/midPoint/Administration+Interface#AdministrationInterface-ProfilingConfiguration
to configure general profiling. Just to be sure, check all subsystems
except "Workflow" and set Dump Interval
to a couple of minutes (2-5) and if possible, please run AD reconciliation
for 15-30 minutes.

More on midPoint profiling concepts can also be found here:
https://wiki.evolveum.com/display/midPoint/Profiling+Concepts#

Results of measurements can be seen in 'idm-profile.log' file(s) in
<tomcat_home>/logs directory. Please
provide these log file(s) so we can analyse it(them), find bottleneck and
improve performance.

P.S. If you have any problems or ideas using midPoint profiling, please
provide feedback since this
feature is still in development and any user feedback is much appreciated.


On Tue, Jan 7, 2014 at 5:39 PM, Deepak Natarajan <
dnataraj at trilobytesystems.com> wrote:

>
> Thank you very much Ivan, I will try this out.
>
> Could you also please show me the namespace declaration for mr: ?
>
> <matchingRule>mr:stringIgnoreCase</matchingRule>
>
> I'm also curious about one other thing - how is reconcilation with AD
> performing for you? I am trying to reconcile approx 5600 users between
> Midpoint and AD, and this is typically taking our Midpoint installation
> about 5 hours to complete (!). Of course, I have various scripting hooks
> and a before-create vbs script for AD (that creates OU containers if they
> don't exist for the users - but I can see that this takes utmost a second
> or two from the connector server logs)
>
> Thanks!
>
> BR/Deepak
>
>   Ivan Noris <ivan.noris at evolveum.com>
>  January 7, 2014 at 5:23 PM
> Hi Deepak,
>
> I'm using the Active Directory connector to manage accounts in AD, and a
> mapping which assigns user to groups. I didn't have to change resource
> schema to use groups; it is available out of the box.
>
> The mapping is for the icfs:groups attribute and midPoint 2.2.x,
> although it should still be the same for 2.3.
>
> I've adapted this from actual customer configuration, removing the
> customer-specific code, but leaving the XML comments for you:
>
> <attribute>
> <ref>icfs:groups</ref>
> <displayName>Groups</displayName>
>
> <limitations>
> <access>
> <create>true</create>
> <read>true</read>
> <update>true</update>
> </access>
> </limitations>
> <!-- tolerant=false + strength=strong removes ALL other values including
> groups not managed by midpoint
>
> tolerant=true + strength=strong removes old group when the condition
> changes, keeping groups managed outside of midpoint -->
>
> <tolerant>true</tolerant><!-- See above -->
> <matchingRule>mr:stringIgnoreCase</matchingRule>
> <outbound>
> <strength>strong</strength><!-- See above -->
> <source>
> <path>$user/employeeType</path>
> </source>
> <expression>
> <script>
> <code>
> if (employeeType == 'FTE')
> {
> return 'CN=group1,.........................'
> }
>
> </code>
> </script>
> </expression>
> </outbound>
> </attribute>
>
> You may need to use our versions of Connector Server and Active
> Directory connector, there were some case-sensitivity issues in the
> original versions (causing groups like "cn=group1,... and CN=group1" to
> cause problems):
>
>
> http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/
>
>
> http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/
>
> And update your resource configuration:
>
> <icfc:resultsHandlerConfiguration>
> <!-- currently this requires latest Evolveum
> version of .net connector server -->
>
>
> <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
> </icfc:resultsHandlerConfiguration>
>
> <!-- Configuration specific for the Active Directory
> connector -->
>
> <icfc:configurationProperties
> . . .
>
> This is the combination I currently use and seems to work well.
>
> Hope this helps,
> regards,
> Ivan
>
>   Deepak Natarajan <dnataraj at trilobytesystems.com>
>  January 7, 2014 at 4:55 PM
> Hi -
>
> I'm trying to figure out how to implement group membership for an Active
> Directory resource.
>
> We are using Midpoint 2.3-SNAPSHOT.
>
> Is it still possible to execute this using the idea of LDAP groups
> described here :
> https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO (since AD
> supports LDAPv3)?
>
> Does anyone have any working configuration they can share that they use
> against Active Directory to provision users and also set up group
> memberships?
>
> Thanks in advance!
> BR/Deepak
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20140108/d9d8dc67/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20140108/d9d8dc67/attachment.jpg>


More information about the midPoint mailing list