[midPoint] Re. Group Membership in an AD Resource.

Deepak Natarajan dnataraj at trilobytesystems.com
Wed Jan 8 13:05:32 CET 2014


Hi Erik -

Thank you for your detailed email.

I will try to profile when I get a chance to run the reconciliation
again next and return to you with some results.

BR/Deepak

> Erik Šuta <mailto:suta.erik at gmail.com>
> January 8, 2014 at 11:20 AM
> Hi Deepak,
>
> MidPoint performance is an aspect that still needs a lot of work, but
> we have spent a significant amount of time on its improvement during
> the last releases. In the last release, we have integrated a very
> simple profiling tool into midPoint and I would like to ask you to use
> this tool during AD reconciliation and provide results for further
> analysis. If possible, we would like you to perform the following
> measurements:
>
> 1.) Entry/Exit cycle measurement:
> Please, refer to
> https://wiki.evolveum.com/display/midPoint/Administration+Interface#AdministrationInterface-LoggingConfiguration
>  
> to turn on Entry/Exit profiling during AD reconciliation. This
> profiling performs method Entry/Exit
> analysis and it needs to be turned on for only couple of seconds, so
> it can capture several single
> user reconciliation processes.
>
> 2.) General Subsystem Profiling:
> Please, refer to:
> https://wiki.evolveum.com/display/midPoint/Administration+Interface#AdministrationInterface-ProfilingConfiguration
> to configure general profiling. Just to be sure, check all subsystems
> except "Workflow" and set Dump Interval
> to a couple of minutes (2-5) and if possible, please run AD
> reconciliation for 15-30 minutes.
>
> More on midPoint profiling concepts can also be found here:
> https://wiki.evolveum.com/display/midPoint/Profiling+Concepts#
>
> Results of measurements can be seen in the 'idm-profile.log' file(s) in
> the <tomcat_home>/logs directory. Please provide these log file(s) so
> we can analyse them, find bottlenecks and improve performance.
>
> P.S. If you have any problems or ideas using midPoint profiling,
> please provide feedback since this
> feature is still in development and any user feedback is much
> appreciated. 
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> Deepak Natarajan <mailto:dnataraj at trilobytesystems.com>
> January 7, 2014 at 5:39 PM
>
> Thank you very much Ivan, I will try this out.
>  
> Could you also please show me the namespace declaration for mr: ?
>
> <matchingRule>mr:stringIgnoreCase</matchingRule>
>
> I'm also curious about one other thing - how is reconciliation with AD
> performing for you? I am trying to reconcile approx 5600 users between
> Midpoint and AD, and this is typically taking our Midpoint
> installation about 5 hours to complete (!). Of course, I have various
> scripting hooks and a before-create vbs script for AD (that creates OU
> containers if they don't exist for the users - but I can see that this
> takes utmost a second or two from the connector server logs)
>
> Thanks!
>
> BR/Deepak
>
> Ivan Noris <mailto:ivan.noris at evolveum.com>
> January 7, 2014 at 5:23 PM
> Hi Deepak,
>
> I'm using the Active Directory connector to manage accounts in AD, and a
> mapping which assigns user to groups. I didn't have to change resource
> schema to use groups; it is available out of the box.
>
> The mapping is for the icfs:groups attribute and midPoint 2.2.x,
> although it should still be the same for 2.3.
>
> I've adapted this from actual customer configuration, removing the
> customer-specific code, but leaving the XML comments for you:
>
> <attribute>
> <ref>icfs:groups</ref>
> <displayName>Groups</displayName>
>
> <limitations>
> <access>
> <create>true</create>
> <read>true</read>
> <update>true</update>
> </access>
> </limitations>
> <!-- tolerant=false + strength=strong removes ALL other values including
> groups not managed by midpoint
>
> tolerant=true + strength=strong removes old group when the condition
> changes, keeping groups managed outside of midpoint -->
>
> <tolerant>true</tolerant><!-- See above -->
> <matchingRule>mr:stringIgnoreCase</matchingRule>
> <outbound>
> <strength>strong</strength><!-- See above -->
> <source>
> <path>$user/employeeType</path>
> </source>
> <expression>
> <script>
> <code>
> if (employeeType == 'FTE')
> {
> return 'CN=group1,.........................'
> }
>
> </code>
> </script>
> </expression>
> </outbound>
> </attribute>
>
> You may need to use our versions of Connector Server and Active
> Directory connector, there were some case-sensitivity issues in the
> original versions (causing groups like "cn=group1,... and CN=group1" to
> cause problems):
>
> http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/
>
> http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/
>
> And update your resource configuration:
>
> <icfc:resultsHandlerConfiguration>
> <!-- currently this requires latest Evolveum
> version of .net connector server -->
>
> <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
> </icfc:resultsHandlerConfiguration>
>
> <!-- Configuration specific for the Active Directory
> connector -->
>
> <icfc:configurationProperties
> . . .
>
> This is the combination I currently use and seems to work well.
>
> Hope this helps,
> regards,
> Ivan
>
> Deepak Natarajan <mailto:dnataraj at trilobytesystems.com>
> January 7, 2014 at 4:55 PM
> Hi -
>
> I'm trying to figure out how to implement group membership for an Active
> Directory resource.
>
> We are using Midpoint 2.3-SNAPSHOT.
>
> Is it still possible to execute this using the idea of LDAP groups
> described here :
> https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO (since AD
> supports LDAPv3)?
>
> Does anyone have any working configuration they can share that they use
> against Active Directory to provision users and also set up group
> memberships?
>
> Thanks in advance!
> BR/Deepak
>
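The tolerant/strength behaviour Ivan describes for the icfs:groups mapping, modelled as an added illustration that is neither midPoint code nor from any poster: the group DN suffix and the externally managed 'VPN-Users' group are constructed, and the consolidation rules follow his comment (tolerant=false + strong replaces every value on the account; tolerant=true + strong drops only the mapping's previous output) together with the case-insensitive mr:stringIgnoreCase comparison.

```python
"""Constructed model of how a strong outbound mapping for icfs:groups is
consolidated onto an AD account. Not midPoint's own implementation."""
from typing import Iterable, Set

# constructed placeholder DN; the thread elides the real suffix
GROUP1 = "CN=group1,OU=Groups,DC=example,DC=com"


def norm(dn: str, ignore_case: bool = True) -> str:
    """Comparison key for a group DN. With mr:stringIgnoreCase
    'cn=group1,...' and 'CN=group1,...' are one value; without the
    matching rule they are two different values."""
    return dn.strip().lower() if ignore_case else dn.strip()


def mapping(employee_type: str) -> Set[str]:
    """The script from the thread: FTE employees get group1, others nothing."""
    return {GROUP1} if employee_type == "FTE" else set()


def consolidate(current: Iterable[str], old_type: str, new_type: str,
                tolerant: bool, ignore_case: bool = True) -> Set[str]:
    """Return the groups midPoint would leave on the account.

    tolerant=False: the mapping output is authoritative; every other value,
    including groups managed outside midPoint, is removed.
    tolerant=True: only values the mapping produced before (old_type) and no
    longer produces (new_type) are removed; everything else is kept.
    """
    new_values = mapping(new_type)
    if not tolerant:
        return set(new_values)
    old_keys = {norm(v, ignore_case) for v in mapping(old_type)}
    new_keys = {norm(v, ignore_case) for v in new_values}
    kept = {v for v in current
            if norm(v, ignore_case) not in old_keys
            or norm(v, ignore_case) in new_keys}
    present = {norm(v, ignore_case) for v in kept}
    # add mapping output that the account does not already carry
    return kept | {v for v in new_values if norm(v, ignore_case) not in present}


# constructed account state: group1 already present in lower case, plus a
# group that midPoint does not manage
SAMPLE_AD_GROUPS = {"cn=group1,OU=Groups,DC=example,DC=com",
                    "CN=VPN-Users,OU=Groups,DC=example,DC=com"}
```

Running with ignore_case=False reproduces the case-sensitivity problem Ivan mentions: the existing 'cn=group1' value is kept and 'CN=group1' is added beside it instead of being recognised as the same membership.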