[midPoint] Existing Active Directory Users

Ivan Noris Ivan.Noris at evolveum.com
Thu Oct 16 17:27:36 CEST 2014 

Hi Jason, 

> AD only needs to be authoritative during the initial deployment since we have
> thousands of accounts in AD, after that, all accounts will be modified/added
> using midpoint.

> I think using the method I outlined last to build the DN is more or less what
> I am moving towards. I have looked through AD attributes and the attribute,
> "ou" in AD is not used and would make sense to populate that attribute with
> the actual OU. I can simply use a powershell script to add the correct value
> to this attribute based on the users current ou and then build the DN in
> midpoint off this value.

> Using the "ou" attribute in AD might also be the best way since later on I
> can use the attribute in roles and orgs, I have been looking to the orgsync
> story test on github for inspiration.

You can use PS script in AD to fill "ou" attribute in accounts and then import it to midPoint, but you can construct the value directly during initial import in inbound expression with no changes in AD. Roughly - something like this: 

<attribute> 
<ref>icfs:name</ref> 
<displayName>Distinguished Name</displayName> 
<inbound> 
<expression> 
<script> 
<code> 
// parse OU value from variable named input (represents DN) using groovy regular expressions 
// e.g. from OU=The Student,DC=TEST,DC=LOCAL take "The Student" value 
// please fix the regular expression according to your setup, this is just a rough example 

re = /(?i)^.*OU=(.*),DC=TEST,DC=LOCAL$/ 
matcher = (input =~ re) 
if (matcher.matches()) return matcher[0][1] 

// will be stored in user/organization attribute, modify as needed 
</code> 
</script> 
</expression> 
<target> 
<path>$user/organization</path> 
</target> 
</inbound> 
</attribute> 

This is also to show you the power of the expressions in the mappings. 

Regards, 
Ivan 

-- 
Ing. Ivan Noris 
Senior Identity Management Engineer 
evolveum.com 
___________________________________________ 
"Idem per idem - semper idem Vix." 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141016/c97a07ac/attachment.htm>

More information about the midPoint mailing list