[midPoint] Ignore Active Directory OUs
Ivan Noris
Ivan.Noris at evolveum.com
Mon Oct 27 09:53:13 CET 2014
Hi Jason,
> Back to AD Resource, Just thinking about our production AD Farm:
> Can I have midpoint ignore certain OUs from the resource xml? There are some
> OUs in AD I would really not like for Midpoint to see or manage, maybe a
> filter?
> JASON
There are multiple ways of configuring this:
1) you can have your permissions in AD restricted to be able to see only what you want to see
2) the configuration property Container might be multivalued (never tested for AD), and you can specify multiple subtrees (for OpenDJ and the LDAP connector this works)
3) you can configure Protected Accounts
https://wiki.evolveum.com/display/midPoint/Protected+Accounts
https://jira.evolveum.com/browse/MID-859
Some examples for Protected Accounts:
- to ignore all (account) objects with carLicense=ignoreme:
  <protected>
    <filter>
      <q:equal>
        <q:matching>stringIgnoreCase</q:matching>
        <q:path>
          declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
          attributes/ri:carLicense
        </q:path>
        <q:value>ignoreme</q:value>
      </q:equal>
    </filter>
  </protected>
- to ignore all (account) objects under ou=supersecret:
  <protected>
    <filter>
      <q:substring>
        <q:matching>stringIgnoreCase</q:matching>
        <q:path>
          declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
          attributes/icfs:name
        </q:path>
        <q:value>ou=supersecret,ou=Users,ou=BA,ou=CUSTOMER,dc=example,dc=com</q:value>
        <q:anchorEnd>true</q:anchorEnd>
      </q:substring>
    </filter>
  </protected>
midPoint will "see" the protected accounts, but it will mark each such account in the Shadow object as protected and will not allow its modification.
Regards,
Ivan
--
Ing. Ivan Noris
Senior Identity Management Engineer
evolveum.com
___________________________________________
"Idem per idem - semper idem Vix."
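To check which shadows the two filters above would actually mark as protected before committing them to a resource, here is an added Python example (not midPoint's code and not from the mail): it parses both <protected> blocks and evaluates them against a few constructed shadow attribute sets. It assumes the q: prefix maps to midPoint's prism query-3 namespace and models stringIgnoreCase and the substring anchors with plain Python string matching.

```python
import re
import xml.etree.ElementTree as ET
# Assumption: q: is midPoint's prism query namespace; the mail's snippets leave it undeclared.
Q = "{http://prism.evolveum.com/xml/ns/public/query-3}"
# The two <protected> filters from the mail, verbatim apart from the added xmlns:q declaration.
EQUAL_FILTER = """<protected xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"><filter><q:equal>
  <q:matching>stringIgnoreCase</q:matching>
  <q:path>declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"; attributes/ri:carLicense</q:path>
  <q:value>ignoreme</q:value>
</q:equal></filter></protected>"""
SUBSTRING_FILTER = """<protected xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"><filter><q:substring>
  <q:matching>stringIgnoreCase</q:matching>
  <q:path>declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"; attributes/icfs:name</q:path>
  <q:value>ou=supersecret,ou=Users,ou=BA,ou=CUSTOMER,dc=example,dc=com</q:value>
  <q:anchorEnd>true</q:anchorEnd>
</q:substring></filter></protected>"""
def parse_protected(xml_text):
    # Reduce one <protected> block to a rule dict; the item path's last step names the attribute.
    node = ET.fromstring(xml_text).find("filter")[0]               # the single q:equal / q:substring
    last_step = node.findtext(Q + "path").strip().split("/")[-1]   # e.g. 'ri:carLicense'
    return {"kind": node.tag.replace(Q, ""),
            "attr": last_step.split(":")[-1],
            "value": node.findtext(Q + "value"),
            "matching": node.findtext(Q + "matching", "default"),
            "anchorStart": node.findtext(Q + "anchorStart", "false") == "true",
            "anchorEnd": node.findtext(Q + "anchorEnd", "false") == "true"}

def is_protected(shadow_attrs, rule):
    # True when the shadow satisfies the rule, i.e. midPoint would mark it protected.
    actual, expected = shadow_attrs.get(rule["attr"]), rule["value"]
    if actual is None:
        return False
    if rule["matching"] == "stringIgnoreCase":
        actual, expected = actual.lower(), expected.lower()
    if rule["kind"] == "equal":
        return actual == expected
    if rule["kind"] == "substring":                                # anchors pin the match to start/end
        pattern = ("^" if rule["anchorStart"] else "") + re.escape(expected) + ("$" if rule["anchorEnd"] else "")
        return re.search(pattern, actual) is not None
    raise ValueError("unsupported filter: " + rule["kind"])

ACCOUNTS = {  # constructed sample shadows (attribute -> value); icfs:name is the DN on LDAP/AD connectors
    "alice": {"name": "cn=alice,ou=Users,ou=BA,ou=CUSTOMER,dc=example,dc=com", "carLicense": "ABC123"},
    "bob": {"name": "cn=bob,ou=Users,ou=BA,ou=CUSTOMER,dc=example,dc=com", "carLicense": "IgnoreMe"},
    "svc-backup": {"name": "cn=svc-backup,ou=supersecret,ou=Users,ou=BA,ou=CUSTOMER,dc=example,dc=com"},
    "nested": {"name": "cn=x,ou=vault,ou=supersecret,ou=Users,ou=BA,ou=CUSTOMER,dc=example,dc=com"},
}

def protected_accounts(accounts, rules):  # names of the sample shadows that at least one rule protects
    return sorted(n for n, a in accounts.items() if any(is_protected(a, r) for r in rules))
```

The anchorEnd substring filter also protects objects in containers nested below ou=supersecret, which is normally what you want for a whole subtree; a filter without anchorEnd would additionally match any DN that merely contains that string.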