[midPoint] Ignore Active Directory OUs
Jason Everling
jeverling at bshp.edu
Mon Oct 27 15:01:52 CET 2014
You know, I have been managing AD Forests for many many years and have
never had to grant specific permissions to specific OUs, I never thought
about doing that since I have never had to do it! Wonderful suggestion!
JASON
On Mon, Oct 27, 2014 at 3:53 AM, Ivan Noris <Ivan.Noris at evolveum.com> wrote:
> Hi Jason,
>
>
> Back to AD Resource, Just thinking about our production AD Farm:
>
> Can I have midpoint ignore certain OUs from the resource xml? There are
> some OUs in AD I would really not like for Midpoint to see or manage, maybe
> a filter?
>
> JASON
>
>
>
> There are multiple ways of configuring this:
>
> 1) you can have your permissions in AD restricted to be able to see only
> what you want to see
> 2) configuration property Container might be (never tested for AD)
> multivalue and you can specify multiple subtrees (for OpenDJ and LDAP
> connector this works)
> 3) you can configure Protected Accounts
>
> https://wiki.evolveum.com/display/midPoint/Protected+Accounts
> https://jira.evolveum.com/browse/MID-859
>
> Some examples for Protected Accounts:
>
> - to ignore all (account) objects with carLicense=ignoreme
>
> <protected>
> <filter>
> <q:equal>
> <q:matching>stringIgnoreCase</q:matching>
> <q:path>
> declare namespace ri="
> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
> attributes/ri:carLicense
> </q:path>
> <q:value>ignoreme</q:value>
> </q:equal>
> </filter>
> </protected>
>
> - to ignore all (account) objects under ou=supersecret:
> <protected>
> <filter>
> <q:substring>
> <q:matching>stringIgnoreCase</q:matching>
> <q:path>
> declare namespace icfs="
> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3
> ";
> attributes/icfs:name
> </q:path>
>
> <q:value>ou=supersecret,ou=Users,ou=BA,ou=CUSTOMER,dc=example,dc=com</q:value>
> *<q:anchorEnd>true</q:anchorEnd>*
> </q:substring>
> </filter>
> </protected>
>
> midPoint will "see" the protected accounts, but it will mark each such
> account in the Shadow object as protected and will not allow its
> modification.
>
> Regards,
> Ivan
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer
> evolveum.com
> ___________________________________________
> "Idem per idem - semper idem Vix."
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
--
CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential;
intended for only the recipient(s) named above and may contain information
that is privileged. You should not retain, copy or use this e-mail or any
attachments for any purpose, or disclose all or any part of the contents to
any person. Any views or opinions expressed in this e-mail are those of the
author and do not represent those of the Baptist School of Health
Professions. If you have received this e-mail in error, or are not the
named recipient(s), you are hereby notified that any review, dissemination,
distribution or copying of this communication is prohibited by the sender
and to do so might constitute a violation of the Electronic Communications
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
sender and delete this e-mail and any attachments from your computer.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141027/cd72c296/attachment.htm>
More information about the midPoint
mailing list