[midPoint] Ignore Active Directory OUs

Jason Everling jeverling at bshp.edu
Mon Oct 27 16:07:58 CET 2014


Oh I would just lock down the midpoint ad account to the certain OUs, I
know how to do it I have just never had to do it so it wasn't something I
had thought about using.

There are multiple OUs 15-20 and Accounts, a ton more than I can count,
that I want to ignore so going this route would be easier than adding
individual accounts in the resource XML

JASON

On Mon, Oct 27, 2014 at 9:56 AM, Ivan Noris <Ivan.Noris at evolveum.com> wrote:

> Hi Jason,
>
> you can use "Delegated Administration" (or Control?) within the AD "Users
> and Computers" tool. The only disadvantage is that the wizard is usable
> only for delegating the access, not for further editing (the wizard cannot
> be used to add/remove something later).
>
> You can use either this or the Protected Accounts feature in midPoint.
> Select what's better for you.
>
> We commonly use the Delegated Administration to assign permissions for our
> technical user, to be, e.g. able to create/read/update/delete Users, Groups
> and OUs, but not other objects.
>
> Regards,
> Ivan
>
> ------------------------------
>
> *From: *"Jason Everling" <jeverling at bshp.edu>
> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
> *Sent: *Monday, October 27, 2014 3:01:52 PM
> *Subject: *Re: [midPoint] Ignore Active Directory OUs
>
>
> You know, I have been managing AD Forests for many many years and have
> never had to grant specific permissions to specific OUs, I never thought
> about doing that since I have never had to do it! Wonderful suggestion!
>
> JASON
>
> On Mon, Oct 27, 2014 at 3:53 AM, Ivan Noris <Ivan.Noris at evolveum.com>
> wrote:
>
>> Hi Jason,
>>
>>
>> Back to AD Resource, Just thinking about our production AD Farm:
>>
>> Can I have midpoint ignore certain OUs from the resource xml? There are
>> some OUs in AD I would really not like for Midpoint to see or manage, maybe
>> a filter?
>>
>> JASON
>>
>>
>>
>> There are multiple ways of configuring this:
>>
>> 1) you can have your permissions in AD restricted to be able to see only
>> what you want to see
>> 2) configuration property Container might be (never tested for AD)
>> multivalue and you can specify multiple subtrees (for OpenDJ and LDAP
>> connector this works)
>> 3) you can configure Protected Accounts
>>
>> https://wiki.evolveum.com/display/midPoint/Protected+Accounts
>> https://jira.evolveum.com/browse/MID-859
>>
>> Some examples for Protected Accounts:
>>
>> - to ignore all (account) objects with carLicense=ignoreme
>>
>>             <protected>
>>                 <filter>
>>                     <q:equal>
>>                         <q:matching>stringIgnoreCase</q:matching>
>>                         <q:path>
>> declare namespace ri="
>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
>> attributes/ri:carLicense
>>                          </q:path>
>>                         <q:value>ignoreme</q:value>
>>                     </q:equal>
>>                </filter>
>>             </protected>
>>
>> - to ignore all (account) objects under ou=supersecret:
>>            <protected>
>>                 <filter>
>>                     <q:substring>
>>                         <q:matching>stringIgnoreCase</q:matching>
>>                         <q:path>
>> declare namespace icfs="
>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3
>> ";
>> attributes/icfs:name
>>                          </q:path>
>>
>> <q:value>ou=supersecret,ou=Users,ou=BA,ou=CUSTOMER,dc=example,dc=com</q:value>
>>                          *<q:anchorEnd>true</q:anchorEnd>*
>>                     </q:substring>
>>                </filter>
>>             </protected>
>>
>> midPoint will "see" the protected accounts, but it will mark each such
>> account in the Shadow object as protected and will not allow its
>> modification.
>>
>> Regards,
>> Ivan
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com
>>   ___________________________________________
>>            "Idem per idem - semper idem Vix."
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com
>   ___________________________________________
>            "Idem per idem - semper idem Vix."
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>

-- 


CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; 
intended for only the recipient(s) named above and may contain information 
that is privileged. You should not retain, copy or use this e-mail or any 
attachments for any purpose, or disclose all or any part of the contents to 
any person. Any views or opinions expressed in this e-mail are those of the 
author and do not represent those of the Baptist School of Health 
Professions. If you have received this e-mail in error, or are not the 
named recipient(s), you are hereby notified that any review, dissemination, 
distribution or copying of this communication is prohibited by the sender 
and to do so might constitute a violation of the Electronic Communications 
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the 
sender and delete this e-mail and any attachments from your computer. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20141027/f4a0c934/attachment.htm>


More information about the midPoint mailing list