[midPoint] Ad-hoc Reconciliation

Martin Lízner - AMI Praha a.s. martin.lizner at ami.cz
Tue Mar 31 14:13:56 CEST 2015


Hi guys, I'm in a situation where I have one really big LDAP with no changelog,
which can be fully reconciled e.g. every 24 hours. I get new identities
being synced from a DB resource every minute or so. Right after a new DB user
is created in midPoint I need to ad hoc reconcile this user with the LDAP
resource. I can look up the user via the email attribute; I don't know the LDAP DN yet.

I guess that the typical correlation logic in synchronization won't help me
here, since I need to query the resource, not the IdM. I came up with these two
solutions, but I don't know how to implement them in midPoint. And maybe
there is a better way...

1. Query resource objects in the LDAP connector. Using a standard LDAP filter
with email=XXX and fetching the DN => linking to the midPoint User. I'm not sure if
midPoint can do these queries yet.

2. Query shadow objects in the midPoint repo. These would have been loaded in the
last reconciliation. It wouldn't be 100% online, but might work for my business
case. Unfortunately, I haven't found how to extend the shadow schema in the docs
:-(

Please help, if you can :-)

Regards, Martin

Martin Lízner
solution architect

gsm: [+420] 737 745 571
e-mail: martin.lizner at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz



<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/audit-roli-a-opravneni-sap>
By the text of this e-mail the signatory neither promises to conclude nor concludes
any contract on behalf of AMI Praha a.s. Any contract, if concluded, must be exclusively
in written form.