[midPoint] Enabling accounts in AD while importing from external resource

Ivan Noris ivan.noris at evolveum.com
Thu May 28 11:15:49 CEST 2015


Hi,

to set the AD account status you need a standard outbound mapping for AD:

                                <activation>
                                        <administrativeStatus>
                                                <outbound/>
                                        </administrativeStatus>
                                </activation>

Do you have this mapping, and it still does not work?

BTW to configure the CSV resource to actually understand the
"enabled"/"disabled" status you can use simulated capabilities:

                <capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
                        <configured>
                                <cap:activation>
                                        <cap:status>
                                                <cap:attribute>ri:hrStatus</cap:attribute>
                                                <cap:enableValue/>
                                                <cap:disableValue>REJ</cap:disableValue>
                                        </cap:status>
                                </cap:activation>
                        </configured>
                </capabilities>

This means that the resource account attribute *hrStatus* is used for the
enable/disable decision. Value "REJ" means "disabled"; empty value means
"enabled". Modify as needed.

Then use the standard inbound in the CSV resource schema handling:
                                <activation>
                                        <administrativeStatus>
                                                <inbound/>
                                        </administrativeStatus>
                                </activation>

We use similar code in our CSV, DBTable and LDAP resources in
samples/resources. I have a similar situation in multiple projects where
we create a user in midPoint based on an authoritative source and provision
the accounts automatically to other resources.

Hope this helps.
Regards,
Ivan

On 05/22/2015 02:12 PM, Алексей Ващенков wrote:
> Hi. 
>
> I have trouble configuring first-time user creation while importing from an HR resource. We have in our resource an attribute which indicates if an employee is hired or fired. And here is the mapping of this attribute.
>    <mapping>
>       <authoritative>false</authoritative>
>       <exclusive>true</exclusive>
>       <source>
>          <name>hrStatus</name>
>          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/extension/hrStatus</c:path>
>       </source>
>       <expression>
>          <script>
>             <code>
>             import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
>             return hrStatus.toString().equals('REJ')?ActivationStatusType.DISABLED:ActivationStatusType.ENABLED;
>           </code>
>          </script>
>       </expression>
>       <target>
>          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/activation/administrativeStatus</c:path>
>       </target>
>    </mapping>
>
> It works fine. AdministrativeStatus in midPoint is set as needed.
> While creating a user from the HR resource we need to create an account in AD. Accounts are created but the administrative status of them is disabled. If I disable and then enable the account in midPoint, the account in AD is enabled.
> What should I do to set the right AdministrativeStatus in AD when the account is being created?

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."

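A check for the configuration discussed in the message above, as an added example that is not part of the original e-mail or of midPoint: a Python script that parses a resource definition and reports whether the activation mappings and the simulated activation capability are present. The two sample resources are constructed, and their `schemaHandling`/`objectType` layout and the `audit_resource`/`findings` names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
CAP = "http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
NS = {"c": C, "cap": CAP}

def audit_resource(xml_text):
    """Report which activation settings a resource definition contains."""
    root = ET.fromstring(xml_text)
    status = ".//c:activation/c:administrativeStatus/"
    report = {"outbound": root.find(status + "c:outbound", NS) is not None,
              "inbound": root.find(status + "c:inbound", NS) is not None,
              "simulated": None}
    sim = root.find(".//c:capabilities/c:configured/cap:activation/cap:status", NS)
    if sim is not None:
        def values(tag):  # an empty <cap:enableValue/> has text None; report ""
            return [(e.text or "").strip() for e in sim.findall(tag, NS)]
        report["simulated"] = {"attribute": sim.findtext("cap:attribute", "", NS).strip(),
                               "enable": values("cap:enableValue"),
                               "disable": values("cap:disableValue")}
    return report

def findings(report, role):
    """role: 'source' (authoritative feed such as the HR CSV) or 'target' (AD)."""
    out = []
    if role == "target" and not report["outbound"]:
        out.append("no outbound administrativeStatus mapping")
    if role == "source":
        if not report["inbound"]:
            out.append("no inbound administrativeStatus mapping")
        if report["simulated"] is None:
            out.append("no simulated activation capability")
        elif not report["simulated"]["disable"]:
            out.append("simulated activation has no disableValue")
    return out

# Constructed sample resources (assumed layout, trimmed to the relevant elements).
AD_MISSING = f"""<resource xmlns="{C}"><name>AD (constructed)</name>
 <schemaHandling><objectType><activation/></objectType></schemaHandling></resource>"""
CSV_OK = f"""<resource xmlns="{C}" xmlns:cap="{CAP}"><name>HR CSV (constructed)</name>
 <schemaHandling><objectType><activation><administrativeStatus><inbound/>
 </administrativeStatus></activation></objectType></schemaHandling>
 <capabilities><configured><cap:activation><cap:status>
  <cap:attribute>ri:hrStatus</cap:attribute><cap:enableValue/>
  <cap:disableValue>REJ</cap:disableValue>
 </cap:status></cap:activation></configured></capabilities></resource>"""

if __name__ == "__main__":
    for name, xml, role in (("AD", AD_MISSING, "target"), ("CSV", CSV_OK, "source")):
        print(name, findings(audit_resource(xml), role) or "ok")
```

The "no simulated activation capability" finding applies only to sources whose connector has no native enable/disable status, such as the CSV resource in this thread.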