[midPoint] Help on disabling Active Directory account

Pavol Mederly mederly at evolveum.com
Tue Oct 13 00:11:36 CEST 2015


Hello Fabio,

The problem with your code is that activation/administrativeStatus is not a 
real attribute. It is a property of the shadow, not an attribute of the 
resource object.

I would solve your problem by setting administrativeStatus in the 
<activation> part of the AD resource schema handling - not in the Org 
inducement.

The code could look like this - well, it's just one of the possibilities:

          <activation>
             <administrativeStatus>
                <outbound>
                   <strength>strong</strength>
                   <source>
                      <c:path>assignment</c:path>
                   </source>
                   <expression>
                      <value>enabled</value>
                   </expression>
                   <condition>
                      <script>
                         <code>
                            !midpoint.isDirectlyAssigned(user, 'a4ce0d72-ebf5-4214-9d76-65f1a98a6ea3')
                         </code>
                      </script>
                   </condition>
                </outbound>
                <outbound>
                   <strength>strong</strength>
                   <source>
                      <c:path>assignment</c:path>
                   </source>
                   <expression>
                      <value>disabled</value>
                   </expression>
                   <condition>
                      <script>
                         <code>
                            midpoint.isDirectlyAssigned(user, 'a4ce0d72-ebf5-4214-9d76-65f1a98a6ea3')
                         </code>
                      </script>
                   </condition>
                </outbound>
             </administrativeStatus>
          </activation>


In 3.3-snapshot this does not work because of a bug 
<https://jira.evolveum.com/browse/MID-2618>, but in 3.2 it could work 
(please try).

Best regards,
Pavol


On 12. 10. 2015 18:59, Fabio Contessi wrote:
> Hi,
>
> I’m using midPoint 3.2 and I have an Active Directory as target 
> resource. I need to disable an Active Directory account when the user 
> linked to the account is assigned to a particular midPoint 
> Organizational Unit.
>
> In the inducement section of the OU I have this code snippet:
>
> <inducement id="1">
>   <construction>
>     <resourceRef oid="Resource-ActiveDirectory" type="c:ResourceType"></resourceRef>
>     <kind>account</kind>
>     <attribute>
>       <c:ref>activation/administrativeStatus</c:ref>
>       <outbound>
>         <expression>
>           <value>disabled</value>
>         </expression>
>       </outbound>
>     </attribute>
>   </construction>
> </inducement>
>
> When I assign a midPoint user to the Organizational Unit, I receive an 
> error and the operation fails.
>
> What am I doing wrong? What is the correct way to do that?
>
> Thanks in advance for the help.
>
> Regards.
>
>   Fabio

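A pre-deployment check for the mistake discussed in this thread, as an added example that is not part of the original messages or midPoint's own code: it scans an exported object's XML for construction `<attribute>` entries whose `ref` points under `activation/`. The sample org, its name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the inducement quoted in this thread (not a real export).
SAMPLE_ORG = """\
<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Disabled-Accounts</name>
  <inducement id="1">
    <construction>
      <resourceRef oid="Resource-ActiveDirectory" type="c:ResourceType"/>
      <kind>account</kind>
      <attribute>
        <c:ref>activation/administrativeStatus</c:ref>
        <outbound><expression><value>disabled</value></expression></outbound>
      </attribute>
      <attribute>
        <c:ref>ri:description</c:ref>
        <outbound><expression><value>parked</value></expression></outbound>
      </attribute>
    </construction>
  </inducement>
</org>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_activation_attribute_refs(xml_text):
    """Return (holder, id, ref) for each construction <attribute> whose <ref>
    names a shadow property under activation/ rather than a resource attribute."""
    findings = []
    for holder in ET.fromstring(xml_text).iter():
        if local(holder.tag) not in ("inducement", "assignment"):
            continue
        for attr in (e for e in holder.iter() if local(e.tag) == "attribute"):
            for child in attr:
                ref = (child.text or "").strip()
                first = ref.split("/")[0].split(":")[-1]  # drop any 'c:' prefix
                if local(child.tag) == "ref" and first == "activation":
                    findings.append((local(holder.tag), holder.get("id"), ref))
    return findings

if __name__ == "__main__":
    for kind, item_id, ref in find_activation_attribute_refs(SAMPLE_ORG):
        print(f"{kind} id={item_id}: '{ref}' is a shadow property; "
              "map it in the resource's <activation> schema handling")
```
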