[midPoint] Help on disabling Active Directory account
Pavol Mederly
mederly at evolveum.com
Tue Oct 13 09:35:08 CEST 2015
Hello Fabio,
I have to correct myself with a clear head in the morning.
<c:path> assignment </c:path> is wrong, as the default input for
activation mappings is not the focal object (as it is for standard
attribute mappings).
So the working solution is:
<outbound>
    <strength>strong</strength>
    <source>
        <c:path>$user/assignment</c:path>
    </source>
    <expression>
        <value>enabled</value>
    </expression>
    <condition>
        <script>
            <relativityMode>absolute</relativityMode>
            <code>
                !midpoint.isDirectlyAssigned(user, 'a4ce0d72-ebf5-4214-9d76-65f1a98a6ea3')
            </code>
        </script>
    </condition>
</outbound>
<outbound>
    <strength>strong</strength>
    <source>
        <c:path>$user/assignment</c:path>
    </source>
    <expression>
        <value>disabled</value>
    </expression>
    <condition>
        <script>
            <relativityMode>absolute</relativityMode>
            <code>
                midpoint.isDirectlyAssigned(user, 'a4ce0d72-ebf5-4214-9d76-65f1a98a6ea3')
            </code>
        </script>
    </condition>
</outbound>
At least this works for me in 3.3-snapshot. Note the change from
"assignment" to "$user/assignment" and added
"<relativityMode>absolute</relativityMode>" to work around a subtle
problem in providing assignment values to the expression.
Best regards,
Pavol
> Hello Fabio,
>
> the problem with your code is that activation/administrativeStatus is not
> a real attribute. It is a property of the shadow, not an attribute of
> the resource object.
>
> I would solve your problem by setting administrativeStatus in the
> <activation> part of the AD resource schema handling - not in the Org
> inducement.
>
> The code could look like this - well, it's just one of the possibilities:
>
> <activation>
>     <administrativeStatus>
>         <outbound>
>             <strength>strong</strength>
>             <source>
>                 <c:path>assignment</c:path>
>             </source>
>             <expression>
>                 <value>enabled</value>
>             </expression>
>             <condition>
>                 <script>
>                     <code>
>                         !midpoint.isDirectlyAssigned(user, 'a4ce0d72-ebf5-4214-9d76-65f1a98a6ea3')
>                     </code>
>                 </script>
>             </condition>
>         </outbound>
>         <outbound>
>             <strength>strong</strength>
>             <source>
>                 <c:path>assignment</c:path>
>             </source>
>             <expression>
>                 <value>disabled</value>
>             </expression>
>             <condition>
>                 <script>
>                     <code>
>                         midpoint.isDirectlyAssigned(user, 'a4ce0d72-ebf5-4214-9d76-65f1a98a6ea3')
>                     </code>
>                 </script>
>             </condition>
>         </outbound>
>     </administrativeStatus>
> </activation>
>
> In 3.3-snapshot this does not work because of a bug
> <https://jira.evolveum.com/browse/MID-2618>, but in 3.2 it could work
> (please try).
>
> Best regards,
> Pavol
>
>
> On 12. 10. 2015 18:59, Fabio Contessi wrote:
>> Hi,
>>
>> I’m using midPoint 3.2 and I have an Active Directory as target
>> resource. I need to disable an Active Directory account when the user
>> linked to the account is assigned to a particular midPoint
>> Organizational Unit.
>>
>> In the inducement section of the OU I have this code snippet:
>>
>> <inducement id="1">
>>     <construction>
>>         <resourceRef oid="Resource-ActiveDirectory" type="c:ResourceType"></resourceRef>
>>         <kind>account</kind>
>>         <attribute>
>>             <c:ref>activation/administrativeStatus</c:ref>
>>             <outbound>
>>                 <expression>
>>                     <value>disabled</value>
>>                 </expression>
>>             </outbound>
>>         </attribute>
>>     </construction>
>> </inducement>
>>
>> When I assign a midPoint user to the Organizational Unit, I receive
>> an error and the operation fails.
>>
>> What am I doing wrong? What is the correct way to do that?
>>
>> Thanks in advance for the help.
>>
>> Regards.
>>
>> Fabio
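
An added example, not part of the original thread and not midPoint code: a small Python check that scans a resource's activation mappings for the two things the correction above changed, the bare "assignment" source path and a script condition without relativityMode absolute. The rules encode only what this message reports for 3.3-snapshot; the function names, the sample XML and the OID placeholder are constructed for illustration.

```python
import xml.etree.ElementTree as ET

C_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
# Constructed sample: mapping 0 has the earlier form, mapping 1 the corrected one.
SAMPLE = f"""<activation xmlns="{C_NS}" xmlns:c="{C_NS}">
  <administrativeStatus>
    <outbound>
      <source><c:path>assignment</c:path></source>
      <expression><value>enabled</value></expression>
      <condition><script><code>!midpoint.isDirectlyAssigned(user, 'ORG-OID-PLACEHOLDER')</code></script></condition>
    </outbound>
    <outbound>
      <source><c:path>$user/assignment</c:path></source>
      <expression><value>disabled</value></expression>
      <condition><script>
        <relativityMode>absolute</relativityMode>
        <code>midpoint.isDirectlyAssigned(user, 'ORG-OID-PLACEHOLDER')</code>
      </script></condition>
    </outbound>
  </administrativeStatus>
</activation>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix

def find(elem, *names):
    # Walk down child elements by local name; None if any step is missing.
    for name in names:
        elem = next((c for c in elem if local(c.tag) == name), None)
        if elem is None:
            break
    return elem

def text_of(elem):
    return (elem.text or "").strip() if elem is not None else None

def lint_activation(xml_text):
    """Return (mapping index, message) pairs; the rules are assumptions from this thread."""
    root = ET.fromstring(xml_text)
    outbounds = [ob for act in root.iter() if local(act.tag) == "activation"
                 for ob in act.iter() if local(ob.tag) == "outbound"]
    findings = []
    for i, ob in enumerate(outbounds):
        if text_of(find(ob, "source", "path")) == "assignment":
            findings.append((i, "source path should be $user/assignment"))
        script = find(ob, "condition", "script")
        if script is not None and text_of(find(script, "relativityMode")) != "absolute":
            findings.append((i, "condition script lacks relativityMode absolute"))
    return findings
```

Calling lint_activation(SAMPLE) reports both findings for mapping 0 and none for mapping 1.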