[midPoint] Help on disabling Active Directory account

Fabio Contessi f.contessi at nsr.it
Tue Oct 13 10:00:36 CEST 2015


Hi Pavol,

I’ve applied your suggestions and it works!

Thanks a lot.

  Fabio

> On 13 Oct 2015, at 09:35, Pavol Mederly <mederly at evolveum.com> wrote:
> 
> Hello Fabio,
> 
> I have to correct myself with a clear head in the morning.
> 
> <c:path> assignment </c:path> is wrong, as the default input for activation mappings is not the focal object (as it is for standard attribute mappings).
> 
> So the working solution is:
> 
>                <outbound>
>                   <strength>strong</strength>
>                   <source>
>                      <c:path>$user/assignment</c:path>
>                   </source>
>                   <expression>
>                      <value>enabled</value>
>                   </expression>
>                   <condition>
>                      <script>
>                         <relativityMode>absolute</relativityMode>
>                         <code>
>                            !midpoint.isDirectlyAssigned(user, 'a4ce0d72-ebf5-4214-9d76-65f1a98a6ea3')
>                         </code>
>                      </script>
>                   </condition>
>                </outbound>
>                <outbound>
>                   <strength>strong</strength>
>                   <source>
>                      <c:path>$user/assignment</c:path>
>                   </source>
>                   <expression>
>                      <value>disabled</value>
>                   </expression>
>                   <condition>
>                      <script>
>                         <relativityMode>absolute</relativityMode>
>                         <code>
>                            midpoint.isDirectlyAssigned(user, 'a4ce0d72-ebf5-4214-9d76-65f1a98a6ea3')
>                         </code>
>                      </script>
>                   </condition>
>                </outbound>
> 
> At least this works for me in 3.3-snapshot. Note the change from "assignment" to "$user/assignment" and the added "<relativityMode>absolute</relativityMode>", which works around a subtle problem in providing assignment values to the expression.
> 
> Best regards,
> Pavol
> 
>> Hello Fabio,
>> 
>> The problem with your code is that activation/administrativeStatus is not a real attribute. It is a property of the shadow, not an attribute of the resource object.
>> 
>> I would solve your problem by setting administrativeStatus in the <activation> part of the AD resource schema handling - not in the Org inducement.
>> 
>> The code could look like this - well, it's just one of the possibilities:
>> 
>>          <activation>
>>             <administrativeStatus>
>>                <outbound>
>>                   <strength>strong</strength>
>>                   <source>
>>                      <c:path>assignment</c:path>
>>                   </source>
>>                   <expression>
>>                      <value>enabled</value>
>>                   </expression>
>>                   <condition>
>>                      <script>
>>                         <code>
>>                            !midpoint.isDirectlyAssigned(user, 'a4ce0d72-ebf5-4214-9d76-65f1a98a6ea3')
>>                         </code>
>>                      </script>
>>                   </condition>
>>                </outbound>
>>                <outbound>
>>                   <strength>strong</strength>
>>                   <source>
>>                      <c:path>assignment</c:path>
>>                   </source>
>>                   <expression>
>>                      <value>disabled</value>
>>                   </expression>
>>                   <condition>
>>                      <script>
>>                         <code>
>>                            midpoint.isDirectlyAssigned(user, 'a4ce0d72-ebf5-4214-9d76-65f1a98a6ea3')
>>                         </code>
>>                      </script>
>>                   </condition>
>>                </outbound>
>>             </administrativeStatus>
>>          </activation>
>> 
>> In 3.3-snapshot this does not work because of a bug <https://jira.evolveum.com/browse/MID-2618>, but in 3.2 it could work (please try).
>> 
>> Best regards,
>> Pavol
>> 
>> 
>> On 12. 10. 2015 18:59, Fabio Contessi wrote:
>>> Hi,
>>> 
>>> I’m using midPoint 3.2 and I have an Active Directory as target resource. I need to disable an Active Directory account when the user linked to the account is assigned to a particular midPoint Organizational Unit.
>>> 
>>> In the inducement section of the OU I have this code snippet:
>>> 
>>> <inducement id="1">
>>>    <construction>
>>>       <resourceRef oid="Resource-ActiveDirectory" type="c:ResourceType"></resourceRef>
>>>       <kind>account</kind>
>>>       <attribute>
>>>          <c:ref>activation/administrativeStatus</c:ref>
>>>          <outbound>
>>>             <expression>
>>>                <value>disabled</value>
>>>             </expression>
>>>          </outbound>
>>>       </attribute>
>>>    </construction>
>>> </inducement>
>>> 
>>> When I assign a midPoint user to the Organizational Unit, I receive an error and the operation fails.
>>> 
>>> What am I doing wrong? What is the correct way to do that?
>>> 
>>> Thanks in advance for the help.
>>> 
>>> Regards.
>>> 
>>>   Fabio
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> 
> 

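As an added example (not code from this thread and not the midPoint project's own sample), the fragment below shows where Pavol's working activation mappings sit inside a resource's schemaHandling, alongside a normal attribute mapping, so the difference between a resource attribute (under <attribute>) and the shadow's administrativeStatus (under <activation>) is visible in one place. The resource name, the `default` intent, the `ri:AccountObjectClass` object class, the `ri:sAMAccountName` attribute and the `$user/name` mapping are assumptions for illustration; the resource OID is the placeholder Fabio used in his inducement, and the org OID is the one from Pavol's reply.

```xml
<!-- Added example; not from the thread or from the midPoint project.
     Object class, attribute name and intent are assumed for illustration. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          oid="Resource-ActiveDirectory">
    <name>Active Directory</name>
    <!-- connectorRef, connectorConfiguration and <schema> omitted -->
    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <default>true</default>
            <objectClass>ri:AccountObjectClass</objectClass>

            <!-- Real resource attributes are mapped under <attribute>. -->
            <attribute>
                <c:ref>ri:sAMAccountName</c:ref>
                <outbound>
                    <source>
                        <c:path>$user/name</c:path>
                    </source>
                </outbound>
            </attribute>

            <!-- administrativeStatus is a shadow property, not an attribute,
                 so it is mapped here as a sibling of <attribute>, never via
                 <attribute><c:ref>activation/administrativeStatus</c:ref>. -->
            <activation>
                <administrativeStatus>
                    <!-- Enabled unless the "disable" org is directly assigned. -->
                    <outbound>
                        <strength>strong</strength>
                        <source>
                            <c:path>$user/assignment</c:path>
                        </source>
                        <expression>
                            <value>enabled</value>
                        </expression>
                        <condition>
                            <script>
                                <relativityMode>absolute</relativityMode>
                                <code>
                                    !midpoint.isDirectlyAssigned(user, 'a4ce0d72-ebf5-4214-9d76-65f1a98a6ea3')
                                </code>
                            </script>
                        </condition>
                    </outbound>
                    <!-- Disabled while the org is directly assigned. -->
                    <outbound>
                        <strength>strong</strength>
                        <source>
                            <c:path>$user/assignment</c:path>
                        </source>
                        <expression>
                            <value>disabled</value>
                        </expression>
                        <condition>
                            <script>
                                <relativityMode>absolute</relativityMode>
                                <code>
                                    midpoint.isDirectlyAssigned(user, 'a4ce0d72-ebf5-4214-9d76-65f1a98a6ea3')
                                </code>
                            </script>
                        </condition>
                    </outbound>
                </administrativeStatus>
            </activation>
        </objectType>
    </schemaHandling>
</resource>
```

The two conditions are complementary, so on every recompute exactly one strong mapping yields a value and the account's status is always set explicitly rather than left to whatever it was before. Both mappings take `$user/assignment` as a source so that adding or removing the org assignment triggers re-evaluation; `isDirectlyAssigned` only matches an assignment whose target is that OID on the user itself, so membership that arrives through some other path to that org will not disable the account with this condition.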