[midPoint] AD password question
Roman Pudil - AMI Praha a.s.
roman.pudil at ami.cz
Wed Aug 31 11:22:01 CEST 2016
Hi Aivo,
I have this solution - try:
- Remove "outbound" element from credentials
- create "after-add" action
After-Add action calls dsmod on the command line of the AD server:

<scripts>
  <script>
    <host>resource</host>
    <language>Shell</language>
    <!-- %userDN%: DN of the new account, or an empty string when the
         extension properties that drive it are not set.
         Groovy's && has to be written as &amp;&amp; inside XML text content. -->
    <argument>
      <script>
        <code>
          currDN = '';
          currADDispName = basic.stringify(basic.getExtensionPropertyValues(user,
              'http://ami.cz/xml/ns/userExtension', 'currentADDisplayName'));
          currADOrgUnit = basic.stringify(basic.getExtensionPropertyValues(user,
              'http://ami.cz/xml/ns/userExtension', 'currentADOrgUnit'));
          if (currADDispName != '' &amp;&amp; currADOrgUnit != '') {
            // Plain concatenation: a display name containing ',' or another
            // RFC 4514 special character would need escaping first.
            currDN = 'CN=' + currADDispName + ',' + currADOrgUnit + ',' +
                basic.getResourceIcfConfigurationPropertyValue(resource, 'Container');
            log.info('AD: Create NEW user {}', currDN);
          }
          return currDN;
        </code>
      </script>
      <name>userDN</name>
    </argument>
    <!-- %initPwd%: the user's midPoint password, decrypted -->
    <argument>
      <script>
        <code>
          // Debugging aid only: this writes the cleartext password into the midPoint log.
          log.info('Init Pwd of user {} = {}', user.getName(),
              basic.decrypt(basic.getPropertyValue(user, 'credentials/password/value')));
          return basic.decrypt(basic.getPropertyValue(user, 'credentials/password/value'));
        </code>
      </script>
      <name>initPwd</name>
    </argument>
    <!-- cmd.exe batch executed on the AD server after the account has been created.
         The password travels on the command line, so it is visible in process
         listings and command-line auditing on that host, and a password containing
         cmd.exe metacharacters (", %, &) will break the quoting below. -->
    <code>
      IF "%userDN%" NEQ "" dsmod user "%userDN%" -disabled yes -pwd "%initPwd%" -mustchpwd yes
      exit
    </code>
    <operation>add</operation>
    <order>after</order>
  </script>
</scripts>
Regards
Roman Pudil
On Wed 31 Aug 2016 at 10:53, Aivo Kuhlberg <aivo.kuhlberg at rmit.ee>
wrote:
> Hi,
> I am using midPoint 3.4 with .NET AD connector and here are my current
> schemaHandling password settings for AD connector:
>
>
> <credentials>
> <password>
> <outbound/>
> </password>
> </credentials>
>
>
> This setting means that the AD user password changes every time it is
> changed in midPoint.
> I do not want to manage AD users' passwords with midPoint at the moment, but
> I still want to set the AD user password when midPoint creates a
> new AD account. In all other sync situations the AD password should not be
> changed. How should I implement that?
>
> Thanks,
> Aivo Kuhlberg
>
> ------------------------------
> This e-mail may contain information which is classified for official use.
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
--
Roman Pudil
solution architect
gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz
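The after-add script above builds the new account's DN by plain string concatenation of the display name, the OU and the container, and hands that DN to dsmod. As an added example that is not part of the original post and not midPoint's or the .NET connector's own code, here is the same construction in Python with RFC 4514 escaping of the CN value, so that a display name containing a comma (a "Surname, Firstname" display name, for instance) or a leading "#" does not shift the RDN boundaries of the DN. It goes slightly beyond the post in that it covers all the RFC 4514 special characters, not just the comma. The function names and the sample values are ours; the org unit and container are assumed to be already-valid DN fragments, as they are in the post.

```python
# Added example, not code from the mailing-list post: build the DN that the
# post's after-add script concatenates, but escape the CN value per RFC 4514
# section 2.4 so that punctuation in the display name cannot alter the DN.


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514, section 2.4).

    Rules: ',', '+', '"', '\\', '<', '>', ';' are backslash-escaped anywhere;
    '#' is escaped when leading; a space is escaped when leading or trailing;
    NUL becomes '\\00'.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(display_name: str, org_unit: str, container: str) -> str:
    """Mirror of the post's userDN argument.

    Returns '' unless both extension properties are present, otherwise
    CN=<display name>,<org unit>,<container>. org_unit and container are
    assumed to be valid DN fragments already (e.g. 'OU=Users' and
    'DC=example,DC=com'), so only the CN value is escaped.
    """
    if not display_name or not org_unit:
        return ""
    return "CN=" + escape_rdn_value(display_name) + "," + org_unit + "," + container


if __name__ == "__main__":
    # Constructed sample values (hypothetical domain).
    print(build_user_dn("Novák, Jan", "OU=Users", "DC=example,DC=com"))
    print(repr(build_user_dn("", "OU=Users", "DC=example,DC=com")))
```

With the unescaped concatenation of the post, the first sample would produce `CN=Novák, Jan,OU=Users,DC=example,DC=com`, which AD parses as an RDN `CN=Novák` followed by an invalid RDN ` Jan`; with escaping it is `CN=Novák\, Jan,OU=Users,DC=example,DC=com`, which dsmod accepts. Escaping the CN value does nothing for the other hazard in the post's batch line, a password containing cmd.exe metacharacters, which has to be handled on the Windows side.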