[midPoint] link account in AD
Gruber, Michael
MICHAEL.GRUBER at wwk.de
Wed Jun 1 14:32:08 CEST 2016
Hi,
Since it looks like a one-time job to link the Active Directory users to midPoint, you can try to do it in two steps:
1) Linking
Remove all outbounds from the resource.
Create and run a recon against Active Directory (kind: account / objectclass: user / intent: as defined in the resource).
As a result the midPoint users should have the projection link to the existing Active Directory account (assuming sync/correlation is defined properly).
2) Add the outbound mappings to the resource and reconcile the midPoint users.
The account in Active Directory should be moved as defined.
For getting attributes you may also use
tmpDn = basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'distinguishedName')
but maybe the value was null because the account was not yet known/linked.
Regards, Michael
-----Original Message-----
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On behalf of Steklac Michal
Sent: Wednesday, 1 June 2016 12:59
To: midPoint General Discussion
Subject: Re: [midPoint] link account in AD
Hi,
When I set secondaryIdentifier
...
<attribute>
    <ref>ri:sAMAccountName</ref>
    <secondaryIdentifier>true</secondaryIdentifier>
    <displayName>Login name</displayName>
    <description></description>
    <outbound>
        <strength>strong</strength>
        <source>
            <path>$user/name</path>
        </source>
    </outbound>
</attribute>
...
I still receive the error ObjectAlreadyExists. The log is in the attachment.
Synchronization of the dn attribute:
...
<attribute>
    <ref>ri:dn</ref>
    <displayName>Distinguished Name</displayName>
    <description></description>
    <limitations>
        <minOccurs>0</minOccurs>
        <access>
            <read>true</read>
            <add>true</add>
            <modify>true</modify>
        </access>
    </limitations>
    <!--matchingRule>mr:stringIgnoreCase</matchingRule -->
    <inbound>
        <target>
            <path>$user/extension/ADDN</path>
        </target>
    </inbound>
    <outbound>
        <strength>strong</strength>
        <source>
            <path>$user/givenName</path>
        </source>
        <source>
            <path>$user/familyName</path>
        </source>
        <source>
            <path>$user/extension/ext:orgpath</path>
        </source>
        <source>
            <path>$user/activation/administrativeStatus</path>
        </source>
        <source>
            <path>$account/attributes/distinguishedName</path>
        </source>
        <expression>
            <script>
                <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
                <code>
                    import javax.naming.ldap.Rdn
                    import javax.naming.ldap.LdapName
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType

                    log.info('distinguishedName=' + distinguishedName)
                    // start from the base DN and add one OU per orgpath segment
                    def dn = new LdapName('DC=pokus,DC=sk')
                    if (orgpath) {
                        orgpath.tokenize('/').reverse().each { ouname -> dn.add(new Rdn('ou', ouname)) }
                    }
                    // leaf RDN: "familyName givenName"
                    dn.add(new Rdn('cn', familyName.toString() + ' ' + givenName.toString()))
                    return dn.toString()
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
...
Thanks & regards
MiSo
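Added example, not code from the thread and not midPoint's own code: a stand-alone Groovy script that builds the AD DN the way the posted mapping does (javax.naming.ldap LdapName/Rdn under the base DN DC=pokus,DC=sk taken from the posted script) and adds the handling a production mapping wants: an empty orgpath, missing name parts, name values that contain DN metacharacters, and a null distinguishedName for an account that is not linked yet. The helper names buildDn and wouldMove and the sample users are mine. I assume orgpath lists the org units from the top level down ('AAA/BBB' for ou=BBB,ou=AAA), so segments are added in order rather than reversed as in the posted script; flip that if the extension stores the path leaf first.

```groovy
// Added example (not from the thread and not midPoint's own code).
// Builds the AD DN from the same inputs as the posted outbound mapping and
// reports whether applying it would move the account.  Run: groovy BuildDn.groovy
import groovy.transform.Field
import javax.naming.ldap.LdapName
import javax.naming.ldap.Rdn

// Base DN taken from the posted script.
@Field final String BASE_DN = 'DC=pokus,DC=sk'

/**
 * Mirrors the mapping's sources: givenName, familyName and orgpath.
 * Assumption: orgpath lists the org units top level first ('AAA/BBB'
 * means ou=BBB under ou=AAA), so the segments are added in order.
 * Returns the target DN, or null when no CN can be built.
 */
String buildDn(String givenName, String familyName, String orgpath) {
    def dn = new LdapName(BASE_DN)
    // Rdn escapes ',', '+', '"', '\\', '<', '>', ';', '=', a leading '#'
    // and leading/trailing spaces, so a value such as 'Janko,OU=Admins'
    // cannot smuggle in an extra RDN the way string concatenation would.
    if (orgpath) {
        orgpath.tokenize('/').each { ou -> dn.add(new Rdn('OU', ou)) }
    }
    def parts = [familyName, givenName].collect { it?.trim() }.findAll { it }
    if (parts.isEmpty()) {
        return null   // nothing to put in CN; let the mapping produce no value
    }
    dn.add(new Rdn('CN', parts.join(' ')))
    return dn.toString()
}

/**
 * currentDn stands for $account/attributes/distinguishedName: null while
 * the account is not yet linked, so there is nothing to move.  LdapName
 * equality ignores case and escaping differences, so 'cn=x,dc=a' equals
 * 'CN=x,DC=a' and a pure case change is not reported as a move.
 */
boolean wouldMove(String currentDn, String targetDn) {
    if (currentDn == null || targetDn == null) {
        return false
    }
    return !new LdapName(currentDn).equals(new LdapName(targetDn))
}

// Constructed sample inputs, not real directory data.
def samples = [
    [given: 'Janko', family: 'Hrasko', orgpath: 'AAA/BBB',
     current: 'CN=Hrasko Janko,OU=BBB,OU=AAA,DC=pokus,DC=sk'],   // already in place
    [given: 'Janko', family: 'Hrasko', orgpath: 'AAA',
     current: 'CN=Hrasko Janko,OU=BBB,OU=AAA,DC=pokus,DC=sk'],   // would be moved up
    [given: 'Janko,OU=Admins', family: 'Hrasko', orgpath: 'AAA', current: null],  // escaped
    [given: null, family: '  ', orgpath: 'AAA', current: null],                  // no CN
]

samples.each { s ->
    def target = buildDn(s.given, s.family, s.orgpath)
    println "target=${target} move=${wouldMove(s.current, target)}"
}
```

The reason to build the DN with Rdn rather than string concatenation is that a givenName such as Janko,OU=Admins is emitted as Janko\,OU\=Admins instead of becoming an extra RDN that relocates the account. Comparing with LdapName.equals rather than string equality ignores case and escaping differences, which is what the commented-out mr:stringIgnoreCase matching rule would do on the attribute side.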
________________________________________
From: midPoint [midpoint-bounces at lists.evolveum.com] on behalf of Ivan Noris [ivan.noris at evolveum.com]
Sent: 31 May 2016 18:36
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] link account in AD
Hi,
I remember using something like:
<attribute>
<ref>ri:sAMAccountName</ref>
<secondaryIdentifier>true</secondaryIdentifier>
...
</attribute>
to trigger automatic AlreadyExistsException to run discovery,
correlation and link the existing account using correlation expressions.
But I have not tried it recently and not with AdLdap connector at all.
Can you paste XML code how you try to process
$account/attributes/distinguishedName attribute (where you get null)?
Ivan
On 05/31/2016 04:52 PM, Michal Štekláč wrote:
> Hi,
>
> I use ICF com.evolveum.polygon.connector.ldap.ad.AdLdapConnector
> v1.4.2.14 and I want to synchronize users to AD and insert them into an
> organization unit. Users are in a hierarchical structure in AD.
> Example:
> CN=Hrasko Janko,ou=BBB,ou=AAA,dc=example,dc=com
> Users exist in AD before the synchronization starts.
>
> When I synchronize a user from midPoint who is in OrgUnit AAA, I get
> the exception "object already exists" in AD.
> In AD the user is CN=Hrasko Janko,ou=BBB,ou=AAA,dc=example,dc=com and
> synchronization tries to create CN=Hrasko Janko,ou=AAA,dc=example,dc=com.
> The correlation attribute is sAMAccountName, which is the same and has the value
> jhrasko.
>
> 1) Can I link a user who is in midPoint with a user who exists in AD and
> change the DN of the user in AD? I don't want to create a new user in AD.
> 2) Can I get the DN of a user in AD? In the old .NET AD connector I got the DN with
> $account/attributes/distinguishedName. I get null in the new AD connector.
>
> Thanks & regards
> MiSo
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."