[midPoint] Active Directory userAccountControl modification problem

Jason Everling jeverling at bshp.edu
Wed Mar 23 14:53:36 CET 2016


I am also interested in what you are experiencing. Ours seems to be working
as expected; I checked multiple accounts in AD that were disabled in
midPoint and they are correct with 0x202 (Disabled, Normal Account).
Although I have been using the below, I am not sure how different that is
from Ivan's:

         <activation>
            <administrativeStatus>
               <outbound>
                  <expression>
                     <asIs/>
                  </expression>
               </outbound>
               <inbound>
                  <expression>
                     <asIs/>
                  </expression>
               </inbound>
            </administrativeStatus>
         </activation>

JASON

On Wed, Mar 23, 2016 at 8:50 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

> Hi Patrick,
>
> are you using the mapping like this?
>
>          <activation>
>             <administrativeStatus>
>                <outbound/>
>             </administrativeStatus>
>          </activation>
>
> This is everything you need to map midPoint's administrativeStatus
> attribute from User to AD account flag "disabled".
>
> Ivan
>
>
> On 03/23/2016 02:43 PM, Schlehuber, Patrick wrote:
>
> I am wanting to manage the ACCOUNTDISABLE flag, 0x0002. This does not
> work as I expect when I utilize the activation/administrativeStatus.
>
>
>
> Pat
>
>
>
> *From:* Jason Everling [mailto:jeverling at bshp.edu]
> *Sent:* Tuesday, March 22, 2016 4:13 PM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] Active Directory userAccountControl
> modification problem
>
>
>
> I
>
>
> JASON
>
>
>
> On Tue, Mar 22, 2016 at 4:08 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
> Hi Patrick,
>
> what are you trying to achieve?
> Active Directory connector allows you to interact with userAccountControl
> by using the following "virtual" attributes:
> - passwordExpired (icfs:passwordExpired)
> - PasswordNeverExpires (ri:PasswordNeverExpires)
>
> and of course the activation/administrativeStatus
>
> If you need to update the other bits of userAccountControl, I'm not sure
> AD connector is capable of doing this.
>
> I have never tried/needed to directly modify userAccountControl yet.
>
> Regards,
> Ivan
>
>
>
> On 03/22/2016 08:11 PM, Schlehuber, Patrick wrote:
>
> I am wanting to modify the userAccountControl attribute on an account
> that is visible by my AD resource. I have extended the AD schema and
> added the attribute; I do see this attribute populated correctly when I
> view an AD account. When I try to change this attribute I receive the
> following error:
>
> I have tried changing the Resource definition to make this attribute
> string, int, long, base64Binary, all with the same result. What am I missing
> to make this attribute modifiable within midPoint?
>
>
>
>
>
> ConnectorServer.exe Error: 0 : Exception :
> Type: System.InvalidCastException
> Message: Specified cast is not valid.
> Source: FrameworkInternal
> Stacktrace:
>    at Org.IdentityConnectors.ActiveDirectory.CustomAttributeHandlers.UpdateDeFromCa_PasswordNeverExpires(ObjectClass oclass, UpdateType type, DirectoryEntry directoryEntry, ConnectorAttribute attribute)
>       in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\CustomAttributeHandlers.cs:line 667
>    at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.UpdateADObject(ObjectClass oclass, DirectoryEntry directoryEntry, ICollection`1 attributes, UpdateType type, ActiveDirectoryConfiguration config)
>       in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 258
>    at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Update(UpdateType type, ObjectClass oclass, ICollection`1 attributes, OperationOptions options)
>       in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 1091
>    at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.UpdateImpl.AddAttributeValues(ObjectClass objectClass, Uid uid, ICollection`1 valuesToAdd, OperationOptions options)
>       in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1712
>    at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args)
>       in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 247
>    at ___proxy1.AddAttributeValues(ObjectClass , Uid , ICollection`1 , OperationOptions )
>    at Org.IdentityConnectors.Framework.Impl.Api.DelegatingTimeoutProxy.Invoke(Object proxy, MethodInfo method, Object[] args)
>       in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Api.cs:line 1344
>    at ___proxy1.AddAttributeValues(ObjectClass , Uid , ICollection`1 , OperationOptions )
>    at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request)
>       in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Server.cs:line 626
>
>
>
> Thank you,
>
> Pat
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer & IDM Architect
>   evolveum.com                     evolveum.com/blog/
>   ___________________________________________________
>   "Semper ID(e)M Vix."
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and confidential;
> intended for only the recipient(s) named above and may contain information
> that is privileged. You should not retain, copy or use this e-mail or any
> attachments for any purpose, or disclose all or any part of the contents to
> any person. Any views or opinions expressed in this e-mail are those of the
> author and do not represent those of the Baptist School of Health
> Professions. If you have received this e-mail in error, or are not the
> named recipient(s), you are hereby notified that any review, dissemination,
> distribution or copying of this communication is prohibited by the sender
> and to do so might constitute a violation of the Electronic Communications
> Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> sender and delete this e-mail and any attachments from your computer.
>
>
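
An added example, not part of this thread and not midPoint or connector code: a Python check that decodes userAccountControl values such as the 0x202 mentioned above and reports accounts whose AD ACCOUNTDISABLE bit (0x0002) disagrees with the midPoint administrativeStatus. The flag values are Microsoft's documented constants; the record layout, the status strings "enabled"/"disabled" and the sample accounts are assumptions constructed for illustration.

```python
# Added illustration; record layout and sample data are constructed.
UAC_FLAGS = {                      # subset of documented userAccountControl bits
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002
KNOWN_MASK = sum(UAC_FLAGS)        # bits are distinct, so sum equals OR


def decode_uac(value):
    """Return (names of known flags set, leftover bits not in UAC_FLAGS)."""
    names = [name for bit, name in UAC_FLAGS.items() if value & bit]
    return names, value & ~KNOWN_MASK


def set_disabled(value, disabled):
    """Flip only ACCOUNTDISABLE; every other bit is preserved."""
    return value | ACCOUNTDISABLE if disabled else value & ~ACCOUNTDISABLE


def find_drift(records):
    """List accounts whose AD disabled bit disagrees with the IDM status.

    Each record is (name, administrativeStatus, raw userAccountControl).
    The raw value may be an int or a decimal/hex string, since directory
    exports often carry it as text.
    """
    drift = []
    for name, status, raw in records:
        value = int(raw, 0) if isinstance(raw, str) else int(raw)
        want_disabled = status == "disabled"   # assumed status strings
        if bool(value & ACCOUNTDISABLE) != want_disabled:
            fixed = set_disabled(value, want_disabled)
            drift.append((name, status, hex(value), hex(fixed)))
    return drift


SAMPLE = [                              # constructed sample accounts
    ("alice", "disabled", 0x202),       # disabled normal account, consistent
    ("bob", "disabled", "512"),         # AD still enabled
    ("carol", "enabled", "0x10200"),    # enabled, password never expires
    ("dave", "enabled", 66050),         # 0x10202: AD disabled
]

if __name__ == "__main__":
    for row in find_drift(SAMPLE):
        print(row)
```

The fourth tuple element is the value the account would have if only the disabled bit were corrected, which makes it easy to confirm that a fix leaves flags such as DONT_EXPIRE_PASSWORD untouched.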
