[midPoint] Active Directory userAccountControl modification problem
Ivan Noris
ivan.noris at evolveum.com
Wed Mar 23 15:10:40 CET 2016
Strange indeed. I can find this in my older setups... but maybe there
was something fixed meanwhile. Anyway I'm using
<activation>
    <administrativeStatus>
        <outbound/>
    </administrativeStatus>
</activation>
in multiple resources and it seems to work as it should.
Best regards,
Ivan
On 03/23/2016 03:00 PM, Jason Everling wrote:
> Oh Ok thanks for the explanation, but I think a year or so ago when I
> first started setting up midpoint with AD I could not get it working
> properly using just what you posted so that is why I have ours that
> way, maybe it was a bug in the earlier versions of midpoint. And yeah,
> a little over a year ago and it was 3.0/3.1 and now you are at 3.3
> with 3.4 on the horizon.
>
> JASON
>
> On Wed, Mar 23, 2016 at 8:56 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
> Hi Jason,
>
> <expression><asIs/></expression> is the "copy value" expression.
> Empty <outbound> or <inbound> is the same.
>
> Regards,
> Ivan
>
>
> On 03/23/2016 02:53 PM, Jason Everling wrote:
>> I am interested in what you are experiencing also. Ours seems to
>> be working as expected, I checked multiple accounts in AD that
>> were disabled in midpoint and they are correct with 0x202
>> (Disabled, Normal Account). Although I have been using the below
>> but not sure how different that is from Ivan's,
>>
>> <activation>
>>     <administrativeStatus>
>>         <outbound>
>>             <expression>
>>                 <asIs/>
>>             </expression>
>>         </outbound>
>>         <inbound>
>>             <expression>
>>                 <asIs/>
>>             </expression>
>>         </inbound>
>>     </administrativeStatus>
>> </activation>
>>
>> JASON
>>
>> On Wed, Mar 23, 2016 at 8:50 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>>
>> Hi Patrick,
>>
>> are you using the mapping like this?
>>
>> <activation>
>>     <administrativeStatus>
>>         <outbound/>
>>     </administrativeStatus>
>> </activation>
>>
>> This is everything you need to map midPoint's
>> administrativeStatus attribute from User to AD account flag
>> "disabled".
>>
>> Ivan
>>
>>
>> On 03/23/2016 02:43 PM, Schlehuber, Patrick wrote:
>>>
>>> I am wanting to manage the ACCOUNTDISABLE flag, 0x0002.
>>> This does not work as I expect when I utilize the
>>> activation/administrativeStatus.
>>>
>>>
>>>
>>> Pat
>>>
>>>
>>>
>>> *From:*Jason Everling [mailto:jeverling at bshp.edu]
>>> *Sent:* Tuesday, March 22, 2016 4:13 PM
>>> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>>> *Subject:* Re: [midPoint] Active Directory
>>> userAccountControl modification problem
>>>
>>>
>>>
>>> I
>>>
>>>
>>> JASON
>>>
>>>
>>>
>>> On Tue, Mar 22, 2016 at 4:08 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>>>
>>> Hi Patrick,
>>>
>>> what are you trying to achieve?
>>> Active Directory connector allows you to interact with
>>> userAccountControl by using the following "virtual"
>>> attributes:
>>> - passwordExpired (icfs:passwordExpired)
>>> - PasswordNeverExpires (ri:PasswordNeverExpires)
>>>
>>> and of course the activation/administrativeStatus
>>>
>>> If you need to update the other bits of
>>> userAccountControl, I'm not sure AD connector is capable
>>> of doing this.
>>>
>>> I have never tried/needed to directly modify
>>> userAccountControl yet.
>>>
>>> Regards,
>>> Ivan
>>>
>>>
>>>
>>> On 03/22/2016 08:11 PM, Schlehuber, Patrick wrote:
>>>
>>> I am wanting to modify the userAccountControl
>>> attribute on an account that is visible by my AD
>>> resource. I have extended the AD schema and added
>>> the attribute; I do see this attribute populated
>>> correctly when I view an AD account. When I try to
>>> change this attribute I receive the following error:
>>>
>>> I have tried changing the Resource definition to
>>> make this attribute string, int, long, base64Binary,
>>> all with the same result. What am I missing to make
>>> this attribute modifiable within midPoint?
>>>
>>>
>>>
>>>
>>>
>>> ConnectorServer.exe Error: 0 : Exception :
>>> Type: System.InvalidCastException
>>> Message: Specified cast is not valid.
>>> Source: FrameworkInternal
>>> Stacktrace:
>>>    at Org.IdentityConnectors.ActiveDirectory.CustomAttributeHandlers.UpdateDeFromCa_PasswordNeverExpires(ObjectClass oclass, UpdateType type, DirectoryEntry directoryEntry, ConnectorAttribute attribute) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\CustomAttributeHandlers.cs:line 667
>>>    at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.UpdateADObject(ObjectClass oclass, DirectoryEntry directoryEntry, ICollection`1 attributes, UpdateType type, ActiveDirectoryConfiguration config) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 258
>>>    at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Update(UpdateType type, ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in d:\midpoint\tgit\openicf\connectors\dotnet\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 1091
>>>    at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.UpdateImpl.AddAttributeValues(ObjectClass objectClass, Uid uid, ICollection`1 valuesToAdd, OperationOptions options) in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1712
>>>    at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 247
>>>    at ___proxy1.AddAttributeValues(ObjectClass , Uid , ICollection`1 , OperationOptions )
>>>    at Org.IdentityConnectors.Framework.Impl.Api.DelegatingTimeoutProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Api.cs:line 1344
>>>    at ___proxy1.AddAttributeValues(ObjectClass , Uid , ICollection`1 , OperationOptions )
>>>    at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\Users\Pavol\Documents\GitHub\ConnId\dotnet\FrameworkInternal\Server.cs:line 626
>>>
>>>
>>>
>>> Thank you,
>>>
>>> Pat
>>>
>>>
>>>
>>> _______________________________________________
>>>
>>> midPoint mailing list
>>>
>>> midPoint at lists.evolveum.com
>>>
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>> --
>>>
>>> Ing. Ivan Noris
>>>
>>> Senior Identity Management Engineer & IDM Architect
>>>
>>> evolveum.com
>>> evolveum.com/blog/
>>>
>>> ___________________________________________________
>>>
>>> "Semper ID(e)M Vix."
>>>
>>>
>>> CONFIDENTIALITY NOTICE:
>>> This e-mail together with any attachments is proprietary and
>>> confidential; intended for only the recipient(s) named above
>>> and may contain information that is privileged. You should
>>> not retain, copy or use this e-mail or any attachments for
>>> any purpose, or disclose all or any part of the contents to
>>> any person. Any views or opinions expressed in this e-mail
>>> are those of the author and do not represent those of the
>>> Baptist School of Health Professions. If you have received
>>> this e-mail in error, or are not the named recipient(s), you
>>> are hereby notified that any review, dissemination,
>>> distribution or copying of this communication is prohibited
>>> by the sender and to do so might constitute a violation of
>>> the Electronic Communications Privacy Act, 18 U.S.C. section
>>> 2510-2521. Please immediately notify the sender and delete
>>> this e-mail and any attachments from your computer.
>>>
>>>
>>>
>>
>
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
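
Added example (not part of the original thread, and not midPoint or connector code): userAccountControl is a bitmask, so the 0x202 value mentioned above is ACCOUNTDISABLE (0x0002) plus NORMAL_ACCOUNT (0x0200), and a disable or enable should change only that one bit. The sketch below decodes a value and audits a before/after pair for collateral bit changes; the flag values are the documented Microsoft constants, while the function names and the lower-case "enabled"/"disabled" status strings are assumptions made for illustration.

```python
# Added example: flag values are Microsoft's documented userAccountControl
# constants; function names and status strings are hypothetical.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def apply_status(value, administrative_status):
    """Set or clear only ACCOUNTDISABLE, leaving every other bit untouched."""
    if administrative_status == "disabled":
        return value | ACCOUNTDISABLE
    if administrative_status == "enabled":
        return value & ~ACCOUNTDISABLE
    raise ValueError("unsupported administrativeStatus: %r" % administrative_status)


def audit_change(before, after, administrative_status):
    """List problems with a write: wrong disable bit, or other bits changed."""
    findings = []
    expected_disabled = administrative_status == "disabled"
    if bool(after & ACCOUNTDISABLE) != expected_disabled:
        findings.append("ACCOUNTDISABLE does not match administrativeStatus")
    collateral = (before ^ after) & ~ACCOUNTDISABLE
    if collateral:
        findings.append("unexpected bits changed: " + ", ".join(
            UAC_FLAGS.get(bit, hex(bit))
            for bit in (1 << i for i in range(32)) if collateral & bit))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    print(decode_uac(0x202))
    print(audit_change(0x10200, 0x202, "disabled"))
```

The second call shows why overwriting the whole attribute with 0x202 is riskier than toggling the flag: the account ends up disabled, but DONT_EXPIRE_PASSWORD is silently cleared as well.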