[midPoint] Disable user in AD resource on delete from MidPoint
Ana Pereyra
apereyra at identicum.com
Fri Nov 11 19:25:20 CET 2016
Thank you very much, Ivan, for this information. I understand the behaviour
better now.
Regards,
Ana
2016-11-10 15:45 GMT-03:00 Ivan Noris <ivan.noris at evolveum.com>:
> Hi,
>
> the configuration for "disable instead of delete" works only for
> unassigning "last role" - to tell midpoint that the account should be
> disabled instead. Delete still works as usual.
>
> Activation mapping is obviously not evaluated when you delete user (I
> think no mappings are evaluated).
>
> You can configure any resource to arbitrarily disable delete operation
> using capabilities; in which case midPoint will throw an exception when you
> try to delete the account.
>
> <capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
>   <configured>
>     <cap:create>
>       <cap:enabled>true</cap:enabled>
>     </cap:create>
>     <cap:update>
>       <cap:enabled>true</cap:enabled>
>     </cap:update>
>     <cap:delete>
>       <cap:enabled>false</cap:enabled>
>     </cap:delete>
>   </configured>
> </capabilities>
>
> The drawback of disabling delete operation using capabilities is that
> every delete operation (for account or not) will fail. You can also modify
> the permissions of the technical account the connector uses, to not allow
> deletes (it will throw exception as well).
>
> The different approach is not to delete the users/accounts at all.
> Regards,
> Ivan
>
>
> On 11/10/2016 06:07 PM, Ana Pereyra wrote:
>
> Hi everyone,
>
> I have an Active Directory resource with the activation node configured
> like this:
>
> <activation>
>   <!-- Existence mapping hardcoded to TRUE in order not to delete
>        in the resource when deleted in MidPoint -->
>   <existence>
>     <outbound>
>       <expression>
>         <value>true</value>
>       </expression>
>     </outbound>
>   </existence>
>   <!-- If user exists and account is entitled -->
>   <administrativeStatus>
>     <outbound>
>       <expression>
>         <script>
>           <code>
>             import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
>             if (legal && assigned)
>             {
>               input;
>             }
>             else
>             {
>               ActivationStatusType.DISABLED;
>             }
>           </code>
>         </script>
>       </expression>
>     </outbound>
>   </administrativeStatus>
> </activation>
>
> What I need is the following:
>
> - When a user that is linked is disabled, the account is disabled in
> AD (Working)
> - When a user has the association to AD removed (the resource is
> removed from the user, or a role containing an inducement to the resource
> is removed from the user), the account is disabled in AD (Working)
> - When a user that is linked is DELETED from MidPoint, the account
> is disabled in AD (NOT WORKING). Currently, with this configuration,
> when I delete a user that is linked in AD I get the following error:
>
> Schema violation during processing shadow: shadow:
> CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> (OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema violation: Value of
> attribute '__NAME__' must be a single value, but it has 0values: Schema
> violation during processing shadow: shadow:
> CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> (OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema violation: Value of
> attribute '__NAME__' must be a single value, but it has 0values: Schema
> violation during processing shadow: shadow:
> CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> (OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema violation: Value of
> attribute '__NAME__' must be a single value, but it has 0values: Schema
> violation during processing shadow: shadow:
> CN=testuser_ad,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> (OID:dfc8cf0c-d571-4e09-9e58-df9cf117f94d): Schema violation: Value of
> attribute '__NAME__' must be a single value, but it has 0values
>
> Can anyone please help me with this? Thanks in advance.
>
> Regards,
> --
> Ana Pereyra
> Identicum S.A.
>
> Jorge Newbery 3226, Argentina Tel: +54 (11) 4552.3050
> apereyra at identicum.com
> www.identicum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
>
--
Ana Pereyra
Identicum S.A.
Jorge Newbery 3226, Argentina Tel: +54 (11) 4552.3050
apereyra at identicum.com
www.identicum.com
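Ivan's blunt option is to switch the delete capability off in the resource definition, at the cost of every delete on that resource failing. When you have more than a handful of resources it is worth checking which ones actually carry that setting. The following is an added example, not midPoint's code and not something either poster wrote: it parses a resource XML and reports whether create, update and delete are disabled under <configured>. The capabilities-3 namespace is the one quoted in the thread; the common-3 default namespace on the <resource> element and the two sample documents are my own assumptions and constructed input.

```python
"""Audit the configured capabilities of a midPoint resource definition.

Added example, not midPoint's own code: parses a resource XML and reports
whether create/update/delete are switched off under <configured>.
"""
import xml.etree.ElementTree as ET

# Namespace quoted in the thread for the <cap:...> elements.
CAP_NS = "http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
# Assumed default namespace of a resource object (not stated on the page).
COMMON_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
OPERATIONS = ("create", "update", "delete")


def _local(tag: str) -> str:
    """'{ns}delete' -> 'delete', so prefixes and default namespaces do not matter."""
    return tag.rsplit("}", 1)[-1]


def configured_operations(resource_xml: str) -> dict:
    """Return {operation: enabled} for create, update and delete.

    Only <configured> blocks are inspected, not <native>, which is what the
    connector reports about itself. An operation absent from <configured> is
    reported as enabled here, on the assumption that midPoint then uses what
    the connector natively offers; a capability element without an <enabled>
    child is likewise treated as enabled.
    """
    root = ET.fromstring(resource_xml)
    enabled = {op: True for op in OPERATIONS}
    for node in root.iter():
        if _local(node.tag) != "configured":
            continue
        for cap in node:
            op = _local(cap.tag)
            if op not in OPERATIONS:
                continue
            flag = next((c for c in cap if _local(c.tag) == "enabled"), None)
            enabled[op] = flag is None or (flag.text or "").strip().lower() == "true"
    return enabled


def delete_is_blocked(resource_xml: str) -> bool:
    """True when the resource refuses every delete, the trade-off Ivan describes."""
    return not configured_operations(resource_xml)["delete"]


# Constructed sample: the thread's capabilities snippet inside a minimal resource.
RESOURCE_DELETE_BLOCKED = f"""<resource xmlns="{COMMON_NS}" xmlns:cap="{CAP_NS}">
  <name>AD (constructed sample)</name>
  <capabilities>
    <configured>
      <cap:create><cap:enabled>true</cap:enabled></cap:create>
      <cap:update><cap:enabled>true</cap:enabled></cap:update>
      <cap:delete><cap:enabled>false</cap:enabled></cap:delete>
    </configured>
  </capabilities>
</resource>"""

# Constructed sample: nothing configured, so the connector's defaults apply.
RESOURCE_DEFAULT = f"""<resource xmlns="{COMMON_NS}">
  <name>AD (constructed sample, defaults)</name>
</resource>"""


if __name__ == "__main__":
    for label, xml in (("delete blocked", RESOURCE_DELETE_BLOCKED),
                       ("defaults", RESOURCE_DEFAULT)):
        print(label, configured_operations(xml), "blocked:", delete_is_blocked(xml))
```

Run it over each resource export and the ones returning `delete: False` are those where any delete, not only a user deletion cascading to an account, will end in an exception, exactly the side effect the reply warns about.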