[midPoint] AD disable account on unlink

Jaakko Leskinen jaakko.leskinen at qvantel.com
Thu Apr 20 08:16:36 CEST 2017


Hello all,

I have tried to search high and low but, alas, my Google-fu has failed me. So, please excuse me and feel free to point me to the applicable documentation if I have indeed missed this one :)

Now that being said, I am having a hard time figuring out how to disable AD accounts when the projection is deleted or unlinked. Should this be possible?

The authoritative data flow is somewhat standard I would suspect: HR system > MidPoint > AD - meaning that we will never create user objects from AD accounts, enforce attributes from MidPoint to AD and user objects in MidPoint are created, and their status updated, based on what we have in the HR system (unless we override something in MidPoint).

In essence, what I am trying to accomplish is to provision new accounts in AD with MidPoint, but I do not want to ever delete a single account from the AD resource. In all imaginable situations the AD account, once provisioned, should never get deleted.

Using MidPoint 3.5 and Active Directory with com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v1.4.3.

My resource definition:
   <projection>
      <assignmentPolicyEnforcement>relative</assignmentPolicyEnforcement>
      <legalize>false</legalize>
   </projection>
…
         <cap:delete>
            <cap:enabled>false</cap:enabled>
         </cap:delete>
      </configured>
   </capabilities>
…
         <activation>
            <existence>
               <outbound>
                  <strength>weak</strength>
                  <expression>
                     <c:path>$focusExists</c:path>
                  </expression>
               </outbound>
            </existence>
            <administrativeStatus>
               <outbound>
                  <strength>strong</strength>
                  <expression>
                     <script>
                        <code>
                            import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
                            if (legal) {
                                input;
                            } else {
                                ActivationStatusType.DISABLED;
                            }
                        </code>
                     </script>
                  </expression>
               </outbound>
            </administrativeStatus>
            <validFrom>
               <outbound/>
            </validFrom>
            <validTo>
               <outbound/>
            </validTo>
         </activation>

From our upstream HR system we have:
         <activation>
            <existence>
               <inbound>
                  <expression>
                     <asIs/>
                  </expression>
               </inbound>
            </existence>
            <administrativeStatus>
               <inbound>
                  <strength>weak</strength>
                  <source>
                     <c:path>$c:account/c:attributes/ri:ad_status</c:path>
                  </source>
                  <expression>
                     <script>
                        <code>
                            import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
                            if (ad_status == 1) {
                                null;
                            } else {
                                ActivationStatusType.DISABLED;
                            }
                        </code>
                     </script>
                  </expression>
               </inbound>
            </administrativeStatus>
            <validFrom>
               <inbound>
                  <strength>weak</strength>
               </inbound>
            </validFrom>
         </activation>

I have tested unlinking and deleting the projection explicitly from a given user in the MidPoint GUI, and the AD account never gets disabled. It just sits there enabled, or, if I change the policy and enable the resource delete capability, the account gets removed (as expected).

Thanks!

With best regards,
Jaakko Leskinen


--
Jaakko Leskinen
System Developer / Team Lead
Qvantel
Piippukatu 11
FI-40100 Jyväskylä, Finland
+358 44 977 3829
jaakko.leskinen at qvantel.com
www.qvantel.com
