[midPoint] Configuring synchronisation of resource account to user
Ivan Noris
ivan.noris at evolveum.com
Thu Apr 20 09:50:12 CEST 2017
Hi Tommy,
On 04/20/2017 09:37 AM, Tommy Montegu wrote:
>
> Ivan,
>
> Thank you very much for your time. I read some LDAP samples to
> configure synchronization. I decided to set up the correlation with CN.
>
> For example, in my AD resource, I have the CN defined like this:
>
> <attribute>
>     <c:ref>ri:cn</c:ref>
>     <limitations>
>         <minOccurs>0</minOccurs>
>     </limitations>
>     <outbound>
>         <source>
>             <c:path>name</c:path>
>         </source>
>     </outbound>
> </attribute>
>
> In my Zimbra resource, I have the CN defined like this:
>
> <attribute>
>     <c:ref>ri:cn</c:ref>
>     <displayName>Common Name</displayName>
>     <limitations>
>         <minOccurs>0</minOccurs>
>         <access>
>             <read>true</read>
>             <add>true</add>
>             <modify>true</modify>
>         </access>
>     </limitations>
>     <outbound>
>         <source>
>             <c:path>fullName</c:path>
>         </source>
>     </outbound>
> </attribute>
>
> So I began to write the correlation like this:
>
> <objectSynchronization>
>     <name>Account sync</name>
>     <objectClass>ri:zimbraAccount</objectClass>
>     <kind>account</kind>
>     <intent>default</intent>
>     <focusType>UserType</focusType>
>     <enabled>true</enabled>
>     <correlation>
>         <q:equal>
>             <q:path>c:name</q:path>
>             <expression>
>                 <path>$user/attributes/cn</path>
>             </expression>
>         </q:equal>
>     </correlation>
> </objectSynchronization>
>
> Is that the correct syntax? For me, the search query will look for users
> that have "name" equal to the "cn" of this account. So after that, I need
> to configure the reaction; is that correct?
>
Almost correct.
First, the <path> should be <path>$accounts/attributes/cn</path> as this
is a resource-side attribute, not a user attribute.
That would search users in midPoint where the midPoint user name equals
the Zimbra "cn". But in your schema handling you are putting the user's
"fullName" into "cn", so you need to fix one or the other. If "cn" is
actually the full name of the user, you probably need to change the correlation
query to use <q:path>c:fullName</q:path>. Of course this means that full
names in Zimbra are the same as in midPoint, otherwise the matching
will not be 100%. (But a dry-run reconciliation will help you to see how
many accounts matched.)
> I read that we don't have to configure a confirmation rule because the
> search will always return at most one match.
>
> So I am thinking of this reaction:
>
> <reaction>
>     <situation>linked</situation>
>     <synchronize>true</synchronize>
> </reaction>
> <reaction>
>     <situation>deleted</situation>
>     <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"/>
> </reaction>
> <reaction>
>     <situation>unlinked</situation>
>     <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link"/>
> </reaction>
>
> But if it's unmatched, what should I put in the reaction?
>
What do you want to achieve?
If you want to create a new midPoint user when reconciliation with Zimbra
detects an account which is unmatched, then you need the addFocus reaction action.
If you don't want Zimbra to be authoritative for creating new users in
midPoint (which I think is true: Zimbra is a target system and not a
source), you don't need an unmatched reaction at all. In such cases I use:
<reaction>
    <situation>unmatched</situation>
</reaction>
Regards,
Ivan
--
Ivan Noris
Senior Identity Engineer
evolveum.com
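The objectSynchronization block with both points from the reply above folded in, written here as an added example rather than configuration quoted from the thread: the correlation compares the Zimbra account's cn (the resource-side variable, written `$account` in the singular as in midPoint's documented correlation examples) against the midPoint user's fullName, which is what the schema handling maps into cn, and the unmatched situation gets an empty reaction so that Zimbra never creates users. The object class, attribute names and action URIs are the ones quoted in the thread; the comments are added.

```xml
<objectSynchronization>
    <name>Account sync</name>
    <objectClass>ri:zimbraAccount</objectClass>
    <kind>account</kind>
    <intent>default</intent>
    <focusType>UserType</focusType>
    <enabled>true</enabled>
    <correlation>
        <q:equal>
            <!-- user-side property to compare: fullName, because the outbound
                 mapping for ri:cn takes its value from the user's fullName -->
            <q:path>c:fullName</q:path>
            <expression>
                <!-- resource-side attribute of the account being correlated -->
                <path>$account/attributes/cn</path>
            </expression>
        </q:equal>
    </correlation>
    <!-- account already linked to a user: keep it synchronized -->
    <reaction>
        <situation>linked</situation>
        <synchronize>true</synchronize>
    </reaction>
    <!-- account disappeared from Zimbra: drop the link, keep the user -->
    <reaction>
        <situation>deleted</situation>
        <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"/>
    </reaction>
    <!-- exactly one user matched the correlation query: link it -->
    <reaction>
        <situation>unlinked</situation>
        <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#link"/>
    </reaction>
    <!-- no user matched: Zimbra is a target, not a source of users,
         so no action (an addFocus action here would create users) -->
    <reaction>
        <situation>unmatched</situation>
    </reaction>
</objectSynchronization>
```

Two checks before enabling this for real: run the reconciliation as a dry run first, as suggested above, to count how many accounts actually land in the unlinked versus unmatched situations; and confirm that fullName is unique among midPoint users, because if two users share a full name the query can return more than one match and the "at most one match, no confirmation rule needed" assumption no longer holds.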