[midPoint] Sync AD with Midpoint for one time, not create

Dilek Gider dilek.gider at basistek.com
Thu Aug 17 13:06:51 CEST 2017 

Hi Ivan,

Then you say that it is searching in whole AD only with correlation
identifier, right? They are completely the same value, i am comparing with
polystring attribute. I will share log but it is customer's identity
number, so I can't share here.

On Thu, Aug 17, 2017 at 1:52 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

> Hi,
>
> if it fails with UNMATCHED, it means that the correlation filter is
> incorrect. Or at least it does not allow matching. Case-sensitivity problem?
>
> In generic cases your scenario is pretty common. For one-time
> synchronization (without creating users in midPoint) you can setup
> different correlation expression in the resource object synchronization.
> The correlation expression can even be OR so two or more different
> expressions can be used.
>
> Without knowing more it's hard to tell what's wrong.
>
> Best regards,
>
> Ivan
>
> On 17.08.2017 11:42, Dilek Gider wrote:
>
> To be more descriptive, I have unique identifer as identity number and
> correlation works fine, there is a record on AD with that unique number and
> also midpoint user has the same unique identifer. But it falls into
> unmatched situation, tries to add new account with iterationToken as a new
> record.
>
> On Thu, Aug 17, 2017 at 12:11 PM, Dilek Gider <dilek.gider at basistek.com>
> wrote:
>
>> Hi,
>>
>> I have HR db resource to get users to midpoint, and then create accounts
>> on the AD,  all of these operations are working fine now.
>>
>> But I have a requirement that; all of users are also in AD now and they
>> are correct. Customer always used AD effectively by manual insert/update.
>> Now with midpoint project, we are doing automation the process from HR to
>> AD. But when project goes to production, only one time, we have to
>> syncronize midpoint users with AD users, not create. After one time
>> operation, AD account will be created automatically by midpoint, but for
>> one time , at the beginning of production, we  won't create users on AD,
>> only sync them with midpoint users.
>>
>> I tried to do this,  but I think LDAP connector searches AD accounts by
>> "objectGUID". objectGUID on AD accounts didin't generated by midpoint, they
>> generated by manuel create. How can I map midpoint users (comes from HR)
>> and old AD accounts? There is unique value in each side that is identity
>> number but i can't sync them because of searching by objectGUID.
>>
>> Thank you, I hope it is explanatory.
>>
>> Dilek.
>>
>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170817/208a29b6/attachment.htm>

More information about the midPoint mailing list