[midPoint] Active Directory password synchronization specific channels

Rodrigo Yanis ryanis at identicum.com
Wed Jan 18 16:45:36 CET 2017


Hello everyone,

We're currently integrating a set of productive users from a source
application (database) into midPoint and then into an Active Directory. We need
to establish specific behavior for password synchronization on specific
channels and events in accordance with the following policy:
1. User password must be propagated if the user is being created in Active
Directory.
2. User password must be propagated into Active Directory if the password
is updated through the midPoint GUI and midPoint REST service.
3. User password must NOT be propagated into Active Directory if the user
already existed in the target (neither on a midPoint import event,
recompute event, manual reconciliation, etc.).

Our current configuration for this, in the Active Directory resource, is
the following:

<credentials>
   <password>
      <outbound>
         <channel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</channel>
         <channel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#rest</channel>
         <channel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#recompute</channel>
         <channel>http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import</channel>
         <expression>
            <asIs/>
         </expression>
      </outbound>
   </password>
</credentials>


This seems to be responding properly to the policy defined above.
Do you consider this to be conceptually appropriate? Should this be
accompanied with further configurations?

Thanks in advance,

*Rodrigo Yanis.*
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4824-9971
ryanis at identicum.com
www.identicum.com
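In midPoint, a mapping that carries one or more <channel> elements is applied only when the operation arrives on one of the listed channels, so every channel listed under the outbound password mapping is a channel on which the password will flow to the target. A small config audit that makes this explicit is shown below. It is an added example, not part of the post above and not midPoint's own code: it parses a resource XML fragment, finds each credentials/password/outbound mapping, and compares the channels it lists with an allow-list derived from policy points 2 and 3 (GUI and REST only). The channel URIs are copied from the posted configuration; the <resource> wrapper element and the hardened and unrestricted sample snippets are constructed for the example. Run on the posted snippet it reports the recompute and import channels as outside the allow-list; a mapping with no <channel> element at all is counted as unrestricted, since it then applies on every channel.

```python
import xml.etree.ElementTree as ET

# Channel URIs exactly as they appear in the posted resource configuration.
CHANNEL_GUI_USER = "http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user"
CHANNEL_REST = "http://midpoint.evolveum.com/xml/ns/public/model/channels-3#rest"
CHANNEL_RECOMPUTE = "http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#recompute"
CHANNEL_IMPORT = "http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import"

# Allow-list derived from policy points 2 and 3 of the post: password changes
# made through the GUI or REST may flow to AD; import/recompute/recon must not.
ALLOWED_CHANNELS = {CHANNEL_GUI_USER, CHANNEL_REST}


def _resource(channels):
    """Build a constructed resource fragment around a password outbound mapping.
    The <resource> wrapper is hypothetical; only the inner block mirrors the post."""
    channel_xml = "".join(f"<channel>{c}</channel>" for c in channels)
    return (
        "<resource><credentials><password><outbound>"
        f"{channel_xml}<expression><asIs/></expression>"
        "</outbound></password></credentials></resource>"
    )


# Constructed samples: the posted channel list, a version restricted to the
# allow-list, and a mapping with no channel restriction at all.
POSTED_RESOURCE = _resource([CHANNEL_GUI_USER, CHANNEL_REST, CHANNEL_RECOMPUTE, CHANNEL_IMPORT])
HARDENED_RESOURCE = _resource([CHANNEL_GUI_USER, CHANNEL_REST])
UNRESTRICTED_RESOURCE = _resource([])


def local_name(tag):
    """Strip an XML namespace prefix: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def outbound_password_channels(resource_xml):
    """Return one channel list per credentials/password/outbound mapping.
    Matching is done on local names so a namespaced resource parses the same way.
    An empty list means the mapping carries no <channel> restriction."""
    root = ET.fromstring(resource_xml)
    # ElementTree has no parent links, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    mappings = []
    for elem in root.iter():
        if local_name(elem.tag) != "outbound":
            continue
        parent = parents.get(elem)
        grandparent = parents.get(parent) if parent is not None else None
        if parent is None or grandparent is None:
            continue
        if local_name(parent.tag) != "password" or local_name(grandparent.tag) != "credentials":
            continue
        channels = [c.text.strip() for c in elem if local_name(c.tag) == "channel" and c.text]
        mappings.append(channels)
    return mappings


def audit_password_channels(resource_xml, allowed=ALLOWED_CHANNELS):
    """Compare every outbound password mapping against the allow-list.
    Returns a dict with the number of mappings found, how many carry no channel
    restriction (and so apply on every channel), and the sorted list of listed
    channels that fall outside the allow-list."""
    mappings = outbound_password_channels(resource_xml)
    unrestricted = sum(1 for chans in mappings if not chans)
    disallowed = sorted({c for chans in mappings for c in chans if c not in allowed})
    return {"mappings": len(mappings), "unrestricted": unrestricted, "disallowed": disallowed}


if __name__ == "__main__":
    for label, xml in (("posted", POSTED_RESOURCE), ("hardened", HARDENED_RESOURCE),
                       ("unrestricted", UNRESTRICTED_RESOURCE)):
        report = audit_password_channels(xml)
        print(f"{label}: {report['mappings']} mapping(s), "
              f"{report['unrestricted']} unrestricted, "
              f"disallowed channels: {report['disallowed'] or 'none'}")
```

The audit deliberately treats a missing <channel> list as the riskiest case: without a restriction the asIs expression pushes the stored password on every channel, including import and reconciliation, which is exactly what policy point 3 rules out.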

