[midPoint] Create Users from Midpoint to AD

Ivan Noris Ivan.Noris at evolveum.com
Wed Mar 15 12:23:39 CET 2017


Hello Dilek, 
please see my answers in the text below: 

----- Original Message -----

> From: "Dilek Gider" <dilek.gider at basistek.com>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Wednesday, March 15, 2017 9:01:49 AM
> Subject: Re: [midPoint] Create Users from Midpoint to AD

> Hi Ivan,

> I will reply to all of your questions, but it is clear that I want to create
> users from midpoint to AD.
> I don't know how to do this, I only created users from HR db to midpoint
> successfully, and then tried to add a new resource for AD.

> 1. I supposed that this reaction goes to AD and it will create user on AD
> with #addUser

Quite the opposite. The reactions in the synchronization part are reactions describing what midPoint should do if there are new accounts created in the AD, to detect locally created accounts for example. 
AddUser action means midPoint should take the AD account and create a new USER in midPoint. 
This is the complete opposite of what you want. You want to create an AD account from a midPoint user. For that you don't need the inbounds and you don't need the addUser reaction. 

The quick fix would be to comment out the #addUser reaction. 
But I believe your problem lies in the correlation rule. It is completely incorrect. MidPoint creates a new account and tries to look up the user in midPoint by searching by name which is equal to icfs:uid. The AD LDAP connector does not even have such an attribute. Your correlation rule should be based on $account/attributes/ri:sAMAccountName vs. c:name, because that's exactly how you create the account. 

So, you need to fix the correlation rule, because now it's incorrect. And remove the #addUser reaction for unmatched. 

> 2. I didn't add inbounds because I don't want to create users in midpoint with
> this connector. I have another connector, scriptedsql, and I'm creating users
> with it.

> 3. Which object template?

I don't know your setup, but according to the error message I assumed there was some default object template. But the problem (as far as I can see) is in the synchronization part. 

Ivan 

> I am running task to create users from midpoint to AD by setting schema
> handling outbounds.

> Thank you for your reply, I think I am confused too, and I don't know how to
> do this sync.

> On Tue, Mar 14, 2017 at 9:10 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:

> > Hi, I'm confused.

> > You say you create users in AD from midpoint. For that you only need
> > outbound mappings, which you seem to have.

> > But the screenshot is from "ADSynchronization" task, which is clearly a
> > synchronization task. And the task is complaining, because:

> > 1. you have this in the synchronization for accounts:

> > <reaction>
> >   <situation>unmatched</situation>
> >   <synchronize>true</synchronize>
> >   <action>
> >     <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
> >   </action>
> > </reaction>

> > So midpoint tries to create new USER from account.

> > 2. there are no inbounds

> > So midpoint cannot create user.

> > 3. object template does not have any rule for how to generate user/name
> > attribute.

> > Poor midpoint does not have anything to do.

> > The question is, why are you running the task with no inbounds but #addUser
> > reaction for unmatched...?

> > Regards,

> > Ivan

> > On 03/14/2017 04:27 PM, Dilek Gider wrote:

> > > Hi All,

> > > I want to create users in AD from Midpoint. I have trusted resource in HR
> > > DB, I can take users to Midpoint. I want to send these users to AD. So, I
> > > have created new Resource, attached as attachment. I am working on it for
> > > two weeks, and couldn't succeed.

> > > Now, I can take all AD users to midpoint with correlation, but it gives
> > > error like below and no users created on AD. I only set outbound
> > > attributes in SchemaHandling.

> > > SystemException: No name in new object null as produced by template null
> > > in iteration 0, we cannot process an object without a name

> > > I'm afraid there is no synchronization from midpoint to AD?

> > > Thank you...

> > > Dilek.

> > > _______________________________________________
> > > midPoint mailing list midPoint at lists.evolveum.com
> > > http://lists.evolveum.com/mailman/listinfo/midpoint

> > --
> > Ivan Noris
> > Senior Identity Engineer evolveum.com


-- 
Ivan Noris 
Senior Identity Engineer 
evolveum.com 
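A synchronization section that follows Ivan's advice (correlate on sAMAccountName vs. c:name, drop the #addUser reaction for unmatched), as an added example that is not code from the thread, from Dilek's attached resource or from midPoint's own samples; it assumes the usual midPoint 3.x namespace prefixes c, q and ri are declared on the enclosing resource element and that the AD accounts use the `default` intent.

```xml
<!-- Assumed prefixes, declared on the enclosing <resource> element:
     c  = http://midpoint.evolveum.com/xml/ns/public/common/common-3
     q  = http://prism.evolveum.com/xml/ns/public/query-3
     ri = http://midpoint.evolveum.com/xml/ns/public/resource/instance-3 -->
<synchronization>
  <objectSynchronization>
    <name>AD accounts, outbound-only provisioning</name>
    <kind>account</kind>
    <intent>default</intent>
    <focusType>c:UserType</focusType>
    <enabled>true</enabled>

    <!-- Correlation: find the midPoint user whose name equals the AD
         sAMAccountName, i.e. the value the outbound mapping writes.
         The rule discussed in the thread compared the user name with
         icfs:uid, which the AD LDAP connector does not expose, so no
         account could ever be matched to its owner. -->
    <correlation>
      <q:equal>
        <q:path>c:name</q:path>
        <expression>
          <path>$account/attributes/ri:sAMAccountName</path>
        </expression>
      </q:equal>
    </correlation>

    <!-- Account already linked to its user: keep it in sync. -->
    <reaction>
      <situation>linked</situation>
      <synchronize>true</synchronize>
    </reaction>

    <!-- Account correlated to exactly one user but not yet linked:
         create the link instead of a duplicate account. -->
    <reaction>
      <situation>unlinked</situation>
      <synchronize>true</synchronize>
      <action>
        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
      </action>
    </reaction>

    <!-- No reaction for "unmatched": an AD account with no owning user
         is only reported, not turned into a new midPoint user, because
         users come from the HR database and this resource has outbound
         mappings only. The #addUser reaction is deliberately omitted. -->
  </objectSynchronization>
</synchronization>
```

With this rule in place, the reconciliation task has no reason to call the object template for a name, which is what produced the "No name in new object" SystemException quoted above.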