[midPoint] Create Users from Midpoint to AD

Dilek Gider dilek.gider at basistek.com
Wed Mar 15 12:59:30 CET 2017


Hi Ivan,

Thank you for your answer. First of all, my correlation rule was based on
$account/attributes/ri:sAMAccountName vs. c:name
and there wasn't an #addUser reaction. But I had errors and then I supposed
that I was doing something wrong, so I tried to change the resource XML.

Now I tried what you suggested; there is no error, but nothing changed. AD
users' shadows are created in midPoint, but no user is created in AD.
What should I do to create users on the target systems like AD, SAP etc?



On Wed, Mar 15, 2017 at 2:23 PM, Ivan Noris <Ivan.Noris at evolveum.com> wrote:

> Hello Dilek,
> please see my answers in the text below:
>
> ------------------------------
>
> *From: *"Dilek Gider" <dilek.gider at basistek.com>
> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
> *Sent: *Wednesday, March 15, 2017 9:01:49 AM
> *Subject: *Re: [midPoint] Create Users from Midpoint to AD
>
> Hi Ivan,
>
> I will reply to all of your questions, but it is clear that I want to create
> users from midPoint to AD.
> I don't know how to do this. I only created users from the HR DB to midPoint
> successfully, and then tried to add a new resource for AD.
>
> 1. I supposed that this reaction goes to AD and it will create user on AD
> with #addUser
>
> Quite the opposite. The reactions in the synchronization part are
> reactions that say what midPoint should do if new accounts are created in
> AD, for example to detect locally created accounts.
> The addUser action means midPoint should take the AD account and create a new
> USER in midPoint.
> This is the complete opposite of what you want. You want to create an AD
> account from a midPoint user. For that you don't need the inbounds and you
> don't need the addUser reaction.
>
> The quick fix would be to comment out the #addUser reaction.
> But I believe your problem lies in the correlation rule. It is completely
> incorrect. MidPoint creates a new account and tries to look up the user in
> midPoint by searching by name which is equal to icfs:uid. The AD LDAP connector
> does not even have such an attribute. Your correlation rule should be based on
> $account/attributes/ri:sAMAccountName vs. c:name, because that's exactly
> how you create the account.
>
> So, you need to fix the correlation rule, because now it's incorrect. And
> remove the #addUser reaction for unmatched.
>
>
> 2. I didn't add inbounds because I don't want to create users in midPoint
> with this connector. I have another connector, scriptedsql, and I'm creating
> users with it.
>
> 3. Which object template?
>
>
> I don't know your setup, but according to the error message I assumed
> there was some default object template. But the problem (as far as I can
> see) is in the synchronization part.
>
> Ivan
>
>
> I am running task to create users from midpoint to AD by setting schema
> handling outbounds.
>
> Thank you for your reply, I think I am confused too, and I don't know how
> to do this sync.
>
> On Tue, Mar 14, 2017 at 9:10 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>> Hi,
>> I'm confused.
>> You say you create users in AD from midpoint. For that you only need
>> outbound mappings, which you seem to have.
>> But the screenshot is from "ADSynchronization" task, which is clearly
>> synchronization task. And the task is complaining, because:
>>
>> 1. you have this in the synchronization for accounts:
>>          <reaction>
>>             <situation>unmatched</situation>
>>             <synchronize>true</synchronize>
>>             <action>
>>                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
>>             </action>
>>          </reaction>
>>
>> So midpoint tries to create new USER from account.
>>
>> 2. there are no inbounds
>> So midpoint cannot create user.
>>
>> 3. object template does not have any rule how to generate user/name
>> attribute.
>> Poor midpoint does not have anything to do.
>>
>> The question is, why are you running the task with no inbounds but
>> #addUser reaction for unmatched...?
>>
>> Regards,
>> Ivan
>>
>> On 03/14/2017 04:27 PM, Dilek Gider wrote:
>>
>> Hi All,
>>
>> I want to create users in AD from midPoint. I have a trusted resource in the HR
>> DB, and I can take users to midPoint. I want to send these users to AD. So, I
>> have created a new resource, attached as an attachment. I have been working on it for
>> two weeks, and couldn't succeed.
>>
>> Now, I can take all AD users to midpoint with correlation, but it gives
>> error like below and no users created on AD. I only set outbound attributes
>> in SchemaHandling.
>>
>> *SystemException: No name in new object null as produced by template null
>> in iteration 0, we cannot process an object without a name*
>>
>>
>> I'm afraid of if there is no synchronization from midPoint to AD?
>>
>> Thank you...
>>
>> Dilek.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com
>>
>>
>>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
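
The resource shape described in the quoted reply, as an added example (not taken from the thread or from the scrubbed attachment): an outbound-only mapping for sAMAccountName, a correlation rule on `$account/attributes/ri:sAMAccountName` vs. `c:name`, and no #addUser action for unmatched accounts. The intent, the `ri:user` object class, the `$user/name` source and the `unlinked` reaction are assumptions made for illustration.

```xml
<!-- Added illustration; fragments of a resource definition. The q:, c: and ri:
     prefixes are assumed to be declared on the enclosing <resource> element. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>default</intent>                 <!-- assumed intent -->
        <objectClass>ri:user</objectClass>       <!-- assumed AD object class -->
        <attribute>
            <ref>ri:sAMAccountName</ref>
            <!-- Outbound only: midPoint user name -> AD login name.
                 No <inbound> is needed for provisioning to AD. -->
            <outbound>
                <source>
                    <path>$user/name</path>
                </source>
            </outbound>
        </attribute>
    </objectType>
</schemaHandling>

<synchronization>
    <objectSynchronization>
        <enabled>true</enabled>
        <!-- Match an AD account to the midPoint user whose name equals the
             account's sAMAccountName, mirroring the outbound mapping above. -->
        <correlation>
            <q:equal>
                <q:path>c:name</q:path>
                <expression>
                    <path>$account/attributes/ri:sAMAccountName</path>
                </expression>
            </q:equal>
        </correlation>
        <!-- Assumed reaction: an AD account that correlates to an existing user is linked to it. -->
        <reaction>
            <situation>unlinked</situation>
            <synchronize>true</synchronize>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
            </action>
        </reaction>
        <!-- unmatched: no #addUser action, so AD accounts without a matching
             midPoint user never cause a user to be created from AD. -->
        <reaction>
            <situation>unmatched</situation>
        </reaction>
    </objectSynchronization>
</synchronization>
```

Leaving the unmatched reaction without an action keeps AD from acting as a source of midPoint users, so identities originate only from the HR resource.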