[midPoint] Create Users from Midpoint to AD

Ivan Noris Ivan.Noris at evolveum.com
Wed Mar 15 20:58:49 CET 2017


Hi, 
Sorry, I was maybe referring to another resource sample, but I was quite sure it was your example from 14 March. But as I'm currently doing onsite consultations I may have missed something. I try to answer e-mail after a full day of work :)

Please send the resource as it is now; I or someone else will try to understand the problem. Also please paste the error message.

Ivan 

----- Original Message -----

> From: "Dilek Gider" <dilek.gider at basistek.com>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Wednesday, March 15, 2017 1:59:30 PM
> Subject: Re: [midPoint] Create Users from Midpoint to AD

> Hi Ivan,

> Thank you for your answer. First of all, my correlation rule was based on
> $account/attributes/ri:sAMAccountName vs. c:name
> and there wasn't an #addUser reaction. But I had errors and then I supposed that
> I was doing something wrong, then I tried to change the resource XML.

> Now I tried what you suggested, there is no error but nothing changed. AD
> users' shadows are created in midpoint, but no user is created in AD.
> What should I do to create users on the target systems like AD, SAP etc.?

> On Wed, Mar 15, 2017 at 2:23 PM, Ivan Noris <Ivan.Noris at evolveum.com>
> wrote:

> > Hello Dilek,
> >
> > please see my answers in the text below:
> >
> > > From: "Dilek Gider" <dilek.gider at basistek.com>
> > > To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> > > Sent: Wednesday, March 15, 2017 9:01:49 AM
> > > Subject: Re: [midPoint] Create Users from Midpoint to AD
> > >
> > > Hi Ivan,
> > >
> > > I will reply to all of your questions, but it is clear that I want to create
> > > users from midpoint to AD.
> > > I don't know how to do this, I only created users from the HR DB to midpoint
> > > successfully, and then tried to add a new resource for AD.
> > >
> > > 1. I supposed that this reaction goes to AD and it will create a user on AD
> > > with #addUser
> >
> > Quite the opposite. The reactions in the synchronization part are reactions
> > that say what midPoint should do if there are new accounts created in the AD,
> > to detect locally created accounts for example.
> > The addUser action means midPoint should take the AD account and create a new
> > USER in midPoint.
> > This is the completely opposite way of what you want. You want to create an AD
> > account from a midPoint user. For that you don't need the inbounds and you
> > don't need the addUser reaction.
> >
> > The quick fix would be to comment out the #addUser reaction.
> > But I believe your problem lies in the correlation rule. It is completely
> > incorrect. MidPoint creates a new account and tries to look up the user in
> > midPoint by searching by name, which is equal to icfs:uid. The AD LDAP connector
> > does not even have such an attribute. Your correlation rule should be based on
> > $account/attributes/ri:sAMAccountName vs. c:name, because that's exactly how
> > you create the account.
> >
> > So, you need to fix the correlation rule, because now it's incorrect. And
> > remove the #addUser reaction for unmatched.
> >
> > > 2. I didn't add inbounds because I don't want to create users in midpoint
> > > with this connector. I have another connector, scriptedsql, and I'm creating
> > > users with it.
> > >
> > > 3. Which object template?
> >
> > I don't know your setup, but according to the error message I assumed there
> > was some default object template. But the problem (as far as I can see) is
> > in the synchronization part.
> >
> > Ivan

> > > I am running a task to create users from midpoint to AD by setting schema
> > > handling outbounds.
> > >
> > > Thank you for your reply, I think I am confused too, and I don't know how
> > > to do this sync.
> > >
> > > On Tue, Mar 14, 2017 at 9:10 PM, Ivan Noris <ivan.noris at evolveum.com>
> > > wrote:

> > > > Hi, I'm confused.
> > > >
> > > > You say you create users in AD from midpoint. For that you only need
> > > > outbound mappings, which you seem to have.
> > > >
> > > > But the screenshot is from the "ADSynchronization" task, which is clearly a
> > > > synchronization task. And the task is complaining, because:
> > > >
> > > > 1. you have this in the synchronization for accounts:
> > > >
> > > > <reaction>
> > > >     <situation>unmatched</situation>
> > > >     <synchronize>true</synchronize>
> > > >     <action>
> > > >         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
> > > >     </action>
> > > > </reaction>
> > > >
> > > > So midpoint tries to create a new USER from the account.
> > > >
> > > > 2. there are no inbounds
> > > > So midpoint cannot create the user.
> > > >
> > > > 3. the object template does not have any rule for how to generate the user/name
> > > > attribute.
> > > > Poor midpoint does not have anything to do.
> > > >
> > > > The question is, why are you running the task with no inbounds but an
> > > > #addUser reaction for unmatched...?
> > > >
> > > > Regards,
> > > > Ivan
> > > >
> > > > On 03/14/2017 04:27 PM, Dilek Gider wrote:

> > > > > Hi All,
> > > > >
> > > > > I want to create users in AD from Midpoint. I have a trusted resource in
> > > > > the HR DB, I can take users to Midpoint. I want to send these users to AD. So, I
> > > > > have created a new Resource, attached as an attachment. I have been working on it
> > > > > for two weeks, and couldn't succeed.
> > > > >
> > > > > Now, I can take all AD users to midpoint with correlation, but it gives an
> > > > > error like below and no users are created on AD. I only set outbound attributes
> > > > > in SchemaHandling.
> > > > >
> > > > > SystemException: No name in new object null as produced by template null in
> > > > > iteration 0, we cannot process an object without a name
> > > > >
> > > > > I'm afraid there is no synchronization from midpoint to AD?
> > > > >
> > > > > Thank you...
> > > > >
> > > > > Dilek.
> > > > >
> > > > > _______________________________________________
> > > > > midPoint mailing list midPoint at lists.evolveum.com
> > > > > http://lists.evolveum.com/mailman/listinfo/midpoint

> > > > --
> > > > Ivan Noris
> > > > Senior Identity Engineer evolveum.com



> > --
> > Ivan Noris
> > Senior Identity Engineer
> > evolveum.com



-- 
Ivan Noris 
Senior Identity Engineer 
evolveum.com 
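As an added illustration of the fix described in the thread (this is not the poster's resource and not a midPoint sample): an AD resource fragment in midPoint 3.x style where sAMAccountName is written only by an outbound mapping from the user's name, the correlation rule compares ri:sAMAccountName with c:name, and the unmatched situation carries no #addUser action. The object class ri:user, the account/default kind and intent, and the namespace prefixes c, ri and q are assumptions taken from the usual midPoint 3 conventions.

```xml
<!-- Added example, not from the thread. The object class ri:user and the
     account/default kind and intent are assumptions for an AD resource. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <objectClass>ri:user</objectClass>
        <!-- Outbound only: the AD account name is derived from the
             midPoint user name. There are no <inbound> mappings at all. -->
        <attribute>
            <ref>ri:sAMAccountName</ref>
            <outbound>
                <source>
                    <path>$user/name</path>
                </source>
            </outbound>
        </attribute>
    </objectType>
</schemaHandling>
<synchronization>
    <objectSynchronization>
        <enabled>true</enabled>
        <kind>account</kind>
        <intent>default</intent>
        <!-- Correlation uses the same pair of values the outbound mapping
             writes: account sAMAccountName vs. user name (not icfs:uid). -->
        <correlation>
            <q:equal>
                <q:path>c:name</q:path>
                <expression>
                    <path>$account/attributes/ri:sAMAccountName</path>
                </expression>
            </q:equal>
        </correlation>
        <!-- Account whose owner was found by correlation: link them. -->
        <reaction>
            <situation>unlinked</situation>
            <synchronize>true</synchronize>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
            </action>
        </reaction>
        <!-- Account with no owner: no #addUser, so midPoint never tries to
             build a user from it and the "No name in new object" path is not hit. -->
        <reaction>
            <situation>unmatched</situation>
            <synchronize>true</synchronize>
        </reaction>
    </objectSynchronization>
</synchronization>
```

The synchronization task only links or ignores existing AD accounts; the AD account itself is provisioned when a midPoint user receives an assignment (directly or through a role) with a construction that points at this resource.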