[midPoint] Create Users from Midpoint to AD
Dilek Gider
dilek.gider at basistek.com
Thu Mar 16 12:08:50 CET 2017
Hi Ivan,
No need to be sorry, I have sent you resource sample as you understand on 14
March because I had changed my first AD resource xml by trying to create
users. Lots of changes I did on my resource xml. So, as a result I am
sending you my final resource xml. There is no error now, but it does not
create users *from midpoint to AD.*
Thank you very much for all of your support.
Dilek.
On Wed, Mar 15, 2017 at 10:58 PM, Ivan Noris <Ivan.Noris at evolveum.com>
wrote:
> Hi,
> sorry I was maybe referring to another resource sample but I was quite
> sure it was your example from 14 March. But as I'm currently doing onsite
> consultations I may have missed something. I try to answer e-mail after
> full-day of work :)
>
> Please send the resource as it is now, I or someone else will try to
> understand the problem. Also please paste the error message.
>
> Ivan
>
> ------------------------------
>
> *From: *"Dilek Gider" <dilek.gider at basistek.com>
> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
> *Sent: *Wednesday, March 15, 2017 1:59:30 PM
> *Subject: *Re: [midPoint] Create Users from Midpoint to AD
>
> Hi Ivan,
>
> Thank you for your answer. First of all, my correlation rule was based on
> $account/attributes/ri:sAMAccountName vs. c:name
> and there wasn't #addUser reaction. But I had errors and then I supposed
> that I am doing wrong, then I tried to change resource xml.
>
> Now I tried what you suggested, there is no error but nothing changed. AD
> users' shadows are created in midpoint, but no user is created in AD.
> What should I do to create users on the target systems like AD, SAP etc?
>
>
>
> On Wed, Mar 15, 2017 at 2:23 PM, Ivan Noris <Ivan.Noris at evolveum.com>
> wrote:
>
>> Hello Dilek,
>> please see my answers in the text below:
>>
>> ------------------------------
>>
>> *From: *"Dilek Gider" <dilek.gider at basistek.com>
>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>> *Sent: *Wednesday, March 15, 2017 9:01:49 AM
>> *Subject: *Re: [midPoint] Create Users from Midpoint to AD
>>
>> Hi Ivan,
>>
>> I will reply all of your questions, but it is clear that I want to create
>> users from midpoint to AD.
>> I don't know how to do this, I only created users from HR db to midpoint
>> successfully, and then try to add new resource for AD.
>>
>> 1. I supposed that this reaction goes to AD and it will create user on AD
>> with #addUser
>>
>> Quite the opposite. The reactions in the synchronization part are
>> reactions what midPoint should do if there are new accounts created in the
>> AD. To detect locally created accounts for example.
>> AddUser action means, midPoint should take the AD account and create new
>> USER in midPoint.
>> This is completely opposite way of what you want. You want to create AD
>> account from midPoint user. For that you don't need the inbounds and you
>> don't need the addUser reaction.
>>
>> The quick fix would be to comment out the #addUser reaction.
>> But I believe your problem lies in the correlation rule. It is completely
>> incorrect. MidPoint creates a new account and tries to lookup the user in
>> midPoint by searching by name which is equal to icfs:uid. AD LDAP connector
>> does not even have such attribute. Your correlation rule should be based on
>> $account/attributes/ri:sAMAccountName vs. c:name, because that's exactly
>> how you create the account.
>>
>> So, you need to fix the correlation rule, because now it's incorrect. And
>> remove the #addUser reaction for unmatched.
>>
>>
>> 2. I didn't add inbounds because I don't want to create users in midpoint
>> with this connector. I have another connector scriptedsql and I'm creating
>> users with it.
>>
>> 3. Which object template?
>>
>>
>> I don't know your setup, but according to the error message I assumed
>> there was some default object template. But the problem (as far as I can
>> see) is in the synchronization part.
>>
>> Ivan
>>
>>
>> I am running task to create users from midpoint to AD by setting schema
>> handling outbounds.
>>
>> Thank you for your reply, I think I am confused too, and I don't know how
>> to do this sync.
>>
>> On Tue, Mar 14, 2017 at 9:10 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>> Hi,
>>> I'm confused.
>>> You say you create users in AD from midpoint. For that you only need
>>> outbound mappings, which you seem to have.
>>> But the screenshot is from "ADSynchronization" task, which is clearly
>>> synchronization task. And the task is complaining, because:
>>>
>>> 1. you have this in the synchronization for accounts:
>>>     <reaction>
>>>         <situation>unmatched</situation>
>>>         <synchronize>true</synchronize>
>>>         <action>
>>>             <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
>>>         </action>
>>>     </reaction>
>>>
>>> So midpoint tries to create new USER from account.
>>>
>>> 2. there are no inbounds
>>> So midpoint cannot create user.
>>>
>>> 3. object template does not have any rule how to generate user/name
>>> attribute.
>>> Poor midpoint does not have anything to do.
>>>
>>> The question is, why are you running the task with no inbounds but
>>> #addUser reaction for unmatched...?
>>>
>>> Regards,
>>> Ivan
>>>
>>> On 03/14/2017 04:27 PM, Dilek Gider wrote:
>>>
>>> Hi All,
>>>
>>> I want to create users in AD from Midpoint. I have trusted resource in
>>> HR DB, I can take users to Midpoint. I want to send these users to AD. So,
>>> I have created new Resource, attached as attachment. I am working on it for
>>> two weeks, and couldn't succeed.
>>>
>>> Now, I can take all AD users to midpoint with correlation, but it gives
>>> error like below and no users created on AD. I only set outbound attributes
>>> in SchemaHandling.
>>>
>>> [image: Inline image 1]
>>>
>>> *SystemException: No name in new object null as produced by template
>>> null in iteration 0, we cannot process an object without a name*
>>>
>>>
>>> I'm afraid of if there is no synchronization from midpoint to AD?
>>>
>>> Thank you...
>>>
>>> Dilek.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>> Ivan Noris
>>> Senior Identity Engineer
>>> evolveum.com
>>>
>>
>>
>>
>> --
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com
>
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 96807 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170316/493c49b9/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ADResource_last.xml
Type: text/xml
Size: 345267 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170316/493c49b9/attachment.xml>
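
Added example, not part of the original thread and not the poster's ADResource_last.xml: a resource fragment showing the arrangement Ivan describes, with an outbound mapping writing sAMAccountName from the user's name, correlation on that same attribute, and no #addUser action for unmatched accounts. The ri:user object class, the kind/intent values and the #link reaction for unlinked accounts are assumptions; connectorRef, connector configuration and the remaining attributes are omitted.

```xml
<!-- Added example (assumptions: ri:user object class, kind/intent values,
     #link reaction). Fragment only: connectorRef and connector config omitted. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <objectClass>ri:user</objectClass>
            <!-- Outbound only: the midPoint user name becomes sAMAccountName. -->
            <attribute>
                <ref>ri:sAMAccountName</ref>
                <outbound>
                    <source><path>$user/name</path></source>
                </outbound>
            </attribute>
        </objectType>
    </schemaHandling>
    <synchronization>
        <objectSynchronization>
            <objectClass>ri:user</objectClass>
            <kind>account</kind>
            <intent>default</intent>
            <enabled>true</enabled>
            <!-- Correlate on the same attribute the outbound mapping writes. -->
            <correlation>
                <q:equal>
                    <q:path>c:name</q:path>
                    <expression>
                        <path>$account/attributes/ri:sAMAccountName</path>
                    </expression>
                </q:equal>
            </correlation>
            <reaction>
                <situation>unlinked</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
            <!-- unmatched: no #addUser action, so AD accounts never create midPoint users -->
            <reaction>
                <situation>unmatched</situation>
            </reaction>
        </objectSynchronization>
    </synchronization>
</resource>
```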