[midPoint] Create Users from Midpoint to AD

Ivan Noris Ivan.Noris at evolveum.com
Thu Mar 16 18:47:47 CET 2017


Hi, 
well, if there is NO error, that's strange. 

So what exactly are you doing? You have this resource, and you are adding a projection, or assigning an account, or do you also have a role and are assigning the role? 

The first thing which is strange is that you are using port 389, but AFAIK AD will not allow you to set a user's password using 389; for this you must use LDAPS/port 636. But I can imagine AD will complain about this very loudly in idm.log. 

So please check the log... 

Ivan 

----- Original Message -----

> From: "Dilek Gider" <dilek.gider at basistek.com>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Thursday, March 16, 2017 1:08:50 PM
> Subject: Re: [midPoint] Create Users from Midpoint to AD
>
> Hi Ivan,
>
> No need to say sorry. As you understood, I sent you the resource sample on 14
> March because I had changed my first AD resource XML while trying to create
> users. I made lots of changes to my resource XML, so as a result I am
> sending you my final resource XML. There is no error now, but it does not
> create users from midPoint to AD.
> Thank you very much for all of your support.
> Dilek.

> On Wed, Mar 15, 2017 at 10:58 PM, Ivan Noris < Ivan.Noris at evolveum.com >
> wrote:
>
> > Hi,
> >
> > sorry, I was maybe referring to another resource sample, but I was quite sure
> > it was your example from 14 March. But as I'm currently doing onsite
> > consultations I may have missed something. I try to answer e-mail after a
> > full day of work :)
> >
> > Please send the resource as it is now; I or someone else will try to
> > understand the problem. Also please paste the error message.
> >
> > Ivan

> > > From: "Dilek Gider" < dilek.gider at basistek.com >
> > > To: "midPoint General Discussion" < midpoint at lists.evolveum.com >
> > > Sent: Wednesday, March 15, 2017 1:59:30 PM
> > > Subject: Re: [midPoint] Create Users from Midpoint to AD
> > >
> > > Hi Ivan,
> > >
> > > Thank you for your answer. First of all, my correlation rule was based on
> > > $account/attributes/ri:sAMAccountName vs. c:name
> > > and there wasn't an #addUser reaction. But I had errors and then I supposed
> > > that I was doing something wrong, so I tried to change the resource XML.
> > >
> > > Now I tried what you suggested; there is no error but nothing changed. AD
> > > users' shadows are created in midPoint, but no user is created in AD.
> > > What should I do to create users on the target systems like AD, SAP etc.?

> > > On Wed, Mar 15, 2017 at 2:23 PM, Ivan Noris < Ivan.Noris at evolveum.com >
> > > wrote:
> > >
> > > > Hello Dilek,
> > > >
> > > > please see my answers in the text below:

> > > > > From: "Dilek Gider" < dilek.gider at basistek.com >
> > > > > To: "midPoint General Discussion" < midpoint at lists.evolveum.com >
> > > > > Sent: Wednesday, March 15, 2017 9:01:49 AM
> > > > > Subject: Re: [midPoint] Create Users from Midpoint to AD
> > > > >
> > > > > Hi Ivan,
> > > > >
> > > > > I will reply to all of your questions, but it is clear that I want to
> > > > > create users from midPoint to AD.
> > > > > I don't know how to do this; I only created users from the HR DB in
> > > > > midPoint successfully, and then tried to add a new resource for AD.
> > > > >
> > > > > 1. I supposed that this reaction goes to AD and it will create the user
> > > > > in AD with #addUser

> > > > Quite the opposite. The reactions in the synchronization part are
> > > > reactions describing what midPoint should do if there are new accounts
> > > > created in the AD, to detect locally created accounts, for example.
> > > >
> > > > The addUser action means midPoint should take the AD account and create a
> > > > new USER in midPoint.
> > > >
> > > > This is the complete opposite of what you want. You want to create an AD
> > > > account from a midPoint user. For that you don't need the inbounds and
> > > > you don't need the addUser reaction.
> > > >
> > > > The quick fix would be to comment out the #addUser reaction.
> > > >
> > > > But I believe your problem lies in the correlation rule. It is completely
> > > > incorrect. MidPoint creates a new account and tries to look up the user in
> > > > midPoint by searching by name which is equal to icfs:uid. The AD LDAP
> > > > connector does not even have such an attribute. Your correlation rule
> > > > should be based on $account/attributes/ri:sAMAccountName vs. c:name,
> > > > because that's exactly how you create the account.
> > > >
> > > > So, you need to fix the correlation rule, because now it's incorrect. And
> > > > remove the #addUser reaction for unmatched.

> > > > > 2. I didn't add inbounds because I don't want to create users in
> > > > > midPoint with this connector. I have another connector, scriptedsql,
> > > > > and I'm creating users with it.
> > > > >
> > > > > 3. Which object template?

> > > > I don't know your setup, but according to the error message I assumed
> > > > there was some default object template. But the problem (as far as I can
> > > > see) is in the synchronization part.
> > > >
> > > > Ivan

> > > > > I am running a task to create users from midPoint to AD by setting
> > > > > schema handling outbounds.
> > > > >
> > > > > Thank you for your reply. I think I am confused too, and I don't know
> > > > > how to do this sync.
> > > > >
> > > > > On Tue, Mar 14, 2017 at 9:10 PM, Ivan Noris < ivan.noris at evolveum.com >
> > > > > wrote:

> > > > > > Hi, I'm confused.
> > > > > >
> > > > > > You say you create users in AD from midPoint. For that you only need
> > > > > > outbound mappings, which you seem to have.
> > > > > >
> > > > > > But the screenshot is from the "ADSynchronization" task, which is
> > > > > > clearly a synchronization task. And the task is complaining, because:
> > > > > >
> > > > > > 1. you have this in the synchronization for accounts:
> > > > > >
> > > > > > <reaction>
> > > > > >     <situation>unmatched</situation>
> > > > > >     <synchronize>true</synchronize>
> > > > > >     <action>
> > > > > >         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
> > > > > >     </action>
> > > > > > </reaction>
> > > > > >
> > > > > > So midPoint tries to create a new USER from the account.
> > > > > >
> > > > > > 2. there are no inbounds
> > > > > >
> > > > > > So midPoint cannot create the user.
> > > > > >
> > > > > > 3. the object template does not have any rule for how to generate the
> > > > > > user/name attribute.
> > > > > >
> > > > > > Poor midPoint does not have anything to do.
> > > > > >
> > > > > > The question is, why are you running the task with no inbounds but an
> > > > > > #addUser reaction for unmatched...?
> > > > > >
> > > > > > Regards,
> > > > > > Ivan

> > > > > > On 03/14/2017 04:27 PM, Dilek Gider wrote:
> > > > > >
> > > > > > > Hi All,
> > > > > > >
> > > > > > > I want to create users in AD from midPoint. I have a trusted resource
> > > > > > > in the HR DB; I can take users into midPoint. I want to send these
> > > > > > > users to AD. So, I have created a new Resource, attached as an
> > > > > > > attachment. I have been working on it for two weeks and couldn't
> > > > > > > succeed.
> > > > > > >
> > > > > > > Now, I can take all AD users into midPoint with correlation, but it
> > > > > > > gives an error like the one below and no users are created in AD. I
> > > > > > > only set outbound attributes in SchemaHandling.
> > > > > > >
> > > > > > > SystemException: No name in new object null as produced by template
> > > > > > > null in iteration 0, we cannot process an object without a name
> > > > > > >
> > > > > > > I'm afraid there is no synchronization from midPoint to AD?
> > > > > > >
> > > > > > > Thank you...
> > > > > > >
> > > > > > > Dilek.
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > midPoint mailing list midPoint at lists.evolveum.com
> > > > > > > http://lists.evolveum.com/mailman/listinfo/midpoint

> > > > > > --
> > > > > > Ivan Noris
> > > > > > Senior Identity Engineer evolveum.com



> > > > --
> > > > Ivan Noris
> > > > Senior Identity Engineer
> > > > evolveum.com



> > --
> > Ivan Noris
> > Senior Identity Engineer
> > evolveum.com



-- 
Ivan Noris 
Senior Identity Engineer 
evolveum.com 
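As an added example (not from this thread and not an Evolveum sample), here is the shape of an outbound-only AD resource that follows Ivan's points above: the correlation rule compares $account/attributes/ri:sAMAccountName with c:name, there is no #addUser reaction for the unmatched situation, the connector talks LDAPS on port 636 so that password writes can succeed, and a role carrying a construction for the resource is what actually makes midPoint create the account once it is assigned to a user. Host name, DNs, OIDs and the bind credential are invented placeholders; the icfcldap configuration property names are taken from the Evolveum LDAP connector as I remember them and should be checked against the connector's generated schema in your midPoint version. It is a midPoint 3.x configuration fragment written for this page.

```xml
<!-- Added example, not from the thread: an outbound-only AD resource plus the
     role that requests the account. Host, OIDs, DNs and the bind credential
     are made up; verify the icfcldap property names against your connector. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
         xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
         xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector">
  <resource oid="a0000000-0000-0000-0000-00000000ad01">
    <name>Example AD</name>
    <connectorRef type="ConnectorType">
      <filter>
        <q:equal>
          <q:path>c:connectorType</q:path>
          <q:value>com.evolveum.polygon.connector.ldap.ad.AdLdapConnector</q:value>
        </q:equal>
      </filter>
    </connectorRef>
    <connectorConfiguration>
      <icfc:configurationProperties>
        <icfcldap:host>dc1.example.com</icfcldap:host>
        <!-- LDAPS on 636: AD rejects unicodePwd writes over a plain 389 session -->
        <icfcldap:port>636</icfcldap:port>
        <icfcldap:connectionSecurity>ssl</icfcldap:connectionSecurity>
        <icfcldap:bindDn>CN=midpoint-svc,OU=Service,DC=example,DC=com</icfcldap:bindDn>
        <icfcldap:bindPassword><t:clearValue>change-me</t:clearValue></icfcldap:bindPassword>
        <icfcldap:baseContext>DC=example,DC=com</icfcldap:baseContext>
      </icfc:configurationProperties>
    </connectorConfiguration>
    <schemaHandling>
      <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <objectClass>ri:user</objectClass>
        <!-- outbound only: midPoint user -> AD account; no inbound mappings -->
        <attribute>
          <ref>ri:dn</ref>
          <outbound>
            <source><path>$user/name</path></source>
            <expression>
              <script><code>'CN=' + name + ',OU=People,DC=example,DC=com'</code></script>
            </expression>
          </outbound>
        </attribute>
        <attribute>
          <ref>ri:sAMAccountName</ref>
          <outbound><source><path>$user/name</path></source></outbound>
        </attribute>
        <credentials>
          <password><outbound><expression><asIs/></expression></outbound></password>
        </credentials>
      </objectType>
    </schemaHandling>
    <synchronization>
      <objectSynchronization>
        <objectClass>ri:user</objectClass>
        <kind>account</kind>
        <intent>default</intent>
        <enabled>true</enabled>
        <!-- correlate on the attribute the outbound writes: sAMAccountName vs user name -->
        <correlation>
          <q:equal>
            <q:path>c:name</q:path>
            <expression><path>$account/attributes/ri:sAMAccountName</path></expression>
          </q:equal>
        </correlation>
        <reaction>
          <situation>linked</situation>
          <synchronize>true</synchronize>
        </reaction>
        <reaction>
          <situation>unlinked</situation>
          <synchronize>true</synchronize>
          <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri></action>
        </reaction>
        <!-- no reaction for "unmatched": AD is not authoritative here, so no #addUser -->
      </objectSynchronization>
    </synchronization>
  </resource>
  <!-- Nothing is provisioned until a user holds a construction for the
       resource; assigning this role to a user creates the AD account. -->
  <role oid="a0000000-0000-0000-0000-00000000ad02">
    <name>AD account</name>
    <inducement>
      <construction>
        <resourceRef oid="a0000000-0000-0000-0000-00000000ad01" type="ResourceType"/>
        <kind>account</kind>
        <intent>default</intent>
      </construction>
    </inducement>
  </role>
</objects>
```

Import both objects together, then assign the "AD account" role to a user: midPoint provisions the account as part of that assignment, so no synchronization task is needed for the midPoint-to-AD direction. The synchronization section only matters when a live sync or reconciliation task runs against AD, and with the unmatched situation left without an action, a pre-existing AD account that matches nobody is only reported, not turned into a midPoint user. If the account still does not appear, idm.log is where the LDAP error returned through the connector will show up.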