[midPoint] Create Users from Midpoint to AD

Dilek Gider dilek.gider at basistek.com
Fri Mar 17 08:13:35 CET 2017


Hi Ivan,

At this moment, I don't send password to AD for now, I will add password
after sync works. This is test system.
All log files open in my screen.

Let me ask a question, what should I do for this scenario?

1- Read HR database and create organizations in midpoint  --> This is OK
2- Read HR database and create users in midpoint with organization
assignment --> This is OK
3- Reconcile and send midpoint users to AD with their OU mapping with
organization --> I have resource xml with outbound mappings but it doesn't
work. What else I have to do? I think I am missing something. For this
scenario, what should I do, could you guide me by giving some steps or is
there any example?


On Thu, Mar 16, 2017 at 8:47 PM, Ivan Noris <Ivan.Noris at evolveum.com> wrote:

> Hi,
> well, if there is NO error, that's strange.
>
> So what exactly are you doing? You have this resource, and you are adding
> projection, or assigning account or you also have role and assigning the
> role?
>
> The first thing which is strange is that you are using port 389, but AFAIK
> AD will not allow you to set user's password using 389; for this you must
> use LDAPS/port 636. But I can imagine AD will complain about this very
> loudly in idm.log.
>
> So please check the log...
>
> Ivan
>
> ------------------------------
>
> *From: *"Dilek Gider" <dilek.gider at basistek.com>
> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
> *Sent: *Thursday, March 16, 2017 1:08:50 PM
> *Subject: *Re: [midPoint] Create Users from Midpoint to AD
>
> Hi Ivan,
>
> No need to sorry, I have sent you resource sample as you understand on 14
> March because I had changed my first AD resource xml by trying to create
> users. Lots of changes I did on my resource xml. So, as a result I am
> sending you my final resource xml. There is no error now, but it does not
> create users from midpoint to AD.
> Thank you very much for all of your support.
> Dilek.
>
> On Wed, Mar 15, 2017 at 10:58 PM, Ivan Noris <Ivan.Noris at evolveum.com>
> wrote:
>
>> Hi,
>> sorry I was maybe referring to another resource sample but I was quite
>> sure it was your example from 14 March. But as I'm currently doing onsite
>> consultations I may have missed something. I try to answer e-mail after
>> a full day of work :)
>>
>> Please send the resource as it is now, I or someone else will try to
>> understand the problem. Also please paste the error message.
>>
>> Ivan
>>
>> ------------------------------
>>
>> *From: *"Dilek Gider" <dilek.gider at basistek.com>
>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>> *Sent: *Wednesday, March 15, 2017 1:59:30 PM
>> *Subject: *Re: [midPoint] Create Users from Midpoint to AD
>>
>> Hi Ivan,
>>
>> Thank you for your answer. First of all, my correlation rule was based on
>> $account/attributes/ri:sAMAccountName vs. c:name
>> and there wasn't #addUser reaction. But I had errors and then I supposed
>> that I am doing wrong, then I tried to change resource xml.
>>
>> Now I tried what you suggested, there is no error but nothing changed. AD
>> users shadows' are created in midpoint, but no user created in AD.
>> What should I do to create users on the target systems like AD, SAP etc?
>>
>>
>>
>> On Wed, Mar 15, 2017 at 2:23 PM, Ivan Noris <Ivan.Noris at evolveum.com>
>> wrote:
>>
>>> Hello Dilek,
>>> please see my answers in the text below:
>>>
>>> ------------------------------
>>>
>>> *From: *"Dilek Gider" <dilek.gider at basistek.com>
>>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>>> *Sent: *Wednesday, March 15, 2017 9:01:49 AM
>>> *Subject: *Re: [midPoint] Create Users from Midpoint to AD
>>>
>>> Hi Ivan,
>>>
>>> I will reply all of your questions, but it is clear that I want to
>>> create users from midpoint to AD.
>>> I don't know how to do this, I only created users from HR db to midpoint
>>> successfully, and then try to add new resource for AD.
>>>
>>> 1. I supposed that this reaction goes to AD and it will create user on
>>> AD with #addUser
>>>
>>> Quite the opposite. The reactions in the synchronization part describe
>>> what midPoint should do if there are new accounts created in the AD, to
>>> detect locally created accounts for example.
>>> The addUser action means midPoint should take the AD account and create a new
>>> USER in midPoint.
>>> This is the completely opposite way of what you want. You want to create an AD
>>> account from a midPoint user. For that you don't need the inbounds and you
>>> don't need the addUser reaction.
>>>
>>> The quick fix would be to comment out the #addUser reaction.
>>> But I believe your problem lies in the correlation rule. It is
>>> completely incorrect. MidPoint creates a new account and tries to lookup
>>> the user in midPoint by searching by name which is equal to icfs:uid. AD
>>> LDAP connector does not even have such attribute. Your correlation rule
>>> should be based on $account/attributes/ri:sAMAccountName vs. c:name,
>>> because that's exactly how you create the account.
>>>
>>> So, you need to fix the correlation rule, because now it's incorrect.
>>> And remove the #addUser reaction for unmatched.
>>>
>>>
>>> 2. I didn't add inbounds because I don't want to create users in midpoint
>>> with this connector. I have another connector, ScriptedSQL, and I'm creating
>>> users with it.
>>>
>>> 3. Which object template?
>>>
>>>
>>> I don't know your setup, but according to the error message I assumed
>>> there was some default object template. But the problem (as far as I can
>>> see) is in the synchronization part.
>>>
>>> Ivan
>>>
>>>
>>> I am running task to create users from midpoint to AD by setting schema
>>> handling outbounds.
>>>
>>> Thank you for your reply, I think I am confused too, and I don't know
>>> how to do this sync.
>>>
>>> On Tue, Mar 14, 2017 at 9:10 PM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>> Hi,
>>>> I'm confused.
>>>> You say you create users in AD from midpoint. For that you only need
>>>> outbound mappings, which you seem to have.
>>>> But the screenshot is from "ADSynchronization" task, which is clearly
>>>> synchronization task. And the task is complaining, because:
>>>>
>>>> 1. you have this in the synchronization for accounts:
>>>>          <reaction>
>>>>             <situation>unmatched</situation>
>>>>             <synchronize>true</synchronize>
>>>>             <action>
>>>>                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
>>>>             </action>
>>>>          </reaction>
>>>>
>>>> So midpoint tries to create new USER from account.
>>>>
>>>> 2. there are no inbounds
>>>> So midpoint cannot create user.
>>>>
>>>> 3. object template does not have any rule how to generate user/name
>>>> attribute.
>>>> Poor midpoint does not have anything to do.
>>>>
>>>> The question is, why are you running the task with no inbounds but
>>>> #addUser reaction for unmatched...?
>>>>
>>>> Regards,
>>>> Ivan
>>>>
>>>> On 03/14/2017 04:27 PM, Dilek Gider wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I want to create users in AD from Midpoint. I have trusted resource in
>>>> HR DB, I can take users to Midpoint. I want to send these users to AD. So,
>>>> I have created new Resource, attached as attachment. I am working on it for
>>>> two weeks, and couldn't succeed.
>>>>
>>>> Now, I can take all AD users to midpoint with correlation, but it gives
>>>> error like below and no users created on AD. I only set outbound attributes
>>>> in SchemaHandling.
>>>>
>>>> [image: Inline image 1]
>>>>
>>>> *SystemException: No name in new object null as produced by template
>>>> null in iteration 0, we cannot process an object without a name*
>>>>
>>>>
>>>> I'm afraid of if there is no synchronization from midpoint to AD?
>>>>
>>>> Thank you...
>>>>
>>>> Dilek.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>> --
>>>> Ivan Noris
>>>> Senior Identity Engineer
>>>> evolveum.com
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
>
>