[midPoint] Create Users from Midpoint to AD

Ivan Noris Ivan.Noris at evolveum.com
Fri Mar 17 12:22:13 CET 2017


Hi,

I don't know if AD accepts an account without a password. I doubt it. If you have a password outbound mapping in the resource, the password from the midPoint user is pushed to AD.
But you can check from the GUI for one user: edit one of your users and either:
a) Add projection - select your resource and save
b) Add a role (which you previously created for provisioning to AD) and save

Something should happen. It should either work or an error should be displayed and logged. This should help you (us) to diagnose.

Ivan

----- Original Message -----

> From: "Dilek Gider" <dilek.gider at basistek.com>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Friday, March 17, 2017 9:13:35 AM
> Subject: Re: [midPoint] Create Users from Midpoint to AD
>
> Hi Ivan,
>
> At this moment, I don't send the password to AD for now, I will add the password after sync works. This is a test system.
> All log files are open on my screen.
>
> Let me ask a question, what should I do for this scenario?
>
> 1- Read HR database and create organizations in midpoint --> This is OK
> 2- Read HR database and create users in midpoint with organization assignment --> This is OK
> 3- Reconcile and send midpoint users to AD with their ou mapping with organization --> I have resource xml with outbound mappings but it doesn't work. What else do I have to do? I think I am missing something. For this scenario, what should I do, could you guide me by giving some steps or is there any example?
>
> On Thu, Mar 16, 2017 at 8:47 PM, Ivan Noris <Ivan.Noris at evolveum.com> wrote:
>
> > Hi,
> >
> > well, if there is NO error, that's strange.
> >
> > So what exactly are you doing? You have this resource, and you are adding projection, or assigning account or you also have role and assigning the role?
> >
> > The first thing which is strange is that you are using port 389, but AFAIK AD will not allow you to set user's password using 389; for this you must use LDAPS/port 636. But I can imagine AD will complain about this very loudly in idm.log.
> >
> > So please check the log...
> >
> > Ivan
> >
> > > From: "Dilek Gider" <dilek.gider at basistek.com>
> > > To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> > > Sent: Thursday, March 16, 2017 1:08:50 PM
> > > Subject: Re: [midPoint] Create Users from Midpoint to AD
> > >
> > > Hi Ivan,
> > >
> > > No need to be sorry, I have sent you the resource sample as you understand on 14 March because I had changed my first AD resource xml by trying to create users. I did lots of changes on my resource xml. So, as a result, I am sending you my final resource xml. There is no error now, but it does not create users from midpoint to AD.
> > >
> > > Thank you very much for all of your support.
> > >
> > > Dilek.
> > >
> > > On Wed, Mar 15, 2017 at 10:58 PM, Ivan Noris <Ivan.Noris at evolveum.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > sorry, I was maybe referring to another resource sample but I was quite sure it was your example from 14 March. But as I'm currently doing onsite consultations I may have missed something. I try to answer e-mail after a full day of work :)
> > > >
> > > > Please send the resource as it is now, I or someone else will try to understand the problem. Also please paste the error message.
> > > >
> > > > Ivan
> > > >
> > > > > From: "Dilek Gider" <dilek.gider at basistek.com>
> > > > > To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> > > > > Sent: Wednesday, March 15, 2017 1:59:30 PM
> > > > > Subject: Re: [midPoint] Create Users from Midpoint to AD
> > > > >
> > > > > Hi Ivan,
> > > > >
> > > > > Thank you for your answer. First of all, my correlation rule was based on $account/attributes/ri:sAMAccountName vs. c:name and there wasn't an #addUser reaction. But I had errors and then I supposed that I was doing it wrong, then I tried to change the resource xml.
> > > > >
> > > > > Now I tried what you suggested, there is no error but nothing changed. AD users' shadows are created in midpoint, but no user is created in AD.
> > > > >
> > > > > What should I do to create users on the target systems like AD, SAP etc?
> > > > >
> > > > > On Wed, Mar 15, 2017 at 2:23 PM, Ivan Noris <Ivan.Noris at evolveum.com> wrote:
> > > > >
> > > > > > Hello Dilek,
> > > > > >
> > > > > > please see my answers in the text below:
> > > > > >
> > > > > > > From: "Dilek Gider" <dilek.gider at basistek.com>
> > > > > > > To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> > > > > > > Sent: Wednesday, March 15, 2017 9:01:49 AM
> > > > > > > Subject: Re: [midPoint] Create Users from Midpoint to AD
> > > > > > >
> > > > > > > Hi Ivan,
> > > > > > >
> > > > > > > I will reply to all of your questions, but it is clear that I want to create users from midpoint to AD.
> > > > > > > I don't know how to do this, I only created users from HR db to midpoint successfully, and then tried to add a new resource for AD.
> > > > > > >
> > > > > > > 1. I supposed that this reaction goes to AD and it will create the user on AD with #addUser
> > > > > >
> > > > > > Quite the opposite. The reactions in the synchronization part are reactions what midPoint should do if there are new accounts created in the AD. To detect locally created accounts for example.
> > > > > >
> > > > > > AddUser action means, midPoint should take the AD account and create new USER in midPoint.
> > > > > >
> > > > > > This is completely the opposite way of what you want. You want to create AD account from midPoint user. For that you don't need the inbounds and you don't need the addUser reaction.
> > > > > >
> > > > > > The quick fix would be to comment out the #addUser reaction.
> > > > > >
> > > > > > But I believe your problem lies in the correlation rule. It is completely incorrect. MidPoint creates a new account and tries to look up the user in midPoint by searching by name which is equal to icfs:uid. AD LDAP connector does not even have such an attribute. Your correlation rule should be based on $account/attributes/ri:sAMAccountName vs. c:name, because that's exactly how you create the account.
> > > > > >
> > > > > > So, you need to fix the correlation rule, because now it's incorrect. And remove the #addUser reaction for unmatched.
> > > > > >
> > > > > > > 2. I didn't add inbounds because I don't want to create users in midpoint with this connector. I have another connector, scriptedsql, and I'm creating users with it.
> > > > > > >
> > > > > > > 3. Which object template?
> > > > > >
> > > > > > I don't know your setup, but according to the error message I assumed there was some default object template. But the problem (as far as I can see) is in the synchronization part.
> > > > > >
> > > > > > Ivan
> > > > > >
> > > > > > > I am running a task to create users from midpoint to AD by setting schema handling outbounds.
> > > > > > >
> > > > > > > Thank you for your reply, I think I am confused too, and I don't know how to do this sync.
> > > > > > >
> > > > > > > On Tue, Mar 14, 2017 at 9:10 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
> > > > > > >
> > > > > > > > Hi, I'm confused.
> > > > > > > >
> > > > > > > > You say you create users in AD from midpoint. For that you only need outbound mappings, which you seem to have.
> > > > > > > >
> > > > > > > > But the screenshot is from "ADSynchronization" task, which is clearly a synchronization task. And the task is complaining, because:
> > > > > > > >
> > > > > > > > 1. you have this in the synchronization for accounts:
> > > > > > > >
> > > > > > > > <reaction>
> > > > > > > >   <situation>unmatched</situation>
> > > > > > > >   <synchronize>true</synchronize>
> > > > > > > >   <action>
> > > > > > > >     <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
> > > > > > > >   </action>
> > > > > > > > </reaction>
> > > > > > > >
> > > > > > > > So midpoint tries to create a new USER from the account.
> > > > > > > >
> > > > > > > > 2. there are no inbounds
> > > > > > > >
> > > > > > > > So midpoint cannot create the user.
> > > > > > > >
> > > > > > > > 3. object template does not have any rule how to generate the user/name attribute.
> > > > > > > >
> > > > > > > > Poor midpoint does not have anything to do.
> > > > > > > >
> > > > > > > > The question is, why are you running the task with no inbounds but #addUser reaction for unmatched...?
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Ivan
> > > > > > > >
> > > > > > > > On 03/14/2017 04:27 PM, Dilek Gider wrote:
> > > > > > > >
> > > > > > > > > Hi All,
> > > > > > > > >
> > > > > > > > > I want to create users in AD from Midpoint. I have a trusted resource in HR DB, I can take users to Midpoint. I want to send these users to AD. So, I have created a new Resource, attached as attachment. I have been working on it for two weeks, and couldn't succeed.
> > > > > > > > >
> > > > > > > > > Now, I can take all AD users to midpoint with correlation, but it gives an error like below and no users are created on AD. I only set outbound attributes in SchemaHandling.
> > > > > > > > >
> > > > > > > > > SystemException: No name in new object null as produced by template null in iteration 0, we cannot process an object without a name
> > > > > > > > >
> > > > > > > > > I'm afraid there is no synchronization from midpoint to AD?
> > > > > > > > >
> > > > > > > > > Thank you...
> > > > > > > > >
> > > > > > > > > Dilek.
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > midPoint mailing list midPoint at lists.evolveum.com
> > > > > > > > > http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris 
Senior Identity Engineer 
evolveum.com 
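The resource fragment below is an added example written for this archive page; it is not Dilek's resource, not Evolveum's sample code, and not something posted in the thread. It puts the points raised above into one place: outbound mappings only (midPoint user to AD account), a password outbound mapping, a correlation rule on ri:sAMAccountName against c:name, and the unmatched reaction with the #addUser handler commented out because there are no inbound mappings to build a user from. Everything not quoted in the thread is assumed: the resource name, the ri:user object class and ri:dn attribute name of the AD connector, the ou=people,dc=example,dc=com container, and the omitted connectorRef/connectorConfiguration block.

```xml
<!-- Added example, not from the thread or from Evolveum. midPoint 3.x resource fragment.
     Assumed: prefixes c/q/ri as declared below, AD connector object class ri:user,
     DN attribute ri:dn, placeholder container ou=people,dc=example,dc=com.
     connectorRef and connectorConfiguration are omitted; the password outbound mapping
     only works when that configuration uses LDAPS on port 636, as noted in the thread. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Example AD resource (assumed name)</name>

    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <displayName>AD account</displayName>
            <default>true</default>
            <objectClass>ri:user</objectClass>

            <!-- Outbound only: the midPoint user drives the AD account.
                 No inbound mappings, so no #addUser reaction is needed. -->
            <attribute>
                <ref>ri:dn</ref>
                <outbound>
                    <source><path>$user/name</path></source>
                    <expression>
                        <script>
                            <!-- placeholder container; Groovy, 'name' is the source above -->
                            <code>'cn=' + name + ',ou=people,dc=example,dc=com'</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <!-- sAMAccountName is set from the user name; correlation below matches on the same pair -->
                <ref>ri:sAMAccountName</ref>
                <outbound>
                    <source><path>$user/name</path></source>
                </outbound>
            </attribute>

            <!-- Password outbound: the user's password is pushed to AD as is (needs LDAPS/636). -->
            <credentials>
                <password>
                    <outbound>
                        <expression><asIs/></expression>
                    </outbound>
                </password>
            </credentials>
        </objectType>
    </schemaHandling>

    <synchronization>
        <objectSynchronization>
            <kind>account</kind>
            <intent>default</intent>
            <enabled>true</enabled>

            <!-- Correlation on AD sAMAccountName versus midPoint user name (c:name),
                 not on icfs:uid, which this connector does not expose. -->
            <correlation>
                <q:equal>
                    <q:path>c:name</q:path>
                    <expression>
                        <path>$account/attributes/ri:sAMAccountName</path>
                    </expression>
                </q:equal>
            </correlation>

            <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
            </reaction>
            <reaction>
                <!-- account matched a user by correlation but is not yet linked: link it -->
                <situation>unlinked</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unmatched</situation>
                <synchronize>true</synchronize>
                <!-- #addUser intentionally commented out: this resource is a target, not a
                     source of users, and without inbounds midPoint has no name to build one.
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
                </action>
                -->
            </reaction>
        </objectSynchronization>
    </synchronization>
</resource>
```

With this shape, an AD account that has no matching midPoint user is left alone by the synchronization task (it gets a shadow but no user), while assigning the resource or an AD role to a midPoint user creates the account through the outbound mappings. The one thing to verify before expecting passwords to land in AD is the transport: keep the password mapping but check idm.log for AD refusing the password set over plain port 389.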