[midPoint] Create Users from Midpoint to AD

Dilek Gider dilek.gider at basistek.com
Fri Mar 17 13:38:11 CET 2017 

Thank you Ivan, I am trying them. I will inform you, it takes a bit long
time.

On Fri, Mar 17, 2017 at 2:22 PM, Ivan Noris <Ivan.Noris at evolveum.com> wrote:

> Hi,
>
> I don't know if AD accepts account without password. I doubt it. If you
> have password outbound mapping in the resource, the password from midPoint
> user is pushed to AD.
> But you can check from GUI for one user: edit some of your users and
> either:
>   a) Add projection - select your resource and save
>   b) Add a role (which you previously created for provisioning to AD) and
> save
>
> Something should happen. It should either work or an error should be
> displayed and logged. This should help you (us) to diagnose.
>
> Ivan
>
> ------------------------------
>
> *From: *"Dilek Gider" <dilek.gider at basistek.com>
> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
> *Sent: *Friday, March 17, 2017 9:13:35 AM
> *Subject: *Re: [midPoint] Create Users from Midpoint to AD
>
> Hi Ivan,
>
> At this moment, I dont send pasword to AD for now, I will add password
> after sync works. This is test system.
> All log files open in my screen.
>
> Let me ask a question, what should I do for this scnerio?
>
> 1- Read HR database and create organizations in midpoint  --> This is OK
> 2- Read HR database and create users in midpoint with organization
> assignment --> This is OK
> 3- Reconcile and send midpoint users to AD with their ou mapping with
> organization --> I have resource xml with outbound mappings but it doesn't
> work. What else I have to do?  I think I am missing something.  For this
> scenario, what should I do , could you guide me by giving some steps or is
> there any example?
>
>
> On Thu, Mar 16, 2017 at 8:47 PM, Ivan Noris <Ivan.Noris at evolveum.com>
> wrote:
>
>> Hi,
>> well, if there is NO error, that's strange.
>>
>> So what exactly are you doing? You have this resource, and you are adding
>> projection, or assigning account or you also have role and assigning the
>> role?
>>
>> The first thing which is strange is that you are using port 389, but
>> AFAIK AD will not allow you to set user's password using 389; for this you
>> must use LDAPS/port 636. But I can imagine AD will complain about this very
>> loudly in idm.log.
>>
>> So please check the log...
>>
>> Ivan
>>
>> ------------------------------
>>
>> *From: *"Dilek Gider" <dilek.gider at basistek.com>
>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>> *Sent: *Thursday, March 16, 2017 1:08:50 PM
>> *Subject: *Re: [midPoint] Create Users from Midpoint to AD
>>
>> Hi Ivan,
>>
>> No need to sorry, I have sent you resource sample as you understand on 14
>> March because I had changed my first AD resource xml by trying to create
>> users. Lots of changes I did on my resource xml. So, as a result I am
>> sending you my final resource xml. There is no error now, but it does not
>> create users from midpoint to AD.
>> Thank you very much for all of your support.
>> Dilek.
>>
>> On Wed, Mar 15, 2017 at 10:58 PM, Ivan Noris <Ivan.Noris at evolveum.com>
>> wrote:
>>
>>> Hi,
>>> sorry I was maybe referring to another resource sample but I was quite
>>> sure it was your example from 14. march. But as I'm currently doing onsite
>>> consultations I may have missed something. I try to answer e-mail after
>>> full-day of work :)
>>>
>>> Please send the resource as it is now, I or someone else will try to
>>> understand the problem. Also please paste the error message.
>>>
>>> Ivan
>>>
>>> ------------------------------
>>>
>>> *From: *"Dilek Gider" <dilek.gider at basistek.com>
>>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>>> *Sent: *Wednesday, March 15, 2017 1:59:30 PM
>>> *Subject: *Re: [midPoint] Create Users from Midpoint to AD
>>>
>>> Hi Ivan,
>>>
>>> Thank you for your answer. First of all, my correlation rule was based
>>> on $account/attributes/ri:sAMAccountName vs. c:name
>>> and there wasn't #addUser reaction. But I had errors and then I supposed
>>> that I am doing wrong, then I tried to change resource xml.
>>>
>>> Now I tried what you suggested, there is no error but nothing changed.
>>> AD users shadows' are created in midpoint, but no user created in AD.
>>> What should I do to create users on the target systems like AD, SAP etc?
>>>
>>>
>>>
>>> On Wed, Mar 15, 2017 at 2:23 PM, Ivan Noris <Ivan.Noris at evolveum.com>
>>> wrote:
>>>
>>>> Hello Dilek,
>>>> please see my answers in the text below:
>>>>
>>>> ------------------------------
>>>>
>>>> *From: *"Dilek Gider" <dilek.gider at basistek.com>
>>>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>>>> *Sent: *Wednesday, March 15, 2017 9:01:49 AM
>>>> *Subject: *Re: [midPoint] Create Users from Midpoint to AD
>>>>
>>>> Hi Ivan,
>>>>
>>>> I will reply all of your questions, but it is clear that I want to
>>>> create users from midpoint to AD.
>>>> I don't know how to do this, I only created users from HR db to
>>>> midpoint successfully, and then try to add new resource for AD.
>>>>
>>>> 1. I supposed that this reaction goes to AD and it will create user on
>>>> AD with #addUser
>>>>
>>>> Quite the opposite. The reactions in the synchronization part are
>>>> reactions what midPoint should do if there are new accounts created in the
>>>> AD. To detect locally created accounts for example.
>>>> AddUser action means, midPoint should take the AD account and create
>>>> new USER in midPoint.
>>>> This is completely opposite way of what you want. You want to create AD
>>>> account from midPoint user. For that you don't need the inbounds and you
>>>> don't need the addUser reaction.
>>>>
>>>> The quick fix would be to comment out the #addUser reaction.
>>>> But I believe your problem lies in the correlation rule. It is
>>>> completely incorrect. MidPoint creates a new account and tries to lookup
>>>> the user in midPoint by searching by name which is equal to icfs:uid. AD
>>>> LDAP connector does not even have such attribute. Your correlation rule
>>>> should be based on $account/attributes/ri:sAMAccountName vs. c:name,
>>>> because that's exactly how you create the account.
>>>>
>>>> So, you need to fix the correlation rule, because now it's incorrect.
>>>> And remove the #adduser reaction for unmatched.
>>>>
>>>>
>>>> 2. I didn't add inbounds becaus I don't want to create users in
>>>> midpoint with this connector. I have another connector scripttedsql and I'm
>>>> creating users with it.
>>>>
>>>> 3. Which object template?
>>>>
>>>>
>>>> I don't know your setup, but according to the error message I assumed
>>>> there was some default object template. But the problem (as far as I can
>>>> see) is in the synchronization part.
>>>>
>>>> Ivan
>>>>
>>>>
>>>> I am running task to create users from midpoint to AD by setting schema
>>>> handling outbounds.
>>>>
>>>> Thank you for your reply, I think I am confused too, and I don't know
>>>> how to do this sync.
>>>>
>>>> On Tue, Mar 14, 2017 at 9:10 PM, Ivan Noris <ivan.noris at evolveum.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>> I'm confused.
>>>>> You say you create users in AD from midpoint. For that you only need
>>>>> outbound mappings, which you seem to have.
>>>>> But the screenshot is from "ADSynchronization" task, which is clearly
>>>>> synchronization task. And the task is complaining, because:
>>>>>
>>>>> 1. you have this in the synchronization for accounts:
>>>>>          <reaction>
>>>>>             <situation>unmatched</situation>
>>>>>             <synchronize>true</synchronize>
>>>>>             <action>
>>>>>                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/
>>>>> model/action-3#addUser</handlerUri>
>>>>>             </action>
>>>>>          </reaction>
>>>>>
>>>>> So midpoint tries to create new USER from account.
>>>>>
>>>>> 2. there are no inbounds
>>>>> So midpoint cannot create user.
>>>>>
>>>>> 3. object template does not have any rule how to generate user/name
>>>>> attribute.
>>>>> Poor midpoint does not have anything to do.
>>>>>
>>>>> The question is, why are you running the task with no inbounds but
>>>>> #addUser reaction for unmatched...?
>>>>>
>>>>> Regards,
>>>>> Ivan
>>>>>
>>>>> On 03/14/2017 04:27 PM, Dilek Gider wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I want to create users in AD from Midpoint. I have trusted resource in
>>>>> HR DB, I can take users to Midpoint. I want to send these users to AD. So,
>>>>> I have created new Resource, attached as attachment. I am working on it for
>>>>> two weeks, and couldn't succeded.
>>>>>
>>>>> Now, I can take all AD users to midpoint with correlation, but it
>>>>> gives error like below and no users created on AD. I only set outbound
>>>>> attributes in SchemaHandling.
>>>>>
>>>>> [image: Inline image 1]
>>>>>
>>>>> *SystemException: No name in new object null as produced by template
>>>>> null in iteration 0, we cannot process an object without a name*
>>>>>
>>>>>
>>>>> I'm afraid of if there is no syncronization from midpoint to AD?
>>>>>
>>>>> Thank you...
>>>>>
>>>>> Dilek.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>> --
>>>>> Ivan Noris
>>>>> Senior Identity Engineerevolveum.com
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Ivan Noris
>>>> Senior Identity Engineer
>>>> evolveum.com
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
>>> --
>>> Ivan Noris
>>> Senior Identity Engineer
>>> evolveum.com
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>> --
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170317/cd15b019/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 96807 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170317/cd15b019/attachment.png>

More information about the midPoint mailing list