[midPoint] Bulk import from midpoint to AD

Ivan Noris ivan.noris at evolveum.com
Thu May 11 09:51:46 CEST 2017 

Hi,

I have not previously used/needed plain resource account assignment. I
always used role assignment.

And be careful with the condition. Administrator user is a common user
and reconciling/recomputing would create the account in AD as well. I'd
recommend to use condition based on e.g. employeeType, employeeNumber or
something similar.

Regards,

Ivan


On 05/11/2017 09:17 AM, Dilek Gider wrote:
> Hi Ivan,
>
> Thank you very much for your detailed answer. 
> I had a user template, i have added and tried many things on template,
> <assignmenttargetsearch>", "<accountconstruction>", "<inducement>",
> "<construction><kind><account>"...... But none of them worked. 
>
> Now I will try what you suggested step by step, i will inform you,
> thank you again.
>
> user template:
>
> <mapping>
>       <description>AD Resource Create</description>
>       <strength>strong</strength>
>       <source>
>          <c:path>name</c:path>
>       </source>
>       <expression>
>          <value>
>             <construction>
>                <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2"
> type="c:ResourceType"/>
>             </construction>
>          </value>
>       </expression>
>       <target>
>          <c:path>assignment</c:path>
>       </target>
>       <condition>
>          <script>
>             <code>name != null</code>
>          </script>
>       </condition>
>    </mapping>
>
> On Wed, May 10, 2017 at 5:23 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Dilek,
>
>     not sure if I understand, so I try to explain what I think you want.
>
>     If you want to get your midPoint users to AD, the term "bulk
>     import" does not quite correspond to it. To me it seems you want
>     to provision your midpoint users to AD.
>
>     LiveSync and Reconciliation evaluate situations/changes in
>     resource and are able to import the accounts to midPoint and link
>     or create users.
>
>     To provision users to AD resource, you need:
>
>     1) outbound mappings in your resource. That is probably OK, as you
>     can manually add AD account to (specific) users
>
>     2) role with construction to AD resource
>
>     3) default object template which will assign role from 2) to (all
>     or specific) users in midPoint
>
>     Example of such template is:
>     https://github.com/Evolveum/midpoint/blob/v3.5.1/samples/objects/object-template-user.xml
>     <https://github.com/Evolveum/midpoint/blob/v3.5.1/samples/objects/object-template-user.xml>
>
>     See the mapping named "basic role". The "oid" referenced in
>     assignmentTargetSearch is the oid of your role (with construction
>     for AD account). In real life, there should be a condition so that
>     the role is not assigned to all users, but e.g. to employees only.
>
>     The template must be configured as default in Configuration -
>     System for UserType objects.
>
>     After that, you only need to edit any existing user and check
>     "Reconcile" checkbox and save. The account will be created
>     according to the role and AD schema handling mappings.
>
>     To populate all users, you would need to run Recompute task. That
>     would do exactly the same as "Reconcile" checkbox for all users.
>
>     Regards,
>
>     Ivan
>
>
>     On 05/10/2017 11:52 AM, Dilek Gider wrote:
>>     Hi All,
>>
>>     I have a resource with ADLDAPConnector. I want to add  all of
>>     midpoint users to AD.
>>     I have a resource xml, it works by manually adding user to AD
>>     account. But when I run recon job task or live synch task, it
>>     only evaluates AD users, doesn't evaluate midpoint users. Is
>>     there any other method to create midpoint users in any resource?
>>
>>     Thank you very much.
>>
>>     Dilek
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>     <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
>     -- 
>     Ivan Noris
>     Senior Identity Engineer
>     evolveum.com <http://evolveum.com>
>
>     _______________________________________________ midPoint mailing
>     list midPoint at lists.evolveum.com
>     <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>     <http://lists.evolveum.com/mailman/listinfo/midpoint> 
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170511/d5e2bbd5/attachment.htm>

More information about the midPoint mailing list