[midPoint] Sync only AD accounts which are members of one AD group
Brad Firestone
bhotrock at gmail.com
Tue May 16 14:12:32 CEST 2017
I'm replying to my own question since I finally figured it out. In case
this might help someone else.
The main thing was to use: basic.getAttributeValues (not Value) to work
with a multi-valued attribute. I added some other lines to handle
accounts that don't have a 'memberOf' attribute, and to also handle
those that don't have this particular 'memberOf' attribute. So this
completes without any null pointer exceptions.
<condition>
<script>
<code>
// memberOf is multi-valued, so use getAttributeValues (getAttributeValue
// throws "Attempt to get single value from multi-valued attribute").
mem = basic.getAttributeValues(shadow, "memberOf")
// Accounts that belong to no group at all have no memberOf attribute.
if (mem == null){
return false
}
else if (!mem.contains("CN=Test Group,OU=Distribution Groups,OU=Groups,DC=example,DC=com")){
return false
}
else if (mem.contains("CN=Test Group,OU=Distribution Groups,OU=Groups,DC=example,DC=com")){
return true
}
</code>
</script>
</condition>
Brad Firestone wrote:
> I changed the subject line since I THINK I've learned more about how
> to do this. I don't need to sync the actual "groups", but want to
> sync only the accounts that are members of a certain group. After
> lots of reading and searching, I realized that I probably need to do
> this using a condition script in the <synchronization> section.
>
> I have it working correctly if I'm looking for a single-valued
> attribute value using the following code:
>
> <condition>
> <script>
> <code>
> surname = basic.getAttributeValue(shadow, 'sn');
> return (surname == 'Testuser')
> </code>
> </script>
> </condition>
>
> The problem is trying to get this to work for all members of a
> Distribution Group. Many of the things I've tried to do give an error of:
> com.evolveum.midpoint.util.exception.ExpressionEvaluationException:
> com.evolveum.midpoint.util.exception.SchemaException: Attempt to get
> single value from multi-valued attribute
> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}memberOf
> (new) condition in object synchronization Account sync
>
> Does anyone have any ideas of how to sync only accounts that are
> members of a Distribution Group?
> Thanks!
>
> Brad Firestone wrote:
>> Hi All,
>>
>> I am setting up Active Directory as an authoritative source
>> resource. But I only want to sync in users who are members of a
>> certain Distribution Group:
>> CN=Primary Users,OU=Distribution Groups,OU=Groups,DC=example,DC=com
>>
>> I'm guessing that I can put this filter into the resource, probably
>> in the resultsHandlerConfiguration section, using the
>> enableFilteredResultsHandler. I found this page in the Wiki, but
>> it's still a work To Do:
>> https://wiki.evolveum.com/display/midPoint/ICF+Configuration+Tips+and+Tricks
>>
>> Does anyone have any examples of how I might filter my results to
>> just include users in this Distribution Group?
>>
>> Thanks!
>> Brad
>
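Editor's added example (not Brad's code and not from the midPoint project): the same synchronization condition, rewritten so that the group DN comparison is case- and whitespace-insensitive. LDAP DNs are not case-sensitive, and the memberOf values AD returns may not match the exact casing or spacing typed into the script, so a plain String contains() check can silently reject legitimate members. The group DN is the example DN from the thread; the names targetGroup and normDn are my own. Two caveats worth knowing before relying on this: memberOf in AD lists only direct memberships, so members of nested groups and the account's primary group (primaryGroupID) will not match; and the condition is evaluated inside midPoint after the connector has already fetched the account, so it limits what gets synchronized, not what is read from AD.

```xml
<condition>
    <script>
        <code>
            // Group whose direct members should be synchronized (DN taken from the thread).
            def targetGroup = "CN=Test Group,OU=Distribution Groups,OU=Groups,DC=example,DC=com"

            // Normalize a DN for comparison: lower-case it and drop whitespace around commas.
            // (helper name chosen for this example)
            def normDn = { dn -> dn.toString().toLowerCase().replaceAll(/\s*,\s*/, ',') }

            // memberOf is multi-valued, so use getAttributeValues; it is null when the
            // account belongs to no group at all.
            def mem = basic.getAttributeValues(shadow, "memberOf")
            if (mem == null) {
                return false
            }

            // Synchronize the account only if one of its (direct) groups is the target group.
            return mem.any { normDn(it) == normDn(targetGroup) }
        </code>
    </script>
</condition>
```

Because midPoint still reads every account from AD before this condition runs, a large domain with a small target group is better served by narrowing the connector's search on the resource side as well, and using this condition as the authoritative check.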