[midPoint] Active Directory quirks
Andrew Morgan
morgan at oregonstate.edu
Wed Aug 15 00:02:12 CEST 2018
I ran into a few Active Directory quirks when setting up the
AdLdapConnector (v1.6). I think the wiki documentation could be improved.
First, I tried to map an attribute named "legacyExchangeDN", but midPoint
gave me an error because it isn't in the "user" objectclass:
com.evolveum.midpoint.util.exception.SchemaException: Definition of attribute legacyExchangeDN not found in object class {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}user as defined in definition of resource:724ba798-90cd-4c5a-bdf7-2ea7f1f6de3b(midPoint AD DEV)
This attribute is allowed on user objects by Active Directory due to the
weird way AD adds auxiliary objectclasses. The wiki page
(https://wiki.evolveum.com/display/midPoint/Active+Directory+with+LDAP+connector)
mentions this under "Active Directory LDAP Strangeness":
"The objects can easily have attributes that are not defined in any object
classes that they have. E.g. a normal user (the user object class) may
have attribute info. If such extra attributes are used in your AD instance
then the best way is to define them explicitly in Resource Schema
Handling."
I couldn't find any mention of how to define them on the Resource Schema
Handling wiki page. However, I found the workaround in MID-3379
(https://jira.evolveum.com/browse/MID-3379), which says to define it as an
operational attribute in the connector configuration. This works:
<icfcldap:operationalAttributes>legacyExchangeDN</icfcldap:operationalAttributes>
It would be nice if the note under "Active Directory LDAP Strangeness"
explicitly said this.
Second, I wanted direct control over the userAccountControl attribute so
that I can create an AD account that is initially disabled, even though
the midPoint user is enabled. I couldn't figure out how to do this using
administrativeStatus. I was getting a strange error message like "unable
to map integer to boolean" when I was adding an outbound mapping for
userAccountControl. I eventually discovered this connector configuration
to disable the special handling of userAccountControl:
<icfcldap:rawUserAccountControlAttribute>true</icfcldap:rawUserAccountControlAttribute>
It would be great if there was documentation (wiki?) for all the possible
settings on the connectors. I found this setting by searching the mailing
list and reading the source code of the connector.
Thanks,
Andy Morgan
Systems Administrator, Identity & Access Management
Information Services | Oregon State University
541-737-8877 | is.oregonstate.edu
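Editor's note: the fragment below is an added illustration, not code from the original post or from the midPoint project, showing where the two connector properties named in the message sit inside a midPoint resource definition and what the schema handling can then look like. The OID, host, bind DN, base context, user name and the constant 514 (NORMAL_ACCOUNT 0x0200 combined with ACCOUNTDISABLE 0x0002, the conventional value for a disabled normal account) are assumptions chosen for the example; check the icfcldap namespace URI against the connector bundle actually deployed, since it embeds the connector's class name.

```xml
<!-- Added example: an AD resource using the AdLdapConnector settings from the post.
     OID, host, credentials, base context and the value 514 are placeholders. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
          xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          oid="00000000-0000-0000-0000-000000000ad1">
    <name>midPoint AD DEV</name>

    <connectorRef type="ConnectorType">
        <filter>
            <q:equal>
                <q:path>connectorType</q:path>
                <q:value>com.evolveum.polygon.connector.ldap.ad.AdLdapConnector</q:value>
            </q:equal>
        </filter>
    </connectorRef>

    <connectorConfiguration>
        <icfc:configurationProperties>
            <!-- Assumed connection details; LDAPS so the bind password and
                 userAccountControl changes do not travel in clear text. -->
            <icfcldap:host>dc1.ad.example.edu</icfcldap:host>
            <icfcldap:port>636</icfcldap:port>
            <icfcldap:connectionSecurity>ssl</icfcldap:connectionSecurity>
            <icfcldap:bindDn>CN=midpoint,OU=Service Accounts,DC=ad,DC=example,DC=edu</icfcldap:bindDn>
            <icfcldap:bindPassword><clearValue>change-me</clearValue></icfcldap:bindPassword>
            <icfcldap:baseContext>DC=ad,DC=example,DC=edu</icfcldap:baseContext>

            <!-- Quirk 1 from the post: legacyExchangeDN is not in the "user"
                 object class in the AD schema as the connector reads it, so it is
                 declared as an operational attribute to make it mappable.
                 Repeat the element once per extra attribute. -->
            <icfcldap:operationalAttributes>legacyExchangeDN</icfcldap:operationalAttributes>

            <!-- Quirk 2 from the post: stop the connector from translating
                 userAccountControl into its enable/disable flag so that the
                 integer can be mapped directly. -->
            <icfcldap:rawUserAccountControlAttribute>true</icfcldap:rawUserAccountControlAttribute>
        </icfc:configurationProperties>
    </connectorConfiguration>

    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <displayName>AD user account</displayName>
            <default>true</default>
            <objectClass>ri:user</objectClass>

            <attribute>
                <ref>ri:sAMAccountName</ref>
                <outbound>
                    <source><path>name</path></source>
                </outbound>
            </attribute>

            <!-- Usable now that the attribute is declared operational above. -->
            <attribute>
                <ref>ri:legacyExchangeDN</ref>
                <outbound>
                    <strength>weak</strength>
                    <source><path>name</path></source>
                    <expression>
                        <script>
                            <code>'/o=ExampleOrg/ou=Exchange Administrative Group/cn=Recipients/cn=' + name</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>

            <!-- Raw userAccountControl: 514 = NORMAL_ACCOUNT (0x0200) | ACCOUNTDISABLE (0x0002).
                 A weak mapping only fills the value when the attribute is empty, i.e. at
                 account creation, so a later change to the flags in AD is not overwritten
                 on every reconciliation. -->
            <attribute>
                <ref>ri:userAccountControl</ref>
                <outbound>
                    <strength>weak</strength>
                    <expression>
                        <value>514</value>
                    </expression>
                </outbound>
            </attribute>
        </objectType>
    </schemaHandling>
</resource>
```

Two points worth keeping in mind with this layout. First, as the post says, the raw setting switches off the connector's special handling of userAccountControl, so the account's disabled bit is then driven only by this attribute mapping and not by the connector's own activation support; whoever later enables the account has to clear bit 0x0002 while leaving the other flags (NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and so on) intact, which is why writing a constant with a strong mapping would be a poor choice here. Second, the operationalAttributes workaround only tells the connector to accept the attribute; AD still enforces its own schema and permissions on the bind account, so a write that fails with an insufficient-access error is an AD-side issue, not a midPoint schema one.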