[midPoint] Import from LDAP connector for a subset of OUs

Ivan Noris ivan.noris at evolveum.com
Tue Aug 21 15:27:29 CEST 2018


Hi Carl,


On 21.08.2018 15:10, Carl Waldbieser wrote:
> I am attempting to determine how to integrate Midpoint into existing business processes at my institution.  Our current process for onboarding employees has an intake form that stores account data in a relational database, and then a series of scheduled jobs create the enterprise account in our OpenLDAP directory information tree.
>
> I have Midpoint set up to synchronize users from the RDBMS resource.  I also set up a connector to the OpenLDAP resource to provision accounts from Midpoint.  The accounts are created in a single container, "ou=people,o=lafayette".
>
> This works great for new accounts.  Existing accounts, however, may exist in various containers that have been created in the DIT over the years.  To let Midpoint know where these entries actually live in the DIT, I can run an import task from the OpenLDAP resource to link the accounts.  So far so good.
>
> The issue I am facing is that our OpenLDAP DIT contains many different cohorts besides employees-- we also have students and alumni which outnumber employee accounts by quite a bit, and they do not exist in the employee onboarding database.
>
> All the employee accounts are scattered throughout about 50 different OUs.  Is there a way that I can import/link the accounts from my OpenLDAP resource without having to process all the student and alumni accounts as well?

If you need only to link existing LDAP accounts with already
imported/created users in midPoint (created from DB), you can have a
synchronization section in your OpenLDAP resource without any reaction
to "unmatched". This is done similarly in the CSV-2 resource from the training:

    <reaction>
        <situation>unmatched</situation>
    </reaction>

If you, however, need to also create new users from data in OpenLDAP,
but not for every single account (as you have alumni and other
accounts), is there any difference between the accounts which can be
imported and accounts that should never be imported or synchronized (but
skipped)? That could be done using a condition in synchronization.

Best regards,
Ivan

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
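An added example (not from the thread or from midPoint's own samples) of what the two techniques Ivan describes can look like together in the OpenLDAP resource: a synchronization condition that skips every account outside an allow-list of employee OUs, and a reaction set that links matched accounts but does nothing for "unmatched" ones. The object class, the employeeNumber correlation, the `projection` variable, the `ri:dn` attribute name and the OU list are assumptions for illustration.

```xml
<!-- Added example: synchronization section for the OpenLDAP resource.
     Assumed: accounts are inetOrgPerson, correlation is on employeeNumber,
     the LDAP connector exposes the entry DN as attribute ri:dn, and the
     OU allow-list below is constructed for illustration. -->
<synchronization>
    <objectSynchronization>
        <name>employee accounts only</name>
        <objectClass>ri:inetOrgPerson</objectClass>
        <kind>account</kind>
        <intent>default</intent>
        <focusType>c:UserType</focusType>
        <enabled>true</enabled>
        <!-- Accounts for which this condition is false are skipped entirely:
             neither linked nor imported, so student/alumni containers are never touched. -->
        <condition>
            <script>
                <code>
                    // Parent container of the entry, e.g. "ou=people,o=lafayette"
                    def dn = basic.getAttributeValue(projection, 'dn')
                    if (dn == null) { return false }
                    def parent = dn.substring(dn.indexOf(',') + 1).toLowerCase()
                    // Constructed allow-list; in practice this would hold the ~50 employee OUs
                    def employeeOus = ['ou=people,o=lafayette', 'ou=staff,o=lafayette']
                    return employeeOus.contains(parent)
                </code>
            </script>
        </condition>
        <!-- Match the LDAP account to an existing midPoint user created from the RDBMS -->
        <correlation>
            <q:equal>
                <q:path>c:employeeNumber</q:path>
                <expression>
                    <path>$projection/attributes/ri:employeeNumber</path>
                </expression>
            </q:equal>
        </correlation>
        <reaction>
            <situation>linked</situation>
            <synchronize>true</synchronize>
        </reaction>
        <reaction>
            <situation>unlinked</situation>
            <synchronize>true</synchronize>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
            </action>
        </reaction>
        <!-- No action for "unmatched": an account with no corresponding user is left alone -->
        <reaction>
            <situation>unmatched</situation>
        </reaction>
    </objectSynchronization>
</synchronization>
```

Dropping the condition and keeping only the empty "unmatched" reaction gives the first variant Ivan mentions: every account is evaluated, but only those that correlate to an existing user get linked.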




More information about the midPoint mailing list