[midPoint] Standing up midPoint with existing accounts

Keith Hazelton keith.hazelton at wisc.edu
Mon Aug 27 01:17:16 CEST 2018


Not sure I have a full picture of the setup, but I'd suggest looking at this: https://wiki.evolveum.com/display/midPoint/Mapping+Evaluation+Examples


The notion of strong and weak attribute mapping seems promising here.


Please correct my picture of how things are set up there. Reading between the lines, I get the sense that before you do anything with the LDAP or AD resources you somehow already have 80,000 user objects in midPoint. Is that correct? If so, how were they created?



__________

email & jabber: keith.hazelton at wisc.edu    Sr. IT Architect

calendar: http://go.wisc.edu/i6zxx0

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Andrew Morgan <morgan at oregonstate.edu>
Sent: Friday, August 24, 2018 7:42:26 PM
To: midpoint at lists.evolveum.com
Subject: [midPoint] Standing up midPoint with existing accounts

I'm looking for advice on standing up midPoint with resources that already
have accounts present.  I have 1 resource with inbound mappings (a
database table) and 2 resources with outbound mappings (AD and LDAP).
There are approximately 80,000 accounts in AD and LDAP.


FIRST METHOD TRIED:

I attempted to import accounts from LDAP in order to link to existing
midPoint users and then assign the appropriate roles to match the existing
state of the LDAP account.

When I import an LDAP account, it is linked to the correct midPoint user.
However, midPoint strips off the extra objectclasses and attributes that
are defined in my roles (not in the LDAP resource).  I have tried setting
the assignmentPolicyEnforcement to "positive" or "none", but it still
happens.  No good.


SECOND METHOD TRIED:

Instead of importing accounts, I tried assigning the roles to the midPoint
users to induce the correct resources, objectclasses, and roles.  That
actually worked great, but I don't know how to get 80,000 shadows into
midPoint's repository without importing.  I can get 20 shadows created at
a time by browsing the Accounts in the LDAP resource, but I don't know how
to get all of them.  If midPoint doesn't have a shadow when I assign the
roles, it tries (and fails) to create a new account.  Then, it makes a
bunch of modifications to the existing account because it thinks it has
changes to process.  No good.


NEXT???:

Maybe I can define the LDAP resource with no outbound mappings, import all
the accounts in order to link them to users, assign the correct roles, and
then update the LDAP resource to have the outbound mappings...


Is there a wiki page that covers this?  I'm running out of ideas...  Help!

Thanks,

Andy Morgan
Systems Administrator, Identity & Access Management
Information Services | Oregon State University
541-737-8877 | is.oregonstate.edu
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
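An added example, not code from either poster or from the Evolveum wiki, showing what Keith's strong/weak mapping suggestion looks like in a midPoint resource definition, together with an import task that creates shadows for every existing account in one run rather than 20 at a time through the Accounts tab. It assumes an LDAP tree of inetOrgPerson entries under ou=People,dc=example,dc=com, a placeholder resource OID, and that the LDAP uid equals the midPoint user name; all of those are assumptions to adjust to the real schema.

```xml
<!-- Added example (hypothetical names and OIDs), not from the original thread. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
         xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">

  <resource oid="11111111-2222-3333-4444-555555555555"> <!-- placeholder OID -->
    <name>LDAP (example)</name>
    <!-- connectorRef / connectorConfiguration omitted: use the existing ones -->

    <schemaHandling>
      <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <objectClass>ri:inetOrgPerson</objectClass>

        <!-- DN is the identifier: strong, so midPoint owns it outright. -->
        <attribute>
          <ref>ri:dn</ref>
          <outbound>
            <strength>strong</strength>
            <source><path>$user/name</path></source>
            <expression>
              <script>
                <code>'uid=' + name + ',ou=People,dc=example,dc=com'</code>
              </script>
            </expression>
          </outbound>
        </attribute>

        <!-- Weak: applied only when the account has no value yet, so a value
             already present on a linked pre-existing account is left alone. -->
        <attribute>
          <ref>ri:cn</ref>
          <outbound>
            <strength>weak</strength>
            <source><path>$user/fullName</path></source>
          </outbound>
        </attribute>
        <attribute>
          <ref>ri:mail</ref>
          <outbound>
            <strength>weak</strength>
            <source><path>$user/emailAddress</path></source>
          </outbound>
        </attribute>
      </objectType>
    </schemaHandling>

    <!-- Enforcement mode is set here on the resource, not on the role. -->
    <projection>
      <assignmentPolicyEnforcement>positive</assignmentPolicyEnforcement>
    </projection>

    <synchronization>
      <objectSynchronization>
        <objectClass>ri:inetOrgPerson</objectClass>
        <kind>account</kind>
        <intent>default</intent>
        <enabled>true</enabled>
        <!-- Correlation: match account uid to user name (assumed identical). -->
        <correlation>
          <q:equal>
            <q:path>name</q:path>
            <expression><path>$projection/attributes/ri:uid</path></expression>
          </q:equal>
        </correlation>
        <reaction>
          <situation>linked</situation>
          <synchronize>true</synchronize>
        </reaction>
        <!-- Existing account whose owner was found: link it, do not create. -->
        <reaction>
          <situation>unlinked</situation>
          <synchronize>true</synchronize>
          <action>
            <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
          </action>
        </reaction>
      </objectSynchronization>
    </synchronization>
  </resource>

  <!-- Bulk import task: creates a shadow for every inetOrgPerson entry and
       runs the synchronization reactions above on each. -->
  <task>
    <name>Import all LDAP accounts (example)</name>
    <extension>
      <mext:kind>account</mext:kind>
      <mext:intent>default</mext:intent>
      <mext:objectclass>ri:inetOrgPerson</mext:objectclass>
    </extension>
    <ownerRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/> <!-- administrator -->
    <executionStatus>runnable</executionStatus>
    <category>ImportingAccounts</category>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/import/handler-3</handlerUri>
    <objectRef oid="11111111-2222-3333-4444-555555555555" type="ResourceType"/>
    <recurrence>single</recurrence>
  </task>
</objects>
```

The point of the weak strength is that a link to a pre-existing account does not rewrite the attributes the account already carries; only attributes that are empty on the LDAP side get filled from the user. Attributes and object classes that are defined solely in roles are a separate matter: they come from the role assignments, not from the resource mapping, so any value the roles are expected to own must be assigned before a reconciliation runs with enforcement set to something other than none. Run the import on a test OU first and inspect the resulting shadows and the operation log before pointing it at all 80,000 entries.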