[midPoint] Standing up midPoint with existing accounts
Radovan Semancik
radovan.semancik at evolveum.com
Mon Aug 27 10:10:03 CEST 2018
Hi,
The import method is the right one. However, you probably need to adjust
your mappings.
I think it would be a good idea to read through the midPoint book:
https://evolveum.com/midpoint/midpoint-guide-about-practical-identity-management/
--
Radovan Semancik
Software Architect
evolveum.com
On 08/25/2018 02:42 AM, Andrew Morgan wrote:
> I'm looking for advice on standing up midPoint with resources that
> already have accounts present. I have 1 resource with inbound
> mappings (a database table) and 2 resources with outbound mappings (AD
> and LDAP). There are approximately 80,000 accounts in AD and LDAP.
>
>
> FIRST METHOD TRIED:
>
> I attempted to import accounts from LDAP in order to link to existing
> midPoint users and then assign the appropriate roles to match the
> existing state of the LDAP account.
>
> When I import an LDAP account, it is linked to the correct midPoint
> user. However, midPoint strips off the extra objectclasses and
> attributes that are defined in my roles (not in the LDAP resource). I
> have tried setting the assignmentPolicyEnforcement to "positive" or
> "none", but it still happens. No good.
>
>
> SECOND METHOD TRIED:
>
> Instead of importing accounts, I tried assigning the roles to the
> midPoint users to induce the correct resources, objectclasses, and
> roles. That actually worked great, but I don't know how to get 80,000
> shadows into midPoint's repository without importing. I can get 20
> shadows created at a time by browsing the Accounts in the LDAP
> resource, but I don't know how to get all of them. If midPoint
> doesn't have a shadow when I assign the roles, it tries (and fails) to
> create a new account. Then, it makes a bunch of modifications to the
> existing account because it thinks it has changes to process. No good.
>
>
> NEXT???:
>
> Maybe I can define the LDAP resource with no outbound mappings, import
> all the accounts in order to link them to users, assign the correct
> roles, and then update the LDAP resource to have the outbound mappings...
>
>
> Is there a wiki page that covers this? I'm running out of ideas...
> Help!
>
> Thanks,
>
> Andy Morgan
> Systems Administrator, Identity & Access Management
> Information Services | Oregon State University
> 541-737-8877 | is.oregonstate.edu
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint