[midPoint] Standing up midPoint with existing accounts
Andrew Morgan
morgan at oregonstate.edu
Mon Aug 27 19:11:07 CEST 2018
Yes, you are reading between the lines correctly.
I have 3 resources:
1. GYBONID
This is a DatabaseTable resource with only inbound mappings. The table
is from our Banner system, a system of record that is our single (for now)
source of identities. I imported these accounts to create approximately
113,000 users in midPoint. I have a LiveSync task that processes updates.
2. ONIDLDAPDEV
This is an LDAP resource with only outbound mappings. It has approximately
80,000 accounts all in the same OU. There are 2 different types of
accounts: Regular and Retiree. All accounts have the inetOrgPerson
objectclass plus eduPerson, osuPerson, and lpSghePerson auxiliary
objectclasses. Regular accounts also have posixAccount, shadowAccount,
and googlePerson auxiliary objectclasses (Retirees don't get Unix or
Google).
3. ADDEV
This is an LDAP resource with only outbound mappings. It has the same
number of accounts as ONIDLDAPDEV because our existing provisioning
scripts create both LDAP and AD accounts at the same time. AD accounts
all have the same objectclasses. For simplicity, let's ignore this
resource for now.
I have 3 roles:
1. Base ONID
This role induces the ONIDLDAPDEV and ADDEV resources.
2. Unix
This role induces the posixAccount and shadowAccount objectclasses on the
ONIDLDAPDEV resource and has outbound mappings for their attributes.
3. Google
This role induces the googlePerson objectclass on the ONIDLDAPDEV
resource and has outbound mappings for its attributes.
When I import an account from ONIDLDAPDEV, the existing user has no roles
assigned. midPoint links the account to the user, but it also modifies
the ONIDLDAPDEV account. Let me summarize what the audit log shows:
Deltas:
LensObjectDeltaOperation
Delta:
ObjectDelta<UserType>(UserType:73121f33-ee86-4d09-9769-72acecedea6e,MODIFY):
metadata/modifyChannel
REPLACE: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import
LensObjectDeltaOperation
Delta:
ObjectDelta<UserType>(UserType:73121f33-ee86-4d09-9769-72acecedea6e,MODIFY):
linkRef
ADD: oid=5ad37e7e-c783-462e-9c1f-8b9eab5816b8(ShadowType)('osuuid=88313159795,ou=people,o=midpointdev')
Object name:
PolyString(88313159795,88313159795)
Resource: ONID LDAP DEV (ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa)
LensObjectDeltaOperation
Delta:
ObjectDelta<ShadowType>(ShadowType:5ad37e7e-c783-462e-9c1f-8b9eab5816b8,MODIFY):
auxiliaryObjectClass
DELETE: {...resource/instance-3}posixAccount, {...resource/instance-3}shadowAccount, {...resource/instance-3}googlePerson
OLD: {...resource/instance-3}posixAccount, {...resource/instance-3}shadowAccount, {...resource/instance-3}osuPerson, {...resource/instance-3}lpSghePerson, {...resource/instance-3}googlePerson, {...resource/instance-3}eduPerson
attributes/googlePrincipalName
DELETE: <username>@oregonstate.edu
OLD: <username>@oregonstate.edu
attributes/googleMailEnabled
DELETE: 1
OLD: 1
attributes/gecos
DELETE: <redacted>,,,
OLD: <redacted>,,,
attributes/gidNumber
DELETE: 300
OLD: 300
attributes/loginShell
DELETE: /bin/bash
OLD: /bin/bash
attributes/homeDirectory
DELETE: /users/u2/a/<username>
OLD: /users/u2/a/<username>
attributes/uidNumber
DELETE: 7225
OLD: 7225
It does this even when I have:
<globalAccountSynchronizationSettings>
<assignmentPolicyEnforcement>none</assignmentPolicyEnforcement>
</globalAccountSynchronizationSettings>
You can see my resource and role definitions here:
http://people.oregonstate.edu/~morgan/midpoint/
How can I import these accounts without midPoint trying to modify them?
Thanks,
Andy Morgan
Systems Administrator, Identity & Access Management
Information Services | Oregon State University
541-737-8877 | is.oregonstate.edu
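As an added illustration (not midPoint code, and not from the original post), the script below models the behaviour described above: when a linked account is reconciled, whatever is not induced by an assigned role gets removed. It infers the roles an existing account implies from its auxiliary objectclasses and reports the delta a reconcile would produce with the user's current assignments; the role-to-objectclass table and the sample account are constructed from the thread, the attribute values are placeholders.

```python
# Constructed model of the reconciliation behaviour described in the thread.
# NOT midPoint's own logic: an added pre-flight check that infers the roles an
# existing account implies and shows what a reconcile would delete when the
# linked user has no (or the wrong) roles assigned.

# Role -> (auxiliary objectclasses it induces, attributes its outbound mappings own)
ROLE_MODEL = {
    "Unix": ({"posixAccount", "shadowAccount"},
             {"uidNumber", "gidNumber", "homeDirectory", "loginShell", "gecos"}),
    "Google": ({"googlePerson"}, {"googlePrincipalName", "googleMailEnabled"}),
}
# Auxiliary classes the resource itself puts on every account (not role-owned)
BASE_AUX_CLASSES = {"eduPerson", "osuPerson", "lpSghePerson"}


def infer_roles(aux_classes):
    """Roles whose induced objectclasses are all present on the account."""
    return sorted(r for r, (classes, _) in ROLE_MODEL.items() if classes <= aux_classes)


def reconcile_delta(account, assigned_roles):
    """Delta a non-tolerant reconcile would apply given the assigned roles."""
    wanted_classes = set(BASE_AUX_CLASSES)
    wanted_attrs = set()
    for role in assigned_roles:
        classes, attrs = ROLE_MODEL[role]
        wanted_classes |= classes
        wanted_attrs |= attrs
    # Only attributes some role's mapping owns are candidates for deletion;
    # resource-level attributes such as cn are left alone.
    role_owned = set().union(*(attrs for _, attrs in ROLE_MODEL.values()))
    return {
        "deleteAuxClasses": sorted(account["aux"] - wanted_classes),
        "deleteAttributes": sorted(a for a in account["attributes"]
                                   if a in role_owned and a not in wanted_attrs),
    }


# Constructed sample shaped like the audit log in the thread (placeholder values).
SAMPLE_ACCOUNT = {
    "aux": {"posixAccount", "shadowAccount", "osuPerson", "lpSghePerson",
            "googlePerson", "eduPerson"},
    "attributes": {"uidNumber": "7225", "gidNumber": "300", "loginShell": "/bin/bash",
                   "homeDirectory": "/users/u2/a/username", "gecos": "name,,,",
                   "googlePrincipalName": "username@oregonstate.edu",
                   "googleMailEnabled": "1", "cn": "username"},
}

if __name__ == "__main__":
    print("no roles  :", reconcile_delta(SAMPLE_ACCOUNT, []))
    roles = infer_roles(SAMPLE_ACCOUNT["aux"])
    print("inferred  :", roles)
    print("with roles:", reconcile_delta(SAMPLE_ACCOUNT, roles))
```

Run against an export of the real accounts, the first call lists exactly the DELETE operations seen in the audit log, and the inferred roles are the ones to assign before any import or reconcile touches the resource.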
On Sun, 26 Aug 2018, Keith Hazelton wrote:
> Not sure I have a full picture of the setup, but I'd suggest looking at this: https://wiki.evolveum.com/display/midPoint/Mapping+Evaluation+Examples
>
>
> The notion of strong and weak attribute mapping seems promising here.
>
>
> Please correct my picture of how things are set up there. Reading between the lines, I get the sense that before you do anything with the LDAP or AD resources you somehow already have 80,000 user objects in midPoint. Is that correct? If so, how were they created?
>
> __________
>
> email & jabber: keith.hazelton at wisc.edu Sr. IT Architect
>
> calendar: http://go.wisc.edu/i6zxx0
>
> ________________________________
> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Andrew Morgan <morgan at oregonstate.edu>
> Sent: Friday, August 24, 2018 7:42:26 PM
> To: midpoint at lists.evolveum.com
> Subject: [midPoint] Standing up midPoint with existing accounts
>
> I'm looking for advice on standing up midPoint with resources that already
> have accounts present. I have 1 resource with inbound mappings (a
> database table) and 2 resources with outbound mappings (AD and LDAP).
> There are approximately 80,000 accounts in AD and LDAP.
>
>
> FIRST METHOD TRIED:
>
> I attempted to import accounts from LDAP in order to link to existing
> midPoint users and then assign the appropriate roles to match the existing
> state of the LDAP account.
>
> When I import an LDAP account, it is linked to the correct midPoint user.
> However, midPoint strips off the extra objectclasses and attributes that
> are defined in my roles (not in the LDAP resource). I have tried setting
> the assignmentPolicyEnforcement to "positive" or "none", but it still
> happens. No good.
>
>
> SECOND METHOD TRIED:
>
> Instead of importing accounts, I tried assigning the roles to the midPoint
> users to induce the correct resources, objectclasses, and roles. That
> actually worked great, but I don't know how to get 80,000 shadows into
> midPoint's repository without importing. I can get 20 shadows created at
> a time by browsing the Accounts in the LDAP resource, but I don't know how
> to get all of them. If midPoint doesn't have a shadow when I assign the
> roles, it tries (and fails) to create a new account. Then, it makes a
> bunch of modifications to the existing account because it thinks it has
> changes to process. No good.
>
>
> NEXT???:
>
> Maybe I can define the LDAP resource with no outbound mappings, import all
> the accounts in order to link them to users, assign the correct roles, and
> then update the LDAP resource to have the outbound mappings...
>
>
> Is there a wiki page that covers this? I'm running out of ideas... Help!
>
> Thanks,
>
> Andy Morgan
> Systems Administrator, Identity & Access Management
> Information Services | Oregon State University
> 541-737-8877 | is.oregonstate.edu