[midPoint] Standing up midPoint with existing accounts

Andrew Morgan morgan at oregonstate.edu
Mon Aug 27 19:11:07 CEST 2018


Yes, you are reading between the lines correctly.


I have 3 resources:

1. GYBONID

This is a DatabaseTable resource with only inbound mappings.  The table 
is from our Banner system, a system of record that is our single (for now) 
source of identities.  I imported these accounts to create approximately 
113,000 users in midPoint.  I have a LiveSync task that processes updates.

2. ONIDLDAPDEV

This is an LDAP resource with only outbound mappings. It has approximately 
80,000 accounts all in the same OU.  There are 2 different types of 
accounts: Regular and Retiree.  All accounts have the inetOrgPerson 
objectclass plus eduPerson, osuPerson, and lpSghePerson auxiliary 
objectclasses.  Regular accounts also have posixAccount, shadowAccount, 
and googlePerson auxiliary objectclasses (Retirees don't get Unix or 
Google).

3. ADDEV

This is an LDAP resource with only outbound mappings. It has the same 
number of accounts as ONIDLDAPDEV because our existing provisioning 
scripts create both LDAP and AD accounts at the same time.  AD accounts 
all have the same objectclasses.  For simplicity, let's ignore this 
resource for now.



I have 3 roles:

1. Base ONID

This role induces the ONIDLDAPDEV and ADDEV resources.

2. Unix

This role induces the posixAccount and shadowAccount objectclasses on the 
ONIDLDAPDEV resource and has outbound mappings for their attributes.

3. Google

This role induces the googlePerson objectclass on the ONIDLDAPDEV 
resource and has outbound mappings for its attributes.



When I import an account from ONIDLDAPDEV, the existing user has no roles 
assigned.  midPoint links the account to the user, but it also modifies 
the ONIDLDAPDEV account.  Let me summarize what the audit log shows:

Deltas:
   LensObjectDeltaOperation
     Delta:
       ObjectDelta<UserType>(UserType:73121f33-ee86-4d09-9769-72acecedea6e,MODIFY):
         metadata/modifyChannel
           REPLACE: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import

   LensObjectDeltaOperation
     Delta:
       ObjectDelta<UserType>(UserType:73121f33-ee86-4d09-9769-72acecedea6e,MODIFY):
         linkRef
           ADD: oid=5ad37e7e-c783-462e-9c1f-8b9eab5816b8(ShadowType)('osuuid=88313159795,ou=people,o=midpointdev')

     Object name:
       PolyString(88313159795,88313159795)
     Resource: ONID LDAP DEV (ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa)

   LensObjectDeltaOperation
     Delta:
       ObjectDelta<ShadowType>(ShadowType:5ad37e7e-c783-462e-9c1f-8b9eab5816b8,MODIFY):
         auxiliaryObjectClass
           DELETE: {...resource/instance-3}posixAccount, {...resource/instance-3}shadowAccount, {...resource/instance-3}googlePerson
           OLD: {...resource/instance-3}posixAccount, {...resource/instance-3}shadowAccount, {...resource/instance-3}osuPerson, {...resource/instance-3}lpSghePerson, {...resource/instance-3}googlePerson, {...resource/instance-3}eduPerson
         attributes/googlePrincipalName
           DELETE: <username>@oregonstate.edu
           OLD: <username>@oregonstate.edu
         attributes/googleMailEnabled
           DELETE: 1
           OLD: 1
         attributes/gecos
           DELETE: <redacted>,,,
           OLD: <redacted>,,,
         attributes/gidNumber
           DELETE: 300
           OLD: 300
         attributes/loginShell
           DELETE: /bin/bash
           OLD: /bin/bash
         attributes/homeDirectory
           DELETE: /users/u2/a/<username>
           OLD: /users/u2/a/<username>
         attributes/uidNumber
           DELETE: 7225
           OLD: 7225


It does this even when I have:

<globalAccountSynchronizationSettings>
   <assignmentPolicyEnforcement>none</assignmentPolicyEnforcement> 
</globalAccountSynchronizationSettings>


You can see my resource and role definitions here:

   http://people.oregonstate.edu/~morgan/midpoint/


How can I import these accounts without midPoint trying to modify them?

Thanks,

Andy Morgan
Systems Administrator, Identity & Access Management
Information Services | Oregon State University
541-737-8877 | is.oregonstate.edu
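As an added example (not part of this thread and not midPoint's own code), a pre-import check that reads existing ONIDLDAPDEV entries and reports which roles the linked user would need for the role-induced classes and attributes to match, and which classes and attributes an import without those roles would strip, as in the delta above. The role and attribute tables follow the post; the LDIF entries and the objectclass "customClass" are constructed.

```python
# Added example (not midPoint's own code); role tables from the post, LDIF constructed.
ROLE_OBJECTCLASSES = {"Unix": {"posixAccount", "shadowAccount"}, "Google": {"googlePerson"}}
ROLE_ATTRIBUTES = {"Unix": {"uidNumber", "gidNumber", "homeDirectory", "loginShell", "gecos"},
                   "Google": {"googlePrincipalName", "googleMailEnabled"}}
RESOURCE_OBJECTCLASSES = {"inetOrgPerson", "eduPerson", "osuPerson", "lpSghePerson"}

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr: [values]}}; no base64 or line folding."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def implied_roles(entry):
    """'Base ONID' for every account, plus each role whose induced classes are all present."""
    classes = set(entry.get("objectClass", []))
    return {"Base ONID"} | {r for r, need in ROLE_OBJECTCLASSES.items() if need <= classes}

def unexplained_classes(entry):
    """Classes neither the resource nor any role accounts for: review before importing."""
    known = RESOURCE_OBJECTCLASSES.union(*ROLE_OBJECTCLASSES.values())
    return sorted(set(entry.get("objectClass", [])) - known)

def import_would_strip(entry, assigned_roles=()):
    """Aux classes and attributes owned by an implied role that is not assigned:
    the DELETEs the audit delta above shows for an account whose user has no roles."""
    missing = implied_roles(entry) - set(assigned_roles) - {"Base ONID"}
    classes = set().union(*(ROLE_OBJECTCLASSES[r] for r in missing))
    attrs = {a for r in missing for a in ROLE_ATTRIBUTES[r] if a in entry}
    return {"roles": sorted(missing), "auxiliaryObjectClass": sorted(classes),
            "attributes": sorted(attrs)}

# Constructed sample: one Regular account (Unix + Google) and one Retiree account.
SAMPLE_LDIF = """dn: osuuid=88313159795,ou=people,o=midpointdev
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: googlePerson
uidNumber: 7225
googlePrincipalName: <username>@oregonstate.edu

dn: osuuid=00000000001,ou=people,o=midpointdev
objectClass: inetOrgPerson
objectClass: customClass
"""
```

Running `import_would_strip` over the full export with the roles you plan to assign gives a per-account list of what would be lost, so the role assignments can be checked before any import task touches the directory.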

On Sun, 26 Aug 2018, Keith Hazelton wrote:

> Not sure I have a full picture of the setup, but I'd suggest looking at this: https://wiki.evolveum.com/display/midPoint/Mapping+Evaluation+Examples
>
>
> The notion of strong and weak attribute mapping seems promising here.
>
>
> Please correct my picture of how things are set up there. Reading between the lines, I get the sense that before you do anything with the LDAP or AD resources you somehow already have 80,000 user objects in midPoint. Is that correct? If so, how were they created?
>
>
>
>
> __________
>
> email & jabber: keith.hazelton at wisc.edu    Sr. IT Architect
>
> calendar: http://go.wisc.edu/i6zxx0
>
> ________________________________
> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Andrew Morgan <morgan at oregonstate.edu>
> Sent: Friday, August 24, 2018 7:42:26 PM
> To: midpoint at lists.evolveum.com
> Subject: [midPoint] Standing up midPoint with existing accounts
>
> I'm looking for advice on standing up midPoint with resources that already
> have accounts present.  I have 1 resource with inbound mappings (a
> database table) and 2 resources with outbound mappings (AD and LDAP).
> There are approximately 80,000 accounts in AD and LDAP.
>
>
> FIRST METHOD TRIED:
>
> I attempted to import accounts from LDAP in order to link to existing
> midPoint users and then assign the appropriate roles to match the existing
> state of the LDAP account.
>
> When I import an LDAP account, it is linked to the correct midPoint user.
> However, midPoint strips off the extra objectclasses and attributes that
> are defined in my roles (not in the LDAP resource).  I have tried setting
> the assignmentPolicyEnforcement to "positive" or "none", but it still
> happens.  No good.
>
>
> SECOND METHOD TRIED:
>
> Instead of importing accounts, I tried assigning the roles to the midPoint
> users to induce the correct resources, objectclasses, and roles.  That
> actually worked great, but I don't know how to get 80,000 shadows into
> midPoint's repository without importing.  I can get 20 shadows created at
> a time by browsing the Accounts in the LDAP resource, but I don't know how
> to get all of them.  If midPoint doesn't have a shadow when I assign the
> roles, it tries (and fails) to create a new account.  Then, it makes a
> bunch of modifications to the existing account because it thinks it has
> changes to process.  No good.
>
>
> NEXT???:
>
> Maybe I can define the LDAP resource with no outbound mappings, import all
> the accounts in order to link them to users, assign the correct roles, and
> then update the LDAP resource to have the outbound mappings...
>
>
> Is there a wiki page that covers this?  I'm running out of ideas...  Help!
>
> Thanks,
>
> Andy Morgan
> Systems Administrator, Identity & Access Management
> Information Services | Oregon State University
> 541-737-8877 | is.oregonstate.edu
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>

