[midPoint] Standing up midPoint with existing accounts
Jason Everling
jeverling at bshp.edu
Mon Aug 27 23:03:14 CEST 2018
at the resource level config do you have each objectclass defined for each
intent that these accounts fall under?
<objectType>
<displayName>Person Registry Account</displayName>
<default>true</default>
<objectClass>ri:inetOrgPerson</objectClass>
<auxiliaryObjectClass>ri:yourClass1</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:yourClass2</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:yourClass3</auxiliaryObjectClass>
<objectType>
<kind>entitlement</kind>
<intent>registryGroup</intent>
<displayName>Person Registry Group</displayName>
<default>true</default>
<objectClass>ri:groupOfNames</objectClass>
<auxiliaryObjectClass>ri:customGrpClass1</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:customGrpClass2</auxiliaryObjectClass>
On Mon, Aug 27, 2018 at 3:24 PM Andrew Morgan <morgan at oregonstate.edu>
wrote:
> I conducted a further test, and I'm confused by what I'm seeing.
>
> I set the global Projection Policy to "none". I assigned my 3 roles (Base
> ONID, Unix, and Google) to a user. No changes were made to any accounts.
> The assignments were present on the user, but no projections were added.
> This is what I expected to see. Great!
>
> Then, I imported the account from the ONIDLDAPDEV resource so that I could
> establish the link between the user and the account. The import removed
> the role-assigned (from the Unix and Google roles) objectclasses and
> attributes! Out of curiosity, I ran a reconciliation on that user - no
> changes. Why did the import make any changes to the account??
>
> Andy Morgan
> Systems Administrator, Identity & Access Management
> Information Services | Oregon State University
> 541-737-8877 | is.oregonstate.edu
>
> On Mon, 27 Aug 2018, Morgan, Andrew Jason wrote:
>
> > Yes, you are reading between the lines correctly.
> >
> >
> > I have 3 resources:
> >
> > 1. GYBONID
> >
> > This is a DatabaseTable resource with only inbound mappings. The table
> > is from our Banner system, a system of record that is our single (for
> now)
> > source of identities. I imported these accounts to create approximately
> > 113,000 users in midPoint. I have a LiveSync task that processes
> updates.
> >
> > 2. ONIDLDAPDEV
> >
> > This is an LDAP resource with only outbound mappings.It has
> approximately
> > 80,000 accounts all in the same OU. There are 2 different types of
> > accounts: Regular and Retiree. All accounts have the inetOrgPerson
> > objectclass plus eduPerson, osuPerson, and lpSghePerson auxiliary
> > objectclasses. Regular accounts also have posixAccount, shadowAccount,
> > and googlePerson auxiliary objectclasses (Retirees don't get Unix or
> > Google).
> >
> > 3. ADDEV
> >
> > This is an LDAP resource with only outbound mappings. It has the same
> > number of accounts as ONIDLDAPDEV because our existing provisioning
> > scripts create both LDAP and AD accounts at the same time. AD accounts
> > all have the same objectclasses. For simplicity, let's ignore this
> > resource for now.
> >
> >
> >
> > I have 3 roles:
> >
> > 1. Base ONID
> >
> > This role induces the ONIDLDAPDEV and ADDEV resources.
> >
> > 2. Unix
> >
> > This role induces the posixAccount and shadowAccount objectclasses on
> the
> > ONIDLDAPDEV resource and has outbound mappings for their attributes.
> >
> > 3. Google
> >
> > This role induces the googlePerson objectclass on the ONIDLDAPDEV
> > resource and has outbound mappings for its attributes.
> >
> >
> >
> > When I import an account from ONIDLDAPDEV, the existing user has no
> roles
> > assigned. Midpoint links the account to the user, but it also modifies
> > the ONIDLDAPDEV account. Let me summarize what the audit log shows:
> >
> > Deltas:
> > LensObjectDeltaOperation
> > Delta:
> >
> ObjectDelta<UserType>(UserType:73121f33-ee86-4d09-9769-72acecedea6e,MODIFY):
> > metadata/modifyChannel
> > REPLACE:
> http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import
> >
> > LensObjectDeltaOperation
> > Delta:
> >
> ObjectDelta<UserType>(UserType:73121f33-ee86-4d09-9769-72acecedea6e,MODIFY):
> > linkRef
> > ADD:
> oid=5ad37e7e-c783-462e-9c1f-8b9eab5816b8(ShadowType)('osuuid=88313159795,ou=people,o=midpointdev')
> >
> > Object name:
> > PolyString(88313159795,88313159795)
> > Resource: ONID LDAP DEV (ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa)
> >
> > LensObjectDeltaOperation
> > Delta:
> >
> ObjectDelta<ShadowType>(ShadowType:5ad37e7e-c783-462e-9c1f-8b9eab5816b8,MODIFY):
> > auxiliaryObjectClass
> > DELETE: {...resource/instance-3}posixAccount,
> {...resource/instance-3}shadowAccount, {...resource/instance-3}googlePerson
> > OLD: {...resource/instance-3}posixAccount,
> {...resource/instance-3}shadowAccount, {...resource/instance-3}osuPerson,
> {...resource/instance-3}lpSghePerson, {...resource/instance-3}googlePerson,
> {...resource/instance-3}eduPerson
> > attributes/googlePrincipalName
> > DELETE: <username>@oregonstate.edu
> > OLD: <username>@oregonstate.edu
> > attributes/googleMailEnabled
> > DELETE: 1
> > OLD: 1
> > attributes/gecos
> > DELETE: <redacted>,,,
> > OLD: <redacted>,,,
> > attributes/gidNumber
> > DELETE: 300
> > OLD: 300
> > attributes/loginShell
> > DELETE: /bin/bash
> > OLD: /bin/bash
> > attributes/homeDirectory
> > DELETE: /users/u2/a/<username>
> > OLD: /users/u2/a/<username>
> > attributes/uidNumber
> > DELETE: 7225
> > OLD: 7225
> >
> >
> > It does this even when I have:
> >
> > <globalAccountSynchronizationSettings>
> > <assignmentPolicyEnforcement>none</assignmentPolicyEnforcement>
> > </globalAccountSynchronizationSettings>
> >
> >
> > You can see my resource and role definitions here:
> >
> > http://people.oregonstate.edu/~morgan/midpoint/
> >
> >
> > How can I import these accounts without midPoint trying to modify them?
> >
> > Thanks,
> >
> > Andy Morgan
> > Systems Administrator, Identity & Access Management
> > Information Services | Oregon State University
> > 541-737-8877 | is.oregonstate.edu
> >
> > On Sun, 26 Aug 2018, Keith Hazelton wrote:
> >
> >> Not sure I have a full picture of the setup, but I'd suggest looking at
> this:
> https://wiki.evolveum.com/display/midPoint/Mapping+Evaluation+Examples
> >>
> >>
> >> The notion of strong and weak attribute mapping seems promising here.
> >>
> >>
> >> Please correct my picture of how things are set up there. Reading
> between the lines, I get the sense that before you do anything with the
> LDAP or AD resources you somehow already have 80,000 user objects in
> midPoint. Is that correct? If so, how were they created?
> >>
> >> Mapping Evaluation Examples - midPoint - Evolveum Confluence<
> https://wiki.evolveum.com/display/midPoint/Mapping+Evaluation+Examples>
> >> wiki.evolveum.com
> >> Resource and Role Attribute Mappings. Resource attribute can be set by
> several means: manually specified in midPoint user interface, produced by a
> mapping in a role or in resource schema handling.
> >>
> >>
> >>
> >> __________
> >>
> >> email & jabber: keith.hazelton at wisc.edu Sr. IT Architect
> >>
> >> calendar: http://go.wisc.edu/i6zxx0
> >>
> >> ________________________________
> >> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
> Andrew Morgan <morgan at oregonstate.edu>
> >> Sent: Friday, August 24, 2018 7:42:26 PM
> >> To: midpoint at lists.evolveum.com
> >> Subject: [midPoint] Standing up midPoint with existing accounts
> >>
> >> I'm looking for advice on standing up midPoint with resources that
> already
> >> have accounts present. I have 1 resource with inbound mappings (a
> >> database table) and 2 resources with outbound mappings (AD and LDAP).
> >> There are approximately 80,000 accounts in AD and LDAP.
> >>
> >>
> >> FIRST METHOD TRIED:
> >>
> >> I attempted to import accounts from LDAP in order to link to existing
> >> midPoint users and then assign the appropriate roles to match the
> existing
> >> state of the LDAP account.
> >>
> >> When I import an LDAP account, it is linked to the correct midPoint
> user.
> >> However, midPoint strips off the extra objectclasses and attributes that
> >> are defined in my roles (not in the LDAP resource). I have tried
> setting
> >> the assignmentPolicyEnforcement to "positive" or "none", but it still
> >> happens. No good.
> >>
> >>
> >> SECOND METHOD TRIED:
> >>
> >> Instead of importing accounts, I tried assigning the roles to the
> midPoint
> >> users to induce the correct resources, objectclasses, and roles. That
> >> actually worked great, but I don't know how to get 80,000 shadows into
> >> midPoint's repository without importing. I can get 20 shadows created
> at
> >> a time by browsing the Accounts in the LDAP resource, but I don't know
> how
> >> to get all of them. If midPoint doesn't have a shadow when I assign the
> >> roles, it tries (and fails) to create a new account. Then, it makes a
> >> bunch of modifications to the existing account because it thinks it has
> >> changes to process. No good.
> >>
> >>
> >> NEXT???:
> >>
> >> Maybe I can define the LDAP resource with no outbound mappings, import
> all
> >> the accounts in order to link them to users, assign the correct roles,
> and
> >> then update the LDAP resource to have the outbound mappings...
> >>
> >>
> >> Is there a wiki page that covers this? I'm running out of ideas...
> Help!
> >>
> >> Thanks,
> >>
> >> Andy Morgan
> >> Systems Administrator, Identity & Access Management
> >> Information Services | Oregon State University
> >> 541-737-8877 | is.oregonstate.edu
> >> _______________________________________________
> >> midPoint mailing list
> >> midPoint at lists.evolveum.com
> >> http://lists.evolveum.com/mailman/listinfo/midpoint
> >>
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180827/b8ed1040/attachment.htm>
More information about the midPoint
mailing list