[midPoint] Standing up midPoint with existing accounts

Jason Everling jeverling at bshp.edu
Tue Aug 28 00:33:23 CEST 2018


Try removing the objectClasses from your Roles (leave the account
construction) and define all of them (each and every objectclass you use)
in the resource config itself.



On Mon, Aug 27, 2018 at 4:15 PM Andrew Morgan <morgan at oregonstate.edu>
wrote:

> My configuration is pretty simple.  In the resource, I have:
>
> <objectType>
>         <kind>account</kind>
>         <default>true</default>
>         <objectClass>ri:inetOrgPerson</objectClass>
>         <auxiliaryObjectClass>ri:osuPerson</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass>
>         <auxiliaryObjectClass>ri:lpSghePerson</auxiliaryObjectClass>
>
> In the Unix role:
>
> <inducement id="1">
>         <construction>
>                 <!-- This is the ONIDLDAPDEV resource -->
>                 <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa"
> relation="org:default" type="c:ResourceType"/>
>                 <kind>account</kind>
>
> <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
>
> <auxiliaryObjectClass>ri:shadowAccount</auxiliaryObjectClass>
>
> In the Google role:
>
> <inducement id="1">
>         <construction>
>                 <!-- This is the ONIDLDAPDEV resource -->
>                 <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa"
> relation="org:default" type="c:ResourceType"/>
>                 <kind>account</kind>
>
> <auxiliaryObjectClass>ri:googlePerson</auxiliaryObjectClass>
>
>
> Even when I have assigned the Unix and Google roles to the user, importing
> an account from ONIDLDAPDEV is stripping those objectclasses and
> attributes off the ONIDLDAPDEV account.  :(
>
> I can protect my resource by disabling the create, update, and delete
> capabilities, but it throws large Java errors in the audit log still...
> :(
>
> Andy Morgan
> Systems Administrator, Identity & Access Management
> Information Services | Oregon State University
> 541-737-8877 | is.oregonstate.edu
>
> On Mon, 27 Aug 2018, Jason Everling wrote:
>
> > at the resource level config do you have each objectclass defined for
> > each intent that these accounts fall under?
> >
> >      <objectType>
> >         <displayName>Person Registry Account</displayName>
> >         <default>true</default>
> >         <objectClass>ri:inetOrgPerson</objectClass>
> >         <auxiliaryObjectClass>ri:yourClass1</auxiliaryObjectClass>
> >         <auxiliaryObjectClass>ri:yourClass2</auxiliaryObjectClass>
> >         <auxiliaryObjectClass>ri:yourClass3</auxiliaryObjectClass>
> >
> >      <objectType>
> >         <kind>entitlement</kind>
> >         <intent>registryGroup</intent>
> >         <displayName>Person Registry Group</displayName>
> >         <default>true</default>
> >         <objectClass>ri:groupOfNames</objectClass>
> >         <auxiliaryObjectClass>ri:customGrpClass1</auxiliaryObjectClass>
> >         <auxiliaryObjectClass>ri:customGrpClass2</auxiliaryObjectClass>
> >
> >
> >
> >
> >
> > On Mon, Aug 27, 2018 at 3:24 PM Andrew Morgan <morgan at oregonstate.edu> wrote:
> > I conducted a further test, and I'm confused by what I'm seeing.
> >
> > I set the global Projection Policy to "none".  I assigned my 3 roles (Base
> > ONID, Unix, and Google) to a user.  No changes were made to any accounts.
> > The assignments were present on the user, but no projections were added.
> > This is what I expected to see.  Great!
> >
> > Then, I imported the account from the ONIDLDAPDEV resource so that I could
> > establish the link between the user and the account.  The import removed
> > the role-assigned (from the Unix and Google roles) objectclasses and
> > attributes!  Out of curiosity, I ran a reconciliation on that user - no
> > changes.  Why did the import make any changes to the account??
> >
> > Andy Morgan
> > Systems Administrator, Identity & Access Management
> > Information Services | Oregon State University
> > 541-737-8877 | is.oregonstate.edu
> >
> > On Mon, 27 Aug 2018, Morgan, Andrew Jason wrote:
> >
> >> Yes, you are reading between the lines correctly.
> >>
> >>
> >> I have 3 resources:
> >>
> >> 1. GYBONID
> >>
> >> This is a DatabaseTable resource with only inbound mappings.  The table
> >> is from our Banner system, a system of record that is our single (for now)
> >> source of identities.  I imported these accounts to create approximately
> >> 113,000 users in midPoint.  I have a LiveSync task that processes updates.
> >>
> >> 2. ONIDLDAPDEV
> >>
> >> This is an LDAP resource with only outbound mappings. It has approximately
> >> 80,000 accounts all in the same OU.  There are 2 different types of
> >> accounts: Regular and Retiree.  All accounts have the inetOrgPerson
> >> objectclass plus eduPerson, osuPerson, and lpSghePerson auxiliary
> >> objectclasses.  Regular accounts also have posixAccount, shadowAccount,
> >> and googlePerson auxiliary objectclasses (Retirees don't get Unix or
> >> Google).
> >>
> >> 3. ADDEV
> >>
> >> This is an LDAP resource with only outbound mappings. It has the same
> >> number of accounts as ONIDLDAPDEV because our existing provisioning
> >> scripts create both LDAP and AD accounts at the same time.  AD accounts
> >> all have the same objectclasses.  For simplicity, let's ignore this
> >> resource for now.
> >>
> >>
> >>
> >> I have 3 roles:
> >>
> >> 1. Base ONID
> >>
> >> This role induces the ONIDLDAPDEV and ADDEV resources.
> >>
> >> 2. Unix
> >>
> >> This role induces the posixAccount and shadowAccount objectclasses on the
> >> ONIDLDAPDEV resource and has outbound mappings for their attributes.
> >>
> >> 3. Google
> >>
> >> This role induces the googlePerson objectclass on the ONIDLDAPDEV
> >> resource and has outbound mappings for its attributes.
> >>
> >>
> >>
> >> When I import an account from ONIDLDAPDEV, the existing user has no roles
> >> assigned.  Midpoint links the account to the user, but it also modifies
> >> the ONIDLDAPDEV account.  Let me summarize what the audit log shows:
> >>
> >> Deltas:
> >>   LensObjectDeltaOperation
> >>     Delta:
> >>       ObjectDelta<UserType>(UserType:73121f33-ee86-4d09-9769-72acecedea6e,MODIFY):
> >>         metadata/modifyChannel
> >>           REPLACE: http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import
> >>
> >>   LensObjectDeltaOperation
> >>     Delta:
> >>       ObjectDelta<UserType>(UserType:73121f33-ee86-4d09-9769-72acecedea6e,MODIFY):
> >>         linkRef
> >>           ADD: oid=5ad37e7e-c783-462e-9c1f-8b9eab5816b8(ShadowType)('osuuid=88313159795,ou=people,o=midpointdev')
> >>
> >>     Object name:
> >>       PolyString(88313159795,88313159795)
> >>     Resource: ONID LDAP DEV (ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa)
> >>
> >>   LensObjectDeltaOperation
> >>     Delta:
> >>       ObjectDelta<ShadowType>(ShadowType:5ad37e7e-c783-462e-9c1f-8b9eab5816b8,MODIFY):
> >>         auxiliaryObjectClass
> >>           DELETE: {...resource/instance-3}posixAccount, {...resource/instance-3}shadowAccount, {...resource/instance-3}googlePerson
> >>           OLD: {...resource/instance-3}posixAccount, {...resource/instance-3}shadowAccount, {...resource/instance-3}osuPerson, {...resource/instance-3}lpSghePerson, {...resource/instance-3}googlePerson, {...resource/instance-3}eduPerson
> >>         attributes/googlePrincipalName
> >>           DELETE: <username>@oregonstate.edu
> >>           OLD: <username>@oregonstate.edu
> >>         attributes/googleMailEnabled
> >>           DELETE: 1
> >>           OLD: 1
> >>         attributes/gecos
> >>           DELETE: <redacted>,,,
> >>           OLD: <redacted>,,,
> >>         attributes/gidNumber
> >>           DELETE: 300
> >>           OLD: 300
> >>         attributes/loginShell
> >>           DELETE: /bin/bash
> >>           OLD: /bin/bash
> >>         attributes/homeDirectory
> >>           DELETE: /users/u2/a/<username>
> >>           OLD: /users/u2/a/<username>
> >>         attributes/uidNumber
> >>           DELETE: 7225
> >>           OLD: 7225
> >>
> >>
> >> It does this even when I have:
> >>
> >> <globalAccountSynchronizationSettings>
> >>   <assignmentPolicyEnforcement>none</assignmentPolicyEnforcement>
> >> </globalAccountSynchronizationSettings>
> >>
> >>
> >> You can see my resource and role definitions here:
> >>
> >>   http://people.oregonstate.edu/~morgan/midpoint/
> >>
> >>
> >> How can I import these accounts without midPoint trying to modify them?
> >>
> >> Thanks,
> >>
> >> Andy Morgan
> >> Systems Administrator, Identity & Access Management
> >> Information Services | Oregon State University
> >> 541-737-8877 | is.oregonstate.edu
> >>
> >> On Sun, 26 Aug 2018, Keith Hazelton wrote:
> >>
> >>> Not sure I have a full picture of the setup, but I'd suggest looking at this:
> >>> https://wiki.evolveum.com/display/midPoint/Mapping+Evaluation+Examples
> >>>
> >>>
> >>> The notion of strong and weak attribute mapping seems promising here.
> >>>
> >>>
> >>> Please correct my picture of how things are set up there. Reading
> >>> between the lines, I get the sense that before you do anything with the
> >>> LDAP or AD resources you somehow already have 80,000 user objects in
> >>> midPoint. Is that correct? If so, how were they created?
> >>>
> >>>
> >>>
> >>>
> >>> __________
> >>>
> >>> email & jabber: keith.hazelton at wisc.edu    Sr. IT Architect
> >>>
> >>> calendar: http://go.wisc.edu/i6zxx0
> >>>
> >>> ________________________________
> >>> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Andrew Morgan <morgan at oregonstate.edu>
> >>> Sent: Friday, August 24, 2018 7:42:26 PM
> >>> To: midpoint at lists.evolveum.com
> >>> Subject: [midPoint] Standing up midPoint with existing accounts
> >>>
> >>> I'm looking for advice on standing up midPoint with resources that already
> >>> have accounts present.  I have 1 resource with inbound mappings (a
> >>> database table) and 2 resources with outbound mappings (AD and LDAP).
> >>> There are approximately 80,000 accounts in AD and LDAP.
> >>>
> >>>
> >>> FIRST METHOD TRIED:
> >>>
> >>> I attempted to import accounts from LDAP in order to link to existing
> >>> midPoint users and then assign the appropriate roles to match the existing
> >>> state of the LDAP account.
> >>>
> >>> When I import an LDAP account, it is linked to the correct midPoint user.
> >>> However, midPoint strips off the extra objectclasses and attributes that
> >>> are defined in my roles (not in the LDAP resource).  I have tried setting
> >>> the assignmentPolicyEnforcement to "positive" or "none", but it still
> >>> happens.  No good.
> >>>
> >>>
> >>> SECOND METHOD TRIED:
> >>>
> >>> Instead of importing accounts, I tried assigning the roles to the midPoint
> >>> users to induce the correct resources, objectclasses, and roles.  That
> >>> actually worked great, but I don't know how to get 80,000 shadows into
> >>> midPoint's repository without importing.  I can get 20 shadows created at
> >>> a time by browsing the Accounts in the LDAP resource, but I don't know how
> >>> to get all of them.  If midPoint doesn't have a shadow when I assign the
> >>> roles, it tries (and fails) to create a new account.  Then, it makes a
> >>> bunch of modifications to the existing account because it thinks it has
> >>> changes to process.  No good.
> >>>
> >>>
> >>> NEXT???:
> >>>
> >>> Maybe I can define the LDAP resource with no outbound mappings, import all
> >>> the accounts in order to link them to users, assign the correct roles, and
> >>> then update the LDAP resource to have the outbound mappings...
> >>>
> >>>
> >>> Is there a wiki page that covers this?  I'm running out of ideas...  Help!
> >>>
> >>> Thanks,
> >>>
> >>> Andy Morgan
> >>> Systems Administrator, Identity & Access Management
> >>> Information Services | Oregon State University
> >>> 541-737-8877 | is.oregonstate.edu
> >>> _______________________________________________
> >>> midPoint mailing list
> >>> midPoint at lists.evolveum.com
> >>> http://lists.evolveum.com/mailman/listinfo/midpoint
> >>>
>
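Jason's suggestion at the top of the thread, applied to the resource and role fragments Andy posted, as an added illustration that is not from either poster or from the midPoint project: every auxiliary objectclass an account can carry is declared once on the resource's objectType, and the Unix role's construction only refers to the resource. The schemaHandling wrapper, the intent name "default", the type="ResourceType" form of the reference and the weak-strength loginShell mapping (following Keith's pointer to strong/weak mappings) are assumptions for illustration.

```xml
<!-- Resource side (ONIDLDAPDEV): declare every objectclass the accounts may carry,
     so an imported account never has a class that only a role knew about. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>default</intent>   <!-- assumed intent name -->
      <default>true</default>
      <objectClass>ri:inetOrgPerson</objectClass>
      <!-- classes common to all ONIDLDAPDEV accounts -->
      <auxiliaryObjectClass>ri:osuPerson</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:lpSghePerson</auxiliaryObjectClass>
      <!-- classes previously induced only by the Unix and Google roles -->
      <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:shadowAccount</auxiliaryObjectClass>
      <auxiliaryObjectClass>ri:googlePerson</auxiliaryObjectClass>
      <!-- weak mapping (assumption): only fills the attribute when the account
           has no value yet, so import/reconcile does not overwrite existing data -->
      <attribute>
        <ref>ri:loginShell</ref>
        <outbound>
          <strength>weak</strength>
          <expression><value>/bin/bash</value></expression>
        </outbound>
      </attribute>
    </objectType>
  </schemaHandling>
</resource>

<!-- Role side (Unix): the construction names the resource and object type only;
     no auxiliaryObjectClass here, the per-attribute outbound mappings stay. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>Unix</name>
  <inducement id="1">
    <construction>
      <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1aa" type="ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <attribute>
        <ref>ri:gidNumber</ref>
        <outbound><expression><value>300</value></expression></outbound>
      </attribute>
    </construction>
  </inducement>
</role>
```

The two fragments are separate objects (a resource and a role) shown together; each is imported into midPoint on its own.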