[midPoint] exclude account from synchronizaton

Brad Firestone bhotrock at gmail.com
Thu Feb 15 15:19:34 CET 2018 

Hello Marco,

I'm not sure if this will help you, but below is the conditional script 
I use in my AD Resource to import/sync only AD accounts who are members 
of one certain AD Distribution Group.  Maybe you can use something 
similar if you can find a property that is unique to people or 
computers.  I don't know enough about AD to point to the exact attribute 
you might want to use.

<condition>
<script>
<code>
                     mem = basic.getAttributeValues(shadow, "memberOf")
                         if (mem == null){
                              return false
                         }
                         else if 
(!mem.contains("CN=MyGroup,OU=Distribution 
Groups,OU=Groups,DC=domain,DC=tld")){
                              return false
                          }
                         else if 
(mem.contains("CN=MyGroup,OU=Distribution 
Groups,OU=Groups,DC=domain,DC=tld")){
                              return true
                          }
</code>
</script>
</condition>

Basically, this pulls the value of "memberOf" attributes.  If this 
attribute doesn't exist - don't import.  If the attribute exists but 
doesn't match my selected group - don't import.  If the attribute does 
match my selected group - import.  "memberOf" is a multivalued 
attribute.  I THINK you would use:  basic.getAttributeValue  (Value not 
Values) if you are using a single valued attribute.

I hope this helps!
Brad

On 2/15/18, 4:33 AM, Marco Benucci wrote:
>
> Hi all,
>
> I'm running midpoint 3.6 and I'm configuring an Active Directory 
> resource using the ADLdap connector (1.5.1).
> Now, whenever an account is considered "unmatched" i need to create an 
> user and link the user to that account, but in this AD there are also 
> many "Computer" object that, at least for now, I do not want in.
> The main problem, I think, is that Computers, in AD, have also the 
> objectClasses "top", "person", "organizationalPerson" and "user", just 
> like Users, so the workaround
>
> <generationConstraints>
> <generateObjectClass>ri:user</generateObjectClass>
> <generateObjectClass>ri:group</generateObjectClass>
> </generationConstraints>
>
> does not work because Computers shares all their classes with Users, 
> exept "computer" objectClass.
>
> Is there a smart way to exclude them during synchronization?I do not 
> want that an unmatched account for a computer create an user...
>
> Thank you,
> Marco
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180215/590ad0cc/attachment.htm>

More information about the midPoint mailing list