[midPoint] exclude account from synchronization

Marco Benucci m.benucci at nsr.it
Thu Feb 15 16:11:56 CET 2018


Thank you for your reply Brad, it surely works.

By the way, I have found another solution on the wiki to handle such 
situations. It's about Protected Accounts 
(https://wiki.evolveum.com/display/midPoint/Protected+Accounts).
Basically, protected accounts will be ignored in import, live sync, 
reconciliation or any other synchronization mechanism.
You can just add the "protected" code to filter objects during the above 
phases.

<schemaHandling>
...
    <objectType>
        <protected>
            <filter>
                <q:equal>
                    <q:path>declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"; attributes/ri:objectCategory</q:path>
                    <q:value>CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com</q:value>
                </q:equal>
            </filter>
        </protected>
...
    </objectType>
</schemaHandling>

I think it's a viable solution, for now, but maybe it's not the perfect 
one...
E.g. in future I would like to manage Computers too (maybe as a 
Service?), using the "Computer" class loaded by the connector in the 
resource schema. What happens if I mark that account as "protected" in 
a schemaHandling, but in another schemaHandling that account (is that 
actually the same account??) is not protected?

I'll let you know.

Marco

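For reference, here is a synchronization condition that combines the two approaches discussed in this thread: Marco's objectCategory test (used above in the protected-account filter) and Brad's memberOf check (quoted below). This is an added example, not configuration from either poster or from the midPoint project. It assumes the condition sits where Brad's does (in the AD resource's synchronization section), that the ADLdap connector exposes objectCategory and memberOf as shadow attributes, that basic.getAttributeValue / basic.getAttributeValues are available as in Brad's script, and that the group DN is a placeholder to be replaced.

```xml
<condition>
    <script>
        <code>
            // Added example (not from the thread). Assumes the connector exposes
            // objectCategory (single-valued) and memberOf (multi-valued) as shadow attributes.
            def category = basic.getAttributeValue(shadow, "objectCategory")

            // Objects without a category are out of scope: do not create users for them.
            if (category == null) {
                return false
            }

            // AD computer objects carry objectCategory CN=Computer,CN=Schema,CN=Configuration,...
            // Skip them so an unmatched machine account never turns into a user.
            if (category.toLowerCase().startsWith("cn=computer,")) {
                return false
            }

            // Additionally require membership of a scoping group, as in Brad's script.
            // Placeholder DN: replace with the real group in your directory.
            def scopeGroup = "CN=MyGroup,OU=Distribution Groups,OU=Groups,DC=domain,DC=tld"
            def groups = basic.getAttributeValues(shadow, "memberOf")
            if (groups == null) {
                return false
            }
            // DNs are case-insensitive in AD, so compare ignoring case.
            return groups.any { it.equalsIgnoreCase(scopeGroup) }
        </code>
    </script>
</condition>
```

The objectCategory test handles the case Marco raises (computers share the user object classes, so objectClass alone cannot separate them), while the group test keeps the import limited to the accounts you intend to manage; either half can be dropped if only one criterion is needed.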

On 02/15/2018 03:19 PM, Brad Firestone wrote:
> Hello Marco,
>
> I'm not sure if this will help you, but below is the conditional 
> script I use in my AD Resource to import/sync only AD accounts who are 
> members of one certain AD Distribution Group.  Maybe you can use 
> something similar if you can find a property that is unique to people 
> or computers.  I don't know enough about AD to point to the exact 
> attribute you might want to use.
>
>     <condition>
>         <script>
>             <code>
>                 // memberOf is multivalued, so read all of its values
>                 mem = basic.getAttributeValues(shadow, "memberOf")
>                 if (mem == null) {
>                     // no group memberships at all: do not import
>                     return false
>                 } else if (!mem.contains("CN=MyGroup,OU=Distribution Groups,OU=Groups,DC=domain,DC=tld")) {
>                     // not a member of the selected group: do not import
>                     return false
>                 } else {
>                     // member of the selected group: import
>                     return true
>                 }
>             </code>
>         </script>
>     </condition>
>
> Basically, this pulls the value of "memberOf" attributes.  If this 
> attribute doesn't exist - don't import.  If the attribute exists but 
> doesn't match my selected group - don't import.  If the attribute does 
> match my selected group - import.  "memberOf" is a multivalued 
> attribute.  I THINK you would use: basic.getAttributeValue  (Value not 
> Values) if you are using a single valued attribute.
>
> I hope this helps!
> Brad
>
> On 2/15/18, 4:33 AM, Marco Benucci wrote:
>>
>> Hi all,
>>
>> I'm running midpoint 3.6 and I'm configuring an Active Directory 
>> resource using the ADLdap connector (1.5.1).
>> Now, whenever an account is considered "unmatched" I need to create 
>> a user and link the user to that account, but in this AD there are 
>> also many "Computer" objects that, at least for now, I do not want in.
>> The main problem, I think, is that Computers, in AD, also have the 
>> objectClasses "top", "person", "organizationalPerson" and "user", 
>> just like Users, so the workaround
>>
>> <generationConstraints>
>>     <generateObjectClass>ri:user</generateObjectClass>
>>     <generateObjectClass>ri:group</generateObjectClass>
>> </generationConstraints>
>>
>> does not work because Computers share all their classes with Users, 
>> except the "computer" objectClass.
>>
>> Is there a smart way to exclude them during synchronization? I do not 
>> want an unmatched account for a computer to create a user...
>>
>> Thank you,
>> Marco
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
