[midPoint] exclude account from synchronization
Marco Benucci
m.benucci at nsr.it
Thu Feb 15 16:11:56 CET 2018
Thank you for your reply Brad, it surely works.
By the way, I have found another solution on the wiki to handle such
situations. It's about Protected Accounts
(https://wiki.evolveum.com/display/midPoint/Protected+Accounts).
Basically, protected accounts will be ignored in import, live sync,
reconciliation or any other synchronization mechanism.
You can just add the "protected" code to filter objects during the above
phases.
<schemaHandling>
    ...
    <objectType>
        <protected>
            <filter>
                <q:equal>
                    <q:path>declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
                            attributes/ri:objectCategory</q:path>
                    <q:value>CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com</q:value>
                </q:equal>
            </filter>
        </protected>
        ...
    </objectType>
</schemaHandling>
I think it's a viable solution, for now, but maybe it's not the perfect
one...
E.g. in the future I would like to manage Computers too (maybe as a
Service?), using the "Computer" class loaded by the connector in the
resource schema. What happens if I mark that account as "protected" in
one schemaHandling, but in another schemaHandling that account (is it
actually the same account??) is not protected?
I'll let you know.
Marco
On 02/15/2018 03:19 PM, Brad Firestone wrote:
> Hello Marco,
>
> I'm not sure if this will help you, but below is the conditional
> script I use in my AD Resource to import/sync only AD accounts who are
> members of one certain AD Distribution Group. Maybe you can use
> something similar if you can find a property that is unique to people
> or computers. I don't know enough about AD to point to the exact
> attribute you might want to use.
>
> <condition>
>     <script>
>         <code>
>             // memberOf is multivalued: collect all group DNs (null when the attribute is absent)
>             mem = basic.getAttributeValues(shadow, "memberOf")
>             if (mem == null) {
>                 return false
>             } else if (!mem.contains("CN=MyGroup,OU=Distribution Groups,OU=Groups,DC=domain,DC=tld")) {
>                 return false
>             } else {
>                 return true
>             }
>         </code>
>     </script>
> </condition>
>
> Basically, this pulls the values of the "memberOf" attribute. If this
> attribute doesn't exist - don't import. If the attribute exists but
> doesn't match my selected group - don't import. If the attribute does
> match my selected group - import. "memberOf" is a multivalued
> attribute. I THINK you would use basic.getAttributeValue (Value, not
> Values) if you are using a single-valued attribute.
>
> I hope this helps!
> Brad
>
> On 2/15/18, 4:33 AM, Marco Benucci wrote:
>>
>> Hi all,
>>
>> I'm running midPoint 3.6 and I'm configuring an Active Directory
>> resource using the ADLdap connector (1.5.1).
>> Now, whenever an account is considered "unmatched" I need to create
>> a user and link the user to that account, but in this AD there are
>> also many "Computer" objects that, at least for now, I do not want in.
>> The main problem, I think, is that Computers, in AD, also have the
>> objectClasses "top", "person", "organizationalPerson" and "user",
>> just like Users, so the workaround
>>
>> <generationConstraints>
>>     <generateObjectClass>ri:user</generateObjectClass>
>>     <generateObjectClass>ri:group</generateObjectClass>
>> </generationConstraints>
>>
>> does not work because Computers share all their classes with Users,
>> except the "computer" objectClass.
>>
>> Is there a smart way to exclude them during synchronization? I do not
>> want an unmatched account for a computer to create a user...
>>
>> Thank you,
>> Marco
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
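An added example of the condition-script approach Brad describes, applied to Marco's computer-account problem. This script is not from either message and is not midPoint's own code. It assumes, as Brad's snippet does, that the synchronization <condition> runs with the "shadow" variable and the "basic" function library bound, and that the ADLdap connector returns AD's objectCategory as the ri:objectCategory attribute that Marco's protected-account filter already queries. The domain DN is the example.com placeholder from that filter.

```groovy
// Added example (not from the thread, not from midPoint). Meant as the body of
// <condition><script><code> in the objectSynchronization for ri:user.
// Assumptions: `shadow` and `basic` are bound as in Brad's script, and the connector
// exposes AD's objectCategory as attribute ri:objectCategory. The DC=example,DC=com
// part is a placeholder for the real forest's schema naming context.
def computerCategory = "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com"

// objectCategory is single-valued in AD, so getAttributeValue (not getAttributeValues) fits.
def category = basic.getAttributeValue(shadow, "objectCategory")

if (category == null) {
    // The connector returned no objectCategory. Refuse rather than guess, so that an
    // unexpected object never turns into a midPoint user by default. If this fires for
    // genuine person accounts, the attribute is missing from the resource schema.
    return false
}

// objectCategory is a DN, and DN matching in AD is case-insensitive, so do not use ==.
if (computerCategory.equalsIgnoreCase(category.toString())) {
    // Computer account: leave it out of the ri:user synchronization entirely.
    return false
}

// Anything else (typically objectCategory CN=Person,...) is treated as a person account.
return true
```

Unlike the protected-account filter in schemaHandling, this keeps the decision inside the synchronization section where Brad's memberOf check already lives, so both tests can be combined in one script (return false as soon as either fails). Either way the default for an unknown or missing attribute is to skip the object, so an unmatched computer account cannot silently create a user.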