[midPoint] exclude account from synchronization
Jason Everling
jeverling at bshp.edu
Thu Feb 15 16:39:30 CET 2018
If you go the route Brad mentioned you wouldn't run into that issue, because
you can have a condition for each intent. You can also use the built-in AD
groups for users and computers.
Going off his,
Intent: user
<condition>
  <script>
    <code>
      // memberOf holds the DNs of the groups the account is a member of
      mem = basic.getAttributeValues(shadow, "memberOf")
      if (mem == null) {
        return false
      }
      else if (!mem.contains("CN=Domain Users,CN=Users,DC=domain,DC=tld")) {
        return false
      }
      else if (mem.contains("CN=Domain Users,CN=Users,DC=domain,DC=tld")) {
        return true
      }
    </code>
  </script>
</condition>
Intent: computer
<condition>
  <script>
    <code>
      mem = basic.getAttributeValues(shadow, "memberOf")
      if (mem == null) {
        return false
      }
      else if (!mem.contains("CN=Domain Computers,CN=Users,DC=domain,DC=tld")) {
        return false
      }
      else if (mem.contains("CN=Domain Computers,CN=Users,DC=domain,DC=tld")) {
        return true
      }
    </code>
  </script>
</condition>
JASON
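As an added example (my own, not code from Jason, Brad or the midPoint project), here is a per-intent condition that keys on objectCategory instead of memberOf. It assumes the AD LDAP connector returns objectCategory for the account (Marco's protected filter below already references attributes/ri:objectCategory) and uses CN=Schema,CN=Configuration,DC=example,DC=com as the forest's schema naming context, which you must replace with your own. One caveat worth knowing before relying on memberOf for this: AD stores an object's primary group in primaryGroupID and does not list it in memberOf, and Domain Users / Domain Computers are the default primary groups, so a memberOf test for those two groups returns false for most objects. objectCategory is single-valued and fixed by the schema (CN=Person for users, CN=Computer for computers), so it separates the two kinds of account without depending on group membership. The script below runs stand-alone on constructed sample values; the comment shows the line that goes into the resource's <condition> element.

```groovy
// Added example, not from the thread or from midPoint itself.
// Decides whether an AD shadow belongs to a given intent by its objectCategory.
//
// Assumptions (replace for your environment):
//   - the connector fetches objectCategory, reachable in a midPoint script as
//     basic.getAttributeValue(shadow, "objectCategory")  (single-valued attribute)
//   - the schema naming context below is the example one from Marco's filter
String schemaNc = "CN=Schema,CN=Configuration,DC=example,DC=com"

// AD facts used here: objectCategory is CN=Person,<schemaNc> for user objects and
// CN=Computer,<schemaNc> for computer objects; DNs compare case-insensitively.
// A missing attribute means "do not synchronize" rather than "treat as user".
Closure<Boolean> matchesCategory = { String objectCategory, String wantedCn ->
    if (objectCategory == null) {
        return false
    }
    String expected = "CN=${wantedCn},${schemaNc}"
    return objectCategory.equalsIgnoreCase(expected)
}

// In the resource's synchronization section the user intent's condition becomes:
//   <condition><script><code>
//     cat = basic.getAttributeValue(shadow, "objectCategory")
//     return cat != null &amp;&amp; cat.equalsIgnoreCase("CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com")
//   </code></script></condition>
// and the computer intent uses CN=Computer in the same place.

// Constructed sample values standing in for basic.getAttributeValue(shadow, "objectCategory").
Map<String, String> samples = [
    "user jdoe"    : "CN=Person,${schemaNc}".toString(),
    "computer ws01": "CN=computer,${schemaNc}".toString(),   // mixed case on purpose
    "no category"  : null,
]

samples.each { String name, String cat ->
    println "${name}: user-intent=${matchesCategory(cat, 'Person')} " +
            "computer-intent=${matchesCategory(cat, 'Computer')}"
}

// Expected decisions: users only match the user intent, computers only the
// computer intent, and an account without objectCategory matches neither.
assert matchesCategory(samples["user jdoe"], "Person")
assert !matchesCategory(samples["user jdoe"], "Computer")
assert matchesCategory(samples["computer ws01"], "Computer")
assert !matchesCategory(samples["computer ws01"], "Person")
assert !matchesCategory(samples["no category"], "Person")
assert !matchesCategory(samples["no category"], "Computer")
```

Run it with `groovy objectcategory.groovy`; the asserts at the bottom fail loudly if the comparison is wrong. Because both intents return false for an account with no objectCategory, such an account ends up in neither intent and is not synchronized, which is the safer default for an "unmatched" reaction that creates users.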
On Thu, Feb 15, 2018 at 9:11 AM, Marco Benucci <m.benucci at nsr.it> wrote:
> Thank you for your reply Brad, it surely works.
>
> By the way, I have found another solution on the wiki to handle such
> situations. It's about Protected Accounts
> (https://wiki.evolveum.com/display/midPoint/Protected+Accounts).
> Basically, protected accounts will be ignored in import, live sync,
> reconciliation or any other synchronization mechanism.
> You can just add the "protected" code to filter objects during the above
> phases.
> <schemaHandling>
>   ...
>   <objectType>
>     <protected>
>       <filter>
>         <q:equal>
>           <q:path>declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"; attributes/ri:objectCategory</q:path>
>           <q:value>CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com</q:value>
>         </q:equal>
>       </filter>
>     </protected>
>     ...
>   </objectType>
> </schemaHandling>
>
> I think it's a viable solution, for now, but maybe it's not the perfect
> one...
> E.g. in future I would like to manage Computers too (maybe as a Service?),
> using the "Computer" class loaded by the connector in the resource schema.
> What happens if I mark that account as "protected" in one schemaHandling,
> but in another schemaHandling that account (is that actually the same
> account??) is not protected?
>
> I'll let you know.
>
> Marco
>
>
>
> On 02/15/2018 03:19 PM, Brad Firestone wrote:
>
> Hello Marco,
>
> I'm not sure if this will help you, but below is the conditional script I
> use in my AD Resource to import/sync only AD accounts that are members of
> one certain AD Distribution Group. Maybe you can use something similar if
> you can find a property that is unique to people or computers. I don't
> know enough about AD to point to the exact attribute you might want to use.
>
> <condition>
>   <script>
>     <code>
>       // memberOf is multivalued: the DNs of the groups this account belongs to
>       mem = basic.getAttributeValues(shadow, "memberOf")
>       if (mem == null) {
>         return false
>       }
>       else if (!mem.contains("CN=MyGroup,OU=Distribution Groups,OU=Groups,DC=domain,DC=tld")) {
>         return false
>       }
>       else if (mem.contains("CN=MyGroup,OU=Distribution Groups,OU=Groups,DC=domain,DC=tld")) {
>         return true
>       }
>     </code>
>   </script>
> </condition>
>
> Basically, this pulls the value of "memberOf" attributes. If this
> attribute doesn't exist - don't import. If the attribute exists but
> doesn't match my selected group - don't import. If the attribute does
> match my selected group - import. "memberOf" is a multivalued attribute.
> I THINK you would use: basic.getAttributeValue (Value not Values) if you
> are using a single valued attribute.
>
> I hope this helps!
> Brad
>
> On 2/15/18, 4:33 AM, Marco Benucci wrote:
>
> Hi all,
>
> I'm running midPoint 3.6 and I'm configuring an Active Directory resource
> using the ADLdap connector (1.5.1).
> Now, whenever an account is considered "unmatched" I need to create a
> user and link the user to that account, but in this AD there are also many
> "Computer" objects that, at least for now, I do not want in.
> The main problem, I think, is that Computers in AD also have the
> objectClasses "top", "person", "organizationalPerson" and "user", just like
> Users, so the workaround
>
> <generationConstraints>
> <generateObjectClass>ri:user</generateObjectClass>
> <generateObjectClass>ri:group</generateObjectClass>
> </generationConstraints>
>
> does not work because Computers share all their classes with Users, except
> the "computer" objectClass.
>
> Is there a smart way to exclude them during synchronization? I do not want
> an unmatched account for a computer to create a user...
>
> Thank you,
> Marco
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>