[midPoint] Issues when linking an existing midPoint user to an existing AD account with different DN

Ezequiel Alonso ealonso at identicum.com
Fri Jun 1 23:01:16 CEST 2018


Hi,

We are working with the "ad-ldap-medusa-medium" resource, synchronizing
midPoint users against existing AD accounts as part of the initial
migration.

Newest AD accounts should be in "OU=People,DC=example,DC=net", and older
accounts may already be placed in many different DNs under
"OU=UnpredictableOfficeNumber,OU=People,DC=example,DC=net".

We have already created the users on midPoint taking into account that the
correlation matching rule is user/name == sAMAccountName. So, at this point
we can see that the shadow users are presented as unlinked.

If the account DN is equal to the DN generated by the resource mapping, the
account gets linked when we assign the resource to the user. But if the
existing account DN is not equal to the resource-generated DN (for example,
the resource is generating "CN=User123,OU=People,DC=example,DC=net" but the
account exists at "CN=User123,OU=Office123,OU=People,DC=example,DC=net"),
we are getting the following issue when we assign the AD resource to the
user: midPoint is not linking the account and it tries to create the user in
"CN=User123,OU=People,DC=example,DC=net" instead of modifying the user DN
to "CN=User123,OU=People,DC=example,DC=net" (we added strength strong to
the dn mapping and we also tested with strength weak), so we are getting the
following error message:

"Couldn't add object. Object already exists: Object already exists on the
resource".


It's strange because if we import the account manually from the resource,
it links the midPoint user with the AD account and modifies the DN.

Our goal is to link the existing midPoint user with the existing AD account by
matching name against sAMAccountName and override the unpredictable and
unknown DN with a friendlier DN, if it's possible, or at least link the
user without modifying the DN.

-- 
*Ezequiel Alonso*
Identicum S.A.
Jorge Newbery 3226, Buenos Aires, Argentina
<https://maps.google.com/?q=Jorge+Newbery+3226>
Tel: +54 (11) 4552-3050
www.identicum.com
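The following is an added illustration, not code from the post and not midPoint's own implementation. It models the two ways of deciding "is this my account" that the post contrasts: correlation by sAMAccountName (identity) with the DN treated only as the account's location, versus treating the mapped DN as the identity, which is the behaviour that surfaces as "Object already exists". The functions, the `Account`/`User` types, the `dn_strength` parameter and the sample directory entries are all constructed for this example; the DNs mirror the ones quoted in the post.

```python
"""Constructed example (not midPoint's code): correlation-by-name vs. DN-as-identity.

Models the situation in the post: an IdM user must be linked to an existing
directory account whose DN does not match the DN the outbound mapping would
generate. Identity is decided by sAMAccountName; the DN is only a location.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    dn: str                # where the account currently lives in AD
    sam_account_name: str  # the correlation key (AD keeps it unique per domain)


@dataclass(frozen=True)
class User:
    name: str              # IdM user/name, matched against sAMAccountName


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, lower-casing both.
    Assumption: no escaped commas or multi-valued RDNs in these sample DNs."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def dn_equal(a: str, b: str) -> bool:
    """Case-insensitive DN comparison, which is how AD compares DNs."""
    return parse_dn(a) == parse_dn(b)


def generated_dn(user: User) -> str:
    """The resource's outbound DN mapping from the post: everyone under OU=People."""
    return f"CN={user.name},OU=People,DC=example,DC=net"


def correlate(user: User, accounts: List[Account]) -> Optional[Account]:
    """Correlation rule from the post: user/name == sAMAccountName (case-insensitive).
    More than one match is refused rather than guessed, so a user is never
    silently linked to someone else's account."""
    matches = [a for a in accounts if a.sam_account_name.lower() == user.name.lower()]
    if len(matches) > 1:
        raise ValueError(f"ambiguous correlation for {user.name}: {[a.dn for a in matches]}")
    return matches[0] if matches else None


def plan_assignment(user: User, accounts: List[Account],
                    dn_strength: str = "strong") -> Tuple[str, str]:
    """Decide what assigning the resource should do when correlation decides identity.

    Returns (action, dn):
      ("create", target)      no correlated account exists
      ("link", existing_dn)   correlated account already at the mapped DN, or the
                              dn mapping is weak so the existing DN is kept
      ("link+move", target)   correlated account lives elsewhere and the dn
                              mapping is strong, so it is linked and then moved
    """
    target = generated_dn(user)
    existing = correlate(user, accounts)
    if existing is None:
        return ("create", target)
    if dn_equal(existing.dn, target) or dn_strength != "strong":
        return ("link", existing.dn)
    return ("link+move", target)


def naive_plan(user: User, accounts: List[Account]) -> Tuple[str, str]:
    """The failure mode described in the post, reproduced deliberately:
    identity is decided by DN, so an account that correlates by name but lives
    at another DN is never recognised, and the add collides on sAMAccountName."""
    target = generated_dn(user)
    if any(dn_equal(a.dn, target) for a in accounts):
        return ("link", target)
    if any(a.sam_account_name.lower() == user.name.lower() for a in accounts):
        return ("error", "Object already exists on the resource")
    return ("create", target)


# Constructed sample directory, mirroring the DNs quoted in the post.
ACCOUNTS = [
    Account("CN=User123,OU=Office123,OU=People,DC=example,DC=net", "User123"),
    Account("CN=User456,OU=People,DC=example,DC=net", "User456"),
]

if __name__ == "__main__":
    for name in ("User123", "User456", "User789"):
        u = User(name)
        print(name, "correlation-first:", plan_assignment(u, ACCOUNTS),
              "| naive:", naive_plan(u, ACCOUNTS))
```

Running it shows User123 planned as "link+move" (or plain "link" with a weak dn mapping) under correlation-first logic, while the naive DN-keyed plan reports the "already exists" collision for the same user. Two design choices matter for a migration like this: the correlation key, not the DN, must answer the identity question before any add is attempted, and an ambiguous correlation should stop the operation rather than pick a candidate, because linking to the wrong account hands one person's entitlements to another.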