[midPoint] Link current HR account to existing AD account
Chris Woods
chris at cmwoods.com
Sun Jun 9 18:10:52 CEST 2019
Hi Rod,
That would have been my other suggestion. Just for the initial import.
However, I think the weak setting should be OK.
Regards, Chris
On 9 June 2019 at 17:49:37, Rod Holman <rholman at oaisd.org> wrote:
> Hi Chris,
>
> The strength was set to Normal. I will try it with it set to weak. Would
> it also work if the credentials configuration or password were temporarily
> disabled in capabilities?
>
> Thanks,
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com>
> On Behalf Of Chris Woods
> Sent: Sunday, June 9, 2019 10:48 AM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Hi Rod,
>
> what is the strength setting set to for the outbound credentials mapping? I
> would set it to weak.
>
> Regards,
> Chris
> On 9 June 2019 at 16:09:41, Rod Holman <rholman at oaisd.org> wrote:
> Hi All,
>
> Since this is related I thought I'd post my question on this thread. When
> we imported HR accounts in an attempt to link them with existing Active
> Directory accounts, some (not all) of the Active Directory passwords
> changed. We do not want any Active Directory passwords to change during
> the import, but we still want the users to be added to Active Directory groups
> if applicable. What do we have to set to ensure that all Active Directory
> accounts keep their passwords on this type of import?
>
> Thanks,
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Rod
> Holman <rholman at oaisd.org>
> Sent: Friday, March 15, 2019 1:28:46 PM
> To: midPoint General Discussion
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Thanks Arnost. I guess that’s the question I should have asked Jason,
> should we also import from AD? After I set up the import from AD and
> imported the user everything synced.
>
> Thanks to all who pitched in to help!
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com>
> On Behalf Of Arnošt Starosta - AMI Praha a.s.
> Sent: Friday, March 15, 2019 1:01 PM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Hi Rod,
>
> as Jason pointed out you should first import or reconcile your AD accounts.
> Does your problem happen when importing from or reconciling AD resource? If
> your correlation rule is ok, midpoint should find the corresponding
> identities and link the existing AD accounts.
>
> Also reaction unmatched -> addFocus in your config seems to be wrong - you
> don't want to create identities from AD accounts but from HR accounts, right?
>
> arnost
>
> On Fri, 15 Mar 2019 at 17:16, Rod Holman <rholman at oaisd.org> wrote:
> Thanks for the quick response, but that didn’t work. In my previous post I
> stated we are adding the AD resource to the user via inducement. I meant
> projection.
>
> By the way, we are already successfully importing (in test) new HR users
> and they are being added to AD. That works great! It’s just this initial
> synchronization of current users.
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com>
> On Behalf Of Gruber, Michael
> Sent: Friday, March 15, 2019 12:02 PM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Maybe you have to add a matching rule
>
> <q:equal>
> <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching>
> <q:path>c:name</q:path>
> [..]
>
> From: midPoint [mailto:midpoint-bounces at lists.evolveum.com]
> On Behalf Of Rod Holman
> Sent: Friday, 15 March 2019 16:33
> To: midPoint General Discussion
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> We are only working with one user until successful then will add the rest.
> We imported the HR user into Midpoint and are now trying to sync by adding
> Medusa Active Directory to that user via inducement. We do not have the AD
> resource set up for importing. The HR resource name value is the same as
> the samaccountname value for that user in AD.
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com>
> On Behalf Of Jason Everling
> Sent: Friday, March 15, 2019 11:16 AM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> So you imported all your AD users into midPoint already and are now trying to
> import/link the HR users? Or you imported the HR users and are trying to
> import/link the AD users? What does the resource contain for name and/or dn?
>
> On Fri, Mar 15, 2019 at 8:52 AM Rod Holman <rholman at oaisd.org> wrote:
> Hi All,
>
> For our initial implementation of Midpoint we want to link existing
> accounts from our HR input to their existing accounts in active directory.
> After they are synced we want to have Midpoint add/sync users from HR to
> AD. As a test we are trying to link an existing HR account to an existing
> AD account. When we do this an attempt is made to add the account to AD no
> matter what we try causing an AlreadyExistsException error. Below is our
> object synchronization for the account. Is it possible that the
> correlation is never matching the two accounts? We tried both $account and
> $shadow in the correlation path. We know that the “Name” attribute in the
> HR account is the same as sAMAccountName in AD. Is there something we’re
> doing wrong here?
>
> <objectSynchronization>
>   <name>Account sync</name>
>   <objectClass>ri:user</objectClass>
>   <kind>account</kind>
>   <intent>default</intent>
>   <enabled>true</enabled>
>   <correlation>
>     <q:equal>
>       <q:path>c:name</q:path>
>       <expression xmlns="">
>         <path>$account/attributes/ri:sAMAccountName</path>
>       </expression>
>     </q:equal>
>   </correlation>
>   <reconcile>false</reconcile>
>   <reaction>
>     <situation>linked</situation>
>     <synchronize>true</synchronize>
>     <reconcile>false</reconcile>
>   </reaction>
>   <reaction>
>     <situation>deleted</situation>
>     <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"/>
>   </reaction>
>   <reaction>
>     <situation>unlinked</situation>
>     <reconcile>false</reconcile>
>     <action>
>       <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>     </action>
>   </reaction>
>   <reaction>
>     <situation>unmatched</situation>
>     <reconcile>false</reconcile>
>     <action>
>       <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
>     </action>
>   </reaction>
> </objectSynchronization>
>
> Thank You,
> Rod Holman
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Arnošt Starosta
> solution architect
> gsm: [+420] 603 794 932
> e‑mail: arnost.starosta at ami.cz
> AMI Praha a.s.
> Pláničkova 11, 162 00 Praha 6
> tel.: [+420] 274 783 239 | web: www.ami.cz
>