[midPoint] Link current HR account to existing AD account

Chris Woods chris at cmwoods.com
Sun Jun 9 18:10:52 CEST 2019


Hi Rod,

That would have been my other suggestion. Just for the initial import. 
However, I think the weak setting should be OK.

Regards, Chris

On 9 June 2019 at 17:49:37, Rod Holman <rholman at oaisd.org> wrote:
> Hi Chris,
>
> The strength was set to Normal.  I will try it with it set to weak.  Would 
> it also work if the credentials configuration or password were temporarily 
> disabled in capabilities?
>
> Thanks,
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com>
> On Behalf Of Chris Woods
> Sent: Sunday, June 9, 2019 10:48 AM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Hi Rod,
>
> what is the strength setting set to for the outbound credentials mapping? I 
> would set it to weak.
>
> Regards,
> Chris
> On 9 June 2019 at 16:09:41, Rod Holman <rholman at oaisd.org> wrote:
> Hi All,
>
> Since this is related I thought I'd post my question on this stream.  When 
> we imported hr accounts in an attempt to link them with existing Active 
> Directory accounts some (not all) of the Active Directory passwords 
> changed.  We do not want any Active Directory passwords to change during 
> the import, but still want the users to be added to Active Directory groups 
> if applicable.  What do we have to set to ensure that all Active Directory 
> accounts maintain their passwords on this type of import?
>
> Thanks,
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Rod 
> Holman <rholman at oaisd.org>
> Sent: Friday, March 15, 2019 1:28:46 PM
> To: midPoint General Discussion
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Thanks Arnost.  I guess that’s the question I should have asked Jason, 
> should we also import from AD?  After I set up the import from AD and 
> imported the user everything synced.
>
> Thanks to all who pitched in to help!
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com>
> On Behalf Of Arnošt Starosta - AMI Praha a.s.
> Sent: Friday, March 15, 2019 1:01 PM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Hi Rod,
>
> as Jason pointed out you should first import or reconcile your AD accounts. 
> Does your problem happen when importing from or reconciling AD resource? If 
> your correlation rule is ok, midpoint should find the corresponding 
> identities and link the existing AD accounts.
>
> Also reaction unmatched -> addFocus in your config seems to be wrong - you 
> don't want to create identities from AD accounts but from HR accounts, right?
>
> arnost
>
> On Fri, 15 Mar 2019 at 17:16, Rod Holman <rholman at oaisd.org> wrote:
> Thanks for the quick response, but that didn’t work.  In my previous post I 
> stated we are adding the AD resource to the user via inducement.  I meant 
> projection.
>
> By the way, we are already successfully importing (in test) new HR users 
> and they are being added to AD.  That works great!  It’s just this initial 
> synchronization of current users.
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com>
> On Behalf Of Gruber, Michael
> Sent: Friday, March 15, 2019 12:02 PM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Maybe you have to add a matching rule
>
> <q:equal>
>            <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching>
>            <q:path>c:name</q:path>
>            [..]
>
> From: midPoint [mailto:midpoint-bounces at lists.evolveum.com]
> On Behalf Of Rod Holman
> Sent: Friday, 15 March 2019 16:33
> To: midPoint General Discussion
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> We are only working with one user until successful then will add the rest.  
> We imported the HR user into Midpoint and are now trying to sync by adding 
> Medusa Active Directory to that user via inducement.  We do not have the AD 
> resource set up for importing.  The HR resource name value is the same as 
> the samaccountname value for that user in AD.
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com>
> On Behalf Of Jason Everling
> Sent: Friday, March 15, 2019 11:16 AM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> So you imported all your AD users into midpoint already and then trying to 
> import/link the HR users? Or you imported the HR users and trying to 
> import/link the AD users? What does the resource contain for name and/or dn ?
>
>
>
>
> On Fri, Mar 15, 2019 at 8:52 AM Rod Holman <rholman at oaisd.org> wrote:
> Hi All,
>
> For our initial implementation of Midpoint we want to link existing 
> accounts from our HR input to their existing accounts in active directory.  
> After they are synced we want to have Midpoint add/sync users from HR to 
> AD.  As a test we are trying to link an existing HR account to an existing 
> AD account.  When we do this an attempt is made to add the account to AD no 
> matter what we try causing an AlreadyExistsException error.  Below is our 
> object synchronization for the account.  Is it possible that the 
> correlation is never matching the two accounts?  We tried both $account and 
> $shadow in the correlation path.  We know that the “Name” attribute in the 
> HR account is the same as sAMAccountName in AD.   Is there something we’re 
> doing wrong here?
>
> <objectSynchronization>
>            <name>Account sync</name>
>            <objectClass>ri:user</objectClass>
>            <kind>account</kind>
>            <intent>default</intent>
>            <enabled>true</enabled>
>            <correlation>
>                <q:equal>
>                    <q:path>c:name</q:path>
>                    <expression xmlns="">
>                        <path>$account/attributes/ri:sAMAccountName</path>
>                    </expression>
>                </q:equal>
>            </correlation>
>            <reconcile>false</reconcile>
>            <reaction>
>                <situation>linked</situation>
>                <synchronize>true</synchronize>
>                <reconcile>false</reconcile>
>            </reaction>
>            <reaction>
>                <situation>deleted</situation>
>                <action 
>                ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"/>
>            </reaction>
>            <reaction>
>                <situation>unlinked</situation>
>                <reconcile>false</reconcile>
>                <action>
>                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>                </action>
>            </reaction>
>            <reaction>
>                <situation>unmatched</situation>
>                <reconcile>false</reconcile>
>                <action>
>                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
>                </action>
>            </reaction>
>        </objectSynchronization>
>
> Thank You,
> Rod Holman
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> --
> Arnošt Starosta
> solution architect
> gsm: [+420] 603 794 932
> e‑mail: arnost.starosta at ami.cz
> AMI Praha a.s.
> Pláničkova 11, 162 00 Praha 6
> tel.: [+420] 274 783 239 | web: www.ami.cz
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
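
The two configuration suggestions made in this thread, put together as an added example that is not taken from any poster's actual resource definition: an outbound password mapping with `weak` strength, and a correlation condition using the `polyStringNorm` matching rule. The enclosing `objectType` layout, the `asIs` expression, and the declaration of the `c:`, `q:` and `ri:` prefixes on the resource are assumptions made for illustration.

```xml
<!-- Added example: two fragments of an AD resource definition.
     Prefixes c:, q: and ri: are assumed to be declared on the enclosing <resource>. -->

<!-- 1. Under <schemaHandling>: outbound password mapping with weak strength.
     A weak mapping supplies a value only when the target has none;
     it does not overwrite a value that is already there. -->
<objectType>
    <kind>account</kind>
    <intent>default</intent>
    <objectClass>ri:user</objectClass>
    <credentials>
        <password>
            <outbound>
                <strength>weak</strength>   <!-- the thread reports this was set to normal -->
                <expression>
                    <asIs/>                 <!-- assumption: password passed through unchanged -->
                </expression>
            </outbound>
        </password>
    </credentials>
</objectType>

<!-- 2. Under <synchronization>: correlate the focus name with sAMAccountName,
     comparing normalized PolyString values as suggested in the thread. -->
<objectSynchronization>
    <name>Account sync</name>
    <objectClass>ri:user</objectClass>
    <kind>account</kind>
    <intent>default</intent>
    <enabled>true</enabled>
    <correlation>
        <q:equal>
            <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching>
            <q:path>c:name</q:path>
            <expression>
                <path>$account/attributes/ri:sAMAccountName</path>
            </expression>
        </q:equal>
    </correlation>
    <!-- reaction elements follow here, as in the configuration quoted in the thread -->
</objectSynchronization>
```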
