[midPoint] Link current HR account to existing AD account
Ivan Noris
ivan.noris at evolveum.com
Mon Jun 10 08:43:15 CEST 2019
Hi Rod,
As Chris said, weak would be OK. But I think normal also should not
attempt to change the password: normal means there is a change.
Are the passwords being changed in midpoint as well during the import?
(E.g. are they generated in HR resource inbounds or object template?)
Ivan
On 9. 6. 2019 17:49, Rod Holman wrote:
>
> Hi Chris,
>
> The strength was set to Normal. I will try it with it set to weak.
> Would it also work if the credentials configuration or password were
> temporarily disabled in capabilities?
>
> Thanks,
>
> --Rod
>
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of* Chris Woods
> *Sent:* Sunday, June 9, 2019 10:48 AM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] Link current HR account to existing AD account
>
> Hi Rod,
>
> what is the strength setting set to for the outbound credentials
> mapping? I would set it to weak.
>
> Regards,
>
> Chris
>
> On 9 June 2019 16:09:41, Rod Holman <rholman at oaisd.org
> <mailto:rholman at oaisd.org>> wrote:
>
> Hi All,
>
> Since this is related I thought I'd post my question on this
> stream. When we imported HR accounts in an attempt to link them
> with existing Active Directory accounts some (not all) of the
> Active Directory passwords changed. We do not want any Active
> Directory passwords to change during the import, but still want
> the users to be added to Active Directory groups if applicable.
> What do we have to set to ensure that all Active Directory
> accounts maintain their passwords on this type of import?
>
> Thanks,
>
> --Rod
>
> ------------------------------------------------------------------------
>
> *From:* midPoint <midpoint-bounces at lists.evolveum.com
> <mailto:midpoint-bounces at lists.evolveum.com>> on behalf of Rod
> Holman <rholman at oaisd.org <mailto:rholman at oaisd.org>>
> *Sent:* Friday, March 15, 2019 1:28:46 PM
> *To:* midPoint General Discussion
> *Subject:* Re: [midPoint] Link current HR account to existing AD
> account
>
> Thanks Arnost. I guess that's the question I should have asked
> Jason, should we also import from AD? After I set up the import
> from AD and imported the user everything synced.
>
> Thanks to all who pitched in to help!
>
> --Rod
>
> *From:* midPoint <midpoint-bounces at lists.evolveum.com
> <mailto:midpoint-bounces at lists.evolveum.com>> *On Behalf Of*
> Arnošt Starosta - AMI Praha a.s.
> *Sent:* Friday, March 15, 2019 1:01 PM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>>
> *Subject:* Re: [midPoint] Link current HR account to existing AD
> account
>
> Hi Rod,
>
> as Jason pointed out you should first import or reconcile your AD
> accounts. Does your problem happen when importing from or
> reconciling AD resource? If your correlation rule is ok, midpoint
> should find the corresponding identities and link the existing AD
> accounts.
>
> Also reaction unmatched -> addFocus in your config seems to be
> wrong - you don't want to create identities from AD accounts but
> from HR accounts, right?
>
> arnost
>
> On Fri 15. 3. 2019 at 17:16, Rod Holman <rholman at oaisd.org
> <mailto:rholman at oaisd.org>> wrote:
>
> Thanks for the quick response, but that didn't work. In my
> previous post I stated we are adding the AD resource to the
> user via inducement. I meant projection.
>
> By the way, we are already successfully importing (in test)
> new HR users and they are being added to AD. That works
> great! It's just this initial synchronization of current users.
>
> --Rod
>
> *From:* midPoint <midpoint-bounces at lists.evolveum.com
> <mailto:midpoint-bounces at lists.evolveum.com>> *On Behalf Of*
> Gruber, Michael
> *Sent:* Friday, March 15, 2019 12:02 PM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>>
> *Subject:* Re: [midPoint] Link current HR account to existing
> AD account
>
> Maybe you have to add a matching rule
>
> <q:equal>
>     <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching>
>     <q:path>c:name</q:path>
>     [..]
>
> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com]
> *On Behalf Of* Rod Holman
> *Sent:* Friday, 15 March 2019 16:33
> *To:* midPoint General Discussion
> *Subject:* Re: [midPoint] Link current HR account to existing
> AD account
>
> We are only working with one user until successful then will
> add the rest. We imported the HR user into Midpoint and are
> now trying to sync by adding Medusa Active Directory to that
> user via inducement. We do not have the AD resource set up
> for importing. The HR resource name value is the same as the
> samaccountname value for that user in AD.
>
> --Rod
>
> *From:* midPoint <midpoint-bounces at lists.evolveum.com
> <mailto:midpoint-bounces at lists.evolveum.com>> *On Behalf Of*
> Jason Everling
> *Sent:* Friday, March 15, 2019 11:16 AM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>>
> *Subject:* Re: [midPoint] Link current HR account to existing
> AD account
>
> So you imported all your AD users into midpoint already and
> then trying to import/link the HR users? Or you imported the
> HR users and trying to import/link the AD users? What does the
> resource contain for name and/or dn ?
>
> On Fri, Mar 15, 2019 at 8:52 AM Rod Holman <rholman at oaisd.org
> <mailto:rholman at oaisd.org>> wrote:
>
> Hi All,
>
> For our initial implementation of Midpoint we want to link
> existing accounts from our HR input to their existing
> accounts in active directory. After they are synced we
> want to have Midpoint add/sync users from HR to AD. As a
> test we are trying to link an existing HR account to an
> existing AD account. When we do this an attempt is made
> to add the account to AD no matter what we try causing an
> AlreadyExistsException error. Below is our object
> synchronization for the account. Is it possible that the
> correlation is never matching the two accounts? We tried
> both $account and $shadow in the correlation path. We
> know that the "Name" attribute in the HR account is the
> same as sAMAccountName in AD. Is there something we're
> doing wrong here?
>
> <objectSynchronization>
>     <name>Account sync</name>
>     <objectClass>ri:user</objectClass>
>     <kind>account</kind>
>     <intent>default</intent>
>     <enabled>true</enabled>
>     <correlation>
>         <q:equal>
>             <q:path>c:name</q:path>
>             <expression xmlns="">
>                 <path>$account/attributes/ri:sAMAccountName</path>
>             </expression>
>         </q:equal>
>     </correlation>
>     <reconcile>false</reconcile>
>     <reaction>
>         <situation>linked</situation>
>         <synchronize>true</synchronize>
>         <reconcile>false</reconcile>
>     </reaction>
>     <reaction>
>         <situation>deleted</situation>
>         <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"/>
>     </reaction>
>     <reaction>
>         <situation>unlinked</situation>
>         <reconcile>false</reconcile>
>         <action>
>             <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>         </action>
>     </reaction>
>     <reaction>
>         <situation>unmatched</situation>
>         <reconcile>false</reconcile>
>         <action>
>             <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
>         </action>
>     </reaction>
> </objectSynchronization>
>
> Thank You,
>
> Rod Holman
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> <mailto:midPoint at lists.evolveum.com>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> --
>
> *Arnošt Starosta*
> solution architect
>
> gsm: [+420] 603 794 932
> e‑mail: arnost.starosta at ami.cz <mailto:arnost.starosta at ami.cz>
>
> *AMI Praha a.s.*
> Pláničkova 11, 162 00 Praha 6
>
> tel.: [+420] 274 783 239 | web: www.ami.cz <https://www.ami.cz>
>
--
Ivan Noris
Senior Identity Engineer
evolveum.com