[midPoint] Link current HR account to existing AD account

Ivan Noris ivan.noris at evolveum.com
Mon Jun 10 08:43:15 CEST 2019


Hi Rod,

As Chris said, weak would be OK. But I think normal should also not
attempt to change the password. Normal means there is a change.

Are the passwords being changed in midpoint as well during the import?
(E.g. are they generated in HR resource inbounds or object template?)

Ivan

On 9. 6. 2019 17:49, Rod Holman wrote:
>
> Hi Chris,
>
> The strength was set to Normal.  I will try it with it set to weak.
> Would it also work if the credentials configuration or password were
> temporarily disabled in capabilities?
>
> Thanks,
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Chris Woods
> Sent: Sunday, June 9, 2019 10:48 AM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Hi Rod,
>
> what is the strength setting set to for the outbound credentials
> mapping? I would set it to weak.
>
> Regards,
>
> Chris
>
> On 9 June 2019 16:09:41, Rod Holman <rholman at oaisd.org> wrote:
>
>     Hi All,
>
>     Since this is related I thought I'd post my question on this
>     stream.  When we imported HR accounts in an attempt to link them
>     with existing Active Directory accounts some (not all) of the
>     Active Directory passwords changed.  We do not want any Active
>     Directory passwords to change during the import, but still want
>     the users to be added to Active Directory groups if applicable.
>     What do we have to set to ensure that all Active Directory
>     accounts maintain their passwords on this type of import?
>
>     Thanks,
>
>     --Rod
>
>     ------------------------------------------------------------------------
>
>     From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Rod Holman <rholman at oaisd.org>
>     Sent: Friday, March 15, 2019 1:28:46 PM
>     To: midPoint General Discussion
>     Subject: Re: [midPoint] Link current HR account to existing AD account
>
>     Thanks Arnost.  I guess that's the question I should have asked
>     Jason, should we also import from AD?  After I set up the import
>     from AD and imported the user everything synced.
>
>     Thanks to all who pitched in to help!
>
>     --Rod
>
>     From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Arnošt Starosta - AMI Praha a.s.
>     Sent: Friday, March 15, 2019 1:01 PM
>     To: midPoint General Discussion <midpoint at lists.evolveum.com>
>     Subject: Re: [midPoint] Link current HR account to existing AD account
>
>     Hi Rod,
>
>     as Jason pointed out you should first import or reconcile your AD
>     accounts. Does your problem happen when importing from or
>     reconciling AD resource? If your correlation rule is ok, midpoint
>     should find the corresponding identities and link the existing AD
>     accounts.
>
>     Also reaction unmatched -> addFocus in your config seems to be
>     wrong - you don't want to create identities from AD accounts but
>     from HR accounts, right?
>
>     arnost
>
>     On Fri, 15 Mar 2019 at 17:16, Rod Holman <rholman at oaisd.org> wrote:
>
>         Thanks for the quick response, but that didn't work.  In my
>         previous post I stated we are adding the AD resource to the
>         user via inducement.  I meant projection.
>
>         By the way, we are already successfully importing (in test)
>         new HR users and they are being added to AD.  That works
>         great!  It's just this initial synchronization of current users.
>
>         --Rod
>
>         From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Gruber, Michael
>         Sent: Friday, March 15, 2019 12:02 PM
>         To: midPoint General Discussion <midpoint at lists.evolveum.com>
>         Subject: Re: [midPoint] Link current HR account to existing AD account
>
>         Maybe you have to add a matching rule
>
>         <q:equal>
>             <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching>
>             <q:path>c:name</q:path>
>             [..]
>
>         From: midPoint [mailto:midpoint-bounces at lists.evolveum.com]
>         On Behalf Of Rod Holman
>         Sent: Friday, 15 March 2019 16:33
>         To: midPoint General Discussion
>         Subject: Re: [midPoint] Link current HR account to existing AD account
>
>         We are only working with one user until successful then will
>         add the rest.  We imported the HR user into Midpoint and are
>         now trying to sync by adding Medusa Active Directory to that
>         user via inducement.  We do not have the AD resource set up
>         for importing.  The HR resource name value is the same as the
>         samaccountname value for that user in AD.
>
>         --Rod
>
>         From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Jason Everling
>         Sent: Friday, March 15, 2019 11:16 AM
>         To: midPoint General Discussion <midpoint at lists.evolveum.com>
>         Subject: Re: [midPoint] Link current HR account to existing AD account
>
>         So you imported all your AD users into midpoint already and
>         then trying to import/link the HR users? Or you imported the
>         HR users and trying to import/link the AD users? What does the
>         resource contain for name and/or dn ?
>
>         On Fri, Mar 15, 2019 at 8:52 AM Rod Holman <rholman at oaisd.org> wrote:
>
>             Hi All,
>
>
>             For our initial implementation of Midpoint we want to link
>             existing accounts from our HR input to their existing
>             accounts in active directory.  After they are synced we
>             want to have Midpoint add/sync users from HR to AD.  As a
>             test we are trying to link an existing HR account to an
>             existing AD account.  When we do this an attempt is made
>             to add the account to AD no matter what we try causing an
>             AlreadyExistsException error.  Below is our object
>             synchronization for the account.  Is it possible that the
>             correlation is never matching the two accounts?  We tried
>             both $account and $shadow in the correlation path.  We
>             know that the “Name” attribute in the HR account is the
>             same as sAMAccountName in AD.   Is there something we’re
>             doing wrong here?
>
>             <objectSynchronization>
>                 <name>Account sync</name>
>                 <objectClass>ri:user</objectClass>
>                 <kind>account</kind>
>                 <intent>default</intent>
>                 <enabled>true</enabled>
>                 <correlation>
>                     <q:equal>
>                         <q:path>c:name</q:path>
>                         <expression xmlns="">
>                             <path>$account/attributes/ri:sAMAccountName</path>
>                         </expression>
>                     </q:equal>
>                 </correlation>
>                 <reconcile>false</reconcile>
>                 <reaction>
>                     <situation>linked</situation>
>                     <synchronize>true</synchronize>
>                     <reconcile>false</reconcile>
>                 </reaction>
>                 <reaction>
>                     <situation>deleted</situation>
>                     <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"/>
>                 </reaction>
>                 <reaction>
>                     <situation>unlinked</situation>
>                     <reconcile>false</reconcile>
>                     <action>
>                         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>                     </action>
>                 </reaction>
>                 <reaction>
>                     <situation>unmatched</situation>
>                     <reconcile>false</reconcile>
>                     <action>
>                         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
>                     </action>
>                 </reaction>
>             </objectSynchronization>
>
>             Thank You,
>
>             Rod Holman
>
>
>             _______________________________________________
>             midPoint mailing list
>             midPoint at lists.evolveum.com
>             <mailto:midPoint at lists.evolveum.com>
>             http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>
>     *Arnošt Starosta*
>     solution architect
>
>     gsm: [+420] 603 794 932
>     e‑mail: arnost.starosta at ami.cz <mailto:arnost.starosta at ami.cz>
>
>     *AMI Praha a.s.*
>     Pláničkova 11, 162 00 Praha 6
>
>     tel.: [+420] 274 783 239 | web: www.ami.cz <https://www.ami.cz>
>
>     AMI Praha a.s.
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
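Editorial addition, not code from the thread, from Rod's deployment or from Evolveum: an AD resource fragment that puts the three suggestions in this thread together in one place. Only the identifiers visible above are taken from the thread (object class ri:user, attribute ri:sAMAccountName, the user's name property, the resource name "Medusa Active Directory"); the rest of the structure is assumed and written in the midPoint 3.9/4.0-era XML that the posted objectSynchronization also uses. It shows Michael's polyStringNorm matching rule on the correlation, Arnost's point that the AD resource must not create users on the unmatched situation, and the outbound password mapping at strength weak as Chris and Ivan recommend; a weak mapping is only applied when the target has no value, so an account that is merely being linked keeps its AD password.

```xml
<!-- Fragment of the AD resource. Assumed: the resource is the "Medusa Active Directory"
     one named in the thread, its account object class is ri:user and the login attribute
     is ri:sAMAccountName, all as posted. Everything else is editorial. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Medusa Active Directory</name>

    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <default>true</default>
            <objectClass>ri:user</objectClass>

            <!-- The user's name (same value as the HR "Name" attribute, per the thread)
                 drives the AD login. Strong so it is enforced on reconciliation. -->
            <attribute>
                <ref>ri:sAMAccountName</ref>
                <outbound>
                    <strength>strong</strength>
                    <source>
                        <path>name</path>
                    </source>
                </outbound>
            </attribute>

            <credentials>
                <password>
                    <outbound>
                        <!-- weak: applied only when the target has no value, so linking an
                             existing AD account does not push a password into it.
                             Caveat (Ivan's question): if an HR inbound mapping or the object
                             template generates a password during the import, a "normal"
                             mapping here sees that as a change and overwrites AD. -->
                        <strength>weak</strength>
                        <expression>
                            <asIs/>
                        </expression>
                    </outbound>
                </password>
            </credentials>
        </objectType>
    </schemaHandling>

    <synchronization>
        <objectSynchronization>
            <name>AD account sync</name>
            <objectClass>ri:user</objectClass>
            <kind>account</kind>
            <intent>default</intent>
            <enabled>true</enabled>

            <!-- Match the AD sAMAccountName against the user's name, case- and
                 whitespace-insensitively (Michael's polyStringNorm suggestion). -->
            <correlation>
                <q:equal>
                    <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching>
                    <q:path>c:name</q:path>
                    <expression>
                        <path>$account/attributes/ri:sAMAccountName</path>
                    </expression>
                </q:equal>
            </correlation>

            <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
            </reaction>

            <!-- A correlated user exists but the shadow is not linked yet: just link it.
                 This is the situation of every pre-existing AD account on first import. -->
            <reaction>
                <situation>unlinked</situation>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>

            <!-- No owner in midPoint: deliberately no action. Users are created from HR,
                 not from AD (Arnost's remark about unmatched -> addFocus). -->
            <reaction>
                <situation>unmatched</situation>
            </reaction>

            <reaction>
                <situation>deleted</situation>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
                </action>
            </reaction>
        </objectSynchronization>
    </synchronization>
</resource>
```

To check it the way the thread does, import or reconcile the AD resource with the single test user first (Arnost's order of operations): the shadow should be classified unlinked and then linked, and the audit record for that operation should contain no password delta against the AD shadow. If a password delta does appear, look at the HR inbounds and the object template before touching the AD mapping, because that is where the new value is coming from.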
