[midPoint] Link current HR account to existing AD account
Ivan Noris
ivan.noris at evolveum.com
Mon Jun 10 13:24:20 CEST 2019
Hi Rod,
so the question is how the mapping in the SQL source resource looks.
Is it really an initial password (meaning: a weak mapping)?
Can you share the mapping for credentials/password from your source
resource?
Regards,
Ivan
On 10. 6. 2019 12:34, Rod Holman wrote:
>
> Hi Ivan,
>
> We are using DatabaseTableConnector with a SQL View as our resource.
> It contains an initial password for each user and is designated as the
> password column in the configuration. Yes, this was populated for the
> import even though we don't want it to change the password in AD at
> this point. Once these are imported and linked we want to turn on
> live sync using a Change Log Column to automatically update and add
> accounts from the resource. We would only want the initial password
> to update midPoint and assigned accounts when a new person is added.
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Ivan Noris
> Sent: Monday, June 10, 2019 2:43 AM
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Hi Rod,
>
> as Chris said, weak would be OK. But I think normal should also not
> attempt to change the password. Normal means there is a change.
>
> Are the passwords being changed in midPoint as well during the import?
> (E.g. are they generated in HR resource inbounds or the object template?)
>
> Ivan
>
> On 9. 6. 2019 17:49, Rod Holman wrote:
>
> Hi Chris,
>
> The strength was set to Normal. I will try it with it set to
> weak. Would it also work if the credentials configuration or
> password were temporarily disabled in capabilities?
>
> Thanks,
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Chris Woods
> Sent: Sunday, June 9, 2019 10:48 AM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Hi Rod,
>
> what is the strength setting set to for the outbound credentials
> mapping? I would set it to weak.
>
> Regards,
>
> Chris
>
> On 9 June 2019 16:09:41, Rod Holman <rholman at oaisd.org> wrote:
>
> Hi All,
>
> Since this is related I thought I'd post my question on this
> stream. When we imported HR accounts in an attempt to link
> them with existing Active Directory accounts, some (not all) of
> the Active Directory passwords changed. We do not want any
> Active Directory passwords to change during the import, but
> still want the users to be added to Active Directory groups if
> applicable. What do we have to set to ensure that all Active
> Directory accounts maintain their passwords on this type of
> import?
>
> Thanks,
>
> --Rod
>
> ------------------------------------------------------------------------
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Rod Holman <rholman at oaisd.org>
> Sent: Friday, March 15, 2019 1:28:46 PM
> To: midPoint General Discussion
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Thanks Arnost. I guess that's the question I should have
> asked Jason: should we also import from AD? After I set up
> the import from AD and imported the user, everything synced.
>
> Thanks to all who pitched in to help!
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Arnošt Starosta - AMI Praha a.s.
> Sent: Friday, March 15, 2019 1:01 PM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Hi Rod,
>
> as Jason pointed out, you should first import or reconcile your
> AD accounts. Does your problem happen when importing from or
> reconciling the AD resource? If your correlation rule is OK,
> midPoint should find the corresponding identities and link the
> existing AD accounts.
>
> Also, the reaction unmatched -> addFocus in your config seems to be
> wrong: you don't want to create identities from AD accounts
> but from HR accounts, right?
>
> arnost
>
> On Fri 15. 3. 2019 at 17:16, Rod Holman <rholman at oaisd.org> wrote:
>
>
> Thanks for the quick response, but that didn't work. In
> my previous post I stated we are adding the AD resource to
> the user via inducement. I meant projection.
>
> By the way, we are already successfully importing (in
> test) new HR users and they are being added to AD. That
> works great! It's just this initial synchronization of
> current users.
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Gruber, Michael
> Sent: Friday, March 15, 2019 12:02 PM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> Maybe you have to add a matching rule:
>
> <q:equal>
>     <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching>
>     <q:path>c:name</q:path>
>     [..]
>
> From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Rod Holman
> Sent: Friday, 15 March 2019 16:33
> To: midPoint General Discussion
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> We are only working with one user until successful, then
> will add the rest. We imported the HR user into midPoint
> and are now trying to sync by adding Medusa Active
> Directory to that user via inducement. We do not have the
> AD resource set up for importing. The HR resource name
> value is the same as the sAMAccountName value for that
> user in AD.
>
> --Rod
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Jason Everling
> Sent: Friday, March 15, 2019 11:16 AM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Link current HR account to existing AD account
>
> So you imported all your AD users into midPoint already
> and are then trying to import/link the HR users? Or you
> imported the HR users and are trying to import/link the AD
> users? What does the resource contain for name and/or dn?
>
> On Fri, Mar 15, 2019 at 8:52 AM Rod Holman <rholman at oaisd.org> wrote:
>
> Hi All,
>
> For our initial implementation of midPoint we want to
> link existing accounts from our HR input to their
> existing accounts in Active Directory. After they are
> synced we want to have midPoint add/sync users from HR
> to AD. As a test we are trying to link an existing HR
> account to an existing AD account. When we do this an
> attempt is made to add the account to AD no matter
> what we try, causing an AlreadyExistsException error.
> Below is our object synchronization for the account.
> Is it possible that the correlation is never matching
> the two accounts? We tried both $account and $shadow
> in the correlation path. We know that the "Name"
> attribute in the HR account is the same as
> sAMAccountName in AD. Is there something we're doing
> wrong here?
>
> <objectSynchronization>
>     <name>Account sync</name>
>     <objectClass>ri:user</objectClass>
>     <kind>account</kind>
>     <intent>default</intent>
>     <enabled>true</enabled>
>     <correlation>
>         <q:equal>
>             <q:path>c:name</q:path>
>             <expression xmlns="">
>                 <path>$account/attributes/ri:sAMAccountName</path>
>             </expression>
>         </q:equal>
>     </correlation>
>     <reconcile>false</reconcile>
>     <reaction>
>         <situation>linked</situation>
>         <synchronize>true</synchronize>
>         <reconcile>false</reconcile>
>     </reaction>
>     <reaction>
>         <situation>deleted</situation>
>         <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"/>
>     </reaction>
>     <reaction>
>         <situation>unlinked</situation>
>         <reconcile>false</reconcile>
>         <action>
>             <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>         </action>
>     </reaction>
>     <reaction>
>         <situation>unmatched</situation>
>         <reconcile>false</reconcile>
>         <action>
>             <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
>         </action>
>     </reaction>
> </objectSynchronization>
>
> Thank You,
>
> Rod Holman
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> <mailto:midPoint at lists.evolveum.com>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
>
> Arnošt Starosta
> solution architect
>
> gsm: [+420] 603 794 932
> e-mail: arnost.starosta at ami.cz
>
> AMI Praha a.s.
> Pláničkova 11, 162 00 Praha 6
>
> tel.: [+420] 274 783 239 | web: www.ami.cz
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
--
Ivan Noris
Senior Identity Engineer
evolveum.com