[midPoint] Link current HR account to existing AD account

Gruber, Michael MICHAEL.GRUBER at wwk.de
Fri Mar 15 17:02:08 CET 2019


Maybe you have to add a matching rule

<q:equal>
            <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching>
            <q:path>c:name</q:path>
            [..]

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Rod Holman
Sent: Friday, March 15, 2019 16:33
To: midPoint General Discussion
Subject: Re: [midPoint] Link current HR account to existing AD account

We are only working with one user until successful then will add the rest.  We imported the HR user into Midpoint and are now trying to sync by adding Medusa Active Directory to that user via inducement.  We do not have the AD resource set up for importing.  The HR resource name value is the same as the samaccountname value for that user in AD.

--Rod

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Jason Everling
Sent: Friday, March 15, 2019 11:16 AM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Link current HR account to existing AD account

So you imported all your AD users into midpoint already and are then trying to import/link the HR users? Or you imported the HR users and are trying to import/link the AD users? What does the resource contain for name and/or dn?



On Fri, Mar 15, 2019 at 8:52 AM Rod Holman <rholman at oaisd.org> wrote:
Hi All,

For our initial implementation of Midpoint we want to link existing accounts from our HR input to their existing accounts in Active Directory. After they are synced we want to have Midpoint add/sync users from HR to AD. As a test we are trying to link an existing HR account to an existing AD account. When we do this, an attempt is made to add the account to AD no matter what we try, causing an AlreadyExistsException error. Below is our object synchronization for the account. Is it possible that the correlation is never matching the two accounts? We tried both $account and $shadow in the correlation path. We know that the “Name” attribute in the HR account is the same as sAMAccountName in AD. Is there something we’re doing wrong here?

        <objectSynchronization>
            <name>Account sync</name>
            <objectClass>ri:user</objectClass>
            <kind>account</kind>
            <intent>default</intent>
            <enabled>true</enabled>
            <correlation>
                <q:equal>
                    <q:path>c:name</q:path>
                    <expression xmlns="">
                        <path>$account/attributes/ri:sAMAccountName</path>
                    </expression>
                </q:equal>
            </correlation>
            <reconcile>false</reconcile>
            <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
                <reconcile>false</reconcile>
            </reaction>
            <reaction>
                <situation>deleted</situation>
                <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"/>
            </reaction>
            <reaction>
                <situation>unlinked</situation>
                <reconcile>false</reconcile>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unmatched</situation>
                <reconcile>false</reconcile>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
                </action>
            </reaction>
        </objectSynchronization>

Thank You,
Rod Holman

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
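
Added example (not from any of the posts above and not midPoint project code): how the matching rule suggested in the top reply would sit inside the correlation from the original post. It assumes the part elided as `[..]` in the reply is the same expression the original configuration uses, and that the `q:`, `c:` and `ri:` prefixes are bound as in the surrounding resource definition.

```xml
<correlation>
    <q:equal>
        <!-- Compare the normalized form of the PolyString c:name rather than its original form -->
        <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching>
        <q:path>c:name</q:path>
        <!-- Assumption: expression copied unchanged from the original post -->
        <expression xmlns="">
            <path>$account/attributes/ri:sAMAccountName</path>
        </expression>
    </q:equal>
</correlation>
```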