[midPoint] Link current HR account to existing AD account
Arnošt Starosta - AMI Praha a.s.
arnost.starosta at ami.cz
Fri Mar 15 18:01:06 CET 2019
Hi Rod,
as Jason pointed out you should first import or reconcile your AD accounts.
Does your problem happen when importing from or reconciling AD resource? If
your correlation rule is ok, midpoint should find the corresponding
identities and link the existing AD accounts.
Also reaction unmatched -> addFocus in your config seems to be wrong - you
don't want to create identities from AD accounts but from HR accounts,
right?
arnost
On Fri, 15 Mar 2019 at 17:16, Rod Holman <rholman at oaisd.org> wrote:
> Thanks for the quick response, but that didn’t work. In my previous post
> I stated we are adding the AD resource to the user via inducement. I meant
> projection.
>
>
>
> By the way, we are already successfully importing (in test) new HR users
> and they are being added to AD. That works great! It’s just this initial
> synchronization of current users.
>
>
>
> --Rod
>
>
>
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of *Gruber,
> Michael
> *Sent:* Friday, March 15, 2019 12:02 PM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] Link current HR account to existing AD account
>
>
>
> Maybe you have to add a matching rule
>
>
>
> <q:equal>
>     <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching>
>     <q:path>c:name</q:path>
>     [..]
>
>
>
> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com
> <midpoint-bounces at lists.evolveum.com>] *On Behalf Of *Rod Holman
> *Sent:* Friday, March 15, 2019 16:33
> *To:* midPoint General Discussion
> *Subject:* Re: [midPoint] Link current HR account to existing AD account
>
>
>
> We are only working with one user until successful then will add the
> rest. We imported the HR user into Midpoint and are now trying to sync by
> adding Medusa Active Directory to that user via inducement. We do not have
> the AD resource set up for importing. The HR resource name value is the
> same as the samaccountname value for that user in AD.
>
>
>
> --Rod
>
>
>
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> *On Behalf Of *Jason
> Everling
> *Sent:* Friday, March 15, 2019 11:16 AM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] Link current HR account to existing AD account
>
>
>
> So you imported all your AD users into midpoint already and then trying to
> import/link the HR users? Or you imported the HR users and trying to
> import/link the AD users? What does the resource contain for name and/or dn
> ?
>
>
>
>
>
>
> On Fri, Mar 15, 2019 at 8:52 AM Rod Holman <rholman at oaisd.org> wrote:
>
> Hi All,
>
>
>
> For our initial implementation of Midpoint we want to link existing
> accounts from our HR input to their existing accounts in active directory.
> After they are synced we want to have Midpoint add/sync users from HR to
> AD. As a test we are trying to link an existing HR account to an existing
> AD account. When we do this an attempt is made to add the account to AD no
> matter what we try causing an AlreadyExistsException error. Below is our
> object synchronization for the account. Is it possible that the
> correlation is never matching the two accounts? We tried both $account and
> $shadow in the correlation path. We know that the “Name” attribute in the
> HR account is the same as sAMAccountName in AD. Is there something we’re
> doing wrong here?
>
>
>
> <objectSynchronization>
>     <name>Account sync</name>
>     <objectClass>ri:user</objectClass>
>     <kind>account</kind>
>     <intent>default</intent>
>     <enabled>true</enabled>
>     <correlation>
>         <q:equal>
>             <q:path>c:name</q:path>
>             <expression xmlns="">
>                 <path>$account/attributes/ri:sAMAccountName</path>
>             </expression>
>         </q:equal>
>     </correlation>
>     <reconcile>false</reconcile>
>     <reaction>
>         <situation>linked</situation>
>         <synchronize>true</synchronize>
>         <reconcile>false</reconcile>
>     </reaction>
>     <reaction>
>         <situation>deleted</situation>
>         <action ref="http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink"/>
>     </reaction>
>     <reaction>
>         <situation>unlinked</situation>
>         <reconcile>false</reconcile>
>         <action>
>             <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>         </action>
>     </reaction>
>     <reaction>
>         <situation>unmatched</situation>
>         <reconcile>false</reconcile>
>         <action>
>             <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
>         </action>
>     </reaction>
> </objectSynchronization>
>
>
>
> Thank You,
>
> Rod Holman
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
--
*Arnošt Starosta*
solution architect
gsm: [+420] 603 794 932
e‑mail: arnost.starosta at ami.cz
*AMI Praha a.s.*
Pláničkova 11, 162 00 Praha 6
tel.: [+420] 274 783 239 | web: www.ami.cz
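
The two suggestions made in this thread (a polyStringNorm matching rule in the correlation, and no addFocus reaction for unmatched AD accounts) combined into one synchronization section for the AD resource. This is an added example, not configuration posted by any participant and not tested against the poster's deployment. It assumes the enclosing resource XML declares the q:, c: and ri: prefixes and uses midPoint's common-3 namespace as the default namespace.

```xml
<!-- Added example: synchronization section for the AD (target) resource.
     Assumes the q:, c: and ri: prefixes are declared on the enclosing
     resource element and common-3 is the default namespace. -->
<objectSynchronization>
    <name>Account sync</name>
    <objectClass>ri:user</objectClass>
    <kind>account</kind>
    <intent>default</intent>
    <enabled>true</enabled>
    <correlation>
        <q:equal>
            <!-- Compare normalized forms of the midPoint user name -->
            <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#polyStringNorm</q:matching>
            <q:path>c:name</q:path>
            <expression>
                <path>$account/attributes/ri:sAMAccountName</path>
            </expression>
        </q:equal>
    </correlation>
    <reaction>
        <situation>linked</situation>
        <synchronize>true</synchronize>
    </reaction>
    <reaction>
        <situation>deleted</situation>
        <action>
            <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
        </action>
    </reaction>
    <reaction>
        <!-- Correlation found an owner: link the existing AD account to it -->
        <situation>unlinked</situation>
        <action>
            <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
        </action>
    </reaction>
    <reaction>
        <!-- No owner found: no action, so AD-only accounts (service or
             admin accounts, for example) do not become midPoint users -->
        <situation>unmatched</situation>
    </reaction>
</objectSynchronization>
```

As noted in the reply above, correlation only runs when the AD accounts are imported or reconciled, so an import or reconciliation of the AD resource has to happen before the existing accounts can be linked.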