[midPoint] Import AD Users and Groups via CSV

Laza, Javier Javier.Laza at ingrammicro.com
Mon Aug 17 12:18:35 CEST 2020


Hello, for certain reasons I cannot use the LDAP/AD connector, so I have to import Active Directory accounts (and users) and groups from a CSV. I create this CSV via a PowerShell script that gets the information from the AD. Each row has empty columns depending on whether the row represents an account or a group.
FYI my CSV headers are: dn;sAMAccountName;cn;sn;objectCategory;givenName;mail;title;employeeID;l;department;telephoneNumber;c;manager;userAccountControl;memberOf;employeeType;description;member
If the row is a user, the memberOf column will contain the list of groups. And if the row is a user, the column member contains the members of the groups.

This CSV is going to act as an authoritative resource, so what I want to do:

  *   Create users in Midpoint -> done
  *   Import accounts -> done
  *   Import groups -> I tried to use the GroupObjectClass but couldn't make it work. In this thread (https://lists.evolveum.com/pipermail/midpoint/2016-May/001876.html) it is explained that the CSV connector only supports accounts; is this still working the same way? In the end I managed to import the groups as an Account of intent group, and then, in the synchronization part, import it as RoleType
  *   Create the entitlement/association among each user and its groups -> FAILS

I have created a synchronization sorter that checks the objectCategory column to know if the row is a user or a group. So at this point I am able to create the users/accounts and import the groups as roles. Then I configured the association as follows, and also tried the opposite approach using objectToSubject:
            <association>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:AccountObjectClass</c:ref>
                <displayName>AD Group Membership</displayName>
                <kind>account</kind>
                <intent>group</intent>
                <direction>subjectToObject</direction>
                <associationAttribute>ri:memberOf</associationAttribute>
                <valueAttribute>ri:dn</valueAttribute>
                <shortcutAssociationAttribute>ri:member</shortcutAssociationAttribute>
                <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
            </association>


But if I import a user, and then want to get the account details, it shows a 500 error, and the log shows (I have removed some information from the DN):

  *   WARN (com.evolveum.midpoint.provisioning.impl.ShadowCache): The entitlement identified by PCV(null):[PP({.../common/common-3}name):[PPV(ItemName:AccountObjectClass)], RAC(identifiers):[PCV(null):[RA({.../resource/instance-3}dn):[PPV(String:CN=Product Management,OU=Security Groups,DC=,DC=,DC=)]]]] referenced from shadow:null(null) violates the schema. Skipping. Original error: No secondary identifier defined, cannot search-{}
  *   ERROR (com.evolveum.midpoint.gui.impl.factory.ShadowAssociationWrapperFactoryImpl): Couldn't create container for associations. java.lang.NullPointerException: null
  *   ERROR (com.evolveum.midpoint.web.security.LoggingRequestCycleListener): Error occurred during page rendering. java.lang.NullPointerException: null
  *   WARN (com.evolveum.midpoint.web.page.error.PageError): Creating error page for code java.lang.NullPointerException, exception null: {} java.lang.NullPointerException: null

Hope you can help me, thanks in advance
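
A pre-import consistency check for a CSV laid out like the one described above, as an added example that is not part of the original post: it verifies that every memberOf value resolves to the dn of a group row and that member and memberOf agree with each other. The "|" separator for multi-valued cells, the objectCategory values "person" and "group", the sample rows and the function names are assumptions made for this example.

```python
import csv
import io

# Constructed sample using a subset of the columns named in the post.
# Assumptions: multi-valued cells are "|"-separated and objectCategory
# holds "person" or "group"; the post does not state either.
SAMPLE_CSV = """dn;sAMAccountName;objectCategory;memberOf;member
CN=Alice,OU=Users,DC=example,DC=com;alice;person;CN=Product Management,OU=Security Groups,DC=example,DC=com|CN=Missing,OU=Security Groups,DC=example,DC=com;
CN=Bob,OU=Users,DC=example,DC=com;bob;person;;
CN=Product Management,OU=Security Groups,DC=example,DC=com;pm;group;;CN=Alice,OU=Users,DC=example,DC=com|CN=Bob,OU=Users,DC=example,DC=com
"""

def norm(dn):
    # AD compares DNs case-insensitively, so normalise before matching.
    return dn.strip().lower()

def split_multi(cell, sep="|"):
    return {norm(v) for v in (cell or "").split(sep) if v.strip()}

def check_memberships(text, sep="|"):
    """Return (issue, subject_dn, referenced_dn) tuples for broken links."""
    users, groups = {}, {}
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        dn = norm(row["dn"])
        if row["objectCategory"].strip().lower() == "group":
            groups[dn] = split_multi(row.get("member"), sep)
        else:
            users[dn] = split_multi(row.get("memberOf"), sep)
    findings = []
    for user, member_of in users.items():
        for g in sorted(member_of):
            if g not in groups:
                # memberOf names a group that has no row in the CSV
                findings.append(("dangling_memberOf", user, g))
            elif user not in groups[g]:
                findings.append(("missing_in_member", user, g))
    for g, members in groups.items():
        for m in sorted(members):
            if m not in users and m not in groups:
                findings.append(("dangling_member", g, m))
            elif m in users and g not in users[m]:
                # group lists the user, but the user row does not list the group
                findings.append(("missing_in_memberOf", m, g))
    return findings

if __name__ == "__main__":
    for finding in check_memberships(SAMPLE_CSV):
        print(finding)
```

Each finding marks a membership that one side of the export asserts and the other cannot confirm, which is worth resolving before the file is treated as authoritative.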
