[midPoint] Import AD Users and Groups via CSV

Arnošt Starosta - AMI Praha a.s. arnost.starosta at ami.cz
Mon Aug 17 12:59:12 CEST 2020


Hi Javier,

Can't help you with <association> for the CSV connector; I don't know if
that works.

But if your goal is to have users with AD roles as assignments in midPoint,
you can always import the memberOf values to the identity in IDM and create
role assignments via an object template.

arnost

On Mon, 17 Aug 2020 at 12:18, Laza, Javier <Javier.Laza at ingrammicro.com>
wrote:

> Hello, for certain reasons I cannot use the LDAP/AD connector, so I have to
> import Active Directory accounts (and users) and groups from a CSV. I
> create this CSV via a PowerShell script getting the information from the AD.
> Each row has empty columns depending on whether the row represents an
> account or a group.
>
> FYI my CSV headers are:
> dn;sAMAccountName;cn;sn;objectCategory;givenName;mail;title;employeeID;l;department;telephoneNumber;c;manager;userAccountControl;memberOf;employeeType;description;member
>
> If the row is a user, the memberOf column will contain the list of groups.
> And if the row is a user, the column member contains the members of the
> groups.
>
>
>
> This CSV is going to act as an authoritative resource, so what I want to
> do:
>
>    - Create users in Midpoint -> done
>    - Import accounts -> done
>    - Import groups -> I tried to use the GroupObjectClass but couldn’t
>    make it work. In this thread (
>    https://lists.evolveum.com/pipermail/midpoint/2016-May/001876.html) it
>    is explained that the CSV connector only supports accounts; is this still
>    working the same way? At the end I managed to import the groups as an
>    Account of intent group, and then in the synchronization part, import it as
>    RoleType
>    - Create the entitlement/association among each user and its groups ->
>    FAILS
>
>
>
> I have created a synchronization sorter that checks the objectCategory
> column to know if the row is a user or a group. So at this point I am able
> to create the users/accounts and import the groups as roles. Then I
> configured the association as follows, and also tried the opposite approach
> using objectToSubject:
>
>             <association>
>                 <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:AccountObjectClass</c:ref>
>                 <displayName>AD Group Membership</displayName>
>                 <kind>account</kind>
>                 <intent>group</intent>
>                 <direction>subjectToObject</direction>
>                 <associationAttribute>ri:memberOf</associationAttribute>
>                 <valueAttribute>ri:dn</valueAttribute>
>                 <shortcutAssociationAttribute>ri:member</shortcutAssociationAttribute>
>                 <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>             </association>
>
> But if I import a user, and then want to get the account details, it shows
> a 500 error, and the log shows (I have removed some information from the
> DN):
>
>    - *WARN (com.evolveum.midpoint.provisioning.impl.ShadowCache): The
>    entitlement identified by
>    PCV(null):[PP({.../common/common-3}name):[PPV(ItemName:AccountObjectClass)],
>    RAC(identifiers):[PCV(null):[RA({.../resource/instance-3}dn):[PPV(String:CN=Product
>    Management,OU=Security Groups,DC=,DC=,DC=)]]]] referenced from
>    shadow:null(null) violates the schema. Skipping. Original error: No
>    secondary identifier defined, cannot search-{}*
>    - *ERROR
>    (com.evolveum.midpoint.gui.impl.factory.ShadowAssociationWrapperFactoryImpl):
>    Couldn't create container for associations. java.lang.NullPointerException:
>    null*
>    - *ERROR
>    (com.evolveum.midpoint.web.security.LoggingRequestCycleListener): Error
>    occurred during page rendering. java.lang.NullPointerException: null*
>    - *WARN (com.evolveum.midpoint.web.page.error.PageError): Creating
>    error page for code java.lang.NullPointerException, exception null: {}
>    java.lang.NullPointerException: null*
>
>
>
> Hope you can help me, thanks in advance


-- 

*Arnošt Starosta*
solution architect

gsm: [+420] 603 794 932
e‑mail: arnost.starosta at ami.cz

*AMI Praha a.s.*
Pláničkova 11, 162 00 Praha 6

tel.: [+420] 274 783 239 | web: www.ami.cz
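
The approach suggested in the reply above, sketched as an added example that is not part of the original thread or of midPoint's shipped configuration. It assumes a hypothetical multi-valued user extension property ext:adMemberOf (namespace http://example.com/xml/ns/midpoint/ext) that an inbound mapping on the CSV resource fills from ri:memberOf, and it assumes the imported group roles carry the AD group DN in their identifier property.

```xml
<!-- Added example: object template turning imported memberOf values into role assignments. -->
<!-- ext:adMemberOf and its namespace are hypothetical; define them in your own extension schema. -->
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:ext="http://example.com/xml/ns/midpoint/ext">
    <name>User template: AD memberOf to role assignments (example)</name>
    <mapping>
        <name>adMemberOf to role assignment</name>
        <!-- Multi-valued source: the expression is evaluated once per group DN. -->
        <source>
            <path>extension/ext:adMemberOf</path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:RoleType</targetType>
                <!-- Assumption: the role's identifier holds the group DN from the CSV dn column. -->
                <filter>
                    <q:equal>
                        <q:path>c:identifier</q:path>
                        <expression>
                            <path>$adMemberOf</path>
                        </expression>
                    </q:equal>
                </filter>
                <!-- No createOnDemand: a DN without a matching role yields no assignment, -->
                <!-- so only groups that were imported as roles can grant anything. -->
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </mapping>
</objectTemplate>
```

The template takes effect once it is set as the object template for UserType in the system configuration; the group roles have to be imported before the users so that the search finds its targets.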
