[midPoint] AD userAccountControl provisioning

Samuel Harmon samuel.harmon at case.edu
Thu Dec 16 22:59:58 CET 2021


We have midPoint (4.4) configured more-or-less like the internet2 Grouper
demo, with one group adding/removing users from a midPoint Org. That Org,
in turn, has an inducement to our AD resource, with the idea being that
users in the Org have an ‘active’ AD account (with UAC set to 66048) and
those removed from it marked as inactive (UAC 514).

I have the following in my AD connector configuration:

<attribute id="149">
    <ref>ri:userAccountControl</ref>
    <outbound>
        <strength>strong</strength>
        <expression>
            <script>
                <code>
                    if (assigned) {
                        return '66048'
                    } else {
                        return '514'
                    }
                </code>
            </script>
        </expression>
    </outbound>
</attribute>

And when I reconcile a user that should get their value changed from one to
the other, the preview indicates it should change it to the correct value,
and continuing the operation indicates it ran successfully, but then
re-checking the user’s AD shadow shows the UAC did not change at all.

I’ve tried various iterations of setting up and removing <activation>, both
settings of rawuseraccountcontrol (currently set as true), and any other
options I could think of. UAC doesn’t seem to change with anything I try.

Any ideas?

For what it’s worth my current activation settings on the resource are:

<activation>
    <existence>
        <outbound id="166">
            <expression>
                <path>$focusExists</path>
            </expression>
        </outbound>
    </existence>
    <administrativeStatus>
        <outbound id="167">
            <expression>
                <script>
                    <code>
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;

                        if (assigned) {
                            input;
                        } else {
                            ActivationStatusType.DISABLED;
                        }
                    </code>
                </script>
            </expression>
        </outbound>
    </administrativeStatus>
</activation>

I’ve also tried enabling Functional Tracing on the reconcile operation to
see if that might yield some additional information, but the trace files
are nowhere to be found in $MIDPOINT_HOME/var/trace/ or in the reports
section of the UI. Did I miss a step in setting it up?

Sam
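Added example, not part of Sam's message or of midPoint itself: a small Python helper that decodes the two userAccountControl values hard-coded in the mapping above (66048 and 514) and shows which flags actually differ between them, which is the check to run against the AD shadow when the value does not move. The bit values are the documented AD userAccountControl flags; only a subset is listed.

```python
# Added example (not from the mailing-list post): decode and compare AD
# userAccountControl (UAC) integers such as the 66048 / 514 pair in the mapping.
# Bit values are the documented AD userAccountControl flags (subset shown).
from typing import List, Set

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value: int) -> List[str]:
    """Names of all flags set in a UAC integer, lowest bit first (unknown bits as hex)."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAGS.get(mask, f"UNKNOWN_{mask:#x}"))
    return names


def is_disabled(value: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set, whatever the other flags are."""
    return bool(value & ACCOUNTDISABLE)


def set_enabled(value: int, enabled: bool) -> int:
    """Flip only ACCOUNTDISABLE and keep every other flag already on the account."""
    return value & ~ACCOUNTDISABLE if enabled else value | ACCOUNTDISABLE


def flag_diff(a: int, b: int) -> Set[str]:
    """Names of the flags that differ between two UAC values."""
    return set(decode_uac(a ^ b))


if __name__ == "__main__":
    for v in (66048, 514):
        print(v, hex(v), decode_uac(v), "disabled" if is_disabled(v) else "enabled")
    # The hard-coded pair differs in more than the disable bit: writing 514 also
    # drops DONT_EXPIRE_PASSWORD, and writing 66048 silently re-adds it.
    print(flag_diff(66048, 514))
```

Reading the shadow's userAccountControl through decode_uac() tells you at a glance whether ACCOUNTDISABLE is set, independent of any other bits the account carries.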