[midPoint] AD userAccountControl provisioning
Samuel Harmon
samuel.harmon at case.edu
Tue Dec 21 19:34:13 CET 2021
For the record, I did solve the UAC issue - it turned out that I had an
unnecessary auxiliaryObjectClass configured for organizationalPerson, and
once I removed that, UACs started getting updated correctly.
Sam
On Thu, Dec 16, 2021 at 4:59 PM Samuel Harmon <samuel.harmon at case.edu> wrote:
> We have midPoint (4.4) configured more-or-less like the internet2 Grouper
> demo, with one group adding/removing users from a midPoint Org. That Org,
> in turn, has an inducement to our AD resource, with the idea being that
> users in the Org have an ‘active’ AD account (with UAC set to 66048) and
> those removed from it marked as inactive (UAC 514).
>
> I have the following in my AD connector configuration:
>
> <attribute id="149">
>     <ref>ri:userAccountControl</ref>
>     <outbound>
>         <strength>strong</strength>
>         <expression>
>             <script>
>                 <code>
>                     if (assigned) {
>                         return '66048'
>                     } else {
>                         return '514'
>                     }
>                 </code>
>             </script>
>         </expression>
>     </outbound>
> </attribute>
>
> And when I reconcile a user that should get their value changed from one
> to the other, the preview indicates it should change it to the correct
> value, and continuing the operation indicates it ran successfully, but then
> re-checking the user’s AD shadow shows the UAC did not change at all.
>
> I’ve tried various iterations of setting up and removing <activation>,
> both settings of rawuseraccountcontrol (currently set as true), and any
> other options I could think of. UAC doesn’t seem to change with anything I
> try.
>
> Any ideas?
>
> For what it’s worth my current activation settings on the resource are:
>
> <activation>
>     <existence>
>         <outbound id="166">
>             <expression>
>                 <path>$focusExists</path>
>             </expression>
>         </outbound>
>     </existence>
>     <administrativeStatus>
>         <outbound id="167">
>             <expression>
>                 <script>
>                     <code>
>                         import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
>
>                         if (assigned) {
>                             input;
>                         } else {
>                             ActivationStatusType.DISABLED;
>                         }
>                     </code>
>                 </script>
>             </expression>
>         </outbound>
>     </administrativeStatus>
> </activation>
>
> I’ve also tried enabling Functional Tracing on the reconcile operation to
> see if that might yield some additional information, but the trace files
> are nowhere to be found in $MIDPOINT_HOME/var/trace/ or in the reports
> section of the UI - did I miss a step in setting it up?
>
> Sam
>
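The two userAccountControl values in the thread (66048 for active, 514 for inactive) are bitmasks, and the outbound expression above writes the whole mask rather than flipping one bit. The following added example (not code from the thread or from midPoint) decodes both values using the documented AD userAccountControl flag bits and shows which flags change as a side effect of the fixed mapping, compared with toggling only ACCOUNTDISABLE.

```python
# Decode and recompose AD userAccountControl (UAC) bitmasks. Flag names and
# values are the documented AD bits; added illustration, not midPoint code.

UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

def decode_uac(value):
    """Return the names of the flags set in a UAC integer, lowest bit first."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def set_enabled(value, enabled):
    """Clear or set only ACCOUNTDISABLE, leaving every other flag intact."""
    bit = UAC_FLAGS["ACCOUNTDISABLE"]
    return value & ~bit if enabled else value | bit

def side_effect_flags(old, new):
    """Flags that differ between two UAC values apart from ACCOUNTDISABLE."""
    changed = (old ^ new) & ~UAC_FLAGS["ACCOUNTDISABLE"]
    return decode_uac(changed)

if __name__ == "__main__":
    print(66048, decode_uac(66048))   # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
    print(514, decode_uac(514))       # ACCOUNTDISABLE + NORMAL_ACCOUNT
    # The thread's fixed 66048/514 mapping rewrites the whole mask, so each
    # switch also toggles DONT_EXPIRE_PASSWORD, not just the disable bit.
    print(side_effect_flags(66048, 514))
    print(set_enabled(66048, False))  # 66050: disabled, other flags kept
```

Reviewing the decoded flags before choosing fixed values avoids granting a non-expiring password (or any other flag) as an unintended side effect of enabling an account.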