[midPoint] Multiple AD accounts
Paulo Fernandes de Souza Junior
PFSJ at senado.leg.br
Mon Feb 14 18:01:45 CET 2022
If the number of accounts is fixed, I think you should create, in the resource configuration, a different intent for each account.
Paulo Fernandes de Souza Júnior
NQPPPS
Senado Federal - PRODASEN
Phone: 61 3303.3924
________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Jason Everling via midPoint <midpoint at lists.evolveum.com>
Sent: Monday, February 14, 2022 13:30
To: midPoint General Discussion
Cc: Jason Everling
Subject: Re: [midPoint] Multiple AD accounts
What you are looking for is probably what Midpoint calls ‘Personas’
https://docs.evolveum.com/midpoint/reference/misc/persona/
From: Yakov Revyakin via midPoint <midpoint at lists.evolveum.com>
Sent: Monday, February 14, 2022 7:53 AM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Cc: Yakov Revyakin <yrevyakin at gmail.com>
Subject: Re: [midPoint] Multiple AD accounts
Can someone help to move forward?
On Sun, 13 Feb 2022 at 19:20, Yakov Revyakin <yrevyakin at gmail.com> wrote:
For example, I have something like this:
(where dn is the AD namingAttribute, organization O has two org assignments, Off1 & Off2, and O includes a single-valued "department" attribute with value "O", used as the AD OU name for org O)
I use Off1 and Off2 names as tag value.
<objectType>
    <kind>generic</kind>
    <intent>default</intent>
    <objectClass>ri:organizationalUnit</objectClass>
    <multiplicity>
        <maxOccurs>unbounded</maxOccurs>
        <tag>
            <outbound>
                <source>
                    <path>parentOrgRef</path>
                </source>
                <expression>
                    <script>
                        <code>
                            import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
                            // one tag per parent org (Off1, Off2): the office name
                            OrgType office = midpoint.getOrgByOid(parentOrgRef.oid);
                            log.info("1.1" + String.valueOf(office.name));
                            return office.name;
                        </code>
                    </script>
                </expression>
            </outbound>
        </tag>
    </multiplicity>
    <attribute>
        <ref>ri:dn</ref>
        <matchingRule>distinguishedName</matchingRule>
        <outbound>
            <strength>strong</strength>
            <source>
                <path>extension/department</path>
            </source>
            <source>
                <path>parentOrgRef</path>
            </source>
            <source>
                <path>$projection/tag</path>
            </source>
            <expression>
                <script>
                    <code>
                        import com.evolveum.midpoint.schema.constants.SchemaConstants;
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
                        import javax.naming.ldap.Rdn;
                        import javax.naming.ldap.LdapName;
                        // dn = OU=department,OU=office name,DC=example,DC=com
                        OrgType office = midpoint.getOrgByOid(parentOrgRef.oid);
                        log.info("2.1" + String.valueOf(tag));
                        log.info("2.2" + String.valueOf(office.name));
                        return basic.composeDn(
                            new Rdn("OU", basic.stringify(department)),
                            new Rdn("OU", basic.stringify(office.name)),
                            new LdapName("DC=example,DC=com")
                        );
                    </code>
                </script>
            </expression>
        </outbound>
    </attribute>
</objectType>
For the data structure I described above, I get the following output in the log:
1.1 Off1
1.1 Off2
1.1 Off1
1.1 Off2
2.1 Off1
2.2 Off1
2.1 Off1
2.2 Off2
2.1 Off1
2.2 Off1
2.1 Off1
2.2 Off2
Partial error while processing projection on resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(AD): Attempt to add 2 values to a single-valued item attributes/dn; values: [PPV(String:OU=O,OU=Off1,DC=example,DC=com), PPV(String:OU=O,OU=Off2,DC=example,DC=com)]
How do I complete my configuration? I don't understand how to configure the multi-account feature. Please help.
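The error quoted above comes from the dn mapping, not from the tag mapping: the tag mapping already yields one projection per parent org (Off1 and Off2), but the dn mapping still lists the multi-valued parentOrgRef as a source, so it is evaluated once per parent org inside each projection and returns two DNs for a single-valued attribute. The following objectType is an added example written for this thread; it is not Yakov's configuration, Evolveum's documentation, or a tested midPoint sample. It keeps the tag mapping as posted and assumes, as the posted config does, that `$projection/tag` exposes the projection's tag to the script as `tag`; `DC=example,DC=com` is the placeholder base DN from the posted config. The dn mapping then derives the office OU from the tag alone, so each projection has exactly one single-valued source per RDN and produces exactly one DN.

```xml
<objectType>
    <kind>generic</kind>
    <intent>default</intent>
    <objectClass>ri:organizationalUnit</objectClass>
    <multiplicity>
        <maxOccurs>unbounded</maxOccurs>
        <tag>
            <!-- Unchanged from the posted config: one projection per parent org, tag = office name. -->
            <outbound>
                <source>
                    <path>parentOrgRef</path>
                </source>
                <expression>
                    <script>
                        <code>
                            import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType
                            // parentOrgRef is multi-valued, so this script runs once per parent org
                            // and yields one tag (hence one projection) per office
                            OrgType office = midpoint.getOrgByOid(parentOrgRef.oid)
                            return basic.stringify(office.name)
                        </code>
                    </script>
                </expression>
            </outbound>
        </tag>
    </multiplicity>
    <attribute>
        <ref>ri:dn</ref>
        <matchingRule>distinguishedName</matchingRule>
        <outbound>
            <strength>strong</strength>
            <!-- Only single-valued sources here. parentOrgRef is deliberately NOT a source:
                 with it, the mapping runs once per parent org inside every projection and
                 produces two DNs, which is the "add 2 values to a single-valued item" error. -->
            <source>
                <path>extension/department</path>
            </source>
            <source>
                <!-- assumption: resolves to this projection's tag, as in the posted config -->
                <path>$projection/tag</path>
            </source>
            <expression>
                <script>
                    <code>
                        import javax.naming.ldap.Rdn
                        import javax.naming.ldap.LdapName
                        // A projection without a tag has no office to be placed under;
                        // return no DN rather than a wrong one so the problem is visible.
                        if (tag == null) {
                            return null
                        }
                        // dn = OU=department,OU=tag,DC=example,DC=com (placeholder base DN)
                        return basic.composeDn(
                            new Rdn("OU", basic.stringify(department)),
                            new Rdn("OU", basic.stringify(tag)),
                            new LdapName("DC=example,DC=com")
                        )
                    </code>
                </script>
            </expression>
        </outbound>
    </attribute>
</objectType>
```

With this mapping the org O should get two projections of intent `default` on the AD resource, tagged Off1 and Off2, with DNs `OU=O,OU=Off1,DC=example,DC=com` and `OU=O,OU=Off2,DC=example,DC=com`, which is the result the original question asks for. A quick way to confirm the change took effect is to recompute the org and check that the log no longer shows the dn script running twice per projection.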
On Sun, 13 Feb 2022 at 14:48, Yakov Revyakin <yrevyakin at gmail.com> wrote:
Correct, I'd like to have multiple AD accounts. How do I command midPoint to create them?
On Sun, 13 Feb 2022 at 14:34, Roman Pudil - AMI Praha a.s. via midPoint <midpoint at lists.evolveum.com> wrote:
Hi,
The AD schema does not allow multiple values in the DN attribute. See the AD schema documentation.
You have to use multiple accounts.
Regards
Roman Pudil
On Sun, 13 Feb 2022 at 13:27, Yakov Revyakin via midPoint <midpoint at lists.evolveum.com> wrote:
An org (O, intent : default) is a member of two organizations (Off1 & Off2) different by name but the same by nature (intent : office).
This structure results in AD as:
Off1 dn : OU=Off1
Off2 dn : OU=Off2
O in Off1 dn : OU=O,OU=Off1
O in Off2 dn : OU=O,OU=Off2
I'd like to have multiple AD accounts under O created: OU=O,OU=Off1 and OU=O,OU=Off2.
Could someone provide schema handling with multiple accounts support for the case? I mean TAG support.
My configuration tries to save multiple values in dn attribute instead of creating different accounts.
Thanks,
J
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint