[midPoint] AD computer & userAccountControl if adminStatus = disabled

Yakov Revyakin yrevyakin at gmail.com
Tue Apr 23 16:54:28 CEST 2024


It looks like the auxiliaryObjectClass provides the needed magic. The only
thing that looks inconvenient is that if we'd like to import a computer
via the midPoint UI we need to go under the structural resource objects ("user" in
our case), not under the auxiliaryObjectClass one ("computer"). Under
auxiliaryObjectClass, import doesn't work.

<objectType>
    <kind>account</kind>
    <intent>computer</intent>
    <default>false</default>
    <delineation>
        <objectClass>ri:user</objectClass>
        <auxiliaryObjectClass>ri:computer</auxiliaryObjectClass>
    </delineation>
..............

</objectType>
On Tue, 23 Apr 2024 at 15:25, Yakov Revyakin <yrevyakin at gmail.com> wrote:

> Hi All,
> Debugging AdLdapConnector, I've found the cause of the problem.
> The AdLdapConnector.java class in v3.7 has some more specific processing of
> UAC. It applies UAC logic (including enable/disable) only if the current AD
> object class is "user".
> The following lines in updateDelta() make it impossible to get UAC
> processing for the "computer" class in the same way as for "user". So, the
> connector can't enable/disable a "computer" in the same way as it can a
> "user".
>
> boolean isUserObjectClass = getSchemaTranslator().isUserObjectClass(ldapObjectClass.getName());
> boolean hasUacPatch = !getConfiguration().isRawUserAccountControlAttribute()
>         && isUserObjectClass && hasUacDelta(deltas);
>
> isUserObjectClass() simply checks whether the objectClass is equal to the
> string "user".
>
> I know that there is a possibility to work with UAC in raw mode, but it is
> a bit uncomfortable.
> What is the best way to solve the problem? Could the connector configuration
> be improved to support a list of user object classes (user, computer) instead of a
> single value (user)?
>
> Thanks,
> Yakov
>
> On Fri, 1 Mar 2024 at 14:49, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>
>> I've migrated to MP v4.8.2 with LDAP connector v3.7.
>> I have AD user & computer objectTypes. I manage the AD 'computer' status in
>> the same way as 'user', using the MP administrative status.
>> I can see that disabling a 'user' works as expected. But disabling a
>> 'computer' throws the error:
>>
>> com.evolveum.midpoint.util.exception.SchemaException: Error modifying
>> LDAP entry CN=WS164,OU=Computers,OU=...........,DC=local: [
>> replace:userAccountControl=FALSE,]: invalid
>> AttributeSyntax: 00000057: LdapErr: DSID-0C091284, comment: Error in
>> attribute conversion operation, data 0, v4563? (21)
>>
>> It looks like MP tries to update userAccountControl with a boolean
>> value when an integer is expected.
>>
>> Do you have any ideas on how to solve this?
>> Yakov
>>
>
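An added example (Python; not code from the thread, from midPoint or from the LDAP connector) of what the connector's UAC handling has to do for a computer object as well as a user: treat userAccountControl as a bitmask, flip only the ACCOUNTDISABLE bit, and write the result back as an integer rather than the boolean FALSE seen in the error above. The object-class set and the helper names are assumptions made for illustration.

```python
# Added example, not code from the thread or from midPoint / the LDAP connector.
# AD userAccountControl (UAC) is an integer bitmask; "disabled" means the
# ACCOUNTDISABLE bit is set. Writing the literal FALSE into it yields the
# "invalid AttributeSyntax" error quoted in the thread.

# Well-known UAC flags (values from the AD schema documentation).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,             # default structural user: 512
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,  # default computer: 4096
    "DONT_EXPIRE_PASSWD": 0x10000,
}
ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]

# Object classes whose administrative status maps onto UAC. The connector
# version discussed above hard-codes only "user"; "computer" is the
# extension the thread asks for (assumed set, not the connector's own).
UAC_OBJECT_CLASSES = {"user", "computer"}


def decode_uac(uac: int) -> list:
    """Names of the well-known flags set in a UAC value (for diagnostics)."""
    return [name for name, bit in UAC_FLAGS.items() if uac & bit]


def is_enabled(uac: int) -> bool:
    return not (uac & ACCOUNTDISABLE)


def uac_replace_value(object_class: str, current_uac: int, enabled: bool) -> int:
    """Compute the UAC integer that flips only the enable/disable bit,
    preserving every other flag already on the entry."""
    if object_class not in UAC_OBJECT_CLASSES:
        raise ValueError(f"no UAC handling for objectClass {object_class!r}")
    if not isinstance(enabled, bool):
        # Catches a stringified "FALSE"/"TRUE" leaking in from a status mapping.
        raise TypeError("administrative status must be a bool")
    if enabled:
        return current_uac & ~ACCOUNTDISABLE
    return current_uac | ACCOUNTDISABLE


def build_modification(object_class: str, current_uac: int, enabled: bool) -> dict:
    """The LDAP modify item as AD expects it: attribute name plus the new
    value as a decimal string, never a boolean literal."""
    new_uac = uac_replace_value(object_class, current_uac, enabled)
    return {"op": "replace", "attr": "userAccountControl", "value": str(new_uac)}
```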