<div dir="ltr">Just a follow-up on this: I was comparing the AD Sync Resource XML with the OpenDJ sample and noticed that field on how the DN should look; I added the below to the &lt;limitations&gt; section<div><br></div><div>&lt;modify&gt;false&lt;/modify&gt;<br></div><div><br></div><div>After adding that, existing accounts in AD are not moved into the OU defined in the &lt;code&gt; section. The user is imported into Midpoint and the account stays in the original OU.</div><div><br></div><div>Am I correct about why the account stays in the correct OU after adding &lt;modify&gt;false&lt;/modify&gt;?</div><div><br></div><div>Additionally, I did some further testing with this:</div><div><br></div><div><div><span class="" style="white-space:pre"> </span>&lt;expression&gt;</div><div><span class="" style="white-space:pre"> </span>&lt;script&gt;</div><div><span class="" style="white-space:pre"> </span>&lt;code&gt;</div><div><span class="" style="white-space:pre"> </span>'cn='+givenName+' '+familyName+iterationToken+',ou=The '+eduPersonAffiliation+',dc=test,dc=local'</div><div><span class="" style="white-space:pre"> </span>&lt;/code&gt;</div><div><span class="" style="white-space:pre"> </span>&lt;/script&gt;</div><div><span class="" style="white-space:pre"> </span>&lt;/expression&gt;</div></div><div><br></div><div>This actually works! New accounts are added to the OU in AD based on the attribute 'eduPersonAffiliation', so if the value is Student then the new account is built/placed in OU=The Student,DC=TEST,DC=LOCAL</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 10, 2014 at 5:50 PM, Pavol Mederly <span dir="ltr">&lt;<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Jason,<br>
<br>
look at the following:<br>
<br>
'cn='+givenName+' '+familyName+iterationToken+',cn=Users,dc=test,dc=local'<br>
<br>
It is in schemaHandling -> objectType (account) -> attribute
(icfs:name) -> outbound -> expression. It tells midPoint how
the Distinguished Name for user accounts should look - and it
points to the Users container. (I'm not 100% sure why midPoint
moved the user during initial import, but definitely this is the
place where you tell midPoint where your accounts should go.)<br>
<br>
Anyway, for a start, I would recommend that you deal with a much
simpler scenario: try not to work with pre-existing accounts, but
instead try to provision new accounts into an "empty" resource. <br>
<br>
It could be OpenDJ (it is preferred because of the connector
maturity), or, if you wish, AD. But if AD, it would be better to
create an empty OU and then do all the experiments within it. (In
that case don't forget to set icfcad:Container to that OU, in
order for midPoint to "see" only objects in it.) Play with
creating user accounts, using various kinds of attribute mappings,
etc., and you'll gradually see how things work. Then you can add
live sync and reconciliation. <br>
<br>
Definitely, start with users and accounts (skipping roles, orgs,
entitlements, groups, etc. for the time being).<br>
<br>
Read our wiki; there are nice explanations for basic mechanisms
there.<br>
<br>
Hope this helps,<br>
Pavol<div><div class="h5"><br>
<br>
<br>
On 11. 10. 2014 0:30, Jason Everling wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">Thanks again, Midpoint looks like it will do what
we need it to, just a ton of configuration, but first I need to
get the basics understood.
<div><br>
</div>
<div>I attached the xml</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 10, 2014 at 5:03 PM, Pavol
Mederly <span dir="ltr">&lt;<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hm, that's interesting. <br>
<br>
Please, could you post here your resource configuration
(i.e. AD Resource object, i.e. the "ad advanced sync"
sample with your local changes)?<br>
<br>
It's too late today, so perhaps I'll be able to have a
look at it tomorrow evening/Monday morning but
nevertheless please send it here.<br>
<br>
Best regards,<br>
Pavol
<div>
<div><br>
<br>
<br>
On 10. 10. 2014 23:58, Jason Everling wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">Yes, that is correct.
<div><br>
</div>
<div>I have a development environment set up, and I got
the AD Resource/Connector set up. I haven't done
any type of modification outside of adding the
sample ad advanced sync xml.</div>
<div><br>
</div>
<div>Before running import within Midpoint under
Resource, Accounts for AD, the accounts resided
in the container "OU=Students,DC=TEST,DC=LOCAL".
After I import them in Midpoint, the accounts
get moved into "CN=Users,DC=TEST,DC=LOCAL".</div>
<div><br>
</div>
<div>I had thought it would have left them in the
current OU, but they get moved. I haven't set up
any roles yet besides the defaults that are there,
but I haven't assigned them yet. I am just
getting it set up so I can better understand how
the system works.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 10, 2014 at
4:51 PM, Pavol Mederly <span dir="ltr">&lt;<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hello Jason,<br>
<br>
I'm not sure I understand your problem.<br>
<br>
Is it so that your users are <b>moved</b>
from AD container into another AD
container during "import into midPoint"
operation?<br>
I've never seen such behavior.<br>
<br>
BTW, of course, midPoint can put accounts
into any container you define - based on
organization or role assignment or any
other condition. <br>
<br>
Perhaps send here more information about
your situation. E.g. what was the
situation in your AD before the operation,
what exactly the operation was, and what
was the situation after that. <br>
<br>
Best regards,<br>
Pavol
<div>
<div><br>
<br>
On 10. 10. 2014 23:40, Jason Everling
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Is there a way I can
keep the existing Active Directory
users in their current container in
AD during Import/Provisioning?
<div><br>
</div>
<div>Can someone point me in the
right direction so that I could do
this, maybe provision new users to
specific container based on
membership, role or group?</div>
<div><br>
</div>
<div>Currently, when a user is
imported they are put in the
container that is specified in the
resource xml, which is fine for
development, but once we get into
production, accounts would need to
be provisioned into the
appropriate containers.</div>
<div><br>
</div>
<div>Thanks Again,</div>
<div><br>
</div>
<div>JASON</div>
</div>
<br>
</div>
</div>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any
attachments is proprietary and
confidential; intended for only the
recipient(s) named above and may contain
information that is privileged. You
should not retain, copy or use this
e-mail or any attachments for any
purpose, or disclose all or any part of
the contents to any person. Any views or
opinions expressed in this e-mail are
those of the author and do not represent
those of the Baptist School of Health
Professions. If you have received this
e-mail in error, or are not the named
recipient(s), you are hereby notified
that any review, dissemination,
distribution or copying of this
communication is prohibited by the
sender and to do so might constitute a
violation of the Electronic
Communications Privacy Act, 18 U.S.C.
section 2510-2521. Please immediately
notify the sender and delete this e-mail
and any attachments from your computer.
</font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br></div>
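The thread builds the account DN by string concatenation of user attributes (givenName, familyName, iterationToken, eduPersonAffiliation). The point a practitioner would want to check before taking that into production is that an attribute value containing a comma, plus sign or equals sign changes the structure of the DN and can land the account in a different container than the one the mapping intended. The Python below is an added example, not code from the thread or from the midPoint project: it composes the same DN shape as the Groovy expression above, once naively and once with RFC 4514 escaping, and then verifies that the result is a direct child of the intended OU. The attribute values and the affiliation "Student" are constructed sample inputs.

```python
# Added example (not from the mailing-list thread or from midPoint).
# Mirrors the Groovy mapping from the thread:
#   'cn='+givenName+' '+familyName+iterationToken+',ou=The '+eduPersonAffiliation+',dc=test,dc=local'
# but escapes attribute values per RFC 4514 and checks the parent container.

# Characters that must be escaped inside an RDN attribute value (RFC 4514, section 2.4).
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape a string for use as a single RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:          # leading '#' would start a hex-encoded value
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing space is significant
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def naive_account_dn(given_name, family_name, iteration_token, affiliation,
                     base_dn='dc=test,dc=local'):
    """Plain concatenation, exactly as the thread's expression does it."""
    return f'cn={given_name} {family_name}{iteration_token},ou=The {affiliation},{base_dn}'


def build_account_dn(given_name, family_name, iteration_token, affiliation,
                     base_dn='dc=test,dc=local'):
    """Same DN shape, but each RDN value is escaped so it cannot add or alter RDNs."""
    cn = escape_rdn_value(f'{given_name} {family_name}{iteration_token}')
    ou = escape_rdn_value(f'The {affiliation}')
    return f'cn={cn},ou={ou},{base_dn}'


def split_dn(dn: str):
    """Split a DN into its RDN strings, honouring backslash escapes."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):   # keep escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def parent_dn(dn: str) -> str:
    """Everything after the first RDN, i.e. the container the entry lives in."""
    return ','.join(split_dn(dn)[1:])


def is_direct_child_of(dn: str, container_dn: str) -> bool:
    """Check that the entry would be created directly under the intended container."""
    return parent_dn(dn).lower() == container_dn.lower()


if __name__ == '__main__':
    intended = 'OU=The Student,DC=TEST,DC=LOCAL'
    # Constructed sample: a family name carrying DN metacharacters.
    for fn in (naive_account_dn, build_account_dn):
        dn = fn('Jane', 'Doe,ou=Admins', '', 'Student')
        print(f'{fn.__name__:18} {dn!r:60} in intended OU: {is_direct_child_of(dn, intended)}')
```

Running the script shows the naive DN ending up with `ou=Admins` as its parent, while the escaped DN keeps the account under `ou=The Student`. In midPoint the same escaping can be done inside the Groovy expression itself; the check on the parent container is the assertion worth adding to any test of a DN mapping.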