<div dir="ltr">Just a follow up on this, I was comparing the AD Sync Resource XML with the OpenDJ sample and I noticed within that field on how the DN should look like I added the below to the &lt;limitations&gt; section<div><br></div><div>&lt;modify&gt;false&lt;/modify&gt;<br></div><div><br></div><div>After adding that, existing accounts in AD are not moved into the OU defined in the &lt;code&gt; section. The user is imported into Midpoint and the account stays in the original OU.</div><div><br></div><div>Am I correct on why the account stays in the correct OU after adding &lt;modify&gt;false&lt;/modify&gt; ?</div><div><br></div><div>Additionally, I did some further testing with this:</div><div><br></div><div><pre>&lt;expression&gt;
    &lt;script&gt;
        &lt;code&gt;
            'cn='+givenName+' '+familyName+iterationToken+',ou=The '+eduPersonAffiliation+',dc=test,dc=local'
        &lt;/code&gt;
    &lt;/script&gt;
&lt;/expression&gt;</pre></div><div><br></div><div>This actually works! New accounts are added to the OU in AD based on the attribute 'eduPersonAffiliation' so if the value is Student then the new account is built/placed in OU=The Student,DC=TEST,DC=LOCAL</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 10, 2014 at 5:50 PM, Pavol Mederly <span dir="ltr">&lt;<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Jason,<br>
      <br>
      look at the following:<br>
      <br>
      'cn='+givenName+'
      '+familyName+iterationToken+',cn=Users,dc=test,dc=local'<br>
      <br>
      It is in schemaHandling -> objectType (account) -> attribute
      (icfs:name) -> outbound -> expression. It tells midPoint what
      the Distinguished Name for user accounts should look like - and it
      points to the Users container. (I'm not 100% sure why midPoint
      moved the user during initial import, but definitely this is the
      place where you tell midPoint where your accounts should go.)<br>
      <br>
      Anyway, for a start, I would recommend you to deal with a much
      simpler scenario: try not to work with pre-existing accounts, but
      instead try to provision new accounts into an "empty" resource. <br>
      <br>
      It could be OpenDJ (it is preferred because of the connector
      maturity), or, if you wish, AD. But if AD, it would be better to
      create an empty OU and then do all the experiments within it. (In
      that case don't forget to set icfcad:Container to that OU, in
      order for midPoint to "see" only objects in it.) Play with
      creating user accounts, using various kinds of attribute mappings,
      etc, and you'll gradually see how things work. Then you can add
      live sync and reconciliation. <br>
      <br>
      Definitely, start with users and accounts (skipping roles, orgs,
      entitlements, groups, etc. for the time being).<br>
      <br>
      Read our wiki; there are nice explanations for basic mechanisms
      there.<br>
      <br>
      Hope this helps,<br>
      Pavol<div><div class="h5"><br>
      <br>
      <br>
      On 11. 10. 2014 0:30, Jason Everling wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">Thanks Again, Midpoint looks like it will do what
        we need it to, just a ton of configuration but first I need to
        get the basics understood,
        <div><br>
        </div>
        <div>I attached the xml</div>
        <div><br>
        </div>
        <div>JASON</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Oct 10, 2014 at 5:03 PM, Pavol
          Mederly <span dir="ltr">&lt;<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>Hm, that's interesting. <br>
                <br>
                Please, could you post here your resource configuration
                (i.e. AD Resource object, i.e. the "ad advanced sync"
                sample with your local changes)?<br>
                <br>
                It's too late today, so perhaps I'll be able to have a
                look at it tomorrow evening/Monday morning but
                nevertheless please send it here.<br>
                <br>
                Best regards,<br>
                Pavol
                <div>
                  <div><br>
                    <br>
                    <br>
                    On 10. 10. 2014 23:58, Jason Everling wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div>
                  <blockquote type="cite">
                    <div dir="ltr">Yes that is correct,
                      <div><br>
                      </div>
                      <div>I have a development environment setup, I got
                        the AD Resource/Connector setup. I haven't done
                        any type of modification outside of adding the
                        sample ad advanced sync xml.</div>
                      <div><br>
                      </div>
                      <div>Before running import within Midpoint under
                        Resource, Accounts for AD the accounts resided
                        in the container "OU=Students,DC=TEST,DC=LOCAL"
                        . After I import them in Midpoint the accounts
                        get moved into "CN=Users,DC=TEST,DC=LOCAL"</div>
                      <div><br>
                      </div>
                      <div>I had thought it would have left them in the
                        current OU but they get moved, I haven't setup
                        any roles yet besides the default that are there
                        but I haven't assigned them yet. I am just
                        getting it setup so I can better understand how
                        the system works.</div>
                      <div><br>
                      </div>
                      <div>Thanks,</div>
                      <div>JASON</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Fri, Oct 10, 2014 at
                        4:51 PM, Pavol Mederly <span dir="ltr">&lt;<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000">
                            <div>Hello Jason,<br>
                              <br>
                              I'm not sure I understand your problem.<br>
                              <br>
                              Is it so that your users are <b>moved</b>
                              from AD container into another AD
                              container during "import into midPoint"
                              operation?<br>
                              I've never seen such behavior.<br>
                              <br>
                              BTW, of course, midPoint can put accounts
                              into any container you define - based on
                              organization or role assignment or any
                              other condition. <br>
                              <br>
                              Perhaps send here more information about
                              your situation. E.g. what was the
                              situation in your AD before the operation,
                              what exactly the operation was, and what
                              was the situation after that. <br>
                              <br>
                              Best regards,<br>
                              Pavol
                              <div>
                                <div><br>
                                  <br>
                                  On 10. 10. 2014 23:40, Jason Everling
                                  wrote:<br>
                                </div>
                              </div>
                            </div>
                            <blockquote type="cite">
                              <div>
                                <div>
                                  <div dir="ltr">Is there a way I can
                                    keep the existing Active Directory
                                    users in their current container in
                                    AD during Import/Provisioning.
                                    <div><br>
                                    </div>
                                    <div>Can someone point me in the
                                      right direction so that I could do
                                      this, maybe provision new users to
                                      specific container based on
                                      membership, role or group?</div>
                                    <div><br>
                                    </div>
                                    <div>Currently when a user is
                                      imported they are put in the
                                      container that is specified in the
                                      resource xml which is fine for
                                      development but once we get into
                                      production accounts would need to
                                      be provisioned into the
                                      appropriate containers.</div>
                                    <div><br>
                                    </div>
                                    <div>Thanks Again,</div>
                                    <div><br>
                                    </div>
                                    <div>JASON</div>
                                  </div>
                                  <br>
                                </div>
                              </div>
                              <font><br>
                                <br>
                                CONFIDENTIALITY NOTICE:<br>
                                This e-mail together with any
                                attachments is proprietary and
                                confidential; intended for only the
                                recipient(s) named above and may contain
                                information that is privileged. You
                                should not retain, copy or use this
                                e-mail or any attachments for any
                                purpose, or disclose all or any part of
                                the contents to any person. Any views or
                                opinions expressed in this e-mail are
                                those of the author and do not represent
                                those of the Baptist School of Health
                                Professions. If you have received this
                                e-mail in error, or are not the named
                                recipient(s), you are hereby notified
                                that any review, dissemination,
                                distribution or copying of this
                                communication is prohibited by the
                                sender and to do so might constitute a
                                violation of the Electronic
                                Communications Privacy Act, 18 U.S.C.
                                section 2510-2521. Please immediately
                                notify the sender and delete this e-mail
                                and any attachments from your computer.
                              </font><br>
                              <br>
                              <fieldset></fieldset>
                              <br>
                              <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
                            </blockquote>
                            <br>
                          </div>
                          <br>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div>

<br>
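<div>The outbound expression discussed in this thread builds the account DN by concatenating attribute values, so a comma in a name or an unexpected eduPersonAffiliation value changes the shape of the DN. The following is an added example, not part of the original messages and not midPoint code: it reproduces that concatenation in Python beside a version that applies RFC 4514 escaping and an allow-list for the affiliation. The function names, the allow-list contents and the fallback to cn=Users are assumptions.</div>

```python
# Added example: helper names are constructed, not midPoint or connector API.

BASE_DN = "dc=test,dc=local"          # suffix used in the thread
DEFAULT_CONTAINER = "cn=Users"        # container from the sample resource
# Assumption: affiliations allowed to select an OU (the thread shows "Student").
ALLOWED_AFFILIATIONS = {"Student", "Faculty", "Staff"}

# Characters RFC 4514 requires escaping wherever they occur in a value.
_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value):
    """Escape one attribute value for use in a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":
            out.append("\\" + ch)
        elif i == last and ch == " ":
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def naive_dn(given_name, family_name, affiliation, iteration_token=""):
    """Plain concatenation, mirroring the expression quoted in the thread."""
    return ("cn=" + given_name + " " + family_name + iteration_token
            + ",ou=The " + affiliation + "," + BASE_DN)


def build_account_dn(given_name, family_name, affiliation, iteration_token=""):
    """Same DN shape, with escaped values and a validated OU choice."""
    cn = escape_rdn_value(f"{given_name} {family_name}{iteration_token}")
    if affiliation in ALLOWED_AFFILIATIONS:
        container = "ou=" + escape_rdn_value("The " + affiliation)
    else:
        # Unknown or malformed affiliation: do not let it shape the DN.
        container = DEFAULT_CONTAINER
    return f"cn={cn},{container},{BASE_DN}"


if __name__ == "__main__":
    # Constructed sample identities.
    for args in [("Jane", "Doe", "Student"),
                 ("John", "Smith, Jr.", "Student", "2"),
                 ("Ann", "Lee", "Student,ou=Elsewhere")]:
        print(naive_dn(*args))
        print(build_account_dn(*args))
```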