<div dir="ltr">Thanks for the explanation,<div><br></div><div>AD only needs to be authoritative during the initial deployment, since we have thousands of accounts in AD; after that, all accounts will be modified/added using midPoint.</div><div><br></div><div>I think using the method I outlined last to build the DN is more or less what I am moving towards. I have looked through the AD attributes, and the "ou" attribute in AD is not used, so it would make sense to populate that attribute with the actual OU. I can simply use a PowerShell script to add the correct value to this attribute based on the user's current OU and then build the DN in midPoint off this value.</div><div><br></div><div>Using the "ou" attribute in AD might also be the best way, since later on I can use the attribute in roles and orgs; I have been looking at the orgsync story test on GitHub for inspiration.</div><div><br></div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 16, 2014 at 3:14 AM, Ivan Noris <span dir="ltr"><<a href="mailto:Ivan.Noris@evolveum.com" target="_blank">Ivan.Noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000"><div>Hi Jason,<br></div><div><br></div><div>setting modify=false will disallow midPoint from changing this attribute, but be advised that if you disable modification of the icfs:name attribute, you will be unable to rename/move the AD accounts.<br></div><div><br></div><div>I believe that the moving of your users (described in your earlier emails) could be caused by the resource configuration being two-directional.<br></div><div><br></div><div>If you are using AD for Active Sync, you are making it an authoritative source. 
If an account is synchronized to midPoint and midPoint is modifying it back, it will evaluate the icfs:name outbound expression and behave accordingly.<br></div><div><br></div><div>So, midPoint was trying to update icfs:name (DN) because of the configuration in midPoint.<br></div><div><br></div><div>You can also have the icfs:name mapping configured as "weak" so it will never recompute values if the target (AD) value already exists.<br></div><div><br></div><div>This will effectively disable automatic renaming/moving as well.<br></div><div><br></div><div>Disabling modification of the attribute also prevents you from modifying that attribute in the GUI. Setting weak strength in outbound for icfs:name will only limit propagation of changes from midPoint to AD.<br></div><div>An example of a weak mapping:<br></div><div><br></div><div><pre>&lt;attribute&gt;
  &lt;ref&gt;icfs:name&lt;/ref&gt;
  &lt;outbound&gt;
    &lt;strength&gt;weak&lt;/strength&gt;
    &lt;source&gt;
    ....</pre></div><div><br></div><div>Do you need your Active Directory to be authoritative for changes, or only for the first import of user data?<br></div><div>Is there any attribute in AD that you could store in a midPoint user attribute when importing, and then in provisioning deduce the correct DN from it? 
In your case the extended attribute eduPersonAffiliation could hold the value.<br></div><div><br></div><div>Regards,<br></div><div>ivan<br></div><div><br></div><hr><blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From: </b>"Jason Everling" <<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>><br><b>To: </b>"midPoint General Discussion" <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br><b>Sent: </b>Wednesday, October 15, 2014 4:41:06 PM<br><b>Subject: </b>Re: [midPoint] Existing Active Directory Users<div><div class="h5"><br><div><br></div><div dir="ltr">Just a follow-up on this: I was comparing the AD Sync Resource XML with the OpenDJ sample, and I noticed, within the field that defines how the DN should look, that I could add the below to the &lt;limitations&gt; section<div><br></div><div>&lt;modify&gt;false&lt;/modify&gt;<br></div><div><br></div><div>After adding that, existing accounts in AD are not moved into the OU defined in the &lt;code&gt; section. 
The user is imported into midPoint and the account stays in the original OU.</div><div><br></div><div>Am I correct on why the account stays in the correct OU after adding &lt;modify&gt;false&lt;/modify&gt;?</div><div><br></div><div>Additionally, I did some further testing with this:</div><div><br></div><div><pre>&lt;expression&gt;
  &lt;script&gt;
    &lt;code&gt;
      'cn='+givenName+' '+familyName+iterationToken+',ou=The '+eduPersonAffiliation+',dc=test,dc=local'
    &lt;/code&gt;
  &lt;/script&gt;
&lt;/expression&gt;</pre></div><div><br></div><div>This actually works! New accounts are added to the OU in AD based on the attribute 'eduPersonAffiliation', so if the value is Student then the new account is built/placed in OU=The Student,DC=TEST,DC=LOCAL</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 10, 2014 at 5:50 PM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Jason,<br> <br> look at the following:<br> <br> 'cn='+givenName+' '+familyName+iterationToken+',cn=Users,dc=test,dc=local'<br> <br> It is in schemaHandling -> objectType (account) -> attribute (icfs:name) -> outbound -> expression. It tells midPoint how the Distinguished Name for user accounts should look - and it points to the Users container. 
(I'm not 100% sure why midPoint moved the user during initial import, but this is definitely the place where you tell midPoint where your accounts should go.)<br> <br> Anyway, to start, I would recommend that you deal with a much simpler scenario: try not to work with pre-existing accounts, but instead try to provision new accounts into an "empty" resource. <br> <br> It could be OpenDJ (it is preferred because of the connector maturity), or, if you wish, AD. But if AD, it would be better to create an empty OU and then do all the experiments within it. (In that case don't forget to set icfcad:Container to that OU, in order for midPoint to "see" only objects in it.) Play with creating user accounts, using various kinds of attribute mappings, etc., and you'll gradually see how things work. Then you can add live sync and reconciliation. <br> <br> Definitely, start with users and accounts (skipping roles, orgs, entitlements, groups, etc. for the time being).<br> <br> Read our wiki; there are nice explanations of the basic mechanisms there.<br> <br> Hope this helps,<br>Pavol<div><div><br> <br> <br> On 11. 10. 2014 0:30, Jason Everling wrote:<br></div></div></div><div><div><blockquote><div dir="ltr">Thanks again, midPoint looks like it will do what we need it to, just a ton of configuration, but first I need to get the basics understood.<div><br></div><div>I attached the XML.</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 10, 2014 at 5:03 PM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Hm, that's interesting. <br> <br> Please, could you post here your resource configuration (i.e. AD Resource object, i.e. 
the "ad advanced sync" sample with your local changes)?<br> <br> It's too late today, so perhaps I'll be able to have a look at it tomorrow evening/Monday morning but nevertheless please send it here.<br> <br> Best regards,<br>Pavol<div><div><br> <br> <br> On 10. 10. 2014 23:58, Jason Everling wrote:<br></div></div></div><div><div><blockquote><div dir="ltr">Yes that is correct,<div><br></div><div>I have a development environment setup, I got the AD Resource/Connector setup. I haven't done any type of modification outside of adding the sample ad advanced sync xml.</div><div><br></div><div>Before running import within Midpoint under Resource, Accounts for AD the accounts resided in the container "OU=Students,DC=TEST,DC=LOCAL" . After I import them in Midpoint the accounts get moved into "CN=Users,DC=TEST,DC=LOCAL"</div><div><br></div><div>I had thought it would have left them in the current OU but they get moved, I haven't setup any roles yet besides the default that are there but I haven't assigned them yet. I am just getting it setup so I can better understand how the system works.</div><div><br></div><div>Thanks,</div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 10, 2014 at 4:51 PM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Hello Jason,<br> <br> I'm not sure I understand your problem.<br> <br> Is it so that your users are <b>moved</b> from AD container into another AD container during "import into midPoint" operation?<br> I've never seen such behavior.<br> <br> BTW, of course, midPoint can put accounts into any container you define - based on organization or role assignment or any other condition. <br> <br> Perhaps send here more information about your situation. E.g. 
what was the situation in your AD before the operation, what exactly the operation was, and what was the situation after that. <br> <br> Best regards,<br>Pavol<div><div><br> <br> On 10. 10. 2014 23:40, Jason Everling wrote:<br></div></div></div><blockquote><div><div><div dir="ltr">Is there a way I can keep the existing Active Directory users in their current container in AD during Import/Provisioning.<div><br></div><div>Can someone point me in the right direction so that I could do this, maybe provision new users to specific container based on membership, role or group?</div><div><br></div><div>Currently when a user is imported they are put in the container that is specified in the resource xml which is fine for development but once we get into production accounts would need to be provisioned into the appropriate containers.</div><div><br></div><div>Thanks Again,</div><div><br></div><div>JASON</div></div><br></div></div><span><br> <br> CONFIDENTIALITY NOTICE:<br> This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </span><br> <br><fieldset></fieldset><br><pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre></blockquote><br></div></blockquote></div><br></div></blockquote><br></div></div></div></blockquote></div><br></div></blockquote><br></div></div></div></blockquote></div><br></div></div></div></blockquote><span class="HOEnZb"><font color="#888888"><div><br></div><div>-- <br></div><div><span name="x"></span> Ing. 
Ivan Noris<br> Senior Identity Management Engineer<br> <a href="http://evolveum.com" target="_blank">evolveum.com</a><br> ___________________________________________<br> "Idem per idem - semper idem Vix."<span name="x"></span><br></div></font></span></div></div>
<br></blockquote></div><br></div>
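The thread above turns on two pieces of logic: reading the OU an account currently lives in (the value Jason plans to copy into the unused AD "ou" attribute with a PowerShell script) and building the account DN from user attributes (the Groovy outbound expression for icfs:name). The following Python script is an added illustration of both; it is not code from the thread, from midPoint, or from the midPoint samples. It also covers a caveat the plain string concatenation in the expression does not: a givenName or familyName containing a comma, plus sign or other RFC 4514 special character yields a malformed DN, or one whose RDN boundaries shift, unless the values are escaped. The sample DNs and names are constructed, and the "weak"/"strong" check is a simplified model of mapping strength for a single-valued attribute, not midPoint's full semantics.

```python
"""Added example (not code from the midPoint thread or from midPoint itself).

Models two things discussed in the thread:
  1. extracting the OU from an account's current DN (the value to store in
     the AD "ou" attribute), and
  2. building the account DN the way the thread's Groovy outbound expression
     does, with the RFC 4514 escaping the plain concatenation lacks.
A small weak/strong check shows why a weak icfs:name mapping leaves an
existing DN untouched.  All DNs and names below are constructed samples.
"""
from typing import List, Optional, Tuple

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded safely in a DN."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in SPECIAL or leading_hash or edge_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(value: str) -> str:
    """Reverse of escape_rdn_value; also accepts \\XX hex-pair escapes."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in SPECIAL or nxt in " #":
                out.append(nxt)
                i += 2
                continue
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))  # single-byte escapes only
                i += 3
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        typ, _, val = part.lstrip().partition("=")
        rdns.append((typ.strip().lower(), unescape_rdn_value(val)))
    return rdns


def current_ou(dn: str) -> Optional[str]:
    """Value of the OU the account currently lives in (nearest 'ou' RDN)."""
    for typ, val in split_dn(dn)[1:]:  # [0] is the leaf RDN, e.g. cn=...
        if typ == "ou":
            return val
    return None


def build_dn(given_name: str, family_name: str, affiliation: str,
             iteration_token: str = "", base: str = "dc=test,dc=local") -> str:
    """Escaped equivalent of the thread's expression:
    'cn='+givenName+' '+familyName+iterationToken+',ou=The '+eduPersonAffiliation+',dc=test,dc=local'
    """
    cn = escape_rdn_value(f"{given_name} {family_name}{iteration_token}")
    ou = escape_rdn_value(f"The {affiliation}")
    return f"cn={cn},ou={ou},{base}"


def outbound_result(strength: str, existing: Optional[str], computed: str) -> str:
    """Simplified model of mapping strength for one single-valued attribute:
    a weak mapping only fills an empty target; otherwise the computed value wins."""
    if strength == "weak" and existing:
        return existing
    return computed


if __name__ == "__main__":
    old_dn = "CN=Jane Doe,OU=Students,DC=TEST,DC=LOCAL"  # constructed sample
    print("ou to store:", current_ou(old_dn))
    new_dn = build_dn("Jane", "Doe, Jr.", "Student", "2")
    print("escaped DN:", new_dn)
    print("weak keeps:", outbound_result("weak", old_dn, new_dn))
    print("strong moves:", outbound_result("strong", old_dn, new_dn))
```

Run it directly to see the three steps on the sample account. The escaping is the part worth carrying back into the Groovy expression (or into the PowerShell step that writes the "ou" attribute): whatever value lands in icfs:name is sent to AD as the account's DN, so a user-supplied name with a comma in it should never be concatenated in raw.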
<br>