<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><div>Hi Jason,<br></div><div><br></div>
<blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div dir="ltr"><div><br></div><div>AD only needs to be authoritative during the initial deployment since we have thousands of accounts in AD; after that, all accounts will be modified/added using midPoint.</div><div><br></div><div>I think using the method I outlined last to build the DN is more or less what I am moving towards. I have looked through AD attributes and the attribute "ou" in AD is not used, and it would make sense to populate that attribute with the actual OU. I can simply use a PowerShell script to add the correct value to this attribute based on the user's current OU and then build the DN in midPoint off this value.</div><div><br></div><div>Using the "ou" attribute in AD might also be the best way since later on I can use the attribute in roles and orgs; I have been looking to the orgsync story test on GitHub for inspiration.</div></div></blockquote>
<div><br></div><div>You can use a PS script in AD to fill the "ou" attribute in accounts and then import it to midPoint, but you can construct the value directly during the initial import in an inbound expression with no changes in AD. Roughly, something like this:<br></div><div><br></div>
<div> &lt;attribute&gt;<br>
 &nbsp;&nbsp;&lt;ref&gt;icfs:name&lt;/ref&gt;<br>
 &nbsp;&nbsp;&lt;displayName&gt;Distinguished Name&lt;/displayName&gt;<br>
 &nbsp;&nbsp;&lt;inbound&gt;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&lt;expression&gt;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;script&gt;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;code&gt;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// parse OU value from variable named <strong>input</strong> (represents DN) using Groovy regular expressions<br></div>
<div> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// e.g. from OU=The Student,DC=TEST,DC=LOCAL take "The Student" value<br></div>
<div><div> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// please fix the regular expression according to your setup, this is just a rough example</div><div><br></div></div>
<div> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;re = /(?i)^.*OU=(.*),DC=TEST,DC=LOCAL$/</div>
<div> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;matcher = (input =~ re)<br></div>
<div> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (matcher.matches()) return matcher[0][1]<br><br></div>
<div> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// will be stored in <strong>user/organization</strong> attribute, modify as needed<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/code&gt;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/script&gt;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&lt;/expression&gt;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&lt;target&gt;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;path&gt;$user/organization&lt;/path&gt;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&lt;/target&gt;<br>
 &nbsp;&nbsp;&lt;/inbound&gt;<br>
 &lt;/attribute&gt;<br><br></div>
<div>This is also to show you the power of the expressions in the mappings.<br></div><div><br></div><div>Regards,<br></div><div>Ivan<br></div><div><br></div><div>-- <br></div><div><span name="x"></span> Ing. Ivan Noris<br> Senior Identity Management Engineer<br> evolveum.com<br> ___________________________________________<br> "Idem per idem - semper idem Vix."<span name="x"></span><br></div></div></body></html>
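Added example, not part of the message above and not midPoint's own code: the same OU extraction done with the JDK's `javax.naming.ldap.LdapName` parser instead of a regular expression, compared against the message's regular expression on constructed DNs. With nested OUs the regular expression returns only the OU nearest the domain components, while the parser returns every OU and handles escaped commas. The helper names `ouValues` and `ouByRegex` and the sample DNs are assumptions; inside an inbound mapping the DN would come from the `input` variable.

```groovy
import javax.naming.InvalidNameException
import javax.naming.ldap.LdapName

// Hypothetical helper (not a midPoint API): returns the OU values of a DN,
// innermost OU first, or an empty list if there is no OU or the DN is malformed.
List<String> ouValues(String dn) {
    if (!dn) return []
    try {
        // LdapName parses RFC 2253 syntax, so escaped commas inside values are handled.
        // getRdns() lists RDNs right to left (DC=LOCAL first), hence the reverse().
        return new LdapName(dn).rdns.reverse()
                .findAll { it.type.equalsIgnoreCase('OU') }
                .collect { it.value.toString() }
    } catch (InvalidNameException e) {
        return []
    }
}

// The regular expression from the message above, wrapped for comparison.
String ouByRegex(String dn) {
    def matcher = (dn =~ /(?i)^.*OU=(.*),DC=TEST,DC=LOCAL$/)
    return matcher.matches() ? matcher[0][1] : null
}

// Constructed sample DNs (not taken from any real directory).
def samples = [
    'CN=jsmith,OU=The Student,DC=TEST,DC=LOCAL',      // single OU
    'CN=jsmith,OU=Physics,OU=Staff,DC=TEST,DC=LOCAL', // nested OUs
    'CN=Smith\\, John,OU=Staff,DC=TEST,DC=LOCAL',     // escaped comma in the CN
    'CN=Administrator,CN=Users,DC=TEST,DC=LOCAL',     // container, no OU at all
]
samples.each { dn ->
    println "${dn}\n  regex:  ${ouByRegex(dn)}\n  parsed: ${ouValues(dn)}"
}

assert ouValues(samples[0]) == ['The Student']
assert ouByRegex(samples[0]) == 'The Student'
assert ouValues(samples[1]) == ['Physics', 'Staff']
assert ouByRegex(samples[1]) == 'Staff'   // the inner OU "Physics" is lost
assert ouValues(samples[2]) == ['Staff']
assert ouValues(samples[3]) == []
assert ouByRegex(samples[3]) == null
```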