<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><div>Hi Jason,<br></div><div><br></div><div>I'm not sure if I understand, but if you are asking if you can create (import) an organization structure in midPoint according to your existing AD structure, the answer is yes.<br></div><div><br></div><div>If you are asking if you can provision your existing midPoint organization structure to AD, the answer is double-yes. You can actually see this in our generic-sync scenarios. For simpler cases where the organization structure is maintained in midPoint (and not in some kind of authoritative source such as CSV) this is very simple, and I'm using this just now in current projects.<br></div><div><br></div><div>It's all just configuration in midPoint (resource, roles, object templates). The inbound (from AD to midPoint) organization synchronization is a little more difficult than the outbound (midPoint to AD), but certainly doable.<br></div><div><br></div><div>Regards,<br></div><div>Ivan<br></div><div><br></div><hr id="zwchr"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;" data-mce-style="border-left: 2px solid #1010FF; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><b>From: </b>"Jason Everling" &lt;jeverling@bshp.edu&gt;<br><b>To: </b>"midPoint General Discussion" &lt;midpoint@lists.evolveum.com&gt;<br><b>Sent: </b>Thursday, October 16, 2014 10:07:34 PM<br><b>Subject: </b>Re: [midPoint] Existing Active Directory Users<br><div><br></div><div dir="ltr">That is great! I was testing this and it seems to be working.
I was also thinking about this more, and down the road once I move into Orgs and such.<div><br></div><div>I am almost certain, correct me if I am wrong, but I could also base the DN on information pulled from the Orgs in midPoint. I would pretty much be building out the Orgs in the same manner that our AD OUs are set up.</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 16, 2014 at 10:27 AM, Ivan Noris <span dir="ltr">&lt;<a href="mailto:Ivan.Noris@evolveum.com" target="_blank" data-mce-href="mailto:Ivan.Noris@evolveum.com">Ivan.Noris@evolveum.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" data-mce-style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;"><div><div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000" data-mce-style="font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000;"><div>Hi Jason,<br></div><div><br></div><blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt" data-mce-style="border-left: 2px solid #1010ff; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><div dir="ltr"><div><br></div><div>AD only needs to be authoritative during the initial deployment, since we have thousands of accounts in AD; after that, all accounts will be modified/added using midPoint.</div><div><br></div><div>I think using the method I outlined last to build the DN is more or less what I am moving towards. I have looked through AD attributes, and the attribute "ou" in AD is not used, so it would make sense to populate that attribute with the actual OU.
I can simply use a PowerShell script to add the correct value to this attribute based on the user's current OU and then build the DN in midPoint off this value.</div><div><br></div><div>Using the "ou" attribute in AD might also be the best way, since later on I can use the attribute in roles and orgs; I have been looking at the orgsync story test on GitHub for inspiration.</div></div></blockquote><div><br></div><div>You can use a PS script in AD to fill the "ou" attribute in accounts and then import it to midPoint, but you can also construct the value directly during the initial import in an inbound expression, with no changes in AD. Roughly, something like this:<br></div><div><br></div><pre>&lt;attribute&gt;
    &lt;ref&gt;icfs:name&lt;/ref&gt;
    &lt;displayName&gt;Distinguished Name&lt;/displayName&gt;
    &lt;inbound&gt;
        &lt;expression&gt;
            &lt;script&gt;
                &lt;code&gt;
                    // parse the OU value from the variable named <strong>input</strong> (represents the DN) using Groovy regular expressions
                    // e.g. from OU=The Student,DC=TEST,DC=LOCAL take the "The Student" value
                    // please fix the regular expression according to your setup, this is just a rough example
                    // the result will be stored in the <strong>user/organization</strong> attribute (see target below), modify as needed
                    re = /(?i)^.*OU=(.*),DC=TEST,DC=LOCAL$/
                    matcher = (input =~ re)
                    if (matcher.matches()) return matcher[0][1]
                    // no OU matched: the script returns null
                &lt;/code&gt;
            &lt;/script&gt;
        &lt;/expression&gt;
        &lt;target&gt;
            &lt;path&gt;$user/organization&lt;/path&gt;
        &lt;/target&gt;
    &lt;/inbound&gt;
&lt;/attribute&gt;</pre><div><br></div><div>This is also to show you the power of the expressions in the mappings.<br></div><div><br></div><div>Regards,<br></div><div>Ivan<br></div><div><br></div><div>-- <br></div><div><span></span> Ing.
Ivan Noris<br> Senior Identity Management Engineer<br> <a href="http://evolveum.com" target="_blank" data-mce-href="http://evolveum.com">evolveum.com</a><br> ___________________________________________<br> "Idem per idem - semper idem Vix."<span></span><br></div></div></div><br>_______________________________________________<br> midPoint mailing list<br> <a href="mailto:midPoint@lists.evolveum.com" target="_blank" data-mce-href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br> <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" data-mce-href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br> <br></blockquote></div><br></div></blockquote><div><br><br></div><div><br></div><div>-- <br></div><div><span name="x"></span> Ing. Ivan Noris<br> Senior Identity Management Engineer<br> evolveum.com<br> ___________________________________________<br> "Idem per idem - semper idem Vix."<span name="x"></span><br></div></div></body></html>
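The quoted mapping pulls the OU out of a DN with a rough Groovy regex, and the thread also discusses the outbound direction, building an account DN from an org structure kept in midPoint. The following is an added example, not code from the mailing-list thread or from midPoint itself: it splits a DN into RDNs following the backslash-escaping rules of RFC 4514, returns the OU path root-first (the order an org tree is walked), rebuilds a DN from a CN, an OU path and a base DN, and keeps the thread's regex alongside to show where the two differ (nested OUs, an OU name containing an escaped comma). It is written in Python rather than the Groovy used in midPoint scripts so it runs stand-alone; the function names `split_dn`, `ou_path`, `escape_rdn_value`, `build_dn` and `naive_ou` are chosen here, and the DNs are constructed sample values.

```python
"""Extract the OU path from an AD/LDAP distinguished name and build one back.

Added example, not code from midPoint or from the mailing-list thread. It
splits the DN into RDNs per RFC 4514 (backslash escapes and \\XX hex pairs
for single-byte characters) instead of the rough regex quoted in the thread,
so that nested OUs and OU names containing escaped commas come out right.
"""
import re
from typing import List, Optional, Tuple

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;')
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute type, unescaped value) pairs, leaf RDN first.

    Multi-valued RDNs (cn=a+sn=b) are rejected rather than silently mangled.
    """
    rdns: List[Tuple[str, str]] = []
    attr: List[str] = []
    value: List[str] = []
    target = attr                      # buffer currently being filled
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if _HEX_PAIR.fullmatch(pair):
                target.append(chr(int(pair, 16)))   # \2C -> ','
                i += 3
                continue
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash in DN")
            target.append(dn[i + 1])                # \, -> ','   \\ -> '\'
            i += 2
            continue
        if ch == "=" and target is attr:
            target = value
        elif ch == "," and target is value:
            rdns.append(("".join(attr).strip(), "".join(value)))
            attr, value = [], []
            target = attr
        elif ch == "+" and target is value:
            raise ValueError("multi-valued RDNs are not supported")
        else:
            target.append(ch)
        i += 1
    if target is attr:
        raise ValueError("RDN without '=' in DN: %r" % dn)
    rdns.append(("".join(attr).strip(), "".join(value)))
    return rdns


def ou_path(dn: str) -> List[str]:
    """OU values from the root-most OU down to the one the entry sits in.

    CN=Jane,OU=Grad,OU=Students,DC=test,DC=local -> ['Students', 'Grad'],
    which is the order in which an org tree in midPoint would be walked.
    """
    ous = [v for t, v in split_dn(dn) if t.lower() == "ou"]
    ous.reverse()                      # split_dn yields leaf first
    return ous


def escape_rdn_value(value: str) -> str:
    """Backslash-escape a value so it can be placed inside an RDN."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and idx == 0) or (ch == " " and idx in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn: str, ous: List[str], base_dn: str) -> str:
    """Outbound direction: CN plus a root-first OU path plus the base DN."""
    rdns = ["CN=" + escape_rdn_value(cn)]
    rdns += ["OU=" + escape_rdn_value(ou) for ou in reversed(ous)]
    return ",".join(rdns + [base_dn])


# The regex from the quoted mapping, kept here only to contrast its output.
NAIVE_RE = re.compile(r"(?i)^.*OU=(.*),DC=TEST,DC=LOCAL$")


def naive_ou(dn: str) -> Optional[str]:
    """Outermost OU as the thread's regex sees it: raw and still escaped."""
    m = NAIVE_RE.match(dn)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample DNs, not taken from any real directory.
    for dn in ("CN=Jane Doe,OU=Grad,OU=Students,DC=TEST,DC=LOCAL",
               "CN=Sam Lee,OU=Sales\\, EMEA,DC=TEST,DC=LOCAL"):
        path = ou_path(dn)
        print(dn)
        print("  regex  :", naive_ou(dn))
        print("  parsed :", path)
        print("  rebuilt:", build_dn(split_dn(dn)[0][1], path, "DC=TEST,DC=LOCAL"))
```

For the first sample the regex yields only the outermost OU (`Students`) while the parser yields the full path; for the second it yields the still-escaped `Sales\, EMEA`, which is not the value you would want to match against an org name in midPoint. Rebuilding the DN from the parsed parts reproduces the original string in both cases, which is the property the outbound mapping relies on.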