<div dir="ltr">Oh I would just lock down the midpoint ad account to the certain OUs, I know how to do it I have just never had to do it so it wasn't something I had thought about using.<div><br></div><div>There are multiple OUs 15-20 and Accounts, a ton more than I can count, that I want to ignore so going this route would be easier than adding individual accounts in the resource XML</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 27, 2014 at 9:56 AM, Ivan Noris <span dir="ltr"><<a href="mailto:Ivan.Noris@evolveum.com" target="_blank">Ivan.Noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000"><div>Hi Jason,<br></div><div><br></div><div>you can use "Delegated Administration" (or Control?) within the AD "Users and Computers" tool. The only disadvantage is that the wizard is usable only for delegating the access, not for further editing (the wizard cannot be used to add/remove something later).<br></div><div><br></div><div>You can use either this or the Protected Accounts feature in midPoint. Select what's better for you.<br></div><div><br></div><div>We commonly use the Delegated Administration to assign permissions for our technical user, to be, e.g. able to create/read/update/delete Users, Groups and OUs, but not other objects.<br></div><div><br></div><div>Regards,<br></div><div>Ivan<br></div><div><br></div><hr><blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From: </b>"Jason Everling" <<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>><br><b>To: </b>"midPoint General Discussion" <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br><b>Sent: </b>Monday, October 27, 2014 3:01:52 PM<br><b>Subject: </b>Re: [midPoint] Ignore Active Directory OUs<div><div class="h5"><br><div><br></div><div dir="ltr">You know, I have been managing AD Forests for many many years and have never had to grant specific permissions to specific OUs, I never thought about doing that since I have never had to do it! Wonderful suggestion!<div><br></div><div>JASON </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 27, 2014 at 3:53 AM, Ivan Noris <span dir="ltr"><<a href="mailto:Ivan.Noris@evolveum.com" target="_blank">Ivan.Noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000"><div>Hi Jason,<br></div><span><div><br></div><blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><div><br></div><div dir="ltr"><div>Back to AD Resource, Just thinking about our production AD Farm:</div><div><br></div>Can I have midpoint ignore certain OUs from the resource xml? There are some OUs in AD I would really not like for Midpoint to see or manage, maybe a filter?<div><br></div><div>JASON</div></div><br> <br></blockquote></span><div><br><div>There are multiple ways of configuring this:<br></div><div><br></div><div>1) you can have your permissions in AD restricted to be able to see only what you want to see<br></div><div>2) configuration property Container might be (never tested for AD) multivalue and you can specify multiple subtrees (for OpenDJ and LDAP connector this works)<br></div><div>3) you can configure Protected Accounts<br></div><div><br></div><div><a href="https://wiki.evolveum.com/display/midPoint/Protected+Accounts" target="_blank">https://wiki.evolveum.com/display/midPoint/Protected+Accounts</a><br></div><div><a href="https://jira.evolveum.com/browse/MID-859" target="_blank">https://jira.evolveum.com/browse/MID-859</a><br></div><div><br></div><div>Some examples for Protected Accounts:<br></div><div><br></div><div>- to ignore all (account) objects with carLicense=ignoreme<br></div><div><br></div><div> <protected><br> <filter><br> <q:equal><br> <q:matching>stringIgnoreCase</q:matching><br> <q:path><br>declare namespace ri="<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>";<br>attributes/ri:carLicense<br> </q:path><br> <q:value>ignoreme</q:value><br> </q:equal><br> </filter><br> </protected><br><div><br></div></div><div>- to ignore all (account) objects under ou=supersecret:<br></div><div> <protected><br> <filter><br> <q:substring><br> <q:matching>stringIgnoreCase</q:matching><br> <q:path><br>declare namespace icfs="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>";<br>attributes/icfs:name<br> </q:path><br> <q:value>ou=supersecret,ou=Users,ou=BA,ou=CUSTOMER,dc=example,dc=com</q:value><br> <strong><q:anchorEnd>true</q:anchorEnd></strong><br> </q:substring><br> </filter><br> </protected><br><div><br></div></div><div>midPoint will "see" the protected accounts, but it will mark each such account in the Shadow object as protected and will not allow its modification.<br></div><div><br></div></div><div>Regards,<br></div><div>Ivan<span><span style="color:#888888" color="#888888"><br></span></span></div><span><span style="color:#888888" color="#888888"><div><br></div><div>-- <br></div><div><span></span> Ing. Ivan Noris<br> Senior Identity Management Engineer<br> <a href="http://evolveum.com" target="_blank">evolveum.com</a><br> ___________________________________________<br> "Idem per idem - semper idem Vix."<span></span><br></div></span></span></div></div><br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>
<br>
</div></div><span style="font-size:small" size="2"><br><div><br></div>CONFIDENTIALITY NOTICE:<br>This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </span><br><span class=""><div><br></div>_______________________________________________<br>midPoint mailing list<br><a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br><a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br></span></blockquote><span class=""><div><br><br></div><div><br></div><div>-- <br></div><div><span name="x"></span> Ing. Ivan Noris<br> Senior Identity Management Engineer<br> <a href="http://evolveum.com" target="_blank">evolveum.com</a><br> ___________________________________________<br> "Idem per idem - semper idem Vix."<span name="x"></span><br></div></span></div></div><br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>
<br>
<font size="2"><br><br>CONFIDENTIALITY NOTICE:<br>This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </font><br>