<div dir="ltr">Hi Aivo,<div>I have this solution - try:</div><div><br></div><div>- Remove "outbound" element from credentials</div><div>- create "after-add" action</div><div><br></div><div><b>After-Add action calls dsmod on cmdline of AD server:</b></div><div><br></div><div><div>    <scripts></div><div>       <script></div><div>           <host>resource</host></div><div>           <language>Shell</language></div><div>           <argument></div><div>               <script></div><div>                   <code></div><div>                       currDN = '';</div><div>                       currADDispName = basic.stringify(basic.getExtensionPropertyValues(user, 'http://ami.cz/xml/ns/userExtension', 'currentADDisplayName'));</div><div>                       currADOrgUnit = basic.stringify(basic.getExtensionPropertyValues(user, 'http://ami.cz/xml/ns/userExtension', 'currentADOrgUnit'));</div><div>                       if (currADDispName != '' &amp;&amp; currADOrgUnit != '') {</div><div>                            currDN = 'CN=' + currADDispName + ',' + currADOrgUnit + ',' + basic.getResourceIcfConfigurationPropertyValue(resource, 'Container');</div><div>                            log.info('AD: Create NEW user {}', currDN);</div><div>                       }</div><div>                       return currDN;</div><div>                   </code></div><div>               </script></div><div>               <name>userDN</name></div><div>           </argument></div><div>           <argument></div><div>               <script></div><div>                   <code></div><div>                       log.info('Init Pwd of user {} = {}', user.getName(), basic.decrypt(basic.getPropertyValue(user, 'credentials/password/value')));</div><div>                       return basic.decrypt(basic.getPropertyValue(user, 'credentials/password/value'));</div><div>                   </code></div><div>               </script></div><div>               <name>initPwd</name></div><div>           </argument></div><div>           <code></div><div><b>               IF "%userDN%" NEQ "" dsmod user "%userDN%" -disabled yes -pwd "%initPwd%" -mustchpwd yes</b></div><div>               exit</div><div>           </code></div><div>           <operation>add</operation></div><div>           <order>after</order></div><div>       </script></div><div>   </scripts></div></div><div><br></div><div>Regards</div><div>Roman Pudil</div><div><br></div><br><div class="gmail_quote"><div dir="ltr">On Wed 31. 8. 2016 at 10:53, Aivo Kuhlberg <<a href="mailto:aivo.kuhlberg@rmit.ee" target="_blank">aivo.kuhlberg@rmit.ee</a>> wrote:<br></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div dir="ltr" style="font-size:12pt;color:#000000;background-color:#ffffff;font-family:Calibri,Arial,Helvetica,sans-serif">
<p>Hi,<br>
I am using midPoint 3.4 with .NET AD connector and here are my current schemaHandling password settings for AD connector:<br>
</p>
<p><br>
</p>
<p><span style="font-family:Consolas,monospace;color:rgb(114,50,173)"><span style="color:rgb(114,50,173)">         <credentials></span><br style="color:rgb(114,50,173)">
<span style="color:rgb(114,50,173)">            <password></span><br style="color:rgb(114,50,173)">
<span style="color:rgb(114,50,173)">               <outbound/></span><br style="color:rgb(114,50,173)">
<span style="color:rgb(114,50,173)">            </password></span><br style="color:rgb(114,50,173)">
<span style="color:rgb(114,50,173)">         </credentials></span><br style="color:rgb(114,50,173)">
</span></p>
<p><br>
</p>
<p>These settings mean that the AD user password changes every time it is changed in midPoint.<br>
I do not want to manage AD users' passwords with midPoint at the moment, but I still want to set the AD user password when midPoint creates a new AD account. In all other sync situations the AD password should not be changed. How should I implement that?<br>
<br>
Thanks,<br>
Aivo Kuhlberg<br>
</p>
<br>
<hr>
<font face="Arial" color="Gray" size="2">This e-mail may contain information which is classified for official use.</font>
</div>

_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr"><div><p>
                                        <span>Roman Pudil</span><br>
                                        solution architect<br>gsm: [+420] 775 663 666<br>
                                        e-mail: <a>roman.pudil@ami.cz</a></p><table><tbody><tr><td>
                                <p>
                                        AMI Praha a.s.<br>
                                        Pláničkova 11<br>
                                        162 00 Praha 6<br>
                                        tel./fax: [+420] 274 783 239<br>
                                        web: <a>www.ami.cz</a>
                                </p></td></tr></tbody></table></div></div></div>
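<p>The after-add script in the reply above builds the new account's DN from two user extension properties and the connector's Container property, then hands the DN and the decrypted initial password to <code>dsmod</code> as quoted arguments on the AD server's command line. The following is an added example, not code from the original post or from midPoint: plain JavaScript functions that stand in for the <code>basic.*</code> calls of the "userDN" argument script (the midPoint API objects <code>user</code>, <code>resource</code> and <code>basic</code> are not used, and all input values are constructed), showing the DN built with RFC 4514 escaping of the CN value and a conservative check that refuses any value that could not be passed safely as a double-quoted cmd.exe argument, which the posted script does not do.</p>

```javascript
'use strict';
// Added example, not from the original post or from midPoint. It reproduces
// the DN construction of the posted "userDN" argument script as plain
// functions and adds the checks needed before a value reaches the dsmod
// command line. All sample values below are constructed.

// Escape one attribute value for use inside an RDN (RFC 4514, section 2.4):
// ',', '+', '"', '\', '<', '>', ';' anywhere, NUL as \00, plus '#' or space
// at the start and space at the end.
function escapeRdnValue(value) {
  let out = '';
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (ch === '\0') {
      out += '\\00';
      continue;
    }
    const mustEscape =
      ',+"\\<>;'.includes(ch) ||
      (i === 0 && (ch === '#' || ch === ' ')) ||
      (i === value.length - 1 && ch === ' ');
    out += mustEscape ? '\\' + ch : ch;
  }
  return out;
}

// Same shape as the posted script: an empty string when either extension
// property is missing, otherwise CN=<display name>,<org unit>,<container>.
// displayName is a bare attribute value and is escaped; orgUnit and container
// are already DN fragments ("OU=...", "DC=...") and are used verbatim.
function buildUserDn(displayName, orgUnit, container) {
  if (!displayName || !orgUnit) {
    return '';
  }
  return 'CN=' + escapeRdnValue(displayName) + ',' + orgUnit + ',' + container;
}

// Conservative check for a value interpolated into a double-quoted cmd.exe
// argument such as "%userDN%": a double quote closes the argument, a percent
// sign triggers cmd.exe variable expansion before quotes are parsed, and
// control characters end or corrupt the line. Such values are refused rather
// than passed through; note that a display name containing '"' survives
// RFC 4514 escaping but still cannot be quoted safely for cmd.exe.
function isSafeCmdArgument(value) {
  return !/["%]/.test(value) && !/[\x00-\x1f\x7f]/.test(value);
}

// The command line the posted script runs, built only when both values pass
// the check. null means "do not run dsmod", mirroring the IF "%userDN%" NEQ ""
// guard in the post and extending it to unsafe values.
function dsmodCommandLine(userDn, initPwd) {
  if (userDn === '' || !isSafeCmdArgument(userDn) || !isSafeCmdArgument(initPwd)) {
    return null;
  }
  return 'dsmod user "' + userDn + '" -disabled yes -pwd "' + initPwd + '" -mustchpwd yes';
}

// Constructed sample standing in for the connector's Container property.
const SAMPLE_CONTAINER = 'DC=example,DC=com';

function demo() {
  const dn = buildUserDn('Smith, John', 'OU=Staff', SAMPLE_CONTAINER);
  console.log(dn);                                  // CN=Smith\, John,OU=Staff,DC=example,DC=com
  console.log(dsmodCommandLine(dn, 'Init-Pass-1')); // the full dsmod line
  // A display name with a double quote is refused instead of breaking the quoting:
  console.log(dsmodCommandLine(buildUserDn('O"Neil', 'OU=Staff', SAMPLE_CONTAINER), 'x')); // null
}

demo();
```

<p>Two things a practitioner would check when adopting the posted approach: the "initPwd" argument script writes the decrypted password to the midPoint log at INFO level, so the log then holds initial passwords in clear, and a password passed as a <code>-pwd</code> argument is visible in the process command line on the AD server for as long as <code>dsmod</code> runs. The example above therefore only prints the DN and the command it would run, and never logs the password separately.</p>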