<div dir="ltr">Hello everyone,<div><br></div><div>We're currently integrating a set of productive users from a source application (database) to MidPoint and then to an Active Directory. We need to establish specific behavior for password synchronization on specific channels and events in accordance with the following policy:</div><div>1. User password must be propagated if the user is being created in Active Directory.</div><div>2. User password must be propagated into Active Directory if the password is updated through the midpoint GUI and midpoint REST service.</div><div>3. User password must <font color="#ff0000" style="font-weight:bold">NOT</font> be propagated into Active Directory if the user already existed in the target (neither on a midpoint import event, recompute event, or manual reconciliation, etc.).</div><div><br></div><div>Our current configuration for this, in the Active Directory resource, is the following:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><pre>
&lt;credentials&gt;
    &lt;password&gt;
        &lt;outbound&gt;
            &lt;channel&gt;http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user&lt;/channel&gt;
            &lt;channel&gt;http://midpoint.evolveum.com/xml/ns/public/model/channels-3#rest&lt;/channel&gt;
            &lt;channel&gt;http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#recompute&lt;/channel&gt;
            &lt;channel&gt;http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#import&lt;/channel&gt;
            &lt;expression&gt;
                &lt;asIs/&gt;
            &lt;/expression&gt;
        &lt;/outbound&gt;
    &lt;/password&gt;
&lt;/credentials&gt;
</pre></blockquote><div><br></div><div>This seems to be responding properly to the policy defined above.</div><div>Do you consider this to be conceptually appropriate? Should this be accompanied with further configurations?</div><div><br></div><div>Thanks in advance,<br></div><div><br></div><div class="gmail_signature"><div dir="ltr"><b>Rodrigo Yanis.</b><br>Identicum S.A.<br>Jorge Newbery 3226<br>Tel: +54 (11) 4824-9971<br><a href="mailto:ryanis@identicum.com" target="_blank">ryanis@identicum.com</a><br><a href="http://www.identicum.com/" target="_blank">www.identicum.com</a></div></div>
</div>