<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi,</p>
<p>I have not previously used/needed plain resource account
assignment. I always used role assignment.</p>
<p>And be careful with the condition. The administrator user is a common
user, and reconciling/recomputing would create the account in AD as
well. I'd recommend using a condition based on e.g. employeeType,
employeeNumber or something similar.</p>
<p>Regards,</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 05/11/2017 09:17 AM, Dilek Gider
wrote:<br>
</div>
<blockquote
cite="mid:CAL797Gm7g-Orp5CmSO4MaEkmWG6ie=0WKyVmHq6oEnAjiUmKrQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Ivan,
<div><br>
</div>
<div>Thank you very much for your detailed answer. </div>
<div>I had a user template, I have added and tried many things
on template, "&lt;assignmentTargetSearch&gt;",
"&lt;accountConstruction&gt;", "&lt;inducement&gt;",
"&lt;construction&gt;&lt;kind&gt;&lt;account&gt;"...... But
none of them worked. </div>
<div><br>
</div>
<div>Now I will try what you suggested step by step, I will
inform you, thank you again.</div>
<div><br>
</div>
<div>user template:</div>
<div><br>
</div>
<div>
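<div>&lt;mapping&gt;</div>
<div>&nbsp;&nbsp;&lt;description&gt;AD Resource Create&lt;/description&gt;</div>
<div>&nbsp;&nbsp;&lt;strength&gt;strong&lt;/strength&gt;</div>
<div>&nbsp;&nbsp;&lt;source&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;c:path&gt;name&lt;/c:path&gt;</div>
<div>&nbsp;&nbsp;&lt;/source&gt;</div>
<div>&nbsp;&nbsp;&lt;expression&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;value&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;construction&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" type="c:ResourceType"/&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/construction&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;/value&gt;</div>
<div>&nbsp;&nbsp;&lt;/expression&gt;</div>
<div>&nbsp;&nbsp;&lt;target&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;c:path&gt;assignment&lt;/c:path&gt;</div>
<div>&nbsp;&nbsp;&lt;/target&gt;</div>
<div>&nbsp;&nbsp;&lt;condition&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;script&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;code&gt;name != null&lt;/code&gt;</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;/script&gt;</div>
<div>&nbsp;&nbsp;&lt;/condition&gt;</div>
<div>&lt;/mapping&gt;</div>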
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, May 10, 2017 at 5:23 PM,
Ivan Noris <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>Hi Dilek,</p>
<p>Not sure if I understand, so I'll try to explain what
I think you want.</p>
<p>If you want to get your midPoint users to AD, the
term "bulk import" does not quite correspond to it.
To me it seems you want to provision your midpoint
users to AD.</p>
<p>LiveSync and Reconciliation evaluate
situations/changes in resource and are able to
import the accounts to midPoint and link or create
users.<br>
</p>
<p>To provision users to AD resource, you need:<br>
</p>
<p>1) outbound mappings in your resource. That is
probably OK, as you can manually add AD account to
(specific) users</p>
<p>2) role with construction to AD resource</p>
<p>3) default object template which will assign role
from 2) to (all or specific) users in midPoint</p>
<p>Example of such template is:
<a moz-do-not-send="true"
class="gmail-m_-5082767416142375561moz-txt-link-freetext"
href="https://github.com/Evolveum/midpoint/blob/v3.5.1/samples/objects/object-template-user.xml"
target="_blank">https://github.com/Evolveum/<wbr>midpoint/blob/v3.5.1/samples/<wbr>objects/object-template-user.<wbr>xml</a></p>
<p>See the mapping named "basic role". The "oid"
referenced in assignmentTargetSearch is the oid of
your role (with construction for AD account). In
real life, there should be a condition so that the
role is not assigned to all users, but e.g. to
employees only.<br>
</p>
<p>The template must be configured as default in
Configuration - System for UserType objects.</p>
<p>After that, you only need to edit any existing user
and check "Reconcile" checkbox and save. The account
will be created according to the role and AD schema
handling mappings.</p>
<p>To populate all users, you would need to run
Recompute task. That would do exactly the same as
"Reconcile" checkbox for all users.</p>
<p>Regards,</p>
<p>Ivan<br>
</p>
<br>
<div
class="gmail-m_-5082767416142375561moz-cite-prefix">On
05/10/2017 11:52 AM, Dilek Gider wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>I have a resource with ADLDAPConnector. I
want to add all of midpoint users to AD.</div>
<div>I have a resource xml, it works by manually
adding user to AD account. But when I run recon
job task or live synch task, it only evaluates
AD users, doesn't evaluate midpoint users. Is
there any other method to create midpoint users
in any resource?</div>
<div><br>
</div>
<div>Thank you very much.</div>
<div><br>
</div>
<div>Dilek</div>
</div>
<br>
<fieldset
class="gmail-m_-5082767416142375561mimeAttachmentHeader"></fieldset>
<br>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a moz-do-not-send="true" class="gmail-m_-5082767416142375561moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="gmail-m_-5082767416142375561moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><span class="gmail-HOEnZb"><font color="#888888">
</font></span></pre><span class="gmail-HOEnZb"><font color="#888888">
</font></span></blockquote><span class="gmail-HOEnZb"><font color="#888888">
<pre class="gmail-m_-5082767416142375561moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span></div>
</blockquote></div>
</div></div></div>
</blockquote>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre></body></html>
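<p>Added example, not part of the original thread and not Evolveum's sample: the role-plus-template setup described in steps 2) and 3), with the assignment condition narrowed to an employee attribute so that the administrator user does not receive an AD account on recompute. The role and template OIDs are placeholders, the names are hypothetical, and it is an assumption that only real employees have employeeNumber set.</p>
<pre>
```xml
&lt;!-- Step 2: role whose inducement constructs the AD account. --&gt;
&lt;role oid="ROLE-OID-PLACEHOLDER"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"&gt;
    &lt;name&gt;AD Account&lt;/name&gt; &lt;!-- hypothetical role name --&gt;
    &lt;inducement&gt;
        &lt;construction&gt;
            &lt;!-- resource OID as quoted in the thread --&gt;
            &lt;resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2"
                         type="c:ResourceType"/&gt;
            &lt;kind&gt;account&lt;/kind&gt;
        &lt;/construction&gt;
    &lt;/inducement&gt;
&lt;/role&gt;

&lt;!-- Step 3: default user template that assigns the role. --&gt;
&lt;objectTemplate oid="TEMPLATE-OID-PLACEHOLDER"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"&gt;
    &lt;name&gt;Default User Template&lt;/name&gt; &lt;!-- hypothetical name --&gt;
    &lt;mapping&gt;
        &lt;name&gt;AD role for employees&lt;/name&gt;
        &lt;source&gt;
            &lt;!-- Discriminating attribute instead of "name", which
                 every user (administrator included) has. --&gt;
            &lt;path&gt;employeeNumber&lt;/path&gt;
        &lt;/source&gt;
        &lt;expression&gt;
            &lt;assignmentTargetSearch&gt;
                &lt;targetType&gt;c:RoleType&lt;/targetType&gt;
                &lt;oid&gt;ROLE-OID-PLACEHOLDER&lt;/oid&gt;
            &lt;/assignmentTargetSearch&gt;
        &lt;/expression&gt;
        &lt;target&gt;
            &lt;path&gt;assignment&lt;/path&gt;
        &lt;/target&gt;
        &lt;condition&gt;
            &lt;script&gt;
                &lt;!-- Assumption: only employees carry employeeNumber. --&gt;
                &lt;code&gt;employeeNumber != null&lt;/code&gt;
            &lt;/script&gt;
        &lt;/condition&gt;
    &lt;/mapping&gt;
&lt;/objectTemplate&gt;
```
</pre>
<p>Before running the Recompute task over all users, reconcile one employee and the administrator user individually and confirm that only the employee gains the role assignment and the AD account.</p>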