<div dir="ltr">If you go the route Brad mentioned you wouldn't run into that issue because you can have a condition for each intent. You can also use the builtin AD groups for users and computers<div><br></div><div>Going off his,</div><div><br></div><div>Intent: user</div><div><br></div><div>
    <condition><br>
            <script><br>
               <code><br>
                    mem = basic.getAttributeValues(shadow, "memberOf")<br>
                        if (mem == null){<br>
                             return false<br>
                        }<br>
                        else if (!mem.contains("CN=Domain Users,CN=Users,DC=domain,DC=tld")){<br>
                             return false<br>
                         }<br>
                        else if (mem.contains("CN=Domain Users,CN=Users,DC=domain,DC=tld")){<br>
                             return true<br>
                         }<br>
                </code><br>
            </script><br>
         </condition><br></div><div><br></div><div>Intent: computer</div><div><br></div><div>
    <condition><br>
            <script><br>
               <code><br>
                    mem = basic.getAttributeValues(shadow, "memberOf")<br>
                        if (mem == null){<br>
                             return false<br>
                        }<br>
                        else if (!mem.contains("CN=Domain Computers,CN=Users,DC=domain,DC=tld")){<br>
                             return false<br>
                         }<br>
                        else if (mem.contains("CN=Domain Computers,CN=Users,DC=domain,DC=tld")){<br>
                             return true<br>
                         }<br>
                </code><br>
            </script><br>
         </condition><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">JASON</div></div></div>
<br><div class="gmail_quote">On Thu, Feb 15, 2018 at 9:11 AM, Marco Benucci <span dir="ltr"><<a href="mailto:m.benucci@nsr.it" target="_blank">m.benucci@nsr.it</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <p><font face="Roboto">Thank you for your reply Brad, it surely
        works.<br>
      </font></p>
    <p><font face="Roboto">By the way, I have found another solution on
        the wiki to handle such situations. It's about Protected
        Accounts
        (<a class="m_-8757017099124323053moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Protected+Accounts" target="_blank">https://wiki.evolveum.com/display/midPoint/Protected+Accounts</a>)<br>
        Basically, protected accounts will be ignored in import, live
        sync, reconciliation or any other synchronization mechanism. </font><br>
      You can just add the "protected" code to filter objects during the
      above phases.<br>
    </p>
    <schemaHandling><br>
    ...<br>
    <objectType><br>
    <protected><br>
                <filter><br>
                   <q:equal><br>
                      <q:path>declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"; attributes/ri:objectCategory</q:path><br>
                      <q:value>CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com</q:value><br>
                   </q:equal><br>
                </filter><br>
             </protected><br>
    ...<br>
          </objectType><br>
    </schemaHandling><br>
    <br>
    I think it's a viable solution, for now, but maybe it's not the
    perfect one...<br>
    E.g. in the future I would like to manage Computers too (maybe as a
    Service?), using the "Computer" class loaded by the connector in the
    resource schema. What happens if I mark that account as "protected"
    in a schemaHandling, but in another schemaHandling that account (is
    that actually the same account??) is not protected?<br>
    <br>
    I'll let you know.<span class="HOEnZb"><font color="#888888"><br>
    <br>
    Marco</font></span><div><div class="h5"><br>
    <br>
    <br>
    <div class="m_-8757017099124323053moz-cite-prefix">On 02/15/2018 03:19 PM, Brad Firestone
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      Hello Marco,<br>
      <br>
      I'm not sure if this will help you, but below is the conditional
      script I use in my AD Resource to import/sync only AD accounts who
      are members of one certain AD Distribution Group.  Maybe you can
      use something similar if you can find a property that is unique to
      people or computers.  I don't know enough about AD to point to the
      exact attribute you might want to use.<br>
      <br>
          <condition><br>
                  <script><br>
                     <code><br>
                          mem = basic.getAttributeValues(shadow, "memberOf")<br>
                              if (mem == null){<br>
                                   return false<br>
                              }<br>
                              else if (!mem.contains("CN=MyGroup,OU=Distribution Groups,OU=Groups,DC=domain,DC=tld")){<br>
                                   return false<br>
                               }<br>
                              else if (mem.contains("CN=MyGroup,OU=Distribution Groups,OU=Groups,DC=domain,DC=tld")){<br>
                                   return true<br>
                               }<br>
                      </code><br>
                  </script><br>
               </condition><br>
      <br>
      Basically, this pulls the value of "memberOf" attributes.  If this
      attribute doesn't exist - don't import.  If the attribute exists
      but doesn't match my selected group - don't import.  If the
      attribute does match my selected group - import.  "memberOf" is a
      multivalued attribute.  I THINK you would use: 
      basic.getAttributeValue  (Value not Values) if you are using a
      single valued attribute.<br>
      <br>
      I hope this helps!<br>
      Brad<br>
      <br>
      <span>On 2/15/18, 4:33 AM, Marco Benucci wrote:</span><br>
      <blockquote type="cite">
        
        <p><font face="Roboto">Hi all,</font></p>
        <p><font face="Roboto">I'm running midpoint 3.6 and I'm
            configuring an Active Directory resource using the ADLdap
            connector (1.5.1).<br>
            Now, whenever an account is considered "unmatched" I need to
            create a user and link the user to that account, but in
            this AD there are also many "Computer" objects that, at least
            for now, I do not want in.<br>
            The main problem, I think, is that Computers, in AD, also
            have the objectClasses "top", "person",
            "organizationalPerson" and "user", just like Users, so the
            workaround<br>
            <br>
            <generationConstraints><br>
                    <generateObjectClass>ri:user</generateObjectClass><br>
                    <generateObjectClass>ri:group</generateObjectClass><br>
            </generationConstraints></font></p>
        <p><font face="Roboto">does not work because Computers share
            all their classes with Users, except the "computer" objectClass.<br>
          </font></p>
        <p><font face="Roboto">Is there a smart way to exclude them
            during synchronization? I do not want an unmatched
            account for a computer to create a user...<br>
            <br>
            Thank you,<br>
            Marco</font></p>
        <p><font face="Roboto"><br>
          </font></p>
        <pre>_______________________________________________
midPoint mailing list
<a class="m_-8757017099124323053moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-8757017099124323053moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
      </blockquote>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div>
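<p>Added example, not part of any message in this thread and not midPoint code: a Python model of the two selection rules discussed above (the memberOf condition and the Computer objectCategory/objectClass test), run over constructed directory entries. All DNs, the group name and the function names are assumptions made for the illustration; DN comparison is simplified to case folding and does not handle escaped commas.</p>

```python
# Constructed sample entries; none of these values come from the thread.
GROUP = "CN=MyGroup,OU=Groups,DC=example,DC=com"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SCHEMA = "CN=Schema,CN=Configuration,DC=example,DC=com"
SAMPLE = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com", "objectClass": USER_CLASSES,
     "objectCategory": "CN=Person," + SCHEMA,
     "memberOf": ["cn=mygroup,ou=groups,dc=example,dc=com"]},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=com", "objectClass": USER_CLASSES,
     "objectCategory": "CN=Person," + SCHEMA},  # no memberOf values at all
    {"dn": "CN=WS01,CN=Computers,DC=example,DC=com",
     "objectClass": USER_CLASSES + ["computer"],
     "objectCategory": "CN=Computer," + SCHEMA, "memberOf": [GROUP]},
]


def norm_dn(dn):
    """Fold case and drop padding so equal DNs compare equal (simplified)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_group(entry, group_dn):
    """Model of the memberOf condition: True only if the group is listed."""
    groups = entry.get("memberOf")
    if not groups:
        # AD does not list an account's primary group (e.g. Domain Users) in
        # memberOf, so an account with no other groups arrives here.
        return False
    wanted = norm_dn(group_dn)
    return any(norm_dn(g) == wanted for g in groups)


def is_computer(entry):
    """Computers carry every user class plus 'computer'; test the difference."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    category = norm_dn(entry.get("objectCategory", ""))
    return "computer" in classes or category.startswith("cn=computer,")


def should_create_user(entry, group_dn=None):
    """Never create a user for a computer; optionally require a group."""
    if is_computer(entry):
        return False
    return True if group_dn is None else in_group(entry, group_dn)


def decisions(entries, group_dn=None):
    return {e["dn"]: should_create_user(e, group_dn) for e in entries}


if __name__ == "__main__":
    for dn, ok in decisions(SAMPLE, GROUP).items():
        print("create user" if ok else "skip", dn)
```

The computer entry is a member of the constructed group, so a group condition alone would accept it; the objectClass/objectCategory test is what excludes it.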