<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font face="Roboto">Thank you for your reply Brad, it surely
works.<br>
</font></p>
<p><font face="Roboto">By the way, I have found another solution on
the wiki to handle such situations. It's about Protected
Accounts
(<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Protected+Accounts">https://wiki.evolveum.com/display/midPoint/Protected+Accounts</a>)<br>
Basically, protected accounts will be ignored in import, live
sync, reconciliation or any other synchronization mechanism. </font><br>
You can just add the "protected" code to filter objects during the
above phases.<br>
</p>
&lt;schemaHandling&gt;<br>
...<br>
&lt;objectType&gt;<br>
&lt;protected&gt;<br>
&lt;filter&gt;<br>
&lt;q:equal&gt;<br>
&lt;q:path&gt;declare namespace
ri=<a class="moz-txt-link-rfc2396E" href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a>;
<br>
attributes/ri:objectCategory&lt;/q:path&gt;<br>
&lt;q:value&gt;CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com&lt;/q:value&gt;<br>
&lt;/q:equal&gt;<br>
&lt;/filter&gt;<br>
&lt;/protected&gt;<br>
...<br>
&lt;/objectType&gt;<br>
&lt;/schemaHandling&gt;<br>
<br>
I think it's a viable solution, for now, but maybe it's not the
perfect one...<br>
E.g., in the future I would like to manage Computers too (maybe as a
Service?), using the "Computer" class loaded by the connector in the
resource schema. What happens if I mark that account as "protected"
in a schemaHandling, but in another schemaHandling that account (is
that actually the same account??) is not protected?<br>
<br>
I'll let you know.<br>
<br>
Marco<br>
<br>
<br>
<div class="moz-cite-prefix">On 02/15/2018 03:19 PM, Brad Firestone
wrote:<br>
</div>
<blockquote type="cite" cite="mid:5A8596F6.7020101@gmail.com">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
Hello Marco,<br>
<br>
I'm not sure if this will help you, but below is the conditional
script I use in my AD Resource to import/sync only AD accounts who
are members of one certain AD Distribution Group. Maybe you can
use something similar if you can find a property that is unique to
people or computers. I don't know enough about AD to point to the
exact attribute you might want to use.<br>
<br>
&lt;condition&gt;<br>
&lt;script&gt;<br>
&lt;code&gt;<br>
// memberOf is multivalued, so read all of its values<br>
mem = basic.getAttributeValues(shadow, "memberOf")<br>
if (mem == null){<br>
return false<br>
}<br>
else if (!mem.contains("CN=MyGroup,OU=Distribution Groups,OU=Groups,DC=domain,DC=tld")){<br>
return false<br>
}<br>
else if (mem.contains("CN=MyGroup,OU=Distribution Groups,OU=Groups,DC=domain,DC=tld")){<br>
return true<br>
}<br>
&lt;/code&gt;<br>
&lt;/script&gt;<br>
&lt;/condition&gt;<br>
<br>
Basically, this pulls the value of "memberOf" attributes. If this
attribute doesn't exist - don't import. If the attribute exists
but doesn't match my selected group - don't import. If the
attribute does match my selected group - import. "memberOf" is a
multivalued attribute. I THINK you would use:
basic.getAttributeValue (Value not Values) if you are using a
single valued attribute.<br>
<br>
I hope this helps!<br>
Brad<br>
<br>
<span>On 2/15/18, 4:33 AM, Marco Benucci wrote:</span><br>
<blockquote cite="mid:043ae586-8ff3-0e7b-23fa-3bc220db60a9@nsr.it"
type="cite">
<meta http-equiv="content-type" content="text/html;
charset=utf-8">
<p><font face="Roboto">Hi all,</font></p>
<p><font face="Roboto">I'm running midpoint 3.6 and I'm
configuring an Active Directory resource using the ADLdap
connector (1.5.1).<br>
Now, whenever an account is considered "unmatched" I need to
create a user and link the user to that account, but in
this AD there are also many "Computer" objects that, at least
for now, I do not want in.<br>
The main problem, I think, is that Computers, in AD, also
have the objectClasses "top", "person",
"organizationalPerson" and "user", just like Users, so the
workaround<br>
<br>
&lt;generationConstraints&gt;<br>
&lt;generateObjectClass&gt;ri:user&lt;/generateObjectClass&gt;<br>
&lt;generateObjectClass&gt;ri:group&lt;/generateObjectClass&gt;<br>
&lt;/generationConstraints&gt;</font></p>
<p><font face="Roboto">does not work because Computers share
all their classes with Users, except the "computer" objectClass.<br>
</font></p>
<p><font face="Roboto">Is there a smart way to exclude them
during synchronization? I do not want an unmatched
account for a computer to create a user...<br>
<br>
Thank you,<br>
Marco</font></p>
<p><font face="Roboto"><br>
</font></p>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</blockquote>
<br>
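<p>Added example, not part of the original thread and not midPoint code: a small Python model of the three tests discussed above (objectClass only, the objectCategory equality used in the protected filter, and the memberOf group condition), run over constructed directory entries. The entry names, the group DN under DC=example,DC=com, the simplified DN normalisation and the order of checks in <code>decide()</code> are assumptions made for illustration.</p>

```python
# Added illustration; every entry below is constructed sample data.
COMPUTER_CATEGORY = "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com"
PERSON_CATEGORY = "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com"
SYNC_GROUP = "CN=MyGroup,OU=Distribution Groups,OU=Groups,DC=example,DC=com"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

def norm_dn(dn):
    """Simplified DN normalisation: lower-case and trim each RDN.
    (Does not handle escaped commas inside an RDN value.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))

def matches_user_class(entry):
    """objectClass-only test: true for computers as well as for people."""
    return "user" in {c.lower() for c in entry.get("objectClass", [])}

def is_protected(entry):
    """Equality test on objectCategory, as in the protected filter."""
    cat = entry.get("objectCategory")
    return cat is not None and norm_dn(cat) == norm_dn(COMPUTER_CATEGORY)

def in_sync_group(entry):
    """Group test in the style of the memberOf condition (multivalued)."""
    groups = {norm_dn(g) for g in entry.get("memberOf", [])}
    return norm_dn(SYNC_GROUP) in groups

def decide(entry):
    """Assumed order for this sketch: protection first, then class, then group."""
    if is_protected(entry):
        return "protected"
    if not matches_user_class(entry):
        return "ignored"
    return "import" if in_sync_group(entry) else "skip"

ENTRIES = {  # constructed samples
    "alice": {"objectClass": USER_CLASSES,
              "objectCategory": PERSON_CATEGORY,
              "memberOf": [SYNC_GROUP]},
    # A computer carries every user class plus "computer"; category is
    # written in a different case to exercise the normalisation.
    "WS01$": {"objectClass": USER_CLASSES + ["computer"],
              "objectCategory": COMPUTER_CATEGORY.lower(),
              "memberOf": [SYNC_GROUP]},
    "svc-backup": {"objectClass": USER_CLASSES,
                   "objectCategory": PERSON_CATEGORY},
}

def report():
    return {name: decide(entry) for name, entry in ENTRIES.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(name, verdict)
```

<p>The computer entry passes both the objectClass test and the group test, so only the objectCategory check keeps it from being treated as a person.</p>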
</body>
</html>