Import usernames from Active Directory

When setting up the HRIS resource, you used employee numbers (empnum) for account names in midPoint because the HR system does not have any better unique identifier. Now that you have Active Directory connected, midPoint has access to more human-friendly usernames that are in AD.

What awaits you in this module

In this module, you will use the AD usernames as new identifiers for the focal objects (users) in midPoint.

  1. You will set the original HRIS mapping that fills the name attribute in midPoint focal objects with employee numbers as weak to prevent it from overwriting the new usernames.

  2. You will create a new inbound mapping for AD that will copy the AD usernames to the name attribute. You will make the new mapping strong to overwrite the original employee numbers in the attribute.

  3. As always, you will simulate reconciliation to verify the setup before you activate it.

In general, we use Active Directory in this guide as a target application, meaning we (will) write data to it rather than use it as a data source. In this particular case, though, Active Directory serves as a data source. As we mentioned before, no coin is one-sided.

1. Adjust the mappings to prepare for username import

To use the AD usernames as the primary identifier for users in midPoint, you need to adjust mappings for both the HRIS and AD resources.

1.1. Make the old HRIS name mapping weak

Firstly, adjust the strength of the HR resource name mapping so that it does not overwrite non-empty values. Refer to Mappings for details on mapping strength options.

Follow this guide: Adjust advanced mapping options

  1. In your HR resource, open inbound mapping settings.

  2. Locate the mapping populating the name attribute with the value of the source empnum attribute. In this guide, it is called empnum-to-name.

  3. In advanced settings of the mapping, change its strength to weak.

1.2. Add new mapping to AD for usernames

Secondly, add a new inbound mapping for the name attribute in the AD resource. Leave this mapping set as strong so that it can overwrite existing values. This is the default.

  1. Look into your AD data and locate the name of the attribute that holds usernames. They have to be unique across all accounts.
    In the training data used in this guide, the name of the attribute is uid.

  2. In your AD resource, open inbound mapping settings.

  3. Add a new mapping according to the table below.

Table 1. Strong inbound mapping to copy uid parameter with usernames to name parameter

Name                          Source  Expression  Target  Lifecycle state  Comments
inbound-uid-username-to-name  uid     As is       name    Proposed

Keep the mapping Strength set to Strong and the Use for option to Undefined.
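The two GUI procedures above (1.1 and 1.2) correspond to the following fragments of the resource definitions in midPoint's XML representation. This is an added example, not configuration from the original page or from the training data: the attribute names empnum and uid and the mapping names come from the page, while the object type (kind account, intent default) and the ri: namespace prefix are assumptions about how the resources were set up.

```xml
<!-- HR resource: excerpt of schemaHandling (added example, assumptions noted inline) -->
<schemaHandling>
  <objectType>
    <kind>account</kind>          <!-- assumed object type -->
    <intent>default</intent>      <!-- assumed intent -->
    <attribute>
      <ref>ri:empnum</ref>
      <inbound>
        <name>empnum-to-name</name>
        <!-- weak: sets name only when the focal object has no value yet,
             so it no longer overwrites usernames imported from AD -->
        <strength>weak</strength>
        <target>
          <path>name</path>
        </target>
      </inbound>
    </attribute>
  </objectType>
</schemaHandling>

<!-- AD resource: excerpt of schemaHandling (added example) -->
<schemaHandling>
  <objectType>
    <kind>account</kind>          <!-- assumed object type -->
    <intent>default</intent>      <!-- assumed intent -->
    <attribute>
      <ref>ri:uid</ref>
      <inbound>
        <name>inbound-uid-username-to-name</name>
        <!-- proposed: evaluated only in simulation until switched to active -->
        <lifecycleState>proposed</lifecycleState>
        <!-- strong is the default; stated explicitly so the intent is visible -->
        <strength>strong</strength>
        <!-- no expression element means the value is copied "as is";
             no "use" element corresponds to the Use for option left Undefined -->
        <target>
          <path>name</path>
        </target>
      </inbound>
    </attribute>
  </objectType>
</schemaHandling>
```

With both mappings in place, the HR mapping still seeds name with the employee number for a user that does not exist yet, and the AD mapping then replaces it with the uid on the next reconciliation. Switching lifecycleState to active is the only change needed for production (section 3).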

Figure 1. AD resource inbound mappings, the proposed one being the one for importing usernames

2. Test the configuration update

To check the behavior of your new configuration, use reconciliation tasks. Since you have already reconciled the AD accounts earlier in this guide, you have the reconciliation tasks defined and available for reuse.

  • Refer to the link module for a refresher on reconciliation tasks.

    • When you view the results of the simulation, you should see the focus renamed note.

  • Use the import preview functionality to simulate the effects of your configuration changes on a single account.

  • Refer to Create and Run Tasks in GUI for the guide on working with tasks in the graphical user interface.

Make sure you run the reconciliation tasks on the AD resource.

Figure 2. A single user import preview result showing that the username would be imported successfully and the focus object would be renamed

3. Rename users to AD usernames on production

Once you confirm the simulation yields expected results, reconcile the accounts in production:

  1. In AD mappings, change the lifecycle state for the inbound-uid-username-to-name mapping from Proposed to Active.

  2. Run the real production reconciliation task which you used to reconcile the AD accounts in link.

Figure 3. List of midPoint users before the import of usernames from AD
Figure 4. List of midPoint users after the import of usernames from AD. Notice that their primary identifier (name) has changed to their respective AD usernames.

Next steps

You enabled importing nice usernames to midPoint thanks to the dynamic approach to resources midPoint can take when needed. The next step to take in the journey of integrating the target system is to automatically remove orphaned and malicious accounts. After that, you will learn how to provision data to Active Directory to fix wrong attribute values or tackle the joiner-mover-leaver process, for instance.
