Rectify unauthorized changes in Active Directory

Test how your midPoint configuration enforces data consistency across connected applications. You have already seen how midPoint detects orphaned accounts and deletes them unless explicitly told otherwise. However, what about unauthorized changes to legitimate accounts made directly on the Active Directory server?

What awaits you in this module

You will make several "mistakes" or "malicious attacks" on the target AD system without changing the source HRIS data. You will then observe how midPoint fixes the data inconsistencies you will have introduced:

  1. Pause the recurring HRIS reconciliation task so that it does not fix the issues immediately, before you can see what exactly happened.

  2. "Make a mistake" and delete an account on the AD server.

  3. "Malevolently" edit a few account attributes on the AD server, as well as remove someone from the all-users group.

  4. Simulate production reconciliation to confirm midPoint reverts your edits according to your configuration rules.

  5. Resume the HRIS reconciliation task to make the disaster recovery setup automated again.

1. Put automatic HRIS reconciliation on hold

In order to observe midPoint behavior in detail, you need to stop the recurring HRIS reconciliation task that automatically synchronizes HRIS accounts with the rest of your IGA ecosystem (midPoint and AD).

  1. In the HRIS resource, go to Defined Tasks and open the production HRIS reconciliation task for editing.

    • You can easily identify the task by the Execution state—it should be the only one in the Runnable state.

  2. In the top task bar, under Task operations, click the red Suspend button.

HRIS reconciliation task with the mouse pointer on the Suspend button
Figure 1. Suspend the recurring reconciliation task on the HRIS resource before you start testing your configuration

While the task is suspended, accounts added or changed in the HRIS are not picked up and provisioned automatically, and changes made directly in Active Directory are not overwritten with the authoritative HRIS data. This is what you want for the test: the sabotage you are about to perform stays in place until you run the reconciliation yourself. It also means that real drift accumulates for as long as the task stays suspended, so do not leave it suspended longer than the test requires.

2. Delete an account directly in Active Directory

Now, make the first "mistake": Delete one account directly on the AD server. Such an action is certainly possible, as an AD administrator may, in error or not, delete an account managed by midPoint.

  1. Navigate to the AD server web UI.

  2. In the left-side navigation, expand dc=example,dc=com.

  3. Expand ou=users.

  4. Pick whichever user you like, e.g., cn=Alexander Freeman, and click the item to edit the user.

  5. In the toolbar at the top, click Delete this entry to delete the user.

  6. Click Delete on the confirmation screen.

AD UI with user details opened and mouse pointer on the delete user button.
Figure 2. Delete an arbitrary user directly on the AD to test midPoint provisioning configuration

3. Change account data directly in Active Directory

The next step is to edit some user's data directly on the target AD server. This action is realistic as well: an AD admin may make a mistake, or go rogue and start making malicious changes. Your goal is to test the resilience of your setup against such actions.

  1. In the AD user interface, open any user for editing, e.g., cn=Alice Baker.

  2. Change some of her attributes. For example:

    • l (locality) to Black Ash City

    • givenName to Rabbit

  3. Click Update Object.

Next, remove that user (or any other user) from the all-users group:

  1. Under dc=example,dc=com, expand ou=groups.

  2. Click cn=all-users to open the group for editing.

  3. Scroll down and click modify group members beneath the group member list.

  4. Select the user you want to remove from the group.

  5. Click <<< Remove selected.

  6. Click Save changes.

  7. The confirmation screen that appears highlights the removed member. Click Update Object to confirm the change.

Screenshot: removing a user from the all-users group in the AD web UI

That is enough sabotage. Let us see what midPoint does about the situation.

4. Simulate reconciliation to observe data rectification

To observe how midPoint deals with the new discrepancies on the target system, run a simulated reconciliation of the HRIS resource using the production configuration. The simulation must use the production configuration because all your settings are in the Active lifecycle state, so that is the configuration the real recurring task runs with; the simulation shows you exactly what it would do, without touching AD.

If you do not yet have a task to simulate reconciliation on production, create one.

Follow this guide: Create and Run Tasks in GUI

  1. In the HRIS resource, create a new reconciliation task with the simulation toggle on.

  2. Name the task, e.g., HRIS reconciliation - production simulation

  3. Keep kind and intent at their defaults (Account, default).

  4. On the Execution screen, set Mode to Preview and Configuration to Production.

  5. Save the task and run it.

After it finishes, click Show simulation result to observe the outcome.

  • You should see that one projection entitlement has changed: Alice Baker would get back her membership in the all-users group.

  • There should be two resource objects affected: Alice Baker getting the changed attributes corrected, and Alexander Freeman getting his account in AD back.

Simulated production reconciliation of the HRIS resource fixed all unauthorized changes made directly on the AD server
Figure 3. Simulated production reconciliation of the HRIS resource fixed all unauthorized changes made directly on the AD server

Obviously, the numbers may differ based on the number of changes you have actually made. Nevertheless, the end result should be the same: All accounts impacted by unauthorized changes made directly on the target AD server should have their data corrected based on the HRIS resource data.

What if I need to make changes in AD and keep them?

If you need to change the AD data directly and keep the changes, mark the affected accounts in midPoint with the Do not touch mark, for example. The reconciliation task then leaves their data in AD as it is. Keep in mind that such accounts are excluded from the enforcement you have just tested, so review them periodically and remove the mark once the exception is no longer needed.
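The following is an added illustration of the decisions described above (the simulation result in step 4 and the effect of the Do not touch mark); it is not midPoint's own code. midPoint derives the expected account from the resource's outbound mappings and identifies accounts through shadows; here the mapping is a small hard-coded function and accounts are keyed by DN. The HRIS records and the AD snapshot (taken after the sabotage in steps 2 and 3) are constructed for the example, and the "Do not touch" mark is modelled as a plain set of DNs.

```python
"""Model of the decisions an HRIS -> AD reconciliation makes.

Added example for this page, not midPoint code. Expected accounts come from
a hard-coded stand-in for the outbound mappings; accounts are keyed by DN.
"""

USERS_BASE = "ou=users,dc=example,dc=com"
ALL_USERS = "cn=all-users,ou=groups,dc=example,dc=com"

# Constructed HRIS records: the authoritative source of truth.
HRIS = [
    {"givenName": "Alexander", "sn": "Freeman", "l": "Springfield"},
    {"givenName": "Alice", "sn": "Baker", "l": "Shelbyville"},
]

# Constructed AD snapshot after the sabotage: Alexander Freeman deleted,
# Alice's l and givenName edited, Alice removed from all-users.
AD_ACCOUNTS = {
    f"cn=Alice Baker,{USERS_BASE}": {"givenName": "Rabbit", "sn": "Baker", "l": "Black Ash City"},
}
AD_GROUPS = {ALL_USERS: set()}


def expected_account(rec):
    """Stand-in for the outbound mappings: DN, attributes and group memberships."""
    dn = f"cn={rec['givenName']} {rec['sn']},{USERS_BASE}"
    attrs = {"givenName": rec["givenName"], "sn": rec["sn"], "l": rec["l"]}
    return dn, attrs, {ALL_USERS}


def reconcile(hris, ad_accounts, ad_groups, do_not_touch=frozenset()):
    """Return the corrective actions a reconciliation run would apply to AD.

    Actions: ("add", dn, attrs, groups), ("modify", dn, {attr: (ad_value, hris_value)}),
    ("entitlement_add", dn, group) and ("delete", dn) for orphans. Accounts whose
    DN is in do_not_touch (the "Do not touch" mark, modelled as a set) get no actions.
    """
    actions = []
    managed = set()
    for rec in hris:
        dn, attrs, groups = expected_account(rec)
        managed.add(dn)
        if dn in do_not_touch:
            continue
        current = ad_accounts.get(dn)
        if current is None:
            # Deleted directly on AD: recreate it, memberships included.
            actions.append(("add", dn, attrs, groups))
            continue
        diff = {a: (current.get(a), v) for a, v in attrs.items() if current.get(a) != v}
        if diff:
            actions.append(("modify", dn, diff))
        for group in groups:
            if dn not in ad_groups.get(group, set()):
                actions.append(("entitlement_add", dn, group))
    # Orphaned accounts (no HRIS record) are deleted unless marked.
    for dn in ad_accounts:
        if dn not in managed and dn not in do_not_touch:
            actions.append(("delete", dn))
    return actions


def summarize(actions):
    """Counts in the shape of the simulation result: objects touched, entitlement changes."""
    objects = {a[1] for a in actions if a[0] in ("add", "modify", "delete")}
    entitlements = sum(1 for a in actions if a[0] == "entitlement_add")
    return {"resource_objects": len(objects), "entitlement_changes": entitlements}


if __name__ == "__main__":
    planned = reconcile(HRIS, AD_ACCOUNTS, AD_GROUPS)
    for action in planned:
        print(action)
    print(summarize(planned))
```

Run as is, the script plans one add (Alexander Freeman), one modify (Alice's givenName and l) and one entitlement change (Alice back into all-users), i.e. the two affected resource objects and one entitlement change the simulation result shows. Passing Alice's DN in do_not_touch leaves only the add, which is the blind spot the mark creates.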

5. Put the disaster recovery setup into production

You have verified that your configuration acts exactly as it should: it rectifies illegally edited attributes, recreates wrongfully deleted accounts, and places users back into the groups of which they are supposed to be members. With this confirmed, resume the recurring HRIS reconciliation task:

  1. Open the production HRIS reconciliation task for editing as you did when suspending it.

  2. Click Resume.

HRIS reconciliation task with the mouse pointer on the Resume button
Figure 4. Resume the recurring HRIS reconciliation task

Next steps

You now know that your midPoint setup handles unauthorized changes on the target system well. It puts everything back in line automatically with every run of the HRIS reconciliation task.

With the possible damage done by a careless or malicious AD administrator mitigated, it is now time to verify that changes made to existing users in the source HR information system propagate correctly into the target AD system. This may sound similar to what you have already confirmed, namely that users created in the HRIS get into the AD system fine, but you have yet to confirm that the same happens for changes to existing users.
