Import usernames from LDAP

Last modified 04 Nov 2025 20:57 +01:00

When setting up the HR resource, you used employee numbers (empnum) for account names in midPoint because the HR system does not have any better unique identifier.

Now, however, the LDAP resource is connected, which gives midPoint access to the much more human-friendly usernames stored in the LDAP system. This is a good time to adjust the HR and LDAP resource mappings so that the focal objects owning the accounts are named using the LDAP usernames.

Here’s the outline of what you’re going to do to achieve that:

  1. Adjust source and target resource mappings to enable importing usernames from LDAP.

    1. In the HRIS resource, set the empnum-to-name inbound mapping strength to weak.

    2. Create a new inbound mapping for name in the LDAP resource with an appropriate source attribute containing the usernames.

  2. Run a simulated reconciliation task to validate the new setup.

  3. Reconcile the accounts in production to rename midPoint users.

1. Adjust the mappings to prepare for username import from LDAP

To use the LDAP usernames as the primary identifier for users in midPoint, you need to adjust mappings for both the source (which is HRIS here) and target (LDAP) resources.

1.1. Make the old HRIS name mapping weak

Firstly, adjust the strength of the HR resource name mapping so that it does not overwrite non-empty values. Refer to Mappings for details on mapping strength options.

  1. In your HR resource, open inbound mapping settings.

  2. Locate the mapping populating the name attribute with the value of the source empnum attribute.
    In this guide, it is called empnum-to-name.

  3. In advanced settings of the mapping, change its strength to weak.

1.2. Add new mapping to LDAP for usernames

Secondly, add a new inbound mapping for the name attribute in the LDAP resource. Leave this mapping set as strong so that it can overwrite existing values. This is the default and it is useful when a user’s username changes, for instance.

  1. Look into your LDAP data and locate the name of the attribute that holds usernames. They have to be unique across all accounts.
    In the sample data used in this guide, the name of the attribute is uid.

  2. In your LDAP resource, open inbound mapping settings.

  3. Add a new mapping according to the table below.
    Adjust the mapping name and the source attribute name according to your data.

Table 1. Strong inbound mapping to copy uid parameter with usernames to name parameter

  Name:             inbound-uid-username-to-name
  Source:           uid
  Expression:       As is
  Target:           name
  Lifecycle state:  Proposed
  Comments:         Keep the mapping Strength set to Strong and the Use for option to Undefined.

Figure 1. LDAP resource inbound mappings, the last one being the one for importing usernames
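As an added example (not part of this guide, which configures the mappings through the GUI), here are the same two mappings expressed in midPoint's resource XML. It assumes the account object type kind account / intent default and the resource attribute names ri:empnum and ri:uid used in this guide; the element names follow midPoint's schemaHandling schema, so check the lifecycleState element and element ordering against the schema of your midPoint version.

```xml
<!-- HR resource: empnum-to-name inbound mapping, now weak so it only
     fills name when the user has no name yet -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>default</intent> <!-- assumed object type -->
      <attribute>
        <ref>ri:empnum</ref>
        <inbound>
          <name>empnum-to-name</name>
          <strength>weak</strength>
          <target>
            <path>name</path>
          </target>
        </inbound>
      </attribute>
    </objectType>
  </schemaHandling>
</resource>

<!-- LDAP resource: new strong inbound mapping uid -> name, created as
     proposed so that only simulation tasks evaluate it; set it to
     active before the production reconciliation -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>default</intent> <!-- assumed object type -->
      <attribute>
        <ref>ri:uid</ref>
        <inbound>
          <name>inbound-uid-username-to-name</name>
          <lifecycleState>proposed</lifecycleState>
          <strength>strong</strength>
          <expression>
            <asIs/> <!-- "As is": copy the value unchanged (the default) -->
          </expression>
          <target>
            <path>name</path>
          </target>
        </inbound>
      </attribute>
    </objectType>
  </schemaHandling>
</resource>
```

With the HR mapping weak and the LDAP mapping strong, a user whose LDAP uid changes is renamed on the next LDAP reconciliation, while the HR empnum no longer overwrites the name.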

2. Test the configuration update

Before you take the leap, test the new configuration using a simulated import.

To check the behavior of your new configuration, use reconciliation tasks. Since you have already reconciled the LDAP accounts earlier in this guide, you now have both simulation and production reconciliation tasks defined and available for reuse.

Make sure you are running the reconciliation tasks on the LDAP resource. In this guide, LDAP is, in general, a target resource, but it acts as a source resource for the usernames.

When you view the results of the simulation, you should see the focus renamed note.

Figure 2. A single user import preview result showing that the username would be imported successfully and the focus object would be renamed

3. Rename users to LDAP usernames on production

Once you confirm the simulation yields expected results, run the real production reconciliation task which you used to reconcile the LDAP accounts in Reconcile the LDAP accounts.

  1. In LDAP mappings, change the lifecycle state for the inbound-uid-username-to-name mapping from Proposed to Active.

  2. Use the reconciliation task with the Production configuration (equivalent to Undefined) and leave the execution mode empty.

Table 2. List of midPoint users before and after the import of usernames from LDAP. Notice that their primary identifier (name) has changed to their respective LDAP usernames.

  Before: screenshot of the user list before the rename
  After:  screenshot of the user list after the rename

What is next

No incorrect data in your target LDAP system has been fixed yet, because you have yet to configure the LDAP resource outbound operations. So far, you’ve correlated (as in connected) the identities across your source and target systems. That’s not the end of the story, though: you’ll see how to automatically remove unwanted accounts and fix incorrect data in further modules.

Proceed to the next module: Delete orphaned LDAP accounts
