Rectify unauthorized changes on target resource

Last modified 21 Nov 2025 21:14 +01:00
Table of Contents

In this module, you will test how your midPoint configuration enforces data consistency across resources. You have already seen how midPoint detects orphaned accounts and deletes them unless explicitly told otherwise. However, what about unauthorized changes to legitimate accounts made on directly on the target LDAP resource?

What awaits you in this module

You will make several "mistakes" or "malicious attacks" on the target LDAP system, and then observe how midPoint fixes the data inconsistencies you will have introduced:

  1. Pause the recurring HRIS reconciliation task to so that it does not fix all the issues immediately without you knowing what exactly happened.

  2. "Make a mistake" and delete an account on the LDAP server.

  3. "Malevolently" edit a few account attributes on the LDAP server, as well as remove someone from the all-users group.

  4. Simulate production reconciliation to confirm midPoint reverts your edits according to your configuration rules.

  5. Resume the HRIS reconciliation task to make your verified disaster recovery setup automated again.

1. Put automatic HRIS reconciliation on hold

In order to observe midPoint behavior in detail, you need to stop the recurring HRIS reconciliation task that automatically synchronizes HRIS accounts with the rest of your IGA ecosystem (midPoint and LDAP).

  1. In the HRIS resource, go to Defined Tasks and click the production HRIS reconciliation task to open it for editing.

    • You can easily identify the task by the Execution state—it should be the only one in the Runnable state.

  2. In the top task bar, under Task operations, click the red Suspend button.

With the task suspended, new or changed accounts on HRIS cannot be picked up and provisioned automatically, and changes performed directly on the target LDAP resource cannot be overwritten with correct HRIS data.

HRIS reconciliation task with the mouse pointer on the Suspend button
Figure 1. Suspend the recurring reconciliation task on the HRIS resource before you start testing your configuration

2. Delete an account directly on the target system

Now, make the first of a series of "mistakes": Delete one account directly on the LDAP system. Such an action is certainly possible, as an LDAP administrator may, in error or not, delete an account managed by midPoint.

  1. Navigate to the LDAP user interface.

  2. In the left-side navigation, expand c=example,dc=com.

  3. Expand ou=users.

  4. Pick whichever user you like, e.g., cn=Alexander Freeman, and click the item to edit the entry.

  5. In the toolbar at the top, click Delete this entry to delete the user.

  6. Click Delete on the confirmation screen.

LDAP UI with user details opened and mouse pointer on the delete user button.
Figure 2. Delete an arbitrary user directly on the LDAP to test midPoint provisioning configuration

3. Change account data directly on the target system

The next step is to edit some user’s data directly on the target LDAP resource. This action is fairly realistic as well, for an LDAP admin may make a mistake or even go wrong and start making malevolent changes for whatever reason. Your goal is to test the resiliency of your setup against such actions.

  1. In the LDAP user interface, open a whichever user for editing, e.g., cn=Alice Baker.

  2. Change some attributes of hers. For example:

    • l (locality) to Black Ash City

    • givenName to Rabbit

  3. Click Update Object.

Next, remove the user (or any other user) from the all-users group:

  1. Under c=example,dc=com, expand ou=groups.

  2. Click cn=all-users to open the group for editing.

  3. Scroll down and click modify group members beneath the group member list.

  4. Select the user you want to remove from the group

  5. Click <<< Remove selected.

  6. Click Save changes.

  7. The confirmation screen that appears highlights the removed member. Click Update Object to confirm the change.

ldap remove user from group in ldap ui

Now, this is enough sabotage activities, let us see what midPoint does about the situation.

4. Run simulated reclassification to observe data rectification

To get the opportunity to observe how midPoint deals with the new discrepancies on the target system, run simulated production reconciliation on the HRIS resource first. The simulation needs to use the production configuration because all your settings are in the Active lifecycle state.

If you do not yet have a task to simulate on production, create one:

  • Refer to Create and Run Tasks in GUI for a guide on working with tasks.

    1. Select Reconciliation Task type.

    2. Set the Simulate task toggle to ON.

    3. Name the task, e.g., HRIS reconciliation - production simulation

    4. Keep kind and intent at their default (Account, default).

    5. On the Execution screen, set Mode to Preview and Configuration to Production.

    6. Keep the rest at default and Save & Run the task.

After it finishes, click Show simulation result to observe the outcome.

  • You should see that one projection entitlement has changed—that means Alice Baker getting back her membership in the all-users group.

  • There should be two resource objects affected—Alice Baker getting the changed attributes corrected, and Alexander Freeman getting his account on LDAP back.

Simulated production reconciliation of the HRIS resource fixed all unauthorized changes made directly on the LDAP server
Figure 3. Simulated production reconciliation of the HRIS resource fixed all unauthorized changes made directly on the LDAP server

Obviously, the numbers may differ if you made changes that deviated from the examples in this module. Nevertheless, the end result should be the same: All accounts impacted by unauthorized changes made directly on the target LDAP server should have their data corrected based on the HRIS resource data, mappings, and other applicable rules.

5. Put the disaster recovery plan to production

You have verified your configuration acts exactly as it should: It rectifies incorrectly edited attributes, recreates wrongfully deleted accounts, and places users back to groups of which they are supposed to be members. With this confirmed, resume the recurring HRIS reconciliation task.

HRIS reconciliation task with the mouse pointer on the Resume button
Figure 4. HRIS reconciliation task with the mouse pointer on the Resume button

Next steps

You now know that your midPoint setup handles well unauthorized changes on the target system, and puts everything into order automatically with every run of the HRIS reconciliation task. With possible damage done by deranged or simply tired LDAP administrator mitigated, it is now time to verify that changes done on existing users in the source HR information system propagate well into the target LDAP system. This may sound similar to what you have already confirmed—that is, you can create new users in the HRIS and they get into the LDAP system fine—but you have yet to confirm the same happens for changes on existing users.

Was this page helpful?
YES NO
Thanks for your feedback