<div dir="ltr">Hi Ivan<div><br></div><div>I could not find the shadow in midPoint's repository page (XML). I think this is probably the problem: midPoint did not store the shadow somehow.</div><div><br></div><div>No attribute of this resource depends on user/role attributes; the user is going to enter the value.</div><div><br></div><div>Thanks</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 5, 2015 at 3:53 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi Dharmendra,<br>
<br>
so far I can't see any reason for it not working, especially if it
works in LDAP.<br>
<br>
Can you please check this:<br>
<br>
- open your user in midPoint's repository pages (XML)<br>
- check the oid of the Shadow in linkRef<br>
- open the shadow in midPoint's repository pages (XML)<br>
- check the attributes attributes/icfs:name and attributes/icfs:uid
- they should be at the bottom of the object. Are these OK?<br>
<br>
midPoint seems to be unable to find the object - as this is AD, it
should be located by the GUID (icfs:uid).<br>
I have a strange feeling that this is related to string case.<br>
<br>
BTW. I don't see any outbounds to generate icfs:name for that group;
is this done in the role(s)? Does the name somehow depend on user
attributes?<br>
<br>
Regards,<br>
Ivan<div><div class="h5"><br>
<br>
<div>On 03/05/2015 10:38 AM, Dharmendra
Parakh wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>Thanks for all the information.</div>
<div><br>
</div>
<div>My requirement is just to create an AD group on the target
and at this point I do not want to assign this group to any
user. So basically we want to use this resource for group
creation purposes only.</div>
<div><br>
</div>
<div>I am well aware of the way you have described for group
creation as entitlement (I have tried that and it works) but
we want to avoid the multiple steps involved in entitlement
creation and also we want to create this under a user/role as
an assignment/account only because group management becomes
easy for us this way. As I have mentioned we are doing the
same in case of LDAP resource and that is working for us. I
cannot think of any reason why midPoint will behave
differently for AD and LDAP.</div>
<div><br>
</div>
<div>AFAIK for the connector a group is just an object class like
account so I think it should work logically. I think I am
missing something or I have some issue in the resource. I would
appreciate any help on this.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Mar 5, 2015 at 2:39 PM, Ivan
Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Dharmendra,<br>
<br>
I'm not sure if I understand what you are trying to achieve.<br>
<br>
Do you want to create an AD group for a given user in midPoint?
Or do you want to create the group through midPoint and
then assign it to a user?<br>
<br>
I would definitely not change the default object class for
"account" to CustomGroupObjectClass. Just use kinds and
intents in schema handling.<br>
<br>
In my project I have the following setup: I want to create
users in midPoint, accounts for them in AD. I also want to
create groups (and other objects) in AD that belong to
organizations in midPoint (part of org. structure
replication). And I also want to put AD accounts to these
groups. The simplified example follows:<br>
<br>
1. in resource, I define new kind=entitlement and
intent=group-municipality, e.g.:<br>
<pre><objectType>
  <kind><b>entitlement</b></kind>
  <intent><b>group-municipality</b></intent>
  <displayName>Municipality groups</displayName>
  <default>true</default>
  <objectClass>ri:<b>CustomGroupObjectClass</b></objectClass>
  <attribute>
  . . .
</pre>
<br>
This means that I'm able to reference groups of this
"type" (I have several different types of groups) as
kind=entitlement and intent=group-municipality.<br>
<br>
2. in resource, I define association for <b>accounts</b>
with this kind of groups:<br>
<pre><objectType>
  <kind><b>account</b></kind>
  <intent><b>default</b></intent>
  <displayName>Default Account - Municipality users</displayName>
  <default>true</default>
  <objectClass>ri:<b>AccountObjectClass</b></objectClass>
  . . .
  <association>
    <ref>ri:adGroups</ref>
    <tolerant>true</tolerant>
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <kind><b>entitlement</b></kind>
    <intent><b>group-municipality</b></intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>icfs:name</valueAttribute>
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
  </association>
</objectType>
</pre>
<br>
This means midPoint is able to associate AD accounts with
this type of groups and will show the "Association" part
in GUI when editing user - list of groups for that
account.<br>
<br>
3. to <b>assign AD account to any existing AD group</b>
(EmailAllUsers in this example), I have a role in
midPoint:<br>
<br>
<pre><role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="b4b5059a-5cdc-4a2c-a184-bb6e0c67e064">
  <name>E-Mail</name>
  <inducement>
    <construction>
      <!-- The c: prefix in type must be there due to a JAXB bug -->
      <resourceRef oid="00000000-0000-0000-0001-100000000002" type="c:ResourceType"/>
      <association>
        <ref>ri:adGroups</ref>
        <outbound>
          <strength>strong</strength>
          <expression>
            <associationTargetSearch>
              <filter>
                <q:equal>
                  <q:path>
                    declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
                    declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
                    attributes/ri:samAccountName
                  </q:path>
                  <expression>
                    <script>
                      <code>
                        return '<b>EmailAllUsers</b>' <!-- group's sAMAccountName in AD -->
                      </code>
                    </script>
                  </expression>
                </q:equal>
              </filter>
              <searchOnResource>true</searchOnResource>
            </associationTargetSearch>
          </expression>
        </outbound>
      </association>
    </construction>
  </inducement>
</role>
</pre>
<br>
If this role is assigned to a user in midPoint, it will
create an AD account (if it does not exist yet), search
for a group named "EmailAllUsers" (by sAMAccountName)
and add the user to that group if such a group
exists.<br>
<br>
4. if you want to <b>create groups</b> in AD from
midPoint, they must be regarded as a projection of either
User, Organization or Role in midPoint. In my scenario,
for some Organization I create the type of groups I
referred to above by assigning a role to an <b>organization</b>,
e.g.:<br>
<br>
<pre><role oid="00000000-0000-0000-0004-000000000010"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
  <name>Meta-role for organizational structure replication to AD</name>
  <inducement>
    <construction>
      <!-- AD resource -->
      <resourceRef oid="00000000-0000-0000-0001-100000000002" type="c:ResourceType"/>
      <b><kind>entitlement</kind></b>
      <b><intent>group-municipality</intent></b>
    </construction>
  </inducement>
  ...
</role>
</pre>
<br>
This means that midPoint will create a group of that type
for the organization in midPoint. Of course, in
schemaHandling for AD resource, in the kind=entitlement
and intent=group-municipality part, you have to define
proper outbound mappings (icfs:name = DN; sAMAccountName
and possibly other attributes) to actually create the
group.<br>
<br>
And that's all, so simple.<br>
<br>
Some examples can also be seen in our OrgSync scenario
wiki page: <a href="https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test" target="_blank">https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test</a>
(it is a different scenario from the one I've described in my example,
but it's very usable for understanding the concept).<br>
<br>
Hope this helps.<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On 03/05/2015 09:44 AM, Dharmendra Parakh wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi
<div><br>
</div>
<div>I have been playing around with the AD Connector
and I am facing an issue where I was trying to
create an AD group using the AD Connector.</div>
<div><br>
</div>
<div>I have a resource configured where the
default object class is my AD Group object class
and kind is set to account.</div>
<div>When I try to create the group by creating an
account of this resource I see the<b> group is
created on Active Directory</b> but the same does
not show up in the midPoint UI under the User's
accounts panel.<br>
</div>
<div><br>
</div>
<div>I can see the linkRef in the user's XML but it is
not getting loaded in the UI and also when I open
the user XML I see an error: </div>
<div><br>
</div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div>
<div><font color="#000000" size="1">[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],
objectclass={.../resource/instance-3}CustomGroupObjectClass:
Object identified by
[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]
was not found by
connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
v1.4.1.20257 @ConnectorServer27:22:8759)</font></div>
</div>
<div>
<div><font color="#000000" size="1">com.evolveum.midpoint.util.exception.ObjectNotFoundException:
Object not found.
identifiers=[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],
objectclass={.../resource/instance-3}CustomGroupObjectClass:
Object identified by
[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]
was not found by
connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
v1.4.1.20257 @ConnectorServer27:22:8759)</font></div>
</div>
<div>
<div><font color="#000000" size="1"><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.consistency.impl.ObjectNotFoundHandler.handleError(ObjectNotFoundHandler.java:268)
~[provisioning-impl-3.2-SNAPSHOT.jar:na]</font></div>
</div>
<div>
<div><font color="#000000" size="1"><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.impl.ShadowCache.handleError(ShadowCache.java:683)
~[provisioning-impl-3.2-SNAPSHOT.jar:na]</font></div>
</div>
</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>We have a similar setup for LDAP group
provisioning and that works very well.</div>
<div><br>
</div>
<div>I have attached my resource XML with the
email, please have a look and let me know if I
am doing anything wrong here.</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards</div>
<div>Dharmendra</div>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
midPoint-dev mailing list
<a href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><span><font color="#888888">
</font></span></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
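A small check for the configuration pattern Ivan describes in the thread, written as an added example that is not part of the thread or of midPoint itself: it parses a resource's schemaHandling and flags a group object class handled as kind=account (the questioner's setup), an association whose target kind/intent is not defined, and an association without a matchingRule. The schemaHandling layout, the sample resource and the group class names in GROUP_CLASSES are assumptions (ri:CustomGroupObjectClass comes from the thread).

```python
# Added example, not midPoint's own code: lint a resource's schemaHandling for the
# pattern discussed in the thread: a group object class handled as kind=account,
# an association whose target kind/intent is not defined, and an association
# without a matchingRule. Layout and GROUP_CLASSES names are assumptions.
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": C}
GROUP_CLASSES = {"ri:CustomGroupObjectClass", "ri:GroupObjectClass"}  # second name assumed

# Constructed sample: the questioner's setup (group class as the default account
# type) next to an account type whose association points at an undefined type.
SAMPLE_RESOURCE = f"""<resource xmlns="{C}">
  <schemaHandling>
    <objectType>
      <kind>account</kind><intent>default</intent><default>true</default>
      <objectClass>ri:CustomGroupObjectClass</objectClass>
    </objectType>
    <objectType>
      <kind>account</kind><intent>users</intent>
      <objectClass>ri:AccountObjectClass</objectClass>
      <association>
        <ref>ri:adGroups</ref>
        <kind>entitlement</kind><intent>group-municipality</intent>
      </association>
    </objectType>
  </schemaHandling>
</resource>"""

def _text(el, path):
    node = el.find(path, NS)
    return node.text.strip() if node is not None and node.text else None

def lint_schema_handling(xml_text):
    # Returns a list of findings; an empty list means all checks passed.
    types = ET.fromstring(xml_text).findall("c:schemaHandling/c:objectType", NS)
    defined = {(_text(t, "c:kind"), _text(t, "c:intent")) for t in types}
    findings = []
    for t in types:
        kind, intent = _text(t, "c:kind"), _text(t, "c:intent")
        oc = _text(t, "c:objectClass")
        if oc in GROUP_CLASSES and kind != "entitlement":
            findings.append(f"{kind}/{intent}: group class {oc} handled as kind={kind}; use kind=entitlement")
        for a in t.findall("c:association", NS):
            ref, target = _text(a, "c:ref"), (_text(a, "c:kind"), _text(a, "c:intent"))
            if target not in defined:
                findings.append(f"{kind}/{intent}: association {ref} targets undefined {target[0]}/{target[1]}")
            if _text(a, "c:matchingRule") is None:
                findings.append(f"{kind}/{intent}: association {ref} has no matchingRule (AD names are case-insensitive)")
    return findings
```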