<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Dharmendra,<br>
<br>
I'm not sure if I understand what you are trying to achieve.<br>
<br>
Do you want to create an AD group for a given user in midPoint? Or do you
want to create the group through midPoint and then assign it to a user?<br>
<br>
I would definitely not change the default object class for "account"
to CustomGroupObjectClass. Just use kinds and intents in schema
handling.<br>
<br>
In my project I have the following setup: I want to create users in
midPoint and accounts for them in AD. I also want to create groups (and
other objects) in AD that belong to organizations in midPoint (part
of org. structure replication). And I also want to put AD accounts
into these groups. A simplified example follows:<br>
<br>
1. In the resource, I define a new kind=entitlement and
intent=group-municipality, e.g.:<br>
<pre>
&lt;objectType&gt;
    &lt;kind&gt;<b>entitlement</b>&lt;/kind&gt;
    &lt;intent&gt;<b>group-municipality</b>&lt;/intent&gt;
    &lt;displayName&gt;Municipality groups&lt;/displayName&gt;
    &lt;default&gt;true&lt;/default&gt;
    &lt;objectClass&gt;ri:<b>CustomGroupObjectClass</b>&lt;/objectClass&gt;
    &lt;attribute&gt;
    . . .
</pre>
<br>
This means that I'm able to reference groups of this "type" (I have
several different types of groups) as kind=entitlement and
intent=group-municipality.<br>
<br>
2. In the resource, I define an association for <b>accounts</b> with this
kind of group:<br>
<pre>
&lt;objectType&gt;
    &lt;kind&gt;<b>account</b>&lt;/kind&gt;
    &lt;intent&gt;<b>default</b>&lt;/intent&gt;
    &lt;displayName&gt;Default Account - Municipality users&lt;/displayName&gt;
    &lt;default&gt;true&lt;/default&gt;
    &lt;objectClass&gt;ri:<b>AccountObjectClass</b>&lt;/objectClass&gt;
    . . .
    &lt;association&gt;
        &lt;ref&gt;ri:adGroups&lt;/ref&gt;
        &lt;tolerant&gt;true&lt;/tolerant&gt;
        &lt;matchingRule&gt;mr:stringIgnoreCase&lt;/matchingRule&gt;
        &lt;kind&gt;<b>entitlement</b>&lt;/kind&gt;
        &lt;intent&gt;<b>group-municipality</b>&lt;/intent&gt;
        &lt;direction&gt;objectToSubject&lt;/direction&gt;
        &lt;associationAttribute&gt;ri:member&lt;/associationAttribute&gt;
        &lt;valueAttribute&gt;icfs:name&lt;/valueAttribute&gt;
        &lt;explicitReferentialIntegrity&gt;false&lt;/explicitReferentialIntegrity&gt;
    &lt;/association&gt;
&lt;/objectType&gt;
</pre>
<br>
This means midPoint is able to associate AD accounts with this type
of group and will show the "Association" part in the GUI when editing a
user - the list of groups for that account.<br>
<br>
3. To <b>assign an AD account to any existing AD group</b>
(EmailAllUsers in this example), I have a role in midPoint:<br>
<br>
<pre>
&lt;role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="b4b5059a-5cdc-4a2c-a184-bb6e0c67e064"&gt;
    &lt;name&gt;E-Mail&lt;/name&gt;
    &lt;inducement&gt;
        &lt;construction&gt;
            &lt;!-- The c: prefix in type must be there due to a JAXB bug --&gt;
            &lt;resourceRef oid="00000000-0000-0000-0001-100000000002" type="c:ResourceType"/&gt;
            &lt;association&gt;
                &lt;ref&gt;ri:adGroups&lt;/ref&gt;
                &lt;outbound&gt;
                    &lt;strength&gt;strong&lt;/strength&gt;
                    &lt;expression&gt;
                        &lt;associationTargetSearch&gt;
                            &lt;filter&gt;
                                &lt;q:equal&gt;
                                    &lt;q:path&gt;
                                        declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
                                        declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
                                        attributes/ri:samAccountName
                                    &lt;/q:path&gt;
                                    &lt;expression&gt;
                                        &lt;script&gt;
                                            &lt;code&gt;
                                                return '<b>EmailAllUsers</b>' &lt;!-- group's sAMAccountName in AD --&gt;
                                            &lt;/code&gt;
                                        &lt;/script&gt;
                                    &lt;/expression&gt;
                                &lt;/q:equal&gt;
                            &lt;/filter&gt;
                            &lt;searchOnResource&gt;true&lt;/searchOnResource&gt;
                        &lt;/associationTargetSearch&gt;
                    &lt;/expression&gt;
                &lt;/outbound&gt;
            &lt;/association&gt;
        &lt;/construction&gt;
    &lt;/inducement&gt;
&lt;/role&gt;
</pre>
<br>
If this role is assigned to a user in midPoint, it will create an AD
account (if it does not exist yet), search for a group named
"EmailAllUsers" (by sAMAccountName) and add the user to that group if
such a group exists.<br>
<br>
4. If you want to <b>create groups</b> in AD from midPoint, they
must be regarded as a projection of either a User, Organization or
Role in midPoint. In my scenario, for some Organization I create the
type of groups I referred to above by assigning a role to an <b>organization</b>,
e.g.:<br>
<br>
<pre>
&lt;role oid="00000000-0000-0000-0004-000000000010"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"&gt;
    &lt;name&gt;Meta-role for organizational structure replication to AD&lt;/name&gt;
    &lt;inducement&gt;
        &lt;construction&gt;
            &lt;!-- AD resource --&gt;
            &lt;resourceRef oid="00000000-0000-0000-0001-100000000002" type="c:ResourceType"/&gt;
            <b>&lt;kind&gt;entitlement&lt;/kind&gt;</b>
            <b>&lt;intent&gt;group-municipality&lt;/intent&gt;</b>
        &lt;/construction&gt;
    &lt;/inducement&gt;
    ...
&lt;/role&gt;
</pre>
<br>
This means that midPoint will create a group of that type for the
organization in midPoint. Of course, in schemaHandling for the AD
resource, in the kind=entitlement and intent=group-municipality
part, you have to define proper outbound mappings (icfs:name = DN;
sAMAccountName and possibly other attributes) to actually create the
group.<br>
<br>
And that's all, so simple.<br>
<br>
Some examples can also be seen on our OrgSync scenario wiki page:
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test">https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test</a> (it is
a different scenario from the one I've described in my example, but it's very
useful for understanding the concept).<br>
<br>
Hope this helps.<br>
Regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 03/05/2015 09:44 AM, Dharmendra
Parakh wrote:<br>
</div>
<blockquote
cite="mid:CAJG9dDsai+E6UEigkWFxmmk9oRC2jVXX1HY2qtK=D=_aH49G+g@mail.gmail.com"
type="cite">
<div dir="ltr">Hi
<div><br>
</div>
<div>I have been playing around with the AD Connector and I am
facing an issue where I was trying to create an AD group using
the AD Connector.</div>
<div><br>
</div>
<div>I have a resource configured where the default object class
is my AD Group object class and kind is set to account.</div>
<div>When I try to create the group by creating an account of
this resource I see the<b> group is created on Active
Directory</b> but the same does not show up in the midPoint UI
under the User's accounts panel.<br>
</div>
<div><br>
</div>
<div>I can see the linkRef in the user's xml but it is not getting
loaded in the UI and also when I open the user xml I see an
error: </div>
<div><br>
</div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div>
<div><font color="#000000" size="1">[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:&lt;guid=b611c389eb74224ba3cae9b9738ba1a6&gt;)]],
objectclass={.../resource/instance-3}CustomGroupObjectClass:
Object identified by
[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:&lt;guid=b611c389eb74224ba3cae9b9738ba1a6&gt;)]]
was not found by
connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
v1.4.1.20257 @ConnectorServer27:22:8759)</font></div>
</div>
<div>
<div><font color="#000000" size="1">com.evolveum.midpoint.util.exception.ObjectNotFoundException:
Object not found.
identifiers=[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:&lt;guid=b611c389eb74224ba3cae9b9738ba1a6&gt;)]],
objectclass={.../resource/instance-3}CustomGroupObjectClass:
Object identified by
[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:&lt;guid=b611c389eb74224ba3cae9b9738ba1a6&gt;)]]
was not found by
connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
v1.4.1.20257 @ConnectorServer27:22:8759)</font></div>
</div>
<div>
<div><font color="#000000" size="1"><span class=""
style="white-space:pre"> </span>at
com.evolveum.midpoint.provisioning.consistency.impl.ObjectNotFoundHandler.handleError(ObjectNotFoundHandler.java:268)
~[provisioning-impl-3.2-SNAPSHOT.jar:na]</font></div>
</div>
<div>
<div><font color="#000000" size="1"><span class=""
style="white-space:pre"> </span>at
com.evolveum.midpoint.provisioning.impl.ShadowCache.handleError(ShadowCache.java:683)
~[provisioning-impl-3.2-SNAPSHOT.jar:na]</font></div>
</div>
</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>We have a similar setup for LDAP group provisioning and that
works very well.</div>
<div><br>
</div>
<div>I have attached my resource xml to the email, please have
a look and let me know if I am doing anything wrong here.</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards</div>
<div>Dharmendra</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
midPoint-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint-dev@lists.evolveum.com">midPoint-dev@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
</pre>
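<p>As an added example (not from this thread and not midPoint's own code), a small Python check for the two configuration mistakes discussed above: a kind=account objectType bound to a group object class, and an association whose kind/intent has no matching objectType in schemaHandling. The resource XML is a constructed sample built from the element names in the reply; the assumption that an omitted kind/intent means midPoint's defaults of account/default is labelled in the code.</p>

```python
import xml.etree.ElementTree as ET

# midPoint common-3 namespace; the schemaHandling elements live in it.
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed sample resource: one correct entitlement type, one account type wrongly
# bound to the group object class, and one association whose target is never defined.
SAMPLE = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <schemaHandling>
    <objectType>
      <kind>account</kind><intent>default</intent><objectClass>ri:AccountObjectClass</objectClass>
      <association><ref>ri:adGroups</ref><kind>entitlement</kind><intent>group-municipality</intent></association>
      <association><ref>ri:adGroups</ref><kind>entitlement</kind><intent>group-department</intent></association>
    </objectType>
    <objectType>
      <kind>account</kind><intent>groups-as-accounts</intent><objectClass>ri:CustomGroupObjectClass</objectClass>
    </objectType>
    <objectType>
      <kind>entitlement</kind><intent>group-municipality</intent><objectClass>ri:CustomGroupObjectClass</objectClass>
    </objectType>
  </schemaHandling>
</resource>"""

def kind_intent(elem):
    # Assumption: an omitted kind/intent means midPoint's defaults account/default.
    return (elem.findtext("c:kind", "account", NS),
            elem.findtext("c:intent", "default", NS))

def lint_schema_handling(xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    types = ET.fromstring(xml_text).findall("c:schemaHandling/c:objectType", NS)
    defined = {kind_intent(t) for t in types}
    findings = []
    for t in types:
        kind, intent = kind_intent(t)
        oc = t.findtext("c:objectClass", "", NS)
        # Check 1: a group object class under kind=account (the setup in the question)
        # is never offered as a group in the GUI; model it as kind=entitlement instead.
        if kind == "account" and "group" in oc.lower():
            findings.append(f"{kind}/{intent}: {oc} is a group class, use kind=entitlement")
        # Check 2: each association must target a defined objectType, otherwise
        # midPoint has nothing to resolve the group shadows against.
        for a in t.findall("c:association", NS):
            target = kind_intent(a)
            if target not in defined:
                ref = a.findtext("c:ref", "?", NS)
                findings.append(f"{kind}/{intent}: association {ref} targets undefined "
                                f"{target[0]}/{target[1]}")
    return findings
```

Running lint_schema_handling(SAMPLE) reports the undefined entitlement/group-department target and the account type bound to CustomGroupObjectClass; a resource that follows the kind/intent layout in the reply yields an empty list.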
</body>
</html>