<div dir="ltr">Hi Ivan<div><br></div><div>Thanks for all the information.</div><div><br></div><div>My requirement is just to create an AD group on the target and at this point I do not want to assign this group to any user. So basically we want to use this resource for group creation purposes only.</div><div><br></div><div>I am well aware of the way you have described for group creation as entitlement (I have tried that and it works) but we want to avoid the multiple steps involved in entitlement creation and also we want to create this under a user/role as an assignment/account only because group management becomes easy for us this way. As I have mentioned, we are doing the same in the case of the LDAP resource and that is working for us. I cannot think of any reason why midPoint will behave differently for AD and LDAP.</div><div><br></div><div>AFAIK for the connector a group is just an object class like account, so I think it should work logically. I think I am missing something or I have some issue in the resource. I will appreciate any help on this.</div><div><br></div><div><br></div><div>Thanks!</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 5, 2015 at 2:39 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi Dharmendra,<br>
<br>
I'm not sure if I understand what you try to achieve.<br>
<br>
Do you want to create AD group for given user in midPoint? Or do you
want to create the group through midPoint and then assign to user?<br>
<br>
I would definitely not change the default object class for "account"
to CustomGroupObjectClass. Just use kinds and intents in schema
handling.<br>
<br>
In my project I have the following setup: I want to create users in
midPoint, and accounts for them in AD. I also want to create groups (and
other objects) in AD that belong to organizations in midPoint (part
of org. structure replication). And I also want to put AD accounts
into these groups. The simplified example follows:<br>
<br>
1. in the resource, I define a new kind=entitlement and
intent=group-municipality, e.g.:<br>
<objectType><br>
<kind><b>entitlement</b></kind><br>
<intent><b>group-municipality</b></intent><br>
<displayName>Municipality
groups</displayName><br>
<default>true</default><br>
<objectClass>ri:<b>CustomGroupObjectClass</b></objectClass><br>
<attribute><br>
. . .<br>
<br>
This means that I'm able to reference groups of this "type" (I have
several different types of groups) as kind=entitlement and
intent=group-municipality.<br>
<br>
2. in the resource, I define an association for <b>accounts</b> with this
kind of groups:<br>
<objectType><br>
<kind><b>account</b></kind><br>
<intent><b>default</b></intent><br>
<displayName>Default Account -
Municipality users</displayName><br>
<default>true</default><br>
<objectClass>ri:<b>AccountObjectClass</b></objectClass><br>
. . .<br>
<association><br>
<ref>ri:adGroups</ref><br>
<tolerant>true</tolerant><br>
<matchingRule>mr:stringIgnoreCase</matchingRule><br>
<kind><b>entitlement</b></kind><br>
<intent><b>group-municipality</b></intent><br>
<direction>objectToSubject</direction><br>
<associationAttribute>ri:member</associationAttribute><br>
<valueAttribute>icfs:name</valueAttribute><br>
<explicitReferentialIntegrity>false</explicitReferentialIntegrity><br>
</association><br>
</objectType><br>
<br>
This means midPoint is able to associate AD accounts with this type
of groups and will show the "Association" part in GUI when editing
user - list of groups for that account.<br>
<br>
3. to <b>assign AD account to any existing AD group</b>
(EmailAllUsers in this example), I have a role in midPoint:<br>
<br>
<role
xmlns=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:c=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:icfs=<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</a><br>
xmlns:q=<a href="http://prism.evolveum.com/xml/ns/public/query-3" target="_blank">"http://prism.evolveum.com/xml/ns/public/query-3"</a><br>
xmlns:ri=<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a><br>
oid="b4b5059a-5cdc-4a2c-a184-bb6e0c67e064"><br>
<name>E-Mail</name><br>
<inducement><br>
<construction><br>
<!-- The c: prefix in type must be there due to a
JAXB bug --><br>
<resourceRef
oid="00000000-0000-0000-0001-100000000002"
type="c:ResourceType"/><br>
<association><br>
<ref>ri:adGroups</ref><br>
<outbound><br>
<strength>strong</strength><br>
<expression><br>
<associationTargetSearch><br>
<filter><br>
<q:equal><br>
<q:path><br>
declare namespace
icfs=<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</a>;<br>
declare namespace
ri=<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a>;<br>
attributes/ri:samAccountName<br>
</q:path><br>
<expression><br>
<script><br>
<code><br>
return '<b>EmailAllUsers</b>' <!-- group's sAMAccountName in AD
--><br>
</code><br>
</script><br>
</expression><br>
</q:equal><br>
</filter><br>
<searchOnResource>true</searchOnResource><br>
</associationTargetSearch><br>
</expression><br>
</outbound><br>
</association><br>
</construction><br>
</inducement><br>
</role><br>
<br>
If this role is assigned to a user in midPoint, it will create an AD
account (if it does not exist yet), search for a group named
"EmailAllUsers" (by sAMAccountName) and add the user to that group if
such a group exists.<br>
<br>
4. if you want to <b>create groups</b> in AD from midPoint, they
must be regarded as a projection of either User, Organization or
Role in midPoint. In my scenario, for some Organization I create the
type of groups I referred to above by assigning a role to an <b>organization</b>,
e.g.:<br>
<br>
<role oid="00000000-0000-0000-0004-000000000010"<br>
xmlns=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:c=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:t=<a href="http://prism.evolveum.com/xml/ns/public/types-3" target="_blank">"http://prism.evolveum.com/xml/ns/public/types-3"</a>><br>
<name>Meta-role for organizational structure replication
to AD</name><br>
<inducement><br>
<construction><br>
<!-- AD resource --><br>
<resourceRef
oid="00000000-0000-0000-0001-100000000002"
type="c:ResourceType"/><br>
<b><kind>entitlement</kind></b><br>
<b><intent>group-municipality</intent></b><br>
</construction><br>
</inducement><br>
...<br>
</role><br>
<br>
This means that midPoint will create a group of that type for the
organization in midPoint. Of course, in schemaHandling for AD
resource, in the kind=entitlement and intent=group-municipality
part, you have to define proper outbound mappings (icfs:name = DN;
sAMAccountName and possibly other attributes) to actually create the
group.<br>
<br>
And that's all, so simple.<br>
<br>
Some examples can also be seen in our OrgSync scenario wiki page:
<a href="https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test" target="_blank">https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test</a> (it is
a different scenario from the one I've described in my example, but it's very
usable for understanding the concept).<br>
<br>
Hope this helps.<br>
Regards,<br>
Ivan<div><div class="h5"><br>
<br>
<div>On 03/05/2015 09:44 AM, Dharmendra
Parakh wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">Hi
<div><br>
</div>
<div>I have been playing around with the AD Connector and I am
facing an issue where I was trying to create an AD group using
the AD Connector.</div>
<div><br>
</div>
<div>I have a resource configured where the default object class
is my AD Group object class and kind is set to account.</div>
<div>When I try to create the group by creating an account of
this resource I see the <b>group is created on Active
Directory</b> but the same does not show up in the midPoint UI
under the User's accounts panel.<br>
</div>
<div><br>
</div>
<div>I can see the linkRef in the user's XML but it is not getting
loaded in the UI and also when I open the user XML I see an
error: </div>
<div><br>
</div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div>
<div><font color="#000000" size="1">[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],
objectclass={.../resource/instance-3}CustomGroupObjectClass:
Object identified by
[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]
was not found by
connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
v1.4.1.20257 @ConnectorServer27:22:8759)</font></div>
</div>
<div>
<div><font color="#000000" size="1">com.evolveum.midpoint.util.exception.ObjectNotFoundException:
Object not found.
identifiers=[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],
objectclass={.../resource/instance-3}CustomGroupObjectClass:
Object identified by
[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]
was not found by
connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
v1.4.1.20257 @ConnectorServer27:22:8759)</font></div>
</div>
<div>
<div><font color="#000000" size="1"><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.consistency.impl.ObjectNotFoundHandler.handleError(ObjectNotFoundHandler.java:268)
~[provisioning-impl-3.2-SNAPSHOT.jar:na]</font></div>
</div>
<div>
<div><font color="#000000" size="1"><span style="white-space:pre-wrap"> </span>at
com.evolveum.midpoint.provisioning.impl.ShadowCache.handleError(ShadowCache.java:683)
~[provisioning-impl-3.2-SNAPSHOT.jar:na]</font></div>
</div>
</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>We have a similar setup for LDAP group provisioning and that
works fine.</div>
<div><br>
</div>
<div>I have attached my resource XML with the email, please have
a look and let me know if I am doing anything wrong here.</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards</div>
<div>Dharmendra</div>
</div>
<br>
<br>
</div></div><pre>_______________________________________________
midPoint-dev mailing list
<a href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><span class="HOEnZb"><font color="#888888">
</font></span></pre><span class="HOEnZb"><font color="#888888">
</font></span></blockquote><span class="HOEnZb"><font color="#888888">
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br></blockquote></div><br></div>
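Ivan's step 4 says that the kind=entitlement / intent=group-municipality objectType in schemaHandling must carry outbound mappings for icfs:name (the DN) and sAMAccountName before midPoint can actually create the group, but omits them. The fragment below is an added example, not from the thread or the midPoint project: it assumes the group is a projection of an org (so $focus is the org), that the org name supplies both the CN and the sAMAccountName, that the script language is the default Groovy, and that OU=Groups,DC=example,DC=com is a placeholder base DN.

```xml
<!-- Added example: schemaHandling objectType for the AD group entitlement.
     Assumes the group is a projection of an org ($focus), the org name gives
     both CN and sAMAccountName, and the OU below is a placeholder. -->
<objectType>
    <kind>entitlement</kind>
    <intent>group-municipality</intent>
    <displayName>Municipality groups</displayName>
    <default>true</default>
    <objectClass>ri:CustomGroupObjectClass</objectClass>

    <!-- icfs:name is the DN for the AD connector; without this mapping
         the connector has nothing to create the group as. -->
    <attribute>
        <ref>icfs:name</ref>
        <outbound>
            <strength>strong</strength>
            <source>
                <path>$focus/name</path>
            </source>
            <expression>
                <script>
                    <code>
                        // name is a PolyString; stringify it before building the DN
                        'CN=' + basic.stringify(name) + ',OU=Groups,DC=example,DC=com'
                    </code>
                </script>
            </expression>
        </outbound>
    </attribute>

    <!-- sAMAccountName is what the associationTargetSearch in Ivan's role
         filters on. The attribute QName is case-sensitive: use the spelling
         shown in the generated resource schema (Ivan's filter uses
         ri:samAccountName). -->
    <attribute>
        <ref>ri:sAMAccountName</ref>
        <outbound>
            <strength>strong</strength>
            <source>
                <path>$focus/name</path>
            </source>
            <expression>
                <script>
                    <code>basic.stringify(name)</code>
                </script>
            </expression>
        </outbound>
    </attribute>
</objectType>
```

With this in place, the meta-role from step 4 (kind=entitlement, intent=group-municipality in its construction) gives midPoint enough to provision the group when the role is assigned to an org, and the role from step 3 can then find it by sAMAccountName.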