[midPoint] Problem Unassigning LDAP Group Metarole
Shawn McKinney
smckinney at symas.com
Wed Apr 6 16:38:30 CEST 2016
Hello,
I am following the unix story:
https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/unix
and have a problem unassigning an LDAP group (metarole) from a user. When I pull up the user, select the group and unassign it, it disappears from the console, but the association remains in the corresponding LDAP group.
Is there something more I have to do in order to make this operation remove the member from the group?
Thanks,
Shawn
Here is the config for the metarole:
<role oid="9c6d1dbe-1a87-11e5-b107-001e8c717e5b"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
    <name>LDAP Group Metarole</name>
    <inducement>
        <description>LDAPGROUP-I</description>
        <construction>
            <description>LDAPGROUP-I</description>
            <!-- OpenLDAP resource -->
            <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="c:ResourceType"/>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
        </construction>
    </inducement>
    <inducement>
        <description>LDAPGROUP-I2</description>
        <construction>
            <description>LDAPGROUP-I2</description>
            <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:ldapGroup</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>ldapGroup</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>
****
And its config in the LDAP resource:
<association>
    <ref>ri:ldapGroup</ref>
    <displayName>LDAP Group Membership</displayName>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:uniqueMember</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
    <shortcutAssociationAttribute>ri:isMemberOf</shortcutAssociationAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
    <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
</association>
...
<objectType>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <displayName>LDAP Group</displayName>
    <objectClass>ri:groupOfUniqueNames</objectClass>
    <baseContext>
        <objectClass>ri:organizationalUnit</objectClass>
        <filter>
            <q:equal>
                <q:path>attributes/dn</q:path>
                <q:value>ou=groups,dc=example,dc=com</q:value>
            </q:equal>
        </filter>
    </baseContext>
    <attribute>
        <ref>ri:dn</ref>
        <matchingRule>mr:stringIgnoreCase</matchingRule>
        <outbound>
            <source>
                <path>$focus/name</path>
            </source>
            <expression>
                <script>
                    <code>
                        import javax.naming.ldap.Rdn
                        import javax.naming.ldap.LdapName
                        dn = new LdapName('ou=groups,dc=example,dc=com')
                        dn.add(new Rdn('cn', name.toString()))
                        return dn.toString()
                    </code>
                </script>
            </expression>
        </outbound>
    </attribute>
    <attribute>
        <ref>ri:uniqueMember</ref>
        <matchingRule>mr:stringIgnoreCase</matchingRule>
        <outbound>
            <strength>strong</strength>
            <source>
                <path>$focus/name</path>
            </source>
            <expression>
                <script>
                    <code>
                        import javax.naming.ldap.Rdn
                        import javax.naming.ldap.LdapName
                        uniqueMember = new LdapName('ou=groups,dc=example,dc=com')
                        uniqueMember.add(new Rdn('uid', 'foo1'))
                        return uniqueMember.toString()
                    </code>
                </script>
            </expression>
        </outbound>
    </attribute>
    <attribute>
        <ref>ri:cn</ref>
        <matchingRule>mr:stringIgnoreCase</matchingRule>
        <outbound>
            <strength>weak</strength>
            <source>
                <path>$focus/name</path>
            </source>
        </outbound>
    </attribute>
    <attribute>
        <ref>ri:description</ref>
        <outbound>
            <strength>strong</strength>
            <source>
                <path>description</path>
            </source>
        </outbound>
    </attribute>
</objectType>
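The symptom in the post (group gone from the console, member still present in LDAP) is a drift between what midPoint assigns and what the objectToSubject association left in uniqueMember. The following is an added example, not code from the post or from midPoint, of a small drift check run over constructed LDAP data: it rebuilds group DNs the way the ri:dn mapping does (cn=<name> under ou=groups,dc=example,dc=com), compares DNs case-insensitively as mr:stringIgnoreCase would, and reports groups that still list the user although midPoint no longer assigns them. The people OU and the uid=<name> member DN form are assumptions, since the post does not show the account mapping.

```python
from typing import Dict, List, Set

GROUP_BASE = "ou=groups,dc=example,dc=com"   # from the resource's baseContext
PEOPLE_BASE = "ou=people,dc=example,dc=com"  # assumption: account OU is not on the page


def normalize_dn(dn: str) -> str:
    """Compare DNs as mr:stringIgnoreCase does: case-insensitive, ignoring
    whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def group_dn(group_name: str) -> str:
    """Mirror the ri:dn outbound script: cn=<group name> under the groups OU."""
    return f"cn={group_name},{GROUP_BASE}"


def find_stale_memberships(user_uid: str, assigned_groups: Set[str],
                           ldap_groups: Dict[str, List[str]]) -> List[str]:
    """Return DNs of LDAP groups whose uniqueMember still lists the user even
    though midPoint no longer assigns that group to the user.

    ldap_groups maps a group DN to its uniqueMember values as read from LDAP.
    """
    member_dn = normalize_dn(f"uid={user_uid},{PEOPLE_BASE}")
    expected = {normalize_dn(group_dn(g)) for g in assigned_groups}
    stale = []
    for dn, members in ldap_groups.items():
        has_user = any(normalize_dn(m) == member_dn for m in members)
        if has_user and normalize_dn(dn) not in expected:
            stale.append(dn)
    return sorted(stale)


# Constructed sample: the user was unassigned from "admins" in midPoint, but the
# LDAP group still lists them. The mixed-case DN would fool a naive string compare.
SAMPLE_GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com": ["UID=jsmith,OU=People,DC=example,DC=com"],
    "cn=developers,ou=groups,dc=example,dc=com": ["uid=jsmith,ou=people,dc=example,dc=com"],
    "cn=auditors,ou=groups,dc=example,dc=com": ["uid=other,ou=people,dc=example,dc=com"],
}

if __name__ == "__main__":
    for dn in find_stale_memberships("jsmith", {"developers"}, SAMPLE_GROUPS):
        print("stale membership:", dn)
```

In a real check the group entries would come from an LDAP search under ou=groups and the assigned set from the user's current assignments in midPoint; the comparison logic stays the same.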