[midPoint] Problem Unassigning LDAP Group Metarole

Ivan Noris ivan.noris at evolveum.com
Thu Apr 7 15:10:22 CEST 2016


Hi Shawn,

I have tried to replicate the problem in 3.3.1 (just now), with the
following configuration:
- testing/story/src/test/resources/unix/resource-opendj.xml
  - adapted to OpenLDAP, added some matching rules and removed shortcut
attributes for associations as my OpenLDAP is not configured that way.
Also I have added a mapping to put a dummy member into each group I
create.
- testing/story/src/test/resources/unix/role-meta-ldap-group.xml

I have created two LDAP groups like this:
1) created role named "shawnrole1-331" in midPoint and assigned LDAP
Group Metarole to this role. After saving, group named
cn=shawnrole1-331,ou=groups,dc=example,dc=com was created as a
projection of the role.
2) created role named "shawnrole2-331" in midPoint and assigned LDAP
Group Metarole to this role. After saving, group named
cn=shawnrole2-331,ou=groups,dc=example,dc=com was created as a
projection of the role.

I have created user shawnuser1-331 in midPoint:
name: shawnuser1-331
givenName, familyName, fullName, password filled
I have assigned the two previously created roles "shawnrole1-331" and
"shawnrole2-331" to the user and saved.

User was created and put into both groups.

Now I have edited user shawnuser1-331 in midPoint and unassigned
"shawnrole1-331". After saving, the uniqueMember attribute of the
cn=shawnrole1-331,ou=groups,dc=example,dc=com group no longer lists
shawnuser1-331 as a member.

So, unassigning works for me. At least in 3.3.1, because I have tried
something similar with 3.4 master and some issues are there.

I will continue to test the scenario with the unix roles as well and
answer that second mail when I have some resolution.

Regards,
Ivan

On 04/06/2016 04:38 PM, Shawn McKinney wrote:
> Hello,
>
> I am following the unix story:
> https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/unix
>
> and have a problem unassigning ldap group (metaroles) from a user.  When I pull up the user, select the group and unassign, it disappears from the console but the association remains in the corresponding LDAP group.
>
> Is there something more I have to do in order to make this op remove the member from the group?
>
> Thanks,
>
> Shawn
>
> Here is the config for the metarole:
> <role oid="9c6d1dbe-1a87-11e5-b107-001e8c717e5b"
>       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
>     <name>LDAP Group Metarole</name>
>
>     <!-- Order 1 (default): the role holding this metarole gets an LDAP group as its projection -->
>     <inducement>
>         <description>LDAPGROUP-I</description>
>         <construction>
>             <description>LDAPGROUP-I</description>
>             <!-- OpenLDAP resource -->
>             <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="c:ResourceType"/>
>             <kind>entitlement</kind>
>             <intent>ldapGroup</intent>
>         </construction>
>     </inducement>
>
>     <!-- Order 2: users assigned that role get an account associated with the role's group -->
>     <inducement>
>         <description>LDAPGROUP-I2</description>
>         <construction>
>             <description>LDAPGROUP-I2</description>
>             <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="c:ResourceType"/>
>             <kind>account</kind>
>             <intent>default</intent>
>             <association>
>                 <ref>ri:ldapGroup</ref>
>                 <outbound>
>                     <expression>
>                         <associationFromLink>
>                             <projectionDiscriminator>
>                                 <kind>entitlement</kind>
>                                 <intent>ldapGroup</intent>
>                             </projectionDiscriminator>
>                         </associationFromLink>
>                     </expression>
>                 </outbound>
>             </association>
>         </construction>
>         <order>2</order>
>     </inducement>
>
> </role>
>
> ****
>
> And its config in the ldap resource:
>
>                         <association>
>                             <ref>ri:ldapGroup</ref>
>                             <displayName>LDAP Group Membership</displayName>
>                             <kind>entitlement</kind>
>                             <intent>ldapGroup</intent>
>                             <!-- membership is stored on the group (uniqueMember), not on the account -->
>                             <direction>objectToSubject</direction>
>                             <associationAttribute>ri:uniqueMember</associationAttribute>
>                             <valueAttribute>ri:dn</valueAttribute>
>                             <shortcutAssociationAttribute>ri:isMemberOf</shortcutAssociationAttribute>
>                             <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>                             <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
>                         </association>
>
> ...
>
>         <objectType>
>             <kind>entitlement</kind>
>             <intent>ldapGroup</intent>
>             <displayName>LDAP Group</displayName>
>             <objectClass>ri:groupOfUniqueNames</objectClass>
>             <baseContext>
>                 <objectClass>ri:organizationalUnit</objectClass>
>                 <filter>
>                     <q:equal>
>                         <q:path>attributes/dn</q:path>
>                         <q:value>ou=groups,dc=example,dc=com</q:value>
>                     </q:equal>
>                 </filter>
>             </baseContext>
>             <attribute>
>                 <ref>ri:dn</ref>
>                 <matchingRule>mr:stringIgnoreCase</matchingRule>
>                 <outbound>
>                     <source>
>                         <path>$focus/name</path>
>                     </source>
>                     <expression>
>                         <script>
>                             <code>
>                                 import javax.naming.ldap.Rdn
>                                 import javax.naming.ldap.LdapName
>
>                                 // group DN is cn=&lt;role name&gt; under the groups OU
>                                 dn = new LdapName('ou=groups,dc=example,dc=com')
>                                 dn.add(new Rdn('cn', name.toString()))
>
>                                 return dn.toString()
>                             </code>
>                         </script>
>                     </expression>
>                 </outbound>
>             </attribute>
>
>             <attribute>
>                 <ref>ri:uniqueMember</ref>
>                 <matchingRule>mr:stringIgnoreCase</matchingRule>
>                 <outbound>
>                     <strength>strong</strength>
>                     <source>
>                         <path>$focus/name</path>
>                     </source>
>                     <expression>
>                         <script>
>                             <code>
>                                 import javax.naming.ldap.Rdn
>                                 import javax.naming.ldap.LdapName
>
>                                 // placeholder member: groupOfUniqueNames requires at least one uniqueMember
>                                 uniqueMember = new LdapName('ou=groups,dc=example,dc=com')
>                                 uniqueMember.add(new Rdn('uid', 'foo1'))
>
>                                 return uniqueMember.toString()
>                             </code>
>                         </script>
>                     </expression>
>                 </outbound>
>             </attribute>
>
>             <attribute>
>                 <ref>ri:cn</ref>
>                 <matchingRule>mr:stringIgnoreCase</matchingRule>
>                 <outbound>
>                     <strength>weak</strength>
>                     <source>
>                         <path>$focus/name</path>
>                     </source>
>                 </outbound>
>             </attribute>
>             <attribute>
>                 <ref>ri:description</ref>
>                 <outbound>
>                     <strength>strong</strength>
>                     <source>
>                         <path>description</path>
>                     </source>
>                 </outbound>
>             </attribute>
>         </objectType>
>
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."
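The symptom in this thread (a role unassigned in midPoint while the user's DN stays in the group's uniqueMember attribute) is a leftover entitlement, so it is worth having an independent check that compares LDAP group membership against what the IDM believes is assigned. The script below is an added example, not code from the thread, midPoint or Evolveum. It models the objectToSubject association from the quoted resource config (membership read from uniqueMember on groupOfUniqueNames entries, group DN built as cn=&lt;role name&gt;,ou=groups,dc=example,dc=com, DNs compared case-insensitively as with mr:stringIgnoreCase) and skips the uid=foo1 placeholder member the config writes into every group. The LDIF, the assignment table and the user container ou=people are all constructed for the example; the thread does not say where user entries live.

```python
"""Flag LDAP group memberships that disagree with midPoint role assignments.

Constructed sample data; DN layout follows the resource config quoted in
the thread. Stale = present in LDAP but not assigned (the reported bug);
missing = assigned but absent from the group.
"""
from collections import defaultdict

GROUP_BASE = "ou=groups,dc=example,dc=com"
# Dummy member written by the uniqueMember outbound mapping in the config
PLACEHOLDER_MEMBER = "uid=foo1,ou=groups,dc=example,dc=com"

# Constructed LDIF: shawnuser1-331 is still in both groups even though the
# assignment to shawnrole1-331 was removed. Note the mixed-case DN in group 2.
SAMPLE_LDIF = """\
dn: cn=shawnrole1-331,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: shawnrole1-331
uniqueMember: uid=foo1,ou=groups,dc=example,dc=com
uniqueMember: uid=shawnuser1-331,ou=people,dc=example,dc=com

dn: cn=shawnrole2-331,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: shawnrole2-331
uniqueMember: uid=foo1,ou=groups,dc=example,dc=com
uniqueMember: UID=ShawnUser1-331,OU=People,DC=example,DC=com
"""

# Constructed view of midPoint's assignments: user DN -> role names
# (ou=people is an assumption; the thread does not give the user container).
SAMPLE_ASSIGNMENTS = {
    "uid=shawnuser1-331,ou=people,dc=example,dc=com": ["shawnrole2-331"],
    "uid=shawnuser2-331,ou=people,dc=example,dc=com": ["shawnrole1-331"],
}


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lower: [values]}}.
    Handles folded lines (leading space) and multi-valued attributes;
    base64 (::) values are not needed for this data and are not handled."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold continuation line
            else:
                lines.append(raw)
        attrs = defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def norm_dn(dn):
    """Comparison key: lower-case, no whitespace around RDN separators
    (the config uses mr:stringIgnoreCase for dn and uniqueMember)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def group_dn(role_name):
    """Same construction as the ri:dn outbound mapping in the thread."""
    return f"cn={role_name},{GROUP_BASE}"


def memberships(entries):
    """objectToSubject: read uniqueMember on each group and invert it into
    {subject dn -> set of group dns}, ignoring the schema placeholder."""
    result = defaultdict(set)
    for dn, attrs in entries.items():
        classes = [oc.lower() for oc in attrs.get("objectclass", [])]
        if "groupofuniquenames" not in classes:
            continue
        for member in attrs.get("uniquemember", []):
            if norm_dn(member) == norm_dn(PLACEHOLDER_MEMBER):
                continue
            result[norm_dn(member)].add(norm_dn(dn))
    return result


def stale_and_missing(entries, assignments):
    """Return (stale, missing) as sorted lists of (user_dn, group_dn)."""
    actual = memberships(entries)
    expected = {norm_dn(user): {norm_dn(group_dn(r)) for r in roles}
                for user, roles in assignments.items()}
    stale, missing = [], []
    for user in set(actual) | set(expected):
        have = actual.get(user, set())
        want = expected.get(user, set())
        stale += [(user, g) for g in sorted(have - want)]
        missing += [(user, g) for g in sorted(want - have)]
    return sorted(stale), sorted(missing)


if __name__ == "__main__":
    stale, missing = stale_and_missing(parse_ldif(SAMPLE_LDIF), SAMPLE_ASSIGNMENTS)
    for user, group in stale:
        print(f"STALE   {user} still in {group}")
    for user, group in missing:
        print(f"MISSING {user} not in {group}")
```

On real data the LDIF would come from an `ldapsearch` of the groups base and the assignment table from midPoint's user export; the comparison itself does not change. Running the check after a recompute or reconciliation is a cheap way to confirm that an unassign actually reached the directory rather than only the midPoint console.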



