[midPoint] AD User-Group Association

LECOMTE ANTOINE antoine.lecomte at univ-lyon1.fr
Fri Apr 29 10:18:15 CEST 2016


Hello,

We're still evaluating midPoint (3.3.1) and we have achieved the midPoint-AD synchronization for accounts.
We can see them in the midPoint GUI and in Active Directory.

We are following the HOWTO to synchronize AD groups, and they are correctly created in midPoint (roles).
We removed the outbound rules in the group schema handling.


But, assignments between users and roles are not created.
We don't have errors or warning messages.

If we link them manually in midPoint, the membership is added to the group in AD.


We tried multiple valueAttribute values without success: icfs:name and ri:distinguishedName.
You can see below our current schemaHandling.

<objectType>
    <kind>account</kind>
    <intent>default</intent>
    <displayName>AD_Account</displayName>
    <default>true</default>
    <objectClass>ri:AccountObjectClass</objectClass>

    ....

    <association>
        <ref>ri:group</ref>
        <displayName>AD Group Membership</displayName>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:distinguishedName</valueAttribute>
        <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
    </association>
</objectType>


Thanks!