[midPoint] Mapping problems
Pertti Kellomäki
pertti.kellomaki at datactica.fi
Wed Nov 23 11:57:09 CET 2016
Hi,
Sorry in advance for the amount of inline xml below.
I am trying to create a setup, where midPoint roles create ldap groups in a tree of ou's. I am able to create the hierarchy and groups, but I am unable to actually make users be members of those groups.
Studying the unix-ldap story leads me to think that group name calculation should best be performed in the resource configuration xml file so that it is easily usable in the membership inducement. Currently I do the name calculation in a role as follows:
<inducement>
<construction>
<resourceRef oid="..." type="c:ResourceType"/>
<kind>entitlement</kind>
<intent>OrgServiceRoleLdapGroup</intent>
<attribute>
<ref>ri:dn</ref>
<matchingRule>mr:stringIgnoreCase</matchingRule>
<outbound>
<source>
<path>$assignment/orgRef</path>
</source>
<source>
<path>$immediateRole/name</path>
</source>
<expression>
<script>
<code>
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
import javax.naming.ldap.Rdn;
import javax.naming.ldap.LdapName;
org = midpoint.getObject(OrgType.class, orgRef.getOid());
dn = new LdapName('ou=Roles,dc=kapa,dc=local');
dn.add(new Rdn('ou', org.getName().getOrig()));
dn.add(new Rdn('ou', name.toString().split(' ')[0]));
dn.add(new Rdn('cn', 'viewer'));
return dn.toString();
</code>
</script>
</expression>
</outbound>
</attribute>
</construction>
</inducement>
The corresponding (kind,intent) pair in the resource configuration is
<objectType>
<kind>entitlement</kind>
<intent>OrgServiceRoleLdapGroup</intent>
<displayName>LDAP Group</displayName>
<objectClass>ri:groupOfNames</objectClass>
<attribute>
<ref>ri:member</ref>
<matchingRule>mr:distinguishedName</matchingRule>
<fetchStrategy>minimal</fetchStrategy>
<outbound>
<strength>strong</strength>
<!-- Workaround - groupOfNames MUST have at least one member. Even non-existent DN. -->
<expression>
<value>cn=dummy,o=whatever</value>
</expression>
</outbound>
</attribute>
<attribute>
<ref>ri:description</ref>
<outbound>
<source>
<path>description</path>
</source>
</outbound>
</attribute>
<configuredCapabilities>
<cap:pagedSearch>
<cap:defaultSortField>ri:uid</cap:defaultSortField>
</cap:pagedSearch>
</configuredCapabilities>
<dependency>
<kind>generic</kind>
<intent>serviceOu</intent>
<strictness>relaxed</strictness>
</dependency>
</objectType>
If I naively cut the ri:dn attribute from the inducement in the role and paste it as an attribute in the above objectType, I get an error message complaining:
"No variable with name assignment in source definition in mapping in outbound mapping for {.../resource/instance-3}dn in resource:46515c38-7fd3-41ec-bbef-42756fa19845(LDAP)"
My question is, can I somehow access the assignment from an outbound mapping in the resource configuration? Or do I maybe need some kind of mediating mapping in the role?
Thanks, Pertti
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161123/0488845f/attachment.htm>
More information about the midPoint
mailing list