[midPoint] OpenLDAP groups/users association (Midpoint 3.9)
LECOMTE ANTOINE
antoine.lecomte at univ-lyon1.fr
Tue Dec 4 14:36:57 CET 2018
Hello,
I am testing the management of identities and groups to populate an Active Directory and an OpenLDAP from a database.
In midPoint, users are created and assigned to organizations.
In the AD resource, I am able to create them as well and replicate the assignments with an association.
But I need some help to configure the association in the resource to OpenLDAP.
Users and groups (with a dummy account in the member attribute) are created correctly.
The relation in OpenLDAP is not made: the association does not replicate the assignments between users and organizations.
How can I configure the association to replicate this link?
It seems as if the resource is not using the association at all.
You can see below each objectType minus all the attributes.
<objectType>
<kind>account</kind>
<displayName>Normal Account</displayName>
<default>true</default>
<objectClass>ri:inetOrgPerson</objectClass>
<auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:supannPerson</auxiliaryObjectClass>
<auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
...
...
...
<association>
<ref>ri:group</ref>
<displayName>LDAP Group Membership</displayName>
<kind>entitlement</kind>
<intent>ldapGroup</intent>
<direction>objectToSubject</direction>
<associationAttribute>ri:member</associationAttribute>
<valueAttribute>ri:dn</valueAttribute>
</association>
...
...
...
</objectType>
<objectType>
<kind>entitlement</kind>
<intent>ldapGroup</intent>
<displayName>LDAP Group</displayName>
<objectClass>ri:groupOfNames</objectClass>
<baseContext>
<objectClass>ri:organizationalUnit</objectClass>
<filter>
<q:equal>
<q:path>attributes/dn</q:path>
<q:value>ou=groups,dc=univ-lyon1,dc=fr</q:value>
</q:equal>
</filter>
</baseContext>
...
...
...
</objectType>
Case 1: I specify a dummy user in the member attribute of the entitlement objectType. The group is created, but with only the dummy member.
<attribute>
<ref>ri:member</ref>
<fetchStrategy>minimal</fetchStrategy>
<outbound>
<strength>weak</strength>
<expression>
<value>cn=fake,dc=evolveum,dc=net</value>
</expression>
</outbound>
</attribute>
Case 2: no member attribute. The group cannot be created, because member is required for the creation.
Thanks.
Antoine.
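An added example that is not part of Antoine's post or of his attached resource: the association in the resource schema handling only describes how membership is stored (member attribute on the group, DN of the account); the membership values themselves come from a construction carried by an assignment or inducement on the org or role. The fragment below shows the shape such an inducement takes for the ri:group association above; the resource OID and the group cn are placeholders, and the syntax follows the associationTargetSearch form used in midPoint's documentation.

```xml
<!-- Added example, not from the original post: an inducement on an org/role
     that makes midPoint fill the ri:group association of the OpenLDAP account.
     The resource OID and the group cn are placeholders. -->
<inducement>
    <construction>
        <resourceRef oid="PLACEHOLDER-OPENLDAP-RESOURCE-OID" type="c:ResourceType"/>
        <!-- kind "account" selects the objectType marked <default>true</default> -->
        <kind>account</kind>
        <!-- ref must equal the <association><ref> in the account objectType -->
        <association>
            <ref>ri:group</ref>
            <outbound>
                <expression>
                    <!-- search the entitlement objects (kind/intent taken from the
                         association definition: entitlement/ldapGroup) for the
                         group whose cn matches, and link the account to it -->
                    <associationTargetSearch>
                        <filter>
                            <q:equal>
                                <q:path>attributes/cn</q:path>
                                <q:value>PLACEHOLDER-GROUP-CN</q:value>
                            </q:equal>
                        </filter>
                        <searchStrategy>onResourceIfNeeded</searchStrategy>
                    </associationTargetSearch>
                </expression>
            </outbound>
        </association>
    </construction>
</inducement>
```

With such a construction in place, midPoint writes the account DN into the group's member attribute through the association, so the dummy member from Case 1 is only needed to satisfy groupOfNames when the group is created with no members yet.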
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Supann-Pers.xml
Type: text/xml
Size: 17283 bytes
Desc: Supann-Pers.xml
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20181204/74582daf/attachment.xml>