[midPoint] OpenLDAP groups/users association (Midpoint 3.9)

Devin Rosenbauer devin at identityworksllc.com
Wed Dec 5 19:37:00 CET 2018


Can you provide a little detail on what was the issue, just for other
readers' information?

On Wed, Dec 5, 2018 at 2:57 AM LECOMTE ANTOINE <
antoine.lecomte at univ-lyon1.fr> wrote:

> Hi again,
>
> I self-resolved my problem with the correct use of Metarole:
> https://wiki.evolveum.com/display/midPoint/Roles,+Metaroles+and+Generic+Synchronization
>
> Antoine.
>
> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On behalf
> of* LECOMTE ANTOINE
> *Sent:* Tuesday, December 4, 2018 2:37 PM
> *To:* midpoint at lists.evolveum.com
> *Subject:* [midPoint] OpenLDAP groups/users association (Midpoint 3.9)
>
> Hello,
>
> I am testing the management of identities and groups to populate an Active
> Directory and an OpenLDAP from a database.
>
> In Midpoint, users are created and assigned to organizations.
>
> In the AD resource, I manage to create them as well and replicate the
> assignments with association.
>
> But I need some help to configure the association in the resource to
> OpenLDAP.
>
> Users and groups (with a dummy account in the member parameter) are created
> correctly.
>
> The relation in OpenLDAP is not made: the association does not replicate
> the assignments between users and organizations.
>
> How can I configure the association to replicate this link?
>
> It seems as if the resource is not using the association at all.
>
> You can see below each objectType minus all the attributes.
>
> <objectType>
>     <kind>account</kind>
>     <displayName>Normal Account</displayName>
>     <default>true</default>
>     <objectClass>ri:inetOrgPerson</objectClass>
>     <auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass>
>     <auxiliaryObjectClass>ri:supannPerson</auxiliaryObjectClass>
>     <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
>     <!-- attribute definitions omitted -->
>     <association>
>         <ref>ri:group</ref>
>         <displayName>LDAP Group Membership</displayName>
>         <kind>entitlement</kind>
>         <intent>ldapGroup</intent>
>         <direction>objectToSubject</direction>
>         <associationAttribute>ri:member</associationAttribute>
>         <valueAttribute>ri:dn</valueAttribute>
>     </association>
>     <!-- remaining definitions omitted -->
> </objectType>
>
> <objectType>
>     <kind>entitlement</kind>
>     <intent>ldapGroup</intent>
>     <displayName>LDAP Group</displayName>
>     <objectClass>ri:groupOfNames</objectClass>
>     <baseContext>
>         <objectClass>ri:organizationalUnit</objectClass>
>         <filter>
>             <q:equal>
>                 <q:path>attributes/dn</q:path>
>                 <q:value>ou=groups,dc=univ-lyon1,dc=fr</q:value>
>             </q:equal>
>         </filter>
>     </baseContext>
>     <!-- attribute definitions omitted -->
> </objectType>
>
> Case 1: I specify a dummy user in the member attribute of the
> entitlement objectType. The group is created but with only the dummy member.
>
> <attribute>
>     <ref>ri:member</ref>
>     <fetchStrategy>minimal</fetchStrategy>
>     <outbound>
>         <strength>weak</strength>
>         <expression>
>             <value>cn=fake,dc=evolveum,dc=net</value>
>         </expression>
>     </outbound>
> </attribute>
>
> Case 2: no member attribute. The group cannot be created because member
> is needed for the creation.
>
> Thanks.
>
> Antoine.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>


-- 
Devin Rosenbauer
Principal Consultant
Identity Works LLC
+1 585 210 3201
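For readers who land here with the same question: Antoine's resolution was to apply a metarole, and the linked wiki page describes the general pattern. The fragment below is an added illustration, not configuration posted by either participant, of what such a metarole looks like for the resource definition quoted above. It assumes the standard midPoint metarole construction from the documentation (one inducement that projects the org as a groupOfNames entitlement, plus an order-2 inducement with associationFromLink that wires member accounts into that group); the resource OID is a placeholder, and the role name is made up.

```xml
<!-- Added example metarole (not from the thread). Assign this role to each
     OrgType that should become an OpenLDAP group. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>OpenLDAP Group Metarole</name>

    <!-- Inducement 1: the org holding this metarole is itself projected to
         the resource as an entitlement of intent "ldapGroup" (the objectType
         with objectClass ri:groupOfNames quoted in the thread). -->
    <inducement>
        <construction>
            <!-- placeholder: OID of the OpenLDAP resource -->
            <resourceRef oid="REPLACE-WITH-OPENLDAP-RESOURCE-OID" type="ResourceType"/>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
        </construction>
    </inducement>

    <!-- Inducement 2 (order 2): applies to users assigned to the org, one
         level below the metarole. Their default account on the same resource
         gets the ri:group association filled from the org's projected group,
         so midPoint writes the user's DN into the group's member attribute. -->
    <inducement>
        <construction>
            <!-- placeholder: same OpenLDAP resource OID as above -->
            <resourceRef oid="REPLACE-WITH-OPENLDAP-RESOURCE-OID" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>ldapGroup</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>
```

Two points worth checking against the thread's own configuration: the association in the account objectType must stay declared with `<direction>objectToSubject</direction>`, `ri:member` and `ri:dn` as quoted, since the metarole only supplies the values, not the mapping; and because groupOfNames refuses an entry with no member, the weak placeholder mapping from Case 1 is the usual way to let midPoint create an empty group first, after which real member DNs are added by the association. Keep the placeholder DN pointing at a non-existent entry so it never grants access to anything.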