[midPoint] OpenLDAP groups/users association (Midpoint 3.9)

LECOMTE ANTOINE antoine.lecomte at univ-lyon1.fr
Thu Dec 6 11:51:05 CET 2018


Hello,

I will try to explain as best I can.

I want to replicate the assignment between Users and Organization from Midpoint into openLDAP.

The issue was on the openLDAP group object: the member attribute was not populated with accounts.
But groups and accounts are correctly created and the association is configured in the resource.
So, the resource was completely fine.

The problem was with the setup of the meta-role assigned to the organizations.
Only the first of the 2 inducements was configured.

The 2nd inducement, with the order constraint, tells midPoint to link users to the group in the resource.


So the actions I did manually, in order:

- Create a projection for user X in openLDAP via the resource
- Assign the meta-role to an organization G (which is assigned to the user X)
- Reconcile the org G to create the group in openLDAP
- Reconcile the user X to fill the member attribute of the group in openLDAP


Note that I didn't customize the groupOfNames schema in openLDAP, so I still need to specify the member attribute with a static fake value (see first message).

Antoine.
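For other readers, an added example of the meta-role described above, with both inducements. It is not code from Antoine's thread or from the midPoint project; it follows the pattern of the wiki page linked later in the thread. The resource OID is a placeholder, the `ldapGroup` intent and the `ri:group` association name are taken from the resource snippet quoted below, and it assumes that the resource's `ldapGroup` objectType already maps `ri:dn` from `ri:cn` (those attributes are elided in the quoted snippet). The `associationFromLink` evaluator is used for the second inducement; an `associationTargetSearch` filter on the group's `cn` would work too.

```xml
<!-- Added example, not from the original post. Metarole that is assigned to
     each organization that should become an LDAP group. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Metarole: organization as LDAP group</name>

    <!-- Inducement 1 (implicit order 1): applies to the org that holds this
         metarole. The org gets an ldapGroup entitlement projection, i.e. a
         groupOfNames entry under ou=groups, named after the org. -->
    <inducement>
        <construction>
            <!-- placeholder OID of the openLDAP resource (assumption) -->
            <resourceRef oid="00000000-0000-0000-0000-000000000000" type="ResourceType"/>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <attribute>
                <ref>ri:cn</ref>
                <outbound>
                    <source>
                        <path>$focus/name</path>
                    </source>
                </outbound>
            </attribute>
        </construction>
    </inducement>

    <!-- Inducement 2 (order 2): does NOT apply to the org but to the users
         assigned to it. Each such user's account projection (default intent,
         as in the quoted resource) gets the ri:group association pointing at
         the group shadow that inducement 1 linked to the org. Because the
         association is objectToSubject on ri:member, midPoint then writes the
         user's DN into the group's member attribute. -->
    <inducement>
        <construction>
            <resourceRef oid="00000000-0000-0000-0000-000000000000" type="ResourceType"/>
            <kind>account</kind>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>ldapGroup</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>
```

Without the second inducement, only the group entry is ever created, which is exactly the symptom in the first message. The weak `ri:member` mapping from the first message can stay in place: it only fills `member` when the entry has no value yet (groupOfNames makes `member` mandatory at creation), and the association adds the real member DNs next to that placeholder. After assigning the metarole, recompute or reconcile the org first (so the group shadow exists and is linked) and then the users, as in the list of manual steps above.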
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On behalf of Devin Rosenbauer
Sent: Wednesday, December 5, 2018 7:37 PM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] OpenLDAP groups/users association (Midpoint 3.9)

Can you provide a little detail on what was the issue, just for other readers' information?

On Wed, Dec 5, 2018 at 2:57 AM LECOMTE ANTOINE <antoine.lecomte at univ-lyon1.fr> wrote:
Hi again,

I solved my problem myself with the correct use of metaroles: https://wiki.evolveum.com/display/midPoint/Roles,+Metaroles+and+Generic+Synchronization


Antoine.
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On behalf of LECOMTE ANTOINE
Sent: Tuesday, December 4, 2018 2:37 PM
To: midpoint at lists.evolveum.com
Subject: [midPoint] OpenLDAP groups/users association (Midpoint 3.9)

Hello,

I am testing the management of identities and groups to populate an Active Directory and an openLDAP from a database.

In Midpoint, users are created and assigned to organizations.
In the AD resource, I managed to create them as well and to replicate the assignments with an association.


But I need some help to configure the association in the resource to openLDAP.
Users and groups (with a dummy account in the member attribute) are created correctly.

The relation in openLDAP is not made: the association does not replicate the assignments between users and organizations.

How can I configure the association to replicate this link?
It seems as if the resource is not using the association at all.


You can see below each objectType minus all the attributes.

<objectType>
    <kind>account</kind>
    <displayName>Normal Account</displayName>
    <default>true</default>
    <objectClass>ri:inetOrgPerson</objectClass>
    <auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:supannPerson</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
    …
    <!-- account side of the membership: the group (object) holds the
         account DN (subject) in its member attribute -->
    <association>
        <ref>ri:group</ref>
        <displayName>LDAP Group Membership</displayName>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>
    </association>
    …
</objectType>


<objectType>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <displayName>LDAP Group</displayName>
    <objectClass>ri:groupOfNames</objectClass>
    <!-- groups live under a fixed OU -->
    <baseContext>
        <objectClass>ri:organizationalUnit</objectClass>
        <filter>
            <q:equal>
                <q:path>attributes/dn</q:path>
                <q:value>ou=groups,dc=univ-lyon1,dc=fr</q:value>
            </q:equal>
        </filter>
    </baseContext>
    …
</objectType>



Case 1: I specify a dummy user in the member attribute of the entitlement objectType. The group is created, but with only the dummy member.
<attribute>
    <ref>ri:member</ref>
    <fetchStrategy>minimal</fetchStrategy>
    <outbound>
        <!-- weak: only applied when member has no value yet -->
        <strength>weak</strength>
        <expression>
            <value>cn=fake,dc=evolveum,dc=net</value>
        </expression>
    </outbound>
</attribute>

Case 2: no member attribute. The group cannot be created, because member is required for creation.



Thanks.

Antoine.


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint


--
Devin Rosenbauer
Principal Consultant
Identity Works LLC
+1 585 210 3201

