From gugalou38 at gmail.com Sun Jan 3 01:21:07 2021
From: gugalou38 at gmail.com (Gus Lou)
Date: Sat, 2 Jan 2021 21:21:07 -0300
Subject: [midPoint] AD Account Import Task Error

Hello Guys, Happy New Year

I created a task to import existing accounts in Active Directory. After importing some accounts, the task stops and presents an error regarding an account that could not be imported. It is a default Exchange account that for some reason is not being recognized by midPoint. Is there a way to exclude this account from the import so that it doesn't stop the task?

Task error:

Couldn't convert resource object from ConnID to midPoint: uid=Attribute: {Name=__UID__, Value=[f10eed2a-1a67-4484-97c9-b9c28646fb12]}, name=Attribute: {Name=__NAME__, Value=[CN=Exchange Online-ApplicationAccount,OU=UserDisable,DC=xyz,DC=net]}, class=ObjectClass: user: Unknown attribute msExchUserBL in definition of object class {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}user. Original ConnId name: msExchUserBL in resource object identified by Attribute: {Name=__NAME__, Value=[CN=Exchange Online-ApplicationAccount,OU=UserDisable,DC=xyz,DC=net]}

Regards

Gus

From gugalou38 at gmail.com Sun Jan 3 02:39:38 2021
From: gugalou38 at gmail.com (Gus Lou)
Date: Sat, 2 Jan 2021 22:39:38 -0300
Subject: [midPoint] AD Account Import Task Error

It seems that using a filter on the resource may be a solution.

On Sat, 2 Jan 2021 at 21:21, Gus Lou wrote:
> [...]

From gugalou38 at gmail.com Sun Jan 3 21:00:41 2021
From: gugalou38 at gmail.com (Gus Lou)
Date: Sun, 3 Jan 2021 17:00:41 -0300
Subject: [midPoint] AD Account Import Task Error

Hi Guys

Unfortunately the strategy of filtering by the path I mentioned earlier did not work.

The Active Directory environment has several accounts that have attributes such as msDS-KeyCredentialLink and msExchUserBL than midPoint. When I run the account import task I get the error extracted from the log:

Couldn't convert resource object from ConnID to midPoint: uid=Attribute: {Name=__UID__, Value=[f10eed2a-1a67-4484-97c9-b9c28646fb12]}, name=Attribute: {Name=__NAME__, Value=[CN=Exchange Online-ApplicationAccount,OU=UserDisable,DC=xyz,DC=net]}, class=ObjectClass: user: Unknown attribute msExchUserBL in definition of object class {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}user. Original ConnId name: msExchUserBL in resource object identified by Attribute: {Name=__NAME__, Value=[CN=Exchange Online-ApplicationAccount,OU=UserDisable,DC=xyz,DC=net]}

Error dealing with schema: Couldn't convert resource object from ConnID to midPoint: uid=Attribute: {Name=__UID__, Value=[20c2b611-1716-3c77-98c8-a8ba87e5c571]}, name=Attribute: {Name=__NAME__, Value=[CN=joe doe,OU=users,DC=xyz,DC=net]}, class=ObjectClass: user: Unknown attribute msDS-KeyCredentialLink in definition of object class {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}user. Original ConnId name: msDS-KeyCredentialLink in resource object identified by Attribute: {Name=__NAME__, Value=[CN=joe doe,OU=users,DC=xyz,DC=net]}

If anyone has any tips I would appreciate it.

On Sat, 2 Jan 2021 at 22:39, Gus Lou wrote:
> [...]
From jeverling at bshp.edu Mon Jan 4 18:07:56 2021
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 4 Jan 2021 17:07:56 +0000
Subject: [midPoint] AD Account Import Task Error

You need to add all the object classes for the attributes your users have. Whichever object class those 2 attributes belong to, add them as auxiliary object classes in the resource.

________________________________
From: midPoint on behalf of Gus Lou via midPoint
Sent: Sunday, January 3, 2021 2:00:41 PM
To: midPoint General Discussion
Cc: Gus Lou
Subject: Re: [midPoint] AD Account Import Task Error

[...]

From andrea.picconi at innovery.net Tue Jan 5 15:51:50 2021
From: andrea.picconi at innovery.net (Andrea Picconi)
Date: Tue, 5 Jan 2021 14:51:50 +0000
Subject: [midPoint] Problem with java script with dates

Hi all,

we have a problem with an operation that should write, via outbound, to an Oracle DB the furthest date in time among three dates that we have as values in midPoint.

The first example below works only if just one of the three date attribute fields is populated; when we have two fields populated it gives us an error.

Below, instead, the error when we try with two or more fields populated:

[image003.png: screenshot of the error, not preserved in the archive]

Any idea how to resolve it?

Thank you and regards,

Andrea Picconi
IAM (Identity Access Management)
Innovery
Skype: precons
T: +39 06 51963439 (int. 196)
Strada Quattro Palazzina A6 c/o Centro Direzionale Milanofiori, 20057 Assago (MI).
www.innovery.net | T: +39 06 519 63 439
From virgo at evolveum.com Wed Jan 6 02:00:03 2021
From: virgo at evolveum.com (Richard Richter)
Date: Wed, 6 Jan 2021 02:00:03 +0100 (CET)
Subject: [midPoint] Problem with java script with dates
Message-ID: <1878136460.465802.1609894803600.JavaMail.zimbra@evolveum.com>

Hello

Couple of points here:

* If possible, errors as copy/pasted text are better than images; it is easier for us too to copy/paste from them when Googling error messages.
* The script code is "nearly Java"; it's actually Groovy, and the message "Cannot compare" is an error from the Groovy language/runtime.
* As for the problem, this answer may help: https://stackoverflow.com/a/1333733/658826

The issue is that XMLGregorianCalendar really is not Comparable, so it can't be used with the > operator (which is a Groovy extension; Java would not allow this between two objects).

Regards

Richard Richter
midPoint developer

From: "midPoint General Discussion"
To: "midPoint General Discussion"
Cc: "Andrea Picconi", "Marianna De Biasio", "Jacopo Giuliano"
Sent: Tuesday, January 5, 2021 3:51:50 PM
Subject: [midPoint] Problem with java script with dates

[...]

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint

From lilstrom at fnal.gov Thu Jan 7 18:29:39 2021
From: lilstrom at fnal.gov (Al Lilianstrom)
Date: Thu, 7 Jan 2021 17:29:39 +0000
Subject: [midPoint] Importing AD groups as roles

Still struggling with this. Given up on importing the existing groups as roles for now.

Using https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO as a guide I verified that my configuration for the AD resource matched the guide. I then created the task for syncing groups:

    Synchronization: Active Directory Groups
    entitlement
    runnable
    http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/live-sync/handler-3
    recurring
    tight
    5

Task runs without errors.

I then created a group. The task picked up the group and added it as a shadow.

From this line in the document, "When new group is created, it appears in midPoint as a new entitlement shadow and a role.", I expected a role to be created.

Am I misunderstanding the document or missing something in the task?
--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov

From chris at cmwoods.com Thu Jan 7 18:44:19 2021
From: chris at cmwoods.com (chris at cmwoods.com)
Date: Thu, 07 Jan 2021 17:44:19 +0000
Subject: [midPoint] Importing AD groups as roles

Hi Al,

the importing as a role is not defined in the task. You have to define that in an inbound mapping in an association in your resource schema handling. For AD it also gets more complicated due to nested groups - if you want roles as members of roles in midPoint.

I am back at work on Monday and can send you an example if you like.

Regards,
Chris

January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint" wrote:
> [...]

From lilstrom at fnal.gov Thu Jan 7 20:20:48 2021
From: lilstrom at fnal.gov (Al Lilianstrom)
Date: Thu, 7 Jan 2021 19:20:48 +0000
Subject: [midPoint] Importing AD groups as roles

Hi Chris,

Thanks for the response.

I have the inbound mapping and association defined.

    ri:group
    AD Group Membership
    entitlement
    group
    objectToSubject
    ri:member
    ri:name
    ri:memberOf
    ri:name
    false

    entitlement
    group
    AD Group
    true
    ri:group
    ri:cn
    mr:stringIgnoreCase
    $focus/name
    ...

I'd really appreciate an example. Please send it when you have a chance on Monday.

al

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov

________________________________________
From: chris at cmwoods.com
Sent: Thursday, January 7, 2021 11:44 AM
To: midPoint General Discussion
Cc: Al Lilianstrom
Subject: Re: [midPoint] Importing AD groups as roles

[...]

From jeverling at bshp.edu Thu Jan 7 20:49:06 2021
From: jeverling at bshp.edu (Jason Everling)
Date: Thu, 7 Jan 2021 13:49:06 -0600
Subject: [midPoint] Importing AD groups as roles
Message-ID: <70981793-A49D-4FD6-8B9D-12D410219653@hxcore.ol>

An HTML attachment was scrubbed...

From lilstrom at fnal.gov Fri Jan 8 17:27:35 2021
From: lilstrom at fnal.gov (Al Lilianstrom)
Date: Fri, 8 Jan 2021 16:27:35 +0000
Subject: [midPoint] Importing AD groups as roles
In-Reply-To: <70981793-A49D-4FD6-8B9D-12D410219653@hxcore.ol>

Hi Jason,

I've tried a couple of different attributes there: name, as it's in the doc I referenced below, and dn, as it's in the same from your org in GitHub. Same results. Shadow created but no role. No error that I've been able to find.

This is what the shadow object looks like. Any clues there as to what I might be missing?
    CN=TestSync1,OU=midPoint,DC=fermistart,DC=fnal,DC=local
    2021-01-08T09:48:37.057-06:00
    2021-01-08T09:48:37.057-06:00
    ri:group
    4d011362-4f8e-4b77-ad8f-257bd2f9338e
    entitlement
    true
    cn=testsync1,ou=midpoint,dc=fermistart,dc=fnal,dc=local
    4d011362-4f8e-4b77-ad8f-257bd2f9338e

al

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov

________________________________________
From: Jason Everling
Sent: Thursday, January 7, 2021 1:49 PM
To: midPoint General Discussion; chris at cmwoods.com
Cc: Al Lilianstrom
Subject: RE: [midPoint] Importing AD groups as roles

From what I can see so far, pretty sure you need to use 'ri:dn' for 'shortcutValueAttribute' and 'valueAttribute'.

From: Al Lilianstrom via midPoint
Sent: Thursday, January 7, 2021 1:20 PM
To: chris at cmwoods.com; midPoint General Discussion
Cc: Al Lilianstrom
Subject: Re: [midPoint] Importing AD groups as roles

[...]

From jeverling at bshp.edu Fri Jan 8 17:41:46 2021
From: jeverling at bshp.edu (Jason Everling)
Date: Fri, 8 Jan 2021 10:41:46 -0600
Subject: [midPoint] Importing AD groups as roles
Message-ID: <2AC4CA56-58B7-4F62-BCBC-4FA54DEC26C7@hxcore.ol>

An HTML attachment was scrubbed...
URL: From lilstrom at fnal.gov Fri Jan 8 19:51:07 2021 From: lilstrom at fnal.gov (Al Lilianstrom) Date: Fri, 8 Jan 2021 18:51:07 +0000 Subject: [midPoint] Importing AD groups as roles In-Reply-To: <2AC4CA56-58B7-4F62-BCBC-4FA54DEC26C7@hxcore.ol> References: , , , <70981793-A49D-4FD6-8B9D-12D410219653@hxcore.ol>, , <2AC4CA56-58B7-4F62-BCBC-4FA54DEC26C7@hxcore.ol> Message-ID: Hi Jason, It looks like this Group sync ri:group entitlement group RoleType true c:dn $shadow/attributes/cn linked true deleted http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink unlinked http://midpoint.evolveum.com/xml/ns/public/model/action-3#link unmatched -- Al Lilianstrom Authentication Services Fermi National Accelerator Laboratory www.fnal.gov lilstrom at fnal.gov ________________________________________ From: Jason Everling Sent: Friday, January 8, 2021 10:41 AM To: midPoint General Discussion Cc: Al Lilianstrom Subject: RE: [midPoint] Importing AD groups as roles So “name” is a midpoint attribute, the association section needs attributes that exist in AD, so for sure “ri:name” is not valid, should be “ri:dn”, what is your object synchronization section for actions? From: Al Lilianstrom via midPoint Sent: Friday, January 8, 2021 10:27 AM To: midPoint General Discussion Cc: Al Lilianstrom Subject: Re: [midPoint] Importing AD groups as roles Hi Jason, I've tried a couple of different attributes there. Name as it's in the doc I referenced below and dn as it's in the same from your org in github. Same results. Shadow created but no role. No error that I've been able to find. This is what the shadow object looks like. Any clues there as to what I might be missing? 
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="ae7c73f6-82cf-4776-89a2-9cb099bbcabb" version="1"> CN=TestSync1,OU=midPoint,DC=fermistart,DC=fnal,DC=local 2021-01-08T09:48:37.057-06:00 2021-01-08T09:48:37.057-06:00 ri:group 4d011362-4f8e-4b77-ad8f-257bd2f9338e entitlement true cn=testsync1,ou=midpoint,dc=fermistart,dc=fnal,dc=local 4d011362-4f8e-4b77-ad8f-257bd2f9338e al -- Al Lilianstrom Authentication Services Fermi National Accelerator Laboratory http://www.fnal.gov lilstrom at fnal.gov ________________________________________ From: Jason Everling Sent: Thursday, January 7, 2021 1:49 PM To: midPoint General Discussion; chris at cmwoods.com Cc: Al Lilianstrom Subject: RE: [midPoint] Importing AD groups as roles >From what I can see so far, pretty sure you need to use ‘ri:dn’ for ‘shortcutValueAttribute’ and ‘valueAttribute’ From: Al Lilianstrom via midPoint Sent: Thursday, January 7, 2021 1:20 PM To: chris at cmwoods.com; midPoint General Discussion Cc: Al Lilianstrom Subject: Re: [midPoint] Importing AD groups as roles Hi Chris, Thanks for the response. I have the inbound mapping and association defined. ri:group AD Group Membership entitlement group objectToSubject ri:member ri:name ri:memberOf ri:name false entitlement group AD Group true ri:group ri:cn mr:stringIgnoreCase $focus/name ... I'd really appreciate an example. Please send it when you have a chance on Monday. 
al -- Al Lilianstrom Authentication Services Fermi National Accelerator Laboratory http://www.fnal.gov lilstrom at fnal.gov ________________________________________ From: chris at cmwoods.com Sent: Thursday, January 7, 2021 11:44 AM To: midPoint General Discussion Cc: Al Lilianstrom Subject: Re: [midPoint] Importing AD groups as roles Hi Al, the importing as a role is not defined in the task. You have to define that in an inbound mapping in an association in your resource schema handling. For AD it also gets more complicated due to nested groups - if you want roles as members of roles in midpoint. I am back at work on Monday and can send you an example if you like. Regards, Chris January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint" wrote: > Still struggling with this. Given up on importing the existing groups as roles for now. Using > https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.evolveum.com_display_midPoint_Active-2BDirectory-2BGroup-2BSynchronization-2BHOWTO&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=qzlO4VhAsDjofkMBBzEIVXfh548pEhTobTb4-k4Iw8A&e= as a guide > I verified that my configuration for the AD resource matched the guide. 
I then created the task for > syncing groups > > xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" > xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" > xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" > xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" > xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" > xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"> > Synchronization: Active Directory Groups > > xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">entitlement > > runnable > https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_model_synchronization_task_live-2Dsync_handler-2D&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=Pq5GOOAao17jRFm3GE-ojdVS-MYluBMNYXFDy_DHQvk&e= > > > recurring > tight > > 5 > > > > Task runs without errors. > > I then created a group. The task picked up the group and added it as a shadow. > > From this line in the document "When new group is created, it appears in midPoint as a new > entitlement shadow and a role." I expected a role to be created. > > Am I misunderstanding the document or missing something in the task? 
> > --
> > Al Lilianstrom
> > Authentication Services
> >
> > Fermi National Accelerator Laboratory
> > http://www.fnal.gov
> > lilstrom at fnal.gov
> >
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=ZJ5Xkl5mnRIijyiycMv8NSCIutNVsI7Ms85zGDzPAGk&e=

From chris at cmwoods.com Fri Jan 8 20:03:44 2021
From: chris at cmwoods.com (Chris Woods)
Date: Fri, 08 Jan 2021 20:03:44 +0100
Subject: [midPoint] Importing AD groups as roles
In-Reply-To: References: , , , <70981793-A49D-4FD6-8B9D-12D410219653@hxcore.ol>, , <2AC4CA56-58B7-4F62-BCBC-4FA54DEC26C7@hxcore.ol>
Message-ID: <176e3621280.278b.b31242745c19d1e738abf173820fc831@cmwoods.com>

Hi Al,

You don't have a reaction defined for "unmatched". This should be "add focus" if you want the role to be created.

Regards,
Chris

On 8 January 2021 19:51:19, Al Lilianstrom via midPoint wrote:
> Hi Jason,
>
> It looks like this
>
> Group sync
> ri:group
> entitlement
> group
> RoleType
> true
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:dn
> $shadow/attributes/cn
> linked
> true
> deleted
> http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink
> unlinked
> http://midpoint.evolveum.com/xml/ns/public/model/action-3#link
> unmatched
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> www.fnal.gov
> lilstrom at fnal.gov
>
> ________________________________________
> From: Jason Everling
> Sent: Friday, January 8, 2021 10:41 AM
> To: midPoint General Discussion
> Cc: Al Lilianstrom
> Subject: RE: [midPoint] Importing AD groups as roles
>
> So “name” is a midpoint attribute, the association section needs attributes that exist in AD, so for sure “ri:name” is not valid, should be “ri:dn”, what is your object synchronization section for actions?
>
> From: Al Lilianstrom via midPoint
> Sent: Friday, January 8, 2021 10:27 AM
> To: midPoint General Discussion
> Cc: Al Lilianstrom
> Subject: Re: [midPoint] Importing AD groups as roles
>
> Hi Jason,
>
> I've tried a couple of different attributes there. Name as it's in the doc I referenced below and dn as it's in the same from your org in github. Same results. Shadow created but no role. No error that I've been able to find.
>
> This is what the shadow object looks like. Any clues there as to what I might be missing?
> xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
> xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
> oid="ae7c73f6-82cf-4776-89a2-9cb099bbcabb" version="1">
> CN=TestSync1,OU=midPoint,DC=fermistart,DC=fnal,DC=local
> relation="org:default" type="c:ResourceType">
> 2021-01-08T09:48:37.057-06:00
> 2021-01-08T09:48:37.057-06:00
> ri:group
> 4d011362-4f8e-4b77-ad8f-257bd2f9338e
> entitlement
> true
> cn=testsync1,ou=midpoint,dc=fermistart,dc=fnal,dc=local
> 4d011362-4f8e-4b77-ad8f-257bd2f9338e
>
> al
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> http://www.fnal.gov
> lilstrom at fnal.gov
>
> ________________________________________
> From: Jason Everling
> Sent: Thursday, January 7, 2021 1:49 PM
> To: midPoint General Discussion; chris at cmwoods.com
> Cc: Al Lilianstrom
> Subject: RE: [midPoint] Importing AD groups as roles
>
> From what I can see so far, pretty sure you need to use ‘ri:dn’ for ‘shortcutValueAttribute’ and ‘valueAttribute’
>
> From: Al Lilianstrom via midPoint
> Sent: Thursday, January 7, 2021 1:20 PM
> To: chris at cmwoods.com; midPoint General Discussion
> Cc: Al Lilianstrom
> Subject: Re: [midPoint] Importing AD groups as roles
>
> Hi Chris,
>
> Thanks for the response.
>
> I have the inbound mapping and association defined.
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group
> AD Group Membership
> entitlement
> group
> objectToSubject
> ri:member
> ri:name
> ri:memberOf
> ri:name
> false
>
> entitlement
> group
> AD Group
> true
> ri:group
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn
> xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase
> $focus/name
> ...
>
> I'd really appreciate an example. Please send it when you have a chance on Monday.
>
> al
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> http://www.fnal.gov
> lilstrom at fnal.gov
>
> ________________________________________
> From: chris at cmwoods.com
> Sent: Thursday, January 7, 2021 11:44 AM
> To: midPoint General Discussion
> Cc: Al Lilianstrom
> Subject: Re: [midPoint] Importing AD groups as roles
>
> Hi Al,
>
> the importing as a role is not defined in the task. You have to define that in an inbound mapping in an association in your resource schema handling. For AD it also gets more complicated due to nested groups - if you want roles as members of roles in midpoint.
>
> I am back at work on Monday and can send you an example if you like.
>
> Regards,
> Chris
>
> January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint" wrote:
>
>> Still struggling with this. Given up on importing the existing groups as roles for now. Using
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.evolveum.com_display_midPoint_Active-2BDirectory-2BGroup-2BSynchronization-2BHOWTO&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=qzlO4VhAsDjofkMBBzEIVXfh548pEhTobTb4-k4Iw8A&e=
>> as a guide
>> I verified that my configuration for the AD resource matched the guide. I then created the task for syncing groups
>>
>> xmlns="https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_common-2D3&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=A-QjjPWUuFgmB5_adbMwnoSDeMofyb4hVVFNEdFgPSQ&e="
>> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>> xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
>> Synchronization: Active Directory Groups
>> xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">entitlement
>> runnable
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_model_synchronization_task_live-2Dsync_handler-2D&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=Pq5GOOAao17jRFm3GE-ojdVS-MYluBMNYXFDy_DHQvk&e=
>> recurring
>> tight
>> 5
>>
>> Task runs without errors.
>>
>> I then created a group. The task picked up the group and added it as a shadow.
>>
>> From this line in the document "When new group is created, it appears in midPoint as a new entitlement shadow and a role." I expected a role to be created.
>>
>> Am I misunderstanding the document or missing something in the task?
>> --
>> Al Lilianstrom
>> Authentication Services
>>
>> Fermi National Accelerator Laboratory
>> http://www.fnal.gov
>> lilstrom at fnal.gov
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=ZJ5Xkl5mnRIijyiycMv8NSCIutNVsI7Ms85zGDzPAGk&e=
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From lilstrom at fnal.gov Fri Jan 8 21:07:14 2021
From: lilstrom at fnal.gov (Al Lilianstrom)
Date: Fri, 8 Jan 2021 20:07:14 +0000
Subject: [midPoint] Importing AD groups as roles
In-Reply-To: <176e3621280.278b.b31242745c19d1e738abf173820fc831@cmwoods.com>
References: , , , <70981793-A49D-4FD6-8B9D-12D410219653@hxcore.ol>, , <2AC4CA56-58B7-4F62-BCBC-4FA54DEC26C7@hxcore.ol> , <176e3621280.278b.b31242745c19d1e738abf173820fc831@cmwoods.com>
Message-ID:

Thanks Chris. Still not seeing a role.

Looking at the example that Jason has in github I see

Role Template - Domain Groups

as part of the reaction for the addFocus to an unmatched group.

Do I need a template defined for the role to be added?
al

--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov

From chris at cmwoods.com Fri Jan 8 21:33:44 2021
From: chris at cmwoods.com (Chris Woods)
Date: Fri, 08 Jan 2021 21:33:44 +0100
Subject: [midPoint] Importing AD groups as roles
In-Reply-To: References: , , , <70981793-A49D-4FD6-8B9D-12D410219653@hxcore.ol>, , <2AC4CA56-58B7-4F62-BCBC-4FA54DEC26C7@hxcore.ol> , <176e3621280.278b.b31242745c19d1e738abf173820fc831@cmwoods.com>
Message-ID: <176e3b47840.278b.b31242745c19d1e738abf173820fc831@cmwoods.com>

Hi Al,

It's not a prerequisite. The only mandatory field would be name, which you were setting in the inbound mapping from ri:cn if I remember correctly. You can use the template to set other values for the role that may not be coming directly from the resource (we are actually using archetypes to set these kinds of values). Actually, we copy ri:cn to $focus/identifier and then generate a name for the role in the archetype - but this is all stuff to do after the creation of the role is working.
I take it you're not getting any error messages?

Regards,
Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From andrea.picconi at innovery.net Mon Jan 11 09:21:14 2021
From: andrea.picconi at innovery.net (Andrea Picconi)
Date: Mon, 11 Jan 2021 08:21:14 +0000
Subject: [midPoint] Problem with java script with dates
In-Reply-To: <1878136460.465802.1609894803600.JavaMail.zimbra@evolveum.com>
References: <1878136460.465802.1609894803600.JavaMail.zimbra@evolveum.com>
Message-ID:

Hi Richard,

thanks to your answer we have solved the problem. Here is the code, maybe it will be useful for someone else:

Regards,

Andrea Picconi
IAM (Identity Access Management)
[Innovery]
Skype: precons
T: +39 06 51963439 (int. 196)
Strada Quattro Palazzina A6 c/o Centro Direzionale Milanofiori, 20057 Assago (MI).
www.innovery.net | T: +39 06 519 63 439

From: midPoint On Behalf Of Richard Richter via midPoint
Sent: Wednesday, January 6, 2021 2:00 AM
To: midPoint General Discussion
Cc: Richard Richter
Subject: Re: [midPoint] Problem with java script with dates

Hello

Couple of points here:

* If possible, errors as copy/pasted text are better than images; it is easier to copy/paste from them for us too when Googling error messages.
* The script code is "nearly Java"; it's actually Groovy, and the message "Cannot compare" is an error from the Groovy language/runtime.
* As for the problem, this answer may help: https://stackoverflow.com/a/1333733/658826 The issue is that XMLGregorianCalendar really is not comparable, so it can't be used with the > operator (which is a Groovy extension; Java would not allow this between two objects).

Regards

Richard Richter
midPoint developer

________________________________
From: "midPoint General Discussion"
To: "midPoint General Discussion"
Cc: "Andrea Picconi", "Marianna De Biasio", "Jacopo Giuliano"
Sent: Tuesday, January 5, 2021 3:51:50 PM
Subject: [midPoint] Problem with java script with dates

Hi all,

we have a problem with an operation that should send outbound to an Oracle DB the furthest date in time among three dates that we have as values in midPoint.

The first example below works only if just one of the three date attribute fields is populated; when we have two fields populated it gives us an error:

Below, instead, the error when we try with two or more fields populated:

[cid:image001.png at 01D6E7F9.9CB13360]

Any idea how to resolve it?

Thank you and regards,

Andrea Picconi
IAM (Identity Access Management)
[Innovery]
Skype: precons
T: +39 06 51963439 (int. 196)
Strada Quattro Palazzina A6 c/o Centro Direzionale Milanofiori, 20057 Assago (MI).
www.innovery.net | T: +39 06 519 63 439
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 47210 bytes
Desc: image001.png
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 8058 bytes
Desc: image002.png
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 8058 bytes
Desc: image004.png
URL:

From jeverling at bshp.edu Mon Jan 11 16:14:18 2021
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 11 Jan 2021 09:14:18 -0600
Subject: [midPoint] Importing AD groups as roles
In-Reply-To: References: , , , <70981793-A49D-4FD6-8B9D-12D410219653@hxcore.ol>, , <2AC4CA56-58B7-4F62-BCBC-4FA54DEC26C7@hxcore.ol>,
Message-ID: <0E0E5664-C2F8-4030-BB94-369D7C191718@hxcore.ol>

An HTML attachment was scrubbed...
URL:

From jeverling at bshp.edu Mon Jan 11 17:06:28 2021
From: jeverling at bshp.edu (Jason Everling)
Date: Mon, 11 Jan 2021 10:06:28 -0600
Subject: [midPoint] Importing AD groups as roles
In-Reply-To: <0E0E5664-C2F8-4030-BB94-369D7C191718@hxcore.ol>
References: , , , <70981793-A49D-4FD6-8B9D-12D410219653@hxcore.ol>, , <2AC4CA56-58B7-4F62-BCBC-4FA54DEC26C7@hxcore.ol>, , <0E0E5664-C2F8-4030-BB94-369D7C191718@hxcore.ol>
Message-ID: <80D36FEA-0D0D-4CF0-A66F-10A519EBE501@hxcore.ol>

An HTML attachment was scrubbed...
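The comparison Richard describes in the "Problem with java script with dates" thread above, written out as an added example; this is not Andrea's posted solution (her code was scrubbed from the archive). It is a midPoint outbound mapping whose Groovy script picks the latest of three XMLGregorianCalendar values with compare() instead of the > operator. The target attribute ri:END_DATE and the focus extension items date1, date2 and date3 are placeholder names assumed for the example.

```xml
<!-- Added example, not code from the thread: outbound mapping on an Oracle DB
     resource attribute that receives the latest of three dates held in the focus.
     ri:END_DATE and $focus/extension/date1..date3 are placeholder names. -->
<attribute>
    <ref>ri:END_DATE</ref>
    <outbound>
        <source>
            <name>date1</name>
            <path>$focus/extension/date1</path>
        </source>
        <source>
            <name>date2</name>
            <path>$focus/extension/date2</path>
        </source>
        <source>
            <name>date3</name>
            <path>$focus/extension/date3</path>
        </source>
        <expression>
            <script>
                <code>
                    import javax.xml.datatype.DatatypeConstants

                    // Each source is an XMLGregorianCalendar, or null when the
                    // focus property is empty; drop the empty ones first so the
                    // one-date, two-date and three-date cases are all handled.
                    def candidates = [date1, date2, date3].findAll { it != null }
                    if (candidates.isEmpty()) {
                        return null          // nothing to write: attribute stays empty
                    }

                    // XMLGregorianCalendar does not implement Comparable, so Groovy's
                    // "a > b" fails with "Cannot compare" as soon as two values are set.
                    // compare() returns DatatypeConstants.LESSER / EQUAL / GREATER /
                    // INDETERMINATE; only GREATER moves a candidate ahead.
                    def latest = candidates[0]
                    for (d in candidates.tail()) {
                        if (d.compare(latest) == DatatypeConstants.GREATER) {
                            latest = d
                        }
                    }
                    return latest
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
```

INDETERMINATE (for example a value with a time zone against one without) counts as "not later", so the earlier-listed source wins in that case; keep the three inbound mappings consistent about time zones if that matters for the target column.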
URL:

From tomas.husar at ibask.eu Mon Jan 11 18:32:22 2021
From: tomas.husar at ibask.eu (tomas.husar at ibask.eu)
Date: Mon, 11 Jan 2021 18:32:22 +0100
Subject: [midPoint] midpoint GUI for viewing and modifying Users details
Message-ID:

Hello all,

our client is very "volatile" about the existence of GUI elements which are displayed but do nothing. For example: an end user is logged in and is trying to change his own attributes on the user view; he sees a couple of edit boxes for attributes which he is authorised to read/modify... and a button.

Why is this displayed? How can I make it invisible?

I expected its visibility to be controlled by PageAdminObjectDetails: and when there are no available archetypes the button is not there (getArchetypeOidsListToAssign).

Thanks for any opinion.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 22858 bytes
Desc: not available
URL:

From lilstrom at fnal.gov Mon Jan 11 19:46:39 2021
From: lilstrom at fnal.gov (Al Lilianstrom)
Date: Mon, 11 Jan 2021 18:46:39 +0000
Subject: [midPoint] Importing AD groups as roles
In-Reply-To: <80D36FEA-0D0D-4CF0-A66F-10A519EBE501@hxcore.ol>
References: , , , <70981793-A49D-4FD6-8B9D-12D410219653@hxcore.ol>, , <2AC4CA56-58B7-4F62-BCBC-4FA54DEC26C7@hxcore.ol>, , <0E0E5664-C2F8-4030-BB94-369D7C191718@hxcore.ol>, <80D36FEA-0D0D-4CF0-A66F-10A519EBE501@hxcore.ol>
Message-ID:

Hi Jason,

Thank you for the explanation and the sample. Cleared some things up in my head. Huge step forward.

I was able to get a small number of groups to import as roles. Next error to resolve is midPoint wanting to move all of the groups to the same OU rather than leave them where they exist in AD. No doubt it's in the outbound expression for the group - just need to understand what I need to do.
Thanks again,

al

--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov

________________________________________
From: Jason Everling
Sent: Monday, January 11, 2021 10:06 AM
To: Al Lilianstrom; midPoint General Discussion
Subject: RE: [midPoint] Importing AD groups as roles

Since you had these types of values mixed before: anything with "c:" in the attribute name will be an attribute that is part of midPoint's built-in schema; on the other hand, "ri:" will be an attribute that is part of your resource. You might use the below for correlation; the midPoint schema "name" field will match your AD "cn" attribute:

c:name
$shadow/attributes/ri:cn

From: Jason Everling
Sent: Monday, January 11, 2021 9:14 AM
To: Al Lilianstrom; midPoint General Discussion
Subject: RE: [midPoint] Importing AD groups as roles

I think it might be your correlation: you are specifying c:dn, but that's not a valid midPoint attribute. I don't know how you are using it, everyone has it set up, naming, differently, but the needs to be a midPoint attribute, like maybe if you are mapping "cn" to the role "name" field you would use "c:name".

From: Al Lilianstrom
Sent: Friday, January 8, 2021 12:51 PM
To: Jason Everling; midPoint General Discussion
Subject: Re: [midPoint] Importing AD groups as roles

Hi Jason,

It looks like this:

Group sync
ri:group
entitlement
group
RoleType
true
c:dn
$shadow/attributes/cn
linked
true
deleted
http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink
unlinked
http://midpoint.evolveum.com/xml/ns/public/model/action-3#link
unmatched

--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov

________________________________________
From: Jason Everling
Sent: Friday, January 8, 2021 10:41 AM
To: midPoint General Discussion
Cc: Al Lilianstrom
Subject: RE: [midPoint] Importing AD groups as roles

So "name" is a midPoint attribute; the association section needs attributes that exist in AD, so for sure "ri:name" is not valid, it should be "ri:dn". What is your object synchronization section for actions?

From: Al Lilianstrom via midPoint
Sent: Friday, January 8, 2021 10:27 AM
To: midPoint General Discussion
Cc: Al Lilianstrom
Subject: Re: [midPoint] Importing AD groups as roles

Hi Jason,

I've tried a couple of different attributes there. Name as it's in the doc I referenced below and dn as it's in the same from your org in github. Same results. Shadow created but no role. No error that I've been able to find.

This is what the shadow object looks like. Any clues there as to what I might be missing?

xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
oid="ae7c73f6-82cf-4776-89a2-9cb099bbcabb" version="1">
CN=TestSync1,OU=midPoint,DC=fermistart,DC=fnal,DC=local
2021-01-08T09:48:37.057-06:00
2021-01-08T09:48:37.057-06:00
ri:group
4d011362-4f8e-4b77-ad8f-257bd2f9338e
entitlement
true
cn=testsync1,ou=midpoint,dc=fermistart,dc=fnal,dc=local
4d011362-4f8e-4b77-ad8f-257bd2f9338e

al

--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov

________________________________________
From: Jason Everling
Sent: Thursday, January 7, 2021 1:49 PM
To: midPoint General Discussion; chris at cmwoods.com
Cc: Al Lilianstrom
Subject: RE: [midPoint] Importing AD groups as roles

From what I can see so far, pretty sure you need to use 'ri:dn' for 'shortcutValueAttribute' and 'valueAttribute'.

From: Al Lilianstrom via midPoint
Sent: Thursday, January 7, 2021 1:20 PM
To: chris at cmwoods.com; midPoint General Discussion
Cc: Al Lilianstrom
Subject: Re: [midPoint] Importing AD groups as roles

Hi Chris,

Thanks for the response. I have the inbound mapping and association defined.

ri:group
AD Group Membership
entitlement
group
objectToSubject
ri:member
ri:name
ri:memberOf
ri:name
false

entitlement
group
AD Group
true
ri:group
ri:cn
mr:stringIgnoreCase
$focus/name
...

I'd really appreciate an example. Please send it when you have a chance on Monday.

al

--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov

________________________________________
From: chris at cmwoods.com
Sent: Thursday, January 7, 2021 11:44 AM
To: midPoint General Discussion
Cc: Al Lilianstrom
Subject: Re: [midPoint] Importing AD groups as roles

Hi Al,

the importing as a role is not defined in the task. You have to define that in an inbound mapping in an association in your resource schema handling. For AD it also gets more complicated due to nested groups - if you want roles as members of roles in midPoint. I am back at work on Monday and can send you an example if you like.

Regards,
Chris

January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint" wrote:

> Still struggling with this. Given up on importing the existing groups as roles for now. Using
> https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.evolveum.com_display_midPoint_Active-2BDirectory-2BGroup-2BSynchronization-2BHOWTO&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=qzlO4VhAsDjofkMBBzEIVXfh548pEhTobTb4-k4Iw8A&e=
> as a guide I verified that my configuration for the AD resource matched the guide. I then created the task for syncing groups:
>
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
> xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
> Synchronization: Active Directory Groups
> xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">entitlement
> runnable
> https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_model_synchronization_task_live-2Dsync_handler-2D&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=Pq5GOOAao17jRFm3GE-ojdVS-MYluBMNYXFDy_DHQvk&e=
> type="c:ResourceType"/>
> recurring
> tight
> 5
>
> Task runs without errors.
>
> I then created a group. The task picked up the group and added it as a shadow.
>
> From this line in the document "When new group is created, it appears in midPoint as a new entitlement shadow and a role." I expected a role to be created.
>
> Am I misunderstanding the document or missing something in the task?
>
> --
> Al Lilianstrom
> Authentication Services
> Fermi National Accelerator Laboratory
> http://www.fnal.gov
> lilstrom at fnal.gov
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=ZJ5Xkl5mnRIijyiycMv8NSCIutNVsI7Ms85zGDzPAGk&e=

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint

From Chris.Woods at rohde-schwarz.com Wed Jan 13 15:30:22 2021
From: Chris.Woods at rohde-schwarz.com (Chris Woods)
Date: Wed, 13 Jan 2021 14:30:22 +0000
Subject: [midPoint] Importing AD groups as roles
Message-ID: <5f4a4dfd5d6240a2bd5fb4ae7ec8a01c@rohde-schwarz.com>

Hi Al,

sorry for the delay - here's a snippet from our AD configuration - there is, however, probably quite a lot of stuff that you don't need in there.

Regards,
Chris

-----Original Message-----
From: midPoint On Behalf Of Al Lilianstrom via midPoint
Sent: Monday, January 11, 2021 7:47 PM
To: Jason Everling ; midPoint General Discussion
Cc: Al Lilianstrom
Subject: *EXT* [Newsletter] Re: [midPoint] Importing AD groups as roles

Hi Jason,

Thank you for the explanation and the sample. Cleared some things up in my head. Huge step forward. I was able to get a small number of groups to import as roles.

Next error to resolve is midPoint wanting to move all of the groups to the same OU rather than leave them where they exist in AD. No doubt it's in the outbound expression for the group - just need to understand what I need to do.
Thanks again,

al

--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ad_snippet.xml
Type: application/xml
Size: 19876 bytes
Desc: ad_snippet.xml
URL: 

From Chris.Woods at rohde-schwarz.com Wed Jan 13 15:31:27 2021
From: Chris.Woods at rohde-schwarz.com (Chris Woods)
Date: Wed, 13 Jan 2021 14:31:27 +0000
Subject: [midPoint] Importing AD groups as roles
Message-ID: <5d977222d651459aa739e7e97c6fe038@rohde-schwarz.com>

Hi Al,

you could try commenting out the outbound mappings if this is a one-time import. What strength is set for ri:dn?

Regards,
Chris

-----Original Message-----
From: midPoint On Behalf Of Al Lilianstrom via midPoint
Sent: Monday, January 11, 2021 7:47 PM
To: Jason Everling ; midPoint General Discussion
Cc: Al Lilianstrom
Subject: *EXT* [Newsletter] Re: [midPoint] Importing AD groups as roles

Hi Jason,

Thank you for the explanation and the sample. Cleared some things up in my head. Huge step forward. I was able to get a small number of groups to import as roles.
Next error to resolve is midPoint wanting to move all of the groups to the same OU rather than leave them where they exist in AD. No doubt it's in the outbound expression for the group - just need to understand what I need to do.

Thanks again,

al

--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint

From Chris.Woods at rohde-schwarz.com Wed Jan 13 15:43:27 2021
From: Chris.Woods at rohde-schwarz.com (Chris Woods)
Date: Wed, 13 Jan 2021 14:43:27 +0000
Subject: [midPoint] Changes to custom tasks in 4.2?
Message-ID: <7fb52f97ad384723b8b994bc4a5a0d7f@rohde-schwarz.com>

Hi,

we are currently running midPoint 4.1 and have two custom tasks (written based on https://wiki.evolveum.com/display/midPoint/Create+Custom+Task). However, when trying to test them with 4.2 we receive the following error:

"No handler for URI 'http://de.rus.idm.midpoint/task/departmentimport/handler', closing the task."

I have attached the class. Would appreciate any ideas :)

Thanks in advance,
Chris

CHRIS WOODS
Identity Management
Information and Business Technology
Rohde & Schwarz GmbH & Co. KG
Mühldorfstraße 15 | 81671 München
Phone: +49 89 4129 15735
Internet: https://www.rohde-schwarz.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CompanyLocationImportTask.java
Type: application/octet-stream
Size: 25565 bytes
Desc: CompanyLocationImportTask.java
URL: 

From radovan.semancik at evolveum.com Thu Jan 14 18:43:42 2021
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 14 Jan 2021 18:43:42 +0100
Subject: [midPoint] Blog: Happy New Year 2021
Message-ID: 

Dear midPoint community,

We wish you a Happy New Year 2021! We have big plans for this year, including major midPoint improvements and the next LTS midPoint release.

Last year was really challenging. Even though 2021 is not going to be easy, there are high hopes. Of course, the pandemic and the economic crisis affect everyone including us, but we are doing our best to carry on and work hard.

We definitely have some ambitious plans for this year. Firstly, there is a midScale project aimed towards major improvements in midPoint scalability. The project is still in an early phase, yet we have some designs and results already. We plan to make some bold changes in important midPoint components, therefore we will be conducting a survey soon to gather community feedback. MidScale is planned to deliver some results in midPoint 4.3, however the most significant results are expected in midPoint 4.4.

Speaking of midPoint 4.4, it is planned to be the next long-term support (LTS) release. Obviously, there are expectations – and responsibilities. The 4.4 LTS release is supposed to be more stable and well tested. We are already working on a new testing environment for midPoint. The 4.4 LTS has to live at least until 2024.

Last year also brought some news, especially MidPoint Studio. The Studio has proven to be a very useful tool already, and we definitely plan to continue working on it this year. We also plan documentation updates, mostly to make the documentation easier to navigate, lowering the entry barrier.
The midPoint community is growing, and we want to support you as much as we can.

We are also looking further ahead, beyond midPoint 4.4 LTS. We are working on a vision for midPoint 5, also preparing development projects that should extend midPoint capabilities to new areas. This is likely to take more concrete shape during this year. Therefore please stay tuned. Hopefully, more news will come in the next few months.

(Reposted from the Evolveum blog)

--
Radovan Semancik
Software Architect
evolveum.com

From vito.carpentieri at gmail.com Sat Jan 16 19:03:32 2021
From: vito.carpentieri at gmail.com (Vito Antonio Carpentieri)
Date: Sat, 16 Jan 2021 19:03:32 +0100
Subject: [midPoint] LdapNetworkConnection - Connection reset by peer
Message-ID: 

Hi guys,

I installed midPoint 4.1 as a standalone server and I created an LDAP resource using the embedded LDAP connector 3.0.

Now, I am trying to connect to a Directory Server behind a load balancer with the idletimeout attribute set. I noticed that, when a task runs after an "idletimeout" amount of time from the last one, it turns into suspended status.

Reading the log (see below), I found a connection error. It sounds as if, when there is a time of inactivity longer than the idletimeout value, the server sends an ECONNRESET response to midPoint and the connection is not reopened.

Could you tell me where my mistake is? Has anybody dealt with this issue yet? Do any settings exist to avoid this error?
Best regards,
Vito

LOG

2021-01-12 12:24:25,039 [] [NioProcessor-2] WARN (org.apache.directory.ldap.client.api.LdapNetworkConnection): Connection reset by peer
java.io.IOException: Connection reset by peer
    at java.base/sun.nio.ch.FileDispatcherImpl.read0(Native Method)
    at java.base/sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
    at java.base/sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:276)
    at java.base/sun.nio.ch.IOUtil.read(IOUtil.java:245)
    at java.base/sun.nio.ch.IOUtil.read(IOUtil.java:223)
    at java.base/sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:358)
    at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:378)
    at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:47)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:519)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
2021-01-12 12:24:25,040 [] [http-nio-8080-exec-9] ERROR (com.evolveum.polygon.connector.ldap.search.DefaultSearchStrategy): method: null msg:LDAP error during search: protocolError: PROTOCOL_ERROR: The server will disconnect! (2)
From gustav.palos at gmail.com Tue Jan 19 17:06:15 2021
From: gustav.palos at gmail.com (Pálos Gustáv)
Date: Tue, 19 Jan 2021 17:06:15 +0100
Subject: [midPoint] How to blank out user properties?
In-Reply-To: 
References: <0da4f0892f86213f47ae2bea9823f13789a595fa.camel@ndsu.edu> <64253D7B-A070-4BAE-A46F-400F262B0DAD@hxcore.ol> <9a3fcdc6ea3976926f7380eae8d431ce3c2c7ab6.camel@ndsu.edu> <18a191ed903a94a5831c0b3a4d5d1930160bebf6.camel@ndsu.edu> <3b352d6af20d2193cd87fdc20ea82ca082c056c2.camel@ndsu.edu>
Message-ID: 

Hi All,

we found a solution via the global user object template, like this:

cleaning attribute after source shadow is dead/missing
strong
$focus/extension/attributeToClean

Best regards,
Gustav

On Wed, 8 Jul 2020 at 15:40, Jason Everling wrote:

> I guess it goes, every environment is different, just a few little additions to turn it into a task, see attached, the formatting kept going screwy if I pasted. You can go in and schedule it after you import or add the schedule info to the xml.
>
> On Tue, Jul 7, 2020 at 2:53 PM Richard Frovarp wrote:
>
>> The value wasn't being reapplied. It looks like empty strings aren't null, and I am not quite able to get null to work.
>> I need to come up with a more elegant solution, but I was able to find something that works:
>>
>> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>> UserType
>> extension/ndsuPrimaryJobDepartment
>> execute-script
>> script
>>
>>     // Groovy body of the execute-script action; runs once per user selected by the query.
>>     import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType
>>     import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
>>     import com.evolveum.midpoint.prism.path.ItemPath
>>
>>     // Walk the user's linked shadows; a shadow that cannot be fetched is treated as dead.
>>     refs = input?.getLinkRef()
>>     for (ref in refs) {
>>         try {
>>             shadow = midpoint.getObject(ShadowType.class, ref.getOid())
>>         } catch (Exception e) {
>>             log.info('DEAD SHADOW {}', input.name)
>>             continue
>>         }
>>         // A live shadow on the source resource means the user is still there: nothing to clear.
>>         if (shadow.getResourceRef().getOid() == '5f1cc34a-2b27-4ae1-9989-3960e2e311f4') {
>>             return
>>         }
>>     }
>>
>>     // No live shadow on the source resource: delete both extension properties.
>>     path = ItemPath.create(UserType.F_EXTENSION, 'ndsuPrimaryJobDepartment')
>>     delta = midpoint.prismContext.deltaFactory().object().createModificationDeleteProperty(UserType.class,
>>             input.getOid(), path, basic.getPropertyValue(input, "extension/ndsuPrimaryJobDepartment"))
>>     midpoint.executeChanges(delta)
>>
>>     path = ItemPath.create(UserType.F_EXTENSION, 'ndsuPrimaryJobTitle')
>>     titleDelta = midpoint.prismContext.deltaFactory().object().createModificationDeleteProperty(UserType.class,
>>             input.getOid(), path, basic.getPropertyValue(input, "extension/ndsuPrimaryJobTitle"))
>>     // Execute the title delta (the original passed the already-executed department delta here).
>>     midpoint.executeChanges(titleDelta)
>>
>> Feels like I'm doing things sub-optimally. Between your examples and the Grouper bits I was able to get enough figured out. Like I said, this works. The only way they disappear from the resource is on a reconcile, so having this run in a task later is fine. I think my dead shadows are from earlier tests where I didn't get the right synchronization for removal quickly enough.
>>
>> Now I need to figure out how to turn this into a bulk action task of some
>> sort.
>>
>> On Thu, 2020-07-02 at 16:58 -0500, Jason Everling wrote:
>>
>> Yep, my weekend starts here in a few! Even though I've been working at
>> home for 4 months now :D
>>
>> You could be hitting my age old bug as well, check the history tab on the
>> user to make sure the value isn't being re-applied. I was about right, the
>> last time we used it was 3.2 and this was reported in 3.1 when it was doing
>> the same thing for us:
>> https://jira.evolveum.com/browse/MID-2100
>>
>> On Thu, Jul 2, 2020 at 4:27 PM Richard Frovarp wrote:
>>
>> Clean out title
>> strong
>> $user/extension/ndsuPrimaryJobTitle
>>
>> It's not clear to me how midPoint interprets empty strings. Hence using
>> the script to do an explicit null.
>>
>> I can give what you provided a try next week. I'm about to start the
>> weekend. Thank you for the help. Thank you for providing your examples,
>> they have been helpful to us getting going (I just found your bulk actions
>> item, which is helpful). Once I have something more complicated than
>> importing names, I'll start to try to contribute back with what we have
>> working.
>>
>> Have a great 4th!
>>
>> On Thu, 2020-07-02 at 16:18 -0500, Jason Everling wrote:
>>
>> So can you post what you have for the deleted template action? You also
>> have that set under the resource for deleted? I just checked, and a long
>> time ago we did something similar for accounts removed from a resource,
>> although we don't anymore, but that was on 3.2 and should still work. I
>> don't see why not unless it's a bug. Try the below; I pulled it from an old
>> 'delete' template on our private repo from an old resource we had years ago.
>>
>> true
>> strong
>> ''
>> extension/ndsuPrimaryJobTitle
>>
>> On Thu, Jul 2, 2020 at 4:09 PM Richard Frovarp wrote:
>>
>> Thanks. I've started work down the bulk actions path.
>> Which is perhaps less than ideal, but I think I understand it, and I will
>> have operations later that will require it. I can follow your more elegant
>> solution after I have something working. I don't quite have all of the
>> affiliations populated yet right now. I figured that setting and clearing
>> a single value attribute from a single source would be the easiest thing
>> to start with. Affiliations come after I have this working.
>>
>> On Thu, 2020-07-02 at 15:55 -0500, Jason Everling wrote:
>>
>> :/ I've been updating some of our logstash stuff, should be != faculty and
>> != staff
>> JASON
>>
>> On Thu, Jul 2, 2020 at 3:49 PM Jason Everling wrote:
>>
>> Gotcha, I just put together a quick example for an idea, you can also go
>> with if affiliation == student && not == faculty || affiliation == student
>> && not == staff || etc...
>>
>> For the assignments, you would write the script to get all assignments,
>> then if your resource doesn't exist apply the mapping. There is a midPoint
>> function for it; we used something similar for a bulk task, I'll find it on
>> my prod git repo, it's back there in time.
>>
>> Someone else might be able to chime in sooner.
>>
>> On Thu, Jul 2, 2020 at 2:13 PM Richard Frovarp wrote:
>>
>> But students can be employed. I need it so that if they aren't in that
>> resource, they are removed. Your earlier example makes some sense, but I
>> don't have a deep enough understanding of midPoint to fully implement it.
>> Error complains about the source of $user/assignments. I'm on 4.1 and it
>> looks like that may have changed some, but I can't quite figure out how.
>>
>> Kind of frustrated as this seems like it should be a basic operation, and
>> it's the one thing stopping me from going further. I don't want a mess of
>> stale data in a brand new system a day after it goes up.
>>
>> I've been looking at queries and bulk actions, but I can't figure out how
>> to find all users that aren't referenced by a resource.
>> I can find all in the resource, and all that have a resource that isn't it
>> (which is all of the users, as names are pulled in from a different
>> resource). What is a one minute query in raw SQL is beyond my understanding
>> here right now.
>>
>> On Thu, 2020-07-02 at 13:15 -0500, Jason Everling wrote:
>>
>> Also this in the default template: if return null; doesn't work you could
>> also go with return ''; . So many different ways to do it without relying
>> on a deleted template.
>>
>> Clean out department
>> strong
>> $user/extension/your_affiliation
>> $user/extension/ndsuPrimaryJobTitle
>>
>> From: Jason Everling
>> Sent: Thursday, July 2, 2020 1:06 PM
>> To: midPoint General Discussion
>> Subject: RE: [midPoint] How to blank out user properties?
>>
>> * only if the resource isn't assigned?
>>
>> From: Jason Everling
>> Sent: Thursday, July 2, 2020 1:04 PM
>> To: midPoint General Discussion
>> Subject: RE: [midPoint] How to blank out user properties?
>>
>> What about just a regular mapping in the default user template with a
>> condition, strong, that gets applied only if the resource is assigned?
>>
>> Clean out department
>> strong
>> $user/assignments
>> $user/extension/ndsuPrimaryJobTitle
>>
>> From: Richard Frovarp
>> Sent: Thursday, July 2, 2020 12:56 PM
>> To: midpoint at lists.evolveum.com
>> Subject: Re: [midPoint] How to blank out user properties?
>>
>> I've seen your archive example. I wasn't completely clear. I don't want
>> to archive the old value. I just want it gone. I want to keep the user
>> object though. So if I were to leave NDSU, we would want the name, employee
>> number, etc. to remain. But my title would no longer apply.
>> A bigger deal: if I were to become a student, we wouldn't want my job
>> title applied to my AD object, for instance, as it wouldn't be applicable.
>> Just trying to get the value back to null.
>>
>> On Thu, 2020-07-02 at 12:22 -0500, Jason Everling wrote:
>>
>> So what I can read from this, you want to archive the old value? We do this
>> for various attributes when they are changed, see here, I had added it to
>> the midpoint samples a while back. It will take the old value which was
>> previously set and then add it to a custom schema attribute for archival
>> history, such as a username change, level change, affiliation, etc.
>>
>> https://github.com/evolveum/midpoint-samples/blob/master/samples/contrib/bshp/objects/objectTemplates/Includes%20-%20Archiving.xml
>>
>> From: Richard Frovarp
>> Sent: Thursday, July 2, 2020 11:13 AM
>> Subject: [midPoint] How to blank out user properties?
>>
>> I'm reading a list of our employees from a DB through a
>> DatabaseTableConnector resource. As part of that process I'm setting a
>> custom schema element that is their title. That's fine. However, when
>> they are no longer employed, they disappear from the database table.
>>
>> So I'm trying to blank out the title property, since if they aren't
>> employed anymore, they don't have a title. We want to keep historic
>> records, and they may still be a student, for which we wouldn't populate a
>> title.
>>
>> How does one go about doing this? It was suggested using an object
>> template on the deleted situation, but that doesn't appear to be
>> working.
>>
>> Resource:
>>
>> deleted
>> true
>> http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink
>>
>> User Template:
>>
>> Clean out department
>> strong
>> $user/extension/ndsuPrimaryJobTitle
>>
>> No errors are thrown, it's just that the title element remains populated
>> with the last known value when the user is deleted from the resource.
>>
>> Thanks,
>> Richard
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>

--
Best regards,
Gustáv Pálos

From lilstrom at fnal.gov Tue Jan 19 19:45:49 2021
From: lilstrom at fnal.gov (Al Lilianstrom)
Date: Tue, 19 Jan 2021 18:45:49 +0000
Subject: [midPoint] Importing AD groups as roles
In-Reply-To: <5f4a4dfd5d6240a2bd5fb4ae7ec8a01c@rohde-schwarz.com>
References: <5f4a4dfd5d6240a2bd5fb4ae7ec8a01c@rohde-schwarz.com>
Message-ID:

Thanks Chris. Seeing examples of working configurations is very helpful.

al

--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov

________________________________________
From: Chris Woods
Sent: Wednesday, January 13, 2021 8:30 AM
To: midPoint General Discussion; Jason Everling
Cc: Al Lilianstrom
Subject: RE: [midPoint] Importing AD groups as roles

Hi Al,

sorry for the delay - here's a snippet from our AD configuration - there is,
however, probably quite a lot of stuff that you don't need in there.

Regards,
Chris

-----Original Message-----
From: midPoint On Behalf Of Al Lilianstrom via midPoint
Sent: Monday, January 11, 2021 7:47 PM
To: Jason Everling; midPoint General Discussion
Cc: Al Lilianstrom
Subject: *EXT* [Newsletter] Re: [midPoint] Importing AD groups as roles

Hi Jason,

Thank you for the explanation and the sample. Cleared some things up in my
head. Huge step forward. I was able to get a small number of groups to
import as roles.
Next error to resolve is midPoint wanting to move all of the groups to the
same OU rather than leave them where they exist in AD. No doubt it's in the
outbound expression for the group - just need to understand what I need to do.

Thanks again,

al

--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov

________________________________________
From: Jason Everling
Sent: Monday, January 11, 2021 10:06 AM
To: Al Lilianstrom; midPoint General Discussion
Subject: RE: [midPoint] Importing AD groups as roles

Since you had these types of values mixed before: anything with "c:" in the
attribute name will be an attribute that is part of midPoint's built-in
schema; on the other hand, "ri:" will be an attribute that is part of your
resource. You might use the below for correlation, the midPoint schema
"name" field will match your AD "cn" attribute:

c:name
$shadow/attributes/ri:cn

From: Jason Everling
Sent: Monday, January 11, 2021 9:14 AM
To: Al Lilianstrom; midPoint General Discussion
Subject: RE: [midPoint] Importing AD groups as roles

I think it might be your correlation, you are specifying c:dn but that's not
a valid midPoint attribute. I don't know how you are using it, everyone has
it set up, naming, differently, but the needs to be a midPoint attribute,
like maybe if you are mapping "cn" to the role "name" field you would use
"c:name".

From: Al Lilianstrom
Sent: Friday, January 8, 2021 12:51 PM
To: Jason Everling; midPoint General Discussion
Subject: Re: [midPoint] Importing AD groups as roles

Hi Jason,

It looks like this:

Group sync
ri:group
entitlement
group
RoleType
true
c:dn
$shadow/attributes/cn
linked
true
deleted
https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_model_action-2D3-23unlink&d=DwIGaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=7THUCNewBBYxI8MLI-ivudtNZN5vG2jVhGkUxoyCLxo&s=rSU2brjCk1RN5OkTYx7ImGUGkkBNVOlUWP39urBPUqY&e=
unlinked
https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_model_action-2D3-23link&d=DwIGaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=7THUCNewBBYxI8MLI-ivudtNZN5vG2jVhGkUxoyCLxo&s=f1N1kooRCKLD63TVXCGPhFQlACjM0pShNCXLUlrUty4&e=
unmatched

--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov

________________________________________
From: Jason Everling
Sent: Friday, January 8, 2021 10:41 AM
To: midPoint General Discussion
Cc: Al Lilianstrom
Subject: RE: [midPoint] Importing AD groups as roles

So "name" is a midPoint attribute; the association section needs attributes
that exist in AD, so for sure "ri:name" is not valid, it should be "ri:dn".
What is your object synchronization section for actions?

From: Al Lilianstrom via midPoint
Sent: Friday, January 8, 2021 10:27 AM
To: midPoint General Discussion
Cc: Al Lilianstrom
Subject: Re: [midPoint] Importing AD groups as roles

Hi Jason,

I've tried a couple of different attributes there. Name as it's in the doc I
referenced below and dn as it's in the same from your org in github. Same
results. Shadow created but no role. No error that I've been able to find.

This is what the shadow object looks like. Any clues there as to what I
might be missing?
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
oid="ae7c73f6-82cf-4776-89a2-9cb099bbcabb" version="1">
CN=TestSync1,OU=midPoint,DC=fermistart,DC=fnal,DC=local
2021-01-08T09:48:37.057-06:00
2021-01-08T09:48:37.057-06:00
ri:group
4d011362-4f8e-4b77-ad8f-257bd2f9338e
entitlement
true
cn=testsync1,ou=midpoint,dc=fermistart,dc=fnal,dc=local
4d011362-4f8e-4b77-ad8f-257bd2f9338e

al

--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov

________________________________________
From: Jason Everling
Sent: Thursday, January 7, 2021 1:49 PM
To: midPoint General Discussion; chris at cmwoods.com
Cc: Al Lilianstrom
Subject: RE: [midPoint] Importing AD groups as roles

From what I can see so far, pretty sure you need to use 'ri:dn' for
'shortcutValueAttribute' and 'valueAttribute'.

From: Al Lilianstrom via midPoint
Sent: Thursday, January 7, 2021 1:20 PM
To: chris at cmwoods.com; midPoint General Discussion
Cc: Al Lilianstrom
Subject: Re: [midPoint] Importing AD groups as roles

Hi Chris,

Thanks for the response. I have the inbound mapping and association defined.

ri:group
AD Group Membership
entitlement
group
objectToSubject
ri:member
ri:name
ri:memberOf
ri:name
false
entitlement
group
AD Group
true
ri:group
ri:cn
mr:stringIgnoreCase
$focus/name
...

I'd really appreciate an example. Please send it when you have a chance on
Monday.
al

--
Al Lilianstrom
Authentication Services
Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov

________________________________________
From: chris at cmwoods.com
Sent: Thursday, January 7, 2021 11:44 AM
To: midPoint General Discussion
Cc: Al Lilianstrom
Subject: Re: [midPoint] Importing AD groups as roles

Hi Al,

the importing as a role is not defined in the task. You have to define that
in an inbound mapping in an association in your resource schema handling.
For AD it also gets more complicated due to nested groups - if you want roles
as members of roles in midPoint. I am back at work on Monday and can send you
an example if you like.

Regards,
Chris

January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint" wrote:

> Still struggling with this. Given up on importing the existing groups
> as roles for now. Using
> https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.evolveum.com_display_midPoint_Active-2BDirectory-2BGroup-2BSynchronization-2BHOWTO&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=qzlO4VhAsDjofkMBBzEIVXfh548pEhTobTb4-k4Iw8A&e=
> as a guide I verified that my configuration for the AD resource matched
> the guide.
> I then created the task for syncing groups:
>
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
> xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
> Synchronization: Active Directory Groups
> xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">entitlement
> runnable
> https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_model_synchronization_task_live-2Dsync_handler-2D&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=Pq5GOOAao17jRFm3GE-ojdVS-MYluBMNYXFDy_DHQvk&e=
> type="c:ResourceType"/>
> recurring
> tight
> 5
>
> Task runs without errors.
>
> I then created a group. The task picked up the group and added it as a
> shadow.
>
> From this line in the document "When new group is created, it appears
> in midPoint as a new entitlement shadow and a role." I expected a role to
> be created.
>
> Am I misunderstanding the document or missing something in the task?
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> http://www.fnal.gov
> lilstrom at fnal.gov
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=ZJ5Xkl5mnRIijyiycMv8NSCIutNVsI7Ms85zGDzPAGk&e=

From radovan.semancik at evolveum.com Thu Jan 21 18:58:02 2021
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 21 Jan 2021 18:58:02 +0100
Subject: [midPoint] Blog: MidPoint Scalability Survey
Message-ID:

Dear midPoint community,

Last year we started the midScale project.
The goal of this project is to significantly improve midPoint scalability
and performance, which means that the project is about to bring substantial
changes in midPoint. As some of those changes affect the community in
numerous ways, we would like to gather feedback from the midPoint community
to help make the best possible decisions. Enter the midScale plans survey.

An essential part of the midScale project deals with the midPoint repository
– our main database. We are focusing primarily on PostgreSQL, but we are
wondering how we should support other databases in the future. We would more
than appreciate your opinions, which will help us make the best decision for
future midPoint development. There are also questions about auditing, as we
feel we have to make improvements in this area as well. And then we are
curious about the platforms that you use to run midPoint.

This survey is designed mostly for engineers and similar people dealing with
technology. Please take the survey by accessing the following URL:

https://evolveum.limequery.net/561656

The survey will take approx. 15-30 minutes to complete. The survey is
anonymous, it will not track you in any way. All questions are optional. You
are free to choose how much data you share with us.

Thank you in advance for participating in the survey. Opinions of the
midPoint community are very important for us. The results of the survey will
guide the future development of midPoint.

(Reposted from Evolveum blog)

--
Radovan Semancik
Software Architect
evolveum.com

From vito.carpentieri at gmail.com Fri Jan 22 08:11:36 2021
From: vito.carpentieri at gmail.com (Vito Antonio Carpentieri)
Date: Fri, 22 Jan 2021 08:11:36 +0100
Subject: [midPoint] LdapNetworkConnection - Connection reset by peer
Message-ID:

Hi guys,

I installed midPoint 4.1 as a standalone server and I created an LDAP
resource using the embedded LDAP connector 3.0.
Now, I am trying to connect to a Directory Server behind a load balancer with
the idletimeout attribute set. I noticed that, when a task runs after an
"idletimeout" amount of time from the last one, it turns into suspended
status. Reading the log (see below), I found a connection error. It sounds
like, if there is a time of inactivity longer than the idletimeout value, the
server sends an ECONNRESET response to midPoint and the connection is not
reopened.

Could you tell me where my mistake is? Has anybody dealt with this issue yet?
Do any settings exist to avoid this error?

Best regards
Vito

LOG

2021-01-12 12:24:25,039 [] [NioProcessor-2] WARN (org.apache.directory.ldap.client.api.LdapNetworkConnection): Connection reset by peer
java.io.IOException: Connection reset by peer
    at java.base/sun.nio.ch.FileDispatcherImpl.read0(Native Method)
    at java.base/sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
    at java.base/sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:276)
    at java.base/sun.nio.ch.IOUtil.read(IOUtil.java:245)
    at java.base/sun.nio.ch.IOUtil.read(IOUtil.java:223)
    at java.base/sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:358)
    at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:378)
    at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:47)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:519)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
2021-01-12 12:24:25,040 [] [http-nio-8080-exec-9] ERROR (com.evolveum.polygon.connector.ldap.search.DefaultSearchStrategy): method: null msg:LDAP error during search: protocolError: PROTOCOL_ERROR: The server will disconnect! (2)

From alexandre.zia at ifood.com.br Mon Jan 25 23:09:13 2021
From: alexandre.zia at ifood.com.br (Alexandre Zia)
Date: Mon, 25 Jan 2021 19:09:13 -0300
Subject: [midPoint] 4.2 GUI search multiple objects
Message-ID:

In midPoint 4.1 and older, when you searched in the GUI there was a plus
button (+) that allowed you to type several terms at once.

e.g. Users -> All Users, click on 'Name', type john, click on plus (+) to add
a new edit box, type mary; then you could search multiple terms.

But in 4.2 there's an edit box now, and as far as I can tell, no way to type
several terms to search.

This is not optimal; is there a way to restore the old way?

Regards,

--
Alexandre R Zia
Security
www.ifood.com.br

From vera at evolveum.com Tue Jan 26 13:32:09 2021
From: vera at evolveum.com (Evolveum Marketing)
Date: Tue, 26 Jan 2021 13:32:09 +0100
Subject: [midPoint] Upcoming Training Courses at Evolveum
Message-ID: <0bb2792d-9cf9-ddd7-fe5c-aca45586a4a5@evolveum.com>

Dear midPoint community,

We hope your 2021 is going well so far.
If the holiday season left you hungry for wisdom, you are more than welcome
to join our MidPoint Advanced Customization training taking place on
February 15:
https://evolveum.com/training-and-certification/midpoint-advanced-customization-february-2021-online/

If you are rather interested in getting some basic provisioning configuration
skills, do not miss the MidPoint Deployment Fundamentals training starting on
March 22:
https://evolveum.com/training-and-certification/midpoint-deployment-fundamentals-march-2021-us-time-zone-online/

See you in the online class!

--
Veronika Kolpascikova
Marketing Specialist
evolveum.com

From Chris.Woods at rohde-schwarz.com Tue Jan 26 16:55:34 2021
From: Chris.Woods at rohde-schwarz.com (Chris Woods)
Date: Tue, 26 Jan 2021 15:55:34 +0000
Subject: [midPoint] Strange AD errors with LDAP connector
Message-ID:

Hi,

I get the following message repeated in our log file:

2021-01-26 14:55:15,813 [] [Thread-32] WARN (com.evolveum.polygon.connector.ldap.search.DefaultSearchStrategy): method: null msg:Got unexpected response: MessageType : SEARCH_RESULT_REFERENCE Message ID : 32 Search Result Reference References 'ldaps://DomainDnsZones.idm.test/DC=DomainDnsZones,DC=idm,DC=test'
2021-01-26 14:55:15,813 [] [Thread-32] WARN (com.evolveum.polygon.connector.ldap.search.DefaultSearchStrategy): method: null msg:Got unexpected response: MessageType : SEARCH_RESULT_REFERENCE Message ID : 32 Search Result Reference References 'ldaps://idm.test/CN=Configuration,DC=idm,DC=test'
2021-01-26 14:55:15,823 [] [Thread-33] WARN (com.evolveum.polygon.connector.ldap.search.DefaultSearchStrategy): method: null msg:Got unexpected response: MessageType : SEARCH_RESULT_REFERENCE Message ID : 33 Search Result Reference References 'ldaps://ForestDnsZones.idm.test/DC=ForestDnsZones,DC=idm,DC=test'
2021-01-26 14:55:15,823 [] [Thread-33] WARN (com.evolveum.polygon.connector.ldap.search.DefaultSearchStrategy): method: null msg:Got unexpected response: MessageType : SEARCH_RESULT_REFERENCE Message ID : 33 Search Result Reference References 'ldaps://DomainDnsZones.idm.test/DC=DomainDnsZones,DC=idm,DC=test'
2021-01-26 14:55:15,823 [] [Thread-33] WARN (com.evolveum.polygon.connector.ldap.search.DefaultSearchStrategy): method: null msg:Got unexpected response: MessageType : SEARCH_RESULT_REFERENCE Message ID : 33 Search Result Reference References 'ldaps://idm.test/CN=Configuration,DC=idm,DC=test'

Does anyone know what could be causing this?

Thanks in advance!

Regards,
Chris

CHRIS WOODS
Identity Management
Information and Business Technology

Rohde & Schwarz GmbH & Co. KG
Mühldorfstraße 15 | 81671 München
Telefon: +49 89 4129 15735
Internet: https://www.rohde-schwarz.com

Content provided within this e-mail including any attachments, is for the
use of the intended recipients and may contain Rohde & Schwarz company
restricted information. Any unauthorized use, disclosure, or distribution of
this communication in whole or in part is strictly prohibited. If you are not
the intended recipient, please notify the sender by reply email or by
telephone and delete the communication in its entirety.

From vera at evolveum.com Wed Jan 27 16:07:51 2021
From: vera at evolveum.com (Evolveum Marketing)
Date: Wed, 27 Jan 2021 16:07:51 +0100
Subject: [midPoint] Docker Images and Screencasts for You
In-Reply-To: <47fb15ae-4ee7-f461-fab3-1db8491a4770@evolveum.com>
References: <47fb15ae-4ee7-f461-fab3-1db8491a4770@evolveum.com>
Message-ID: <1c7b59d1-264b-b960-7204-930b3dc036ac@evolveum.com>

Dear midPoint community,

From time to time everyone needs some help. Sometimes it is enough just to
get answers, and for these cases the wiki is a great source of information.
Other times it is not enough, as we need to understand the problem more
deeply in order to move forward. It has already been a few years since the
Book – and I really mean to write a capital B – called "Practical Identity
Management With MidPoint" started from a blank page, and it is still growing
and growing (many thanks to Radovan and all other contributors for the great
work and for a lot of time spent on it). If you never saw it, I would
recommend it – at least for fast reading, as a great structured source of
information helping to understand some relations and consequences connected
to the topic in general and of course also in relation to midPoint.

Even if we have a great static source of information available, it could
still be not enough. Sometimes we need to see it – or even better – we need
to try it. And when we want to try something, the ideal situation is when we
can just run it without installation and simply remove / delete it once done
while keeping the system clean. The Docker environment is ideal for it.

For this purpose we have prepared Alpine based Docker images. It is a little
bit optimized with Docker specifics in mind, so in comparison with the
original Ubuntu based midPoint Docker images, which have been available for
some time already, we are at 1/3 of the size (the compressed image has around
320 MB).

Based on this Alpine image with midPoint we have also prepared Docker-compose
files (directory: book) covering some chapters of the Book and using the
sample files already mentioned in the Book. The goal was set to only do the
necessary changes to the sample files in order to demonstrate that it is
really working. An example of a necessary change is to change the host from
localhost to the name of the container. The chapter environment is composed
to have a working application with predefined things so your focus may be
directly on the subject of the chapters (e.g.
import an account from the resource, provision to the resource, create the role, set the object template). As the backend for the application data, PostgreSQL version 13 is used. Resource interaction is demonstrated with PostgreSQL and OpenLDAP.

The default version of midPoint in the Docker compose file is set to 4.2. There are also other Alpine based images available, which can be used instead of 4.2. In case you prefer a demonstration on other supported versions, the available tags are latest-alpine, 4.2support-alpine, 4.2-alpine, 4.1support-alpine, 4.1-alpine, 4.0support-alpine and 4.0.2-alpine. You can use them to try any processed chapter of the Book, or you can easily use them to test any other use cases with some demo objects and already set up resources.

As we were preparing working Docker environments we decided to add something special, which was one of our Christmas gifts for the community – the screencasts. For all the chapters available as docker-compose we made short casts to show it. We finalized the post-production processing of 3 recorded videos. You can use them to visualize the Book if you prefer this form of information. Feel free to share them in order to show how easy it can be for anyone who wants to know things but doesn’t have enough time to go through the Book or to try it by themselves (e.g. friends, colleagues, boss).

We have spent extra time to prepare this additional source of information, and we will be happy if it helps you to better understand the topic or save some time in your activities related to the great midPoint application.

(Written by Kamil Jireš, Identity Engineer at Evolveum. Reposted from the Evolveum blog.)

--
Veronika Kolpascikova
Marketing Specialist
evolveum.com
From radovan.semancik at evolveum.com Thu Jan 28 18:30:39 2021
From: radovan.semancik at evolveum.com (Radovan Semancik)
Date: Thu, 28 Jan 2021 18:30:39 +0100
Subject: [midPoint] MidPoint 4.0.3 "Gutenberg" Update 3 released
Message-ID:

Dear midPoint community,

The Evolveum team is proud to announce the release of midPoint version 4.0.3.

Release 4.0.3 is the thirty-fourth midPoint release. It is the third maintenance update for the 4.0.x version family, code-named Gutenberg. The 4.0.x is a long-term support (LTS) version family. The 4.0.3 release brings bugfixes and minor improvements. For more information about the 4.0.3 release please see the release notes at https://wiki.evolveum.com/display/midPoint/Release+4.0.3

We would like to express special thanks to all midPoint subscribers, partners, supporters and especially the contributors. The Evolveum team would like to express many thanks for your interest, feedback and contributions.

--
Radovan Semancik
Software Architect
evolveum.com

From klevalley2 at davenport.edu Thu Jan 28 21:41:56 2021
From: klevalley2 at davenport.edu (Keith LeValley)
Date: Thu, 28 Jan 2021 15:41:56 -0500
Subject: [midPoint] Adding attributes using inducements
Message-ID:

Good afternoon,

I am trying to add an inducement to my metarole where any role assigned to it will get the attribute" true line. Intuitively it seems I would just be able to do something like:

true

but this gives me an error... Any help would be greatly appreciated, google is failing me this morning.

--
Keith LeValley
Identity Services Architect, Davenport University
phone: (616) 732-1102
klevalley2 at davenport.edu
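An added example, not taken from Keith's message or from the midPoint project: a metarole whose inducement writes a constant attribute value to the accounts of every user holding a role that has this metarole assigned. It assumes the standard midPoint construction/attribute/outbound syntax; the resource OID, the attribute name ri:exampleFlag and the intent are placeholders.

```xml
<!-- Constructed example; the OID, attribute name and intent are placeholders,
     and ri:exampleFlag must exist in the resource schema for this to work. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>example-metarole</name>
    <inducement>
        <!-- order 2: the construction is applied to the users who hold a role
             that has this metarole assigned, not to the role objects themselves -->
        <order>2</order>
        <construction>
            <resourceRef oid="00000000-0000-0000-0000-PLACEHOLDER00" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <attribute>
                <!-- the attribute is referenced by its resource-schema name (ri: prefix) -->
                <ref>ri:exampleFlag</ref>
                <outbound>
                    <!-- a literal value has to sit inside an outbound expression;
                         a bare value element outside this wrapper is not accepted -->
                    <expression>
                        <value>true</value>
                    </expression>
                </outbound>
            </attribute>
        </construction>
    </inducement>
</role>
```

Order 1 instead of 2 would apply the construction to the role objects that hold the metarole rather than to the users assigned those roles.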
From jeverling at bshp.edu Thu Jan 28 21:49:16 2021
From: jeverling at bshp.edu (Jason Everling)
Date: Thu, 28 Jan 2021 14:49:16 -0600
Subject: [midPoint] Adding attributes using inducements
In-Reply-To:
References:
Message-ID: <3A86731F-804F-47B5-9608-2CA2CE8D2BE3@hxcore.ol>

An HTML attachment was scrubbed...

From jeverling at bshp.edu Thu Jan 28 21:54:46 2021
From: jeverling at bshp.edu (Jason Everling)
Date: Thu, 28 Jan 2021 14:54:46 -0600
Subject: [midPoint] Adding attributes using inducements
In-Reply-To: <3A86731F-804F-47B5-9608-2CA2CE8D2BE3@hxcore.ol>
References: , <3A86731F-804F-47B5-9608-2CA2CE8D2BE3@hxcore.ol>
Message-ID: <70A96A19-66F8-4E89-BB56-77718DCC3E13@hxcore.ol>

An HTML attachment was scrubbed...