[midPoint] LDAP Role not unassigned when validTo is reached
Pascal PERICHON
pascal.perichon at u-paris.fr
Wed Dec 7 11:47:09 CET 2022
Hi again ;)
validTo is just validTo: it enables or disables things, but it does not destroy
the thing (maybe you like to disable a thing but keep it).
Check here:
https://docs.evolveum.com/midpoint/reference/resources/entitlements/#entitlement-membership-removal
or maybe... Did you add some rules for your group in your LDAP resource
file? Something with "activation"/"existence" like:
<resource>
  ...
  <schemaHandling>
    ...
    <objectType>
      <kind>entitlement</kind>
      <intent>group</intent>
      <description>My LDAP Group</description>
      <objectClass>ri:groupOfNames</objectClass>
      ...
      <activation>
        <existence>
          <outbound>
            <strength>weak</strength>
            <source>
              <!-- effectiveStatus lives under activation in the focus object -->
              <c:path>$focus/activation/effectiveStatus</c:path>
            </source>
            <expression>
              <c:script>
                <c:code>
                  // the code that decides whether to suppress the association or not;
                  // returning false suppresses it
                  if (myCondition) return false;
                  return true;
                </c:code>
              </c:script>
            </expression>
          </outbound>
        </existence>
      </activation>
      ...
    </objectType>
    ...
  </schemaHandling>
  ...
</resource>
Best regards
-------
*Pascal PÉRICHON*
Direction des systèmes d'information et du numérique
Université Paris Cité
On 07/12/2022 at 08:58, Patrik Sidler via midPoint wrote:
>
> Hi All,
>
> I am having a problem with an LDAP Role that does not get unassigned when
> the validTo is reached.
>
> The role assignment on the particular user changes its effectiveStatus
> to disabled (because validTo is reached), but the role will not be
> unassigned and therefore the user is still member of the LDAP Group.
>
> What do I have to configure so that the Role will be unassigned when
> validTo is reached?
>
> I am working with midPoint 4.6 by the way.
>
> *My LDAP Role:*
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       oid="f2906bc1-4b33-4bf1-9233-981614e70195" version="8">
>   <name>cn=biouser,cn=groups,cn=accounts,dc=dsone-dev,dc=aspectra,dc=net</name>
>   <assignment id="1">
>     <metadata>
>       <createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#import</createChannel>
>       <originMappingName>Metarole LDAP Group Assignment</originMappingName>
>     </metadata>
>     <targetRef oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6" relation="org:default" type="c:RoleType">
>       <!-- Metarole LDAP Group Assignment -->
>     </targetRef>
>     <activation>
>       <effectiveStatus>enabled</effectiveStatus>
>     </activation>
>   </assignment>
>   <assignment id="2">
>     <metadata>
>       <createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#import</createChannel>
>       <originMappingName>Metarole Line Manager Approval</originMappingName>
>     </metadata>
>     <targetRef oid="cee649ee-8764-47e3-847b-c9f7155bcfe3" relation="org:default" type="c:RoleType">
>       <!-- Metarole Line Manager Approval -->
>     </targetRef>
>     <activation>
>       <effectiveStatus>enabled</effectiveStatus>
>     </activation>
>   </assignment>
>   <roleMembershipRef oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6" relation="org:default" type="c:RoleType">
>     <!-- Metarole LDAP Group Assignment -->
>   </roleMembershipRef>
>   <roleMembershipRef oid="cee649ee-8764-47e3-847b-c9f7155bcfe3" relation="org:default" type="c:RoleType">
>     <!-- Metarole Line Manager Approval -->
>   </roleMembershipRef>
>   <linkRef oid="a7e0ac25-cd8c-4387-9ebb-6fc961549d7a" relation="org:default" type="c:ShadowType">
>     <!-- cn=defaultuser,cn=groups,cn=accounts,dc=env-dev,dc=customer,dc=net -->
>   </linkRef>
>   <activation>
>     <effectiveStatus>enabled</effectiveStatus>
>     <enableTimestamp>2022-11-23T16:26:51.664+01:00</enableTimestamp>
>   </activation>
>   <displayName>defaultuser</displayName>
>   <identifier>jira-notification</identifier>
>   <requestable>true</requestable>
> </role>
>
> *My LDAP Group Add MetaRole:*
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6" version="21">
>   <name>Metarole LDAP Group Assignment</name>
>   <description>Assign this Meta Role to all LDAP Group Roles, that can be assigned to users.</description>
>   <activation>
>     <effectiveStatus>enabled</effectiveStatus>
>     <enableTimestamp>2022-11-15T11:23:42.723+01:00</enableTimestamp>
>   </activation>
>   <displayName>Metarole: assign Users to LDAP Group</displayName>
>   <inducement id="12">
>     <description>Inducement to add the User to the correct LDAP Group and to create an account as a projection of user having assigned a LDAP Group Role with this metarole.</description>
>     <construction>
>       <description>Creates an account for user, and associates with group created for the Role assigned to the user.</description>
>       <strength>weak</strength>
>       <resourceRef oid="31f3b90c-7b4d-4320-9964-3f46a3e75cf2" relation="org:default" type="c:ResourceType">
>         <!-- LDAP -->
>       </resourceRef>
>       <kind>account</kind>
>       <intent>ldapAccount</intent>
>       <association id="14">
>         <ref>ri:ldapGroupMember</ref>
>         <outbound>
>           <strength>strong</strength>
>           <source>
>             <path>$focusAssignment/targetRef</path>
>           </source>
>           <expression>
>             <associationFromLink>
>               <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>                 <kind>entitlement</kind>
>                 <intent>ldapGroup</intent>
>               </projectionDiscriminator>
>             </associationFromLink>
>           </expression>
>         </outbound>
>       </association>
>     </construction>
>     <order>2</order>
>     <focusType>UserType</focusType>
>   </inducement>
>   <inducement id="11">
>     <description>Inducement to add the User to the correct LDAP Group</description>
>     <construction>
>       <description>Creates an object (group) for organization</description>
>       <resourceRef oid="31f3b90c-7b4d-4320-9964-3f46a3e75cf2" relation="org:default" type="c:ResourceType">
>         <!-- LDAP -->
>       </resourceRef>
>       <kind>entitlement</kind>
>       <intent>ldapGroup</intent>
>     </construction>
>   </inducement>
> </role>
>
> Thank you in advance for your help.
>
> Regards
>
> Patrik Sidler ITConcepts
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
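The failure mode in this thread (an assignment past its validTo while the user is still a member of the LDAP group) is the kind of stale entitlement worth catching with a check that does not rely on midPoint's own view. The script below is an added example written for this page; it is not midPoint or Evolveum code and does not use the midPoint API. It recomputes assignment validity from validFrom/validTo in a midPoint user export and compares the result with an LDIF dump of the groupOfNames entry, reporting every member whose grant is missing or lapsed. The role OID and group DN are those of the role posted above; the users (alice, bob, carol), their OIDs, the cn=users,cn=accounts account base and the inclusive treatment of the validity bounds are assumptions, and both inputs are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Added example, not midPoint code. ROLE_OID and GROUP_DN come from the role posted
# in the thread; user names, user OIDs and the ACCOUNT_BASE layout are hypothetical.
C_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
C = {"c": C_NS}
ROLE_OID = "f2906bc1-4b33-4bf1-9233-981614e70195"
GROUP_DN = "cn=biouser,cn=groups,cn=accounts,dc=dsone-dev,dc=aspectra,dc=net"
ROLE_TO_GROUP = {ROLE_OID: GROUP_DN}  # role OID -> the LDAP group that role represents
ACCOUNT_BASE = "cn=users,cn=accounts,dc=dsone-dev,dc=aspectra,dc=net"
NOW = datetime(2022, 12, 7, 10, 0, tzinfo=timezone.utc)  # date of the thread

# Constructed midPoint user export (same common-3 schema as the posted role):
# alice's assignment has passed its validTo, bob's is inside its validity window.
USERS_XML = f"""<objects xmlns="{C_NS}" xmlns:c="{C_NS}">
  <user oid="11111111-1111-1111-1111-111111111111"><name>alice</name>
    <assignment id="1"><targetRef oid="{ROLE_OID}" type="c:RoleType"/>
      <activation><validTo>2022-11-30T23:59:59+01:00</validTo>
      <effectiveStatus>disabled</effectiveStatus></activation></assignment></user>
  <user oid="22222222-2222-2222-2222-222222222222"><name>bob</name>
    <assignment id="1"><targetRef oid="{ROLE_OID}" type="c:RoleType"/>
      <activation><validFrom>2022-11-01T00:00:00+01:00</validFrom>
      <effectiveStatus>enabled</effectiveStatus></activation></assignment></user>
</objects>"""

# Constructed LDIF dump of the group. carol has no midPoint user at all; her value is
# folded over two lines the way LDIF exports wrap long attribute values.
GROUP_LDIF = f"""dn: {GROUP_DN}
objectClass: groupOfNames
cn: biouser
member: uid=alice,{ACCOUNT_BASE}
member: uid=bob,{ACCOUNT_BASE}
member: uid=carol,cn=users,cn=accounts,dc=dsone-dev,dc=aspe
 ctra,dc=net
"""


def parse_ldif_groups(ldif: str) -> Dict[str, Set[str]]:
    """Return {group DN: set of member DNs}, unfolding LDIF continuation lines."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:  # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    groups: Dict[str, Set[str]] = {}
    dn, members = "", set()
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if dn:
                groups[dn] = members
            dn, members = "", set()
        elif line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("member:"):
            members.add(line[7:].strip())
    return groups


def valid_role_oids(user: ET.Element, now: datetime) -> Set[str]:
    """OIDs of roles held through an assignment whose validity window contains `now`."""
    # Validity is recomputed from validFrom/validTo (bounds treated as inclusive, an
    # assumption) rather than trusting the effectiveStatus that midPoint stored.
    oids = set()
    for a in user.findall("c:assignment", C):
        ref = a.find("c:targetRef", C)
        oid = ref.get("oid") if ref is not None else None
        vf = a.findtext("c:activation/c:validFrom", namespaces=C)
        vt = a.findtext("c:activation/c:validTo", namespaces=C)
        if not oid:
            continue
        if vf and datetime.fromisoformat(vf.strip()) > now:
            continue  # not yet valid
        if vt and datetime.fromisoformat(vt.strip()) < now:
            continue  # validTo reached: the grant has lapsed
        oids.add(oid)
    return oids


def stale_members(users_xml: str, ldif: str, now: datetime) -> List[Tuple[str, str, str]]:
    """Members of midPoint-managed groups whose midPoint grant is missing or lapsed."""
    granted: Dict[str, Set[str]] = {}  # account DN -> groups backed by a valid assignment
    for user in ET.fromstring(users_xml).findall("c:user", C):
        dn = f"uid={user.findtext('c:name', namespaces=C)},{ACCOUNT_BASE}"
        granted[dn] = {ROLE_TO_GROUP[o] for o in valid_role_oids(user, now) if o in ROLE_TO_GROUP}
    findings = []
    for group_dn, members in parse_ldif_groups(ldif).items():
        if group_dn not in ROLE_TO_GROUP.values():
            continue  # group not managed by midPoint: out of scope
        for m in sorted(members):
            if group_dn in granted.get(m, set()):
                continue  # membership is backed by a currently valid assignment
            reason = "no valid midPoint assignment" if m in granted else "no midPoint user"
            findings.append((group_dn, m, reason))
    return findings


def run_check() -> List[Tuple[str, str, str]]:
    """Run the check on the constructed inputs at the thread's date."""
    return stale_members(USERS_XML, GROUP_LDIF, NOW)
```

On the constructed inputs, `run_check()` flags alice (assignment lapsed on 2022-11-30) and carol (no midPoint user), and is silent about bob. In a real deployment the two inputs would be a midPoint user export and the group entry from an LDAP search; anything the script lists is a membership that has outlived its authorization and should either be reconciled or, if you deliberately disable rather than remove (Pascal's point above), be consciously accepted.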