[midPoint] LDAP Role not unassigned when validTo is reached

Patrik Sidler patrik.sidler at itconcepts.ch
Mon Dec 12 14:19:46 CET 2022


Hi Ivan, Pascal,

Thank you for your help.
I have implemented your proposals and it works.

Regards,
Patrik

From: midPoint <midpoint-bounces at lists.evolveum.com> On behalf of Ivan Noris via midPoint
Sent: Wednesday, 7 December 2022 11:58
To: midpoint at lists.evolveum.com
Cc: Ivan Noris <ivan.noris at evolveum.com>
Subject: Re: [midPoint] LDAP Role not unassigned when validTo is reached


Hi Patrik,

please note that even if validTo is exceeded, the role itself will not be unassigned. Just the assignment of the role will be inactive. Whatever the role does will be "undone".

... but in this case, I think you need to set tolerant=false in the schema handling - if the role provides associations, then you need to configure it there. That's just the page mentioned by Pascal. (https://docs.evolveum.com/midpoint/reference/resources/entitlements/#entitlement-membership-removal for the reference)

Before you set tolerance to false, you should be sure there are no other groups than provided by midPoint.

Best regards,

Ivan
On 7. 12. 2022 8:58, Patrik Sidler via midPoint wrote:
Hi All,

I am having a problem with an LDAP Role that does not get unassigned when validTo is reached.
The role assignment on the particular user changes its effectiveStatus to disabled (because validTo is reached), but the role will not be unassigned and therefore the user is still a member of the LDAP Group.

What do I have to configure so that the Role is unassigned when validTo is reached?
I am working with midPoint 4.6 by the way.


My LDAP Role:
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="f2906bc1-4b33-4bf1-9233-981614e70195" version="8">
    <name>cn=biouser,cn=groups,cn=accounts,dc=dsone-dev,dc=aspectra,dc=net</name>
    <assignment id="1">
        <metadata>
            <createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#import</createChannel>
            <originMappingName>Metarole LDAP Group Assignment</originMappingName>
        </metadata>
        <targetRef oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6" relation="org:default" type="c:RoleType">
            <!-- Metarole LDAP Group Assignment -->
        </targetRef>
        <activation>
            <effectiveStatus>enabled</effectiveStatus>
        </activation>
    </assignment>
    <assignment id="2">
        <metadata>
            <createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#import</createChannel>
            <originMappingName>Metarole Line Manager Approval</originMappingName>
        </metadata>
        <targetRef oid="cee649ee-8764-47e3-847b-c9f7155bcfe3" relation="org:default" type="c:RoleType">
            <!-- Metarole Line Manager Approval -->
        </targetRef>
        <activation>
            <effectiveStatus>enabled</effectiveStatus>
        </activation>
    </assignment>
    <roleMembershipRef oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6" relation="org:default" type="c:RoleType">
        <!-- Metarole LDAP Group Assignment -->
    </roleMembershipRef>
    <roleMembershipRef oid="cee649ee-8764-47e3-847b-c9f7155bcfe3" relation="org:default" type="c:RoleType">
        <!-- Metarole Line Manager Approval -->
    </roleMembershipRef>
    <linkRef oid="a7e0ac25-cd8c-4387-9ebb-6fc961549d7a" relation="org:default" type="c:ShadowType">
        <!-- cn=defaultuser,cn=groups,cn=accounts,dc=env-dev,dc=customer,dc=net -->
    </linkRef>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
        <enableTimestamp>2022-11-23T16:26:51.664+01:00</enableTimestamp>
    </activation>
    <displayName>defaultuser</displayName>
    <identifier>jira-notification</identifier>
    <requestable>true</requestable>
</role>

My LDAP Group Add MetaRole:
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6" version="21">
    <name>Metarole LDAP Group Assignment</name>
    <description>Assign this Meta Role to all LDAP Group Roles, that can be assigned to users.</description>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
        <enableTimestamp>2022-11-15T11:23:42.723+01:00</enableTimestamp>
    </activation>
    <displayName>Metarole: assign Users to LDAP Group</displayName>
    <inducement id="12">
        <description>Inducement to add the User to the correct LDAP Group and to create an account as a projection of user having assigned a LDAP Group Role with this metarole.</description>
        <construction>
            <description>Creates an account for user, and associates with group created for the Role assigned to the user.</description>
            <strength>weak</strength>
            <resourceRef oid="31f3b90c-7b4d-4320-9964-3f46a3e75cf2" relation="org:default" type="c:ResourceType">
                <!-- LDAP -->
            </resourceRef>
            <kind>account</kind>
            <intent>ldapAccount</intent>
            <association id="14">
                <ref>ri:ldapGroupMember</ref>
                <outbound>
                    <strength>strong</strength>
                    <source>
                        <path>$focusAssignment/targetRef</path>
                    </source>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                                <kind>entitlement</kind>
                                <intent>ldapGroup</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
        <focusType>UserType</focusType>
    </inducement>
    <inducement id="11">
        <description>Inducement to add the User to the correct LDAP Group</description>
        <construction>
            <description>Creates an object (group) for organization</description>
            <resourceRef oid="31f3b90c-7b4d-4320-9964-3f46a3e75cf2" relation="org:default" type="c:ResourceType">
                <!-- LDAP -->
            </resourceRef>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
        </construction>
    </inducement>
</role>

Thank you in advance for your help.

Regards
Patrik Sidler ITConcepts






--
Ivan Noris
Expert Identity Engineer
evolveum.com
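The setting Ivan's reply points to lives in the resource's schemaHandling, not in the role. The fragment below is an added example (not taken from the thread or from the poster's configuration) of the ri:ldapGroupMember association declared non-tolerant for the ldapAccount object type; the object class names, the ri:member / ri:dn attribute names and the default flag are assumptions to be adjusted to the actual resource.

```xml
<!-- Added example: schemaHandling fragment of the LDAP resource.
     With tolerant=false, once the role assignment becomes inactive
     (validTo reached) midPoint removes the group membership the
     assignment had provisioned instead of leaving it in place.
     Object classes, attribute names and <default> are assumptions. -->
<schemaHandling xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <objectType>
        <kind>account</kind>
        <intent>ldapAccount</intent>
        <default>true</default>
        <objectClass>ri:inetOrgPerson</objectClass>
        <association>
            <ref>ri:ldapGroupMember</ref>
            <displayName>LDAP group membership</displayName>
            <!-- Non-tolerant: midPoint enforces exactly the memberships it
                 computes. Memberships it did not provide are removed too, so
                 confirm no other source manages these groups before enabling. -->
            <tolerant>false</tolerant>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <!-- Membership is stored on the group (member attribute) and
                 refers to the account by its DN. -->
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
            <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
        </association>
    </objectType>
    <objectType>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
        <objectClass>ri:groupOfNames</objectClass>
    </objectType>
</schemaHandling>
```

Before switching to tolerant=false, reconcile the accounts once and review the resulting deltas: any group membership not produced by a midPoint assignment will be removed on the next recompute.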