[Midpoint-dev] Inducement updates are not propagated to User after reconciliation
Ivan Noris
ivan.noris at evolveum.com
Tue Feb 3 09:27:58 CET 2015
.. I have just checked your sample once again. You DO have
strength=strong for inducement mapping, I was looking a few lines above
to the assignments part.
Can you please check anyway, if the strength is still there (using
Configuration - Repository objects) and if your testing scenario is
somehow different from mine?
Thanks,
Ivan
On 02/03/2015 09:23 AM, Ivan Noris wrote:
> Hi Anand,
>
> I have experimented a little with similar setup.
>
> First, I took one of my customer roles, which work. I added two
> attribute mappings to the role construction for OpenDJ resource, such as:
>
> <attribute>
>     <ref>ri:preferredLanguage</ref>
>     <outbound>
>         <strength>strong</strength>
>         <expression>
>             <value>sk</value>
>         </expression>
>     </outbound>
> </attribute>
>
> <attribute>
>     <ref>ri:carLicense</ref>
>     <outbound>
>         <strength>strong</strength>
>         <expression>
>             <value>XXX</value>
>         </expression>
>     </outbound>
> </attribute>
>
> I already had a user with this role assigned, so after I
> reimported the role definition (because I had changed the XML file with
> my role), I edited the user, checked the "reconcile" checkbox, and
> saved. After saving, the user surely had both attributes
> (preferredLanguage and carLicense) set to the predefined values. Before
> the save, the values were not defined for that OpenDJ account, as
> they were never part of that role before.
>
> Next I edited the role again through Configure - Repository objects
> and changed the values (e.g. preferredLanguage to "en" and carLicense
> to "YYY"). Then I edited the same user and checked "reconcile"
> checkbox and saved. After saving, the preferredLanguage was set to
> "en" and carLicense had two values (both the original and the new
> "YYY" because it's multivalue field).
>
> Later I just made another change in the attribute value and it still
> worked.
>
> So it seems to be working as it should. *But*, while testing, I
> discovered https://jira.evolveum.com/browse/MID-2194. The symptom is
> as follows: whenever you edit role through GUI, the strength for
> attributes is lost. It's enough just to edit+save role using Role
> editor. Configure - Repository objects (XML editor) is fine.
>
> When I look at your role export, there is *no strength* for any of the
> attributes in outbound mappings. I believe it might be caused by the
> bug I've just reported. So please, either edit the role using
> Repository objects XML editor until we fix it; or please create the
> roles as XML files and import them to midPoint. It should be ok if you
> export your existing roles and fix them in XML files and then reimport.
>
> Best regards,
> Ivan
>
> On 02/02/2015 04:24 PM, Anand Kothekar wrote:
>> Hi,
>>
>> As per our discussion I tried to give the <strength> tag in the role but it
>> didn't work for me.
>>
>> Basically we had two host attribute values in inducement and member
>> user also had the same host membership, then after modifying the
>> inducement I reconciled the user but no change in host attribute of
>> user's ldap account.
>>
>> I have attached the sample role xml, please have a look and let me
>> know if I am doing anything wrong.
>>
>>
>>
>> Thanks,
>> Anand Kothekar
>>
>>
>>
>> On Fri, Jan 23, 2015 at 3:15 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>>
>> Hi Anand,
>>
>> please see inline:
>>
>> On 01/23/2015 06:17 AM, Anand Kothekar wrote:
>>> Hi Ivan
>>>
>>> First of all Ldap connector supports Auxiliary object classes. I
>>> have tested it and it works for me.
>>>
>>> Secondly, The host attribute is defined in resource schema and I
>>> have added it in Schema Handling but i do not have any outbound
>>> mapping right now (quite usual for our requirement, most of the
>>> resources have such attributes that cannot be mapped to any
>>> focal object in midpoint).
>>>
>>> Is it possible that i can map whatever user has entered (instead
>>> of mapping the host or any other attribute to midpoint's focal
>>> object) to target resource attribute in outbound mapping.
>>
>> If user enters the value in the form, you don't need mappings.
>> Mapping are used to set the target attribute value according to
>> some other attribute value or expression.
>>
>> Some example:
>> If you need to copy user/givenName attribute value to LDAP's sn
>> attribute, you need outbound mapping in resource schema handling.
>> If you need to generate LDAP's sn attribute value by taking
>> user/givenName attribute value and (for example) lowercase all
>> attributes and remove diacritics, you need outbound mapping in
>> resource schema handling.
>> If you want the user to set the LDAP's host attribute to
>> user-defined-value, i.e. in the GUI form, manually, you don't
>> need any mapping for this attribute. If user enters the value
>> manually, provisioning will store the value to the resource. It
>> is NOT remembered in midPoint. There is no expression how to
>> derive the value, thus no mapping. And midPoint has no way of
>> forcing the attribute value to contain the user defined value
>> during the reconciliation, because the user defined value is
>> stored only on LDAP, not in midPoint. When outbound mappings are
>> used, the target attribute value can be derived from some source
>> attribute(s)/expressions, so midPoint can enforce these values.
>>
>> Maybe there is another way how to achieve what you need if I
>> understand it correctly. Define an extended attribute in User (by
>> extending schema) and let the user set/modify this extended
>> attribute. Then you can have schema handling mapping in resource,
>> and you can thus use strong mapping strength.
>>
>> Best regards,
>> Ivan
>>
>>
>>>
>>> What my concern is, there is no way in the UI to set the strength, and
>>> doing it at policy level is quite unmanageable (the resource is one
>>> but inducements will be thousands).
>>>
>>> So just to summarize
>>> - we want this to be done at resource level.
>>>
>>> - i think it is achievable if we can define outbound
>>> mapping so that user entered value is mapped to target
>>> attribute.
>>>
>>>
>>> Thanks
>>> Anand
>>>
>>>
>>> On Thu, Jan 22, 2015 at 8:36 PM, Ivan Noris
>>> <ivan.noris at evolveum.com> wrote:
>>>
>>> Hi,
>>>
>>> as you have the mapping in role, not in resource, you should
>>> have the mapping set as strong for "host" attribute in *all*
>>> applicable roles (that are setting this attribute).
>>>
>>> There will be no configuration in resource, because there is
>>> no mapping for that attribute at the resource level. The
>>> strength always applies to the mapping definition.
>>>
>>> You mentioned that this is auxiliary object class. Not sure
>>> if the LDAP connector supports such classes...
>>>
>>> Regards,
>>> I.
>>>
>>>
>>> On 01/22/2015 03:49 PM, Anand Kothekar wrote:
>>>> Hi,
>>>>
>>>> Yes, the host attribute will be entered by the user who is
>>>> managing the midpoint or it will be populated in inducement
>>>> of a role by our custom code . It will never be automated
>>>> to get the value from any focus object like User.
>>>>
>>>>
>>>> Thanks
>>>> Anand
>>>>
>>>>
>>>>
>>>> On Thu, Jan 22, 2015 at 7:56 PM, Ivan Noris
>>>> <ivan.noris at evolveum.com> wrote:
>>>>
>>>> Hi Anand,
>>>>
>>>> can you please be more precise about "value entered by
>>>> user"?
>>>> Do you mean that the host and/or(?) description
>>>> attributes are expected to be managed by the user who
>>>> is editing the user in midPoint, on the right side of
>>>> User details in Accounts part? Are these expected to be
>>>> set always explicitly by the user? No automation from
>>>> midpoint user attributes?
>>>>
>>>> Thanks,
>>>> I.
>>>>
>>>>
>>>> On 01/22/2015 02:03 PM, Anand Kothekar wrote:
>>>>> Hi Ivan,
>>>>>
>>>>> Thanks for your inputs.
>>>>>
>>>>> I tried it by adding this constraint in inducement
>>>>> itself and it worked but I want to do this at resource
>>>>> level.
>>>>>
>>>>> I tried adding the same in the resource, but the thing is I
>>>>> do not have any outbound mapping defined for these
>>>>> attributes (as I use the value entered by the user); now
>>>>> if I add only the strength property in outbound it gives
>>>>> me an Error.
>>>>>
>>>>> Can you help me with pointing to the right kind of
>>>>> mapping I need to do.
>>>>>
>>>>> Here is the host attribute snippet from my resource:
>>>>> <attribute>
>>>>>     <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:host</ref>
>>>>>     <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>>>>>     <outbound>
>>>>>         <strength>strong</strength>
>>>>>     </outbound>
>>>>> </attribute>
>>>>>
>>>>> I need to know how I can map value entered by user.
>>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Anand Kothekar
>>>>>
>>>>>
>>>>> On Thu, Jan 22, 2015 at 5:52 PM, Ivan Noris
>>>>> <ivan.noris at evolveum.com> wrote:
>>>>>
>>>>> Hi Anand,
>>>>>
>>>>> can you please define the mappings for description
>>>>> and host attributes as strong?
>>>>>
>>>>> Something like:
>>>>>
>>>>> <attribute>
>>>>>     <ref>ri:description</ref>
>>>>>     <outbound>
>>>>>         <strength>strong</strength>
>>>>>         . . .
>>>>>     </outbound>
>>>>> </attribute>
>>>>> Then run the reconciliation again please.
>>>>>
>>>>> If you already have this configured and it does
>>>>> not work, please share the attribute mappings here.
>>>>>
>>>>> Regards,
>>>>> I.
>>>>>
>>>>>
>>>>> On 01/20/2015 11:15 AM, Anand Kothekar wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have been playing around with role inducements
>>>>>> and found some issue, need some quick help as
>>>>>> inducements are quite important for our solution.
>>>>>>
>>>>>> _Issue:_ Inducement updates are not propagated
>>>>>> properly to User after reconciliation.
>>>>>>
>>>>>> _Details:_ When a user is assigned a role having
>>>>>> a resource inducement, the User gets appropriate
>>>>>> accounts and induced group memberships. But
>>>>>> changes to some attributes in role inducements are
>>>>>> not propagated after reconciling the User.
>>>>>>
>>>>>> _Steps Followed:_
>>>>>> - I added an ldap resource inducement in a
>>>>>> new Role. I provided some attributes
>>>>>> like LdapGroups, Host, and description.
>>>>>> - User is assigned to this Role. User gets the
>>>>>> ldap account, appropriate group memberships and
>>>>>> other attributes specified in inducement (i.e.
>>>>>> description, host (multivalued attribute from an
>>>>>> Auxiliary object class)). So all good till now.
>>>>>> - Now I updated the Resource inducement for
>>>>>> example changed the description, added few
>>>>>> groups, added few host.
>>>>>> - After inducement modification I reconciled the
>>>>>> User, and following are the results:
>>>>>>
>>>>>> - Group membership is updated appropriately.
>>>>>>
>>>>>> - Description is not updated
>>>>>>
>>>>>> - host attribute is not updated
>>>>>>
>>>>>>
>>>>>> Can you guys please check and let me know if I am
>>>>>> doing something wrong or is it a problem
>>>>>> somewhere in my resource or some other issue with
>>>>>> midpoint system.
>>>>>>
>>>>>> Regards
>>>>>> Anand Kothekar
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint-dev mailing list
>>>>>> midPoint-dev at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint-dev
>>>>>
>>>>> --
>>>>> Ing. Ivan Noris
>>>>> Senior Identity Management Engineer
>>>>> evolveum.com evolveum.com/blog/
>>>>> _____________________________________________
>>>>> "Semper Id(e)M Vix."
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
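Added example, not part of the thread and not midPoint's own sample configuration: the resource-level alternative Ivan describes above (a user extension property plus a strong outbound mapping in the resource schemaHandling), so that the host value is stored in midPoint and can be enforced during reconciliation instead of living only on LDAP. The extension namespace http://example.com/xml/ns/midpoint/ext, the prefix ext and the property name host are assumptions; the midPoint elements used (a:extension, strength, tolerant, source/expression path) are the standard midPoint 3.x ones.

```xml
<!-- (1) Schema extension for UserType: a multivalued "host" property.
     Once the value is held here, midPoint has an authoritative source to
     compare the LDAP attribute against on reconcile. The namespace and the
     property name are assumptions for this example. -->
<xsd:schema elementFormDefault="qualified"
            targetNamespace="http://example.com/xml/ns/midpoint/ext"
            xmlns:tns="http://example.com/xml/ns/midpoint/ext"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <xsd:complexType name="UserExtensionType">
        <xsd:annotation>
            <xsd:appinfo>
                <a:extension ref="c:UserType"/>
            </xsd:appinfo>
        </xsd:annotation>
        <xsd:sequence>
            <xsd:element name="host" type="xsd:string" minOccurs="0" maxOccurs="unbounded">
                <xsd:annotation>
                    <xsd:appinfo>
                        <a:displayName>Host</a:displayName>
                        <a:indexed>true</a:indexed>
                    </xsd:appinfo>
                </xsd:annotation>
            </xsd:element>
        </xsd:sequence>
    </xsd:complexType>
</xsd:schema>

<!-- (2) Resource schemaHandling fragment for the LDAP account object type.
     This is the same ri:host attribute as in the thread, but now with a real
     outbound mapping (source + expression), which is what the bare
     <strength> element was missing. -->
<attribute xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
           xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3"
           xmlns:ext="http://example.com/xml/ns/midpoint/ext">
    <ref>ri:host</ref>
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <!-- tolerant=false: values on the account that no mapping produces are
         removed on reconcile. The default is true, which only adds the
         mapped values and leaves any other values on the account alone. -->
    <tolerant>false</tolerant>
    <outbound>
        <!-- strong: enforced on every recompute/reconcile, not only when the
             source changes (normal) or when the target is empty (weak). -->
        <strength>strong</strength>
        <source>
            <path>$user/extension/ext:host</path>
        </source>
        <expression>
            <path>$user/extension/ext:host</path>
        </expression>
    </outbound>
</attribute>
```

The administrator then edits the user's extension property in the User form rather than the account attribute directly; the mapping above copies it to LDAP, and because it is strong, a later reconcile recomputes and re-applies it. The tolerant setting is also what explains the carLicense observation earlier in this thread: with the default (tolerant) behaviour a strong mapping adds its new value but does not remove the old one, so a multivalued attribute keeps both.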