[Midpoint-dev] Inducement updates are not propagated to User after reconciliation

Ivan Noris ivan.noris at evolveum.com
Thu Feb 5 14:25:32 CET 2015


Hi Anand,

for Scenario 1, please try this:

<attribute>
  <ref xmlns:qn546="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn546:host</ref>
  <tolerant>false</tolerant>
  <outbound>
    <strength>strong</strength>
    <expression>
      <value>host1</value>
      <value>host2</value>
      <!-- <value>host3</value> -->
    </expression>
  </outbound>
</attribute>

This will tell midPoint that when reconciling, all values not
provisioned by midPoint should be removed.
The default is tolerant=true, so midPoint can add/remove values when changes
are processed.

I'm thinking about Scenario 2 and will let you know.

Regards,
Ivan



>
> Adding new attributes is working fine, but when you try to delete any
> of the attributes, it's not getting reflected in LDAP.
>
>
> Scenario 1:
>
>   1. Role1 had an OpenLDAP account as an inducement. The induced
> account also had the attributes host1, host2, host3.
>
>   2. Now Role1 was assigned to a user, and the user got the OpenLDAP
> account as well as host1, host2, host3 as expected. The entry was
> added in LDAP also.
>
>   3. <attribute>
>        <ref xmlns:qn546="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn546:host</ref>
>        <outbound>
>          <strength>strong</strength>
>          <expression>
>            <value>host1</value>
>            <value>host2</value>
>            <value>host3</value>
>          </expression>
>        </outbound>
>      </attribute>
>
>
>   4. The host3 attribute was deleted from the Role1 XML and the user
> reconciled. The <strength> tag was still present.
>
>   5. The host3 attribute was not removed from LDAP.
>
>   6. The host3 attribute is not getting deleted from the OpenLDAP
> account (in midPoint) which the user got due to the inducement. If we
> try to remove the attribute from the OpenLDAP account, the attribute
> is getting deleted from LDAP as well.
>
>
>
> Scenario 2:
>
>   1. Role1 has an LDAP account with attributes host1, host2, host3 as
> an inducement.
>
>   2. And Role2 has Role1 as an inducement.
>
>   3. Role2 is then assigned to the user.
>
>   4. The user gets all the host attributes as well as the OpenLDAP
> account with attributes host1, host2, host3.
>
>   5. Now when you unassign Role1 from Role2 and reconcile the user,
> the LDAP account (in midPoint) is not getting removed and the
> attributes host1, host2, host3 are still present on the user.
>
> Please assist me with the proper solution.
>
>
>
> Regards
> Anand Kothekar
>
>
>
> On Tue, Feb 3, 2015 at 1:57 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
>     .. I have just checked your sample once again. You DO have
>     strength=strong for the inducement mapping; I was looking a few lines
>     above, at the assignments part.
>
>     Can you please check anyway, if the strength is still there (using
>     Configuration - Repository objects) and if your testing scenario
>     is somehow different from mine?
>
>     Thanks,
>     Ivan
>
>
>     On 02/03/2015 09:23 AM, Ivan Noris wrote:
>>     Hi Anand,
>>
>>     I have experimented a little with similar setup.
>>
>>     First, I took one of my customer roles, which work. I added two
>>     attribute mappings to the role construction for OpenDJ resource,
>>     such as:
>>
>>     <attribute>
>>       <ref>ri:preferredLanguage</ref>
>>       <outbound>
>>         *<strength>strong</strength>*
>>         <expression>
>>           <value>sk</value>
>>         </expression>
>>       </outbound>
>>     </attribute>
>>
>>     <attribute>
>>       <ref>ri:carLicense</ref>
>>       <outbound>
>>         *<strength>strong</strength>*
>>         <expression>
>>           <value>XXX</value>
>>         </expression>
>>       </outbound>
>>     </attribute>
>>
>>     I already had a user with this role assigned, so after I
>>     reimported the role definition (because I'd changed the XML file
>>     with my role), I edited the user, checked the "reconcile"
>>     checkbox, and saved. After saving, the user surely had both
>>     attributes (preferredLanguage and carLicense) set to the predefined
>>     values. Before the save, the values were not defined for that
>>     OpenDJ account, as they were never part of that role before.
>>
>>     Next I edited the role again through Configure - Repository
>>     objects and changed the values (e.g. preferredLanguage to "en"
>>     and carLicense to "YYY"). Then I edited the same user and checked
>>     "reconcile" checkbox and saved. After saving, the
>>     preferredLanguage was set to "en" and carLicense had two values
>>     (both the original and the new "YYY" because it's multivalue field).
>>
>>     Later I just made another change in the attribute value and it
>>     still worked.
>>
>>     So it seems to be working as it should. *But*, while testing, I
>>     discovered https://jira.evolveum.com/browse/MID-2194. The symptom
>>     is as follows: whenever you edit a role through the GUI, the strength
>>     for attributes is lost. It's enough just to edit and save a role using
>>     the Role editor. Configure - Repository objects (XML editor) is fine.
>>
>>     When I look at your role export, there is *no strength* for any
>>     of the attributes in outbound mappings. I believe it might be
>>     caused by the bug I've just reported. So please, either edit the
>>     role using Repository objects XML editor until we fix it; or
>>     please create the roles as XML files and import them to midPoint.
>>     It should be ok if you export your existing roles and fix them in
>>     XML files and then reimport.
>>
>>     Best regards,
>>     Ivan
>>
>>     On 02/02/2015 04:24 PM, Anand Kothekar wrote:
>>>     Hi,
>>>
>>>     As per our discussion I tried to give the <strength> tag in the role, but
>>>     it didn't work for me.
>>>
>>>     Basically we had two host attribute values in inducement and
>>>     member user also had the same host membership, then after
>>>     modifying the inducement I reconciled the user but no change in
>>>     host attribute of user's ldap account.
>>>
>>>     I have attached the sample role xml, please have a look and let
>>>     me know if I am doing anything wrong.
>>>
>>>
>>>
>>>     Thanks,
>>>     Anand Kothekar
>>>
>>>
>>>
>>>     On Fri, Jan 23, 2015 at 3:15 PM, Ivan Noris
>>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>>
>>>         Hi Anand,
>>>
>>>         please see inline:
>>>
>>>         On 01/23/2015 06:17 AM, Anand Kothekar wrote:
>>>>         Hi Ivan
>>>>
>>>>         First of all, the LDAP connector supports auxiliary object
>>>>         classes. I have tested it and it works for me.
>>>>
>>>>         Secondly, the host attribute is defined in the resource schema
>>>>         and I have added it in Schema Handling, but I do not have
>>>>         any outbound mapping right now (quite usual for our
>>>>         requirement; most of the resources have such attributes
>>>>         that cannot be mapped to any focal object in midPoint).
>>>>
>>>>         Is it possible that I can map whatever the user has entered
>>>>         (instead of mapping the host or any other attribute to
>>>>         midPoint's focal object) to the target resource attribute in
>>>>         an outbound mapping?
>>>
>>>         If the user enters the value in the form, you don't need mappings.
>>>         Mappings are used to set the target attribute value according
>>>         to some other attribute value or expression.
>>>
>>>         Some example:
>>>         If you need to copy user/givenName attribute value to LDAP's
>>>         sn attribute, you need outbound mapping in resource schema
>>>         handling.
>>>         If you need to generate LDAP's sn attribute value by taking
>>>         user/givenName attribute value and (for example) lowercase
>>>         all attributes and remove diacritics, you need outbound
>>>         mapping in resource schema handling.
>>>         If you want the user to set the LDAP's host attribute to
>>>         user-defined-value, i.e. in the GUI form, manually, you
>>>         don't need any mapping for this attribute. If user enters
>>>         the value manually, provisioning will store the value to the
>>>         resource. It is NOT remembered in midPoint. There is no
>>>         expression how to derive the value, thus no mapping. And
>>>         midPoint has no way of forcing the attribute value to
>>>         contain the user defined value during the reconciliation,
>>>         because the user defined value is stored only on LDAP, not
>>>         in midPoint. When outbound mappings are used, the target
>>>         attribute value can be derived from some source
>>>         attribute(s)/expressions, so midPoint can enforce these values.
>>>
>>>         Maybe there is another way to achieve what you need, if I
>>>         understand it correctly. Define an extended attribute in
>>>         User (by extending schema) and let the user set/modify this
>>>         extended attribute. Then you can have schema handling
>>>         mapping in resource, and you can thus use strong mapping
>>>         strength.
>>>
>>>         Best regards,
>>>         Ivan
>>>
>>>
>>>>
>>>>         My concern is that there is no way in the UI to set the
>>>>         strength, and doing it at policy level is quite
>>>>         unmanageable (there is one resource but there will be
>>>>         thousands of inducements).
>>>>
>>>>         So just to summarize:
>>>>         - we want this to be done at resource level.
>>>>
>>>>           - I think it is achievable if we can define an outbound
>>>>             mapping so that the user-entered value is mapped to the
>>>>             target attribute.
>>>>
>>>>
>>>>         Thanks
>>>>         Anand
>>>>
>>>>
>>>>         On Thu, Jan 22, 2015 at 8:36 PM, Ivan Noris
>>>>         <ivan.noris at evolveum.com> wrote:
>>>>
>>>>             Hi,
>>>>
>>>>             as you have the mapping in role, not in resource, you
>>>>             should have the mapping set as strong for "host"
>>>>             attribute in *all* applicable roles (that are setting
>>>>             this attribute).
>>>>
>>>>             There will be no configuration in resource, because
>>>>             there is no mapping for that attribute at the resource
>>>>             level. The strength always applies to the mapping
>>>>             definition.
>>>>
>>>>             You mentioned that this is auxiliary object class. Not
>>>>             sure if the LDAP connector supports such classes...
>>>>
>>>>             Regards,
>>>>             I.
>>>>
>>>>
>>>>             On 01/22/2015 03:49 PM, Anand Kothekar wrote:
>>>>>             Hi,
>>>>>
>>>>>             Yes, the host attribute will be entered by the user
>>>>>             who is managing midPoint, or it will be populated
>>>>>             in the inducement of a role by our custom code. It will
>>>>>             never be automated to get the value from any focus
>>>>>             object like User.
>>>>>
>>>>>
>>>>>             Thanks
>>>>>             Anand
>>>>>
>>>>>
>>>>>
>>>>>             On Thu, Jan 22, 2015 at 7:56 PM, Ivan Noris
>>>>>             <ivan.noris at evolveum.com> wrote:
>>>>>
>>>>>                 Hi Anand,
>>>>>
>>>>>                 can you please be more precise about "value
>>>>>                 entered by user"?
>>>>>                 Do you mean that the host and/or(?) description
>>>>>                 attributes are expected to be managed by the user
>>>>>                 who is editing the user in midPoint, on the right
>>>>>                 side of User details in Accounts part? Are these
>>>>>                 expected to be set always explicitly by the user?
>>>>>                 No automation from midpoint user attributes?
>>>>>
>>>>>                 Thanks,
>>>>>                 I.
>>>>>
>>>>>
>>>>>                 On 01/22/2015 02:03 PM, Anand Kothekar wrote:
>>>>>>                 Hi Ivan, 
>>>>>>
>>>>>>                 Thanks for your inputs.
>>>>>>
>>>>>>                 I tried it by adding this constraint in the
>>>>>>                 inducement itself and it worked, but I want to do
>>>>>>                 this at resource level.
>>>>>>
>>>>>>                 I tried adding the same in the resource, but the thing
>>>>>>                 is I do not have any outbound mapping defined for
>>>>>>                 these attributes (as I use the value entered by the
>>>>>>                 user). Now if I add only the strength property in
>>>>>>                 outbound, it gives me an error.
>>>>>>
>>>>>>                 Can you help me by pointing to the right kind
>>>>>>                 of mapping I need to do?
>>>>>>
>>>>>>                 Here is the host attribute snippet from my resource:
>>>>>>
>>>>>>                 <attribute>
>>>>>>                   <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:host</ref>
>>>>>>                   <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>>>>>>                   <outbound>
>>>>>>                     <strength>strong</strength>
>>>>>>                   </outbound>
>>>>>>                 </attribute>
>>>>>>
>>>>>>                 I need to know how I can map value entered by user.
>>>>>>
>>>>>>
>>>>>>
>>>>>>                 Thanks,
>>>>>>                 Anand Kothekar
>>>>>>
>>>>>>
>>>>>>                 On Thu, Jan 22, 2015 at 5:52 PM, Ivan Noris
>>>>>>                 <ivan.noris at evolveum.com> wrote:
>>>>>>
>>>>>>                     Hi Anand,
>>>>>>
>>>>>>                     can you please define the mappings for
>>>>>>                     description and host attributes as strong?
>>>>>>
>>>>>>                     Something like:
>>>>>>
>>>>>>                     <attribute>
>>>>>>                       <ref>ri:description</ref>
>>>>>>                       <outbound>
>>>>>>                         <strength>strong</strength>
>>>>>>                         . . .
>>>>>>                       </outbound>
>>>>>>                     </attribute>
>>>>>>
>>>>>>                     Then run the reconciliation again please.
>>>>>>
>>>>>>                     If you already have this configured and it
>>>>>>                     does not work, please share the attribute
>>>>>>                     mappings here.
>>>>>>
>>>>>>                     Regards,
>>>>>>                     I.
>>>>>>
>>>>>>
>>>>>>                     On 01/20/2015 11:15 AM, Anand Kothekar wrote:
>>>>>>>                     Hi,
>>>>>>>
>>>>>>>                     I have been playing around with role
>>>>>>>                     inducements and found some issue; I need some
>>>>>>>                     quick help, as inducements are quite
>>>>>>>                     important for our solution.
>>>>>>>
>>>>>>>                     Issue: Inducement updates are not
>>>>>>>                     propagated properly to User after
>>>>>>>                     reconciliation.
>>>>>>>
>>>>>>>                     Details: When a user is assigned a role
>>>>>>>                     having a resource inducement, the user gets the
>>>>>>>                     appropriate accounts and induced group
>>>>>>>                     memberships. Now, changes to some attributes in
>>>>>>>                     the role inducements are not propagated after
>>>>>>>                     reconciling the user.
>>>>>>>
>>>>>>>                     Steps Followed:
>>>>>>>                     - I added an LDAP resource inducement in a
>>>>>>>                     new Role. I provided some attributes
>>>>>>>                     like LdapGroups, Host, and description.
>>>>>>>                     - The user is assigned to this Role. The user gets
>>>>>>>                     the LDAP account, appropriate group
>>>>>>>                     memberships and other attributes specified
>>>>>>>                     in the inducement (i.e. description,
>>>>>>>                     host (a multivalued attribute from an
>>>>>>>                     auxiliary object class)). So all good till now.
>>>>>>>                     - Now I updated the resource inducement, for
>>>>>>>                     example changed the description, added a few
>>>>>>>                     groups, added a few hosts.
>>>>>>>                     - After the inducement modification I reconciled
>>>>>>>                     the user, and following are the results:
>>>>>>>
>>>>>>>                         - Group membership is updated appropriately.
>>>>>>>
>>>>>>>                         - Description is not updated
>>>>>>>
>>>>>>>                         - host attribute is not updated
>>>>>>>
>>>>>>>
>>>>>>>                     Can you guys please check and let me know if
>>>>>>>                     I am doing something wrong, or if it is a
>>>>>>>                     problem somewhere in my resource or some
>>>>>>>                     other issue with the midPoint system.
>>>>>>>
>>>>>>>                     Regards
>>>>>>>                     Anand Kothekar
>>>>>>>
>>>>>>>
>>>>>>>                     _______________________________________________
>>>>>>>                     midPoint-dev mailing list
>>>>>>>                     midPoint-dev at lists.evolveum.com
>>>>>>>                     http://lists.evolveum.com/mailman/listinfo/midpoint-dev
>>>>>>
>>>>>>                     -- 
>>>>>>                       Ing. Ivan Noris
>>>>>>                       Senior Identity Management Engineer
>>>>>>                       evolveum.com <http://evolveum.com>     evolveum.com/blog/ <http://evolveum.com/blog/>
>>>>>>                       _____________________________________________
>>>>>>                       "Semper Id(e)M Vix."
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
>
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

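The tolerant/strength behaviour Ivan describes at the top of this message, together with Anand's two scenarios, modelled as an added example (Python, not midPoint's own code): it resolves inducements through the role graph and computes the delta a reconciliation would apply to one account. The semantics are deliberately reduced to what the thread states (only strong mappings are enforced on reconciliation; tolerant=false removes values the mappings did not produce; an account with no remaining construction is surplus); the names, data shapes and sample values are this example's own assumptions.

```python
"""Toy model of the reconciliation behaviour discussed in this thread.

Added example, not midPoint code. Modelled only on what the thread states:
  * assigned roles induce constructions, possibly via other roles
    (Role2 -> Role1 -> LDAP construction);
  * only "strong" outbound mappings are enforced on reconciliation (a mapping
    that lost its strength left stale values in LDAP);
  * tolerant=false on a resource attribute removes every value the mappings
    did not produce; tolerant=true (the default) leaves such values alone.
Role, Construction, reconcile_account etc. are this example's own names.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Mapping:
    strength: str            # "strong", "normal" or "weak"
    values: FrozenSet[str]   # literal <value> elements of the mapping


@dataclass
class Construction:
    resource: str                  # resource the induced account lives on
    mappings: Dict[str, Mapping]   # attribute name -> outbound mapping


@dataclass
class Role:
    name: str
    induced_roles: List[str] = field(default_factory=list)
    constructions: List[Construction] = field(default_factory=list)


def induced_constructions(roles: Dict[str, Role], assigned: List[str]) -> List[Construction]:
    """Collect every construction reachable through the inducement graph (cycle-safe)."""
    seen: Set[str] = set()
    found: List[Construction] = []
    stack = list(assigned)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        found.extend(roles[name].constructions)
        stack.extend(roles[name].induced_roles)
    return found


Delta = Tuple[Set[str], Set[str]]   # (values to add, values to delete)


def reconcile_account(resource: str, tolerant: Dict[str, bool],
                      current: Dict[str, Set[str]],
                      constructions: List[Construction]) -> Tuple[bool, Dict[str, Delta]]:
    """Return (account should exist, per-attribute deltas) for one resource account."""
    mine = [c for c in constructions if c.resource == resource]
    if not mine:
        # Nothing induces this account any more (Scenario 2 after the unlink):
        # the account itself is surplus, so attribute deltas are moot.
        return False, {}
    enforced: Dict[str, Set[str]] = {}
    for c in mine:
        for attr, m in c.mappings.items():
            if m.strength == "strong":
                enforced.setdefault(attr, set()).update(m.values)
    deltas: Dict[str, Delta] = {}
    for attr in set(current) | set(enforced):
        have = current.get(attr, set())
        want = enforced.get(attr, set())
        add = want - have
        # Only an intolerant attribute sheds values midPoint did not produce;
        # attributes not listed in `tolerant` keep the default tolerant=true.
        delete = (have - want) if not tolerant.get(attr, True) else set()
        if add or delete:
            deltas[attr] = (add, delete)
    return True, deltas


# Constructed sample: Scenario 1 after host3 was dropped from Role1. The
# description mapping has no strength (what the GUI bug MID-2194 produces).
ROLES: Dict[str, Role] = {
    "Role1": Role("Role1", constructions=[Construction("openldap", {
        "host": Mapping("strong", frozenset({"host1", "host2"})),
        "description": Mapping("normal", frozenset({"new text"})),
    })]),
    "Role2": Role("Role2", induced_roles=["Role1"]),
}
LDAP_NOW: Dict[str, Set[str]] = {"host": {"host1", "host2", "host3"},
                                 "description": {"old text"}}


def scenario1(tolerant_host: bool) -> Tuple[bool, Dict[str, Delta]]:
    """Role1 directly assigned; host attribute tolerant or not."""
    cons = induced_constructions(ROLES, ["Role1"])
    return reconcile_account("openldap", {"host": tolerant_host}, LDAP_NOW, cons)


def scenario2_after_unlink() -> Tuple[bool, Dict[str, Delta]]:
    """Role2 assigned, but Role2 no longer induces Role1."""
    roles = dict(ROLES)
    roles["Role2"] = Role("Role2")          # inducement of Role1 removed
    cons = induced_constructions(roles, ["Role2"])
    return reconcile_account("openldap", {"host": False}, LDAP_NOW, cons)


if __name__ == "__main__":
    print(scenario1(True))            # host3 survives: the symptom reported
    print(scenario1(False))           # host3 deleted; description still stale
    print(scenario2_after_unlink())   # account has no source left
```

With the host attribute tolerant, the model reproduces the reported symptom (host3 stays on the LDAP entry after reconciliation); with tolerant=false the reconciliation deletes it. The description stays stale in both runs because its mapping is not strong, which is the earlier finding in the thread. A stale value or account that outlives the role that granted it is exactly the access-review finding an intolerant attribute and strong mappings are meant to prevent.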