[Midpoint-dev] Inducement updates are not propagated to User after reconciliation
Ivan Noris
ivan.noris at evolveum.com
Thu Feb 5 14:25:32 CET 2015
Hi Anand,
for Scenario 1, please try this:
<attribute>
    <ref xmlns:qn546="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn546:host</ref>
    <tolerant>false</tolerant>
    <outbound>
        <strength>strong</strength>
        <expression>
            <value>host1</value>
            <value>host2</value>
            <!-- <value>host3</value> -->
        </expression>
    </outbound>
</attribute>
This will tell midpoint that when reconciling, all values not
provisioned by midPoint should be removed.
Default is tolerant=true, so midPoint can add/remove values when changes
are processed.
I'm thinking about Scenario 2 and will let you know.
Regards,
Ivan
>
> Adding new attributes is working fine but when you try to delete any
> of the attributes it's not getting reflected in Ldap.
>
>
> *_Scenario 1_* :-
>
> 1. Role1 was having Open Ldap account as an Inducement. Induced
> Account was also having attributes host1,host2,host3.
>
> 2. Now Role1 was assigned to an User and user got the Open Ldap
> Account as well as the host1,host2,host3 as expected. Entry added in
> Ldap also.
>
> 3. <attribute>
> <ref
> xmlns:qn546="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn546:host</ref>
> <outbound>
> <strength>strong</strength>
> <expression>
> <value>host1</value>
> <value>host2</value>
> <value>host3</value>
> </expression>
> </outbound>
> </attribute>
>
>
> 4. host3 attribute deleted from Role1 xml And User
> reconciled. <strength> tag was still present.
>
> 5. host3 attribute not removed from the Ldap.
>
> 6. host 3 attribute is not getting deleted from OpenLdap
> account (midpoint) which user got due to inducement. if we try to
> remove the attribute from OpenLdap account, attribute is getting
> deleted from ldap as well.
>
>
>
> *_Scenario 2_* :-
>
> 1. Role1 has Ldap account with attributes host1,host2,host3
> as inducement.
>
> 2. And Role2 has Role1 as an inducement.
>
> 3. Role2 is then assigned to User.
>
> 4. User gets all the host attributes as well as OpenLdap A/c
> with attributes host1,host2,host3.
>
> 5. Now when you unassign Role1 from Role2 and reconcile User,
> Ldap a/c (midpoint) is not getting removed and attribute
> host1,host2,host3 are still present to User.
>
>
> Please assist me with the proper solution.
>
>
>
> Regards
> Anand Kothekar
>
>
>
> On Tue, Feb 3, 2015 at 1:57 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
> .. I have just checked your sample once again. You DO have
> strength=strong for inducement mapping, I was looking a few lines
> above to the assignments part.
>
> Can you please check anyway, if the strength is still there (using
> Configuration - Repository objects) and if your testing scenario
> is somehow different from mine?
>
> Thanks,
> Ivan
>
>
> On 02/03/2015 09:23 AM, Ivan Noris wrote:
>> Hi Anand,
>>
>> I have experimented a little with similar setup.
>>
>> First, I took one of my customer roles, which work. I added two
>> attribute mappings to the role construction for OpenDJ resource,
>> such as:
>>
>> <attribute>
>> <ref>ri:preferredLanguage</ref>
>> <outbound>
>> <strength>strong</strength>
>> <expression>
>> <value>sk</value>
>> </expression>
>> </outbound>
>> </attribute>
>>
>> <attribute>
>> <ref>ri:carLicense</ref>
>> <outbound>
>> <strength>strong</strength>
>> <expression>
>> <value>XXX</value>
>> </expression>
>> </outbound>
>> </attribute>
>>
>> I already had a user with this role assigned, so after I
>> reimported the role definition (because I've changed the XML file
>> with my role), I edited the user, checked the "reconcile"
>> checkbox, and saved. After saving, the user surely had both
>> attributes (preferredLanguage and carLicense) set to the predefined
>> values. Before the save, the values were not defined for that
>> OpenDJ account, as they were never part of that role before.
>>
>> Next I edited the role again through Configure - Repository
>> objects and changed the values (e.g. preferredLanguage to "en"
>> and carLicense to "YYY"). Then I edited the same user and checked
>> "reconcile" checkbox and saved. After saving, the
>> preferredLanguage was set to "en" and carLicense had two values
>> (both the original and the new "YYY" because it's multivalue field).
>>
>> Later I just made another change in the attribute value and it
>> still worked.
>>
>> So it seems to be working as it should. *But*, while testing, I
>> discovered https://jira.evolveum.com/browse/MID-2194. The symptom
>> is as follows: whenever you edit role through GUI, the strength
>> for attributes is lost. It's enough just to edit+save role using
>> Role editor. Configure - Repository objects (XML editor) is fine.
>>
>> When I look at your role export, there is *no strength* for any
>> of the attributes in outbound mappings. I believe it might be
>> caused by the bug I've just reported. So please, either edit the
>> role using Repository objects XML editor until we fix it; or
>> please create the roles as XML files and import them to midPoint.
>> It should be ok if you export your existing roles and fix them in
>> XML files and then reimport.
>>
>> Best regards,
>> Ivan
>>
>> On 02/02/2015 04:24 PM, Anand Kothekar wrote:
>>> Hi,
>>>
>>> As per our discussion I tried to give the <strength> tag in the role but
>>> it didn't work for me.
>>>
>>> Basically we had two host attribute values in inducement and
>>> member user also had the same host membership, then after
>>> modifying the inducement I reconciled the user but no change in
>>> host attribute of user's ldap account.
>>>
>>> I have attached the sample role xml, please have a look and let
>>> me know if I am doing anything wrong.
>>>
>>>
>>>
>>> Thanks,
>>> Anand Kothekar
>>>
>>>
>>>
>>> On Fri, Jan 23, 2015 at 3:15 PM, Ivan Noris
>>> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>>
>>> Hi Anand,
>>>
>>> please see inline:
>>>
>>> On 01/23/2015 06:17 AM, Anand Kothekar wrote:
>>>> Hi Ivan
>>>>
>>>> First of all Ldap connector supports Auxiliary object
>>>> classes. I have tested it and it works for me.
>>>>
>>>> Secondly, The host attribute is defined in resource schema
>>>> and I have added it in Schema Handling but i do not have
>>>> any outbound mapping right now (quite usual for our
>>>> requirement, most of the resources have such attributes
>>>> that cannot be mapped to any focal object in midpoint).
>>>>
>>>> Is it possible that i can map whatever user has entered
>>>> (instead of mapping the host or any other attribute to
>>>> midpoint's focal object) to target resource attribute in
>>>> outbound mapping.
>>>
>>> If the user enters the value in the form, you don't need mappings.
>>> Mappings are used to set the target attribute value according
>>> to some other attribute value or expression.
>>>
>>> Some example:
>>> If you need to copy user/givenName attribute value to LDAP's
>>> sn attribute, you need outbound mapping in resource schema
>>> handling.
>>> If you need to generate LDAP's sn attribute value by taking
>>> user/givenName attribute value and (for example) lowercase
>>> all attributes and remove diacritics, you need outbound
>>> mapping in resource schema handling.
>>> If you want the user to set the LDAP's host attribute to
>>> user-defined-value, i.e. in the GUI form, manually, you
>>> don't need any mapping for this attribute. If user enters
>>> the value manually, provisioning will store the value to the
>>> resource. It is NOT remembered in midPoint. There is no
>>> expression how to derive the value, thus no mapping. And
>>> midPoint has no way of forcing the attribute value to
>>> contain the user defined value during the reconciliation,
>>> because the user defined value is stored only on LDAP, not
>>> in midPoint. When outbound mappings are used, the target
>>> attribute value can be derived from some source
>>> attribute(s)/expressions, so midPoint can enforce these values.
>>>
>>> Maybe there is another way how to achieve what you need if I
>>> understand it correctly. Define an extended attribute in
>>> User (by extending schema) and let the user set/modify this
>>> extended attribute. Then you can have schema handling
>>> mapping in resource, and you can thus use strong mapping
>>> strength.
>>>
>>> Best regards,
>>> Ivan
>>>
>>>
>>>>
>>>> What my concern is there is no way in UI to set the
>>>> strength and doing it at policy level is quite
>>>> unmanageable(resource is one but inducement will be
>>>> thousands).
>>>>
>>>> So just to summarize
>>>> - we want this to be done at resource level.
>>>>
>>>> - i think it is achievable if we can define outbound
>>>> mapping so that user entered value is mapped to target
>>>> attribute.
>>>>
>>>>
>>>> Thanks
>>>> Anand
>>>>
>>>>
>>>> On Thu, Jan 22, 2015 at 8:36 PM, Ivan Noris
>>>> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>>
>>>> wrote:
>>>>
>>>> Hi,
>>>>
>>>> as you have the mapping in role, not in resource, you
>>>> should have the mapping set as strong for "host"
>>>> attribute in *all* applicable roles (that are setting
>>>> this attribute).
>>>>
>>>> There will be no configuration in resource, because
>>>> there is no mapping for that attribute at the resource
>>>> level. The strength always applies to the mapping
>>>> definition.
>>>>
>>>> You mentioned that this is auxiliary object class. Not
>>>> sure if the LDAP connector supports such classes...
>>>>
>>>> Regards,
>>>> I.
>>>>
>>>>
>>>> On 01/22/2015 03:49 PM, Anand Kothekar wrote:
>>>>> Hi,
>>>>>
>>>>> Yes, the host attribute will be entered by the user
>>>>> who is managing the midpoint or it will be populated
>>>>> in inducement of a role by our custom code . It will
>>>>> never be automated to get the value from any focus
>>>>> object like User.
>>>>>
>>>>>
>>>>> Thanks
>>>>> Anand
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Jan 22, 2015 at 7:56 PM, Ivan Noris
>>>>> <ivan.noris at evolveum.com
>>>>> <mailto:ivan.noris at evolveum.com>> wrote:
>>>>>
>>>>> Hi Anand,
>>>>>
>>>>> can you please be more precise about "value
>>>>> entered by user"?
>>>>> Do you mean that the host and/or(?) description
>>>>> attributes are expected to be managed by the user
>>>>> who is editing the user in midPoint, on the right
>>>>> side of User details in Accounts part? Are these
>>>>> expected to be set always explicitly by the user?
>>>>> No automation from midpoint user attributes?
>>>>>
>>>>> Thanks,
>>>>> I.
>>>>>
>>>>>
>>>>> On 01/22/2015 02:03 PM, Anand Kothekar wrote:
>>>>>> Hi Ivan,
>>>>>>
>>>>>> Thanks for your inputs.
>>>>>>
>>>>>> I tried it by adding this constraint in
>>>>>> inducement itself and it worked but I want to do
>>>>>> this at resource level.
>>>>>>
>>>>>> I tried adding the same in resource but the thing
>>>>>> is I do not have any outbound mapping defined for
>>>>>> these attributes (as I use the value entered by
>>>>>> user ) now if I add only strength property in
>>>>>> outbound it gives me Error.
>>>>>>
>>>>>> Can you help me with pointing to the right kind
>>>>>> of mapping I need to do.
>>>>>>
>>>>>> Here is the host attribute snippet from my resource:
>>>>>> <attribute>
>>>>>> <ref
>>>>>> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:host</ref>
>>>>>> <matchingRule
>>>>>> xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>>>>>> <outbound>
>>>>>> <strength>strong</strength>
>>>>>> </outbound>
>>>>>> </attribute>
>>>>>>
>>>>>> I need to know how I can map value entered by user.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> Anand Kothekar
>>>>>>
>>>>>>
>>>>>> On Thu, Jan 22, 2015 at 5:52 PM, Ivan Noris
>>>>>> <ivan.noris at evolveum.com
>>>>>> <mailto:ivan.noris at evolveum.com>> wrote:
>>>>>>
>>>>>> Hi Anand,
>>>>>>
>>>>>> can you please define the mappings for
>>>>>> description and host attributes as strong?
>>>>>>
>>>>>> Something like:
>>>>>>
>>>>>> <attribute>
>>>>>>     <ref>ri:description</ref>
>>>>>>     <outbound>
>>>>>>         <strength>strong</strength>
>>>>>>         . . .
>>>>>>     </outbound>
>>>>>> </attribute>
>>>>>> Then run the reconciliation again please.
>>>>>>
>>>>>> If you already have this configured and it
>>>>>> does not work, please share the attribute
>>>>>> mappings here.
>>>>>>
>>>>>> Regards,
>>>>>> I.
>>>>>>
>>>>>>
>>>>>> On 01/20/2015 11:15 AM, Anand Kothekar wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have been playing around with role
>>>>>>> inducements and found some issue, need some
>>>>>>> quick help as inducements are quite
>>>>>>> important for our solution.
>>>>>>>
>>>>>>> _Issue:_ Inducement updates are not
>>>>>>> propagated properly to User after
>>>>>>> reconciliation.
>>>>>>>
>>>>>>> _Details:_ When a user is assigned a role
>>>>>>> having a resource inducement, the User gets the
>>>>>>> appropriate accounts and induced group
>>>>>>> memberships. Now changes to some attributes in
>>>>>>> role inducements are not propagated after
>>>>>>> reconciling the User.
>>>>>>>
>>>>>>> _Steps Followed:_
>>>>>>> - I added an ldap resource inducement in a
>>>>>>> new Role. I provided some attributes
>>>>>>> like LdapGroups, Host, and description.
>>>>>>> - User is assigned to this Role. User gets
>>>>>>> the ldap account, appropriate group
>>>>>>> memberships and other attributes specified
>>>>>>> in inducement (i.e. description,
>>>>>>> host (multivalued attribute from an
>>>>>>> Auxiliary object class)). So all good till now.
>>>>>>> - Now I updated the Resource inducement for
>>>>>>> example changed the description, added few
>>>>>>> groups, added few host.
>>>>>>> - After inducement modification I reconciled
>>>>>>> the User, and following are the results:
>>>>>>>
>>>>>>> - Group membership is updated appropriately.
>>>>>>>
>>>>>>> - Description is not updated
>>>>>>>
>>>>>>> - host attribute is not updated
>>>>>>>
>>>>>>>
>>>>>>> Can you guys please check and let me know if
>>>>>>> I am doing something wrong or is it a
>>>>>>> problem somewhere in my resource or some
>>>>>>> other issue with midpoint system.
>>>>>>>
>>>>>>> Regards
>>>>>>> Anand Kothekar
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> midPoint-dev mailing list
>>>>>>> midPoint-dev at lists.evolveum.com <mailto:midPoint-dev at lists.evolveum.com>
>>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint-dev
>>>>>>
>>>>>> --
>>>>>> Ing. Ivan Noris
>>>>>> Senior Identity Management Engineer
>>>>>> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
>>>>>> _____________________________________________
>>>>>> "Semper Id(e)M Vix."
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
>
>
--
Ing. Ivan Noris
Senior Identity Management Engineer
evolveum.com evolveum.com/blog/
_____________________________________________
"Semper Id(e)M Vix."
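For readers who want the two settings discussed in this thread (strong mapping strength plus tolerant=false) in one complete, importable object rather than in a fragment, here is a full role definition assembled as an added example. It is not from the thread and not from the midPoint project's own samples; the OIDs are placeholders and the ri prefix stands for the same resource instance namespace that appears as qn546 in the snippets above.

```xml
<!-- Added example, not from the thread: Role1 induces an OpenLDAP account
     and fully owns the multivalued "host" attribute on it.
     OIDs are placeholders; replace them with the real ones. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="ROLE1-OID-PLACEHOLDER">
    <name>Role1</name>
    <inducement>
        <construction>
            <!-- placeholder OID of the OpenLDAP resource -->
            <resourceRef oid="LDAP-RESOURCE-OID-PLACEHOLDER" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>

            <attribute>
                <ref>ri:host</ref>
                <!-- tolerant=false: during reconciliation midPoint removes every
                     "host" value that no mapping produces, so a value dropped from
                     the list below (for example host3) disappears from LDAP too.
                     The default, tolerant=true, leaves values that midPoint did not
                     provision alone. -->
                <tolerant>false</tolerant>
                <outbound>
                    <!-- strong: the mapped values are enforced on every reconcile,
                         even when the LDAP attribute already holds other values -->
                    <strength>strong</strength>
                    <expression>
                        <value>host1</value>
                        <value>host2</value>
                    </expression>
                </outbound>
            </attribute>

            <!-- single-valued attribute: strong strength alone is enough for the
                 new value to replace the old one on reconcile -->
            <attribute>
                <ref>ri:description</ref>
                <outbound>
                    <strength>strong</strength>
                    <expression>
                        <value>Managed by Role1</value>
                    </expression>
                </outbound>
            </attribute>
        </construction>
    </inducement>
</role>
```

Import the file through Configuration - Import object (or edit the existing role in the Repository objects XML editor, since the GUI role editor drops the strength element as noted in MID-2194), then reconcile an affected user; the removed host value should be gone from the LDAP entry after the save.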