[Midpoint-dev] Inducement updates are not propagated to User after reconciliation
Ivan Noris
ivan.noris at evolveum.com
Thu Feb 5 18:18:22 CET 2015
Hi Anand,
good to hear!
Regarding Scenario 2 - I've been discussing this with my colleague and it
may be related to Enforcement policy. Can you please check your
Configuration - Basic - Assignment Policy Enforcement Setting?
Maybe you'd need to change it to "Full". Be advised: this will have one
consequence with regard to the default (Relative) setting: when midPoint
works with a user and he/she has accounts which are only linked, but
not provided by assignments, the accounts will be deleted.
Regards,
Ivan
On 02/05/2015 06:11 PM, Anand Kothekar wrote:
> Hi Ivan,
>
> The Tolerate tag worked with resource level change.
>
> Thank you for the prompt reply.
>
> I will test a few more things tomorrow and will let you know about the
> result.
>
>
>
> Regards,
> Anand Kothekar
>
> On Thu, Feb 5, 2015 at 8:09 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
> Hi Anand,
>
> please define the attribute as tolerant in schema handling in the
> Resource (not in role):
>
> 1. in your resource, in schema handling part, define it as:
>
> <attribute>
>   <ref>ri:host</ref> <!-- I assume ri prefix is defined as in all our samples -->
>   <tolerant>false</tolerant>
> </attribute>
>
> 2. in your role use what you already have, without
> <tolerant>false</tolerant>
>
> Let me know please if it worked. Thank you.
>
> It seems that some attribute properties can only be defined in
> schema handling of the resource.
>
> I.
>
>
> On 02/05/2015 03:25 PM, Anand Kothekar wrote:
>> Hi,
>>
>> I am afraid but <tolerant>false</tolerant> is not working in my case.
>>
>> I have attached xml file, Please go through it once.
>>
>>
>> Thanks,
>> Anand
>>
>> On Thu, Feb 5, 2015 at 6:55 PM, Ivan Noris
>> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>> Hi Anand,
>>
>> for Scenario 1, please try this:
>>
>> <attribute>
>>   <ref xmlns:qn546="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn546:host</ref>
>>   <tolerant>false</tolerant>
>>   <outbound>
>>     <strength>strong</strength>
>>     <expression>
>>       <value>host1</value>
>>       <value>host2</value>
>>       <!-- <value>host3</value> -->
>>     </expression>
>>   </outbound>
>> </attribute>
>>
>> This will tell midpoint that when reconciling, all values not
>> provisioned by midPoint should be removed.
>> Default is tolerant=true, so midPoint can add/remove values
>> when changes are processed.
>>
>> I'm thinking about Scenario 2 and will let you know.
>>
>> Regards,
>> Ivan
>>
>>
>>
>>
>>>
>>> Adding new attributes is working fine but when you try to
>>> delete any of the attributes it's not getting reflected in Ldap.
>>>
>>>
>>> Scenario 1:
>>>
>>> 1. Role1 was having Open Ldap account as an
>>> Inducement. Induced Account was also having attributes
>>> host1,host2,host3.
>>>
>>> 2. Now Role1 was assigned to a User and user got the Open
>>> Ldap Account as well as the host1,host2,host3 as expected.
>>> Entry added in Ldap also.
>>>
>>> 3. <attribute>
>>>      <ref xmlns:qn546="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn546:host</ref>
>>>      <outbound>
>>>        <strength>strong</strength>
>>>        <expression>
>>>          <value>host1</value>
>>>          <value>host2</value>
>>>          <value>host3</value>
>>>        </expression>
>>>      </outbound>
>>>    </attribute>
>>>
>>>
>>> 4. host3 attribute deleted from Role1 XML and User
>>> reconciled. <strength> tag was still present.
>>>
>>> 5. host3 attribute not removed from the Ldap.
>>>
>>> 6. host3 attribute is not getting deleted from
>>> OpenLdap account (midpoint) which user got due to
>>> inducement. If we try to remove the attribute from OpenLdap
>>> account, attribute is getting deleted from ldap as well.
>>>
>>>
>>>
>>> Scenario 2:
>>>
>>> 1. Role1 has Ldap account with attributes
>>> host1,host2,host3 as inducement.
>>>
>>> 2. And Role2 has Role1 as an inducement.
>>>
>>> 3. Role2 is then assigned to User.
>>>
>>> 4. User gets all the host attributes as well as
>>> OpenLdap A/c with attributes host1,host2,host3.
>>>
>>> 5. Now when you unassign Role1 from Role2 and
>>> reconcile User, Ldap a/c (midpoint) is not getting removed
>>> and attributes host1,host2,host3 are still present on the User.
>>>
>>>
>>> Please assist me with the proper solution.
>>>
>>>
>>>
>>> Regards
>>> Anand Kothekar
>>>
>>>
>>>
>>> On Tue, Feb 3, 2015 at 1:57 PM, Ivan Noris
>>> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>>
>>> wrote:
>>>
>>> .. I have just checked your sample once again. You DO
>>> have strength=strong for inducement mapping, I was
>>> looking a few lines above to the assignments part.
>>>
>>> Can you please check anyway, if the strength is still
>>> there (using Configuration - Repository objects) and if
>>> your testing scenario is somehow different from mine?
>>>
>>> Thanks,
>>> Ivan
>>>
>>>
>>> On 02/03/2015 09:23 AM, Ivan Noris wrote:
>>>> Hi Anand,
>>>>
>>>> I have experimented a little with similar setup.
>>>>
>>>> First, I took one of my customer roles, which work. I
>>>> added two attribute mappings to the role construction
>>>> for OpenDJ resource, such as:
>>>>
>>>> <attribute>
>>>>   <ref>ri:preferredLanguage</ref>
>>>>   <outbound>
>>>>     <strength>strong</strength>
>>>>     <expression>
>>>>       <value>sk</value>
>>>>     </expression>
>>>>   </outbound>
>>>> </attribute>
>>>>
>>>> <attribute>
>>>>   <ref>ri:carLicense</ref>
>>>>   <outbound>
>>>>     <strength>strong</strength>
>>>>     <expression>
>>>>       <value>XXX</value>
>>>>     </expression>
>>>>   </outbound>
>>>> </attribute>
>>>>
>>>> I've already had a user with this role assigned, so
>>>> after I reimported the role definition (because I've
>>>> changed the XML file with my role), I've edited the
>>>> user and checked "reconcile" checkbox, and saved. After
>>>> saving, user surely had both attributes
>>>> (preferredLanguage and carLicense) set to predefined
>>>> values. Before the save, the values were not defined
>>>> for that OpenDJ account, as they were never part
>>>> of that role before.
>>>>
>>>> Next I edited the role again through Configure -
>>>> Repository objects and changed the values (e.g.
>>>> preferredLanguage to "en" and carLicense to "YYY").
>>>> Then I edited the same user and checked "reconcile"
>>>> checkbox and saved. After saving, the preferredLanguage
>>>> was set to "en" and carLicense had two values (both the
>>>> original and the new "YYY" because it's multivalue field).
>>>>
>>>> Later I just made another change in the attribute value
>>>> and it still worked.
>>>>
>>>> So it seems to be working as it should. *But*, while
>>>> testing, I discovered
>>>> https://jira.evolveum.com/browse/MID-2194. The symptom
>>>> is as follows: whenever you edit role through GUI, the
>>>> strength for attributes is lost. It's enough just to
>>>> edit+save role using Role editor. Configure -
>>>> Repository objects (XML editor) is fine.
>>>>
>>>> When I look at your role export, there is *no strength*
>>>> for any of the attributes in outbound mappings. I
>>>> believe it might be caused by the bug I've just
>>>> reported. So please, either edit the role using
>>>> Repository objects XML editor until we fix it; or
>>>> please create the roles as XML files and import them to
>>>> midPoint. It should be ok if you export your existing
>>>> roles and fix them in XML files and then reimport.
>>>>
>>>> Best regards,
>>>> Ivan
>>>>
>>>> On 02/02/2015 04:24 PM, Anand Kothekar wrote:
>>>>> Hi,
>>>>>
>>>>> As per our discussion I tried to give <strength> tag
>>>>> in role but it didn't work for me.
>>>>>
>>>>> Basically we had two host attribute values in
>>>>> inducement and member user also had the same host
>>>>> membership, then after modifying the inducement I
>>>>> reconciled the user but no change in host attribute of
>>>>> user's ldap account.
>>>>>
>>>>> I have attached the sample role xml, please have a
>>>>> look and let me know if I am doing anything wrong.
>>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Anand Kothekar
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jan 23, 2015 at 3:15 PM, Ivan Noris
>>>>> <ivan.noris at evolveum.com
>>>>> <mailto:ivan.noris at evolveum.com>> wrote:
>>>>>
>>>>> Hi Anand,
>>>>>
>>>>> please see inline:
>>>>>
>>>>> On 01/23/2015 06:17 AM, Anand Kothekar wrote:
>>>>>> Hi Ivan
>>>>>>
>>>>>> First of all Ldap connector supports Auxiliary
>>>>>> object classes. I have tested it and it works for me.
>>>>>>
>>>>>> Secondly, The host attribute is defined in
>>>>>> resource schema and I have added it in Schema
>>>>>> Handling but I do not have any outbound mapping
>>>>>> right now (quite usual for our requirement, most
>>>>>> of the resources have such attributes that cannot
>>>>>> be mapped to any focal object in midpoint).
>>>>>>
>>>>>> Is it possible that I can map whatever user has
>>>>>> entered (instead of mapping the host or any other
>>>>>> attribute to midpoint's focal object) to target
>>>>>> resource attribute in outbound mapping.
>>>>>
>>>>> If user enters the value in the form, you don't
>>>>> need mappings.
>>>>> Mapping are used to set the target attribute value
>>>>> according to some other attribute value or expression.
>>>>>
>>>>> Some example:
>>>>> If you need to copy user/givenName attribute value
>>>>> to LDAP's sn attribute, you need outbound mapping
>>>>> in resource schema handling.
>>>>> If you need to generate LDAP's sn attribute value
>>>>> by taking user/givenName attribute value and (for
>>>>> example) lowercase all attributes and remove
>>>>> diacritics, you need outbound mapping in resource
>>>>> schema handling.
>>>>> If you want the user to set the LDAP's host
>>>>> attribute to user-defined-value, i.e. in the GUI
>>>>> form, manually, you don't need any mapping for
>>>>> this attribute. If user enters the value manually,
>>>>> provisioning will store the value to the resource.
>>>>> It is NOT remembered in midPoint. There is no
>>>>> expression how to derive the value, thus no
>>>>> mapping. And midPoint has no way of forcing the
>>>>> attribute value to contain the user defined value
>>>>> during the reconciliation, because the user
>>>>> defined value is stored only on LDAP, not in
>>>>> midPoint. When outbound mappings are used, the
>>>>> target attribute value can be derived from some
>>>>> source attribute(s)/expressions, so midPoint can
>>>>> enforce these values.
>>>>>
>>>>> Maybe there is another way how to achieve what you
>>>>> need if I understand it correctly. Define an
>>>>> extended attribute in User (by extending schema)
>>>>> and let the user set/modify this extended
>>>>> attribute. Then you can have schema handling
>>>>> mapping in resource, and you can thus use strong
>>>>> mapping strength.
>>>>>
>>>>> Best regards,
>>>>> Ivan
>>>>>
>>>>>
>>>>>>
>>>>>> What my concern is there is no way in UI to set
>>>>>> the strength and doing it at policy level is
>>>>>> quite unmanageable(resource is one but inducement
>>>>>> will be thousands).
>>>>>>
>>>>>> So just to summarize
>>>>>> - we want this to be done at resource level.
>>>>>>
>>>>>> - I think it is achievable if we can define
>>>>>> outbound mapping so that user entered value
>>>>>> is mapped to target attribute.
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>> Anand
>>>>>>
>>>>>>
>>>>>> On Thu, Jan 22, 2015 at 8:36 PM, Ivan Noris
>>>>>> <ivan.noris at evolveum.com
>>>>>> <mailto:ivan.noris at evolveum.com>> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> as you have the mapping in role, not in
>>>>>> resource, you should have the mapping set as
>>>>>> strong for "host" attribute in *all*
>>>>>> applicable roles (that are setting this
>>>>>> attribute).
>>>>>>
>>>>>> There will be no configuration in resource,
>>>>>> because there is no mapping for that
>>>>>> attribute at the resource level. The strength
>>>>>> always applies to the mapping definition.
>>>>>>
>>>>>> You mentioned that this is auxiliary object
>>>>>> class. Not sure if the LDAP connector
>>>>>> supports such classes...
>>>>>>
>>>>>> Regards,
>>>>>> I.
>>>>>>
>>>>>>
>>>>>> On 01/22/2015 03:49 PM, Anand Kothekar wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Yes, the host attribute will be entered by
>>>>>>> the user who is managing the midpoint or it
>>>>>>> will be populated in inducement of a role by
>>>>>>> our custom code. It will never be automated
>>>>>>> to get the value from any focus object like
>>>>>>> User.
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>> Anand
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Jan 22, 2015 at 7:56 PM, Ivan Noris
>>>>>>> <ivan.noris at evolveum.com
>>>>>>> <mailto:ivan.noris at evolveum.com>> wrote:
>>>>>>>
>>>>>>> Hi Anand,
>>>>>>>
>>>>>>> can you please be more precise about
>>>>>>> "value entered by user"?
>>>>>>> Do you mean that the host and/or(?)
>>>>>>> description attributes are expected to
>>>>>>> be managed by the user who is editing
>>>>>>> the user in midPoint, on the right side
>>>>>>> of User details in Accounts part? Are
>>>>>>> these expected to be set always
>>>>>>> explicitly by the user? No automation
>>>>>>> from midpoint user attributes?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> I.
>>>>>>>
>>>>>>>
>>>>>>> On 01/22/2015 02:03 PM, Anand Kothekar
>>>>>>> wrote:
>>>>>>>> Hi Ivan,
>>>>>>>>
>>>>>>>> Thanks for your inputs.
>>>>>>>>
>>>>>>>> I tried it by adding this constraint in
>>>>>>>> inducement itself and it worked but I
>>>>>>>> want to do this at resource level.
>>>>>>>>
>>>>>>>> I tried adding the same in resource but
>>>>>>>> the thing is I do not have any outbound
>>>>>>>> mapping defined for these attributes
>>>>>>>> (as I use the value entered by user )
>>>>>>>> now if I add only strength property in
>>>>>>>> outbound it gives me Error.
>>>>>>>>
>>>>>>>> Can you help me with pointing to the
>>>>>>>> right kind of mapping I need to do.
>>>>>>>>
>>>>>>>> Here is the host attribute snippet from
>>>>>>>> my resource:
>>>>>>>> <attribute>
>>>>>>>>   <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:host</ref>
>>>>>>>>   <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>>>>>>>>   <outbound>
>>>>>>>>     <strength>strong</strength>
>>>>>>>>   </outbound>
>>>>>>>> </attribute>
>>>>>>>>
>>>>>>>> I need to know how I can map value
>>>>>>>> entered by user.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Anand Kothekar
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Jan 22, 2015 at 5:52 PM, Ivan
>>>>>>>> Noris <ivan.noris at evolveum.com
>>>>>>>> <mailto:ivan.noris at evolveum.com>> wrote:
>>>>>>>>
>>>>>>>> Hi Anand,
>>>>>>>>
>>>>>>>> can you please define the mappings
>>>>>>>> for description and host attributes
>>>>>>>> as strong?
>>>>>>>>
>>>>>>>> Something like:
>>>>>>>>
>>>>>>>> <attribute>
>>>>>>>>   <ref>ri:description</ref>
>>>>>>>>   <outbound>
>>>>>>>>     <strength>strong</strength>
>>>>>>>>     . . .
>>>>>>>>   </outbound>
>>>>>>>> </attribute>
>>>>>>>> Then run the reconciliation again
>>>>>>>> please.
>>>>>>>>
>>>>>>>> If you already have this configured
>>>>>>>> and it does not work, please share
>>>>>>>> the attribute mappings here.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> I.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 01/20/2015 11:15 AM, Anand
>>>>>>>> Kothekar wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have been playing around with
>>>>>>>>> role inducements and found some
>>>>>>>>> issue, need some quick help as
>>>>>>>>> inducements are quite important
>>>>>>>>> for our solution.
>>>>>>>>>
>>>>>>>>> _Issue:_ Inducement updates are
>>>>>>>>> not propagated properly to User
>>>>>>>>> after reconciliation.
>>>>>>>>>
>>>>>>>>> _Details:_ When a user is assigned
>>>>>>>>> a role having a resource
>>>>>>>>> inducement, User gets appropriate
>>>>>>>>> accounts and induced group
>>>>>>>>> memberships. Now changes to some
>>>>>>>>> attributes in role inducements are
>>>>>>>>> not propagated after reconciling User.
>>>>>>>>>
>>>>>>>>> _Steps Followed:_
>>>>>>>>> - I added an ldap resource
>>>>>>>>> inducement in a new Role. I
>>>>>>>>> provided some attributes
>>>>>>>>> like LdapGroups, Host, and
>>>>>>>>> description.
>>>>>>>>> - User is assigned to this Role.
>>>>>>>>> User gets the ldap account,
>>>>>>>>> appropriate group memberships and
>>>>>>>>> other attributes specified in
>>>>>>>>> inducement (i.e. description,
>>>>>>>>> host (multivalued attribute from
>>>>>>>>> an Auxiliary object class)). So
>>>>>>>>> all good till now.
>>>>>>>>> - Now I updated the
>>>>>>>>> Resource inducement for example
>>>>>>>>> changed the description, added few
>>>>>>>>> groups, added few host.
>>>>>>>>> - After inducement modification I
>>>>>>>>> reconciled the User, and following
>>>>>>>>> are the results:
>>>>>>>>>
>>>>>>>>> - Group membership is updated
>>>>>>>>> appropriately.
>>>>>>>>>
>>>>>>>>> - Description is not updated
>>>>>>>>>
>>>>>>>>> - host attribute is not updated
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Can you guys please check and let
>>>>>>>>> me know if I am doing something
>>>>>>>>> wrong or is it a problem somewhere
>>>>>>>>> in my resource or some other issue
>>>>>>>>> with midpoint system.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Anand Kothekar
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> midPoint-dev mailing list
>>>>>>>>> midPoint-dev at lists.evolveum.com <mailto:midPoint-dev at lists.evolveum.com>
>>>>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint-dev
>>>>>>>>
>>>>>>>> --
>>>>>>>> Ing. Ivan Noris
>>>>>>>> Senior Identity Management Engineer
>>>>>>>> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
>>>>>>>> _____________________________________________
>>>>>>>> "Semper Id(e)M Vix."
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
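As an added example (written for this page; it is not code from the thread, from midPoint or from Evolveum), the following Python script applies the rules the thread settles on to an exported role or resource XML before it is reimported: an outbound mapping in a role needs `<strength>strong</strength>` or changed inducement values are not pushed to the account on reconcile (the thread reports the GUI role editor dropping the strength as MID-2194), an `<outbound>` that carries only a strength with nothing to derive a value from is rejected on import, and `<tolerant>` only takes effect in the resource's schema handling, not in a role. The two sample exports are constructed; the `common-3` object namespace, the `<schemaHandling>`/`<objectType>` nesting, the `<source>` mapping element and the placeholder resourceRef oid are assumptions, and because the checker matches element local names the prefixes a real export uses do not matter.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports for this added checker (not the thread's attachments).
# common-3 is assumed to be midPoint's object namespace; ri is the resource-instance
# namespace the thread's snippets use. The resourceRef oid is a placeholder.
SAMPLE_ROLE_XML = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>Role1</name>
  <inducement>
    <construction>
      <resourceRef oid="PLACEHOLDER-RESOURCE-OID"/>
      <attribute>
        <ref>ri:host</ref>
        <outbound>
          <strength>strong</strength>
          <expression><value>host1</value><value>host2</value></expression>
        </outbound>
      </attribute>
      <attribute>
        <ref>ri:description</ref>
        <outbound>
          <expression><value>managed by Role1</value></expression>
        </outbound>
      </attribute>
      <attribute>
        <ref>ri:carLicense</ref>
        <tolerant>false</tolerant>
        <outbound>
          <strength>strong</strength>
        </outbound>
      </attribute>
    </construction>
  </inducement>
</role>"""

SAMPLE_RESOURCE_XML = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>OpenLDAP</name>
  <schemaHandling>
    <objectType>
      <attribute><ref>ri:host</ref><tolerant>false</tolerant></attribute>
      <attribute>
        <ref>ri:description</ref>
        <outbound><strength>strong</strength></outbound>
      </attribute>
    </objectType>
  </schemaHandling>
</resource>"""


def _local(tag):
    """Strip the '{namespace}' part ElementTree prepends to a tag name."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with the given local name, or None."""
    return next((c for c in elem if _local(c.tag) == name), None)


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def audit_mappings(xml_text):
    """Return (severity, attribute ref, message) findings for one exported object."""
    root = ET.fromstring(xml_text)
    in_resource = _local(root.tag) == "resource"
    findings = []
    for attr in (e for e in root.iter() if _local(e.tag) == "attribute"):
        ref = _text(_child(attr, "ref")) or "<no ref>"
        if _child(attr, "tolerant") is not None and not in_resource:
            # The thread found <tolerant> only takes effect in the resource's
            # schema handling; a copy inside a role is silently ignored.
            findings.append(("error", ref, "tolerant is ignored here; define it in the resource schema handling"))
        outbound = _child(attr, "outbound")
        if outbound is None:
            continue
        if _text(_child(outbound, "strength")) != "strong":
            # Without a strong mapping, changed inducement values are not pushed
            # to the account on reconcile; the GUI editor drops strength (MID-2194).
            findings.append(("warning", ref, "outbound mapping is not strong; inducement changes will not be enforced on reconcile"))
        if _child(outbound, "expression") is None and _child(outbound, "source") is None:
            # A strength alone does not say how to compute a value; the thread
            # reports this combination as an error. <source> is assumed to be
            # the other way a mapping can obtain its value.
            findings.append(("error", ref, "outbound mapping has no expression or source"))
    return findings


def main():
    for label, xml_text in (("role", SAMPLE_ROLE_XML), ("resource", SAMPLE_RESOURCE_XML)):
        print(f"== {label} ==")
        for severity, ref, message in audit_mappings(xml_text) or [("ok", "-", "no findings")]:
            print(f"{severity:8} {ref:16} {message}")


if __name__ == "__main__":
    main()
```

Run it over an export taken through Configuration - Repository objects; a role that passes can lose its strength again as soon as it is saved from the GUI role editor, so the check belongs right before each reimport rather than once.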