[Midpoint-dev] Active Directory Group Creation Issue
Ivan Noris
ivan.noris at evolveum.com
Thu Mar 5 10:09:44 CET 2015
Hi Dharmendra,
I'm not sure if I understand what you try to achieve.
Do you want to create AD group for given user in midPoint? Or do you
want to create the group through midPoint and then assign to user?
I would definitely not change the default object class for "account" to
CustomGroupObjectClass. Just use kinds and intents in schema handling.
In my project I have the following setup: I want to create users in
midPoint, accounts for them in AD. I also want to create groups (and
other objects) in AD that belong to organizations in midPoint (part of
org. structure replication). And I also want to put AD accounts to these
groups. The simplified example follows:
1. in resource, I define new kind=entitlement and
intent=group-municipality, e.g.:
<objectType>
<kind>*entitlement*</kind>
<intent>*group-municipality*</intent>
<displayName>Municipality groups</displayName>
<default>true</default>
<objectClass>ri:*CustomGroupObjectClass*</objectClass>
<attribute>
. . .
This means that I'm able to reference groups of this "type" (I have
several different types of groups) as kind=entitlement and
intent=group-municipality.
2. in resource, I define association for *accounts* with this kind of
groups:
<objectType>
<kind>*account*</kind>
<intent>*default*</intent>
<displayName>Default Account -
Municipality users</displayName>
<default>true</default>
<objectClass>ri:*AccountObjectClass*</objectClass>
. . .
<association>
<ref>ri:adGroups</ref>
<tolerant>true</tolerant>
<matchingRule>mr:stringIgnoreCase</matchingRule>
<kind>*entitlement*</kind>
<intent>*group-municipality*</intent>
<direction>objectToSubject</direction>
<associationAttribute>ri:member</associationAttribute>
<valueAttribute>icfs:name</valueAttribute>
<explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
</objectType>
This means midPoint is able to associate AD accounts with this type of
groups and will show the "Association" part in GUI when editing user -
list of groups for that account.
3. to *assign AD account to any existing AD group* (EmailAllUsers in
this example), I have a role in midPoint:
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
oid="b4b5059a-5cdc-4a2c-a184-bb6e0c67e064">
<name>E-Mail</name>
<inducement>
<construction>
<!-- The c: prefix in type must be there due to a JAXB
bug -->
<resourceRef oid="00000000-0000-0000-0001-100000000002"
type="c:ResourceType"/>
<association>
<ref>ri:adGroups</ref>
<outbound>
<strength>strong</strength>
<expression>
<associationTargetSearch>
<filter>
<q:equal>
<q:path>
declare namespace
icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
declare namespace
ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
attributes/ri:samAccountName
</q:path>
<expression>
<script>
<code>
return '*EmailAllUsers*' <!-- group's sAMAccountName in AD -->
</code>
</script>
</expression>
</q:equal>
</filter>
<searchOnResource>true</searchOnResource>
</associationTargetSearch>
</expression>
</outbound>
</association>
</construction>
</inducement>
</role>
If this role is assigned to user in midPoint, it will create AD account
(if it does not exist yet) it will search for a group named
"EmailAllUsers" (by sAMAccountName) and add user to that group if such
group exists.
4. if you want to *create groups* in AD from midPoint, they must be
regarded as a projection of either User, Organization or Role in
midPoint. In my scenario, for some Organization I create the type of
groups I referred to above by assignin a role to an *organization*, e.g.:
<role oid="00000000-0000-0000-0004-000000000010"
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
<name>Meta-role for organizational structure replication to AD</name>
<inducement>
<construction>
<!-- AD resource -->
<resourceRef oid="00000000-0000-0000-0001-100000000002"
type="c:ResourceType"/>
* <kind>entitlement</kind>**
** <intent>group-municipality</intent>*
</construction>
</inducement>
...
</role>
This means that midPoint will create a group of that type for the
organization in midPoint. Of course, in schemaHandling for AD resource,
in the kind=entitlement and intent=group-municipality part, you have to
define proper outbound mappings (icfs:name = DN; sAMAccountName and
possibly other attributes) to actually create the group.
And that's all, so simple.
Some examples can be also seen in our OrgSync scenario wiki page:
https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test (it is
different scenario as I've described in my example, but it's very usable
for concept understanding).
Hope this helps.
Regards,
Ivan
On 03/05/2015 09:44 AM, Dharmendra Parakh wrote:
> Hi
>
> I have been playing around with AD Connector and i am facing an issue
> where i was trying to create an AD group using the AD Connector.
>
> I have a resource configured where the default object class is my AD
> Group object class and kind is set to account.
> When i try to create the group by creating a account of this resource
> i see the*group is created on Active Directory* but same does not show
> up in the midpoint UI under User's accounts panel.
>
> I can see the linkRef in user's xml but it is not getting loaded in UI
> and also when i open the user xml i see an error:
>
> [RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],
> objectclass={.../resource/instance-3}CustomGroupObjectClass:
> Object identified by
> [RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]
> was not found by
> connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
> Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
> v1.4.1.20257 @ConnectorServer27:22:8759)
> com.evolveum.midpoint.util.exception.ObjectNotFoundException:
> Object not found.
> identifiers=[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],
> objectclass={.../resource/instance-3}CustomGroupObjectClass:
> Object identified by
> [RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]
> was not found by
> connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
> Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
> v1.4.1.20257 @ConnectorServer27:22:8759)
> at
> com.evolveum.midpoint.provisioning.consistency.impl.ObjectNotFoundHandler.handleError(ObjectNotFoundHandler.java:268)
> ~[provisioning-impl-3.2-SNAPSHOT.jar:na]
> at
> com.evolveum.midpoint.provisioning.impl.ShadowCache.handleError(ShadowCache.java:683)
> ~[provisioning-impl-3.2-SNAPSHOT.jar:na]
>
>
>
> We have similar setup for ldap group provisioning and that works very
> fine.
>
> I have attached my resource xml with the email, please have a look and
> let me know if i am doing anything wrong here.
>
>
> Regards
> Dharmendra
>
>
> _______________________________________________
> midPoint-dev mailing list
> midPoint-dev at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint-dev
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.evolveum.com/pipermail/midpoint-dev/attachments/20150305/36164ac3/attachment-0001.html>
More information about the midPoint-dev
mailing list