[Midpoint-dev] Active Directory Group Creation Issue
Dharmendra Parakh
dharmendra at confluxsys.com
Thu Mar 5 10:38:11 CET 2015
Hi Ivan
Thanks for all the information.
My requirement is just to create a AD group on the target and at this point
I do not want to assign this group to any user. So basically we want to use
this resource for group creation purpose only.
I am well aware of the way you have described for group creation as
entitlement (I have tried that and it works) but we want to avoid the
multiple steps involved in entitlement creation and also we want to create
this under a user/role as an assignment/account only because group
management becomes easy for us this way. As i have mentioned we are doing
the same in case of ldap resource and that is working for us. I cannot
think of any reason why midpoint will behave differently for ad and ldap.
AFAIK for connector group is just an object class like account so i think
it should work logically. I think i am missing something or i have some
issue in resource. I will appreciate any help on this.
Thanks!
On Thu, Mar 5, 2015 at 2:39 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
> Hi Dharmendra,
>
> I'm not sure if I understand what you try to achieve.
>
> Do you want to create AD group for given user in midPoint? Or do you want
> to create the group through midPoint and then assign to user?
>
> I would definitely not change the default object class for "account" to
> CustomGroupObjectClass. Just use kinds and intents in schema handling.
>
> In my project I have the following setup: I want to create users in
> midPoint, accounts for them in AD. I also want to create groups (and other
> objects) in AD that belong to organizations in midPoint (part of org.
> structure replication). And I also want to put AD accounts to these groups.
> The simplified example follows:
>
> 1. in resource, I define new kind=entitlement and
> intent=group-municipality, e.g.:
> <objectType>
> <kind>*entitlement*</kind>
> <intent>*group-municipality*</intent>
> <displayName>Municipality groups</displayName>
> <default>true</default>
> <objectClass>ri:*CustomGroupObjectClass*</objectClass>
> <attribute>
> . . .
>
> This means that I'm able to reference groups of this "type" (I have
> several different types of groups) as kind=entitlement and
> intent=group-municipality.
>
> 2. in resource, I define association for *accounts* with this kind of
> groups:
> <objectType>
> <kind>*account*</kind>
> <intent>*default*</intent>
> <displayName>Default Account -
> Municipality users</displayName>
> <default>true</default>
> <objectClass>ri:*AccountObjectClass*
> </objectClass>
> . . .
> <association>
> <ref>ri:adGroups</ref>
> <tolerant>true</tolerant>
> <matchingRule>mr:stringIgnoreCase</matchingRule>
> <kind>*entitlement*</kind>
> <intent>*group-municipality*</intent>
> <direction>objectToSubject</direction>
> <associationAttribute>ri:member</associationAttribute>
> <valueAttribute>icfs:name</valueAttribute>
>
> <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
> </association>
> </objectType>
>
> This means midPoint is able to associate AD accounts with this type of
> groups and will show the "Association" part in GUI when editing user - list
> of groups for that account.
>
> 3. to *assign AD account to any existing AD group* (EmailAllUsers in this
> example), I have a role in midPoint:
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> xmlns:icfs=
> "http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
> <http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3>
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
> <http://prism.evolveum.com/xml/ns/public/query-3>
> xmlns:ri=
> "http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> <http://midpoint.evolveum.com/xml/ns/public/resource/instance-3>
> oid="b4b5059a-5cdc-4a2c-a184-bb6e0c67e064">
> <name>E-Mail</name>
> <inducement>
> <construction>
> <!-- The c: prefix in type must be there due to a JAXB bug
> -->
> <resourceRef oid="00000000-0000-0000-0001-100000000002"
> type="c:ResourceType"/>
> <association>
> <ref>ri:adGroups</ref>
> <outbound>
> <strength>strong</strength>
> <expression>
> <associationTargetSearch>
> <filter>
> <q:equal>
> <q:path>
> declare namespace icfs=
> "http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
> <http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3>
> ;
> declare namespace ri=
> "http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> <http://midpoint.evolveum.com/xml/ns/public/resource/instance-3>;
> attributes/ri:samAccountName
> </q:path>
> <expression>
> <script>
> <code>
> return '*EmailAllUsers*' <!-- group's sAMAccountName in AD -->
> </code>
> </script>
> </expression>
> </q:equal>
> </filter>
> <searchOnResource>true</searchOnResource>
> </associationTargetSearch>
> </expression>
> </outbound>
> </association>
> </construction>
> </inducement>
> </role>
>
> If this role is assigned to user in midPoint, it will create AD account
> (if it does not exist yet) it will search for a group named "EmailAllUsers"
> (by sAMAccountName) and add user to that group if such group exists.
>
> 4. if you want to *create groups* in AD from midPoint, they must be
> regarded as a projection of either User, Organization or Role in midPoint.
> In my scenario, for some Organization I create the type of groups I
> referred to above by assignin a role to an *organization*, e.g.:
>
> <role oid="00000000-0000-0000-0004-000000000010"
> xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> xmlns:c=
> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> <http://midpoint.evolveum.com/xml/ns/public/common/common-3>
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
> <http://prism.evolveum.com/xml/ns/public/types-3>>
> <name>Meta-role for organizational structure replication to AD</name>
> <inducement>
> <construction>
> <!-- AD resource -->
> <resourceRef oid="00000000-0000-0000-0001-100000000002"
> type="c:ResourceType"/>
> * <kind>entitlement</kind>*
> * <intent>group-municipality</intent>*
> </construction>
> </inducement>
> ...
> </role>
>
> This means that midPoint will create a group of that type for the
> organization in midPoint. Of course, in schemaHandling for AD resource, in
> the kind=entitlement and intent=group-municipality part, you have to define
> proper outbound mappings (icfs:name = DN; sAMAccountName and possibly other
> attributes) to actually create the group.
>
> And that's all, so simple.
>
> Some examples can be also seen in our OrgSync scenario wiki page:
> https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test (it is
> different scenario as I've described in my example, but it's very usable
> for concept understanding).
>
> Hope this helps.
> Regards,
> Ivan
>
>
> On 03/05/2015 09:44 AM, Dharmendra Parakh wrote:
>
> Hi
>
> I have been playing around with AD Connector and i am facing an issue
> where i was trying to create an AD group using the AD Connector.
>
> I have a resource configured where the default object class is my AD
> Group object class and kind is set to account.
> When i try to create the group by creating a account of this resource i
> see the* group is created on Active Directory* but same does not show up
> in the midpoint UI under User's accounts panel.
>
> I can see the linkRef in user's xml but it is not getting loaded in UI
> and also when i open the user xml i see an error:
>
> [RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],
> objectclass={.../resource/instance-3}CustomGroupObjectClass: Object
> identified by
> [RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]
> was not found by connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
> Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
> v1.4.1.20257 @ConnectorServer27:22:8759)
> com.evolveum.midpoint.util.exception.ObjectNotFoundException: Object not
> found.
> identifiers=[RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]],
> objectclass={.../resource/instance-3}CustomGroupObjectClass: Object
> identified by
> [RA({.../connector/icf-1/resource-schema-3}uid):[PPV(String:<guid=b611c389eb74224ba3cae9b9738ba1a6>)]]
> was not found by connector:1529887f-2adc-4a76-99fd-75d34c865332(ICF
> Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector
> v1.4.1.20257 @ConnectorServer27:22:8759)
> at
> com.evolveum.midpoint.provisioning.consistency.impl.ObjectNotFoundHandler.handleError(ObjectNotFoundHandler.java:268)
> ~[provisioning-impl-3.2-SNAPSHOT.jar:na]
> at
> com.evolveum.midpoint.provisioning.impl.ShadowCache.handleError(ShadowCache.java:683)
> ~[provisioning-impl-3.2-SNAPSHOT.jar:na]
>
>
>
> We have similar setup for ldap group provisioning and that works very
> fine.
>
> I have attached my resource xml with the email, please have a look and
> let me know if i am doing anything wrong here.
>
>
> Regards
> Dharmendra
>
>
> _______________________________________________
> midPoint-dev mailing listmidPoint-dev at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint-dev
>
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer & IDM Architect
> evolveum.com evolveum.com/blog/
> ___________________________________________________
> "Semper Id(e)M Vix."
>
>
> _______________________________________________
> midPoint-dev mailing list
> midPoint-dev at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.evolveum.com/pipermail/midpoint-dev/attachments/20150305/5da5c8e4/attachment-0001.html>
More information about the midPoint-dev
mailing list