[midPoint] Re. Adding users to a group in LDAP

Radovan Semancik radovan.semancik at evolveum.com
Thu Oct 10 14:38:24 CEST 2013 

On 10/09/2013 12:57 PM, Deepak Natarajan wrote:
> Is it possible to configure an LDAP resource so that when a new "group" is detected in one resource (e.g CSV file), a new group is inserted under ou=groups in LDAP? i.e we are not working with user accounts as such but other kinds of subtrees in LDAP/AD.

The short answer is: no in midpoint v2.2, yes in midpoint v2.3

Long answer: MidPoint code that handles the synchronization logic is 
called "projector". It is architected and designed to be quite generic. 
However the first few implementation versions were limited to 
synchronization of users and accounts only. We needed to validate the 
design and make sure that it works before proceeding to higher level of 
complexity. Version 2.2 provided that assurance. Now we are really 
confident about the projector design. We are ready to move on and make 
it generic as it was originally designed. This is planned for version 
2.3 and the development of this part actually already began. And it 
looks very good. Very promising.

The release of midPoint 2.3 is planned for spring 2014.

> We are trying to solve two use cases :
>
> 1. On the LDAP we have various ou's (e.g ou=departments, ou=addresses, ou=employees)  - which have been populated from a legacy database.
> 	We would like to configure a CSV resource on Midpoint, and this file would contain rows of "departments" along with their attributes. Midpoint should accordingly sync this with the ou=departments subtree in LDAP via the LDAP connector. Is this doable?

This should be very easy to do in midPoint 2.3.

As for midPoint 2.2 we are hacking around this using scripts. E.g. we 
use mappings to get list of group names to the user object (extension 
property). When such user is provisioned to target resource we use 
provisioning script before the operation. The script gets the list of 
groups as a parameter and it makes sure all the groups exists. If some 
of them do not exist then the script creates them. The provisioning 
operation then proceeds normally. Of course this assumes that all the 
groups look almost the same. And it is not even close to a nice and 
systemic solution. But if you need this now it is doable and it works 
for us. Or you can wait till midpoint 2.3 release to get a simple, nice 
and clean solution. Or you can help with testing midPoint development 
versions. This feature should be in pretty good shape in a month or two. 
You can get that if you are in a real hurry. But the testing phase of 
complete version 2.3 should start approx. in January. This would be an 
ideal time for you to get an "early access" to this feature.

> 2. Is it possible to configure the LDAP resource so that when a new user needs to be created on the LDAP (on ou=users, say), some of the attributes can be attached to other subtrees (like ou=addresses)?

This is interesting requirement. But I'm not sure that I understand 
exactly what you mean. Can you provide an example please?
I would guess that this could be solved by using "intent" (a.k.a. 
account types) and/or generic synchronization. But the example would 
help a lot.

-- 

                                            Radovan Semancik
                                           Software Architect
                                              evolveum.com

More information about the midPoint mailing list