[midPoint] Syncing only specific groups

Jason Everling jeverling at bshp.edu
Mon Dec 1 17:58:47 CET 2014


Yeah, I was going to try to set the groupType attribute, which controls what
group type it is, but it is an integer and not a string. If not, then no big
deal; I was just wondering.

JASON

On Mon, Dec 1, 2014 at 10:22 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Hi Jason,
>
> I don't have AD right now handy, so this one is a meta-answer:
>
> - Try to look up some other-than-global/security groups in your AD, and see
> their attributes right in AD.
> - Then try to see if those attributes are manageable by the connector (in
> schema, CustomGroupObjectClass AFAIK).
> - Then you can try to set corresponding values.
>
> In my projects, I've only needed Security and standard groups, I didn't
> set the other attribute/values, so they were pretty much filled by AD or
> the connector itself.
>
> I'm sure Pavol can give you a more precise answer regarding the support of
> this; and I may have some time later today or tomorrow to explore this
> myself.
>
> Regards,
> Ivan
>
>
> On 12/01/2014 05:12 PM, Jason Everling wrote:
>
> I think that would be a bit much, more than likely, I will move all groups
> that would be sync'd to Midpoint into its own container in AD and move all
> our other groups to another container and use the <protected> to filter
> them out so they are not sync'd.
>
>  Is there a way to build a specific group type instead of just Global |
> Security, maybe Domain Local or Universal or is it hard coded to Global
> Security?
>
>  Thanks!
> JASON
>
> On Mon, Dec 1, 2014 at 4:12 AM, Radovan Semancik <
> radovan.semancik at evolveum.com> wrote:
>
>>  Hi Jason,
>>
>> This is slightly different. The condition tells whether to apply the
>> specific <objectSynchronization> block or not. The primary use of the
>> condition is to sort objects of the same object class into "intents" (see
>> https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass).
>> The primary meaning of this is to synchronize a group object with a role
>> object (or org object). But it does not synchronize account-group
>> association (i.e. group membership) with a user-role assignment.
>>
>> With a bit of trickery it could theoretically work for your case. But I
>> doubt that it will be practical. You will need one <objectSynchronization>
>> block for each group that you are trying to synchronize.
>>
>> --
>>
>>                                            Radovan Semancik
>>                                           Software Architect
>>                                              evolveum.com
>>
>>
>>
>> On 11/29/2014 05:21 PM, Jason Everling wrote:
>>
>> Is what I was asking, in the wiki it says you can add a condition to the
>> synchronization policy, under
>> https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>>
>>
>>    - *condition* is an expression which has to evaluate to true for the
>>    policy to be used. It can be used for a very fine-grain selection of
>>    applicable policies.
>>
>>
>>  I found a sample, kind of here,
>> https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>>
>>  I am just a little confused on the condition statement, I was thinking
>> it would look something like,
>>
>>  <condition>
>>    <script>
>>      <code>
>>         declare default namespace "http://midpoint.evolveum.com/xml/ns/public/common/common-3";
>>         basic.getAttributeValue(account, 'http://midpoint.evolveum.com/xml/ns/public/common/common-3', 'info') = replicated
>>      </code>
>>    </script>
>>  </condition>
>>
>>
>>  JASON
>>
>>
>> On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>
>>>  Hello Jason,
>>>
>>> although I don't understand what you would like to achieve, here is a
>>> quick answer:
>>>
>>> If you want to apply a condition to a mapping (incoming or outgoing, it
>>> does not matter), you can use the <condition> subelement directly under the
>>> <incoming> or <outgoing> one.
>>> However, take this only as a quick hint. I haven't done that, nor am I
>>> sure it's implemented. Please try it.
>>>
>>> Best regards,
>>> Pavol
>>>
>>>
>>> On 28. 11. 2014 22:46, Jason Everling wrote:
>>>
>>> So I have the roleType syncing to the AD attribute info, the info or
>>> roleType. I want any group that contains this roleType or info attribute
>>> sync'd; any others will not be sync'd.
>>>
>>> I know how to do this in objectTemplate, but how in the resource, so
>>> that it only syncs those groups and not all groups?
>>>
>>>  Where do I put in the condition statement in the resource definition?
>>> I searched through what I could in the samples but couldn't find anything
>>> like this.
>>>
>>>  JASON
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>

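Added example (not from the thread or from midPoint itself): the AD groupType value that the thread ends on is a signed 32-bit bit field, so this shows how the scope flags (global / domain local / universal) and the security bit combine into the integer, and, over constructed sample groups, the "only groups whose info attribute carries the roleType" selection that the <condition> discussion is about. The flag constants are the documented AD groupType values; the sample group records and the "replicated" marker are constructed for the example.

```python
# AD groupType flag bits (documented values, not from the thread).
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000

SCOPES = {GLOBAL: "global", DOMAIN_LOCAL: "domainLocal", UNIVERSAL: "universal"}


def to_signed32(value):
    """AD stores groupType as a signed 32-bit int, so the security bit makes it negative."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def group_type(scope, security=True):
    """Build the integer groupType for a scope name ('global', 'domainLocal', 'universal')."""
    flag = {name: bit for bit, name in SCOPES.items()}[scope]
    return to_signed32(flag | (SECURITY_ENABLED if security else 0))


def decode_group_type(value):
    """Return (scope, is_security_group) from a signed or unsigned groupType value."""
    unsigned = value & 0xFFFFFFFF
    scope = next((name for bit, name in SCOPES.items() if unsigned & bit), "unknown")
    return scope, bool(unsigned & SECURITY_ENABLED)


# Constructed sample groups modelled on the thread: 'info' carries the roleType
# marker for groups that should be synchronised; every other group is left alone.
SAMPLE_GROUPS = [
    {"cn": "app-admins", "groupType": -2147483646, "info": "replicated"},  # global security
    {"cn": "dist-list", "groupType": 2, "info": None},                     # global distribution
    {"cn": "site-ops", "groupType": -2147483644, "info": "replicated"},    # domain local security
    {"cn": "legacy", "groupType": -2147483640, "info": "local-only"},      # universal security
]


def groups_to_sync(groups, marker="replicated"):
    """Same idea as the <condition>: keep only groups whose info attribute equals the marker."""
    return [g["cn"] for g in groups if g.get("info") == marker]


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(g["cn"], decode_group_type(g["groupType"]))
    print("to sync:", groups_to_sync(SAMPLE_GROUPS))
```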