[midPoint] Syncing only specific groups
Pavol Mederly
mederly at evolveum.com
Mon Dec 1 18:11:23 CET 2014
Hello Jason,
I would suggest looking at
http://msdn.microsoft.com/en-us/library/cc223142.aspx.
Then e.g. Security + Global group would be 0x80000002, i.e. decimally
either 2147483650 or -2147483646, depending on whether the connector
expects the value as unsigned int32/64 or signed int32. I have not used
that yet; so please try them both and see what works for you.
Best regards,
Pavol
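The two decimal forms mentioned above, worked through as an added example (not part of the original message and not midPoint or connector code): it builds and decodes the AD groupType value for the scopes asked about in this thread. The flag constants are the ones documented in MS-ADTS; the function names are illustrative.

```python
# AD groupType bit flags (MS-ADTS group type flags).
SECURITY_ENABLED = 0x80000000    # clear = distribution group, unusable in ACLs
SCOPES = {
    "global": 0x00000002,        # ACCOUNT_GROUP
    "domain_local": 0x00000004,  # RESOURCE_GROUP
    "universal": 0x00000008,     # UNIVERSAL_GROUP
}


def to_signed32(value):
    """Reinterpret an unsigned 32-bit value as a signed int32 (two's complement)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def encode_group_type(scope, security=True):
    """Return the (unsigned, signed) decimal forms of groupType for one scope."""
    if scope not in SCOPES:
        raise ValueError("unknown scope: %r" % (scope,))
    raw = SCOPES[scope] | (SECURITY_ENABLED if security else 0)
    return raw, to_signed32(raw)


def decode_group_type(value):
    """Accept either decimal form and return (scope, security_enabled)."""
    if not -0x80000000 <= value <= 0xFFFFFFFF:
        raise ValueError("groupType does not fit in 32 bits")
    raw = value & 0xFFFFFFFF  # normalises the negative (signed) form
    matches = [name for name, bit in SCOPES.items() if raw & bit]
    if len(matches) != 1:
        raise ValueError("expected exactly one scope bit, got %r" % (matches,))
    return matches[0], bool(raw & SECURITY_ENABLED)


if __name__ == "__main__":
    # Print every scope as a security and as a distribution group.
    for scope in SCOPES:
        for security in (True, False):
            unsigned, signed = encode_group_type(scope, security)
            print("%-12s security=%-5s 0x%08X unsigned=%d signed=%d"
                  % (scope, security, unsigned, unsigned, signed))
```

Decoding a value read back from AD is a quick check that a provisioned group really carries the security bit, whichever representation the connector returns.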
On 1. 12. 2014 17:58, Jason Everling wrote:
> Yeah I was going to try to set the groupType attribute which controls
> what group type it is but it is an integer and not a string, if not
> then no big deal, was just wondering.
>
> JASON
>
> On Mon, Dec 1, 2014 at 10:22 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
> Hi Jason,
>
> I don't have AD right now handy, so this one is a meta-answer:
>
> - Try to lookup some other-than-global/security groups in your AD,
> and see their attributes right in AD.
> - Then try to see if those attributes are manageable by the
> connector (in schema, CustomGroupObjectClass AFAIK).
> - Then you can try to set corresponding values.
>
> In my projects, I've only needed Security and standard groups, I
> didn't set the other attribute/values, so they were pretty much
> filled by AD or the connector itself.
>
> I'm sure Pavol can give you a more precise answer regarding the
> support of this; and I may have some time later today or tomorrow
> to explore this myself.
>
> Regards,
> Ivan
>
>
> On 12/01/2014 05:12 PM, Jason Everling wrote:
>> I think that would be a bit much, more than likely, I will move
>> all groups that would be sync'd to Midpoint into its own
>> container in AD and move all our other groups to another
>> container and use the <protected> to filter them out so they are
>> not sync'd.
>>
>> Is there a way to build a specific group type instead of just
>> Global | Security, maybe Domain Local or Universal or is it hard
>> coded to Global Security?
>>
>> Thanks!
>> JASON
>>
>> On Mon, Dec 1, 2014 at 4:12 AM, Radovan Semancik
>> <radovan.semancik at evolveum.com> wrote:
>>
>> Hi Jason,
>>
>> This is slightly different. The condition tells whether to
>> apply the specific <objectSynchronization> block or not. The
>> primary use of the condition is to sort objects of the same
>> object class to "intents" (see
>> https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass).
>> The primary meaning of this is to synchronize group object
>> with a role object (or org object). But it does not
>> synchronize account-group association (i.e. group membership)
>> with a user-role assignment.
>>
>> With a bit of trickery it could theoretically work for your
>> case. But I doubt that it will be practical. You will need
>> one <objectSynchronization> block for each group that you are
>> trying to synchronize.
>>
>> --
>>
>> Radovan Semancik
>> Software Architect
>> evolveum.com <http://evolveum.com>
>>
>>
>>
>> On 11/29/2014 05:21 PM, Jason Everling wrote:
>>> Is what I was asking, in the wiki it says you can add a
>>> condition to the synchronization policy, under
>>> https://wiki.evolveum.com/display/midPoint/Synchronization+Configuration
>>>
>>>
>>> * *condition* is an expression which has to evaluate to
>>> true for the policy to be used. It can be used for a
>>> very fine-grain selection of applicable policies.
>>>
>>>
>>> I found a sample, kind of here,
>>> https://github.com/Evolveum/midpoint/blob/a6c023945dbea34db69a8ff17c9a61b7184c42cc/testing/consistency-mechanism/src/test/resources/request/resource-modify-synchronization.xml
>>>
>>> I am just a little confused on the condition statement, I
>>> was thinking it would look something like,
>>>
>>> <condition>
>>>     <script>
>>>         <code>
>>>             declare default namespace "http://midpoint.evolveum.com/xml/ns/public/common/common-3";
>>>             basic.getAttributeValue(account, 'http://midpoint.evolveum.com/xml/ns/public/common/common-3', 'info') = replicated
>>>         </code>
>>>     </script>
>>> </condition>
>>>
>>>
>>> JASON
>>>
>>>
>>> On Sat, Nov 29, 2014 at 2:47 AM, Pavol Mederly
>>> <mederly at evolveum.com> wrote:
>>>
>>> Hello Jason,
>>>
>>> although I don't understand what you would like to
>>> achieve, a quick answer though:
>>>
>>> If you would apply a condition to a mapping (incoming or
>>> outgoing, it does not matter), you can use <condition>
>>> subelement directly under <incoming> or <outgoing> one.
>>> However, take this only as a quick hint. I haven't done
>>> that, nor am I sure it's implemented. Please try it.
>>>
>>> Best regards,
>>> Pavol
>>>
>>>
>>> On 28. 11. 2014 22:46, Jason Everling wrote:
>>>> So I have the roleType syncing to the AD attribute,
>>>> info, the info or roleType. I want any group that
>>>> contains this roleType or info attribute sync'd, any
>>>> others will not be sync'd.
>>>>
>>>> I know how to do this in objectTemplate but how in the
>>>> resource so that it only syncs those groups and not all
>>>> groups.
>>>>
>>>> Where do I put in the condition statement in the
>>>> resource definition? I searched through what I could in
>>>> the samples but couldn't find anything like this.
>>>>
>>>> JASON
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is
>>>> proprietary and confidential; intended for only the
>>>> recipient(s) named above and may contain information
>>>> that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or
>>>> disclose all or any part of the contents to any person.
>>>> Any views or opinions expressed in this e-mail are
>>>> those of the author and do not represent those of the
>>>> Baptist School of Health Professions. If you have
>>>> received this e-mail in error, or are not the named
>>>> recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this
>>>> communication is prohibited by the sender and to do so
>>>> might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section
>>>> 2510-2521. Please immediately notify the sender and
>>>> delete this e-mail and any attachments from your computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer
> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
> _____________________________________________
> "Semper Id(e)M Vix."