[midPoint] LDAP Group Creation
dharmendra parakh
dharm.parakh at gmail.com
Thu Dec 4 11:46:37 CET 2014
Hi Ivan
Thanks for the information. I have this already configured in my LDAP
resource.
I went through all these documents and then I tried to implement the same
synchronization technique.
So I created a role MetaRole and added the LDAP resource as an inducement (I
did not fill in any information in the resource form).
Then I created another role, and when I try to add that MetaRole as an
assignment to this role I am getting an error saying:
Couldn't add object. Schema violation: Schema violation during processing
shadow: shadow: null (OID:null): Schema violation:
javax.naming.directory.SchemaViolationException([LDAP: error code 65 -
object class 'inetOrgPerson' requires attribute 'sn']
I am confused why it is trying to create an inetOrgPerson object instead of
groupOfNames.
Is it a configuration issue or am I doing something wrong? Can you help me
figure this out. My resource configuration is attached just for your
reference.
Regards
Dharmendra
On Thu, Dec 4, 2014 at 3:07 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
> Hi,
>
> you don't need new connector to create LDAP groups. Just configuration in
> midPoint: new schemaHandling <objectType> and corresponding
> <synchronization><objectType> parts for kind=entitlement and intent=group.
>
> For example you may check the sample:
> samples/resources/opendj/opendj-resource-genericsync.xml to see how it can
> be configured.
>
> After you have this configured, you can create a role which will construct
> the kind=entitlement,intent=group object on the LDAP resource.
>
> Then you assign such a role to either an organization or a role in midPoint and
> it will provision the corresponding group to LDAP.
>
> Please refer also to:
> https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
> https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>
> https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
>
> Regards,
> Ivan
>
>
> On 12/04/2014 10:28 AM, dharmendra parakh wrote:
>
> HI
>
> Is there any out-of-the-box configuration to achieve it or do I have to
> write a connector?
>
> Waiting for response..
>
> Regards
> Dharmendra
>
> On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh <dharm.parakh at gmail.com>
> wrote:
>
>> Hi
>>
>> I was playing around with the LDAP connector bundled with midPoint; it
>> works well for creating user accounts and user group assignment.
>>
>> I want to create an LDAP group. Is it possible using the same connector to
>> provision an LDAP group on the target LDAP resource, basically a
>> groupOfUniqueNames or a posixGroup?
>>
>> If possible, please point me to the documentation which I can refer to and
>> configure it.
>>
>>
>> Thanks
>> Dharmendra Parakh
>>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer
> evolveum.com evolveum.com/blog/
> _____________________________________________
> "Semper Id(e)M Vix."
>
>
-------------- next part --------------
<schemaHandling>
  <!-- Default account type: a construction that names no kind/intent resolves to this type. -->
  <objectType>
    <kind>account</kind>
    <displayName>Normal Account</displayName>
    <default>true</default>
    <objectClass xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:AccountObjectClass</objectClass>
    <attribute>
      <ref xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:name</ref>
      <displayName>Distinguished Name</displayName>
      <limitations>
        <minOccurs>0</minOccurs>
        <access>
          <read>true</read>
          <add>true</add>
          <modify>true</modify>
        </access>
      </limitations>
      <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
      <outbound>
        <source>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/name</c:path>
        </source>
        <expression>
          <script>
            <code>
              'uid=' + name + iterationToken + ',ou=people,dc=example,dc=com'
            </code>
          </script>
        </expression>
      </outbound>
    </attribute>
    <attribute>
      <ref xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:uid</ref>
      <displayName>Entry UUID</displayName>
      <limitations>
        <access>
          <read>true</read>
          <add>false</add>
          <modify>true</modify>
        </access>
      </limitations>
      <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
    </attribute>
    <attribute>
      <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</ref>
      <displayName>Common Name</displayName>
      <limitations>
        <minOccurs>0</minOccurs>
        <access>
          <read>true</read>
          <add>true</add>
          <modify>true</modify>
        </access>
      </limitations>
      <outbound>
        <source>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/fullName</c:path>
        </source>
      </outbound>
      <inbound>
        <target>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/fullName</c:path>
        </target>
      </inbound>
    </attribute>
    <attribute>
      <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:sn</ref>
      <displayName>Surname</displayName>
      <limitations>
        <minOccurs>0</minOccurs>
      </limitations>
      <outbound>
        <source>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">familyName</c:path>
        </source>
      </outbound>
      <inbound>
        <target>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">familyName</c:path>
        </target>
      </inbound>
    </attribute>
    <attribute>
      <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:givenName</ref>
      <displayName>Given Name</displayName>
      <outbound>
        <source>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:givenName</c:path>
        </source>
      </outbound>
      <inbound>
        <target>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:givenName</c:path>
        </target>
      </inbound>
    </attribute>
    <attribute>
      <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:uid</ref>
      <displayName>Login Name</displayName>
      <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
      <outbound>
        <strength>weak</strength>
        <source>
          <description>Source may have description</description>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/name</c:path>
        </source>
      </outbound>
      <inbound>
        <target>
          <description>Targets may have description</description>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$c:user/c:name</c:path>
        </target>
      </inbound>
    </attribute>
    <attribute>
      <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:description</ref>
      <outbound>
        <strength>weak</strength>
        <expression>
          <description>Expression that assigns a fixed value</description>
          <value>Created by midPoint</value>
        </expression>
      </outbound>
    </attribute>
    <attribute>
      <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:l</ref>
      <displayName>Location</displayName>
      <outbound>
        <source>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/locality</c:path>
        </source>
      </outbound>
    </attribute>
    <attribute>
      <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:employeeType</ref>
      <displayName>Employee Type</displayName>
      <tolerant>false</tolerant>
      <outbound>
        <source>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$user/employeeType</c:path>
        </source>
      </outbound>
    </attribute>
    <!-- Group membership: links accounts to the entitlement type kind=entitlement, intent=ldapGroup below. -->
    <association>
      <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group</ref>
      <displayName>LDAP Group Membership</displayName>
      <kind>entitlement</kind>
      <intent>ldapGroup</intent>
      <direction>objectToSubject</direction>
      <associationAttribute xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:member</associationAttribute>
      <valueAttribute xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:name</valueAttribute>
    </association>
    <iteration>
      <maxIterations>5</maxIterations>
    </iteration>
    <protected>
      <icfs:name xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">cn=manager,dc=example,dc=com</icfs:name>
    </protected>
    <activation>
      <administrativeStatus>
        <outbound/>
        <inbound>
          <strength>weak</strength>
          <expression>
            <asIs/>
          </expression>
        </inbound>
      </administrativeStatus>
    </activation>
    <credentials>
      <password>
        <outbound>
          <expression>
            <asIs/>
          </expression>
        </outbound>
        <inbound>
          <strength>weak</strength>
          <expression>
            <generate/>
          </expression>
        </inbound>
      </password>
    </credentials>
  </objectType>
  <!-- Entitlement (group) type: a construction must name kind=entitlement and intent=ldapGroup to use it. -->
  <objectType>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <displayName>LDAP Group</displayName>
    <objectClass xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:CustomgroupOfNamesObjectClass</objectClass>
    <attribute>
      <ref xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">icfs:name</ref>
      <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
      <outbound>
        <source>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$focus/name</c:path>
        </source>
        <expression>
          <script>
            <code>
              import javax.naming.ldap.Rdn
              import javax.naming.ldap.LdapName
              // Build the group DN from the focus (role/org) name, escaping it properly.
              dn = new LdapName('ou=groups,dc=example,dc=com')
              dn.add(new Rdn('cn', name.toString()))
              return dn.toString()
            </code>
          </script>
        </expression>
      </outbound>
    </attribute>
    <attribute>
      <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:member</ref>
      <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
    </attribute>
    <attribute>
      <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</ref>
      <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
      <outbound>
        <strength>weak</strength>
        <source>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">$focus/name</c:path>
        </source>
      </outbound>
    </attribute>
    <attribute>
      <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:description</ref>
      <outbound>
        <source>
          <c:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">description</c:path>
        </source>
      </outbound>
    </attribute>
  </objectType>
</schemaHandling>
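As an added example (not part of this thread, not from the midPoint samples): a metarole whose inducement explicitly selects the entitlement type defined in the attached schemaHandling, plus a business role that receives it. The resource and role OIDs are placeholders, and the role name "Sales" is assumed; a construction that omits kind and intent resolves to the objectType marked default=true (kind=account, inetOrgPerson), which is the path that produces the "requires attribute 'sn'" violation above.

```xml
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

  <!-- Metarole: every role that is assigned this metarole is provisioned
       as one LDAP group on the resource. -->
  <role oid="PLACEHOLDER-METAROLE-OID">
    <name>MetaRole</name>
    <inducement>
      <construction>
        <!-- placeholder: OID of the LDAP resource whose schemaHandling is attached above -->
        <resourceRef oid="PLACEHOLDER-LDAP-RESOURCE-OID" type="c:ResourceType"/>
        <!-- These two elements pick the "LDAP Group" objectType
             (ri:CustomgroupOfNamesObjectClass). Without them the construction
             falls back to the default=true account type, so midPoint would try
             to create an inetOrgPerson and fail on the mandatory 'sn'. -->
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
      </construction>
    </inducement>
  </role>

  <!-- Business role (assumed name). Assigning MetaRole to it makes midPoint
       create the group cn=Sales,ou=groups,dc=example,dc=com through the
       icfs:name script mapping of the entitlement type. -->
  <role oid="PLACEHOLDER-SALES-ROLE-OID">
    <name>Sales</name>
    <assignment>
      <targetRef oid="PLACEHOLDER-METAROLE-OID" type="c:RoleType"/>
    </assignment>
  </role>

</objects>
```

Ivan's reply also calls for a matching `<synchronization><objectType>` entry for kind=entitlement, intent=ldapGroup; that part is not shown in the attachment and not repeated here.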