[midPoint] LDAP Group Creation

Ivan Noris ivan.noris at evolveum.com
Thu Dec 4 11:59:43 CET 2014


Hi Dharmendra,

this is my sample role for an organization (or a fragment of it), which I
assign to the organizations in midPoint. This role will cause
provisioning to LDAP:

<role oid="00000000-dc00-dc00-0004-000000000010"
        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
        xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
    <name>Role for org. structure replication to directory</name>

. . .
    <inducement>
        <construction>
            <resourceRef oid="00000000-dc00-dc00-0001-100000000002"
                         type="c:ResourceType"/>
            <kind>entitlement</kind>
            <intent>billing-group</intent>
        </construction>
    </inducement>
. . .

This means that I have to have a resource (my OID is
"00000000-dc00-dc00-0001-100000000002"), where I have defined:
<schemaHandling>
. . .
        <objectType>
            <kind>entitlement</kind>
            <intent>billing-group</intent>
            <displayName>Group for billing</displayName>
            <default>false</default>
            <objectClass>ri:GroupObjectClass</objectClass>
            <attribute>
                <ref>icfs:name</ref> <!-- required attribute on AD -->
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <outbound>
. . .
rest of the outbounds needed for group attributes here
. . .

So, if the role gets assigned to my organization in midPoint (Edit
organization, and add the role to Assignments, not inducements), it
will construct an object of type entitlement, kind of billing-group. The
schemaHandling associates entitlement/kind with
objectClass=GroupObjectClass. So provisioning will create a group, not an
account. The attributes for the group are based on your schema handling
expressions for the entitlement/billing-group.

If the role does not specify kind/intent, defaults are used
(kind=account, intent=default). So this may cause accounts to be created
instead of groups ...

If everything works, you may have the role automatically assigned to all
organizations in midPoint as they are created. But I will do this only
if everything works, because it's easier to debug.

Hope this helps,
regards,
Ivan


On 12/04/2014 11:46 AM, dharmendra parakh wrote:
> Hi Ivan 
>
> Thanks for the information. I have this already configured in my LDAP
> resource.
>
> I went through all these documents and then I tried to implement the
> same synchronization technique.
>
> So I created a role MetaRole and added the LDAP resource as an inducement
> (I did not fill in any information in the resource form).
> Then I created another role, and when I try to add that MetaRole as an
> assignment to this role I am getting an error saying:
>
> Couldn't add object. Schema violation: Schema violation during
> processing shadow: shadow: null (OID:null): Schema violation:
> javax.naming.directory.SchemaViolationException([LDAP: error code 65 -
> object class 'inetOrgPerson' requires attribute 'sn']
>
> I am confused why it is trying to create an inetOrgPerson object instead
> of groupOfNames.
>
> Is it a configuration issue or am I doing something wrong? Can you
> help me figure this out. My resource configuration is attached just
> for your reference.
>
>
> Regards
> Dharmendra
>
>
> On Thu, Dec 4, 2014 at 3:07 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
>     Hi,
>
>     you don't need new connector to create LDAP groups. Just
>     configuration in midPoint: new schemaHandling <objectType> and
>     corresponding <synchronization><objectType> parts for
>     kind=entitlement and intent=group.
>
>     For example you may check the sample:
>     samples/resources/opendj/opendj-resource-genericsync.xml to see
>     how it can be configured.
>
>     After you have this configured, you can create a role which will
>     construct the kind=entitlement,intent=group object on the LDAP
>     resource.
>
>     Then you assign such role to either organization or role in
>     midpoint and it will provision corresponding group to LDAP.
>
>     Please refer also to:
>     https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
>     https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>     https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
>
>     Regards,
>     Ivan
>
>
>     On 12/04/2014 10:28 AM, dharmendra parakh wrote:
>>     Hi
>>
>>     Is there any out of the box configuration to achieve it, or do I have
>>     to write a connector?
>>
>>     Waiting for response..
>>
>>     Regards
>>     Dharmendra
>>
>>     On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh
>>     <dharm.parakh at gmail.com> wrote:
>>
>>         Hi
>>
>>         I was playing around with the LDAP connector bundled with
>>         midPoint. It works well for creating user accounts and user
>>         group assignment.
>>
>>         I want to create an LDAP group. Is it possible using the same
>>         connector to provision an LDAP group on the target LDAP resource,
>>         basically a groupOfUniqueNames or a posixGroup?
>>
>>         If possible, please point me to the documentation which I can
>>         refer to and configure it.
>>
>>
>>         Thanks
>>         Dharmendra Parakh
>>
>>
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."

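As an added illustration of the kind/intent lookup described in the reply above (example code written for this page, not part of midPoint or of the thread): a small Python check that parses a role and a resource definition, resolves every construction to the schemaHandling objectType it selects, applies the account/default fallback when kind/intent are omitted, and reports the object class that would be provisioned. The XML is constructed for the example and reuses the OIDs quoted in the thread; the account/default objectType and the AccountObjectClass name are assumptions.

```python
import xml.etree.ElementTree as ET

COMMON_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": COMMON_NS}

# midPoint falls back to these when a construction omits <kind>/<intent>;
# that is the case in which a "group" role silently provisions an account.
DEFAULT_KIND = "account"
DEFAULT_INTENT = "default"

# Constructed sample role: the first inducement matches the thread, the
# second deliberately omits kind/intent to show the fallback.
ROLE_XML = """\
<role oid="00000000-dc00-dc00-0004-000000000010"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Role for org. structure replication to directory</name>
  <inducement>
    <construction>
      <resourceRef oid="00000000-dc00-dc00-0001-100000000002"/>
      <kind>entitlement</kind>
      <intent>billing-group</intent>
    </construction>
  </inducement>
  <inducement>
    <construction>
      <resourceRef oid="00000000-dc00-dc00-0001-100000000002"/>
    </construction>
  </inducement>
</role>
"""

# Constructed sample resource; the account/default objectType is assumed.
RESOURCE_XML = """\
<resource oid="00000000-dc00-dc00-0001-100000000002"
          xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <default>true</default>
      <objectClass>ri:AccountObjectClass</objectClass>
    </objectType>
    <objectType>
      <kind>entitlement</kind>
      <intent>billing-group</intent>
      <default>false</default>
      <objectClass>ri:GroupObjectClass</objectClass>
    </objectType>
  </schemaHandling>
</resource>
"""


def _child_text(elem, tag, default=None):
    """Text of the first <tag> child in the common namespace, or default."""
    child = elem.find(f"c:{tag}", NS)
    if child is None or child.text is None or not child.text.strip():
        return default
    return child.text.strip()


def object_types(resource_xml):
    """Return (resource oid, {(kind, intent): objectClass local name})."""
    root = ET.fromstring(resource_xml)
    types = {}
    for ot in root.findall("c:schemaHandling/c:objectType", NS):
        kind = _child_text(ot, "kind", DEFAULT_KIND)
        intent = _child_text(ot, "intent", DEFAULT_INTENT)
        object_class = _child_text(ot, "objectClass", "")
        types[(kind, intent)] = object_class.split(":")[-1]  # drop "ri:" prefix
    return root.get("oid"), types


def check_role(role_xml, resources):
    """Resolve each construction in the role against the known resources.

    resources maps a resource oid to the dict produced by object_types().
    A finding records the effective kind/intent, whether the defaults were
    applied, and the object class that would be provisioned (None if no
    objectType matches).
    """
    root = ET.fromstring(role_xml)
    findings = []
    holders = root.findall("c:inducement", NS) + root.findall("c:assignment", NS)
    for holder in holders:
        construction = holder.find("c:construction", NS)
        if construction is None:
            continue  # e.g. an assignment of another role, not a construction
        ref = construction.find("c:resourceRef", NS)
        resource_oid = ref.get("oid") if ref is not None else None
        kind = _child_text(construction, "kind", DEFAULT_KIND)
        intent = _child_text(construction, "intent", DEFAULT_INTENT)
        defaulted = (construction.find("c:kind", NS) is None
                     or construction.find("c:intent", NS) is None)
        findings.append({
            "resource": resource_oid,
            "kind": kind,
            "intent": intent,
            "defaulted": defaulted,
            "object_class": resources.get(resource_oid, {}).get((kind, intent)),
        })
    return findings


if __name__ == "__main__":
    oid, types = object_types(RESOURCE_XML)
    for f in check_role(ROLE_XML, {oid: types}):
        note = " (kind/intent defaulted)" if f["defaulted"] else ""
        print(f"{f['kind']}/{f['intent']} -> {f['object_class']}{note}")
```

Run against the two documents, the first inducement resolves to GroupObjectClass and the second, which omits kind/intent, resolves to AccountObjectClass with the defaulted flag set, which is the symptom to look for when a role meant to create groups produces inetOrgPerson entries instead.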