[midPoint] LDAP Group Creation

dharmendra parakh dharm.parakh at gmail.com
Thu Dec 4 13:40:58 CET 2014


Hi

Thanks for all the information.

I added the resource inducement to the role, but kind and intent information
was not added to the role definition, so I modified the XML and added

<kind>entitlement</kind>
<intent>ldapGroup</intent>

in the inducement construction as per my resource configuration.

Now I assigned my role to an organization; it goes and tries to create an object
of groupOfNames, but the operation fails because there was no member added to the
group and member is a required attribute in the groupOfNames objectclass.
So where do we have to add the member DN, and how can we do that?

Regards
Dharmendra



On Thu, Dec 4, 2014 at 4:29 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  Hi Dharmendra,
>
> this is my sample role for organization (or a fragment of it), which I
> assign to the organizations in midPoint. This role will cause provisioning
> to LDAP:
>
> <role oid="00000000-dc00-dc00-0004-000000000010"
>         xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>         xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
>     <name>Role for org. structure replication to directory</name>
>
> . . .
>     <inducement>
>         <construction>
>                 <resourceRef oid="00000000-dc00-dc00-0001-100000000002"
> type="c:ResourceType"/>
>                 <kind>entitlement</kind>
>                 <intent>billing-group</intent>
>         </construction>
>     </inducement>
> . . .
>
> This means that I have to have a resource (my oid is
> "00000000-dc00-dc00-0001-100000000002"), where I have defined:
> <schemaHandling>
> . . .
>         <objectType>
>             <kind>entitlement</kind>
>             <intent>billing-group</intent>
>             <displayName>Group for billing</displayName>
>             <default>false</default>
>             <objectClass>ri:GroupObjectClass</objectClass>
>             <attribute>
>                 <ref>icfs:name</ref> <!-- required attribute on AD -->
>                 <matchingRule>mr:stringIgnoreCase</matchingRule>
>                 <outbound>
> . . .
> rest of outbounds needed for group attributes here
> . . .
>
> So, if the role gets assigned to my organization in midPoint (Edit
> organization, and add the role to Assignments, not inducements), it will
> construct an object of type entitlement, kind of billing-group. The
> schemaHandling associates entitlement/kind with
> objectClass=GroupObjectClass. So provisioning will create a group, not an
> account. The attributes for the group are based on your schema handling
> expressions for the entitlement/billing-group.
>
> If the role does not specify kind/intent, defaults are used (kind=account,
> intent=default). So this may cause accounts to be created instead of groups ...
>
> If everything works, you may have the role automatically assigned to all
> organizations in midPoint as they are created. But I will do this only if
> everything works, because it's easier to debug.
>
> Hope this helps,
> regards,
> Ivan
>
>
>
> On 12/04/2014 11:46 AM, dharmendra parakh wrote:
>
> Hi Ivan
>
> Thanks for the information. I have this already configured in my LDAP
> resource.
>
> I went through all these documents and then I tried to implement the
> same synchronization technique.
>
> So I created a role MetaRole and added the LDAP resource as an inducement (I
> did not fill in any information in the resource form).
> Then I created another role, and when I try to add that MetaRole as an
> assignment to this role I am getting an error saying:
>
> Couldn't add object. Schema violation: Schema violation during
> processing shadow: shadow: null (OID:null): Schema violation:
> javax.naming.directory.SchemaViolationException([LDAP: error code 65 -
> object class 'inetOrgPerson' requires attribute 'sn']
>
> I am confused why it is trying to create an inetOrgPerson object instead of
> groupOfNames.
>
> Is it a configuration issue or am I doing something wrong? Can you help
> me figure this out. My resource configuration is attached just for your
> reference.
>
>
> Regards
> Dharmendra
>
>
> On Thu, Dec 4, 2014 at 3:07 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi,
>>
>> you don't need a new connector to create LDAP groups. Just configuration in
>> midPoint: a new schemaHandling <objectType> and corresponding
>> <synchronization><objectType> parts for kind=entitlement and intent=group.
>>
>> For example you may check the sample
>> samples/resources/opendj/opendj-resource-genericsync.xml to see how it can
>> be configured.
>>
>> After you have this configured, you can create a role which will
>> construct the kind=entitlement,intent=group object on the LDAP resource.
>>
>> Then you assign such a role to either an organization or a role in midPoint and
>> it will provision the corresponding group to LDAP.
>>
>> Please refer also to:
>> https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
>> https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>>
>> https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
>>
>> Regards,
>> Ivan
>>
>>
>> On 12/04/2014 10:28 AM, dharmendra parakh wrote:
>>
>> Hi
>>
>> Is there any out-of-the-box configuration to achieve it, or do I have to
>> write a connector?
>>
>> Waiting for response..
>>
>> Regards
>> Dharmendra
>>
>> On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh <dharm.parakh at gmail.com
>> > wrote:
>>
>>> Hi
>>>
>>> I was playing around with the LDAP connector bundled with midPoint. It
>>> works well for creating user accounts and user group assignment.
>>>
>>> I want to create an LDAP group. Is it possible, using the same connector,
>>> to provision an LDAP group on the target LDAP resource? Basically a
>>> groupOfUniqueNames or a posixGroup.
>>>
>>> If possible, please point me to the documentation which I can refer to and
>>> configure it.
>>>
>>>
>>> Thanks
>>> Dharmendra Parakh
>>>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>>
>>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer
>   evolveum.com     evolveum.com/blog/
>   _____________________________________________
>   "Semper Id(e)M Vix."
>
>
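The configuration the thread converges on, as an added worked example that is not code from the thread, from Ivan's role, or from the midPoint samples. It puts Ivan's two pieces together in midPoint's <objects> import wrapper: a schemaHandling objectType for kind=entitlement / intent=ldapGroup bound to the groupOfNames object class, with outbound mappings that derive the group DN and cn from the org's name, and the role whose inducement constructs that object type for any org it is assigned to. It also carries one answer to the last question in the thread, the missing required member: a placeholder member seeded by a weak mapping. Everything not in the thread is an assumption: the OIDs, the ou=groups,dc=example,dc=com suffix, icfs:name as the DN attribute (the ICF LDAP connector convention Ivan's snippet also uses), the $focus variable, the placeholder DN, and the weak-mapping workaround itself. The <synchronization> section Ivan mentions for the inbound direction is not shown.

```xml
<!-- Added example (not from the thread or the midPoint samples). Two objects in
     midPoint's import wrapper: a resource fragment and the role. OIDs, intent
     name, DN suffix and the placeholder DN are made up for illustration. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
         xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
         xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">

  <resource oid="10000000-0000-0000-0000-000000000101">
    <name>LDAP (accounts and groups)</name>
    <!-- connectorRef and connectorConfiguration omitted: reuse the ones from the
         resource that already provisions accounts. -->
    <schemaHandling>
      <!-- kind/intent must match the <construction> in the role below. The
           <objectClass> is what makes midPoint create a group; without a matching
           kind/intent the defaults (account/default) select the account object
           type, which is how an inetOrgPerson ends up being created instead. -->
      <objectType>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
        <displayName>LDAP group (groupOfNames)</displayName>
        <default>false</default>
        <objectClass>ri:groupOfNames</objectClass>

        <!-- ASSUMPTION: ICF LDAP connector, where icfs:name carries the DN.
             $focus is the org the role is assigned to; its name becomes the RDN. -->
        <attribute>
          <ref>icfs:name</ref>
          <displayName>Distinguished Name</displayName>
          <matchingRule>mr:stringIgnoreCase</matchingRule>
          <outbound>
            <strength>strong</strength>
            <source>
              <path>$focus/name</path>
            </source>
            <expression>
              <script>
                <code>'cn=' + name + ',ou=groups,dc=example,dc=com'</code>
              </script>
            </expression>
          </outbound>
        </attribute>

        <attribute>
          <ref>ri:cn</ref>
          <outbound>
            <strength>strong</strength>
            <source>
              <path>$focus/name</path>
            </source>
          </outbound>
        </attribute>

        <!-- ASSUMPTION / workaround for the required member attribute. RFC 4519
             lists member as MUST for groupOfNames, so a directory that enforces it
             (OpenLDAP does, OpenDJ does not) rejects an empty group on add. A weak
             mapping writes the placeholder only while member has no value, so it
             does not compete with real members added later through associations.
             The placeholder is not removed automatically. Check your own schema. -->
        <attribute>
          <ref>ri:member</ref>
          <outbound>
            <strength>weak</strength>
            <expression>
              <value>cn=placeholder,ou=groups,dc=example,dc=com</value>
            </expression>
          </outbound>
        </attribute>
      </objectType>
    </schemaHandling>
  </resource>

  <!-- Assigned to each org (Assignments, not Inducements, on the org). Because
       the construction sits in an inducement of the role, it applies to whoever
       holds the role (the org), not to the role object itself. -->
  <role oid="10000000-0000-0000-0000-000000000201">
    <name>Org to LDAP group</name>
    <inducement>
      <construction>
        <resourceRef oid="10000000-0000-0000-0000-000000000101" type="c:ResourceType"/>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
      </construction>
    </inducement>
  </role>
</objects>
```

Two checks before importing this against a real resource. First, confirm the object class name the connector actually exposes in the resource schema (ri:groupOfNames here; the ICF LDAP connector names object classes after the LDAP structural class, but the resource's cached schema is the authority) and that the kind/intent pair in the role matches the objectType character for character, since a mismatch silently falls back to the account object type. Second, decide whether the member workaround applies at all: it is only needed where the directory schema enforces member as mandatory, and if it is used, plan for the placeholder entry, for example by pointing it at a DN you control and deciding whether anything ever removes it once real members are present.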