[midPoint] LDAP Group Creation

Ivan Noris ivan.noris at evolveum.com
Thu Dec 4 14:00:48 CET 2014


Hi,

defining kind/intent is currently not possible in the GUI, only in XML. This
will be enhanced in the near future.

Can you send the resource? Thank you.

I.

On 12/04/2014 01:40 PM, dharmendra parakh wrote:
> Hi
>
> Thanks for all the information.
>
> I added the resource inducement to the role, but the kind and intent
> information was not added to the role definition, so I modified the XML
> and added
>
> <kind>entitlement</kind>
> <intent>ldapGroup</intent>
>
> in inducement construction as per my resource configuration.
>
> Now I assigned my role to an organization; it goes and tries to create an
> object of groupOfNames, but the operation fails because there was no member
> added to the group, and member is a required attribute in the groupOfNames
> objectclass.
> So where do we have to add the member DN, and how can we do that?
>
> Regards
> Dharmendra
>
>
>
> On Thu, Dec 4, 2014 at 4:29 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>
>     Hi Dharmendra,
>
>     this is my sample role for organization (or a fragment of it),
>     which I assign to the organizations in midPoint. This role will
>     cause provisioning to LDAP:
>
>     <role oid="00000000-dc00-dc00-0004-000000000010"
>           xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>           xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>           xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>           xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
>         <name>Role for org. structure replication to directory</name>
>     . . .
>         <inducement>
>             <construction>
>                 <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
>                 <kind>entitlement</kind>
>                 <intent>billing-group</intent>
>             </construction>
>         </inducement>
>     . . .
>
>     This means that I have to have a resource (my oid is
>     "00000000-dc00-dc00-0001-100000000002"), where I have defined:
>     <schemaHandling>
>     . . .
>             <objectType>
>                 <kind>entitlement</kind>
>                 <intent>billing-group</intent>
>                 <displayName>Group for billing</displayName>
>                 <default>false</default>
>                 <objectClass>ri:GroupObjectClass</objectClass>
>                 <attribute>
>                     <ref>icfs:name</ref> <!-- required attribute on AD -->
>                     <matchingRule>mr:stringIgnoreCase</matchingRule>
>                     <outbound>
>     . . .
>     rest of outbounds needed for group attributes here
>     . . .
>
>     So, if *role gets assigned to my organization in midPoint (Edit
>     organization, and add the role to Assignments, not inducements)*,
>     it will construct an object of type entitlement, kind of
>     billing-group. The schemaHandling associates entitlement/kind with
>     objectClass=GroupObjectClass. So provisioning will create a group,
>     not an account. The attributes for the group are based on your schema
>     handling expressions for the entitlement/billing-group.
>
>     If the role does not specify kind/intent, defaults are used
>     (kind=account, intent=default). So this may cause creating
>     accounts instead of groups ...
>
>     If everything works, you may have the role automatically assigned
>     to all organizations in midPoint as they are created. But I will
>     do this only if everything works, because it's easier to debug.
>
>     Hope this helps,
>     regards,
>     Ivan
>
>
>
>     On 12/04/2014 11:46 AM, dharmendra parakh wrote:
>>     Hi Ivan 
>>
>>     Thanks for the information. I have this already configured in my
>>     LDAP resource.
>>
>>     I went through all these documents and then I tried to implement
>>     the same synchronization technique.
>>
>>     So I created a role MetaRole and added the LDAP resource as an
>>     inducement (I did not fill in any information in the resource form).
>>     Then I created another role, and when I try to add that MetaRole
>>     as an assignment to this role I am getting an error saying:
>>
>>     Couldn't add object. Schema violation: Schema violation during
>>     processing shadow: shadow: null (OID:null): Schema violation:
>>     javax.naming.directory.SchemaViolationException([LDAP: error code
>>     65 - object class 'inetOrgPerson' requires attribute 'sn']
>>
>>     I am confused why it is trying to create inetOrgPerson object
>>     instead of groupOfNames.
>>
>>     Is it a configuration issue, or am I doing something wrong? Can
>>     you help me figure this out? My resource configuration is
>>     attached just for your reference.
>>
>>
>>     Regards
>>     Dharmendra
>>
>>
>>     On Thu, Dec 4, 2014 at 3:07 PM, Ivan Noris
>>     <ivan.noris at evolveum.com> wrote:
>>
>>         Hi,
>>
>>         you don't need a new connector to create LDAP groups. Just
>>         configuration in midPoint: a new schemaHandling <objectType>
>>         and the corresponding <synchronization><objectType> parts for
>>         kind=entitlement and intent=group.
>>
>>         For example you may check the sample:
>>         samples/resources/opendj/opendj-resource-genericsync.xml to
>>         see how it can be configured.
>>
>>         After you have this configured, you can create a role which
>>         will construct the kind=entitlement,intent=group object on
>>         the LDAP resource.
>>
>>         Then you assign such a role to either an organization or a role in
>>         midPoint, and it will provision the corresponding group to LDAP.
>>
>>         Please refer also to:
>>         https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
>>         https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>>         https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
>>
>>         Regards,
>>         Ivan
>>
>>
>>         On 12/04/2014 10:28 AM, dharmendra parakh wrote:
>>>         HI
>>>
>>>         Is there any out of the box configuration to achieve it, or do I
>>>         have to write a connector?
>>>
>>>         Waiting for response..
>>>
>>>         Regards
>>>         Dharmendra
>>>
>>>         On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh
>>>         <dharm.parakh at gmail.com> wrote:
>>>
>>>             Hi
>>>
>>>             I was playing around with the LDAP connector bundled with
>>>             midPoint. It works well for creating user accounts and
>>>             user group assignment.
>>>
>>>             I want to create an LDAP group. Is it possible, using the
>>>             same connector, to provision an LDAP group on the target LDAP
>>>             resource, basically a groupOfUniqueNames or a posixGroup?
>>>
>>>             If possible, please point me to the documentation which I
>>>             can refer to and configure it.
>>>
>>>
>>>             Thanks
>>>             Dharmendra Parakh
>>>
>>>
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>         -- 
>>           Ing. Ivan Noris
>>           Senior Identity Management Engineer
>>           evolveum.com     evolveum.com/blog/
>>           _____________________________________________
>>           "Semper Id(e)M Vix."
>>
>>
>>
>>
>
>
>

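Added example (not code from the thread or from midPoint): a small Python consistency check for the pitfall Ivan describes above, where a construction without explicit kind/intent falls back to kind=account, intent=default and the role provisions an account object class instead of a group. The sample resource and role are constructed from the thread's fragments; the intent name ldapGroup and the ri: objectClass names are assumptions.

```python
# Added example, not code from the thread: does each construction in a midPoint
# role resolve to an objectType in the resource's schemaHandling? A construction
# without kind/intent falls back to account/default, creating an inetOrgPerson.
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed sample resource (intent name and objectClasses are assumptions).
RESOURCE_XML = """<resource oid="00000000-dc00-dc00-0001-100000000002"
  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <schemaHandling>
    <objectType><kind>account</kind><intent>default</intent>
      <objectClass>ri:inetOrgPerson</objectClass></objectType>
    <objectType><kind>entitlement</kind><intent>ldapGroup</intent>
      <objectClass>ri:groupOfNames</objectClass></objectType>
  </schemaHandling></resource>"""

# Constructed sample role: first inducement is correct, second omits kind/intent.
ROLE_XML = """<role oid="00000000-dc00-dc00-0004-000000000010"
  xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
  xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <inducement><construction>
    <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
    <kind>entitlement</kind><intent>ldapGroup</intent>
  </construction></inducement>
  <inducement><construction>
    <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
  </construction></inducement></role>"""

def schema_types(resource_xml):
    """Map (kind, intent) -> objectClass for every schemaHandling objectType."""
    types = {}
    for ot in ET.fromstring(resource_xml).findall("c:schemaHandling/c:objectType", NS):
        key = (ot.findtext("c:kind", "account", NS), ot.findtext("c:intent", "default", NS))
        types[key] = ot.findtext("c:objectClass", None, NS)
    return types

def check_role(role_xml, resource_xml):
    """One finding per construction: effective kind/intent and the objectClass provisioned."""
    types = schema_types(resource_xml)
    findings = []
    for con in ET.fromstring(role_xml).findall(".//c:inducement/c:construction", NS):
        kind = con.findtext("c:kind", "account", NS)      # midPoint defaults apply
        intent = con.findtext("c:intent", "default", NS)  # when the tags are absent
        findings.append({"kind": kind, "intent": intent,
                         "explicit": con.find("c:kind", NS) is not None,
                         "objectClass": types.get((kind, intent))})
    return findings
```

A finding with "explicit": False whose objectClass is the account class is exactly the misconfiguration behind the "object class 'inetOrgPerson' requires attribute 'sn'" error quoted earlier in the thread.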
