[midPoint] LDAP Group Creation

dharmendra parakh dharm.parakh at gmail.com
Thu Dec 4 14:20:57 CET 2014


Hi Ivan

I figured it out. I modified my role definition and added the member attribute
to it, for example:

<inducement id="1">
    <construction>
        <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="ResourceType"/>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
        <attribute>
            <ref>ri:member</ref>
            <outbound>
                <expression>
                    <value>uid=jodoe,dc=example,dc=com</value>
                </expression>
            </outbound>
        </attribute>
    </construction>
</inducement>

Now when I assign this role to any other role or organization, it creates an
LDAP group with that role/organization name.


Now I have a few questions:

Q. Is it the right way to add the member attribute?

Q. To make the role of kind "entitlement", do we always have to update the
XML to add kind, intent and member information?

Q. When I make any changes, like changing the role name, the member
information is gone from my role. Is it an issue or can we not change this?

Q. Which group types are supported with this LDAP connector, like
groupOfUniqueNames and posixGroup?




Thanks
Dharmendra




On Thu, Dec 4, 2014 at 6:10 PM, dharmendra parakh <dharm.parakh at gmail.com>
wrote:

> Hi
>
> Thanks for all the information.
>
> I added the resource inducement to the role but the kind and intent
> information was not added to the role definition, so I modified the XML and
> added
>
> <kind>entitlement</kind>
> <intent>ldapGroup</intent>
>
> in inducement construction as per my resource configuration.
>
> Now I assigned my role to an organization. It goes and tries to create an object
> of groupOfNames but the operation fails because there was no member added to
> the group, and member is a required attribute in the groupOfNames objectclass.
> So where do we have to add the member DN and how can we do that?
>
> Regards
> Dharmendra
>
>
>
> On Thu, Dec 4, 2014 at 4:29 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi Dharmendra,
>>
>> this is my sample role for organization (or a fragment of it), which I
>> assign to the organizations in midPoint. This role will cause provisioning
>> to LDAP:
>>
>> <role oid="00000000-dc00-dc00-0004-000000000010"
>>       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>       xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
>>     <name>Role for org. structure replication to directory</name>
>>
>> . . .
>>     <inducement>
>>         <construction>
>>             <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
>>             <kind>entitlement</kind>
>>             <intent>billing-group</intent>
>>         </construction>
>>     </inducement>
>> . . .
>>
>> This means that I have to have a resource (my oid is
>> "00000000-dc00-dc00-0001-100000000002"), where I have defined:
>> <schemaHandling>
>> . . .
>>         <objectType>
>>             <kind>entitlement</kind>
>>             <intent>billing-group</intent>
>>             <displayName>Group for billing</displayName>
>>             <default>false</default>
>>             <objectClass>ri:GroupObjectClass</objectClass>
>>             <attribute>
>>                 <ref>icfs:name</ref> <!-- required attribute on AD -->
>>                 <matchingRule>mr:stringIgnoreCase</matchingRule>
>>                 <outbound>
>> . . .
>> rest of outbounds needed for group attributes here
>> . . .
>>
>> So, if the role gets assigned to my organization in midPoint (Edit
>> organization, and add the role to Assignments, not inducements), it
>> will construct an object of type entitlement, kind of billing-group. The
>> schemaHandling associates entitlement/kind with
>> objectClass=GroupObjectClass. So provisioning will create a group, not an
>> account. The attributes for the group are based on your schema handling
>> expressions for the entitlement/billing-group.
>>
>> If the role does not specify kind/intent, defaults are used
>> (kind=account, intent=default). So this may cause creating accounts instead
>> of groups ...
>>
>> If everything works, you may have the role automatically assigned to all
>> organizations in midPoint as they are created. But I will do this only if
>> everything works, because it's easier to debug.
>>
>> Hope this helps,
>> regards,
>> Ivan
>>
>>
>>
>> On 12/04/2014 11:46 AM, dharmendra parakh wrote:
>>
>> Hi Ivan
>>
>>  Thanks for the information. I have this already configured in my LDAP
>> resource.
>>
>> I went through all these documents and then I tried to implement the
>> same synchronization technique.
>>
>> So I created a role MetaRole and added the LDAP resource as an inducement
>> (I did not fill in any information in the resource form).
>> Then I created another role, and when I try to add that MetaRole as an
>> assignment to this role I am getting an error saying:
>>
>>  Couldn't add object. Schema violation: Schema violation during
>> processing shadow: shadow: null (OID:null): Schema violation:
>> javax.naming.directory.SchemaViolationException([LDAP: error code 65 -
>> object class 'inetOrgPerson' requires attribute 'sn']
>>
>>  I am confused why it is trying to create inetOrgPerson object instead
>> of groupOfNames.
>>
>> Is it a configuration issue or am I doing something wrong? Can you help
>> me figure this out? My resource configuration is attached just for your
>> reference.
>>
>>
>>  Regards
>> Dharmendra
>>
>>
>> On Thu, Dec 4, 2014 at 3:07 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi,
>>>
>>> you don't need a new connector to create LDAP groups. Just configuration
>>> in midPoint: a new schemaHandling <objectType> and the corresponding
>>> <synchronization><objectType> parts for kind=entitlement and intent=group.
>>>
>>> For example you may check the sample:
>>> samples/resources/opendj/opendj-resource-genericsync.xml to see how it can
>>> be configured.
>>>
>>> After you have this configured, you can create a role which will
>>> construct the kind=entitlement,intent=group object on the LDAP resource.
>>>
>>> Then you assign such a role to either an organization or a role in midPoint and
>>> it will provision the corresponding group to LDAP.
>>>
>>> Please refer also to:
>>> https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
>>> https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>>>
>>> https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
>>>
>>> Regards,
>>> Ivan
>>>
>>>
>>> On 12/04/2014 10:28 AM, dharmendra parakh wrote:
>>>
>>> Hi
>>>
>>> Is there any out-of-the-box configuration to achieve it, or do I have to
>>> write a connector?
>>>
>>>  Waiting for response..
>>>
>>>  Regards
>>> Dharmendra
>>>
>>> On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh <
>>> dharm.parakh at gmail.com> wrote:
>>>
>>>> Hi
>>>>
>>>> I was playing around with the LDAP connector bundled with midPoint. It
>>>> works well for creating user accounts and user group assignment.
>>>>
>>>> I want to create an LDAP group. Is it possible to provision an LDAP group
>>>> on the target LDAP resource using the same connector, basically a
>>>> groupOfUniqueNames or a posixGroup?
>>>>
>>>> If possible, please point me to the documentation I can refer to and
>>>> configure it.
>>>>
>>>>
>>>>  Thanks
>>>>  Dharmendra Parakh
>>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>> --
>>>   Ing. Ivan Noris
>>>   Senior Identity Management Engineer
>>>   evolveum.com     evolveum.com/blog/
>>>   _____________________________________________
>>>   "Semper Id(e)M Vix."
>>>
>>>
>>>
>>
>> --
>>   Ing. Ivan Noris
>>   Senior Identity Management Engineer
>>   evolveum.com     evolveum.com/blog/
>>   _____________________________________________
>>   "Semper Id(e)M Vix."
>>
>>
>
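As an added example (not from this thread or the midPoint samples), here is the resource-side schemaHandling fragment for the entitlement/ldapGroup object type that the role inducement at the top points at: the group DN is derived from the name of the role or organization the role is assigned to, a placeholder member satisfies the required groupOfNames attribute at create time, and an association on the account object type manages real membership. The ou=groups DN suffix, the ri:group association name and the ri:GroupObjectClass/ri:AccountObjectClass class names are assumptions to check against the schema your connector exposes.

```xml
<schemaHandling>
  <!-- Group object type: one LDAP group per role/org the inducing role is assigned to -->
  <objectType>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <displayName>LDAP group</displayName>
    <default>false</default>
    <objectClass>ri:GroupObjectClass</objectClass>   <!-- assumed: connector's group class -->
    <attribute>
      <ref>icfs:name</ref>   <!-- the group DN -->
      <matchingRule>mr:stringIgnoreCase</matchingRule>
      <outbound>
        <strength>strong</strength>
        <source>
          <path>$focus/name</path>   <!-- name of the org/role being provisioned -->
        </source>
        <expression>
          <script>
            <code>'cn=' + name + ',ou=groups,dc=example,dc=com'</code>   <!-- assumed suffix -->
          </script>
        </expression>
      </outbound>
    </attribute>
    <attribute>
      <ref>ri:member</ref>
      <outbound>
        <!-- groupOfNames needs at least one member at create time; constructed placeholder DN -->
        <expression>
          <value>uid=jodoe,dc=example,dc=com</value>
        </expression>
      </outbound>
    </attribute>
  </objectType>
  <!-- Account object type: actual membership is driven from the account side -->
  <objectType>
    <kind>account</kind>
    <intent>default</intent>
    <default>true</default>
    <objectClass>ri:AccountObjectClass</objectClass>   <!-- assumed: connector's account class -->
    <association>
      <ref>ri:group</ref>                     <!-- assumed association name -->
      <kind>entitlement</kind>
      <intent>ldapGroup</intent>
      <direction>objectToSubject</direction>  <!-- the member DN is stored on the group entry -->
      <associationAttribute>ri:member</associationAttribute>
      <valueAttribute>icfs:name</valueAttribute>
    </association>
  </objectType>
</schemaHandling>
```

With the member value defined on the resource side, the role inducement only needs resourceRef, kind and intent, so renaming the role does not touch the member mapping.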