[midPoint] LDAP Group Creation

Ivan Noris ivan.noris at evolveum.com
Thu Dec 4 14:39:13 CET 2014


Hi Dharmendra,

Your fix is OK, but it means that every group created by you will have
this member...

Anyway, I'd like to see the resource configuration, because in my
deployments on LDAP I must have been using another group type, as I
never needed to put a member there.

See answers below:

On 12/04/2014 02:20 PM, dharmendra parakh wrote:
> Hi Ivan
>
> I figured it out. I modified my role definition and added the member
> attribute to it, for example:
>
> <inducement id="1">
>    <construction>
>       <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="ResourceType"/>
>       <kind>entitlement</kind>
>       <intent>ldapGroup</intent>
>       <attribute>
>          <ref>ri:member</ref>
>          <outbound>
>             <expression>
>                <value>uid=jodoe,dc=example,dc=com</value>
>             </expression>
>          </outbound>
>       </attribute>
>    </construction>
> </inducement>
>
> Now when I assign this role to any other role or organization it
> creates an LDAP group with that role/organization name.
>
>
> Now I have a few questions:
>
> Q. Is it the right way to add the member attribute?

I doubt it. I could create groups without this mandatory member.
What directory server are you using? I was testing on OpenDJ.

>
> Q. To make the role of kind "entitlement", do we always have to update
> the XML to add kind, intent and member information?
>
Only when you create a role which has a construction for something
other than the default account. As I said, this will be enhanced.


> Q. When I make any changes, for example when I changed the role name, the
> member information was gone from my role. Is it an issue, or can we not
> change this?

This seems to be a bug. Changing the role name is definitely OK. I would set
the member in the schema handling of the resource, though.

>
> Q. What types of group are supported with this LDAP connector, like
> groupOfUniqueNames and posixGroup?

Everything that is in the schema fetched from the resource.

You can go to Configuration - Repository objects - Resource, open your
LDAP resource and check the contents of <schema>..</schema>. Those are
all the types that can be provisioned.

I.

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."
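An added configuration sketch of the alternative Ivan suggests in his reply: defining the `ri:member` default once in the resource's schema handling for the `entitlement`/`ldapGroup` object type, so that individual roles no longer carry a hard-coded DN in their construction. This is not code from the thread or from the midPoint project. The `schemaHandling`, `objectType` and `objectClass` element names, the `ri:groupOfNames` object class (the one whose `member` attribute Dharmendra is populating) and the `weak` mapping strength are assumptions about the midPoint resource schema of that time; the placeholder DN is constructed. Verify the attribute and object class names against the `<schema>` fetched from your own directory, as described above.

```xml
<!-- Added example, not from the thread or the midPoint project.
     Assumed: schemaHandling/objectType/objectClass element names,
     ri:groupOfNames, and the "weak" mapping strength. The placeholder DN
     is constructed. Check all names against the resource's fetched <schema>. -->

<!-- Fragment 1: resource definition, resource-wide default for ri:member -->
<schemaHandling>
   <objectType>
      <kind>entitlement</kind>
      <intent>ldapGroup</intent>
      <displayName>LDAP group</displayName>
      <objectClass>ri:groupOfNames</objectClass>
      <attribute>
         <ref>ri:member</ref>
         <outbound>
            <!-- weak: the value is used only when no member is present yet,
                 so it satisfies a directory that requires at least one
                 member without overwriting real membership later -->
            <strength>weak</strength>
            <expression>
               <!-- a dedicated, non-login placeholder object rather than a
                    real user: a real user DN here would silently make that
                    person a member of every group midPoint creates -->
               <value>cn=group-placeholder,ou=system,dc=example,dc=com</value>
            </expression>
         </outbound>
      </attribute>
   </objectType>
</schemaHandling>

<!-- Fragment 2: the role then only names the object type; no per-role
     member value, so renaming the role has nothing to lose -->
<inducement id="1">
   <construction>
      <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="ResourceType"/>
      <kind>entitlement</kind>
      <intent>ldapGroup</intent>
   </construction>
</inducement>
```

After applying the resource change, recompute or re-provision one test role and confirm in the directory that the created group carries only the placeholder DN; any group that instead lists a real account such as `uid=jodoe` still has the old per-role value and should be cleaned up, since that account is effectively granted whatever the group entitles.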