[midPoint] LDAP Group Creation

Ivan Noris ivan.noris at evolveum.com
Thu Dec 4 15:07:25 CET 2014


OK, so now I know...

Seems you are using OpenLDAP... and its GroupOfNames objectClass
requires having at least one member of any group.

So there are basically 3 options:
1) having one static (dummy) member in each group - which you probably
have even now, before you tried to test midPoint
2) modification of schema in OpenLDAP
3) another directory server

From these options, 1) seems to be the fastest and with no collateral
damage.

So the mapping you have for ri:member can be either in the role or in
the resource schemaHandling for this kind/intent combination.

From your schema I see that the following can be used:
- CustomposixGroupObjectClass (corresponding to LDAP's posixGroup) with
memberUid attribute
- GroupObjectClass (corresponding perhaps to GroupOfUniqueNames?
connector hides this as __GROUP__) with
- CustomGroupOfNamesObjectClass (corresponding to LDAP's groupOfNames)
with member attribute - this is what you use now

If you need to create groups of more than one type, you need to extend
your resource configuration (almost copy/paste from what you have now
for CustomGroupOfNamesObjectClass, but with a different objectClass and
intent). The kind will be entitlement for all of them.

Regards,
Ivan
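As an added example (not from the original thread or the midPoint project), this is what extending the resource for a second group type, as suggested in the reply above, could look like: a schemaHandling objectType for the ri:CustomposixGroupObjectClass listed above, plus a role inducement that constructs it and supplies the static member that the dummy-member workaround (option 1) relies on. The intent name posixGroup, the displayName, the ri:cn and ri:gidNumber attribute mappings, the `$focus/name` source mapping, the group base DN and the resource OID are assumptions, not taken from the thread; the element structure mirrors the fragments quoted in the thread.

```xml
<!-- Added example, not from the original thread.
     Part 1: resource schemaHandling fragment for a second group type
     (posixGroup) beside the existing groupOfNames type. The intent
     name, displayName, attribute mappings and base DN are assumptions. -->
<schemaHandling>
    <objectType>
        <kind>entitlement</kind>
        <intent>posixGroup</intent>
        <displayName>POSIX group</displayName>
        <default>false</default>
        <objectClass>ri:CustomposixGroupObjectClass</objectClass>
        <attribute>
            <!-- DN of the group, built from the name of the org/role the
                 role is assigned to; "ou=groups,dc=example,dc=com" is a placeholder -->
            <ref>icfs:name</ref>
            <matchingRule>mr:stringIgnoreCase</matchingRule>
            <outbound>
                <source>
                    <path>$focus/name</path>
                </source>
                <expression>
                    <script>
                        <code>'cn=' + name + ',ou=groups,dc=example,dc=com'</code>
                    </script>
                </expression>
            </outbound>
        </attribute>
        <attribute>
            <!-- cn is a required attribute of posixGroup (RFC 2307);
                 mapped from the same focus name -->
            <ref>ri:cn</ref>
            <outbound>
                <source>
                    <path>$focus/name</path>
                </source>
            </outbound>
        </attribute>
    </objectType>
</schemaHandling>

<!-- Part 2: role inducement constructing the posixGroup entitlement.
     The static memberUid is the dummy-member workaround (option 1 above);
     the resource OID, the uid value and the gidNumber are placeholders. -->
<inducement id="2">
    <construction>
        <resourceRef oid="00000000-0000-0000-0000-000000000000" type="ResourceType"/>
        <kind>entitlement</kind>
        <intent>posixGroup</intent>
        <attribute>
            <!-- memberUid holds a uid string, not a DN (unlike member in groupOfNames) -->
            <ref>ri:memberUid</ref>
            <outbound>
                <expression>
                    <value>dummy-member</value>
                </expression>
            </outbound>
        </attribute>
        <attribute>
            <!-- gidNumber is also required by posixGroup (RFC 2307); a constant
                 is only a placeholder, a real deployment needs a unique gid per group -->
            <ref>ri:gidNumber</ref>
            <outbound>
                <expression>
                    <value>10001</value>
                </expression>
            </outbound>
        </attribute>
    </construction>
</inducement>
```

Two points a practitioner would check before relying on this: first, a required-attribute failure of the kind seen in this thread (member for groupOfNames) recurs for posixGroup if cn or gidNumber is left unmapped, so each objectClass's MUST attributes need an outbound mapping; second, the static member is placed into every group midPoint creates, so it should be an entry that cannot authenticate (no password, or a dedicated placeholder object) rather than a real user such as jodoe, because membership in every provisioned group would otherwise grant that account whatever access those groups carry.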

On 12/04/2014 02:20 PM, dharmendra parakh wrote:
> Hi Ivan
>
> I figured it out. I modified my role definition and added the member
> attribute to it, for example:
>
> <inducement id="1">
>     <construction>
>         <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="ResourceType"/>
>         <kind>entitlement</kind>
>         <intent>ldapGroup</intent>
>         <attribute>
>             <ref>ri:member</ref>
>             <outbound>
>                 <expression>
>                     <value>uid=jodoe,dc=example,dc=com</value>
>                 </expression>
>             </outbound>
>         </attribute>
>     </construction>
> </inducement>
>
> Now when I assign this role to any other role or organization it
> creates an LDAP group with that role/organization name.
>
>
> Now I have a few questions:
>
> Q. Is this the right way to add the member attribute?
>
> Q. To make the role of kind "entitlement", do we always have to update
> the XML to add kind, intent and member information?
>
> Q. When I make any changes, e.g. when I changed the role name, the
> member information was gone from my role. Is it an issue, or can we not
> change this?
>
> Q. What types of groups are supported with this LDAP connector, like
> groupOfUniqueNames and posixGroup?
>
>
>
>
> Thanks
> Dharmendra
>
>
>
>
> On Thu, Dec 4, 2014 at 6:10 PM, dharmendra parakh
> <dharm.parakh at gmail.com> wrote:
>
>     Hi
>
>     Thanks for all the information.
>
>     I added the resource inducement to the role but kind and intent
>     information was not added to the role definition, so I modified the
>     XML and added
>
>     <kind>entitlement</kind>
>     <intent>ldapGroup</intent>
>
>     in inducement construction as per my resource configuration.
>
>     Now I assigned my role to an organization; it goes and tries to
>     create an object of groupOfNames, but the operation fails because there
>     was no member added to the group and member is a required attribute in
>     the groupOfNames objectclass.
>     So where do we have to add the member DN and how can we do that?
>
>     Regards
>     Dharmendra
>
>
>
>     On Thu, Dec 4, 2014 at 4:29 PM, Ivan Noris
>     <ivan.noris at evolveum.com> wrote:
>
>         Hi Dharmendra,
>
>         this is my sample role for an organization (or a fragment of it),
>         which I assign to the organizations in midPoint. This role
>         will cause provisioning to LDAP:
>
>         <role oid="00000000-dc00-dc00-0004-000000000010"
>               xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>               xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>               xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>               xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
>             <name>Role for org. structure replication to directory</name>
>         . . .
>             <inducement>
>                 <construction>
>                     <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
>                     <kind>entitlement</kind>
>                     <intent>billing-group</intent>
>                 </construction>
>             </inducement>
>         . . .
>
>         This means that I have to have a resource (my oid is
>         "00000000-dc00-dc00-0001-100000000002"), where I have defined:
>         <schemaHandling>
>         . . .
>             <objectType>
>                 <kind>entitlement</kind>
>                 <intent>billing-group</intent>
>                 <displayName>Group for billing</displayName>
>                 <default>false</default>
>                 <objectClass>ri:GroupObjectClass</objectClass>
>                 <attribute>
>                     <ref>icfs:name</ref> <!-- required attribute on AD -->
>                     <matchingRule>mr:stringIgnoreCase</matchingRule>
>                     <outbound>
>         . . .
>         rest of outbounds needed for group attributes here
>         . . .
>
>         So, if the role gets assigned to my organization in midPoint
>         (Edit organization, and add the role to Assignments, not
>         inducements), it will construct an object of type entitlement,
>         kind of billing-group. The schemaHandling associates
>         entitlement/kind with objectClass=GroupObjectClass. So
>         provisioning will create a group, not an account. The attributes
>         for the group are based on your schema handling expressions
>         for the entitlement/billing-group.
>
>         If the role does not specify kind/intent, defaults are used
>         (kind=account, intent=default). So this may cause creating
>         accounts instead of groups ...
>
>         If everything works, you may have the role automatically
>         assigned to all organizations in midPoint as they are created.
>         But I will do this only if everything works, because it's
>         easier to debug.
>
>         Hope this helps,
>         regards,
>         Ivan
>
>
>
>         On 12/04/2014 11:46 AM, dharmendra parakh wrote:
>>         Hi Ivan 
>>
>>         Thanks for the information. I have this already configured in
>>         my LDAP resource.
>>
>>         I went through all these documents and then I tried to
>>         implement the same synchronization technique.
>>
>>         So I created a role MetaRole and added the LDAP resource as an
>>         inducement (I did not fill in any information in the resource form).
>>         Then I created another role and when I try to add that
>>         MetaRole as an assignment to this role I am getting an error
>>         saying:
>>
>>         Couldn't add object. Schema violation: Schema violation
>>         during processing shadow: shadow: null (OID:null): Schema
>>         violation:
>>         javax.naming.directory.SchemaViolationException([LDAP: error
>>         code 65 - object class 'inetOrgPerson' requires attribute 'sn']
>>
>>         I am confused why it is trying to create an inetOrgPerson object
>>         instead of groupOfNames.
>>
>>         Is it a configuration issue or am I doing something wrong?
>>         Can you help me figure this out. My resource configuration
>>         is attached just for your reference.
>>
>>
>>         Regards
>>         Dharmendra
>>
>>
>>         On Thu, Dec 4, 2014 at 3:07 PM, Ivan Noris
>>         <ivan.noris at evolveum.com> wrote:
>>
>>             Hi,
>>
>>             you don't need a new connector to create LDAP groups. Just
>>             configuration in midPoint: a new schemaHandling
>>             <objectType> and corresponding
>>             <synchronization><objectType> parts for kind=entitlement
>>             and intent=group.
>>
>>             For example you may check the sample:
>>             samples/resources/opendj/opendj-resource-genericsync.xml
>>             to see how it can be configured.
>>
>>             After you have this configured, you can create a role
>>             which will construct the kind=entitlement,intent=group
>>             object on the LDAP resource.
>>
>>             Then you assign such a role to either an organization or a role
>>             in midPoint and it will provision the corresponding group to
>>             LDAP.
>>
>>             Please refer also to:
>>             https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
>>             https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>>             https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
>>
>>             Regards,
>>             Ivan
>>
>>
>>             On 12/04/2014 10:28 AM, dharmendra parakh wrote:
>>>             Hi
>>>
>>>             Is there any out-of-the-box configuration to achieve it,
>>>             or do I have to write a connector?
>>>
>>>             Waiting for response..
>>>
>>>             Regards
>>>             Dharmendra
>>>
>>>             On Wed, Dec 3, 2014 at 7:00 PM, dharmendra parakh
>>>             <dharm.parakh at gmail.com> wrote:
>>>
>>>                 Hi
>>>
>>>                 I was playing around with the LDAP connector bundled
>>>                 with midPoint. It works well for creating user
>>>                 accounts and user group assignment.
>>>
>>>                 I want to create an LDAP group. Is it possible using
>>>                 the same connector to provision an LDAP group on the target
>>>                 LDAP resource, basically a groupOfUniqueNames or a
>>>                 posixGroup?
>>>
>>>                 If possible, please point me to the documentation
>>>                 which I can refer to and configure it.
>>>
>>>
>>>                 Thanks
>>>                 Dharmendra Parakh
>>>
>>>
>>>
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>
>
>
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."
