[midPoint] Re. Group Membership in an AD Resource.
Ivan Noris
ivan.noris at evolveum.com
Tue Jan 7 17:23:10 CET 2014
Hi Deepak,
I'm using the Active Directory connector to manage accounts in AD, and a
mapping which assigns users to groups. I didn't have to change the resource
schema to use groups; it is available out of the box.
The mapping is for the icfs:groups attribute and midPoint 2.2.x,
although it should still be the same for 2.3.
I've adapted this from actual customer configuration, removing the
customer-specific code, but leaving the XML comments for you:
<attribute>
    <ref>icfs:groups</ref>
    <displayName>Groups</displayName>
    <limitations>
        <access>
            <create>true</create>
            <read>true</read>
            <update>true</update>
        </access>
    </limitations>
    <!-- tolerant=false + strength=strong removes ALL other values including
         groups not managed by midPoint
         tolerant=true + strength=strong removes old group when the condition
         changes, keeping groups managed outside of midPoint -->
    <tolerant>true</tolerant><!-- See above -->
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <outbound>
        <strength>strong</strength><!-- See above -->
        <source>
            <path>$user/employeeType</path>
        </source>
        <expression>
            <script>
                <code>
                    if (employeeType == 'FTE')
                    {
                        return 'CN=group1,.........................'
                    }
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
You may need to use our versions of Connector Server and Active
Directory connector; there were some case-sensitivity issues in the
original versions (causing groups like "cn=group1,..." and "CN=group1,..."
to cause problems):
http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/
http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/
And update your resource configuration:
<icfc:resultsHandlerConfiguration>
    <!-- currently this requires latest Evolveum
         version of .net connector server -->
    <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
</icfc:resultsHandlerConfiguration>
<!-- Configuration specific for the Active Directory
     connector -->
<icfc:configurationProperties
. . .
This is the combination I currently use, and it seems to work well.
Hope this helps,
regards,
Ivan
On 01/07/2014 04:55 PM, Deepak Natarajan wrote:
> Hi -
>
> I'm trying to figure out how to implement group membership for an Active
> Directory resource.
>
> We are using Midpoint 2.3-SNAPSHOT.
>
> Is it still possible to execute this using the idea of LDAP groups
> described here :
> https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO (since AD
> supports LDAPv3)?
>
> Does anyone have any working configuration they can share that they use
> against Active Directory to provision users and also set up group
> memberships?
>
> Thanks in advance!
> BR/Deepak
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Consultant
Evolveum, s.r.o
___________________________________________________
"Semper cautus - semper paratus - semper idem Vix."
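As an added illustration (not midPoint's own code and not from the configuration posted above), the following Python model shows what the tolerant/strength combination described in the XML comment does to an account's group values, and why a case-insensitive matching rule matters when the connector returns DNs as "cn=..." while the mapping produces "CN=...". The group DNs and the VPN-Users group are constructed placeholders.

```python
# Added example (not midPoint's own code): model of a strong outbound mapping
# on icfs:groups under tolerant=true/false and with mr:stringIgnoreCase.
GROUP1 = 'CN=group1,OU=Groups,DC=example,DC=com'  # constructed placeholder DN


def compute_groups(employee_type):
    """Model of the Groovy expression in the mapping: FTE -> group1."""
    if employee_type == 'FTE':
        return [GROUP1]
    return []


def plan_group_changes(current, previous_computed, new_computed,
                       tolerant, ignore_case=True):
    """Return (add, remove) lists for the account's group values.

    strength=strong: values produced by the mapping are always enforced.
    tolerant=False:  every current value the mapping did not produce is
                     removed, including groups managed outside midPoint.
    tolerant=True:   only values the mapping produced earlier and no longer
                     produces are removed; other current values are kept.
    ignore_case:     mr:stringIgnoreCase, i.e. compare DNs case-insensitively.
    """
    def key(dn):
        return dn.strip().lower() if ignore_case else dn.strip()

    cur = {key(g): g for g in current}
    new = {key(g): g for g in new_computed}
    prev = {key(g) for g in previous_computed}
    add = [g for k, g in new.items() if k not in cur]
    if tolerant:
        remove = [g for k, g in cur.items() if k in prev and k not in new]
    else:
        remove = [g for k, g in cur.items() if k not in new]
    return add, remove


# Constructed scenario: AD already holds group1 (returned by the connector in
# lowercase) plus a group managed outside midPoint; the user then changes from
# FTE to contractor, so the mapping no longer produces group1.
AD_GROUPS = ['cn=group1,OU=Groups,DC=example,DC=com',
             'CN=VPN-Users,OU=Groups,DC=example,DC=com']

if __name__ == '__main__':
    prev, new = compute_groups('FTE'), compute_groups('Contractor')
    print('tolerant=true :', plan_group_changes(AD_GROUPS, prev, new, True))
    print('tolerant=false:', plan_group_changes(AD_GROUPS, prev, new, False))
    # Case-sensitive comparison re-adds group1 although the account has it:
    print('case-sensitive:', plan_group_changes(AD_GROUPS, prev, prev, True, False))
```

With tolerant=true only the lowercase group1 entry is removed and VPN-Users is kept; with tolerant=false both are removed; with case-sensitive comparison midPoint would try to add CN=group1 again even though the account already holds it as cn=group1.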