[midPoint] Re. Group Membership in an AD Resource.

Radovan Semancik radovan.semancik at evolveum.com
Thu Jan 9 10:13:18 CET 2014


Hi,

This is a tricky question. For midPoint 2.2.x it is only possible using 
provisioning scripts. But there is already functionality in the midPoint 
2.3 development master that allows you to do what you want. You can 
automatically create groups as a representation of midPoint roles or org 
units, so the groups will be created at the same time a role/org is 
created - and that's guaranteed to be before a user is assigned to any 
of these. Although we have only a handful of tests for this, I'm quite 
confident that it will work well because it is reusing the bulk of the code 
that works well for users and accounts. The basic idea is described here:
https://wiki.evolveum.com/display/midPoint/Generic+Synchronization

Simply speaking you need to do two things:
* Define an entitlement object type and appropriate associations in 
resource schema handling section
* Add an *assignment* (not inducement!) to the org or role. Or create a 
meta-role and assign that to the org/role for which you want to create a 
group.
There is an example in the tests:
* resource with entitlement definition: 
http://git.evolveum.com/view/midpoint/master/model/model-intest/src/test/resources/common/resource-dummy.xml
* meta-role: 
http://git.evolveum.com/view/midpoint/master/model/model-intest/src/test/resources/gensync/role-meta-dummygroup.xml

I just need to document this functionality. I hope to find some time for 
documentation later today.

-- 

                                            Radovan Semancik
                                           Software Architect
                                              evolveum.com
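What the two steps above look like in midPoint XML, as an added example that is not taken from the message above or from the midPoint test files it links to: the resource's schemaHandling gets an entitlement object type for AD groups plus an association on the account type, and a meta-role carries an order-1 inducement with an entitlement construction (so the group is created for whichever role/org the meta-role is *assigned* to) and an order-2 inducement that adds the accounts of that role's members to the group. Element names follow midPoint's documented generic-synchronization schema; the common-3 namespace, both OIDs, the ri:group / ri:member / ri:dn attribute names, the object class names and the DN suffix are assumptions and must be adapted to what the AD connector actually exposes.

```xml
<!-- Fragment 1: inside the resource definition (assumed ri: names, adapt to the
     connector schema). The association says membership lives on the group object,
     in its member attribute, as the account's DN. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <objectClass>ri:AccountObjectClass</objectClass>
        <!-- ... account attribute mappings ... -->
        <association>
            <ref>ri:group</ref>
            <displayName>AD group membership</displayName>
            <kind>entitlement</kind>
            <intent>group</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
            <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
        </association>
    </objectType>

    <objectType>
        <kind>entitlement</kind>
        <intent>group</intent>
        <objectClass>ri:GroupObjectClass</objectClass>
        <attribute>
            <ref>icfs:name</ref>
            <!-- group DN derived from the role/org name; the DN suffix is a placeholder -->
            <outbound>
                <source><path>$focus/name</path></source>
                <expression>
                    <script>
                        <code>'CN=' + name + ',OU=groups,DC=example,DC=com'</code>
                    </script>
                </expression>
            </outbound>
        </attribute>
    </objectType>
</schemaHandling>

<!-- Fragment 2: the meta-role. Assign (do not induce) it to every role/org that
     should have its own AD group. OIDs are placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="10000000-0000-0000-0000-000000000001">
    <name>Meta-role: AD group</name>
    <!-- order 1 (default): applies to the role/org holding the assignment,
         i.e. creates the group entitlement for it -->
    <inducement>
        <construction>
            <resourceRef oid="20000000-0000-0000-0000-000000000001" type="ResourceType"/>
            <kind>entitlement</kind>
            <intent>group</intent>
        </construction>
    </inducement>
    <!-- order 2: applies to users assigned to that role/org, and adds their
         account to the group created by the order-1 inducement -->
    <inducement>
        <construction>
            <resourceRef oid="20000000-0000-0000-0000-000000000001" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>
```

The point of splitting the work into two orders is the ordering guarantee mentioned above: the group is provisioned when the role/org is (re)computed, which happens before any user assignment to that role is processed, so the account-side association never refers to a group that does not exist yet. A quick check after import: recompute one role carrying the meta-role assignment and confirm it gains a linked entitlement shadow before assigning a user to it.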



On 01/08/2014 05:29 PM, Deepak Natarajan wrote:
>
> Hi Ivan -
>
> A quick (hopefully last) question about this issue - is it necessary 
> that the group should exist in AD already..or will Midpoint be able to 
> create them using the connector if they are not present? (I assumed 
> the latter and am running into an error...)
>
> Thanks!
>
> BR/Deepak
>> Ivan Noris <mailto:ivan.noris at evolveum.com>
>> January 8, 2014 at 1:19 PM
>> Hi Deepak,
>>
>> I'm doing it with the code based on the following (Groovy):
>>
>> // return a list: each element becomes one value of the multi-valued
>> // icfs:groups attribute
>> tmpOut = []
>> tmpOut.add('cn=group1,ou=groups,ou=orgA')
>> tmpOut.add('cn=group2,ou=groups,ou=depts,ou=orgB')
>> return tmpOut
>>
>> Just be sure you are using the latest connector and connector server 
>> (from our Nexus) and the setup mentioned earlier, or you can have 
>> problems when specifying the group name as "cn=group1,ou=..." while the 
>> group is actually stored in AD and returned from its LDAP as 
>> "CN=group1,OU=..."
>>
>> Regards,
>> Ivan
>>
>> On 01/08/2014 01:04 PM, Deepak Natarajan wrote:
>>
>> -- 
>> Ing. Ivan Noris
>> Consultant
>> Evolveum, s.r.o
>> ___________________________________________________
>> "Semper cautus - semper paratus - semper idem Vix."
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>> Deepak Natarajan <mailto:dnataraj at trilobytesystems.com>
>> January 8, 2014 at 1:04 PM
>>
>> Hi Ivan -
>>
>> A quick question about returning groups :
>>
>> How do I return multiple groups...are they comma separated or?
>>
>> If I have two group DN's to return :
>> cn=group1,ou=groups,ou=orgA
>> cn=group2,ou=groups,ou=depts,ou=orgB
>>
>> can I return an array from within the script?
>>
>> Thank you.
>> Ivan Noris <mailto:ivan.noris at evolveum.com>
>> January 7, 2014 at 5:23 PM
>> Hi Deepak,
>>
>> I'm using the Active Directory connector to manage accounts in AD, and a
>> mapping which assigns users to groups. I didn't have to change the resource
>> schema to use groups; it is available out of the box.
>>
>> The mapping is for the icfs:groups attribute and midPoint 2.2.x,
>> although it should still be the same for 2.3.
>>
>> I've adapted this from actual customer configuration, removing the
>> customer-specific code, but leaving the XML comments for you:
>>
>> <attribute>
>>     <ref>icfs:groups</ref>
>>     <displayName>Groups</displayName>
>>
>>     <limitations>
>>         <access>
>>             <create>true</create>
>>             <read>true</read>
>>             <update>true</update>
>>         </access>
>>     </limitations>
>>     <!-- tolerant=false + strength=strong removes ALL other values, including
>>          groups not managed by midPoint
>>
>>          tolerant=true + strength=strong removes the old group when the condition
>>          changes, keeping groups managed outside of midPoint -->
>>
>>     <tolerant>true</tolerant><!-- See above -->
>>     <matchingRule>mr:stringIgnoreCase</matchingRule>
>>     <outbound>
>>         <strength>strong</strength><!-- See above -->
>>         <source>
>>             <path>$user/employeeType</path>
>>         </source>
>>         <expression>
>>             <script>
>>                 <code>
>>                     if (employeeType == 'FTE')
>>                     {
>>                         return 'CN=group1,.........................'
>>                     }
>>                     // no return for other employee types: the mapping yields no value
>>                 </code>
>>             </script>
>>         </expression>
>>     </outbound>
>> </attribute>
>>
>> You may need to use our versions of the Connector Server and Active
>> Directory connector; there were some case-sensitivity issues in the
>> original versions (groups like "cn=group1,..." and "CN=group1,..."
>> caused problems):
>>
>> http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/
>>
>> http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/
>>
>> And update your resource configuration:
>>
>> <icfc:resultsHandlerConfiguration>
>>     <!-- currently this requires the latest Evolveum
>>          version of the .NET connector server -->
>>
>>     <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
>> </icfc:resultsHandlerConfiguration>
>>
>> <!-- Configuration specific for the Active Directory
>> connector -->
>>
>> <icfc:configurationProperties
>> . . .
>>
>> This is the combination I currently use and seems to work well.
>>
>> Hope this helps,
>> regards,
>> Ivan
>>
>> Deepak Natarajan <mailto:dnataraj at trilobytesystems.com>
>> January 7, 2014 at 4:55 PM
>> Hi -
>>
>> I'm trying to figure out how to implement group membership for an Active
>> Directory resource.
>>
>> We are using Midpoint 2.3-SNAPSHOT.
>>
>> Is it still possible to execute this using the idea of LDAP groups
>> described here :
>> https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO (since AD
>> supports LDAPv3)?
>>
>> Does anyone have any working configuration they can share that they use
>> against Active Directory to provision users and also set up group
>> memberships?
>>
>> Thanks in advance!
>> BR/Deepak
>>
>
>

