[midPoint] AD groups reconciliation

Roman Pudil - AMI Praha a.s. roman.pudil at ami.cz
Thu Jun 26 17:30:14 CEST 2014


Hi Pavol,
great work! Many thanks!

There is a little error in the group sync definition (objectSynchronization 
section in the resource definition) on 
https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO:

The account schema has an attribute named "sAMAccountName", but the 
group schema has an attribute named "samAccountName" (different 
lower/upper-case characters). Probably a bug in the ICF connector... :)
Then the group correlation will be:
<correlation>
    <q:equal>
        <q:path>c:name</q:path>
        <expression>
            <path>$shadow/attributes/samAccountName</path>
        </expression>
    </q:equal>
</correlation>


Many thanks!
Regards
Roman Pudil

Roman Pudil
solution architect

gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz <mailto:roman.pudil at ami.cz>

AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz <http://www.ami.cz>

<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>

By the text of this e-mail the signatory neither promises to conclude nor 
concludes any contract on behalf of AMI Praha a.s.
Any contract, if concluded, must be exclusively in written form.
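As an added example (not code from the thread, from the HOW-TO or from midPoint itself), the following Python script simulates what the correlation above does: for each group shadow it reads the attribute named in the correlation path and tries to match the value against the names of existing roles. The attribute names follow the case difference Roman describes ("sAMAccountName" on accounts, "samAccountName" on groups); the shadows, role OIDs and object class names are constructed for illustration. It shows the two failure modes worth checking before enabling a reaction that creates a role for every unmatched group: a path with the wrong case yields no value (so every group would be treated as unmatched and created again), and a duplicate role name makes the correlation ambiguous.

```python
"""Simulated correlation of AD group shadows to midPoint roles by name.

Added example, not midPoint code. Attribute names follow the case
difference reported on the list; all sample data below is constructed.
"""
from collections import defaultdict

# Constructed sample shadows, shaped like what a connector might return.
ACCOUNT_SHADOWS = [
    {"objectClass": "AccountObjectClass",
     "attributes": {"sAMAccountName": "jsmith", "cn": "John Smith"}},
]
GROUP_SHADOWS = [
    {"objectClass": "CustomGroupObjectClass",
     "attributes": {"samAccountName": "DL-Finance", "cn": "DL-Finance"}},
    {"objectClass": "CustomGroupObjectClass",
     "attributes": {"samAccountName": "DL-Admins", "cn": "DL-Admins"}},
    {"objectClass": "CustomGroupObjectClass",
     "attributes": {"samAccountName": "DL-New", "cn": "DL-New"}},
]
# Constructed roles; the name is what a <q:equal> on c:name compares against.
ROLES = [
    {"oid": "r-1", "name": "DL-Finance"},
    {"oid": "r-2", "name": "DL-Admins"},
    {"oid": "r-3", "name": "DL-Admins"},   # duplicate name: ambiguous correlation
]


def get_attribute(shadow, name):
    """Exact-case lookup, like the path $shadow/attributes/<name>.

    Returns None when the attribute is absent, which is what a wrong-case
    name in the correlation path produces: no value, hence no match.
    """
    return shadow["attributes"].get(name)


def find_attribute_name(shadow, name):
    """Case-insensitive probe that reports the exact name the schema uses,
    so a wrong-case path can be spotted before the sync task runs."""
    wanted = name.lower()
    for key in shadow["attributes"]:
        if key.lower() == wanted:
            return key
    return None


def correlate(shadows, roles, attr_name):
    """Classify each shadow the way a correlation step would.

    linked: attribute value -> the single role oid it matched
    unmatched: values with no role (candidates for creating a new role)
    ambiguous: values matching more than one role (must be resolved by hand)
    missing_attribute: (cn, schema name with the same letters) for shadows
        that do not carry attr_name at all
    """
    by_name = defaultdict(list)
    for role in roles:
        by_name[role["name"]].append(role["oid"])
    result = {"linked": {}, "unmatched": [], "ambiguous": {}, "missing_attribute": []}
    for shadow in shadows:
        value = get_attribute(shadow, attr_name)
        if value is None:
            hint = find_attribute_name(shadow, attr_name)
            result["missing_attribute"].append((shadow["attributes"].get("cn"), hint))
            continue
        oids = by_name.get(value, [])
        if len(oids) == 1:
            result["linked"][value] = oids[0]
        elif not oids:
            result["unmatched"].append(value)
        else:
            result["ambiguous"][value] = oids
    return result


if __name__ == "__main__":
    # Path copied from the account definition: nothing correlates.
    print(correlate(GROUP_SHADOWS, ROLES, "sAMAccountName"))
    # Path matching the group object class schema.
    print(correlate(GROUP_SHADOWS, ROLES, "samAccountName"))
```

The `missing_attribute` list is the useful diagnostic: it carries the schema's own spelling next to the one in the path, which is exactly the sAMAccountName/samAccountName mismatch. The `ambiguous` entries are the ones to clear up before letting the sync task link shadows to roles, since linking a group to the wrong role grants its members the wrong entitlement.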

On 25.6.2014 17:45, Pavol Mederly wrote:
> I've rewritten the last mail related to group sync into a HOW-TO. It is 
> available at
>
> https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO
>
> ...and I would like to thank Tim for providing the AD resource sample 
> which I've used (besides Org Sync Story Test) to construct the 
> tutorial. :)
>
> Regards,
> Pavol
>
>>
>> On 23. 6. 2014 21:24, Roman Pudil - AMI Praha a.s. wrote:
>>> Hello Pavol,
>>>
>>> how about the group reconciliation sample in Active Directory? Do 
>>> you have any simple example?
>>>
>>> Thanks!
>>> Regards
>>> Roman
>>>
>>> On 12.6.2014 23:35, Pavol Mederly wrote:
>>>> Hello Roman,
>>>>
>>>> both Ivan and I are planning to prepare such a sample for group 
>>>> synchronization in the next few days.
>>>>
>>>> Unfortunately, both of us have some critical tasks to be done 
>>>> immediately, so it could take maybe
>>>> a week until we are able to prepare the sample.
>>>>
>>>> Best regards,
>>>> Pavol Mederly
>>>>
>>>>> Hi Radovan,
>>>>> thanks for the inspiration.
>>>>> I tried for 3 days to find the right combination of AD group schema 
>>>>> definition, schema handling etc., with no success.
>>>>> Has somebody tried it with success?
>>>>>
>>>>> Thanks!
>>>>> Roman Pudil
>>>>>
>>>>> On 9.6.2014 18:08, Radovan Semancik wrote:
>>>>>> Hi Roman,
>>>>>>
>>>>>> We haven't tried group synchronization in AD yet. But we have 
>>>>>> done it in LDAP and the principle is the same. Perhaps the best 
>>>>>> place for inspiration is our "OrgSync" story test. This test 
>>>>>> synchronizes orgunits and groups in the LDAP server. The 
>>>>>> configuration files are here:
>>>>>>
>>>>>> https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/orgsync
>>>>>>
>>>>>> -- 
>>>>>>
>>>>>> Radovan Semancik
>>>>>> Software Architect
>>>>>> evolveum.com
>>>>>>
>>>>>>
>>>>>> On 06/05/2014 01:03 PM, Roman Pudil - AMI Praha a.s. wrote:
>>>>>>> Hi,
>>>>>>> I need to synchronize/reconcile AD Groups into midPoint as 
>>>>>>> Entitlements (Roles). Any simple example of this?
>>>>>>> Importing groups over midPoint web services is also an acceptable 
>>>>>>> solution, but when I tried your example in 
>>>>>>> \samples\model-client-sample\ it gave an error in version 3.0.
>>>>>>>
>>>>>>> Thanks!
>>>>>>> R. Pudil
>>>>>>> -- 
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> midPoint mailing list
>>>>>>> midPoint at lists.evolveum.com
>>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
