[midPoint] Group synchronization, 3.0 SNAPSHOT

Sam Verboven sam.verboven at gmail.com
Wed May 7 11:55:20 CEST 2014


Dear,

I am trying to synchronize groups and group membership on AD using the .Net
connector framework. Currently I've been able to add a user to a group by
using an inducement on a role:

<role oid="9991"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">
    <name>TestGroup</name>
    <inducement>
        <construction>
            <!-- AD resource reached through the .Net connector framework -->
            <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3eaef" type="ResourceType"/>
            <kind>account</kind>
            <attribute>
                <!-- outbound mapping: write the group DN into the account's groups attribute -->
                <ref>icfs:groups</ref>
                <outbound>
                    <expression>
                        <value>CN=TestGroup,CN=MidpointUsers,DC=rd,DC=local</value>
                    </expression>
                </outbound>
            </attribute>
        </construction>
    </inducement>
</role>

However, I can't seem to figure out how I can sync back. A couple of
questions:

1) If a user is added to a group in AD, how does one synchronize this
information back to midPoint? I found some information using Entitlements
but I can't figure out if this has been fully implemented yet or how to use
it. Can this information be stored somewhere in the current midPoint
user/role model?

2) Is there any method to sync the creation/deletion of the actual groups
themselves?

3) Is adding users to groups using a role inducement even a good idea?

I'm sorry if my questions are not really clear, but the entire
implementation of group and group membership syncing is not yet very clear
to me.

4) An additional question regarding password synchronization. I found some
information about this in the FAQ:
https://wiki.evolveum.com/display/midPoint/Frequently+Asked+Questions#FrequentlyAskedQuestions-CanmidPointsynchronizepasswordsfromActiveDirectoryorLDAP%3F

But I also found an agent on github:
https://github.com/Evolveum/midpoint-password-agent-ad

Is it a good idea to use this agent, or is it simply some test code that is
not ready for production use?


Regards,
Sam Verboven