[midPoint] Existing Active Directory Users
Pavol Mederly
mederly at evolveum.com
Fri Oct 17 23:31:36 CEST 2014
Hello Jason,
yes, there is a way to do it. Conceptually, you need to create a mapping
assignment -> target attribute
However, there are three facts to bear in mind:
(1) there can be many roles the user has been assigned -> so either you
choose one of them (how?) or the target attribute has to be
multi-valued; let's assume the latter
(2) assignments can be not only roles, but also accounts and orgs -> so
there should be some filter based on the kind of assignment
(3) in the assignment there is only an OID of the target role, and you want
to have its name -> so there has to be a getObject(...) operation in the
process to get the name
Conceptually, the solution could look like this:
(This is a direct mapping from the user's roles to an "l" attribute in an LDAP
resource - tailor this to your needs. E.g. if you have to map to a user
property, you have to put this mapping into a user template.)
<attribute>
    <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:l</ref>
    <outbound>
        <source>
            <path>assignment</path>
        </source>
        <expression>
            <script>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType

                    if (assignment != null) {
                        target = assignment.getTargetRef()
                        // filtering, mentioned in (2)
                        if (target != null && "RoleType".equals(target.getType().getLocalPart())) {
                            // getting the object, mentioned in (3)
                            role = midpoint.getObject(RoleType.class, target.getOid(), null)
                            return role.getName()
                        }
                    }
                    return null
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
Unfortunately, life's not that easy ... because of a limitation in
midPoint (MID-2064 <https://jira.evolveum.com/browse/MID-2064>) we
cannot process individual container values, only the container as a
whole - so we have to rewrite the mapping to process not item by
item, but all assignments as a whole. This is called the absolute
mode of evaluation.
The solution is then as follows:
<attribute>
    <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:l</ref>
    <outbound>
        <source>
            <name>assignmentContainer</name> <!-- just to provide a meaningful name to the source -->
            <path>assignment</path>
        </source>
        <expression>
            <script>
                <relativityMode>absolute</relativityMode>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType

                    rv = new ArrayList()
                    if (assignmentContainer != null) {
                        for (assignment in assignmentContainer.getValues()) {
                            target = assignment.asContainerable().getTargetRef()
                            if (target != null && "RoleType".equals(target.getType().getLocalPart())) {
                                role = midpoint.getObject(RoleType.class, target.getOid(), null)
                                rv.add(role.getName().getOrig())
                            }
                        }
                    }
                    return rv
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
Of course, there should be some error handling around the getObject method,
because the role that the user has might already have been deleted - so
a simple try {...} catch {...} should be there.
But I hope you get an overall idea from this sample.
Best regards,
Pavol
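The absolute-mode mapping with the error handling Pavol mentions, written out as an added example for this archive page (it is not code from the original post, nor a sample shipped with midPoint). It assumes the midPoint 3.x scripting API of the time: the `midpoint.getObject(...)` function, the `log` and `user` script variables, the generated `RoleType.COMPLEX_TYPE` QName, `QNameUtil.match` and `ObjectNotFoundException`. Beyond the original, it deduplicates role names and skips assignments that are administratively disabled, because a disabled assignment grants nothing and its role name should not be advertised as an entitlement in AD.

```xml
<attribute>
    <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:l</ref>
    <outbound>
        <source>
            <name>assignmentContainer</name>
            <path>assignment</path>
        </source>
        <expression>
            <script>
                <relativityMode>absolute</relativityMode>
                <code><![CDATA[
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType
import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType
import com.evolveum.midpoint.util.QNameUtil
import com.evolveum.midpoint.util.exception.ObjectNotFoundException

// Absolute mode: 'assignmentContainer' holds every assignment of the user, not one delta item.
// A LinkedHashSet drops duplicates (the same role assigned twice) and keeps a stable order,
// so recomputing the user does not produce a spurious modification of the AD attribute.
def names = new LinkedHashSet<String>()

if (assignmentContainer != null) {
    for (pcv in assignmentContainer.getValues()) {
        def assignment = pcv.asContainerable()
        def target = assignment.getTargetRef()

        // (2) keep only role assignments; account constructions have no targetRef and
        // org membership has a targetRef of another type. QNameUtil.match also accepts
        // an unqualified type name, which a string comparison of the local part would not.
        if (target == null || !QNameUtil.match(RoleType.COMPLEX_TYPE, target.getType())) {
            continue
        }

        // Caveat beyond the original post: an administratively disabled assignment grants
        // nothing, so its role name must not be written to AD as an entitlement.
        def activation = assignment.getActivation()
        if (activation != null && activation.getAdministrativeStatus() == ActivationStatusType.DISABLED) {
            continue
        }

        // (3) resolve the OID to the role object to obtain its name.
        try {
            def role = midpoint.getObject(RoleType.class, target.getOid(), null)
            names.add(role.getName().getOrig())
        } catch (ObjectNotFoundException e) {
            // Dangling reference: the role was deleted after it had been assigned.
            // Skip it and log, instead of failing the whole mapping (and the provisioning).
            log.warn("User " + user?.getName() + " has an assignment to a missing role " + target.getOid())
        }
    }
}

// Multi-valued attribute: return all names; an empty list clears the attribute.
return new ArrayList<String>(names)
]]></code>
            </script>
        </expression>
    </outbound>
</attribute>
```

To check it, assign two roles to a test user, delete one of the roles in the repository, and recompute the user: the attribute should end up with the surviving role's name only and a warning in the log, rather than a failed provisioning operation. Because the mapping is evaluated in absolute mode, it rebuilds the attribute from the full assignment set each time, so stale values left by removed assignments disappear as well.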
On 17. 10. 2014 21:43, Jason Everling wrote:
> Ok thanks again, I still have a lot of testing with incoming and
> outgoing attributes, trying to get them just right before I move onto
> Roles/Orgs and such..
>
> Quick question,
>
> Is there a way to get the assigned role name, like the default role
> "end user", into a user attribute field? For instance, the user is
> assigned the role "end user" and I wanted to get the role name "end
> user" into the attribute eduPersonEntitlement in AD. As long as I can
> get that name "end user" into a field on the user details page I can
> move it into AD.
>
>
> JASON
>
> On Fri, Oct 17, 2014 at 5:28 AM, Ivan Noris <Ivan.Noris at evolveum.com> wrote:
>
> Hi Jason,
>
> I'm not sure if I understand, but if you are asking if you can
> create (import) organization structure in midPoint according to
> your existing AD structure, the answer is yes.
>
> If you are asking if you can provision your existing midPoint
> organization structure to AD, the answer is double-yes. You can
> actually see this in our generic-sync scenarios. For more simple
> cases where organization structure is maintained in midPoint (and
> not in some kind of authoritative source such as CSV) this is very
> simple and I'm using this just now in current projects.
>
> It's all just configuration in midPoint (resource, roles, object
> templates). The inbound (from AD to midPoint) organization
> synchronization is a little more difficult than the outbound
> (midPoint to AD), but certainly doable.
>
> Regards,
> Ivan
>
> ------------------------------------------------------------------------
>
> From: "Jason Everling" <jeverling at bshp.edu>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Thursday, October 16, 2014 10:07:34 PM
> Subject: Re: [midPoint] Existing Active Directory Users
>
> That is great! I was testing this and it seems to be working.
> I was thinking about this more also and down the road once I
> move into Orgs and such.
>
> I am almost certain, correct me if I am wrong, but I could
> also base the DN by pulling information from the Orgs in
> Midpoint. I would pretty much be building out the Orgs in the
> same manner that our AD orgs are setup.
>
> JASON
>
> On Thu, Oct 16, 2014 at 10:27 AM, Ivan Noris <Ivan.Noris at evolveum.com> wrote:
>
> Hi Jason,
>
>
> AD only needs to be authoritative during the initial
> deployment since we have thousands of accounts in AD,
> after that, all accounts will be modified/added using
> midpoint.
>
> I think using the method I outlined last to build the
> DN is more or less what I am moving towards. I have
> looked through AD attributes and the attribute "ou"
> in AD is not used and would make sense to populate
> that attribute with the actual OU. I can simply use a
> PowerShell script to add the correct value to this
> attribute based on the user's current OU and then build
> the DN in midPoint off this value.
>
> Using the "ou" attribute in AD might also be the best
> way since later on I can use the attribute in roles
> and orgs, I have been looking to the orgsync story
> test on github for inspiration.
>
>
> You can use a PS script in AD to fill the "ou" attribute in
> accounts and then import it to midPoint, but you can
> construct the value directly during initial import in an
> inbound expression with no changes in AD. Roughly -
> something like this:
>
> <attribute>
>     <ref>icfs:name</ref>
>     <displayName>Distinguished Name</displayName>
>     <inbound>
>         <expression>
>             <script>
>                 <code>
>                     // parse OU value from variable named *input* (represents DN) using groovy regular expressions
>                     // e.g. from OU=The Student,DC=TEST,DC=LOCAL take "The Student" value
>                     // please fix the regular expression according to your setup, this is just a rough example
>
>                     re = /(?i)^.*OU=(.*),DC=TEST,DC=LOCAL$/
>                     matcher = (input =~ re)
>                     if (matcher.matches())
>                         return matcher[0][1]
>
>                     // will be stored in *user/organization* attribute, modify as needed
>                 </code>
>             </script>
>         </expression>
>         <target>
>             <path>$user/organization</path>
>         </target>
>     </inbound>
> </attribute>
>
> This is also to show you the power of the expressions in
> the mappings.
>
> Regards,
> Ivan
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer
> evolveum.com <http://evolveum.com>
> ___________________________________________
> "Idem per idem - semper idem Vix."
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
> CONFIDENTIALITY NOTICE:
> This e-mail together with any attachments is proprietary and
> confidential; intended for only the recipient(s) named above
> and may contain information that is privileged. You should not
> retain, copy or use this e-mail or any attachments for any
> purpose, or disclose all or any part of the contents to any
> person. Any views or opinions expressed in this e-mail are
> those of the author and do not represent those of the Baptist
> School of Health Professions. If you have received this e-mail
> in error, or are not the named recipient(s), you are hereby
> notified that any review, dissemination, distribution or
> copying of this communication is prohibited by the sender and
> to do so might constitute a violation of the Electronic
> Communications Privacy Act, 18 U.S.C. section 2510-2521.
> Please immediately notify the sender and delete this e-mail
> and any attachments from your computer.
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer
> evolveum.com <http://evolveum.com>
> ___________________________________________
> "Idem per idem - semper idem Vix."
>
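Ivan's inbound mapping quoted above is, as he says, a rough example: its regex is anchored on the literal DC=TEST,DC=LOCAL suffix (an account from any other domain yields nothing), it keeps only the outermost OU of a nested path, and an OU name containing an escaped comma such as OU=Sales\, EMEA comes through with the backslash left in. The variant below is an added example for this archive page, not code from the thread or from midPoint; it assumes only the standard `input` variable of an inbound mapping script. It splits the DN into RDNs honouring RFC 4514 backslash escapes and returns the whole OU chain, from the domain root down, as the values of the multi-valued user/organization property. Multi-valued RDNs joined with "+" and multi-byte hex escapes are not handled and are noted as limitations in the comments.

```xml
<attribute>
    <ref>icfs:name</ref>
    <displayName>Distinguished Name</displayName>
    <inbound>
        <expression>
            <script>
                <code><![CDATA[
// Split a DN on commas that are not escaped by a backslash (RFC 4514 section 2.4).
// Limitation: '+' (multi-valued RDNs) is left untouched; such RDNs are rare in AD user DNs.
def splitRdns(String dn) {
    def rdns = []
    def current = new StringBuilder()
    boolean escaped = false
    for (int i = 0; i < dn.length(); i++) {
        char c = dn.charAt(i)
        if (escaped) {
            current.append(c)
            escaped = false
        } else if (c == (char) '\\') {
            current.append(c)
            escaped = true
        } else if (c == (char) ',') {
            rdns << current.toString()
            current.setLength(0)
        } else {
            current.append(c)
        }
    }
    rdns << current.toString()
    return rdns
}

// Undo RFC 4514 escaping: "\," -> ",", "\5c" -> "\" and so on. Limitation: hex pairs are
// decoded one byte at a time, so a multi-byte UTF-8 character escaped as hex is not rebuilt.
def unescape(String value) {
    def out = new StringBuilder()
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i)
        if (c == (char) '\\' && i + 1 < value.length()) {
            String hex = value.substring(i + 1, Math.min(i + 3, value.length()))
            if (hex.length() == 2 && hex ==~ /[0-9A-Fa-f]{2}/) {
                out.append((char) Integer.parseInt(hex, 16))
                i += 2
            } else {
                out.append(value.charAt(i + 1))
                i += 1
            }
        } else {
            out.append(c)
        }
    }
    return out.toString()
}

if (input == null) {
    return null
}

// Collect OU values in the order they appear in the DN: innermost (next to the CN) first.
// Attribute types are matched case-insensitively, as AD returns them in varying case.
def ous = []
for (rdn in splitRdns(input)) {
    int eq = rdn.indexOf('=')
    if (eq < 0) {
        continue
    }
    String type = rdn.substring(0, eq).trim()
    if (type.equalsIgnoreCase('OU')) {
        ous << unescape(rdn.substring(eq + 1).trim())
    }
}

// Constructed example: "CN=Smith\, John,OU=Sales\, EMEA,OU=Staff,DC=TEST,DC=LOCAL"
// yields ["Staff", "Sales, EMEA"]. An account living directly in the CN=Users container
// yields an empty list, which leaves user/organization empty instead of failing the import.
return ous.reverse()
]]></code>
            </script>
        </expression>
        <target>
            <path>$user/organization</path>
        </target>
    </inbound>
</attribute>
```

The DN is split by a small scanner rather than a regex because the escape rules make a single pattern hard to get right; the same splitRdns/unescape pair can be reused in an outbound mapping that builds a DN from midPoint orgs, where the values must be escaped in the opposite direction before they are concatenated.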