[midPoint] Existing Active Directory Users
Ivan Noris
Ivan.Noris at evolveum.com
Mon Oct 20 09:00:50 CEST 2014
Hi Jason,
in addition to what my colleague Pavol has suggested, I'm using this little hack (well, not a hack but a feature implemented some time ago):
1. create a meta-role in midPoint which will be automatically assigned (via object template) to any organization/role (or based on any conditions you specify in the object template) with a mapping similar to this:
<inducement>
    <focusMappings>
        <mapping>
            <source>
                <path>$immediateRole/name</path>
            </source>
            <target>
                <path>$focus/organization</path>
            </target>
        </mapping>
    </focusMappings>
    <order>2</order>
</inducement>
This example will put the name of the role/organization assigned to the user into the user's organization attribute. This attribute is multi-valued, so you can then map it to any target (e.g. AD) attribute that is also multi-valued.
2. create an object template for role and/or organization objects (whatever you need), which will assign the meta-role to any created/modified role/organization based on any conditions you specify.
3. use the object template created in step 2) as your default object template for your type of objects (OrgType or RoleType)
4. Create/modify the organization/role you wish, to make the object template automatically add the inducement from step 1)
5. Assign the role/organization to a user and see if it works. If your object template gets picked up and the conditions for assigning the meta-role succeed, your role/organization will be assigned your meta-role.
6. If this works, assign this role/organization to a user - the organization attribute should be populated with the role/organization name.
I'm writing "organization/role" because the concept is the same for both. In fact, I'm using this for organizations, because for some mappings I need to have the name of the organization which is assigned to the user.
See also:
https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
https://wiki.evolveum.com/display/midPoint/Assignment+Configuration
https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization
Regards,
Ivan
----- Original Message -----
> From: "Jason Everling" <jeverling at bshp.edu>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Friday, October 17, 2014 9:43:15 PM
> Subject: Re: [midPoint] Existing Active Directory Users
> Ok thanks again, I still have a lot of testing with incoming and outgoing
> attributes, trying to get them just right before I move on to Roles/Orgs and
> such..
> Quick question,
> Is there a way to get the assigned role name, like the default role "end
> user", into a user attribute field? For instance, the user is assigned the
> role "end user" and I wanted to get the role name "end user" into the
> attribute eduPersonEntitlement in AD. As long as I can get that name "end
> user" into a field on the user details page I can move it into AD.
> JASON
> On Fri, Oct 17, 2014 at 5:28 AM, Ivan Noris < Ivan.Noris at evolveum.com >
> wrote:
> > Hi Jason,
> > I'm not sure if I understand, but if you are asking if you can create
> > (import) an organization structure in midPoint according to your existing AD
> > structure, the answer is yes.
> > If you are asking if you can provision your existing midPoint organization
> > structure to AD, the answer is double-yes. You can actually see this in our
> > generic-sync scenarios. For simpler cases where the organization structure
> > is maintained in midPoint (and not in some kind of authoritative source such
> > as CSV) this is very simple and I'm using this just now in current projects.
> > It's all just configuration in midPoint (resource, roles, object templates).
> > The inbound (from AD to midPoint) organization synchronization is a little
> > more difficult than the outbound (midPoint to AD), but certainly doable.
> > Regards,
> > Ivan
> > > From: "Jason Everling" < jeverling at bshp.edu >
> > > To: "midPoint General Discussion" < midpoint at lists.evolveum.com >
> > > Sent: Thursday, October 16, 2014 10:07:34 PM
> > > Subject: Re: [midPoint] Existing Active Directory Users
> > > That is great! I was testing this and it seems to be working. I was thinking
> > > about this more also and down the road once I move into Orgs and such.
> > > I am almost certain, correct me if I am wrong, but I could also base the DN
> > > by pulling information from the Orgs in Midpoint. I would pretty much be
> > > building out the Orgs in the same manner that our AD orgs are set up.
> > > JASON
> > > On Thu, Oct 16, 2014 at 10:27 AM, Ivan Noris < Ivan.Noris at evolveum.com >
> > > wrote:
> > > > Hi Jason,
> > > > > AD only needs to be authoritative during the initial deployment since we
> > > > > have thousands of accounts in AD, after that, all accounts will be
> > > > > modified/added using midpoint.
> > > > > I think using the method I outlined last to build the DN is more or less
> > > > > what I am moving towards. I have looked through AD attributes and the
> > > > > attribute "ou" in AD is not used and would make sense to populate that
> > > > > attribute with the actual OU. I can simply use a PowerShell script to add
> > > > > the correct value to this attribute based on the user's current ou and then
> > > > > build the DN in midpoint off this value.
> > > > > Using the "ou" attribute in AD might also be the best way since later on I
> > > > > can use the attribute in roles and orgs, I have been looking at the orgsync
> > > > > story test on github for inspiration.
> > > > You can use a PS script in AD to fill the "ou" attribute in accounts and then
> > > > import it to midPoint, but you can construct the value directly during the
> > > > initial import in an inbound expression with no changes in AD. Roughly -
> > > > something like this:
> > > > <attribute>
> > > >     <ref>icfs:name</ref>
> > > >     <displayName>Distinguished Name</displayName>
> > > >     <inbound>
> > > >         <expression>
> > > >             <script>
> > > >                 <code>
> > > >                     // parse the OU value from the variable named input (represents the DN)
> > > >                     // using Groovy regular expressions
> > > >                     // e.g. from OU=The Student,DC=TEST,DC=LOCAL take the "The Student" value
> > > >                     // please fix the regular expression according to your setup, this is
> > > >                     // just a rough example
> > > >                     re = /(?i)^.*OU=(.*),DC=TEST,DC=LOCAL$/
> > > >                     matcher = (input =~ re)
> > > >                     if (matcher.matches()) return matcher[0][1]
> > > >                     // no OU found: the script yields null and the target stays empty
> > > >                     return null
> > > >                     // will be stored in the user/organization attribute, modify as needed
> > > >                 </code>
> > > >             </script>
> > > >         </expression>
> > > >         <target>
> > > >             <path>$user/organization</path>
> > > >         </target>
> > > >     </inbound>
> > > > </attribute>
> > > > This is also to show you the power of the expressions in the mappings.
> > > > Regards,
> > > > Ivan
> > > > _______________________________________________
> > > > midPoint mailing list
> > > > midPoint at lists.evolveum.com
> > > > http://lists.evolveum.com/mailman/listinfo/midpoint
> > > CONFIDENTIALITY NOTICE:
> > > This e-mail together with any attachments is proprietary and confidential;
> > > intended for only the recipient(s) named above and may contain information
> > > that is privileged. You should not retain, copy or use this e-mail or any
> > > attachments for any purpose, or disclose all or any part of the contents to
> > > any person. Any views or opinions expressed in this e-mail are those of the
> > > author and do not represent those of the Baptist School of Health
> > > Professions. If you have received this e-mail in error, or are not the named
> > > recipient(s), you are hereby notified that any review, dissemination,
> > > distribution or copying of this communication is prohibited by the sender
> > > and to do so might constitute a violation of the Electronic Communications
> > > Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the
> > > sender and delete this e-mail and any attachments from your computer.
--
Ing. Ivan Noris
Senior Identity Management Engineer
evolveum.com
___________________________________________
"Idem per idem - semper idem Vix."
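The inbound expression quoted earlier in the thread (Ivan's Oct 16 reply) pulls the OU out of the account DN with one regular expression anchored on `OU=(.*),DC=TEST,DC=LOCAL`. That works for a flat OU layout, but an AD DN is an RFC 4514 string: accounts usually sit in nested OUs, and a comma inside an RDN value is escaped (`OU=Sales\, EMEA`). The one-liner then returns only the top-level OU, or carries the escape backslash into `user/organization`, and every mapping keyed on that value (the meta-role, an AD group, the eduPersonEntitlement value) fires for the wrong organization. The Python below is an added reference implementation, not code from the thread, from midPoint or from Evolveum: it splits the DN per RFC 4514 with escapes honoured, returns the OU chain from the domain root down, composes an escaped DN for the outbound direction, and keeps the thread's regex beside it for comparison. The function names (`split_dn`, `ou_chain`, `build_dn`, `naive_ou`) are my own, the DNs are constructed samples, and `DC=TEST,DC=LOCAL` is the base DN used in the thread. The same logic ports directly into the Groovy inbound expression.

```python
import re

# RFC 4514: characters that need a backslash when they appear inside an RDN value.
_SPECIAL = set(',+"\\<>;')

# The regular expression used in the quoted inbound mapping, kept for comparison.
NAIVE_OU_RE = re.compile(r'(?i)^.*OU=(.*),DC=TEST,DC=LOCAL$')


def naive_ou(dn):
    """What the thread's one-line regex extracts (None when nothing matches)."""
    m = NAIVE_OU_RE.match(dn)
    return m.group(1) if m else None


def split_dn(dn):
    """Split a DN into (type, value) pairs in string order (leaf RDN first).

    Backslash escapes (both "\\," and hex "\\2c") and double-quoted values are
    honoured, so a comma inside a value never starts a new RDN. Multi-byte
    UTF-8 hex sequences are not recombined (assumed out of scope here).
    """
    rdns, buf, i, in_quotes = [], [], 0, False
    while i < len(dn):
        c = dn[i]
        if c == '\\':
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r'[0-9A-Fa-f]{2}', hexpair):
                buf.append(chr(int(hexpair, 16)))   # hex escape, e.g. \2c -> ','
                i += 3
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])                # simple escape, e.g. \, -> ','
                i += 2
            else:
                raise ValueError('dangling backslash in DN')
        elif c == '"':
            in_quotes = not in_quotes               # legacy RFC 2253 quoted value
            i += 1
        elif c == ',' and not in_quotes:
            rdns.append(''.join(buf))               # unescaped comma ends the RDN
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    rdns.append(''.join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError('malformed RDN: %r' % rdn)
        pairs.append((attr.strip().upper(), value))
    return pairs


def ou_chain(dn):
    """OU values from the domain root down, e.g. ['Users', 'Staff']."""
    return [v for t, v in reversed(split_dn(dn)) if t == 'OU']


def escape_rdn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(cn, ous, base_dn):
    """Compose an account DN for outbound provisioning.

    `ous` is the OU chain from the domain root down (the shape ou_chain returns),
    so the innermost OU is placed right after the CN.
    """
    parts = ['CN=' + escape_rdn_value(cn)]
    parts += ['OU=' + escape_rdn_value(ou) for ou in reversed(ous)]
    parts.append(base_dn)
    return ','.join(parts)


if __name__ == '__main__':
    # Constructed sample DNs; the base DN is the one used in the thread.
    samples = [
        'CN=Jane Doe,OU=The Student,DC=TEST,DC=LOCAL',
        'CN=Jane Doe,OU=Staff,OU=Users,DC=TEST,DC=LOCAL',
        'CN=Smith\\, John,OU=Sales\\, EMEA,DC=TEST,DC=LOCAL',
    ]
    for dn in samples:
        print('%-52s naive=%r chain=%r' % (dn, naive_ou(dn), ou_chain(dn)))
    print(build_dn('Smith, John', ['Sales, EMEA'], 'DC=TEST,DC=LOCAL'))
```

For the nested sample the regex yields only `Users` while `ou_chain` yields `['Users', 'Staff']`; for the escaped sample the regex yields `Sales\, EMEA` (backslash included) while the parser yields `Sales, EMEA`. Storing the whole chain in the multi-valued `user/organization` attribute, rather than one regex capture, is what lets a later outbound mapping rebuild the DN with `build_dn` without losing the intermediate OUs.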