[midPoint] create LDAP group

Ivan Noris ivan.noris at evolveum.com
Thu Aug 20 16:53:46 CEST 2015


Hi,

The DB Table connector is capable of synchronizing only accounts, and only in
one table. For anything else you need either the ScriptedSQL connector or a
custom connector for your specific needs.

You can then have two object types supported in your connector, e.g.
"accounts" (e.g. AccountObjectClass, mapped to midPoint Users - in
schema handling kind=account, intent=default) and "groups" (e.g.
GroupObjectClass, mapped to midPoint Organizations or Roles - in schema
handling kind=entitlement, intent=group).

The USER / GROUP relationship seems to me best represented as an association.

So midPoint will be able to create accounts in DB (USER_TBL), groups
(GROUP_TBL) and have associations between accounts and groups (USER_GROUP).

If your objects originate in LDAP and not in midPoint, you have to first
sync them to midPoint and then from midPoint to DB (by assigning roles
to provision them there).

Anyway, you will need the ScriptedSQL or a custom connector to achieve this.

Regards,
Ivan

On 08/20/2015 01:17 PM, Steklac Michal wrote:
> Hi,
>
> Your instructions for creating LDAP groups work well.
>
> In LDAP I have users and groups, not only groups which have the same name
> as users. From LDAP I want to synchronize users and groups to DB tables.
> I have 3 tables:
> 1) USER_TBL - contains users
> primary key is USER_ID
> 2) GROUP_TBL - contains groups
> primary key is GROUP_ID
> 3) USER_GROUP - mapping table
> contains two columns USER_ID and GROUP_ID
> Is it possible to synchronize users and groups from LDAP to DB tables?
> I use the DB connector to synchronize users to the USER_TBL table. How can
> I synchronize the GROUP_TBL and USER_GROUP tables?
>
> Thanks & Best regards
> MiSo
>
> On St, 2015-08-19 at 12:31 +0200, Ivan Noris wrote:
>> Hi MiSo,
>>
>> I believe we have already discussed this here
>> http://lists.evolveum.com/pipermail/midpoint/2015-July/001285.html
>>
>> Regards,
>> Ivan
>>
>> On 08/18/2015 08:19 PM, Steklac Michal wrote:
>>
>>> Hi,
>>>
>>> I have a configuration where AD is the authoritative source for users.
>>> When a user is created in AD, a user (in midPoint terminology, an
>>> account) is created in LDAP. Is it possible to create a group in a
>>> different LDAP subtree with the same name? What is the best way?
>>> Example:
>>> AD - cn=Janko Hrasko,ou=midpoint,dc=sk (with sAMAccountName=jhrasko)
>>> LDAP user - uid=jhrasko,ou=people,ou=midpoint,dc=sk
>>> LDAP group - cn=jhrasko,ou=group,ou=midpoint,dc=sk
>>>
>>> Thanks & Best regards
>>> MiSo
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."
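The layout Ivan describes above (an account object type, a group object type, and the USER_GROUP relationship as an association) written out as a midPoint resource schemaHandling fragment. This is an added example, not configuration from the thread or from the midPoint project; the connector attribute names (ri:USER_ID, ri:GROUP_ID, ri:members) and the objectToSubject direction are assumptions that depend on what your ScriptedSQL or custom connector actually exposes.

```xml
<!-- Fragment of a midPoint resource definition (ri = resource-instance namespace).
     Added example; attribute names are assumed, adjust them to your connector's schema. -->
<schemaHandling>
    <!-- USER_TBL rows: midPoint Users map here as kind=account, intent=default -->
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <displayName>DB account</displayName>
        <default>true</default>
        <objectClass>ri:AccountObjectClass</objectClass>
        <attribute>
            <ref>ri:USER_ID</ref>
            <outbound>
                <source><path>$focus/name</path></source>
            </outbound>
        </attribute>
        <!-- USER_GROUP rows: modelled as an association to the group object type -->
        <association>
            <ref>ri:group</ref>
            <displayName>Group membership</displayName>
            <kind>entitlement</kind>
            <intent>group</intent>
            <!-- objectToSubject: the connector keeps membership on the group object
                 (assumed multi-valued attribute ri:members holding USER_ID values) -->
            <direction>objectToSubject</direction>
            <associationAttribute>ri:members</associationAttribute>
            <valueAttribute>ri:USER_ID</valueAttribute>
        </association>
    </objectType>
    <!-- GROUP_TBL rows: midPoint Roles (or Orgs) map here as kind=entitlement, intent=group -->
    <objectType>
        <kind>entitlement</kind>
        <intent>group</intent>
        <displayName>DB group</displayName>
        <objectClass>ri:GroupObjectClass</objectClass>
        <attribute>
            <ref>ri:GROUP_ID</ref>
            <outbound>
                <source><path>$focus/name</path></source>
            </outbound>
        </attribute>
    </objectType>
</schemaHandling>
```

With this in place, a role whose construction targets the entitlement/group object type provisions the GROUP_TBL row, and an association entry in the account construction provisions the USER_GROUP row for the assigned user.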
