[midPoint] [Midpoint-dev] Inducement updates are not propagated to User after reconciliation

Anand Kothekar anand.kothekar at confluxsys.com
Thu Feb 5 14:17:59 CET 2015


Hi,

Using the <strength>strong</strength> tag helped me with adding the attribute. And
let me also tell you that it's working only after you reconcile the user
from administrator.

I was testing the scenario and the <strength> tag was never lost in my case.

Adding new attributes is working fine, but when you try to delete any of the
attributes it's not getting reflected in LDAP.


*Scenario 1*:

  1. Role1 had an OpenLDAP account as an inducement. The induced
     account also had the attributes host1, host2, host3.

  2. Role1 was then assigned to a user and the user got the OpenLDAP account
     as well as host1, host2, host3 as expected. The entry was added in LDAP too.

  3. <attribute>
       <ref xmlns:qn546="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn546:host</ref>
       <outbound>
         <strength>strong</strength>
         <expression>
           <value>host1</value>
           <value>host2</value>
           <value>host3</value>
         </expression>
       </outbound>
     </attribute>

  4. The host3 attribute was deleted from the Role1 XML and the user was reconciled.
     The <strength> tag was still present.

  5. The host3 attribute was not removed from LDAP.

  6. The host3 attribute is not getting deleted from the OpenLDAP account
     (in midPoint) which the user got due to the inducement. If we try to remove the
     attribute from the OpenLDAP account, the attribute is getting deleted from LDAP as
     well.



*Scenario 2*:

  1. Role1 has an LDAP account with the attributes host1, host2, host3 as an
     inducement.

  2. Role2 has Role1 as an inducement.

  3. Role2 is then assigned to a user.

  4. The user gets all the host attributes as well as the OpenLDAP account with
     the attributes host1, host2, host3.

  5. Now when you unassign Role1 from Role2 and reconcile the user, the LDAP
     account (in midPoint) is not getting removed and the attributes host1, host2, host3 are
     still present for the user.


    Please assist me with the proper solution.



Regards
Anand Kothekar



On Tue, Feb 3, 2015 at 1:57 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

>  .. I have just checked your sample once again. You DO have
> strength=strong for inducement mapping, I was looking a few lines above to
> the assignments part.
>
> Can you please check anyway, if the strength is still there (using
> Configuration - Repository objects) and if your testing scenario is somehow
> different from mine?
>
> Thanks,
> Ivan
>
>
> On 02/03/2015 09:23 AM, Ivan Noris wrote:
>
> Hi Anand,
>
> I have experimented a little with similar setup.
>
> First, I took one of my customer roles, which work. I added two attribute
> mappings to the role construction for OpenDJ resource, such as:
>
> <attribute>
>   <ref>ri:preferredLanguage</ref>
>   <outbound>
>     <strength>strong</strength>
>     <expression>
>       <value>sk</value>
>     </expression>
>   </outbound>
> </attribute>
>
> <attribute>
>   <ref>ri:carLicense</ref>
>   <outbound>
>     <strength>strong</strength>
>     <expression>
>       <value>XXX</value>
>     </expression>
>   </outbound>
> </attribute>
>
> I already had a user with this role assigned, so after I reimported
> the role definition (because I had changed the XML file with my role), I
> edited the user, checked the "reconcile" checkbox, and saved. After saving,
> the user surely had both attributes (preferredLanguage and carLicense) set to
> the predefined values. Before the save, the values were not defined for that
> OpenDJ account, as they were never part of that role before.
>
> Next I edited the role again through Configure - Repository objects and
> changed the values (e.g. preferredLanguage to "en" and carLicense to
> "YYY"). Then I edited the same user, checked the "reconcile" checkbox and
> saved. After saving, preferredLanguage was set to "en" and carLicense
> had two values (both the original and the new "YYY", because it's a multivalued
> attribute).
>
> Later I just made another change in the attribute value and it still
> worked.
>
> So it seems to be working as it should. *But*, while testing, I
> discovered https://jira.evolveum.com/browse/MID-2194. The symptom is as
> follows: whenever you edit role through GUI, the strength for attributes is
> lost. It's enough just to edit+save role using Role editor. Configure -
> Repository objects (XML editor) is fine.
>
> When I look at your role export, there is *no strength* for any of the
> attributes in outbound mappings. I believe it might be caused by the bug
> I've just reported. So please, either edit the role using Repository
> objects XML editor until we fix it; or please create the roles as XML files
> and import them to midPoint. It should be ok if you export your existing
> roles and fix them in XML files and then reimport.
>
> Best regards,
> Ivan
>
> On 02/02/2015 04:24 PM, Anand Kothekar wrote:
>
> Hi,
>
> As per our discussion I tried to put the <strength> tag in the role, but it didn't
> work for me.
>
> Basically we had two host attribute values in the inducement and the member user
> also had the same host membership; then after modifying the inducement I
> reconciled the user, but there was no change in the host attribute of the user's LDAP account.
>
> I have attached the sample role XML, please have a look and let me know
> if I am doing anything wrong.
>
>
>
>  Thanks,
> Anand Kothekar
>
>
>
> On Fri, Jan 23, 2015 at 3:15 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>>  Hi Anand,
>>
>> please see inline:
>>
>> On 01/23/2015 06:17 AM, Anand Kothekar wrote:
>>
>> Hi Ivan
>>
>> First of all, the LDAP connector supports auxiliary object classes. I have
>> tested it and it works for me.
>>
>> Secondly, the host attribute is defined in the resource schema and I have
>> added it in Schema Handling, but I do not have any outbound mapping right
>> now (quite usual for our requirement; most of the resources have such
>> attributes that cannot be mapped to any focal object in midPoint).
>>
>> Is it possible that I can map whatever the user has entered (instead of
>> mapping the host or any other attribute to midPoint's focal object) to the
>> target resource attribute in an outbound mapping?
>>
>>
>> If the user enters the value in the form, you don't need mappings.
>> Mappings are used to set the target attribute value according to some
>> other attribute value or expression.
>>
>> Some examples:
>> If you need to copy the user/givenName attribute value to LDAP's sn
>> attribute, you need an outbound mapping in the resource schema handling.
>> If you need to generate LDAP's sn attribute value by taking the
>> user/givenName attribute value and (for example) lowercasing all attributes
>> and removing diacritics, you need an outbound mapping in the resource schema
>> handling.
>> If you want the user to set LDAP's host attribute to a
>> user-defined value, i.e. in the GUI form, manually, you don't need any
>> mapping for this attribute. If the user enters the value manually, provisioning
>> will store the value on the resource. It is NOT remembered in midPoint.
>> There is no expression for how to derive the value, thus no mapping. And
>> midPoint has no way of forcing the attribute value to contain the
>> user-defined value during the reconciliation, because the user-defined value is
>> stored only in LDAP, not in midPoint. When outbound mappings are used, the
>> target attribute value can be derived from some source
>> attribute(s)/expressions, so midPoint can enforce these values.
>>
>> Maybe there is another way to achieve what you need, if I understand
>> it correctly. Define an extended attribute in User (by extending the schema)
>> and let the user set/modify this extended attribute. Then you can have a
>> schema handling mapping in the resource, and you can thus use strong mapping
>> strength.
>>
>> Best regards,
>> Ivan
>>
>>
>>
>> My concern is that there is no way in the UI to set the strength, and doing
>> it at the policy level is quite unmanageable (there is one resource, but there
>> will be thousands of inducements).
>>
>> So just to summarize:
>> - we want this to be done at the resource level.
>>
>> - I think it is achievable if we can define an outbound mapping so that the
>> user-entered value is mapped to the target attribute.
>>
>>
>>  Thanks
>> Anand
>>
>>
>> On Thu, Jan 22, 2015 at 8:36 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>>  Hi,
>>>
>>> as you have the mapping in the role, not in the resource, you should have the
>>> mapping set as strong for the "host" attribute in *all* applicable roles
>>> (that are setting this attribute).
>>>
>>> There will be no configuration in resource, because there is no mapping
>>> for that attribute at the resource level. The strength always applies to
>>> the mapping definition.
>>>
>>> You mentioned that this is auxiliary object class. Not sure if the LDAP
>>> connector supports such classes...
>>>
>>> Regards,
>>> I.
>>>
>>>
>>> On 01/22/2015 03:49 PM, Anand Kothekar wrote:
>>>
>>> Hi,
>>>
>>> Yes, the host attribute will be entered by the user who is managing
>>> midPoint, or it will be populated in the inducement of a role by our custom
>>> code. It will never be automated to get the value from any focus object
>>> like User.
>>>
>>>
>>>  Thanks
>>> Anand
>>>
>>>
>>>
>>> On Thu, Jan 22, 2015 at 7:56 PM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>>  Hi Anand,
>>>>
>>>> can you please be more precise about "value entered by user"?
>>>> Do you mean that the host and/or(?) description attributes are expected
>>>> to be managed by the user who is editing the user in midPoint, on the right
>>>> side of User details in Accounts part? Are these expected to be set always
>>>> explicitly by the user? No automation from midpoint user attributes?
>>>>
>>>> Thanks,
>>>> I.
>>>>
>>>>
>>>> On 01/22/2015 02:03 PM, Anand Kothekar wrote:
>>>>
>>>> Hi Ivan,
>>>>
>>>>  Thanks for your inputs.
>>>>
>>>> I tried it by adding this constraint in the inducement itself and it
>>>> worked, but I want to do this at the resource level.
>>>>
>>>> I tried adding the same in the resource, but the thing is I do not have
>>>> any outbound mapping defined for these attributes (as I use the value
>>>> entered by the user); now if I add only the strength property in outbound it gives
>>>> me an error.
>>>>
>>>> Can you help me by pointing to the right kind of mapping I need to
>>>> do.
>>>>
>>>> Here is the host attribute snippet from my resource:
>>>> <attribute>
>>>>   <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:host</ref>
>>>>   <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>>>>   <outbound>
>>>>     <strength>strong</strength>
>>>>   </outbound>
>>>> </attribute>
>>>>
>>>> I need to know how I can map the value entered by the user.
>>>>
>>>>
>>>>
>>>>  Thanks,
>>>>  Anand Kothekar
>>>>
>>>>
>>>> On Thu, Jan 22, 2015 at 5:52 PM, Ivan Noris <ivan.noris at evolveum.com>
>>>> wrote:
>>>>
>>>>>  Hi Anand,
>>>>>
>>>>> can you please define the mappings for description and host attributes
>>>>> as strong?
>>>>>
>>>>> Something like:
>>>>>
>>>>>                 <attribute>
>>>>>                     <ref>ri:description</ref>
>>>>>                     <outbound>
>>>>>                         <strength>strong</strength>
>>>>> . . .
>>>>>                     </outbound>
>>>>>                 </attribute>
>>>>> Then run the reconciliation again please.
>>>>>
>>>>> If you already have this configured and it does not work, please share
>>>>> the attribute mappings here.
>>>>>
>>>>> Regards,
>>>>> I.
>>>>>
>>>>>
>>>>> On 01/20/2015 11:15 AM, Anand Kothekar wrote:
>>>>>
>>>>>  Hi,
>>>>>
>>>>> I have been playing around with role inducements and found an
>>>>> issue; I need some quick help as inducements are quite important for our
>>>>> solution.
>>>>>
>>>>> *Issue:* Inducement updates are not propagated properly to the User
>>>>> after reconciliation.
>>>>>
>>>>> *Details:* When a user is assigned a role having a resource
>>>>> inducement, the User gets the appropriate accounts and induced group memberships.
>>>>> Now, changes to some attributes in the role inducements are not propagated after
>>>>> reconciling the User.
>>>>>
>>>>> *Steps Followed:*
>>>>> - I added an LDAP resource inducement in a new Role. I provided
>>>>> some attributes like LdapGroups, Host, and description.
>>>>> - The User is assigned to this Role. The User gets the LDAP account,
>>>>> appropriate group memberships and the other attributes specified in the inducement
>>>>> (i.e. description, host (a multivalued attribute from an auxiliary object
>>>>> class)). So all good till now.
>>>>> - Now I updated the resource inducement, for example changed the
>>>>> description, added a few groups, added a few hosts.
>>>>> - After the inducement modification I reconciled the User, and the following
>>>>> are the results:
>>>>>
>>>>> - Group membership is updated appropriately.
>>>>>
>>>>> - Description is not updated
>>>>>
>>>>> - host attribute is not updated
>>>>>
>>>>>
>>>>> Can you guys please check and let me know if I am doing something
>>>>> wrong, or whether it is a problem somewhere in my resource or some other issue with
>>>>> the midPoint system.
>>>>>
>>>>>  Regards
>>>>> Anand Kothekar
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint-dev mailing list
>>>>> midPoint-dev at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint-dev
>>>>>
>>>>>
>>>>> --
>>>>>   Ing. Ivan Noris
>>>>>   Senior Identity Management Engineer
>>>>>   evolveum.com     evolveum.com/blog/
>>>>>   _____________________________________________
>>>>>   "Semper Id(e)M Vix."
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
>
>
>
>
>
>
>
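For reference, here is a complete Role1/Role2 pair modelled on the two scenarios in this thread, written as an added example rather than taken from Anand's attachment or from the midPoint project. It shows where the <strength> element has to sit (inside the <outbound> mapping of the construction's attribute, as Ivan describes) and how Role2 induces Role1 for Scenario 2. The OIDs, the resource OID, and the intent "default" are placeholders assumed for the example; substitute your own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. All OIDs below are assumed placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

  <!-- Scenario 1: Role1 induces an OpenLDAP account whose host attribute is
       set by a strong mapping, so reconciliation enforces exactly these values. -->
  <role oid="11111111-1111-1111-1111-111111111111">
    <name>Role1</name>
    <inducement>
      <construction>
        <!-- assumed OID of the OpenLDAP resource -->
        <resourceRef oid="22222222-2222-2222-2222-222222222222" type="c:ResourceType"/>
        <kind>account</kind>
        <intent>default</intent>
        <attribute>
          <ref>ri:host</ref>
          <outbound>
            <!-- strength belongs to the mapping, i.e. under <outbound>;
                 a strong mapping is what lets reconcile remove stale values -->
            <strength>strong</strength>
            <expression>
              <value>host1</value>
              <value>host2</value>
              <value>host3</value>
            </expression>
          </outbound>
        </attribute>
      </construction>
    </inducement>
  </role>

  <!-- Scenario 2: Role2 induces Role1, so a user assigned Role2 gets
       everything Role1 induces (the account and its host values). -->
  <role oid="33333333-3333-3333-3333-333333333333">
    <name>Role2</name>
    <inducement>
      <targetRef oid="11111111-1111-1111-1111-111111111111" type="c:RoleType"/>
    </inducement>
  </role>
</objects>
```

Import this file with "overwrite existing objects" enabled (or paste the role into Configuration - Repository objects), then reconcile the affected user. Given the GUI bug Ivan reports (MID-2194), check the stored role in Repository objects after every edit to confirm the <strength> element is still present before drawing conclusions from a reconcile run.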