[midPoint] [Midpoint-dev] Inducement updates are not propagated to User after reconciliation

Ivan Noris ivan.noris at evolveum.com
Fri Jan 23 10:45:18 CET 2015


Hi Anand,

please see inline:

On 01/23/2015 06:17 AM, Anand Kothekar wrote:
> Hi Ivan
>
> First of all Ldap connector supports Auxiliary object classes. I have
> tested it and it works for me.
>
> Secondly, The host attribute is defined in resource schema and I have
> added it in Schema Handling but i do not have any outbound mapping
> right now (quite usual for our requirement, most of the resources have
> such attributes that cannot be mapped to any focal object in midpoint).
>
> Is it possible that i can map whatever user has entered (instead of
> mapping the host or any other attribute to midpoint's focal object) to
> target resource attribute in outbound mapping.

If the user enters the value in the form, you don't need mappings.
Mappings are used to set the target attribute value according to some
other attribute value or expression.

Some examples:
If you need to copy user/givenName attribute value to LDAP's sn
attribute, you need an outbound mapping in resource schema handling.
If you need to generate LDAP's sn attribute value by taking
user/givenName attribute value and (for example) lowercasing all
characters and removing diacritics, you need an outbound mapping in
resource schema handling.
If you want the user to set the LDAP's host attribute to a
user-defined value, i.e. in the GUI form, manually, you don't need any
mapping for this attribute. If the user enters the value manually,
provisioning will store the value to the resource. It is NOT remembered
in midPoint. There is no expression for how to derive the value, thus no
mapping. And midPoint has no way of forcing the attribute value to
contain the user-defined value during the reconciliation, because the
user-defined value is stored only on LDAP, not in midPoint. When
outbound mappings are used, the target attribute value can be derived
from some source attribute(s)/expressions, so midPoint can enforce these
values.

Maybe there is another way to achieve what you need, if I understand
it correctly. Define an extended attribute in User (by extending the schema)
and let the user set/modify this extended attribute. Then you can have
a schema handling mapping in the resource, and you can thus use strong
mapping strength.

Best regards,
Ivan

>
> My concern is that there is no way in the UI to set the strength, and doing
> it at policy level is quite unmanageable (the resource is one but
> inducements will be thousands).
>
> So just to summarize
> - we want this to be done at resource level.
>
>     - i think it is achievable if we can define an outbound mapping so
>     that the user-entered value is mapped to the target attribute.
>
>
> Thanks
> Anand
>
>
> On Thu, Jan 22, 2015 at 8:36 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi,
>
>     as you have the mapping in role, not in resource, you should have
>     the mapping set as strong for "host" attribute in *all* applicable
>     roles (that are setting this attribute).
>
>     There will be no configuration in resource, because there is no
>     mapping for that attribute at the resource level. The strength
>     always applies to the mapping definition.
>
>     You mentioned that this is auxiliary object class. Not sure if the
>     LDAP connector supports such classes...
>
>     Regards,
>     I.
>
>
>     On 01/22/2015 03:49 PM, Anand Kothekar wrote:
>>     Hi,
>>
>>     Yes, the host attribute will be entered by the user who is
>>     managing the midpoint or it will be populated in inducement of a
>>     role by our custom code . It will never be automated to get the
>>     value from any focus object like User.
>>
>>
>>     Thanks
>>     Anand
>>
>>
>>
>>     On Thu, Jan 22, 2015 at 7:56 PM, Ivan Noris
>>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>         Hi Anand,
>>
>>         can you please be more precise about "value entered by user"?
>>         Do you mean that the host and/or(?) description attributes
>>         are expected to be managed by the user who is editing the
>>         user in midPoint, on the right side of User details in
>>         Accounts part? Are these expected to be set always explicitly
>>         by the user? No automation from midpoint user attributes?
>>
>>         Thanks,
>>         I.
>>
>>
>>         On 01/22/2015 02:03 PM, Anand Kothekar wrote:
>>>         Hi Ivan, 
>>>
>>>         Thanks for your inputs.
>>>
>>>         I tried it by adding this constraint in inducement itself
>>>         and it worked but I want to do this at resource level.
>>>
>>>         I tried adding the same in resource but the thing is I do
>>>         not have any outbound mapping defined for these attributes
>>>         (as I use the value entered by user ) now if I add only
>>>         strength property in outbound it gives me Error.
>>>
>>>         Can you help me with pointing to the right kind of mapping I
>>>         need to do.
>>>
>>>         Here is the host attribute snippet from my resource:
>>>             <attribute>
>>>                 <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:host</ref>
>>>                 <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>>>                 <outbound>
>>>                     <strength>strong</strength>
>>>                 </outbound>
>>>             </attribute>
>>>
>>>         I need to know how I can map value entered by user.
>>>
>>>
>>>
>>>         Thanks,
>>>         Anand Kothekar
>>>
>>>
>>>         On Thu, Jan 22, 2015 at 5:52 PM, Ivan Noris
>>>         <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>>
>>>         wrote:
>>>
>>>             Hi Anand,
>>>
>>>             can you please define the mappings for description and
>>>             host attributes as strong?
>>>
>>>             Something like:
>>>
>>>                 <attribute>
>>>                     <ref>ri:description</ref>
>>>                     <outbound>
>>>                         <strength>strong</strength>
>>>                         . . .
>>>                     </outbound>
>>>                 </attribute>
>>>             Then run the reconciliation again please.
>>>
>>>             If you already have this configured and it does not
>>>             work, please share the attribute mappings here.
>>>
>>>             Regards,
>>>             I.
>>>
>>>
>>>             On 01/20/2015 11:15 AM, Anand Kothekar wrote:
>>>>             Hi,
>>>>
>>>>             I have been playing around with role inducements and
>>>>             found some issue, need some quick help as inducements
>>>>             are quite important for our solution.
>>>>
>>>>             _Issue:_ Inducement updates are not propagated properly
>>>>             to User after reconciliation.
>>>>
>>>>             _Details:_ When a user is assigned a role having a
>>>>             resource inducement, the User gets appropriate accounts and
>>>>             induced group memberships. Now, changes to some attributes
>>>>             in role inducements are not propagated after
>>>>             reconciling the User.
>>>>
>>>>             _Steps Followed:_
>>>>             - I added an ldap resource inducement in a new Role.
>>>>             I provided some attributes like LdapGroups, Host, and
>>>>             description.
>>>>             - User is assigned to this Role. User gets the ldap
>>>>             account, appropriate group memberships and other
>>>>             attributes specified in the inducement (i.e. description,
>>>>             host (multivalued attribute from an Auxiliary object
>>>>             class)). So all good till now.
>>>>             - Now I updated the Resource inducement, for example
>>>>             changed the description, added a few groups, added a few hosts.
>>>>             - After the inducement modification I reconciled the User,
>>>>             and following are the results:
>>>>
>>>>                 - Group membership is updated appropriately.
>>>>
>>>>                 - Description is not updated
>>>>
>>>>                 - host attribute is not updated
>>>>
>>>>
>>>>             Can you guys please check and let me know if I am doing
>>>>             something wrong or is it a problem somewhere in my
>>>>             resource or some other issue with midpoint system.
>>>>
>>>>             Regards
>>>>             Anand Kothekar
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."
