[midPoint] Active Directory and custom attributes & auxiliary objectclass
midpoint at mybtinternet.com
midpoint at mybtinternet.com
Tue Jul 7 16:07:35 CEST 2015
Hi,
Extending the default user objectClass is just wrong ...
Thx Pavol for the detailed response; much appreciated!
Jason, yes, this is exactly what I want to do. I was thinking that since all the attributes can be defined against
the midPoint __ACCOUNT__ and still read + update the attributes defined as auxiliary in AD, the only thing I
need to achieve is make the connector add the auxiliary class by default on user create.
I was able to do this with OpenIDM by defining (where tscPerson is my auxiliary class):
"accountObjectClasses" : [
"organizationalPerson",
"person",
"user",
"tscPerson"
],
Jason; did you define your custom attributes against __ACCOUNT__ in the ObjectClassesExtensionFile or
against the appropriate auxiliary class? Also, as the account create is atomic, did you override the create
script? Do you have a sample you could share?
If I try to add a custom attribute against the custom class in ObjectClassesExtensionFile; how do I indicate
this applies to the account? midPoint complains that the attribute is not part of the AccountObjectClass -
which makes sense ...
Thx
Regards,
Anton
----Original message----
>From : jeverling at bshp.edu
Date : 06/07/2015 - 17:03 (BST)
To : midpoint at lists.evolveum.com
Subject : Re: [midPoint] Active Directory and custom attributes & auxiliary objectclass
I am using the AD Connector with additional custom auxiliary object classes ( I have 4 additional classes ) and it works fine when I create new users in the GUI or from any other resource and is correctly created in AD.
My Object Classes managed in midPoint using the extension functionality
bshpGroup
bshpOrg
bshpPerson
eduPerson
All of the above in AD Schema are Class Type: Auxiliary with Parent "top"
Is this not the same?
JASON
On Mon, Jul 6, 2015 at 9:05 AM, Pavol Mederly <mederly at evolveum.com> wrote:
Hello Anton,
now I perhaps understand your situation a little bit better.
Because what I was used to see was that people extended the
"basic" AD user object with custom attributes, without introducing
separate objectClasses. Neither did I; and although I've seen that
you had mentioned using auxiliary object classes, I have no
experiences with them in Active Directory.
I was hoping it is possible to override
the objectClasses in the schema handling, but
can't find an example.
If you mean adding auxiliary object classes, then a sample is e.g.
in testing\story\src\test\resources\unix\resource-opendj.xml
file. However, unfortunately, this is a feature of new LDAP
connector. The ActiveDirectory connector does not support
auxiliary object classes yet.
The other option, I guess, would be to use
the the custom
schema feature of ObjectClassesExtensionFile, but I have a few
questions on this:
1) Is the objectClass type always Tenant?
No. The new object class can be anything. "Tenant" was an object
class that was used in a particular customer's setting.
2) Does this add an objectClass in addition of the user class or
instead of the user class?
In addition to the user class. The existing AccountObjectClass
will be left intact. New object class will be seen in midPoint as
CustomsomeNameObjectClass, if the object class will be
defined as "someName" in the connector.
Unfortunately, the connector will not recognize such a class to be
an extension of the AccountObjectClass and will not apply the
standard functionality (written in C#) to manage objects of this
class.
So, if you would like to use it to manage your users, you would
need either
1) to implement everything in PowerShell, which is quite a lot of
work (given that you would have to implement e.g. exception
handling, and so on),
2) or to do some hacking with custom scripts, like calling
original AD connector to do its part of the work and then manage
specific attributes using PowerShell.
Neither of this seems to me a "clean solution".
Overall, we plan to enhance Active Directory connector with some
of the new features Radovan has recently implemented for LDAP one.
Auxiliary object class support is among them. But I cannot say
when that would be done. Maybe you could contact Igor Farinic for
options there.
3) How / when are the custom scripts called?
Custom scripts feature is currently only available in Exchange
connector, which is a superset of AD connector useful mainly if
you want to manage also Exchange objects. (But I think nothing
precludes the use of it in AD-only settings; I hope it no longer
depends on the existence of specific Exchange run time libraries.)
These scripts are called before, after and/or instead of "main" C#
code. They can be configured with regards to object class and
operation. E.g. you can define a "Before" script for each "Create"
operation for "AddressBookList" object class. Or, if you have a
custom object class, you have to define all the operations as
PowerShell custom scripts.
This is an example of definition of a custom script:
<?xml version="1.0"?>
<ScriptingInfo>
<OperationInfo>
<Type>Create</Type>
<AfterMain>
<ObjectType>OfflineAddressBook</ObjectType>
<File>after-create-OAB.ps1</File>
</AfterMain>
</OperationInfo>
</ScriptingInfo>
It says that after executing main C# routine for Create operation
for OfflineAddressBook object, the after-create-OAB.ps1 file
(stored in the ConnectorServer directory) will be executed.
Such a script can expect one parameter, called "ctx" (context),
pointing to the following data structure:
public class Context {
public Connector Connector { get; set; }
public ActiveDirectoryConfiguration
ConnectorConfiguration { get; set; }
public string OperationName { get; set; }
public Scripting.Position Position { get; set; }
public ObjectClass ObjectClass { get; set; }
}
(There are specific contexts for individual operations, see https://github.com/Evolveum/openicf/blob/master/connectors/dotnet/ActiveDirectoryConnector/Scripting.cs
4) Is there examples on how to use the custom schema feature?
Well, the documentation of these new features is still in its
beginnings. I'm afraid the wiki article I mentioned is the only
piece available :(
Maybe someone on this list could provide some examples...
Overall, the most clean way (as I currently see it) is to add
support for auxiliary object classes to the standard AD/Exchange
connector.
Best regards,
Pavol
On 6. 7. 2015 14:51, ANTON OPPERMAN wrote:
Thx Pavol! That is getting me very close ...
Took a while to figure out just how to do it; the documentation
can be clearer; e.g. where
the value of ObjectClassesExtensionFile is set and which system it
should be stored on. I
saw a ref in the UI that seemed to allow for this, but this didn't
work for me.
I have defined my custom schema entries in the AccountObjectClass
section and can
retrieve and set values if my auxiliary objectClass is present on
the user. Obviously
creating an account with schema extension fails as newly created
users will not have
the auxiliary objectClass (yet).
I was hoping it is possible to override the objectClasses in the
schema handling, but
can't find an example. The other option, I guess, would be to use
the the custom
schema feature of ObjectClassesExtensionFile, but I have a few
questions on this:
1) Is the objectClass type always Tenant?
2) Does this add an objectClass in addition of the user class or
instead of the user class?
3) How / when are the custom scripts called?
4) Is there examples on how to use the custom schema feature?
Thx!
Regards,
Anton
----Original
message----
From : mederly at evolveum.com
Date : 02/07/2015 - 15:17 (BST)
To : midpoint at lists.evolveum.com
Subject : Re: [midPoint] Active Directory and custom attributes
& auxiliary objectclass
Hello Anton,
the AD connector schema can now be extended via configuration.
Please see https://wiki.evolveum.com/display/midPoint/Extending+AD+and+Exchange+Connector+Schema+HOWTO
for a simple HOWTO.
However, contrary to what's written there, I would recommend
using the latest versions of AD/Exchange connector and ConnId:
- Exchange Connector: 1.4.1.20283 (https://wiki.evolveum.com/display/midPoint/Exchange+Connector)
- Connector Server: 1.4.0.84 (https://wiki.evolveum.com/display/midPoint/.NET+Connector+Server)
Also please note that auxiliary object classes are not
supported for AD. What you need to do is to extend the basic
AccountObjectClass (or object class for group/OU) with your
custom attributes.
Best regards,
Pavol
On 2. 7. 2015 16:10, midpoint at mybtinternet.com
wrote:
Hi,
We intend managing a number of different directories with
similar data but for populations of users that
must be stored separately. We also have a fairly extensive
number of custom attributes grouped in an
auxiliary objectClass.
For OpenDJ, I was able to setup the resources and am able to
manage all the custom attributes; e.g.
the connector allows definition of which classes to use.
Now trying to replicate with AD and have basic AD
provisioning working; however, I don't see similar
options for defining additional objectClasses to use. Have
looked in Jira; all references suggest modifying
objectClasses.xml and building a custom instance of the
connector. I don't see how the custom
objectClass is referenced. Have I missed something?
As for building a custom instance of the connector; I would
prefer not to do that as:
1) we could run into issues that are related
to our attempt of implementing
2) each time there is a new fix, we would need to go and
retro-fit and rebuild
3) each time we extend the schema, we need to go and
ammend and rebuild
While I may be able to build a custom instance, once this is
handed-over to business-as-usual, they
most certainly will not have the skills to support this.
Is this still the process to follow at this time, or has
this changed? If not changed, is there a plan to
make the AD adapter configurable ito custom schema (like
OpenDJ)? Time-frame?
Thx
Regards,
Anton
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
--
JASON
CONFIDENTIALITY NOTICE:
This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20150707/158589b8/attachment.htm>
More information about the midPoint
mailing list