[midPoint] create LDAP group

Ivan Noris ivan.noris at evolveum.com
Wed Jul 29 09:13:22 CEST 2015


Hi MiSo,

yes, it's possible, but be advised that the number of the groups will be
at least the number of your users...

If it's really what you want, the concept is quite simple:

1. synchronization from AD will create User in midPoint
2. (default) user template will assign a role e.g. "Basic LDAP" to each
User in midPoint (or whatever conditions you specify)
3. "Basic LDAP" role will have two inducements/constructions to create
two objects in LDAP:
  - kind: account, intent: default: to create user account in LDAP
  - kind: entitlement, intent: usergroup: to create a group for each
account in LDAP (the intent value can be anything you wish)
4. the LDAP resource needs two <objectType> parts in <schemaHandling>
(and probably also two <objectSynchronization> parts in
<synchronization>) to define rules for:
  - kind: account, intent: default, objectClass: ri:AccountObjectClass
(you should have this already if you are creating any accounts)
  - kind: entitlement, intent: usergroup, objectClass: ri:GroupObjectClass

In the entitlement/usergroup part of schema handling, you need to define
mappings for at least all mandatory LDAP attributes, so at least DN
(icfs:name for pre-3.2 midPoint LDAP connector) and CN. There you can
define any suffix you want and use e.g.:

            <attribute>
                <ref>icfs:name</ref>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <source>
                        <path>$focus/name</path>
                    </source>
                    <expression>
                        <script>
                            <code>
                                <!-- for user jsmith, the group DN is
                                     CN=usergroup-jsmith,OU=groups,dc=example,dc=com -->
                                tmpSuffix = 'OU=groups,dc=example,dc=com'
                                return 'CN=usergroup-' + name + ',' + tmpSuffix
                            </code>
                        </script>
                    </expression>
                </outbound>
            </attribute>

            <attribute>
                <ref>ri:cn</ref>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <strength>weak</strength>
                    <source>
                        <path>$focus/name</path>
                    </source>
                    <expression>
                        <script>
                            <code>
                                <!-- for user jsmith, the group CN is usergroup-jsmith -->
                                return 'usergroup-' + name
                            </code>
                        </script>
                    </expression>
                </outbound>
            </attribute>

(You don't need the "usergroup-" concatenation if you wish to have the
group name equal to username in midPoint. This is just a modified
example from one of my mappings.)

As a new user is created in midPoint and the user template mapping which
assigns the "Basic LDAP" role is evaluated, two objects will be created
in LDAP.

Regards,
Ivan

On 07/28/2015 07:54 PM, Steklac Michal wrote:
> Hi,
>
> I have a configuration where AD is the authoritative source for users. When
> a user is created in AD, a user (in midPoint terminology, an account) is
> created in LDAP. Is it possible to create a group in a different LDAP
> subtree with the same name? What is the best way?
> Example:
> AD - cn=Janko Hrasko,ou=midpoint,dc=sk with sAMAccountName=jhrasko
> LDAP user - uid=jhrasko,ou=people,ou=midpoint,dc=sk
> LDAP group - cn=jhrasko,ou=group,ou=midpoint,dc=sk
>
> Thanks & Best regards
> MiSo

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper Id(e)M Vix."
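Added example, not Ivan's or midPoint's code: the same CN/DN derivation as the Groovy mapping above, in Python, with the CN value escaped per RFC 4514 before it is placed in the DN. A plain concatenation of $focus/name yields a malformed or ambiguous DN when the user name contains a comma, plus, quotes or similar characters; the "usergroup-" prefix and the OU=groups,dc=example,dc=com suffix are the assumed values from the mapping, and same_dn() approximates the mr:stringIgnoreCase matching rule used there.

```python
# Group CN/DN derivation for the per-user LDAP group, with DN escaping.
# Constructed example: midPoint runs the Groovy mapping and assembles the
# DN itself; this only shows what a safe concatenation must handle.

# Characters that must be escaped inside an RDN attribute value (RFC 4514, 2.4).
_SPECIAL = set(',+"\\<>;')
PREFIX = "usergroup-"                     # as in the mapping on the page
SUFFIX = "OU=groups,dc=example,dc=com"    # assumed group container from the mapping


def escape_rdn_value(value: str) -> str:
    """Escape a single attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def group_cn(name: str) -> str:
    """CN of the per-user group: the prefix plus the midPoint user name."""
    if not name or name != name.strip():
        raise ValueError("empty or whitespace-padded user name")
    return PREFIX + name


def group_dn(name: str) -> str:
    """DN of the per-user group under SUFFIX, with the CN value escaped."""
    return "CN=" + escape_rdn_value(group_cn(name)) + "," + SUFFIX


def same_dn(a: str, b: str) -> bool:
    """Case-insensitive comparison, like the mr:stringIgnoreCase matching rule."""
    return a.casefold() == b.casefold()


if __name__ == "__main__":
    for user in ("jsmith", "smith, john"):
        print(group_cn(user), "->", group_dn(user))
```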
