[midPoint] Construct DN based on role

Pavol Mederly mederly at evolveum.com
Fri Jun 26 19:41:24 CEST 2015


Hello Anton,

one of the options is to get a list of all the user assignments and act on 
it, in a similar way to what I wrote to Roman this morning, i.e.

     <outbound>
       <strength>strong</strength>
       <source>
          <c:path>assignment</c:path>
       </source>
       <source> ....... any other sources, e.g. name, ... </source>
       <expression>
          <script>
             <relativityMode>absolute</relativityMode>
             <code>
                 isStaff = false
                 isAdmin = false
                 ...
                 // assignment is a PrismContainer
                 log.info('assignment = {}', assignment)
                 for (assignmentValue in assignment.getValues()) {
                   log.info('checking {}', assignmentValue)
                   targetRef = assignmentValue.asContainerable().getTargetRef()
                   if (targetRef?.getOid()?.equals("....staff role OID.....")) {
                      isStaff = true
                   } else if (targetRef?.getOid()?.equals("....admin role OID.....")) {
                      isAdmin = true
                   }
                   ...
                 }

                 ... and now construct the DN based on isStaff, isAdmin etc.

             </code>
          </script>
       </expression>
    </outbound>

I haven't actually tried it; but it could work.

Another, and perhaps more elegant, way is to induce some user properties 
in the roles. E.g. the admin role could put the value "Admin" into the 
"employeeType" property. It would look like this:

<role>
    <name>admin</name>
    <displayName>admin</displayName>
    <inducement>
        <focusMappings>
            <mapping>
                <expression>
                    <value>Admin</value>
                </expression>
                <target>
                    <path>employeeType</path>
                </target>
            </mapping>
        </focusMappings>
    </inducement>
</role>

And then you can use employeeType as just another source when 
constructing the user DN. Beware of situations when there would be more 
than one employeeType value (e.g. the user would be both admin and, let's 
say, manager). A naive implementation of the mapping would yield two DNs 
for the user.

Maybe someone with more experience in midPoint deployment (Ivan?) would 
improve these options a bit.

Best regards,
Pavol

On 26. 6. 2015 19:08, midpoint at mybtinternet.com wrote:
> Hi,
>
>   I have a role defined with an inducement for an Active Directory 
> account and am able to successfully
>   provision a basic account. However, I need the target container to 
> be variable based on the user's
>   role; e.g. staff goes to ou=staff,<directory-suffix> and admin users 
> to ou=admin,<directory-suffix>.
>
>   I was hoping to use ad_container in the role's inducement of the 
> Active Directory account. The
>   attempted provisioning fails with "Cannot represent container value 
> without a parent as containerable".
>
>   Also tried to find, unsuccessfully, references on how to 
> programmatically get the user's role/s or
>   assignments and then construct the DN based on values.
>
>   Any suggestions?
>
> Thx,
>   Anton
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
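The second approach from Pavol's reply, carried through as an added worked example (this is not code from the thread or from midPoint itself): the script body of the outbound DN mapping, taking `name` and `employeeType` as sources and resolving the multi-valued case he warns about by picking exactly one OU in a fixed precedence order, so a user who is both admin and manager still gets a single DN. The directory suffix, the "Admin"/"Manager"/"Staff" values and the OU names are assumptions for illustration; the only library call is `javax.naming.ldap.Rdn.escapeValue` from the JDK, used so that a comma or plus sign in a user name cannot break or reshape the DN.

```groovy
// Script body for the <code> element of the outbound DN mapping.
// Assumed sources declared on the mapping: <path>name</path> and <path>employeeType</path>.
// employeeType arrives as null, a single value, or a Collection when several
// roles induce a value; the mapping must still return exactly one DN.
import javax.naming.ldap.Rdn

// Assumed directory suffix; replace with the deployment's real suffix.
def suffix = 'dc=example,dc=com'

// Precedence order, highest first (Groovy map literals keep insertion order).
// Values are assumed to match what the roles induce into employeeType.
def ouByType = [
    'Admin'   : 'ou=admin',
    'Manager' : 'ou=manager',
    'Staff'   : 'ou=staff',
]
def defaultOu = 'ou=users'

// Normalise the source to a list of non-empty strings whatever shape midPoint hands over.
def types = (employeeType == null) ? [] :
            (employeeType instanceof Collection ? employeeType.toList() : [employeeType])
types = types.collect { it?.toString() }.findAll { it }

// First entry in precedence order that the user actually holds, or the default OU.
def chosen = ouByType.keySet().find { types.contains(it) }
def ou = chosen ? ouByType[chosen] : defaultOu

// No name means no account DN; returning null gives the attribute no value.
if (name == null) {
    return null
}

// Escape the RDN value so special characters in the name cannot alter the DN structure.
return 'cn=' + Rdn.escapeValue(name.toString()) + ',' + ou + ',' + suffix
```

The same precedence table can serve the first approach as well: key it by role OID instead of employeeType value and fill `types` from the `targetRef` OIDs collected in the assignment loop, and the rest of the script is unchanged. Whichever source is used, the `find` over an ordered map is what guarantees one DN per user; appending each matching OU instead would reproduce the two-DN problem.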
