[midPoint] create LDAP group
Pavol Mederly
mederly at evolveum.com
Thu Oct 1 12:56:35 CEST 2015
Hello MiSo,
your script could work.
But please set the mapping strength to strong (or normal) and set script
relativityMode to absolute by setting
<relativityMode>absolute</relativityMode> as a child of <script> element.
Haven't tried that but it could work. The mapping would maintain
uniqueMembers property to be either one-element set (containing the user
if he's enabled) or an empty set otherwise.
Best regards,
Pavol
> Hi,
>
> I have an LDAP resource where I create an LDAP group for a user from
> midPoint. When the group is created in LDAP, the user is added to this
> group in LDAP. Next, users are added to LDAP groups in LDAP.
> Is it possible to remove all uniqueMembers in LDAP when the user is disabled
> in midPoint? This is an example:
> ...
> <attribute>
>     <ref>ri:uniqueMember</ref>
>     <matchingRule>mr:stringIgnoreCase</matchingRule>
>     <outbound>
>         <strength>weak</strength>
>         <source>
>             <path>$focus/name</path>
>         </source>
>         <source>
>             <path>$user/activation/administrativeStatus</path>
>         </source>
>         <expression>
>             <script>
>                 <code>
>                     import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
>
>                     if(ActivationStatusType.DISABLED == administrativeStatus){
>                         return ''; // REMOVE ALL UNIQUEMEMBE
>                     } else {
>                         def suffix = ',ou=people,dc=bla,dc=sk'
>                         def prefix = 'uid=';
>                         dn = prefix + name + suffix;
>                         return dn;
>                     }
>                 </code>
>             </script>
>         </expression>
>     </outbound>
> </attribute>
> ...
>
> Thanks & regards
> MiSo
>
> On St, 2015-08-19 at 11:16 +0000, Steklac Michal wrote:
>> Hi Ivan,
>>
>> Thank you, I will try it.
>> Sorry, I wrote again because I didn't receive a response. In the
>> period from 07/22/2015 to 08/17/2015 I didn't receive any emails from
>> this mailing list. Now I receive mail.
>>
>> Thanks & regards
>> MiSo
>>
>> On St, 2015-08-19 at 12:31 +0200, Ivan Noris wrote:
>>> Hi MiSo,
>>>
>>> I believe we have already discussed this here
>>> http://lists.evolveum.com/pipermail/midpoint/2015-July/001285.html
>>>
>>> Regards,
>>> Ivan
>>>
>>> On 08/18/2015 08:19 PM, Steklac Michal wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a configuration where AD is the authoritative source for users.
>>>> When a user is created in AD, then a user is created in LDAP (in midPoint
>>>> terminology, an account). Is it possible to create a group in a different
>>>> LDAP subtree with the same name? What is the best way?
>>>> Example:
>>>> AD - cn=Janko Hrasko,ou=midpoint,dc=sk (with sAMAccountName=jhrasko)
>>>> LDAP user - uid=jhrasko,ou=people,ou=midpoint,dc=sk
>>>> LDAP group - cn=jhrasko,ou=group,ou=midpoint,dc=sk
>>>>
>>>> Thanks & Best regards
>>>> MiSo
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
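Putting Pavol's advice together with MiSo's snippet, here is what the corrected outbound mapping looks like. This is an added example written for this page, not code from the original thread or from the midPoint project; it assumes the same directory layout as MiSo's script (`uid=<name>,ou=people,dc=bla,dc=sk`), uses `$focus` for both sources, and uses the `basic.stringify()` helper from midPoint's basic function library to turn the PolyString `name` into a plain string.

```xml
<!-- Added example (not from the original thread). Outbound mapping for the
     group's ri:uniqueMember attribute: the member set is exactly one DN while
     the user is enabled and empty once the user is disabled in midPoint. -->
<attribute>
    <ref>ri:uniqueMember</ref>
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <outbound>
        <!-- weak only fills an attribute that is still empty, so it can never
             take a member away; strong makes midPoint enforce the computed set
             on every recompute and reconciliation -->
        <strength>strong</strength>
        <source>
            <path>$focus/name</path>
        </source>
        <source>
            <path>$focus/activation/administrativeStatus</path>
        </source>
        <expression>
            <script>
                <!-- absolute: the script sees whole values and returns the full
                     target set; an empty collection means "no members", which
                     is what removes the user from the group -->
                <relativityMode>absolute</relativityMode>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType

                    // Explicitly disabled: the group keeps no members at all.
                    // (A null status is left alone, as in the original script:
                    // midPoint treats a missing administrativeStatus as enabled.)
                    if (ActivationStatusType.DISABLED == administrativeStatus) {
                        return []
                    }

                    // Enabled: exactly one member, the user's own LDAP entry.
                    // Assumed base DN, taken from MiSo's example.
                    def suffix = ',ou=people,dc=bla,dc=sk'
                    return ['uid=' + basic.stringify(name) + suffix]
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
```

Two things worth checking after deploying a mapping like this: returning an empty collection (or null) is what tells midPoint the attribute should have no values, whereas returning `''` asks the connector to write an empty DN as a member, which the LDAP server rejects; and because `strong` only takes effect when the mapping is evaluated, users who were already disabled keep their old membership until a recompute or reconciliation of the resource runs.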