[midPoint] Help looping on Active Directory groups

Pavol Mederly mederly at evolveum.com
Thu Sep 3 16:48:16 CEST 2015 

Fabio,

you're right: it's icfs:groups, not ri:groups (sorry for that).

The error you're experiencing is caused by the fact that midPoint 
evaluates not only the current value of attribute, but also a change in 
that value. So, sometimes it needs to take the old attribute value 
(which is null in this case, because - at least I am convinced so - 
midPoint considers the account as being newly created in this particular 
case) and execute the provided script on it.

So you should just assume that input might be null, and treat is just 
like an empty array.

See also 
http://lists.evolveum.com/pipermail/midpoint/2015-August/001292.html

Best regards,
Pavol

> Hi Pavol,
> thanks for your suggestions. Now, I have modified the xml code for 
> attribute on the AD resource:
>
>                  <attribute>
>                     <ref>icfs:groups</ref>
> <displayName>Gruppi</displayName>
>                     <inbound>
>                         <expression>
>                           <script>
> <relativityMode>absolute</relativityMode>
>                             <code>
>                       def isdirettore = false
>                                 def n = input.size()
>                       for (def i = 0; i < n; i++) {
>                                     def gruppo = input.get(i)
>                           if (it =~ /^CN=.*_DIV.._DIR.*$/) {
>                               isdirettore = true
>                                     }
>                                 }
>                                 isdirettore
>                             </code>
>                           </script>
>                         </expression>
>                         <target>
> <path>$user/extension/mise:organizzazione</path>
>                         </target>
>                     </inbound>
>                  </attribute>
>
>
> But I have the "input" variable null, as I can see from idm.log:
>
> ERROR 
> (com.evolveum.midpoint.model.common.expression.script.ScriptExpression): 
> Expression error: java.lang.NullPointerException: Cannot invoke method 
> size() on null object (old) expression in mapping in inbound 
> expression for 
> {http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3}groups 
> in resource:Resource-ActiveDirectoryXXX(Active Directory XXX)
>
> The only difference is the namespace: you have suggested me 
> "ri:groups" but it isn't defined in ns instance-3; so I put 
> "icfs:groups". It could made the difference?
> Any other suggestion?
>
> Thanks in advance. Regards.
>
>   Fabio
>
> Da: "midPoint" midpoint-bounces at lists.evolveum.com
> A: midpoint at lists.evolveum.com
> Cc:
> Data: Thu, 3 Sep 2015 15:45:57 +0200
> Oggetto: Re: [midPoint] Help looping on Active Directory groups
>
> >
> > Hello Fabio,
> >
> > the problem is that you've put your script to *ri:title* attribute. 
> So (I think) that as an input you get the value of this attribute, 
> which is a string. The <source> declaration is not appropriate here.
> >
> > If you want to process ri:groups attribute, please put this mapping 
> under *ri:groups* attribute.
> > Also, use *<relativityMode>absolute</relativityMode>* (as a child of 
> <script>) in order to get all the values of ri:groups at once.
> > Remove the <source> part and refer to the input variable (now called 
> gruppi) simply as *input*.
> >
> > Hope this helps,
> > Pavol
> >
> >
>> >
>> > Hi,
>> > I have an Active Directory resource and I need to reconcile users. 
>> In populating a virtual user attribute I need to check if the 
>> corresponding AD account has a particular group assigned. This is a 
>> snippet of the resource xml:
>>
>> >
>> >
>> >                 <attribute>
>> > <c:ref>ri:title</c:ref>
>> > <displayName>Gruppi</displayName>
>> >                     <inbound>
>> > <source>
>> > <name>gruppi</name>
>> > <path>$shadow/attributes/groups</path>
>> > </source>
>> > <expression>
>> > <script>
>> >  <code>
>> >                                 def isdirettore = false
>> >                                 def n = gruppi.size()
>> >                                 for (def i = 0; i < n; i++) {
>> > def gruppo = gruppi.get(i)
>> > if (it =~ /^CN=.*_DIV.._DIR.*$/) {
>> >   isdirettore = true
>> >                                     }
>> >                                 }
>> > isdirettore
>> >  </code>
>> > </script>
>> > </expression>
>> > <target>
>> > <path>$user/extension/mise:organizzazione</path>
>> > </target>
>> >                     </inbound>
>> >                  </attribute>
>>
>> >
>> > I need to loop on assigned AD groups and I need to check the string 
>> format of each group using a regular expression. The problem is that 
>> in the variable named “gruppi” I have only a string and not an array 
>> or List. Do you have any ideas?
>>
>> >
>> > Thanks and regards.
>>
>> >
>> >   Fabio
>>
>> >
>> >
>> >
>> >
>> >
>> >
>> > --
>> > Fabio Contessi <f.contessi at nsr.it <mailto:f.contessi at nsr.it>>
>> >
>> > nova systems roma / nsr
>>
>> >
>>
>> >
>>
>>
>> >
>> > _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> >
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20150903/e4f7fecb/attachment.htm>

More information about the midPoint mailing list