[midPoint] Help looping on Active Directory groups
f.contessi
f.contessi at nsr.it
Thu Sep 3 17:19:26 CEST 2015
Ok, I've resolved. The expression is evaluated two times: I've protected the script from null input and the second time (with new value) it works!
<attribute>
<ref>icfs:groups</ref>
<displayName>Gruppi</displayName>
<inbound>
<expression>
<script>
<relativityMode>absolute</relativityMode>
<code>
if (input != null) {
def isdirettore = false
input.eachWithIndex { gruppo, index ->
if (gruppo =~ /^.*_DIR,OU=.*$/) {
isdirettore = true
}
}
isdirettore
}
</code>
</script>
</expression>
<target>
<path>$user/extension/mise:isDirettore</path>
</target>
</inbound>
</attribute>
Thanks a lot.
Fabio
Da: "midPoint" midpoint-bounces at lists.evolveum.com
A: midpoint at lists.evolveum.com
Cc:
Data: Thu, 3 Sep 2015 16:48:16 +0200
Oggetto: Re: [midPoint] Help looping on Active Directory groups
>
> Fabio,
>
>
you're right: it's icfs:groups, not ri:groups (sorry for that).
>
>
The error you're experiencing is caused by the fact that midPoint
evaluates not only the current value of attribute, but also a
change in that value. So, sometimes it needs to take the old
attribute value (which is null in this case, because - at least I
am convinced so - midPoint considers the account as being newly
created in this particular case) and execute the provided script
on it.
>
>
So you should just assume that input might be null, and treat is
just like an empty array.
>
>
See also http://lists.evolveum.com/pipermail/midpoint/2015-August/001292.html
>
>
Best regards,
>
Pavol
>
>
>
>
> Hi Pavol,
> thanks for your suggestions. Now, I have modified the xml
code for attribute on the AD resource:
>
>
> <attribute>
> <ref>icfs:groups</ref>
>
<displayName>Gruppi</displayName>
> <inbound>
> <expression>
> <script>
>
<relativityMode>absolute</relativityMode>
> <code>
>
def isdirettore = false
> def n = input.size()
>
for (def i = 0; i < n; i++)
{
> def gruppo =
input.get(i)
>
if (it =~
/^CN=.*_DIV.._DIR.*$/) {
>
isdirettore = true
> }
> }
> isdirettore
> </code>
> </script>
> </expression>
> <target>
>
<path>$user/extension/mise:organizzazione</path>
> </target>
> </inbound>
> </attribute>
>
>
> But I have the "input" variable null, as I can see from
idm.log:
>
>
> ERROR (com.evolveum.midpoint.model.common.expression.script.ScriptExpression):
Expression error: java.lang.NullPointerException: Cannot
invoke method size() on null object (old)
expression in mapping in inbound expression for
{http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3}groups
in resource:Resource-ActiveDirectoryXXX(Active Directory
XXX)
>
> The only difference is the namespace: you have suggested
me "ri:groups" but it isn't defined in ns instance-3; so I
put "icfs:groups". It could made the difference?
> Any other suggestion?
>
> Thanks in advance. Regards.
>
> Fabio
>
> Da:
"midPoint" midpoint-bounces at lists.evolveum.com
> A:
midpoint at lists.evolveum.com
> Cc:
> Data: Thu, 3
Sep 2015 15:45:57 +0200
> Oggetto: Re: [midPoint] Help looping on Active
Directory groups
>
> >
> > Hello Fabio,
>
>
>
> the problem is that you've put your script to ri:title
attribute. So (I think) that as an input you get the value
of this attribute, which is a string. The <source>
declaration is not appropriate here.
>
>
>
> If you want to process ri:groups attribute, please
put this mapping under ri:groups attribute.
>
> Also, use <relativityMode>absolute</relativityMode>
(as a child of <script>) in order to get all the
values of ri:groups at once.
>
> Remove the <source> part and refer to the input
variable (now called gruppi) simply as input.
>
>
>
> Hope this helps,
>
> Pavol
>
>
>
>
> >
> > Hi,
> > I have an Active Directory resource
and I need to reconcile users. In populating a virtual
user attribute I need to check if the corresponding AD
account has a particular group assigned. This is a
snippet of the resource xml:
>
>
> >
> > <attribute>
> >
<c:ref>ri:title</c:ref>
> >
<displayName>Gruppi</displayName>
> > <inbound>
> >
<source>
> >
<name>gruppi</name>
> >
<path>$shadow/attributes/groups</path>
> >
</source>
> >
<expression>
> >
<script>
> >
<code>
> > def
isdirettore = false
> > def n
= gruppi.size()
> > for
(def i = 0; i < n; i++) {
> >
def gruppo = gruppi.get(i)
> >
if (it =~ /^CN=.*_DIV.._DIR.*$/) {
> >
isdirettore = true
> > }
> > }
> >
isdirettore
> >
</code>
> >
</script>
> >
</expression>
> >
<target>
> >
<path>$user/extension/mise:organizzazione</path>
> >
</target>
> > </inbound>
> > </attribute>
>
>
> > I need to loop on assigned AD
groups and I need to check the string format of each
group using a regular expression. The problem is that in
the variable named “gruppi” I have only a string and not
an array or List. Do you have any ideas?
>
>
> > Thanks and regards.
>
>
> > Fabio
>
>
> >
> >
> >
> >
> >
> > --
>
> Fabio Contessi
<f.contessi at nsr.it>
>
>
>
> nova systems roma
/ nsr
>
>
>
>
>
>
> > _______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20150903/d37692d7/attachment.htm>
More information about the midPoint
mailing list