[midPoint] Help looping on Active Directory groups

f.contessi f.contessi at nsr.it
Thu Sep 3 17:19:26 CEST 2015


OK, I've resolved it. The expression is evaluated two times: I've protected the script from null input and the second time (with the new value) it works!


                <attribute>
                    <ref>icfs:groups</ref>
                    <displayName>Gruppi</displayName>
                    <inbound>
                        <expression>
                          <script>
                            <relativityMode>absolute</relativityMode>
                            <code>
                                // input is null when midPoint evaluates the old value
                                if (input != null) {
                                    def isdirettore = false
                                    // absolute mode: input holds all group values at once
                                    input.eachWithIndex { gruppo, index ->
                                        if (gruppo =~ /^.*_DIR,OU=.*$/) {
                                            isdirettore = true
                                        }
                                    }
                                    isdirettore
                                }
                            </code>
                          </script>
                        </expression>
                        <target>
                            <path>$user/extension/mise:isDirettore</path>
                        </target>
                    </inbound>
                </attribute>


Thanks a lot.


  Fabio
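
Added example, not part of the original message and not midPoint's own code: a null-safe Groovy variant of the group check discussed in this thread. The helper name `isDirettore` and the sample DNs are assumptions; it goes beyond the posted regex by parsing each DN and testing only the group's own CN, so `_DIR` in a parent OU does not set the flag.

```groovy
import javax.naming.InvalidNameException
import javax.naming.ldap.LdapName

// Hypothetical helper (name is an assumption): true when any group DN has a
// leaf CN whose value ends in "_DIR".
boolean isDirettore(Collection input) {
    // midPoint may also evaluate the mapping on the old value, which is null
    // for an account it considers newly created: treat null as an empty list.
    return (input ?: []).any { dn ->
        try {
            def rdns = new LdapName(dn.toString()).rdns
            if (rdns.isEmpty()) {
                return false
            }
            // LdapName orders RDNs root-first, so the last one is the leaf CN.
            def leaf = rdns.last()
            return leaf.type.equalsIgnoreCase('CN') &&
                   leaf.value.toString().endsWith('_DIR')
        } catch (InvalidNameException ignored) {
            return false   // malformed DN: never counts as a match
        }
    }
}

// Constructed sample DNs, not taken from the thread.
def groups = [
    'CN=SALES_DIV01_DIR,OU=Groups,DC=example,DC=com',
    'CN=Staff,OU=Groups,DC=example,DC=com'
]

assert !isDirettore(null)     // first evaluation: old value is null
assert !isDirettore([])       // no group memberships
assert isDirettore(groups)    // second evaluation: new value
// "_DIR" only in a parent OU must not match the leaf-CN check.
assert !isDirettore(['CN=Staff,OU=HQ_DIR,OU=Groups,DC=example,DC=com'])
```

Inside the mapping's `<code>` element the body would end with `isDirettore(input)`, with `<relativityMode>absolute</relativityMode>` still set so that `input` carries all group values.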



From: "midPoint" midpoint-bounces at lists.evolveum.com
To: midpoint at lists.evolveum.com
Cc:
Date: Thu, 3 Sep 2015 16:48:16 +0200
Subject: Re: [midPoint] Help looping on Active Directory groups

> Fabio,
>
> you're right: it's icfs:groups, not ri:groups (sorry for that).
>
> The error you're experiencing is caused by the fact that midPoint
> evaluates not only the current value of the attribute, but also a
> change in that value. So, sometimes it needs to take the old
> attribute value (which is null in this case, because - at least I
> am convinced so - midPoint considers the account as being newly
> created in this particular case) and execute the provided script
> on it.
>
> So you should just assume that input might be null, and treat it
> just like an empty array.
>
> See also http://lists.evolveum.com/pipermail/midpoint/2015-August/001292.html
>
> Best regards,
> Pavol
>
> > Hi Pavol,
> > thanks for your suggestions. Now, I have modified the XML code for
> > the attribute on the AD resource:
> >
> >     <attribute>
> >         <ref>icfs:groups</ref>
> >         <displayName>Gruppi</displayName>
> >         <inbound>
> >             <expression>
> >               <script>
> >                 <relativityMode>absolute</relativityMode>
> >                 <code>
> >                     def isdirettore = false
> >                     def n = input.size()
> >                     for (def i = 0; i < n; i++) {
> >                         def gruppo = input.get(i)
> >                         if (it =~ /^CN=.*_DIV.._DIR.*$/) {
> >                             isdirettore = true
> >                         }
> >                     }
> >                     isdirettore
> >                 </code>
> >               </script>
> >             </expression>
> >             <target>
> >                 <path>$user/extension/mise:organizzazione</path>
> >             </target>
> >         </inbound>
> >     </attribute>
> >
> > But I have the "input" variable null, as I can see from idm.log:
> >
> > ERROR (com.evolveum.midpoint.model.common.expression.script.ScriptExpression):
> > Expression error: java.lang.NullPointerException: Cannot
> > invoke method size() on null object (old)
> > expression in mapping in inbound expression for
> > {http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3}groups
> > in resource:Resource-ActiveDirectoryXXX(Active Directory
> > XXX)
> >
> > The only difference is the namespace: you suggested "ri:groups" to
> > me, but it isn't defined in ns instance-3; so I put "icfs:groups".
> > Could it make a difference?
> > Any other suggestion?
> >
> > Thanks in advance. Regards.
> >
> >   Fabio
> >
> > From: "midPoint" midpoint-bounces at lists.evolveum.com
> > To: midpoint at lists.evolveum.com
> > Cc:
> > Date: Thu, 3 Sep 2015 15:45:57 +0200
> > Subject: Re: [midPoint] Help looping on Active Directory groups
> >
> > > Hello Fabio,
> > >
> > > the problem is that you've put your script to ri:title
> > > attribute. So (I think) that as an input you get the value
> > > of this attribute, which is a string. The <source>
> > > declaration is not appropriate here.
> > >
> > > If you want to process ri:groups attribute, please
> > > put this mapping under ri:groups attribute.
> > > Also, use <relativityMode>absolute</relativityMode>
> > > (as a child of <script>) in order to get all the
> > > values of ri:groups at once.
> > > Remove the <source> part and refer to the input
> > > variable (now called gruppi) simply as input.
> > >
> > > Hope this helps,
> > > Pavol
> > >
> > > > Hi,
> > > > I have an Active Directory resource and I need to reconcile
> > > > users. In populating a virtual user attribute I need to check if
> > > > the corresponding AD account has a particular group assigned.
> > > > This is a snippet of the resource xml:
> > > >
> > > >     <attribute>
> > > >         <c:ref>ri:title</c:ref>
> > > >         <displayName>Gruppi</displayName>
> > > >         <inbound>
> > > >             <source>
> > > >                 <name>gruppi</name>
> > > >                 <path>$shadow/attributes/groups</path>
> > > >             </source>
> > > >             <expression>
> > > >               <script>
> > > >                 <code>
> > > >                     def isdirettore = false
> > > >                     def n = gruppi.size()
> > > >                     for (def i = 0; i < n; i++) {
> > > >                         def gruppo = gruppi.get(i)
> > > >                         if (it =~ /^CN=.*_DIV.._DIR.*$/) {
> > > >                             isdirettore = true
> > > >                         }
> > > >                     }
> > > >                     isdirettore
> > > >                 </code>
> > > >               </script>
> > > >             </expression>
> > > >             <target>
> > > >                 <path>$user/extension/mise:organizzazione</path>
> > > >             </target>
> > > >         </inbound>
> > > >     </attribute>
> > > >
> > > > I need to loop on assigned AD groups and I need to check the
> > > > string format of each group using a regular expression. The
> > > > problem is that in the variable named “gruppi” I have only a
> > > > string and not an array or List. Do you have any ideas?
> > > >
> > > > Thanks and regards.
> > > >
> > > >   Fabio
> > > >
> > > > --
> > > > Fabio Contessi <f.contessi at nsr.it>
> > > >
> > > > nova systems roma / nsr
> > > >
> > > > _______________________________________________
> > > > midPoint mailing list
> > > > midPoint at lists.evolveum.com
> > > > http://lists.evolveum.com/mailman/listinfo/midpoint