[midPoint] Problem Unassigning LDAP Group Metarole
Ivan Noris
ivan.noris at evolveum.com
Thu Apr 7 09:43:15 CEST 2016
Hi Shawn,
Please, which version of midPoint and which version of the connector are you
using?
Thanks,
Ivan
On 04/06/2016 04:38 PM, Shawn McKinney wrote:
> Hello,
>
> I am following the unix story:
> https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/unix
>
> and have a problem unassigning ldap group (metaroles) from a user. When I pull up the user, select the group and unassign, it disappears from the console but the association remains in the corresponding LDAP group.
>
> Is there something more I have to do in order to make this op remove the member from the group?
>
> Thanks,
>
> Shawn
>
> Here is the config for the metarole:
> <role oid="9c6d1dbe-1a87-11e5-b107-001e8c717e5b"
>       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
>     <name>LDAP Group Metarole</name>
>
>     <inducement>
>         <description>LDAPGROUP-I</description>
>         <construction>
>             <description>LDAPGROUP-I</description>
>             <!-- OpenLDAP resource -->
>             <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="c:ResourceType"/>
>             <kind>entitlement</kind>
>             <intent>ldapGroup</intent>
>         </construction>
>     </inducement>
>
>     <inducement>
>         <description>LDAPGROUP-I2</description>
>         <construction>
>             <description>LDAPGROUP-I2</description>
>             <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="c:ResourceType"/>
>             <kind>account</kind>
>             <intent>default</intent>
>             <association>
>                 <ref>ri:ldapGroup</ref>
>                 <outbound>
>                     <expression>
>                         <associationFromLink>
>                             <projectionDiscriminator>
>                                 <kind>entitlement</kind>
>                                 <intent>ldapGroup</intent>
>                             </projectionDiscriminator>
>                         </associationFromLink>
>                     </expression>
>                 </outbound>
>             </association>
>         </construction>
>         <order>2</order>
>     </inducement>
>
> </role>
>
> ****
>
> And its config in the ldap resource:
>
> <association>
>     <ref>ri:ldapGroup</ref>
>     <displayName>LDAP Group Membership</displayName>
>     <kind>entitlement</kind>
>     <intent>ldapGroup</intent>
>     <direction>objectToSubject</direction>
>     <associationAttribute>ri:uniqueMember</associationAttribute>
>     <valueAttribute>ri:dn</valueAttribute>
>     <shortcutAssociationAttribute>ri:isMemberOf</shortcutAssociationAttribute>
>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>     <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
> </association>
>
> ...
>
> <objectType>
>     <kind>entitlement</kind>
>     <intent>ldapGroup</intent>
>     <displayName>LDAP Group</displayName>
>     <objectClass>ri:groupOfUniqueNames</objectClass>
>     <baseContext>
>         <objectClass>ri:organizationalUnit</objectClass>
>         <filter>
>             <q:equal>
>                 <q:path>attributes/dn</q:path>
>                 <q:value>ou=groups,dc=example,dc=com</q:value>
>             </q:equal>
>         </filter>
>     </baseContext>
>     <attribute>
>         <ref>ri:dn</ref>
>         <matchingRule>mr:stringIgnoreCase</matchingRule>
>         <outbound>
>             <source>
>                 <path>$focus/name</path>
>             </source>
>             <expression>
>                 <script>
>                     <code>
>                         import javax.naming.ldap.Rdn
>                         import javax.naming.ldap.LdapName
>
>                         dn = new LdapName('ou=groups,dc=example,dc=com')
>                         dn.add(new Rdn('cn', name.toString()))
>
>                         return dn.toString()
>                     </code>
>                 </script>
>             </expression>
>         </outbound>
>     </attribute>
>
>     <attribute>
>         <ref>ri:uniqueMember</ref>
>         <matchingRule>mr:stringIgnoreCase</matchingRule>
>         <outbound>
>             <strength>strong</strength>
>             <source>
>                 <path>$focus/name</path>
>             </source>
>             <expression>
>                 <script>
>                     <code>
>                         import javax.naming.ldap.Rdn
>                         import javax.naming.ldap.LdapName
>
>                         uniqueMember = new LdapName('ou=groups,dc=example,dc=com')
>                         uniqueMember.add(new Rdn('uid', 'foo1'))
>
>                         return uniqueMember.toString()
>                     </code>
>                 </script>
>             </expression>
>         </outbound>
>     </attribute>
>
>     <attribute>
>         <ref>ri:cn</ref>
>         <matchingRule>mr:stringIgnoreCase</matchingRule>
>         <outbound>
>             <strength>weak</strength>
>             <source>
>                 <path>$focus/name</path>
>             </source>
>         </outbound>
>     </attribute>
>     <attribute>
>         <ref>ri:description</ref>
>         <outbound>
>             <strength>strong</strength>
>             <source>
>                 <path>description</path>
>             </source>
>         </outbound>
>     </attribute>
> </objectType>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
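As an added example (not code from the thread or from midPoint), a check for the symptom Shawn describes: compare a user's remaining metarole assignments against an LDIF export of ou=groups and report every groupOfUniqueNames that still lists the user's DN in uniqueMember, i.e. access the user keeps after the unassign. It assumes the group DN convention and the case-insensitive (stringIgnoreCase) matching of the resource config above; the LDIF, the user alice and the role names are constructed.

```python
import re

GROUP_BASE = "ou=groups,dc=example,dc=com"  # baseContext of the ldapGroup object type

def normalize_dn(dn: str) -> str:
    # Case-fold and trim around RDN separators (stringIgnoreCase-style compare); escaped commas not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text: str) -> dict:
    # Minimal LDIF reader -> {normalized dn: {lowercased attr: [values]}}; no "::" base64, no folded lines.
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn:
            entries[normalize_dn(dn)] = attrs
    return entries

def stale_memberships(ldif_text: str, user_dn: str, assigned_roles) -> list:
    # Groups still carrying user_dn in uniqueMember although no assigned metarole maps to them
    # (group DN = cn=<role name>,<GROUP_BASE>, the same DN the ri:dn outbound mapping builds).
    expected = {normalize_dn(f"cn={r},{GROUP_BASE}") for r in assigned_roles}
    me = normalize_dn(user_dn)
    stale = []
    for dn, attrs in parse_ldif(ldif_text).items():
        classes = [v.lower() for v in attrs.get("objectclass", [])]
        members = {normalize_dn(m) for m in attrs.get("uniquemember", [])}
        if "groupofuniquenames" in classes and me in members and dn not in expected:
            stale.append(dn)
    return sorted(stale)

# Constructed sample export of ou=groups. uid=foo1 is the fixed value the resource's strong
# ri:uniqueMember mapping writes; alice has just been unassigned the "admins" metarole.
SAMPLE_LDIF = """
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=foo1,ou=groups,dc=example,dc=com
uniqueMember: UID=alice,OU=people,DC=example,DC=com

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=people,dc=example,dc=com
"""
```

Running `stale_memberships(SAMPLE_LDIF, "uid=alice,ou=people,dc=example,dc=com", ["developers"])` flags cn=admins as a membership that should have been removed.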