[midPoint] Problem creating new users with their role assignments
Ivan Noris
ivan.noris at evolveum.com
Thu Apr 7 16:25:25 CEST 2016
Well, this is strange: I had a problem and it disappeared during
testing... ;-)
The only thing I had to do was create the
ou=unixgroups,dc=example,dc=com container.
Anyway. I used the (adapted for OpenLDAP) resource, and also imported
the sequences and then role-unix.xml and role-meta-unix-group2.xml.
I wanted to specifically test if the role-meta-unix-group2.xml metarole
works, because the object in test scenario is from our real deployment
where it works.
So, I tested it and it worked. Then I tried to use Unix User role
instead and it also worked.
I tried various combinations starting with creating user, where the
following attributes were filled:
- name
- givenName
- familyName
- fullName
- password
And assigned the roles Unix User and two previously created LDAP roles
shawnrole1-331 and shawnrole2-331. Then I saved the user.
The LDAP account was created and put into the groups cn=shawnrole1-331,...
and cn=shawnrole2-331,..., and the posixAccount attributes were also set
(from the Unix User role). Everything worked.
After that I tried to unassign some of the roles and everything worked.
I also tried to utilize LDAP Unix Group Metarole 2 instead of the Unix User
role. I created two roles in midPoint (shawnunix1-331 and
shawnunix2-331) and assigned LDAP Unix Group Metarole 2 to them. The
Unix (posixGroup) groups were created in ou=unixgroups,dc=example,dc=com.
Then I assigned the shawnunix1-331/shawnunix2-331 roles to the user
with/without the normal LDAP roles, and the user was correctly put into the
standard groups as well as the posixGroups.
So overall, the only real changes in the OpenDJ -> OpenLDAP resource, apart
from the connection parameters, were:
1) I removed all inbound mappings
2) <association> was changed as below:
<association>
<ref>ri:ldapGroup</ref>
+ <matchingRule>mr:stringIgnoreCase</matchingRule>
<displayName>LDAP Group Membership</displayName>
<kind>entitlement</kind>
<intent>ldapGroup</intent>
<direction>objectToSubject</direction>
<associationAttribute>ri:uniqueMember</associationAttribute>
<valueAttribute>ri:dn</valueAttribute>
+<!--
<shortcutAssociationAttribute>ri:isMemberOf</shortcutAssociationAttribute>
<shortcutValueAttribute>ri:dn</shortcutValueAttribute>
+-->
<explicitReferentialIntegrity>true</explicitReferentialIntegrity>
</association>
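Review bot: the ldapGroup association compares uniqueMember values, which are DNs, with mr:stringIgnoreCase, while the uniqueMember attribute mapping added in change 4 uses mr:distinguishedName; the two should agree, and mr:distinguishedName is the better fit for DN values since it normalises the DN rather than only folding case. The commented-out shortcut attributes are fine to keep while isMemberOf is unavailable on OpenLDAP, but a one-line comment saying why they are disabled would help the next reader.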
<association>
<ref>ri:unixGroup</ref>
+ <matchingRule>mr:stringIgnoreCase</matchingRule>
<displayName>UNIX Group Membership</displayName>
<auxiliaryObjectClass>posixAccount</auxiliaryObjectClass> <!-- Strictly
speaking should be ri:posixAccount. but it also should work without
namespace prefix. -->
<kind>entitlement</kind>
<intent>unixGroup</intent>
<direction>objectToSubject</direction>
<associationAttribute>ri:memberUid</associationAttribute>
- <valueAttribute>ri:uidNumber</valueAttribute>
+ <valueAttribute>ri:uid</valueAttribute>
+<!-- <valueAttribute>ri:uidNumber</valueAttribute>-->
<explicitReferentialIntegrity>true</explicitReferentialIntegrity>
</association>
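Review bot: changing valueAttribute from ri:uidNumber to ri:uid is the right fix, because posixGroup.memberUid holds login names, not numeric ids; rather than leaving the old value in `<!-- <valueAttribute>ri:uidNumber</valueAttribute>-->`, drop it so the resource does not carry a dead alternative. The inline comment itself says `<auxiliaryObjectClass>` should strictly be ri:posixAccount, so use the prefixed form instead of relying on the unprefixed one resolving.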
3) I removed <activation> mapping.
4) I added attribute ri:uniqueMember mapping for ldapGroups:
+ <ref>ri:uniqueMember</ref>
+
<matchingRule>mr:distinguishedName</matchingRule>
+ <outbound>
+ <strength>strong</strength>
+ <expression>
+ <value>cn=dummy,dc=example,dc=com</value>
+ </expression>
+ </outbound>
+ </attribute>
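Review bot: the fragment ends with `</attribute>` but no opening `<attribute>` line is shown, and the `<matchingRule>mr:distinguishedName</matchingRule>` line has been separated from its `+` marker; if that is more than a paste artefact the resource definition will not parse. Also, a strong outbound mapping with the constant `cn=dummy,dc=example,dc=com` means every group midPoint creates gets this placeholder member (presumably to satisfy the mandatory uniqueMember of groupOfUniqueNames); a comment in the resource stating that purpose would save others from "fixing" it.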
5) maybe the most important change: entitlement/unixGroup must have the
objectClass as follows:
<objectType>
<kind>entitlement</kind>
<intent>unixGroup</intent>
<displayName>UNIX Group</displayName>
<objectClass>ri:posixGroup</objectClass>
So overall, after those changes the scenarios work just fine in the
upcoming 3.3.1 release. (git-v3.3support-72-g760e30a)
Best regards,
Ivan
On 04/06/2016 04:47 PM, Shawn McKinney wrote:
> Hello,
>
> I am following this story:
> https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/unix
>
> and have managed to get the OpenLDAP resource, unix user and ldap group (metarole) working. My problem is when I create a new user. I can create and add an OpenLDAP projection at same time and everything works as expected with user being added to both midpoint database and openldap. But when I try to also assign either the unix user &/or ldap group ‘roles’ at same time, I get this error in the console when I save:
>
> Warning: Property for 'pageFocus.message.cantCreateFocus' not found]
> operation.com.evolveum.midpoint.web.page.admin.PageAdminFocus.save
> Cause: No prism context in ObjectDelta(ShadowType:null,ADD: object:null(null))
>
> I also noticed the following in IDM.log:
>
> 2016-04-06 14:44:50,965 [] [http-nio-8080-exec-6] ERROR (com.evolveum.midpoint.web.page.admin.PageAdminFocus): Create user failed, reason: No prism context in ObjectDelta(ShadowType:null,ADD: object:null(null)) (class java.lang.IllegalStateException)
>
> Is this type of combined user create operation supported, and if so what am I doing wrong here?
>
> Thanks,
>
> Shawn
>
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
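An offline referential-integrity check for the two memberships these associations maintain, added here as example code (it is neither midPoint's code nor from either poster); it assumes a constructed LDIF dump embedded below and approximates the two matching rules with simple normalisation: DN comparison for uniqueMember, case-insensitive comparison of memberUid against posixAccount uid values, which is why a uidNumber stored in memberUid shows up as dangling.

```python
import re

# Constructed sample LDIF (not from the thread): one posixAccount, one LDAP group, one posixGroup.
SAMPLE_LDIF = """\
dn: uid=shawn,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: shawn
uidNumber: 1001

dn: cn=shawnrole1-331,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=dummy,dc=example,dc=com
uniqueMember: UID=Shawn, OU=People, DC=example, DC=com

dn: cn=shawnunix1-331,ou=unixgroups,dc=example,dc=com
objectClass: posixGroup
memberUid: Shawn
memberUid: 1001
"""

def parse_ldif(text):
    """Minimal LDIF parser (no continuation lines, no base64) -> [(dn, attrs)]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append((attrs["dn"][0], attrs))
    return entries

def normalize_dn(dn):
    """Approximates mr:distinguishedName: case-fold and drop spaces around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def check_memberships(ldif_text):
    """Return (group_dn, attribute, value) for every member reference that resolves to nothing."""
    entries = parse_ldif(ldif_text)
    known_dns = {normalize_dn(dn) for dn, _ in entries}
    known_uids = {u.lower() for _, a in entries
                  if "posixaccount" in {c.lower() for c in a.get("objectclass", [])}
                  for u in a.get("uid", [])}
    # (group objectClass, member attribute, comparison, valid targets): DN matching for
    # uniqueMember, case-insensitive string matching (mr:stringIgnoreCase) for memberUid.
    rules = (("groupofuniquenames", "uniqueMember", normalize_dn, known_dns),
             ("posixgroup", "memberUid", str.lower, known_uids))
    problems = []
    for dn, attrs in entries:
        for cls, attr, norm, known in rules:
            if cls in {c.lower() for c in attrs.get("objectclass", [])}:
                problems.extend((dn, attr, v) for v in attrs.get(attr.lower(), [])
                                if norm(v) not in known)
    return problems
```

Run against a real LDIF export (ldapsearch -LLL output without wrapped lines) it lists every group member that midPoint's explicitReferentialIntegrity would have to clean up.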