[midPoint] Group Synchronisation - Active Directory
Martin Herbert
martinh at tahzoo.com
Wed Apr 20 14:27:54 CEST 2016
Hi Ivan,
OK, so the association on the Group object type isn't in the samples, so I'm not sure how that ended up in there, but yes, we have been using the wizard. I have now got past the first error; however, I am still not able to update the group by adding new users. The user association shows in the GUI, but as not present in AD, and there are no errors.
Association now shows as below for the User object type under schema handling.
<association>
<c:ref>ri:group</c:ref>
<displayName>AD Group Membership</displayName>
<kind>entitlement</kind>
<intent>group</intent>
<direction>objectToSubject</direction>
<associationAttribute>ri:member</associationAttribute>
<valueAttribute>icfs:name</valueAttribute>
<explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
With the group object type as below:
<objectType>
<kind>entitlement</kind>
<intent>group</intent>
<displayName>Default Group</displayName>
<default>true</default>
<objectClass>ri:CustomGroupObjectClass</objectClass>
<attribute>
<c:ref>ri:samAccountName</c:ref>
<tolerant>true</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<authoritative>true</authoritative>
<exclusive>false</exclusive>
<strength>normal</strength>
<source>
<c:path>$focus/name</c:path>
</source>
</outbound>
<inbound>
<authoritative>true</authoritative>
<exclusive>false</exclusive>
<strength>normal</strength>
<target>
<c:path>$focus/name</c:path>
</target>
</inbound>
</attribute>
<attribute>
<c:ref>icfs:description</c:ref>
<tolerant>true</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<authoritative>true</authoritative>
<exclusive>false</exclusive>
<strength>normal</strength>
<source>
<c:path>$focus/description</c:path>
</source>
</outbound>
<inbound>
<authoritative>true</authoritative>
<exclusive>false</exclusive>
<strength>normal</strength>
<target>
<c:path>$focus/description</c:path>
</target>
</inbound>
</attribute>
<attribute>
<c:ref>icfs:name</c:ref>
<displayName>Distinguished Name</displayName>
<tolerant>true</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<authoritative>true</authoritative>
<exclusive>false</exclusive>
<strength>normal</strength>
<source>
<c:path>$focus/name</c:path>
</source>
<expression>
<script>
<code>
'cn='+name+',ou=Groups,ou=REDACTED'
</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<c:ref>ri:cn</c:ref>
<matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
<tolerant>true</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<outbound>
<authoritative>true</authoritative>
<exclusive>false</exclusive>
<strength>normal</strength>
<source>
<c:path>$focus/name</c:path>
</source>
</outbound>
<inbound>
<authoritative>true</authoritative>
<exclusive>false</exclusive>
<strength>normal</strength>
<target>
<c:path>$focus/name</c:path>
</target>
</inbound>
</attribute>
Thanks
Martin
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan Noris <ivan.noris at evolveum.com>
Organization: Evolveum, s.r.o.
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
Date: Wednesday, 20 April 2016 at 13:02
To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Group Synchronisation - Active Directory
Martin,
according to this and the previous error, I'd say you are missing the <direction> element.
Also <c:ref>.</c:ref> looks very strange. Was the resource created using the resource wizard?
Please see sample in samples/resources/ad/ad-resource-groups-medusa-advanced.xml:
<!-- This defines an association between user and groups he is a member of -->
<association>
<ref>ri:group</ref>
<displayName>AD Group Membership</displayName>
<kind>entitlement</kind>
<intent>group</intent>
<direction>objectToSubject</direction>
<associationAttribute>ri:member</associationAttribute>
<valueAttribute>icfs:name</valueAttribute>
<explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
I'm usually not using the wizard, but importing samples, so it might be you've hit a bug in the wizard...
Ivan
On 04/20/2016 01:33 PM, Martin Herbert wrote:
Hi Ivan,
Association element definition is below.
<association>
<c:ref>.</c:ref>
<tolerant>true</tolerant>
<exclusiveStrong>false</exclusiveStrong>
<kind>entitlement</kind>
<intent>group</intent>
<associationAttribute>ri:member</associationAttribute>
<valueAttribute>icfs:name</valueAttribute>
<explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
MidPoint version is 3.3 with AD 2012 R2
Thanks
Martin
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan Noris <ivan.noris at evolveum.com>
Organization: Evolveum, s.r.o.
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
Date: Wednesday, 20 April 2016 at 12:30
To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Group Synchronisation - Active Directory
Hi,
what is the association definition in the resource? (The <association> container in schema handling).
Regards,
Ivan
On 04/20/2016 12:17 PM, Martin Herbert wrote:
Hi Guys,
Trying to get Group synchronisation working with Active Directory. So far I have the group being created without issue, but modifying the group suspends the Live Sync task with the following error.
Internal Error: Unknown entitlement direction null in association com.evolveum.midpoint.common.refinery.RefinedAssociationDefinition@33244c2b in resource:bca287ee-054c-4cd4-b7e5-a1c5db470cea
Any ideas what I'm doing wrong?
Thanks
Martin
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
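An added example, not part of this thread and not midPoint's own code: a small Python check that parses a resource's schemaHandling and flags the two configuration problems discussed above, a missing <direction> element (which surfaced as "Unknown entitlement direction null" and suspended the Live Sync task) and a meaningless <c:ref>.</c:ref>, and also verifies that the entitlement objectType an association points to (by kind and intent) is actually defined. The sample resource embedded below is constructed for this example; its element names follow the fragments quoted in the thread, while the namespace URIs and the account/default fallbacks for kind and intent are assumptions.

```python
"""Sanity-check <association> definitions in a midPoint resource (example, not midPoint code)."""
import xml.etree.ElementTree as ET

VALID_DIRECTIONS = {"objectToSubject", "subjectToObject"}
REQUIRED = ("kind", "intent", "associationAttribute", "valueAttribute")

# Constructed sample resource. Namespace URIs are assumed for this example; the
# default namespace and the c: prefix point at the same URI, as in real resource
# files, so <ref> and <c:ref> are the same element.
SAMPLE_RESOURCE = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <objectClass>ri:AccountObjectClass</objectClass>
      <association>
        <c:ref>ri:group</c:ref>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>icfs:name</valueAttribute>
      </association>
      <association>
        <c:ref>.</c:ref>
        <kind>entitlement</kind>
        <intent>group</intent>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>icfs:name</valueAttribute>
      </association>
      <association>
        <c:ref>ri:missing</c:ref>
        <kind>entitlement</kind>
        <intent>nosuchintent</intent>
        <direction>sideways</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>icfs:name</valueAttribute>
      </association>
    </objectType>
    <objectType>
      <kind>entitlement</kind>
      <intent>group</intent>
      <objectClass>ri:CustomGroupObjectClass</objectClass>
    </objectType>
  </schemaHandling>
</resource>"""


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    """Text of the first direct child with the given local name, or None if absent."""
    for e in elem:
        if local(e.tag) == name:
            return (e.text or "").strip()
    return None


def check_association(assoc):
    """Return a list of human-readable problems for one <association> element."""
    problems = []
    ref = child_text(assoc, "ref")
    if not ref or ref == ".":
        problems.append("ref is missing or bogus (expected e.g. ri:group)")
    direction = child_text(assoc, "direction")
    if direction is None:
        problems.append("direction element is missing")
    elif direction not in VALID_DIRECTIONS:
        problems.append(f"direction '{direction}' is not one of {sorted(VALID_DIRECTIONS)}")
    for name in REQUIRED:
        if child_text(assoc, name) is None:
            problems.append(f"{name} element is missing")
    return problems


def check_schema_handling(xml_text):
    """Map each association (by its ref, or a positional label) to its list of problems."""
    root = ET.fromstring(xml_text)
    object_types = [e for e in root.iter() if local(e.tag) == "objectType"]
    # (kind, intent) pairs that exist; the account/default fallbacks are assumed defaults
    defined = {
        (child_text(ot, "kind") or "account", child_text(ot, "intent") or "default")
        for ot in object_types
    }
    findings = {}
    for ot in object_types:
        for i, assoc in enumerate(e for e in ot if local(e.tag) == "association"):
            label = child_text(assoc, "ref") or f"association#{i}"
            problems = check_association(assoc)
            target = (child_text(assoc, "kind"), child_text(assoc, "intent"))
            if target not in defined:
                problems.append(f"no objectType with kind={target[0]} intent={target[1]}")
            findings[label] = problems
    return findings


if __name__ == "__main__":
    for label, problems in check_schema_handling(SAMPLE_RESOURCE).items():
        print(label, "OK" if not problems else problems)
```

Run against a real resource export (`check_schema_handling(open("resource.xml").read())`) before importing it: the first association in the sample passes, the second reproduces the thread's original definition and is reported for both the bogus ref and the missing direction, and the third shows how an invalid direction value and a dangling kind/intent are caught.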