[midPoint] Group Synchronisation - Active Directory
Ivan Noris
ivan.noris at evolveum.com
Wed Apr 20 14:41:36 CEST 2016
Hi Martin,
ok, glad to hear that!
Ivan
On 04/20/2016 02:38 PM, Martin Herbert wrote:
> Hi Ivan,
>
> Thanks for some of the hints on this one ;) Got it all resolved now;
> realised the Live Sync job for the User accounts was not running.
>
> Thanks
> Martin
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Martin
> Herbert <martinh at tahzoo.com>
> Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Date: Wednesday, 20 April 2016 at 13:27
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Group Synchronisation - Active Directory
>
> Hi Ivan,
>
> OK so the association on the Group object type isn’t in the samples so
> not sure how that ended up in there, but yes we have been using the
> wizard. I have now got past the first error, however still not
> able to update the group by adding new users. The user association
> shows in the GUI, but as not present in AD and there are no errors.
>
> Association now shows as below for the User object type under schema
> handling.
>
> <association>
>     <c:ref>ri:group</c:ref>
>     <displayName>AD Group Membership</displayName>
>     <kind>entitlement</kind>
>     <intent>group</intent>
>     <direction>objectToSubject</direction>
>     <associationAttribute>ri:member</associationAttribute>
>     <valueAttribute>icfs:name</valueAttribute>
>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
> </association>
>
> With the group object type of below
>
> <objectType>
>     <kind>entitlement</kind>
>     <intent>group</intent>
>     <displayName>Default Group</displayName>
>     <default>true</default>
>     <objectClass>ri:CustomGroupObjectClass</objectClass>
>     <attribute>
>         <c:ref>ri:samAccountName</c:ref>
>         <tolerant>true</tolerant>
>         <exclusiveStrong>false</exclusiveStrong>
>         <outbound>
>             <authoritative>true</authoritative>
>             <exclusive>false</exclusive>
>             <strength>normal</strength>
>             <source>
>                 <c:path>$focus/name</c:path>
>             </source>
>         </outbound>
>         <inbound>
>             <authoritative>true</authoritative>
>             <exclusive>false</exclusive>
>             <strength>normal</strength>
>             <target>
>                 <c:path>$focus/name</c:path>
>             </target>
>         </inbound>
>     </attribute>
>     <attribute>
>         <c:ref>icfs:description</c:ref>
>         <tolerant>true</tolerant>
>         <exclusiveStrong>false</exclusiveStrong>
>         <outbound>
>             <authoritative>true</authoritative>
>             <exclusive>false</exclusive>
>             <strength>normal</strength>
>             <source>
>                 <c:path>$focus/description</c:path>
>             </source>
>         </outbound>
>         <inbound>
>             <authoritative>true</authoritative>
>             <exclusive>false</exclusive>
>             <strength>normal</strength>
>             <target>
>                 <c:path>$focus/description</c:path>
>             </target>
>         </inbound>
>     </attribute>
>     <attribute>
>         <c:ref>icfs:name</c:ref>
>         <displayName>Distinguished Name</displayName>
>         <tolerant>true</tolerant>
>         <exclusiveStrong>false</exclusiveStrong>
>         <outbound>
>             <authoritative>true</authoritative>
>             <exclusive>false</exclusive>
>             <strength>normal</strength>
>             <source>
>                 <c:path>$focus/name</c:path>
>             </source>
>             <expression>
>                 <script>
>                     <code>
>                         'cn='+name+',ou=Groups,ou=REDACTED'
>                     </code>
>                 </script>
>             </expression>
>         </outbound>
>     </attribute>
>     <attribute>
>         <c:ref>ri:cn</c:ref>
>         <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>         <tolerant>true</tolerant>
>         <exclusiveStrong>false</exclusiveStrong>
>         <outbound>
>             <authoritative>true</authoritative>
>             <exclusive>false</exclusive>
>             <strength>normal</strength>
>             <source>
>                 <c:path>$focus/name</c:path>
>             </source>
>         </outbound>
>         <inbound>
>             <authoritative>true</authoritative>
>             <exclusive>false</exclusive>
>             <strength>normal</strength>
>             <target>
>                 <c:path>$focus/name</c:path>
>             </target>
>         </inbound>
>     </attribute>
>
>
> Thanks
> Martin
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan Noris
> <ivan.noris at evolveum.com>
> Organization: Evolveum, s.r.o.
> Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Date: Wednesday, 20 April 2016 at 13:02
> To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Group Synchronisation - Active Directory
>
> Martin,
>
> according to this and the previous error, I'd say you are missing the
> <direction> element.
> Also <c:ref>.</c:ref> looks very strange. Was the resource created
> using the resource wizard?
>
> Please see sample in
> samples/resources/ad/ad-resource-groups-medusa-advanced.xml:
>
> <!-- This defines an association between user and groups he is a member of -->
> <association>
>     <ref>ri:group</ref>
>     <displayName>AD Group Membership</displayName>
>     <kind>entitlement</kind>
>     <intent>group</intent>
>     <direction>objectToSubject</direction>
>     <associationAttribute>ri:member</associationAttribute>
>     <valueAttribute>icfs:name</valueAttribute>
>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
> </association>
>
> I'm usually not using the wizard, but importing samples, so it might be
> that you've hit a bug in the wizard...
>
> Ivan
>
> On 04/20/2016 01:33 PM, Martin Herbert wrote:
>> Hi Ivan,
>>
>> Association element definition is below.
>>
>> <association>
>>     <c:ref>.</c:ref>
>>     <tolerant>true</tolerant>
>>     <exclusiveStrong>false</exclusiveStrong>
>>     <kind>entitlement</kind>
>>     <intent>group</intent>
>>     <associationAttribute>ri:member</associationAttribute>
>>     <valueAttribute>icfs:name</valueAttribute>
>>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>> </association>
>>
>> MidPoint version is 3.3 with AD 2012 R2
>>
>> Thanks
>> Martin
>>
>>
>> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
>> Ivan Noris <ivan.noris at evolveum.com>
>> Organization: Evolveum, s.r.o.
>> Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
>> Date: Wednesday, 20 April 2016 at 12:30
>> To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
>> Subject: Re: [midPoint] Group Synchronisation - Active Directory
>>
>> Hi,
>>
>> what is the association definition in the resource? (The
>> <association> container in schema handling).
>>
>> Regards,
>> Ivan
>>
>> On 04/20/2016 12:17 PM, Martin Herbert wrote:
>>> Hi Guys,
>>>
>>> Trying to get Group synchronisation working with Active Directory.
>>> So far have the group being created without issue, but modifying
>>> the group suspends the Live Sync task with the following error.
>>>
>>> Internal Error: Unknown entitlement direction null in association
>>> com.evolveum.midpoint.common.refinery.RefinedAssociationDefinition at 33244c2b
>>> in resource:bca287ee-054c-4cd4-b7e5-a1c5db470cea
>>>
>>> Any ideas what I’m doing wrong?
>>>
>>> Thanks
>>> Martin
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ing. Ivan Noris
>> Senior Identity Management Engineer & IDM Architect
>> evolveum.com evolveum.com/blog/
>> ___________________________________________________
>> "Semper ID(e)M Vix."
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
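
The first error in this thread ("Unknown entitlement direction null") came from an <association> with no <direction> element. The Python check below is an added example, not part of the original messages or of midPoint itself: it flags such definitions before a resource is imported. The namespace URIs in the sample are constructed stand-ins, and treating every element of the quoted sample association as required is an assumption.

```python
import xml.etree.ElementTree as ET

# The two direction values midPoint defines for an association.
VALID_DIRECTIONS = {"objectToSubject", "subjectToObject"}
# Assumption: every element of the sample association quoted above is required.
REQUIRED = ("ref", "kind", "intent", "direction", "associationAttribute", "valueAttribute")

# Constructed sample (stand-in namespace URIs): broken, then corrected definition.
SAMPLE = """<schemaHandling xmlns="urn:example:common" xmlns:c="urn:example:common"
    xmlns:ri="urn:example:ri" xmlns:icfs="urn:example:icfs">
  <association>
    <c:ref>.</c:ref>
    <kind>entitlement</kind>
    <intent>group</intent>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>icfs:name</valueAttribute>
  </association>
  <association>
    <c:ref>ri:group</c:ref>
    <kind>entitlement</kind>
    <intent>group</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>icfs:name</valueAttribute>
  </association>
</schemaHandling>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def lint_associations(xml_text):
    """Return a list of (association index, problem) tuples."""
    problems = []
    root = ET.fromstring(xml_text)
    assocs = [e for e in root.iter() if local(e.tag) == "association"]
    for i, assoc in enumerate(assocs):
        children = {local(c.tag): (c.text or "").strip() for c in assoc}
        for name in REQUIRED:
            if not children.get(name):
                problems.append((i, f"missing <{name}>"))
        direction = children.get("direction")
        if direction and direction not in VALID_DIRECTIONS:
            problems.append((i, f"unknown direction '{direction}'"))
        if children.get("ref") == ".":
            problems.append((i, "<ref> is '.', expected a name such as ri:group"))
    return problems

if __name__ == "__main__":
    for index, problem in lint_associations(SAMPLE):
        print(f"association #{index}: {problem}")
```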