[midPoint] Discovering Custom objectClasses

Pavol Mederly pavol.mederly at evolveum.com
Fri Aug 19 20:04:46 CEST 2016


Matt, 

as for your second question, 



Also, my resource XML that I edit and put in my source control system.... Is there a place to put that in midpoint.home that gets imported automatically (midpoint.home/import)? Or do I need to manually import that every time I make a change to it? 



We do not recommend such an auto-import feature, although it could be implemented quite easily. We prefer importing the resource after a change instead. It is not necessary to do that via the GUI, however. You could prepare simple scripts that would do the same; an example is this one:

curl.exe --user administrator:5ecr3t -H "Content-Type: application/xml" -X PUT http://localhost:8080/midpoint/ws/rest/resources/ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2 -d @resource.xml -v

Note that ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2 is the OID of the object to be imported or re-imported. (And, as of 3.4, it has to be present also in the resource.xml file that is being imported: in the oid attribute of the resource object.)

I'd suggest creating a simple .bat (.sh) file containing the above command and invoking it after you make a change in the resource XML file. 

Also, if time permits, we hope to prepare an Eclipse plugin that would allow uploading such XML files at the click of a key. (See MID-3358.)

Best regards, 
Pavol 
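
The re-import step described in this message, as an added shell example that is not part of the original post: it reads the OID from the oid attribute of resource.xml, so the URL and the file cannot disagree, and takes the credentials from a netrc file instead of the command line. MIDPOINT_URL, MIDPOINT_NETRC, the function names and the sample document are assumptions made for the example; the endpoint and Content-Type are the ones from the curl command above.

```shell
#!/bin/sh
# Added example: re-import a midPoint resource over REST after editing its XML.
# MIDPOINT_URL and MIDPOINT_NETRC are hypothetical variable names for this script.

# Constructed sample input; only the <resource> start tag matters here.
sample_resource() {
    printf '%s\n' '<?xml version="1.0"?>' \
        '<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"' \
        '          oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2">' \
        '  <name>Constructed sample</name>' \
        '</resource>'
}

# Print the oid attribute of the first <resource> (or <prefix:resource>) start
# tag. Assumes a double-quoted attribute; prints nothing when it is absent.
resource_oid() {
    tr '\n' ' ' < "$1" |
        grep -o '<[A-Za-z0-9_:]*resource[[:space:]][^>]*>' | head -n 1 |
        grep -o '[[:space:]]oid="[^"]*"' | head -n 1 | cut -d'"' -f2
}

# The OID becomes a URL path segment, so accept only letters, digits and '-'.
is_safe_oid() {
    case $1 in
        '' | *[!A-Za-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

import_resource() {
    file=$1
    base=${MIDPOINT_URL:-http://localhost:8080/midpoint}
    oid=$(resource_oid "$file")
    if ! is_safe_oid "$oid"; then
        echo "refusing to import $file: no usable oid on <resource>" >&2
        return 2
    fi
    # --netrc-file keeps the password out of the process list and shell history;
    # --data-binary sends the file unmodified; --fail makes HTTP errors exit non-zero.
    curl --fail --silent --show-error \
        --netrc-file "${MIDPOINT_NETRC:-$HOME/.netrc}" \
        -H "Content-Type: application/xml" \
        -X PUT "$base/ws/rest/resources/$oid" \
        --data-binary "@$file"
}

# Usage: ./import-resource.sh resource.xml
if [ "$#" -gt 0 ]; then import_resource "$1"; fi
```

The netrc file needs a "machine localhost login ... password ..." entry and should be readable only by the account that runs the script.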

----- Original Message -----

From: "Jason Everling" <jeverling at bshp.edu> 
To: "midPoint General Discussion" <midpoint at lists.evolveum.com> 
Sent: Friday, August 19, 2016 6:49:15 PM 
Subject: Re: [midPoint] Discovering Custom objectClasses 

I can answer the first question, 2 options, taken from ours,

Add a protected section for everything you do not want to sync, 
https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-localhost-resource-sync-advanced.xml#L309 

<protected>
    <filter>
        <q:substring xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
            <q:matching>stringIgnoreCase</q:matching>
            <q:path>attributes/name</q:path>
            <q:value>OU=TEMPLATE,DC=TEST,DC=LOCAL</q:value>
            <q:anchorEnd>true</q:anchorEnd>
        </q:substring>
    </filter>
</protected>


You could also instead add into the objectSynchronization section. Not necessarily based on a query but more of specific attribute values. In the below (..... ....... 'info') is the AD attribute and values are mpSecurity or mpDistribution. This keeps midPoint from syncing all AD groups and only the ones we want to sync.

<objectSynchronization>
    <objectClass>ri:CustomGroupObjectClass</objectClass>
    <kind>entitlement</kind>
    <intent>group</intent>
    <focusType>c:RoleType</focusType>
    <enabled>true</enabled>
    <!-- Only Sync Groups from AD that have info set as either "mpSecurity" or "mpDistribution" -->
    <condition>
        <script>
            <code>
                tmp = basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'info');
                return (tmp == 'mpSecurity' || tmp == 'mpDistribution')
            </code>
        </script>
    </condition>


JASON 

On Fri, Aug 19, 2016 at 11:35 AM, Mencel, Matt < mr-mencel at wiu.edu > wrote: 

<blockquote>

OK. I think it's correct in the XML. It's just throwing the warning in the UI. I'll try a sync and see how it goes. 

Is there a way to specify an LDAP query for the sync/import? I just want to sync for example my department '(&(objectClass=person)(department=IT))' during testing, rather than every user object in my LDAP directory. 


Also, my resource XML that I edit and put in my source control system.... Is there a place to put that in midpoint.home that gets imported automatically (midpoint.home/import)? Or do I need to manually import that every time I make a change to it? 

Thanks for being patient with my questions... 

Matt 


On Fri, Aug 19, 2016 at 11:22 AM, Pavol Mederly < pavol.mederly at evolveum.com > wrote: 

<blockquote>

Hello Matt, 

I'm afraid that the resource wizard maybe does not work 100% correctly with auxiliary classes. At least I haven't tested it in this way when preparing it for 3.4 release. I've now created MID-3359 for it. 

For the time being, I'd recommend setting schemaHandling for that particular attribute by hand (via XML editor). 

Best regards, 
Pavol 


From: "Matt Mencel" < mr-mencel at wiu.edu > 
To: "midPoint General Discussion" < midpoint at lists.evolveum.com > 
Sent: Friday, August 19, 2016 6:11:13 PM 
Subject: Re: [midPoint] Discovering Custom objectClasses 


Capitalization looks correct. I notice that I cannot select wiuId on the Schema Handling tab for that attribute. It defaults to CN. 

The Attribute drop down is only presenting attributes from the person OC, not the other auxiliary OCs.

Matt 



On Fri, Aug 19, 2016 at 10:47 AM, Radovan Semancik < radovan.semancik at evolveum.com > wrote: 

<blockquote>

Hi, 

Yes, that should work. 
Just check that you have correct lowercase/uppercase form for the attribute names. LDAP is (mostly) case insensitive, but midPoint is case sensitive. Look at the <schema> part of the resource definition. That is generated from the resource. Look for your auxiliary object class definition there. And use the same capitalization as you see in the <schema> section. 

-- 
Radovan Semancik
Software Architect evolveum.com 



On 08/19/2016 05:23 PM, Mencel, Matt wrote: 

<blockquote>

Thanks Radovan, 

That helps. Do I declare the auxiliary's attributes in the same place as the default objectClass then? I'm getting this error in the UI... 


<blockquote>
There is no attribute named '{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}wiuId' in object class '{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}person' (defined in schema handling for 'User Account (kind: ACCOUNT, intent: person)').
</blockquote>


https://gist.github.com/MattMencel/2a3208371a1b0ce422e0b4923df413f7 

On Fri, Aug 19, 2016 at 9:54 AM, Radovan Semancik < radovan.semancik at evolveum.com > wrote: 

<blockquote>

Hi, 

On 08/19/2016 04:26 PM, Mencel, Matt wrote: 

<blockquote>

I have multiple LDAP objectclasses that contain all the attributes that make up a person's identity. I've associated multiple OCs with the same kind/intent in midpoint and am getting a warning in the UI. 


<blockquote>
There are multiple schema handling definitions for kind/intent: ACCOUNT/person. 
</blockquote>

Should I be doing this another way? 

</blockquote>

Yes. Just one of the objectclasses is structural (primary). Other object classes are auxiliary. MidPoint fully supports auxiliary object classes, but you need to use a slightly different approach. Use something like this: 

<schemaHandling>
    <objectType>
        <kind>account</kind>
        <displayName>Normal Account</displayName>
        <default>true</default>
        <objectClass>ri:inetOrgPerson</objectClass>
        <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
        <auxiliaryObjectClass>ri:foo</auxiliaryObjectClass>
        <auxiliaryObjectClass>ri:bar</auxiliaryObjectClass>
... 
-- 
Radovan Semancik
Software Architect evolveum.com 
_______________________________________________ midPoint mailing list midPoint at lists.evolveum.com http://lists.evolveum.com/mailman/listinfo/midpoint 

</blockquote>


</blockquote>




</blockquote>







</blockquote>





</blockquote>





