[midPoint] Adding Custom Attributes to Midpoint
Jason Everling
jeverling at bshp.edu
Tue Aug 23 21:04:45 CEST 2016
I sent it to your email address, most of it was asked on this list as I
was setting up our environment, in the archives
http://lists.evolveum.com/pipermail/midpoint/ around Oct 2014 up until
Mar/April 2015 I blew up this mailing list with a ton of emails. Thanks
again to everyone at Evolveum for being so patient with me!!
JASON
On Tue, Aug 23, 2016 at 12:58 PM, Mencel, Matt <mr-mencel at wiu.edu> wrote:
> The process right now is a Perl script we wrote 15+ years ago, but you're
> right. If I get this working correctly, Midpoint would create the
> usernames instead, so this will be fine. When the import from CSV does an
> add, the object template would generate the UID. I need to get all the
> users imported from LDAP first though before I implement that.
>
> I'd love to see your template, if just to have a real world example to
> refer to. If you don't want to share it here feel free to email me
> directly, or put it in a private gist on Github or something.
>
> Thanks!
>
> On Tue, Aug 23, 2016 at 12:45 PM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> Does it have to wait for username from ldap or can you generate them in
>> midpoint or have you just gotten that far yet? Maybe someone else can jump
>> in on which route to take, in reverse order, our CSV is also
>> authoritative , BUT if no account found it will generate the username
>> based on an object template in midpoint and then it provisions that account
>> to the different resources the user should have access to.
>>
>> Have you gotten around to object templates in midpoint? You can attach a
>> template to each resource, and also make a default gui one, for example,
>>
>> on the resource it is
>>
>> <reaction>
>> <!-- Users will be ENABLED and moved into the correct Org Unit -->
>> <situation>unlinked</situation>
>> <objectTemplateRef oid="10000000-0000-0000-0000-000000000302"/>
>> <action>
>> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount</handlerUri>
>> </action>
>> </reaction>
>> <reaction>
>> <situation>unmatched</situation>
>> <objectTemplateRef oid="10000000-0000-0000-0000-000000000203"/>
>> <action>
>> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
>> </action>
>> </reaction>
>>
>> and then my object template relating to the 'unmatched' situation will
>> generate a username based on different user 'types' or their affiliated
>> status, you know, faculty/staff like to have better looking usernames,
>> hah.. I can share some of the template if needed
>>
>>
>>
>>
>>
>> JASON
>>
>> On Tue, Aug 23, 2016 at 12:32 PM, Mencel, Matt <mr-mencel at wiu.edu> wrote:
>>
>>> The CSV is the authoritative source. When an account is first sent in
>>> that file I don't have an LDAP entry for it yet, so no username can be
>>> assigned yet. So ideally what would happen...
>>>
>>> - New user created from the CSV with the ID as its name for the time
>>> being...
>>> - An LDAP account is then provisioned based on the info and I get the
>>> username back from the LDAP resource
>>> - "Rename" the object in midpoint with the username set as name and ID
>>> would be in the employeeID attribute.
>>>
>>> I haven't done anything with the name attribute yet because I wasn't
>>> sure what I needed to do. So right now it just picks up the ID from the
>>> CSV I think because that is what is set as the "uniqueIdentifier" in that
>>> resource.
>>>
>>> <attribute>
>>> <ref>icfs:name</ref>
>>> <displayName>Name</displayName>
>>> <outbound>
>>> <strength>weak</strength>
>>> <source>
>>> <path>$user/name</path>
>>> </source>
>>> </outbound>
>>> <inbound>
>>> <target>
>>> <path>$user/name</path>
>>> </target>
>>> </inbound>
>>> </attribute>
>>>
>>> On Tue, Aug 23, 2016 at 12:22 PM, Jason Everling <jeverling at bshp.edu>
>>> wrote:
>>>
>>>> In one of our resources, we also use the ID as the unique identifier.
>>>> Do the users already exist in midpoint that the CSV accounts belong to? If
>>>> so, then you would match based on your extension attribute, what do you
>>>> have for icfs:name mapping? like our CSV for example,
>>>>
>>>> <attribute>
>>>> <ref>icfs:name</ref>
>>>> <displayName>Name</displayName>
>>>> <limitations>
>>>> <minOccurs>0</minOccurs>
>>>> <access>
>>>> <read>true</read>
>>>> </access>
>>>> </limitations>
>>>> <inbound>
>>>> <target>
>>>> <path>
>>>> $c:user/c:extension/bshp:uniqueID
>>>> </path>
>>>> </target>
>>>> </inbound>
>>>> </attribute>
>>>>
>>>> <correlation>
>>>> <q:equal>
>>>> <q:path>c:user/c:extension/bshp:uniqueID</q:path>
>>>> <expression>
>>>> <path>
>>>> declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>>> $account/attributes/icfs:name
>>>> </path>
>>>> </expression>
>>>> </q:equal>
>>>> </correlation>
>>>>
>>>> This way, if it is an existing user with the same value, it will match
>>>> and link accounts, if not, then the object template will generate a new
>>>> user based on what we have defined as a 'username'
>>>>
>>>> JASON
>>>>
>>>> On Tue, Aug 23, 2016 at 10:50 AM, Mencel, Matt <mr-mencel at wiu.edu>
>>>> wrote:
>>>>
>>>>> I meant to include this screenshot in my reply....
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Aug 23, 2016 at 10:37 AM, Mencel, Matt <mr-mencel at wiu.edu>
>>>>> wrote:
>>>>>
>>>>>> So I have a followup question. In my CSV resource the unique
>>>>>> attribute is an ID number. It's getting imported to the "Name" field in
>>>>>> Midpoint. It's just odd that the "Name" appears as the id number. Can I
>>>>>> rename that field or should I import that ID attribute to a new custom
>>>>>> field that I put in my custom schema file? Is there a way to present a
>>>>>> custom schema attribute in that top bar?
>>>>>>
>>>>>> I'm assuming the Name field in Midpoint really should be a username
>>>>>> as that seems to be the intent for that. When I get my LDAP resource
>>>>>> working I will be able to add the username data, but I'm not that far yet.
>>>>>> So just trying to figure out how to handle it with the data coming from the
>>>>>> CSV import.
>>>>>>
>>>>>> Thanks,
>>>>>> Matt
>>>>>>
>>>>>> On Mon, Aug 22, 2016 at 5:20 PM, Mencel, Matt <mr-mencel at wiu.edu>
>>>>>> wrote:
>>>>>>
>>>>>>> Figured it out. Have to call $user/extension/major in the attribute
>>>>>>> mapping.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Aug 22, 2016 at 5:17 PM, Mencel, Matt <mr-mencel at wiu.edu>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Ah, of course...thanks for that link. I created the xsd file with
>>>>>>>> my new attributes...
>>>>>>>>
>>>>>>>> <xsd:element name="major" type="xsd:string" minOccurs="0"
>>>>>>>> maxOccurs="unbounded">
>>>>>>>> <xsd:annotation>
>>>>>>>> <xsd:appinfo>
>>>>>>>> <a:indexed>true</a:indexed>
>>>>>>>> <a:displayName>Major</a:displayName>
>>>>>>>> <a:displayOrder>130</a:displayOrder>
>>>>>>>> </xsd:appinfo>
>>>>>>>> </xsd:annotation>
>>>>>>>> </xsd:element>
>>>>>>>>
>>>>>>>> I see the empty fields now in the user entry (Extension section),
>>>>>>>> but I must still be missing something because I'm still not getting it
>>>>>>>> during the import. Do I have to do anything different in the
>>>>>>>> schemaHandling section of my resource in order to use it?
>>>>>>>>
>>>>>>>> <schemaHandling>
>>>>>>>> ...
>>>>>>>> <attribute>
>>>>>>>> <ref>ri:major</ref>
>>>>>>>> <displayName>Major</displayName>
>>>>>>>> <outbound>
>>>>>>>> <strength>weak</strength>
>>>>>>>> <source>
>>>>>>>> <path>$user/major</path>
>>>>>>>> </source>
>>>>>>>> </outbound>
>>>>>>>> <inbound>
>>>>>>>> <target>
>>>>>>>> <path>$user/major</path>
>>>>>>>> </target>
>>>>>>>> </inbound>
>>>>>>>> </attribute>
>>>>>>>> ...
>>>>>>>>
>>>>>>>> On Mon, Aug 22, 2016 at 4:56 PM, Brad Fardig <
>>>>>>>> brad.fardig at cogitogroup.com.au> wrote:
>>>>>>>>
>>>>>>>>> Hi Matt,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This doc provides an example of how to add the schema extensions
>>>>>>>>> that you require:
>>>>>>>>> https://wiki.evolveum.com/display/midPoint/Custom+Schema+Extension
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hope this helps
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Brad
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On
>>>>>>>>> Behalf Of *Mencel, Matt
>>>>>>>>> *Sent:* Tuesday, 23 August 2016 7:39 AM
>>>>>>>>> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>>>>>>>>> *Subject:* [midPoint] Adding Custom Attributes to Midpoint
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have lots of custom attributes in my different resources (e.g.
>>>>>>>>> studentId, major, minor, etc....). I'd like to add this and many others to
>>>>>>>>> Midpoint so I can sync them between resources. I see there is an
>>>>>>>>> objectTemplate that can be used, but the examples I've seen only show
>>>>>>>>> using that to do actions like create fullName from givenName and
>>>>>>>>> familyName.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Do I also use objectTemplate when I just want to sync a new
>>>>>>>>> attribute in from a resource? Or should it be picking that up from the
>>>>>>>>> schema?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I get errors like this when attempting to import an account with a
>>>>>>>>> custom attribute.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2016-08-22 16:35:45,425 [] [http-nio-8080-exec-4] WARN
>>>>>>>>> (com.evolveum.midpoint.provisioning.impl.ResourceManager): Schema
>>>>>>>>> error while processing schemaHandling section of
>>>>>>>>> resource:0d6babea-6896-11e6-9d38-0050569aa9d2(CSV TEADVS):
>>>>>>>>> Definition of attribute studentmajor not found in object class
>>>>>>>>> {http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}AccountObjectClass
>>>>>>>>> as defined in definition of
>>>>>>>>> resource:0d6babea-6896-11e6-9d38-0050569aa9d2(CSV TEADVS)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *This email, and any attachment, is confidential and also
>>>>>>>>> privileged. If you have received it in error, please notify me immediately
>>>>>>>>> and delete it from your system along with any attachments. You should not
>>>>>>>>> copy or use it for any purpose, nor disclose its contents to any other
>>>>>>>>> person. *
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> midPoint mailing list
>>>>>>>>> midPoint at lists.evolveum.com
>>>>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is proprietary and
>>>> confidential; intended for only the recipient(s) named above and may
>>>> contain information that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>> of the contents to any person. Any views or opinions expressed in this
>>>> e-mail are those of the author and do not represent those of the Baptist
>>>> School of Health Professions. If you have received this e-mail in error, or
>>>> are not the named recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this communication is prohibited
>>>> by the sender and to do so might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>> notify the sender and delete this e-mail and any attachments from your
>>>> computer.
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2016-08-23 at 10.28.56 AM.png
Type: image/png
Size: 36370 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160823/c576c895/attachment.png>
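
The failure that runs through this thread, a mapping path that names a custom item without the `extension` segment, can be caught offline before an import is attempted. The check below is an added example, not code from the thread or from midPoint; the sample XML is constructed with namespaces omitted, and the function names and problem labels are hypothetical.

```python
import xml.etree.ElementTree as ET

XSD_NS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed sample: extension schema that declares a single item, "major".
EXTENSION_XSD = """<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:complexType name="UserExtensionType"><xsd:sequence>
    <xsd:element name="major" type="xsd:string" minOccurs="0"/>
  </xsd:sequence></xsd:complexType>
</xsd:schema>"""

# Constructed sample: schemaHandling fragment (namespaces omitted for brevity).
SCHEMA_HANDLING = """<schemaHandling>
  <attribute><ref>ri:major</ref>
    <inbound><target><path>$user/major</path></target></inbound></attribute>
  <attribute><ref>ri:minor</ref>
    <inbound><target><path>$user/extension/minor</path></target></inbound></attribute>
  <attribute><ref>icfs:name</ref>
    <inbound><target><path>$user/name</path></target></inbound></attribute>
</schemaHandling>"""


def local(name):
    """Drop an XML namespace ({uri}) or prefix (p:) from a tag or path segment."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]


def extension_items(xsd_text):
    """Names of all elements declared in the extension XSD."""
    return {e.get("name") for e in ET.fromstring(xsd_text).iter(XSD_NS + "element")}


def lint_paths(config_text, ext_items):
    """Return (path, problem) for every user path that cannot resolve."""
    findings = []
    for el in ET.fromstring(config_text).iter():
        if local(el.tag) != "path" or not el.text:
            continue
        path = el.text.split(";")[-1].strip()  # skip any "declare namespace ...;"
        segs = [local(s) for s in path.split("/")]
        if segs[0].lstrip("$") != "user":
            continue  # e.g. $account/attributes/... is not a user path
        if len(segs) == 2 and segs[1] in ext_items:
            # Custom item addressed as if it were a core user property.
            findings.append((path, "missing-extension-segment"))
        elif len(segs) >= 3 and segs[1] == "extension" and segs[2] not in ext_items:
            # Path points into the extension, but the XSD never declares the item.
            findings.append((path, "undeclared-extension-item"))
    return findings
```

Core properties such as `$user/name` pass untouched, so only paths that depend on the custom schema are reported.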