[midPoint] Sync Virtual Identities and AD Groups using roles

Marco Benucci m.benucci at nsr.it
Tue Dec 20 20:29:20 CET 2016


Oh, I'm very sorry... 
These days I'm working with 2 ldap and I frequently refer to ad groups using the ldap memberof...
So, I have done what I have described previously using the icfs:groups from the ad connector. 

For a quick and dirty work, you could use an inbound mapping on the employeeType attribute without having to restart the application. I have used a simple inbound mapping, no expression.

Sent from BlueMail

On 20 Dec 2016, at 20:17, Jason Everling <jeverling at bshp.edu> wrote:
>hmm... so, I am guessing then you added memberOf to the .net xml? I am
>using icfs:groups and that maybe could be why then it doesn't work on
>livesync, I didn't think to just add the virtual attribute,
>
>So did you use the below?
>
>            <AttributeInfo name="memberOf" type="String">
>                <AttributeInfoFlag value="MULTIVALUED"/>
>            </AttributeInfo>
>
>JASON
>
>On Tue, Dec 20, 2016 at 12:30 PM, Marco Benucci <m.benucci at nsr.it>
>wrote:
>
>> Hi, I was using the old ad connector because we are on midpoint 3.3.1...
>>
>> Moreover, I have only tested it during a reconciliation, because from now
>> we are managing ad groups with midpoint....but I think it should work
>> during livesync. Have you got troubles?
>>
>> Sent from BlueMail <http://www.bluemail.me/r>
>> On 20 Dec 2016, at 15:44, Jason Everling <jeverling at bshp.edu> wrote:
>>>
>>> Quick question, I am assuming you are using the AD-LDAP connector
>>> (ri:memberOf), does inbound work during live sync or just during reconcile?
>>>
>>> Thanks!
>>> JASON
>>>
>>>
>>>
>>> On Tue, Dec 20, 2016 at 4:10 AM, Marco Benucci <m.benucci at nsr.it> wrote:
>>>
>>>> I have successfully aligned AD entitlement on midpoint users using a 2
>>>> step approach.
>>>>
>>>>
>>>> Firstly I have made an inbound mapping of the attribute memberOf in an
>>>> extension and multivalue attribute.
>>>>
>>>> Then, with an object template I have used the assignmentTargetSearch to
>>>> assign midpoint roles (my AD entitlement) to the user based on the
>>>> attribute mentioned above. I thought it could be possible to use the
>>>> assignmentTargetSearch even in inbound mapping on the resource, but I
>>>> did not test it.
>>>>
>>>> Thank you,
>>>> Marco
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
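The two-step approach described in the thread (an inbound mapping of the group attribute into a multivalue extension attribute, then assignmentTargetSearch in an object template), as an added example that is not part of the original messages or of midPoint's own samples. The extension item `ext:adGroup`, its namespace, the mapping name, and the convention that each role is named after the CN of its AD group are assumptions made for illustration.

```xml
<!-- Added example. Hypothetical: extension item ext:adGroup (declared in an
     extension schema as a multivalue string) and its namespace. Assumes the
     attribute values are group DNs and each role is named after the group CN. -->

<!-- Step 1: fragment of the resource schemaHandling (account object type).
     ri:memberOf is the attribute named in the thread for the AD-LDAP
     connector; the thread's author mapped icfs:groups on the old AD connector. -->
<attribute xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
           xmlns:ext="http://example.com/xml/ns/midpoint/ext">
    <ref>ri:memberOf</ref>
    <inbound>
        <target>
            <path>$user/extension/ext:adGroup</path>
        </target>
    </inbound>
</attribute>

<!-- Step 2: fragment of the user object template.
     For each stored DN, look up the role with the matching name and assign it. -->
<mapping xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
         xmlns:ext="http://example.com/xml/ns/midpoint/ext">
    <name>ad-groups-to-roles</name>
    <source>
        <path>extension/ext:adGroup</path>
    </source>
    <expression>
        <assignmentTargetSearch>
            <targetType>c:RoleType</targetType>
            <filter>
                <q:equal>
                    <q:path>c:name</q:path>
                    <expression>
                        <script>
                            <code>
                                // Constructed DN "CN=VPN-Users,OU=Groups,DC=example,DC=com" yields "VPN-Users"
                                def dn = new javax.naming.ldap.LdapName(adGroup)
                                return dn.getRdn(dn.size() - 1).getValue().toString()
                            </code>
                        </script>
                    </expression>
                </q:equal>
            </filter>
        </assignmentTargetSearch>
    </expression>
    <target><path>assignment</path></target>
</mapping>
```

Because roles are matched purely by name, whoever can create or rename groups in AD effectively decides which midPoint roles a user receives, so limit the mapped groups to an OU whose administration is controlled.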