[midPoint] Sync Virtual Identities and AD Groups using roles

Jason Everling jeverling at bshp.edu
Tue Dec 20 22:41:21 CET 2016


It's ok, I tested it out anyways with memberOf, but it still does not work
during livesync, only reconcile :( . Which is ok for now

JASON

On Tue, Dec 20, 2016 at 1:29 PM, Marco Benucci <m.benucci at nsr.it> wrote:

> Oh, I'm very sorry...
> These days I'm working with 2 ldap and I frequently refer to ad groups
> using the ldap memberof...
> So, I have done what I have described previously using the icfs:groups
> from the ad connector.
>
> For a quick and dirty work, you could use an inbound mapping on the
> employeeType attribute without having to restart the application. I have used
> a simple inbound mapping, no expression.
>
> Sent from BlueMail <http://www.bluemail.me/r>
> On 20 Dec 2016, at 20:17, Jason Everling <jeverling at bshp.edu>
> wrote:
>>
>> hmm... so, I am guessing then you added memberOf to the .net xml? I am
>> using icfs:groups and that maybe could be why then it doesn't work on
>> livesync, I didn't think to just add the virtual attribute,
>>
>> So did you use the below?
>>
>>             <AttributeInfo name="memberOf" type="String">
>>                 <AttributeInfoFlag value="MULTIVALUED"/>
>>             </AttributeInfo>
>>
>> JASON
>>
>> On Tue, Dec 20, 2016 at 12:30 PM, Marco Benucci <m.benucci at nsr.it> wrote:
>>
>>> Hi, I was using the old ad connector because we are on midpoint 3.3.1...
>>>
>>> Moreover, I have only tested it during a reconciliation, because from
>>> now we are managing ad groups with midpoint....but I think it should work
>>> during livesync. Have you got troubles?
>>>
>>> Sent from BlueMail <http://www.bluemail.me/r>
>>> On 20 Dec 2016, at 15:44, Jason Everling <
>>> jeverling at bshp.edu> wrote:
>>>>
>>>> Quick question, I am assuming you are using the AD-LDAP connector
>>>> (ri:memberOf), does inbound work during live sync or just during reconcile?
>>>>
>>>> Thanks!
>>>> JASON
>>>>
>>>>
>>>>
>>>> On Tue, Dec 20, 2016 at 4:10 AM, Marco Benucci <m.benucci at nsr.it>
>>>> wrote:
>>>>
>>>>> I have successfully aligned AD entitlement on midpoint users using a 2
>>>>> step approach.
>>>>>
>>>>>
>>>>> Firstly I have made an inbound mapping of the attribute memberOf in an
>>>>> extension and multivalue attribute.
>>>>>
>>>>> Then, with an object template I have used the assignmentTargetSearch
>>>>> to assign midpoint roles (my AD entitlement) to the user based on the
>>>>> attribute mentioned above. I thought it could be possible to use the
>>>>> assignmentTargetSearch even in inbound mapping on the resource, but I
>>>>> did not test it.
>>>>>
>>>>> Thank you,
>>>>> Marco
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
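The two-step approach Marco describes in the quoted message, sketched as midPoint XML fragments (an added example, not configuration posted in this thread). The extension property `ext:adGroupDn`, its namespace URI, and the convention that each midPoint role's name equals the AD group DN are assumptions.

```xml
<!-- Constructed example. ext:adGroupDn, its namespace URI and the rule
     "role name = AD group DN" are assumptions, not taken from the thread.
     Both fragments sit inside objects that declare the common-3 default
     namespace (the resource and the user object template). -->

<!-- Step 1: resource schemaHandling, account object type.
     Copy every memberOf value into a multivalue user extension property. -->
<attribute xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
           xmlns:ext="http://example.com/xml/ns/midpoint/ext">
    <ref>ri:memberOf</ref>
    <inbound>
        <target>
            <path>$user/extension/ext:adGroupDn</path>
        </target>
    </inbound>
</attribute>

<!-- Step 2: user object template.
     For each stored group DN, search for the role with that name and
     assign it to the user. -->
<mapping xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
         xmlns:ext="http://example.com/xml/ns/midpoint/ext">
    <name>AD group DN to role assignment</name>
    <authoritative>true</authoritative>
    <source>
        <path>extension/ext:adGroupDn</path>
    </source>
    <expression>
        <assignmentTargetSearch>
            <targetType>c:RoleType</targetType>
            <filter>
                <q:equal>
                    <q:path>c:name</q:path>
                    <expression>
                        <path>$adGroupDn</path>
                    </expression>
                </q:equal>
            </filter>
        </assignmentTargetSearch>
    </expression>
    <target>
        <path>assignment</path>
    </target>
</mapping>
```

As reported at the top of this message, the inbound took effect on reconcile but not on livesync, so check both paths before relying on it for group-driven role assignment.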

