[midPoint] Extra Associations under Projections account
Radovan Semancik
radovan.semancik at evolveum.com
Thu Jun 16 17:40:09 CEST 2016
Hi Florin,
The two associations that you see are in fact just two images of the
same group membership. MidPoint will process the same association twice
and therefore display it twice. The question is why it is processed
twice. My guess would be that you have two association definitions in
the account type definition in schemaHandling ("Service groups" and
"POSIX memebership"). These two definitions most likely point to the
entitlements that have the same association attribute (most likely
"member") and the same object class. Therefore when midPoint finds that
the account is a member of "cpe_services" group it matches both
definition and therefore it is processed by both of them and therefore
it appears twice.
To resolve this issue you need to define some information that will tell
midPoint how to distinguish the associations. I can only guess here, but
if the groups live in a different parts of the LDAP tree you need a
baseContext specification. Like this:
<schemaHandling>
<objectType>
<kind>entitlement</kind>
<intent>ldapGroup</intent>
<displayName>LDAP Group</displayName>
<objectClass>ri:groupOfNames</objectClass>
<baseContext>
<objectClass>ri:organizationalUnit</objectClass>
<filter>
<q:equal>
<q:path>attributes/dn</q:path>
<q:value>ou=groups,dc=example,dc=com</q:value>
</q:equal>
</filter>
</baseContext>
....
See here:
https://github.com/Evolveum/midpoint/blob/master/samples/evolveum/resource-openldap.xml
and here:
https://github.com/Evolveum/midpoint/blob/master/testing/story/src/test/resources/unix/resource-opendj.xml
Or maybe you have wrong specification of <objectClass> in the
entitlement definitions? Maybe one of them should have "groupOfNames"
and the other "posixGroup"?
--
Radovan Semancik
Software Architect
evolveum.com
On 06/07/2016 09:15 PM, Florin. Stingaciu wrote:
> Hello,
>
> So I have this user which has only one assignment, to role
> cpe_services. This role was created using the following metarole:
> http://pastebin.com/uMtwyfCV
>
> This metarole has five different inducements:
>
> * the first inducement is an order one inducement that creates an
> LDAP group with intent 'serviceGroup'
> * the second inducement is an order two inducement that create a
> 'default' account if the employee type is equal to 'user'
> * the third inducement is an order two inducement that create a
> 'service' account if the employee type is equal to 'service'
> * the fourth and fifth are both second order inducements that
> generate a gid and uid for the user
>
> The assignment of cpe_services to the metarole creates the
> cpe_services group in LDAP. The assignment of the user to
> cpe_services, creates an LDAP 'service' account, however when I look
> under projections, click on the account, and look at associations, I
> see the following: http://imgur.com/CUEH7uw
>
> The only association there should be the "Service Group" association.
> The posixMembership is an entitlement that the serviceAccount can
> have, however it is not defined within this metarole. Also, as you can
> see, the dn for the association is the same in both.
>
> This problem is not only limited to my serviceGroups entitlement but
> all entitlements. It also happens for different types of accounts as
> well.
>
> Please let me know if I can provide with anything further that would
> help debug this issue.
>
> Thanks,
> -F
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160616/d3dadae3/attachment.htm>
More information about the midPoint
mailing list