[midPoint] Extra Associations under Projections account

Radovan Semancik radovan.semancik at evolveum.com
Thu Jun 16 17:40:09 CEST 2016


Hi Florin,

The two associations that you see are in fact just two images of the 
same group membership. MidPoint will process the same association twice 
and therefore display it twice. The question is why it is processed 
twice. My guess would be that you have two association definitions in 
the account type definition in schemaHandling ("Service groups" and 
"POSIX membership"). These two definitions most likely point to the 
entitlements that have the same association attribute (most likely 
"member") and the same object class. Therefore when midPoint finds that 
the account is a member of "cpe_services" group it matches both 
definitions and therefore it is processed by both of them and therefore 
it appears twice.

To resolve this issue you need to define some information that will tell 
midPoint how to distinguish the associations. I can only guess here, but 
if the groups live in different parts of the LDAP tree you need a 
baseContext specification. Like this:

    <schemaHandling>

        <objectType>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <displayName>LDAP Group</displayName>
            <objectClass>ri:groupOfNames</objectClass>
            <baseContext>
                <objectClass>ri:organizationalUnit</objectClass>
                <filter>
                    <q:equal>
                        <q:path>attributes/dn</q:path>
                        <q:value>ou=groups,dc=example,dc=com</q:value>
                    </q:equal>
                </filter>
            </baseContext>
            ....


See here: 
https://github.com/Evolveum/midpoint/blob/master/samples/evolveum/resource-openldap.xml
and here: 
https://github.com/Evolveum/midpoint/blob/master/testing/story/src/test/resources/unix/resource-opendj.xml

Or maybe you have a wrong specification of <objectClass> in the 
entitlement definitions? Maybe one of them should have "groupOfNames" 
and the other "posixGroup"?

-- 
Radovan Semancik
Software Architect
evolveum.com



On 06/07/2016 09:15 PM, Florin. Stingaciu wrote:
> Hello,
>
> So I have this user which has only one assignment, to role 
> cpe_services. This role was created using the following metarole: 
> http://pastebin.com/uMtwyfCV
>
> This metarole has five different inducements:
>
>   * the first inducement is an order one inducement that creates an
>     LDAP group with intent 'serviceGroup'
>   * the second inducement is an order two inducement that creates a
>     'default' account if the employee type is equal to 'user'
>   * the third inducement is an order two inducement that creates a
>     'service' account if the employee type is equal to 'service'
>   * the fourth and fifth are both second order inducements that
>     generate a gid and uid for the user
>
> The assignment of cpe_services to the metarole creates the 
> cpe_services group in LDAP. The assignment of the user to 
> cpe_services, creates an LDAP 'service' account, however when I look 
> under projections, click on the account, and look at associations, I 
> see the following: http://imgur.com/CUEH7uw
>
> The only association there should be the "Service Group" association. 
> The posixMembership is an entitlement that the serviceAccount can 
> have, however it is not defined within this metarole. Also, as you can 
> see, the dn for the association is the same in both.
>
> This problem is not only limited to my serviceGroups entitlement but 
> all entitlements. It also happens for different types of accounts as 
> well.
>
> Please let me know if I can provide anything further that would 
> help debug this issue.
>
> Thanks,
> -F
