[midPoint] AD User-Group Association
Ivan Noris
ivan.noris at evolveum.com
Mon May 2 10:56:55 CEST 2016
Hi,
the association configuration should be like this for the AdLdap connector:
<association>
    <ref>ri:group</ref>
    <displayName>AD Group Membership</displayName>
    <kind>entitlement</kind>
    <intent>group</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
    <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
</association>
or for the old .NET AD connector:
<association>
    <ref>ri:group</ref>
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <kind>entitlement</kind>
    <intent>group</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>icfs:name</valueAttribute>
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
    <shortcutAssociationAttribute>icfs:groups</shortcutAssociationAttribute>
    <shortcutValueAttribute>icfs:name</shortcutValueAttribute>
</association>
One or the other should work (both are copy/pastes from resources in
samples/projects). It only depends on the connector used.
Regards,
Ivan
On 04/29/2016 10:18 AM, LECOMTE ANTOINE wrote:
>
> Hello,
>
> we're still evaluating Midpoint (3.3.1) and we achieved the midpoint-AD
> synchronization for accounts.
>
> We can see them in MidPoint GUI and Active Directory.
>
> We are following the HOWTO for synchronizing AD Groups and they are
> correctly created in Midpoint (roles).
>
> We removed the outbound rules in the group schema handling.
>
> But, assignments between users and roles are not created.
>
> We don't have errors or warning messages.
>
> If we link them manually in midpoint, the membership is added to the
> group in AD.
>
> We tried multiple valueAttribute values without success: icfs:name and
> ri:distinguishedName.
>
> You can see below our current schemaHandling.
>
> <objectType>
>     <kind>account</kind>
>     <intent>default</intent>
>     <displayName>AD_Account</displayName>
>     <default>true</default>
>     <objectClass>ri:AccountObjectClass</objectClass>
>     ....
>     <association>
>         <ref>ri:group</ref>
>         <displayName>AD Group Membership</displayName>
>         <kind>entitlement</kind>
>         <intent>group</intent>
>         <direction>objectToSubject</direction>
>         <associationAttribute>ri:member</associationAttribute>
>         <valueAttribute>ri:distinguishedName</valueAttribute>
>         <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>     </association>
> </objectType>
>
> Thanks !
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
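Added example for this thread (not midPoint or Evolveum code, and not from either poster): a small script that compares a candidate <association> fragment with the known-good AdLdap fragment from the reply above, reporting elements that are missing or differ (which is exactly how the original question's ri:distinguishedName and missing shortcut attributes would surface), and then resolves objectToSubject membership from constructed sample AD entries, cross-checking the shortcut attribute (memberOf on the account) against member on the groups. Assumptions that are mine, not the thread's: the fragments are parsed as plain XML without namespace declarations, the sample DNs and group contents are constructed, and DN comparison is simplified to case-insensitive matching of trimmed RDNs (escaped commas and other DN subtleties are not handled).

```python
"""Sanity checks for a midPoint AD group association (added example, not midPoint code).

Assumptions (mine, not from the thread): fragments are parsed as plain XML without
namespace declarations; DN matching is a simplified case-insensitive comparison.
"""
import xml.etree.ElementTree as ET

# Working AdLdap association, as given in the reply above.
ADLDAP_REFERENCE = """<association>
<ref>ri:group</ref>
<displayName>AD Group Membership</displayName>
<kind>entitlement</kind>
<intent>group</intent>
<direction>objectToSubject</direction>
<associationAttribute>ri:member</associationAttribute>
<valueAttribute>ri:dn</valueAttribute>
<shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
<shortcutValueAttribute>ri:dn</shortcutValueAttribute>
</association>"""

# The association from the original question.
CANDIDATE = """<association>
<ref>ri:group</ref>
<displayName>AD Group Membership</displayName>
<kind>entitlement</kind>
<intent>group</intent>
<direction>objectToSubject</direction>
<associationAttribute>ri:member</associationAttribute>
<valueAttribute>ri:distinguishedName</valueAttribute>
<explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>"""

# Elements that must agree with the reference; displayName is cosmetic and skipped.
CHECKED = ("ref", "kind", "intent", "direction", "associationAttribute",
           "valueAttribute", "shortcutAssociationAttribute", "shortcutValueAttribute")


def association_fields(xml_text):
    """Return {element name: text} for the children of an <association> element."""
    root = ET.fromstring(xml_text)
    if root.tag != "association":
        raise ValueError("expected an <association> element, got <%s>" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}


def check_association(candidate_xml, reference_xml=ADLDAP_REFERENCE):
    """Compare a candidate association with a known-good one; return a list of findings."""
    cand, ref = association_fields(candidate_xml), association_fields(reference_xml)
    findings = []
    for name in CHECKED:
        if name not in ref:
            continue
        if name not in cand:
            findings.append("missing <%s> (reference: %s)" % (name, ref[name]))
        elif cand[name] != ref[name]:
            findings.append("<%s> is %s, reference uses %s" % (name, cand[name], ref[name]))
    return findings


def normalize_dn(dn):
    """AD compares DNs case-insensitively; trim whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def groups_of(account_dn, groups):
    """objectToSubject: the group's `member` values hold the account DN.
    groups: {group_dn: [member_dn, ...]} -> sorted list of groups containing the account."""
    target = normalize_dn(account_dn)
    return sorted(g for g, members in groups.items()
                  if any(normalize_dn(m) == target for m in members))


def shortcut_mismatches(groups, accounts):
    """Cross-check the shortcut attribute (`memberOf` on the account) against `member`
    on the groups. accounts: {account_dn: [memberOf_dn, ...]}.
    Returns {account_dn: (groups_missing_from_memberOf, extra_in_memberOf)} for
    accounts where the two views disagree (DNs normalized to lower case)."""
    out = {}
    for acct, member_of in accounts.items():
        forward = {normalize_dn(g) for g in groups_of(acct, groups)}
        back = {normalize_dn(g) for g in member_of}
        if forward != back:
            out[acct] = (sorted(forward - back), sorted(back - forward))
    return out


# Constructed sample directory content (not from the thread): Alice appears in Staff
# with a differently-cased DN, and her memberOf is missing Staff.
SAMPLE_GROUPS = {
    "CN=Admins,OU=Groups,DC=example,DC=com": ["CN=Alice,OU=Users,DC=example,DC=com"],
    "CN=Staff,OU=Groups,DC=example,DC=com": ["cn=alice,ou=users,dc=example,dc=com",
                                               "CN=Bob,OU=Users,DC=example,DC=com"],
}
SAMPLE_ACCOUNTS = {
    "CN=Alice,OU=Users,DC=example,DC=com": ["CN=Admins,OU=Groups,DC=example,DC=com"],
    "CN=Bob,OU=Users,DC=example,DC=com": ["CN=Staff,OU=Groups,DC=example,DC=com"],
}

if __name__ == "__main__":
    for finding in check_association(CANDIDATE):
        print("association:", finding)
    print(groups_of("CN=Alice,OU=Users,DC=example,DC=com", SAMPLE_GROUPS))
    print(shortcut_mismatches(SAMPLE_GROUPS, SAMPLE_ACCOUNTS))
```

Run against the question's fragment, the checker reports the valueAttribute mismatch and the two missing shortcut elements; run against the reference it reports nothing. The shortcut cross-check is the kind of thing worth running on a sample of real entries before trusting memberOf as a shortcut, since the association only fills in when the value read from `member` matches the account's `dn` under the connector's matching rule.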