[midPoint] AD User-Group Association

Ivan Noris ivan.noris at evolveum.com
Mon May 2 10:56:55 CEST 2016


Hi,

the association configuration should be like this for the AdLdap connector:

    <association>
        <ref>ri:group</ref>
        <displayName>AD Group Membership</displayName>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>
        <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
        <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
    </association>
          
or for the old .NET AD connector:

    <association>
        <ref>ri:group</ref>
        <matchingRule>mr:stringIgnoreCase</matchingRule>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>icfs:name</valueAttribute>
        <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
        <shortcutAssociationAttribute>icfs:groups</shortcutAssociationAttribute>
        <shortcutValueAttribute>icfs:name</shortcutValueAttribute>
    </association>

One or the other should work (both are copy/pastes from resources in
samples/projects). It only depends on the connector used.

Regards,
Ivan

On 04/29/2016 10:18 AM, LECOMTE ANTOINE wrote:
>
> Hello,
>
> we're still evaluating midPoint (3.3.1) and we have achieved the
> midPoint-AD synchronization for accounts.
>
> We can see them in the midPoint GUI and in Active Directory.
>
> We are following the HOWTO for synchronizing AD groups, and they are
> correctly created in midPoint (as roles).
>
> We removed the outbound rules in the group schema handling.
>
> But assignments between users and roles are not created.
>
> We don't have any error or warning messages.
>
> If we link them manually in midPoint, the membership is added to the
> group in AD.
>
> We tried multiple valueAttribute values without success: icfs:name and
> ri:distinguishedName.
>
> You can see our current schemaHandling below.
>
> <objectType>
>     <kind>account</kind>
>     <intent>default</intent>
>     <displayName>AD_Account</displayName>
>     <default>true</default>
>     <objectClass>ri:AccountObjectClass</objectClass>
>
>     ....
>
>     <association>
>         <ref>ri:group</ref>
>         <displayName>AD Group Membership</displayName>
>         <kind>entitlement</kind>
>         <intent>group</intent>
>         <direction>objectToSubject</direction>
>         <associationAttribute>ri:member</associationAttribute>
>         <valueAttribute>ri:distinguishedName</valueAttribute>
>         <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>     </association>
> </objectType>
>
> Thanks !
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."
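The following is an added example, written for this archive page; it is not midPoint code and not part of either message above. It is a toy model of how an objectToSubject association is resolved: the group (the object) publishes its members in the association attribute (AD `member`, which holds DNs), and an account (the subject) is treated as a member when its valueAttribute equals one of those values. The model shows why the symptom in the thread (groups imported, no assignments, no errors) appears when the valueAttribute does not carry the same kind of value the `member` attribute holds, why a case-insensitive comparison (what `mr:stringIgnoreCase` provides) matters for DNs, and how the memberOf shortcut maps back to groups. All directory entries are constructed sample data; the attribute names `dn`, `sAMAccountName`, `member` and `memberOf` stand for the AD attributes, and the functions and their behaviour are assumptions of this model, not a description of midPoint internals.

```python
"""Toy model of midPoint-style objectToSubject association resolution.

Added example, not midPoint code. Constructed sample data only.
"""
import re
from typing import Dict, List

# --- constructed sample directory content (not real) ------------------------
ACCOUNTS: List[Dict] = [
    {
        "dn": "CN=Alice Smith,OU=Users,DC=example,DC=com",
        "sAMAccountName": "asmith",
        "memberOf": [
            "CN=Admins,OU=Groups,DC=example,DC=com",
            "CN=Staff,OU=Groups,DC=example,DC=com",
        ],
    },
    {
        "dn": "CN=Bob Jones,OU=Users,DC=example,DC=com",
        "sAMAccountName": "bjones",
        "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"],
    },
]

GROUPS: List[Dict] = [
    {
        "dn": "CN=Admins,OU=Groups,DC=example,DC=com",
        "cn": "Admins",
        # Constructed: a member DN returned in different letter case.
        "member": ["cn=alice smith,ou=users,dc=example,dc=com"],
    },
    {
        "dn": "CN=Staff,OU=Groups,DC=example,DC=com",
        "cn": "Staff",
        "member": [
            "CN=Alice Smith,OU=Users,DC=example,DC=com",
            "CN=Bob Jones,OU=Users,DC=example,DC=com",
        ],
    },
]


def normalize_dn(value: str, ignore_case: bool = True) -> str:
    """Canonicalise a DN-like string: strip whitespace around ',' and '=',
    and optionally fold case (the effect of a case-insensitive matching
    rule). DNs are case-insensitive in LDAP, so ignore_case defaults on."""
    parts = [re.sub(r"\s*=\s*", "=", p.strip()) for p in value.split(",")]
    norm = ",".join(parts)
    return norm.lower() if ignore_case else norm


def resolve_object_to_subject(accounts: List[Dict], groups: List[Dict],
                              value_attribute: str,
                              association_attribute: str = "member",
                              ignore_case: bool = True) -> Dict[str, List[str]]:
    """objectToSubject: read each group's association attribute and match
    its values against the account's value attribute. Returns
    account DN -> sorted list of group cn. A value-kind mismatch (e.g.
    sAMAccountName vs. DN) silently yields no memberships."""
    result: Dict[str, List[str]] = {a["dn"]: [] for a in accounts}
    for g in groups:
        members = {normalize_dn(v, ignore_case)
                   for v in g.get(association_attribute, [])}
        for a in accounts:
            mine = a.get(value_attribute)
            if mine is not None and normalize_dn(mine, ignore_case) in members:
                result[a["dn"]].append(g["cn"])
    return {k: sorted(v) for k, v in result.items()}


def resolve_via_shortcut(accounts: List[Dict], groups: List[Dict],
                         shortcut_attribute: str = "memberOf",
                         shortcut_value_attribute: str = "dn",
                         ignore_case: bool = True) -> Dict[str, List[str]]:
    """Shortcut path: the account's memberOf values are looked up against
    the groups' shortcutValueAttribute (their DN) instead of scanning
    every group's member list. Unknown DNs are ignored."""
    by_dn = {normalize_dn(g[shortcut_value_attribute], ignore_case): g["cn"]
             for g in groups}
    out: Dict[str, List[str]] = {}
    for a in accounts:
        hits = [by_dn[normalize_dn(v, ignore_case)]
                for v in a.get(shortcut_attribute, [])
                if normalize_dn(v, ignore_case) in by_dn]
        out[a["dn"]] = sorted(hits)
    return out


if __name__ == "__main__":
    print("dn, case-insensitive :", resolve_object_to_subject(ACCOUNTS, GROUPS, "dn"))
    print("dn, case-sensitive   :", resolve_object_to_subject(ACCOUNTS, GROUPS, "dn", ignore_case=False))
    print("sAMAccountName       :", resolve_object_to_subject(ACCOUNTS, GROUPS, "sAMAccountName"))
    print("memberOf shortcut    :", resolve_via_shortcut(ACCOUNTS, GROUPS))
```

Running the block shows the three situations side by side: matching the account DN against `member` case-insensitively yields the expected memberships; a case-sensitive comparison drops the group whose member DN came back in a different case; and matching on `sAMAccountName` produces an empty result for every account with no error raised, which is exactly the "no assignments, no warnings" symptom. The shortcut resolution gives the same answer as the full scan for the constructed data, which is the property that makes `shortcutAssociationAttribute` safe to use.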
