[midPoint] AD User-Group Association

LECOMTE ANTOINE antoine.lecomte at univ-lyon1.fr
Wed May 4 17:45:50 CEST 2016


Thanks !

We had no success with the association on the old .NET Connector.
We switched to the AdLdap and it’s working.

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan Noris
Sent: Monday, May 2, 2016 10:57 AM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] AD User-Group Association

Hi,

the association configuration should be like this for the AdLdap connector:

    <association>
        <ref>ri:group</ref>
        <displayName>AD Group Membership</displayName>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>
        <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
        <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
    </association>

or for the old .NET AD connector:

    <association>
        <ref>ri:group</ref>
        <matchingRule>mr:stringIgnoreCase</matchingRule>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>icfs:name</valueAttribute>
        <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
        <shortcutAssociationAttribute>icfs:groups</shortcutAssociationAttribute>
        <shortcutValueAttribute>icfs:name</shortcutValueAttribute>
    </association>

One or the other should work (both are copy/pastes from resources in samples/projects). It only depends on the connector used.

Regards,
Ivan
On 04/29/2016 10:18 AM, LECOMTE ANTOINE wrote:
Hello,

we're still evaluating midPoint (3.3.1) and we achieved the midPoint-AD synchronization for accounts.
We can see them in the midPoint GUI and in Active Directory.

We are following the HOWTO for synchronizing AD groups, and they are correctly created in midPoint (roles).
We removed the outbound rules in the group schema handling.


But assignments between users and roles are not created.
We don't get any error or warning messages.

If we link them manually in midpoint, the membership is added to the group in AD.


We tried multiple valueAttribute values without success: icfs:name and ri:distinguishedName.
You can see our current schemaHandling below.

    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <displayName>AD_Account</displayName>
        <default>true</default>
        <objectClass>ri:AccountObjectClass</objectClass>

        ....

        <association>
            <ref>ri:group</ref>
            <displayName>AD Group Membership</displayName>
            <kind>entitlement</kind>
            <intent>group</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:distinguishedName</valueAttribute>
            <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
        </association>
    </objectType>


Thanks !

--

  Ing. Ivan Noris

  Senior Identity Management Engineer & IDM Architect

  evolveum.com                     evolveum.com/blog/

  ___________________________________________________

  "Semper ID(e)M Vix."
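To make the objectToSubject wiring in the association definitions above concrete, here is an added example that is not part of this thread and not midPoint code. It models, on a constructed directory snapshot, how an association definition (associationAttribute on the group, valueAttribute on the account, plus the memberOf shortcut) turns raw attributes into account-to-group links, and cross-checks the group-side path against the shortcut path. The entries, DNs and the Association class are assumptions made for the example; the attribute names member/memberOf/dn mirror the AdLdap configuration quoted above, and the ignore_case flag plays the role of mr:stringIgnoreCase.

```python
"""Toy resolver for a midPoint-style objectToSubject association.

Constructed example, not midPoint code. It shows why the value on the
account side (valueAttribute) must match what the group's member
attribute actually stores: when it does not, the association silently
resolves to nothing, with no error to look at.
"""
from typing import Dict, List, Optional, Set

# Constructed directory snapshot: two groups and two user accounts.
# Bob's DN is listed in the Admins group with different letter case,
# which is the kind of difference mr:stringIgnoreCase exists for.
DIRECTORY: List[Dict] = [
    {"dn": "CN=Admins,OU=Groups,DC=example,DC=org", "objectClass": "group",
     "member": ["CN=alice,OU=Users,DC=example,DC=org",
                "cn=bob,ou=users,dc=example,dc=org"]},
    {"dn": "CN=Devs,OU=Groups,DC=example,DC=org", "objectClass": "group",
     "member": ["CN=alice,OU=Users,DC=example,DC=org"]},
    {"dn": "CN=alice,OU=Users,DC=example,DC=org", "objectClass": "user",
     "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=org",
                  "CN=Devs,OU=Groups,DC=example,DC=org"]},
    {"dn": "CN=bob,OU=Users,DC=example,DC=org", "objectClass": "user",
     "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=org"]},
]


def _values(entry: Dict, attr: Optional[str]) -> List[str]:
    """Return an attribute as a list; LDAP attributes are multi-valued."""
    if attr is None or attr not in entry:
        return []
    value = entry[attr]
    return value if isinstance(value, list) else [value]


class Association:
    """Hypothetical stand-in for the <association> element."""

    def __init__(self, association_attribute: str = "member",
                 value_attribute: str = "dn",
                 shortcut_association_attribute: Optional[str] = "memberOf",
                 shortcut_value_attribute: Optional[str] = "dn",
                 ignore_case: bool = False) -> None:
        self.association_attribute = association_attribute      # on the group
        self.value_attribute = value_attribute                  # on the account
        self.shortcut_association_attribute = shortcut_association_attribute  # on the account
        self.shortcut_value_attribute = shortcut_value_attribute              # on the group
        self.ignore_case = ignore_case                          # mr:stringIgnoreCase

    def norm(self, value: str) -> str:
        return value.lower() if self.ignore_case else value


def resolve_via_object(account: Dict, directory: List[Dict], assoc: Association) -> Set[str]:
    """objectToSubject path: scan every group's member attribute for the
    account's valueAttribute. An absent valueAttribute yields no links."""
    wanted = {assoc.norm(v) for v in _values(account, assoc.value_attribute)}
    found: Set[str] = set()
    for entry in directory:
        if entry.get("objectClass") != "group":
            continue
        members = {assoc.norm(v) for v in _values(entry, assoc.association_attribute)}
        if wanted & members:
            found.add(entry["dn"])
    return found


def resolve_via_shortcut(account: Dict, directory: List[Dict], assoc: Association) -> Set[str]:
    """Shortcut path: read the account's memberOf and map each value back
    to the group whose shortcutValueAttribute carries it."""
    listed = {assoc.norm(v) for v in _values(account, assoc.shortcut_association_attribute)}
    found: Set[str] = set()
    for entry in directory:
        if entry.get("objectClass") != "group":
            continue
        keys = {assoc.norm(v) for v in _values(entry, assoc.shortcut_value_attribute)}
        if listed & keys:
            found.add(entry["dn"])
    return found


def check_memberships(directory: List[Dict], assoc: Association) -> Dict[str, Dict]:
    """Resolve both paths for every user and flag accounts where they differ;
    a mismatch is the first thing to look at when assignments stay empty."""
    report: Dict[str, Dict] = {}
    for entry in directory:
        if entry.get("objectClass") != "user":
            continue
        via_object = resolve_via_object(entry, directory, assoc)
        via_shortcut = resolve_via_shortcut(entry, directory, assoc)
        report[entry["dn"]] = {"object": via_object, "shortcut": via_shortcut,
                               "consistent": via_object == via_shortcut}
    return report


if __name__ == "__main__":
    for label, cfg in [("exact match", Association()),
                       ("ignore case", Association(ignore_case=True)),
                       ("wrong valueAttribute", Association(value_attribute="distinguishedName",
                                                            ignore_case=True))]:
        print(label)
        for dn, result in check_memberships(DIRECTORY, cfg).items():
            print(" ", dn, "->", sorted(result["object"]), "consistent:", result["consistent"])
```

Run as a script, the first configuration shows Bob's Admins membership found only via memberOf, the second (case-insensitive) makes both paths agree, and the third, with a valueAttribute that the account entries do not carry, finds no group-side links at all while the shortcut still reports memberships, which is the silent failure mode worth checking for before changing anything else.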