[midPoint] Import AD group membership

Ivan Noris ivan.noris at evolveum.com
Mon May 23 20:29:40 CEST 2016


Hi Martin,

AFAIK the (old) .NET AD connector has a special account attribute
icfs:groups, which is a list of the groups of which the account is a member.

So I can imagine something like this (not tried):

1) First you need to import the groups from AD - and create midPoint
roles from them.

2) Then you need an AD resource mapping for storing the
user-account-to-groups relation:
...
   <attribute>
     <ref>icfs:groups</ref>
     <displayName>Groups</displayName>
     <inbound>
       <!-- FIXME expression here if needed to filter the groups -->
       <target>
         <path>$user/extension/adGroups</path>
       </target>
     </inbound>
   </attribute>
...
The extension attribute adGroups must be defined for UserType as
multivalue and it will store the list of groups from AD when you run
import from that resource.

3) Then you need object template for UserType which will automatically
assign the roles (created by 1) based on the value of extension/adGroups
attribute.


Very similar (and working) example for SAP system is here:
https://github.com/Evolveum/midpoint/blob/master/samples/resources/sap/assignment/object-template-user.xml

The task for importing roles is
https://github.com/Evolveum/midpoint/blob/master/samples/resources/sap/assignment/task-import-roles.xml,
using kind:entitlement, intent:roles schema handling expressions from
the SAP resource.

The SAP resource
https://github.com/Evolveum/midpoint/blob/master/samples/resources/sap/assignment/sap-advanced.xml
is used for organization creation (from SAP activity groups) as well as
for user provisioning and synchronization.

The SAP account attribute with group list is
<c:ref>ri:ACTIVITYGROUPS.AGR_NAME</c:ref>.

The User extension attribute is extension/sapRoles.

The object template for users is
https://github.com/Evolveum/midpoint/blob/master/samples/resources/sap/assignment/object-template-user.xml,
mapping "User - SAP Role mapping". The SAP groups are represented by
midPoint organizations and assigned using this template.

Best regards
Ivan

On 05/23/2016 04:54 PM, Martin Herbert wrote:
>
> Hi Radovan,
>
> Appreciate this is not currently supported but do you happen to have
> any examples or documentation on how we can get this to work?  From
> what I can see, it should just be a case of adding a script expression
> to populate the group membership within Midpoint but have as of yet
> not found any examples of that.
>
> What we’re trying to achieve is migrating all of our existing user
> base from an older AD environment to a new one, and wanted to do that
> via Midpoint itself instead of manually creating all the users with
> group assignments.
>
> Please do note though this is using the AD .Net connector, not the
> newer LDAP connector.
>
> Thanks
>
> Martin
>
> *From: *midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
> Radovan Semancik <radovan.semancik at evolveum.com>
> *Reply-To: *midPoint General Discussion <midpoint at lists.evolveum.com>
> *Date: *Thursday, 19 May 2016 at 11:16
> *To: *"midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
> *Subject: *Re: [midPoint] Import AD group membership
>
> Hi,
>
> MidPoint has a strong and quite convenient way to manage group
> membership in the outbound direction. Which means that midPoint is the
> source of the membership information (e.g. defined by roles or orgs)
> and that information is propagated to the resources.
>
> The inbound direction is also possible. But currently it is not very
> convenient and you have to use a lot of tricks. The reason that this
> is not so convenient is simple: the existing use-cases of midPoint
> subscribers and sponsors focused on the outbound direction. None of
> the midPoint subscribers or sponsors indicated the inbound direction
> as a priority. Maybe my colleagues may provide some hints how to work
> around this. But it might be a bit scary.
>
> Implementing a convenient way also for the inbound direction is
> something that I would really love to do. Currently this is one of the
> missing pieces in the puzzle. But, as usual, this is a question of
> funding. And, as usual, see here:
> https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
>
> However, if I remember correctly, I have seen this question several
> times during the last couple of months. So maybe if there are several
> people willing to donate a small sum to have this feature implemented
> then together it can be enough to fund the development of this
> feature? Are there any midPoint subscribers that would like to endorse
> this feature as a priority? Or any non-subscribers willing to
> partially sponsor this feature?
>
>
> -- 
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
> On 05/19/2016 11:33 AM, Dick Muller wrote:
>
>     Hi,
>
>     I already saw some mails about importing AD Group membership with
>     Aivo Kuhlberg, but I still have problems to get this running.
>
>     Users and Groups created in Midpoint are successfully synced to
>     the AD domain, including group membership.
>
>     But I have a resource domain with a lot of groups and users that I
>     want to import including the group membership. That is working,
>     with exception for the group membership.
>
>     That is not configured during import.
>
>     If I understand correctly I need to change the User Template. That
>     is what I did, I modified the User template that has a reference
>     with the AD resource and added a mapping for Group membership. I
>     used the object-template in the SAP story as example.
>
>     But still I have no group membership.
>
>     Is there somebody who can help me with this?
>
>     Kind regards,
>
>     Dick
>
>
>
>
>     _______________________________________________
>
>     midPoint mailing list
>
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."
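Putting Ivan's three steps together, the following is an added worked example; it is not part of his message nor taken from the midPoint samples he links to. It assumes that each icfs:groups value returned by the old AD .NET connector is a group DN, that the roles created in step 1 are named after the group's CN, that the groups to be migrated all live under OU=Groups,DC=example,DC=com, that midPoint evaluates the inbound script once per value of a multivalued attribute (the `input` variable holding one DN at a time), and that the extension namespace is http://example.com/xml/ns/mySchema. The file names in the comments are hypothetical.

```xml
<!-- File 1 (hypothetical name: extension-schema.xsd, dropped into the midPoint
     home "schema" directory): defines the multivalued UserType extension
     attribute adGroups required by step 2. -->
<xsd:schema elementFormDefault="qualified"
            targetNamespace="http://example.com/xml/ns/mySchema"
            xmlns:tns="http://example.com/xml/ns/mySchema"
            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <xsd:complexType name="UserTypeExtensionType">
        <xsd:annotation>
            <xsd:appinfo>
                <a:extension ref="c:UserType"/>
            </xsd:appinfo>
        </xsd:annotation>
        <xsd:sequence>
            <!-- maxOccurs="unbounded" is what makes the attribute multivalued -->
            <xsd:element name="adGroups" type="xsd:string" minOccurs="0" maxOccurs="unbounded">
                <xsd:annotation>
                    <xsd:appinfo>
                        <a:indexed>true</a:indexed>
                        <a:displayName>AD groups</a:displayName>
                    </xsd:appinfo>
                </xsd:annotation>
            </xsd:element>
        </xsd:sequence>
    </xsd:complexType>
</xsd:schema>

<!-- File 2 (fragment of the AD resource, inside schemaHandling/objectType for
     accounts): the inbound mapping from step 2 with the FIXME filter filled in. -->
<attribute>
    <ref>icfs:groups</ref>
    <displayName>Groups</displayName>
    <inbound>
        <strength>strong</strength>
        <expression>
            <script>
                <code>
                    // Assumption: each value of icfs:groups is a group DN and
                    // the script runs once per value. Keep only groups under
                    // the OU being migrated and reduce each DN to its CN, which
                    // is the name the roles from step 1 carry. Anything outside
                    // that OU (built-in or admin groups, for example) is
                    // dropped, so the source domain cannot hand out privileged
                    // roles through this mapping.
                    if (input == null) return null
                    def m = (input =~ /^CN=([^,]+),OU=Groups,DC=example,DC=com$/)
                    return m.find() ? m.group(1) : null
                </code>
            </script>
        </expression>
        <target>
            <path>$user/extension/adGroups</path>
        </target>
    </inbound>
</attribute>

<!-- File 3 (hypothetical name: object-template-user.xml): the user template
     from step 3. For every value of extension/adGroups it searches for the
     role of the same name and turns the result into an assignment. -->
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>User template - AD group membership</name>
    <mapping>
        <name>User - AD group to role mapping</name>
        <!-- authoritative + strong: a group that disappears from adGroups also
             removes the assignment it produced, instead of leaving it behind -->
        <authoritative>true</authoritative>
        <strength>strong</strength>
        <source>
            <path>extension/adGroups</path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <script>
                                <code>return adGroups</code>
                            </script>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </mapping>
</objectTemplate>
```

Two things to check before running the import for real: confirm on a test account what the connector actually puts into icfs:groups (DN or plain name), because the regex in file 2 only matches DNs; and remember that while this inbound mapping is active, the old domain is authoritative for role membership in midPoint. Once the migration is finished, remove the inbound mapping (or the old resource altogether) so that membership is again managed in the outbound direction only, as Radovan describes.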
