[midPoint] Mapping problems
Pertti Kellomäki
pertti.kellomaki at datactica.fi
Wed Nov 23 12:06:49 CET 2016
Forgot to explain that this is not a meta-role situation where the role
would be assigned in another role. Rather the setup is:
role 'ServiceName viewer' induces role 'viewer'
role 'viewer' induces construction of the appropriately named ldap group
When role 'ServiceName viewer' is assigned to a user, the assignment
includes an orgRef, which is used in calculating the dn of the group.
It seems I cannot use a meta-role in the same way as done in the
examples, as calculating the dn of the group needs the orgRef, which is
only available when role 'Service viewer' gets assigned to a user.
Pertti
On 23.11.2016, 12:57, Pertti Kellomäki wrote:
>
> Hi,
>
> Sorry in advance for the amount of inline xml below.
>
> I am trying to create a setup, where midPoint roles create ldap groups
> in a tree of ou's. I am able to create the hierarchy and groups, but I
> am unable to actually make users be members of those groups.
>
> Studying the unix-ldap story leads me to think that group name
> calculation should best be performed in the resource configuration xml
> file so that it is easily usable in the membership inducement.
> Currently I do the name calculation in a role as follows:
>
> <inducement>
>   <construction>
>     <resourceRef oid="..." type="c:ResourceType"/>
>     <kind>entitlement</kind>
>     <intent>OrgServiceRoleLdapGroup</intent>
>     <attribute>
>       <ref>ri:dn</ref>
>       <matchingRule>mr:stringIgnoreCase</matchingRule>
>       <outbound>
>         <source>
>           <path>$assignment/orgRef</path>
>         </source>
>         <source>
>           <path>$immediateRole/name</path>
>         </source>
>         <expression>
>           <script>
>             <code>
>               import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
>               import javax.naming.ldap.Rdn;
>               import javax.naming.ldap.LdapName;
>
>               // resolve the org the assignment points at
>               org = midpoint.getObject(OrgType.class, orgRef.getOid());
>               // LdapName.add() prepends on the left of the DN string:
>               // cn=viewer,ou=&lt;first word of role name&gt;,ou=&lt;org&gt;,ou=Roles,dc=kapa,dc=local
>               dn = new LdapName('ou=Roles,dc=kapa,dc=local');
>               dn.add(new Rdn('ou', org.getName().getOrig()));
>               dn.add(new Rdn('ou', name.toString().split(' ')[0]));
>               dn.add(new Rdn('cn', 'viewer'));
>               return dn.toString();
>             </code>
>           </script>
>         </expression>
>       </outbound>
>     </attribute>
>   </construction>
> </inducement>
>
> The corresponding (kind,intent) pair in the resource configuration is
>
> <objectType>
>   <kind>entitlement</kind>
>   <intent>OrgServiceRoleLdapGroup</intent>
>   <displayName>LDAP Group</displayName>
>   <objectClass>ri:groupOfNames</objectClass>
>
>   <attribute>
>     <ref>ri:member</ref>
>     <matchingRule>mr:distinguishedName</matchingRule>
>     <fetchStrategy>minimal</fetchStrategy>
>     <outbound>
>       <strength>strong</strength>
>       <!-- Workaround - groupOfNames MUST have at least one member.
>            Even non-existent DN. -->
>       <expression>
>         <value>cn=dummy,o=whatever</value>
>       </expression>
>     </outbound>
>   </attribute>
>   <attribute>
>     <ref>ri:description</ref>
>     <outbound>
>       <source>
>         <path>description</path>
>       </source>
>     </outbound>
>   </attribute>
>   <configuredCapabilities>
>     <cap:pagedSearch>
>       <cap:defaultSortField>ri:uid</cap:defaultSortField>
>     </cap:pagedSearch>
>   </configuredCapabilities>
>   <dependency>
>     <kind>generic</kind>
>     <intent>serviceOu</intent>
>     <strictness>relaxed</strictness>
>   </dependency>
> </objectType>
>
> If I naively cut the ri:dn attribute from the inducement in the role
> and paste it as an attribute in the above objectType, I get an error
> message complaining:
>
> "No variable with name assignment in source definition in mapping in
> outbound mapping for {.../resource/instance-3}dn in
> resource:46515c38-7fd3-41ec-bbef-42756fa19845(LDAP)"
>
> My question is, can I somehow access the assignment from an outbound
> mapping in the resource configuration? Or do I maybe need some kind of
> mediating mapping in the role?
>
>
> Thanks, Pertti
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
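As an added example, not part of this thread and not midPoint project code: a stand-alone Python reconstruction of the DN computation in the posted inducement script. It spells out the RFC 4514 escaping that `javax.naming.ldap.Rdn` performs for the Groovy code (Java's `Rdn` additionally escapes `=` and `#` anywhere, which RFC 4514 also permits), so that one can check that an org name carrying a comma or a leading/trailing space stays inside the intended `ou` instead of moving the group elsewhere in the tree. The base DN is the one from the post; the org and role names are constructed sample values, and `naive_group_dn` is a hypothetical unescaped variant included only for contrast.

```python
"""Build the LDAP group DN the posted script computes, with RFC 4514
escaping of each RDN value, and check that org/role names taken from
midPoint objects cannot change where in the tree the group lands."""

BASE_DN = "ou=Roles,dc=kapa,dc=local"  # base DN from the post

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN string.

    This is the job javax.naming.ldap.Rdn does in the posted Groovy script:
    special characters get a backslash, a leading '#' or space and a
    trailing space are escaped, and NUL becomes \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def group_dn(org_name: str, role_name: str, cn: str = "viewer") -> str:
    """cn=<cn>,ou=<first word of role name>,ou=<org>,<BASE_DN>

    LdapName.add() in the script appends on the left of the DN string, so
    the RDNs are prepended here in the same order the script adds them."""
    service = role_name.split(" ")[0]  # same as name.toString().split(' ')[0]
    dn = BASE_DN
    for attr, val in (("ou", org_name), ("ou", service), ("cn", cn)):
        dn = f"{attr}={escape_rdn_value(val)},{dn}"
    return dn


def naive_group_dn(org_name: str, role_name: str, cn: str = "viewer") -> str:
    """Hypothetical unescaped variant (plain concatenation), for contrast only."""
    return f"cn={cn},ou={role_name.split(' ')[0]},ou={org_name},{BASE_DN}"


def rdn_count(dn: str) -> int:
    """Count RDNs by splitting on unescaped commas: the check a reviewer runs
    to confirm that escaping kept the tree depth fixed at six RDNs."""
    count, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character (or first hex digit of \00)
            continue
        if dn[i] == ",":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed sample values: a harmless org name and one with a comma.
    for org in ("Finance", "R&D, ou=Admins"):
        safe = group_dn(org, "Payroll viewer")
        naive = naive_group_dn(org, "Payroll viewer")
        print(f"escaped: {safe}  ({rdn_count(safe)} RDNs)")
        print(f"naive:   {naive}  ({rdn_count(naive)} RDNs)")
```

With the escaped builder every group lands exactly four levels below `dc=kapa,dc=local` regardless of the org name; with plain concatenation a comma in the org name yields an extra RDN, i.e. a different parent OU, which is the case worth a unit test in any mapping that derives DNs from user-editable names.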