[midPoint] Mapping problems
Ivan Noris
ivan.noris at evolveum.com
Wed Nov 23 15:29:21 CET 2016
Hi Pertti,
On 11/23/2016 11:57 AM, Pertti Kellomäki wrote:
>
> Hi,
>
> Sorry in advance for the amount of inline xml below.
>
> I am trying to create a setup, where midPoint roles create ldap groups
> in a tree of ou's. I am able to create the hierarchy and groups, but I
> am unable to actually make users be members of those groups.
>
> Studying the unix-ldap story leads me to think that group name
> calculation should best be performed in the resource configuration xml
> file so that it is easily usable in the membership inducement.
> Currently I do the name calculation in a role as follows:
>
For 99% of cases we also generate icfs:name (or other naming attributes) in
the resource, so that it works with all roles defined now and in the
future. But the $assignment variable is not accessible in the resource. (Imagine
your user has 10 roles assigned; from which assignment should the
$assignment variable contain data?)
At least I don't know of any way to access $assignment and related
variables in the resource... :(
But thinking of group membership: did you configure the resource and
role(s) for associations? Or what have you tried if the membership
didn't work?
Ivan
>
> <inducement>
>   <construction>
>     <resourceRef oid="..." type="c:ResourceType"/>
>     <kind>entitlement</kind>
>     <intent>OrgServiceRoleLdapGroup</intent>
>     <attribute>
>       <ref>ri:dn</ref>
>       <matchingRule>mr:stringIgnoreCase</matchingRule>
>       <outbound>
>         <source>
>           <path>$assignment/orgRef</path>
>         </source>
>         <source>
>           <path>$immediateRole/name</path>
>         </source>
>         <expression>
>           <script>
>             <code>
>               import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
>               import javax.naming.ldap.Rdn;
>               import javax.naming.ldap.LdapName;
>
>               org = midpoint.getObject(OrgType.class, orgRef.getOid());
>               dn = new LdapName('ou=Roles,dc=kapa,dc=local');
>               dn.add(new Rdn('ou', org.getName().getOrig()));
>               dn.add(new Rdn('ou', name.toString().split(' ')[0]));
>               dn.add(new Rdn('cn', 'viewer'));
>               return dn.toString();
>             </code>
>           </script>
>         </expression>
>       </outbound>
>     </attribute>
>   </construction>
> </inducement>
>
>
> The corresponding (kind,intent) pair in the resource configuration is
>
> <objectType>
>   <kind>entitlement</kind>
>   <intent>OrgServiceRoleLdapGroup</intent>
>   <displayName>LDAP Group</displayName>
>   <objectClass>ri:groupOfNames</objectClass>
>
>   <attribute>
>     <ref>ri:member</ref>
>     <matchingRule>mr:distinguishedName</matchingRule>
>     <fetchStrategy>minimal</fetchStrategy>
>     <outbound>
>       <strength>strong</strength>
>       <!-- Workaround - groupOfNames MUST have at least one member.
>            Even non-existent DN. -->
>       <expression>
>         <value>cn=dummy,o=whatever</value>
>       </expression>
>     </outbound>
>   </attribute>
>   <attribute>
>     <ref>ri:description</ref>
>     <outbound>
>       <source>
>         <path>description</path>
>       </source>
>     </outbound>
>   </attribute>
>   <configuredCapabilities>
>     <cap:pagedSearch>
>       <cap:defaultSortField>ri:uid</cap:defaultSortField>
>     </cap:pagedSearch>
>   </configuredCapabilities>
>   <dependency>
>     <kind>generic</kind>
>     <intent>serviceOu</intent>
>     <strictness>relaxed</strictness>
>   </dependency>
> </objectType>
>
> If I naively cut the ri:dn attribute from the inducement in the role
> and paste it as an attribute in the above objectType, I get an error
> message complaining:
>
> "No variable with name assignment in source definition in mapping in
> outbound mapping for {.../resource/instance-3}dn in
> resource:46515c38-7fd3-41ec-bbef-42756fa19845(LDAP)"
>
> My question is, can I somehow access the assignment from an outbound
> mapping in the resource configuration? Or do I maybe need some kind of
> mediating mapping in the role?
>
>
> Thanks, Pertti
--
Ivan Noris
Senior Identity Engineer
evolveum.com