[midPoint] Mapping problems

Ivan Noris ivan.noris at evolveum.com
Wed Nov 23 15:32:50 CET 2016


Ah, so you are creating groups only when you assign the role to a user...?

Ivan


On 11/23/2016 12:06 PM, Pertti Kellomäki wrote:
> Forgot to explain that this is not a meta-role situation where the
> role would be assigned in another role. Rather the setup is:
>
>
>   role 'ServiceName viewer' induces role 'viewer'
>
>   role 'viewer' induces construction of the appropriately named ldap group
>
>
> When role 'ServiceName viewer' is assigned to a user, the assignment
> includes an orgRef, which is used in calculating the dn of the group.
>
>
> It seems I cannot use a meta-role in the same way as done in the
> examples, as calculating the dn of the group needs the orgRef, which
> is only available when role 'Service viewer' gets assigned to a user.
>
>
> Pertti
>
>
> On 23.11.2016, 12:57, Pertti Kellomäki wrote:
>>
>> Hi,
>>
>>
>> Sorry in advance for the amount of inline xml below.
>>
>>
>> I am trying to create a setup where midPoint roles create ldap
>> groups in a tree of ou's. I am able to create the hierarchy and
>> groups, but I am unable to actually make users members of those
>> groups.
>>
>> Studying the unix-ldap story leads me to think that group name
>> calculation should best be performed in the resource configuration
>> xml file so that it is easily usable in the membership inducement.
>> Currently I do the name calculation in a role as follows:
>>
>>
>>   <inducement>
>>     <construction>
>>       <resourceRef oid="..." type="c:ResourceType"/>
>>       <kind>entitlement</kind>
>>       <intent>OrgServiceRoleLdapGroup</intent>
>>       <attribute>
>>         <ref>ri:dn</ref>
>>         <matchingRule>mr:stringIgnoreCase</matchingRule>
>>         <outbound>
>>           <source>
>>             <path>$assignment/orgRef</path>
>>           </source>
>>           <source>
>>             <path>$immediateRole/name</path>
>>           </source>
>>           <expression>
>>             <script>
>>               <code>
>>                 import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
>>                 import javax.naming.ldap.Rdn;
>>                 import javax.naming.ldap.LdapName;
>>
>>                 // resolve the org referenced by the assignment, then build the
>>                 // group DN from the most specific RDN outward
>>                 org = midpoint.getObject(OrgType.class, orgRef.getOid());
>>                 dn = new LdapName('ou=Roles,dc=kapa,dc=local');
>>                 dn.add(new Rdn('ou', org.getName().getOrig()));
>>                 dn.add(new Rdn('ou', name.toString().split(' ')[0]));
>>                 dn.add(new Rdn('cn', 'viewer'));
>>                 return dn.toString();
>>               </code>
>>             </script>
>>           </expression>
>>         </outbound>
>>       </attribute>
>>     </construction>
>>   </inducement>
>>
>>
>> The corresponding (kind,intent) pair in the resource configuration is
>>
>>     <objectType>
>>       <kind>entitlement</kind>
>>       <intent>OrgServiceRoleLdapGroup</intent>
>>       <displayName>LDAP Group</displayName>
>>       <objectClass>ri:groupOfNames</objectClass>
>>
>>       <attribute>
>>         <ref>ri:member</ref>
>>         <matchingRule>mr:distinguishedName</matchingRule>
>>         <fetchStrategy>minimal</fetchStrategy>
>>         <outbound>
>>           <strength>strong</strength>
>>           <!-- Workaround - groupOfNames MUST have at least one member.
>>                Even non-existent DN. -->
>>           <expression>
>>             <value>cn=dummy,o=whatever</value>
>>           </expression>
>>         </outbound>
>>       </attribute>
>>       <attribute>
>>         <ref>ri:description</ref>
>>         <outbound>
>>           <source>
>>             <path>description</path>
>>           </source>
>>         </outbound>
>>       </attribute>
>>       <configuredCapabilities>
>>         <cap:pagedSearch>
>>           <cap:defaultSortField>ri:uid</cap:defaultSortField>
>>         </cap:pagedSearch>
>>       </configuredCapabilities>
>>       <dependency>
>>         <kind>generic</kind>
>>         <intent>serviceOu</intent>
>>         <strictness>relaxed</strictness>
>>       </dependency>
>>     </objectType>
>>
>> If I naively cut the ri:dn attribute from the inducement in the role
>> and paste it as an attribute in the above objectType, I get an error
>> message complaining:
>>
>> "No variable with name assignment in source definition in mapping in
>> outbound mapping for {.../resource/instance-3}dn in
>> resource:46515c38-7fd3-41ec-bbef-42756fa19845(LDAP)"
>>
>> My question is, can I somehow access the assignment from an outbound
>> mapping in the resource configuration? Or do I maybe need some kind
>> of mediating mapping in the role?
>>
>>
>> Thanks, Pertti
>>
>>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
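Added example, not from the thread and not midPoint code: a Python model of the group DN that the role's Groovy script builds with LdapName/Rdn, with the RFC 4514 escaping that javax.naming.ldap.Rdn performs implicitly written out, beside the plain string concatenation that would let an org name containing a comma place the group elsewhere in the tree. Org and role names used here are constructed sample values.

```python
# Added example (not from the thread): Python model of the DN the role's
# Groovy script builds, with the RFC 4514 escaping that javax.naming.ldap.Rdn
# does for you made explicit. Org/role names in the tests are constructed.

BASE_DN = "ou=Roles,dc=kapa,dc=local"  # base DN used by the script on the page
_SPECIAL = set(',+"\\<>;=')             # characters an RDN value must escape


def escape_rdn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514 (what Rdn does for you)."""
    if not value:
        return value
    out = "".join("\\00" if ch == "\x00" else ("\\" + ch if ch in _SPECIAL else ch)
                  for ch in value)
    if out[0] in ("#", " "):            # leading '#' or space is significant
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):  # trailing space too
        out = out[:-1] + "\\ "
    return out


def group_dn(org_name: str, role_name: str, group_cn: str = "viewer") -> str:
    """Mirror the script: LdapName.add() prepends the most specific RDN, so
    the result is cn=<cn>,ou=<first word of role>,ou=<org>,<base>."""
    service = role_name.split(" ")[0]
    rdns = ["cn=" + escape_rdn_value(group_cn),
            "ou=" + escape_rdn_value(service),
            "ou=" + escape_rdn_value(org_name)]
    return ",".join(rdns) + "," + BASE_DN


def naive_group_dn(org_name: str, role_name: str) -> str:
    """Same DN built by concatenation with no escaping: an org name holding
    ',' or '=' then changes where in the tree the group ends up."""
    return "cn=viewer,ou=%s,ou=%s,%s" % (role_name.split(" ")[0], org_name, BASE_DN)


def rdn_count(dn: str) -> int:
    """Count RDNs in a DN string, honouring backslash-escaped commas."""
    n, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2
            continue
        if dn[i] == ",":
            n += 1
        i += 1
    return n
```

For the constructed org "Sales, EMEA" the escaped DN keeps six RDNs, while the naive one silently grows a seventh.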

