[midPoint] LDAP (389ds) - Accounts, groups <-> Users, roles

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Fri Nov 25 14:46:47 CET 2016


Hi all!

Based on the 389ds resource example, I finally configured the resource and
imported accounts and groups.

Accounts appeared as users in MidPoint and groups as Roles. This is ok.

But when I open a role imported from an LDAP group, the role has no
members. And vice versa - when I open a user imported from LDAP, he has no
role assigned.

1. What and where do I need to configure to assign proper roles to users
according to LDAP group membership? I also want, as a default, to assign the
"End user" role to every existing and newly created account.

2. I made a very simple organization structure. I have 5 organizations,
so I created 5 different trees. I need to assign users to the proper
organization based on the LDAP "o" attribute, and to the correct branch of this
tree based on "departmentnumber". Departmentnumber is an integer value
and branches of the organization tree have names. Is this doable? Any tips?

Thanks a lot and sorry for such beginner questions. I tried to analyze
XMLs from MidPoint examples and to read the documentation, but there is
so much of it and I actually don't know what I need to search...

WS


