[midPoint] Adding user as member to existing group in AD

Мамаева Сауле Сериковна s.mamayeva at ktg.kz
Fri Oct 7 11:54:51 CEST 2016


Hello,
I'm trying to assign a role to a user that will add the user as a member to an existing group in Active Directory. I created a role with an inducement and added an object type for my existing AD group to the resource schema handling. But after assigning the role to the user, my user does not become a member of the existing group in Active Directory. What did I miss?
The name of group in AD: free_mail_all
This is inducement for my role:
   <inducement id="1">
      <construction>
         <resourceRef oid="ef2bc95b-76e0-11e2-86d6-3d4f02d30001" type="c:ResourceType"></resourceRef>
         <kind>account</kind>
         <intent>default</intent>
         <association>
            <c:ref>ri:group</c:ref>
             <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>free_mail_all</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>1</order>
   </inducement>

This is a new object type in my Resource schema handling:
   <objectType>
      <kind>entitlement</kind>
      <intent>free_mail_all</intent>
      <displayName>AD free_mail_all Group</displayName>
      <objectClass>ri:group</objectClass>
      <attribute>
         <c:ref>ri:dn</c:ref>
         <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
         <tolerant>true</tolerant>
         <exclusiveStrong>false</exclusiveStrong>
         <outbound>
            <authoritative>false</authoritative>
            <exclusive>false</exclusive>
            <strength>normal</strength>
            <expression>
               <script>
                  <code>
                     'cn=Free_mail_all,ou=Groups,ou=City,DC=wso,DC=kz'
                  </code>
               </script>
            </expression>
         </outbound>
      </attribute>
   </objectType>


This is Association part for Account object in Resource xml:
   <association>
      <c:ref>ri:group</c:ref>
      <displayName>AD Group Membership</displayName>
      <kind>entitlement</kind>
      <intent>group</intent>
      <intent>free_mail_all</intent>
      <direction>objectToSubject</direction>
      <associationAttribute>ri:member</associationAttribute>
      <valueAttribute>ri:dn</valueAttribute>
      <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
      <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
   </association>


Best regards,
Saule
s.mamayeva at ktg.kz
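The three fragments in the post have to agree with each other before midPoint can wire the membership: the intent named in the inducement's projectionDiscriminator must exist as an entitlement objectType in the resource schema handling, and the account association the inducement refers to must list that intent. The script below is an added example (not midPoint code and not part of the original message) that parses the post's fragments and reports any such mismatch. It assumes the standard midPoint common-3 and resource instance-3 namespaces; the account objectType wrapped around the association is a constructed container, since the post only shows the association element itself, and some display-only elements are omitted.

```python
import xml.etree.ElementTree as ET

COMMON = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
RI = "http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
NS = {"c": COMMON}

# Inducement fragment as quoted in the post.
INDUCEMENT_XML = """
<inducement id="1">
  <construction>
    <resourceRef oid="ef2bc95b-76e0-11e2-86d6-3d4f02d30001" type="c:ResourceType"/>
    <kind>account</kind>
    <intent>default</intent>
    <association>
      <c:ref>ri:group</c:ref>
      <outbound>
        <expression>
          <associationFromLink>
            <projectionDiscriminator>
              <kind>entitlement</kind>
              <intent>free_mail_all</intent>
            </projectionDiscriminator>
          </associationFromLink>
        </expression>
      </outbound>
    </association>
  </construction>
  <order>1</order>
</inducement>
"""

# Schema handling: the first objectType is a constructed account wrapper holding the
# association from the post; the second is the entitlement objectType from the post.
SCHEMA_HANDLING_XML = """
<schemaHandling>
  <objectType>
    <kind>account</kind>
    <intent>default</intent>
    <association>
      <c:ref>ri:group</c:ref>
      <kind>entitlement</kind>
      <intent>group</intent>
      <intent>free_mail_all</intent>
      <direction>objectToSubject</direction>
      <associationAttribute>ri:member</associationAttribute>
      <valueAttribute>ri:dn</valueAttribute>
    </association>
  </objectType>
  <objectType>
    <kind>entitlement</kind>
    <intent>free_mail_all</intent>
    <objectClass>ri:group</objectClass>
    <attribute>
      <c:ref>ri:dn</c:ref>
      <outbound>
        <expression>
          <script><code>'cn=Free_mail_all,ou=Groups,ou=City,DC=wso,DC=kz'</code></script>
        </expression>
      </outbound>
    </attribute>
  </objectType>
</schemaHandling>
"""


def parse_fragment(xml_text):
    """Wrap a fragment in a root that declares the namespaces it relies on."""
    wrapped = f'<root xmlns="{COMMON}" xmlns:c="{COMMON}" xmlns:ri="{RI}">{xml_text}</root>'
    return ET.fromstring(wrapped)


def inducement_target(ind):
    """(kind, intent) named by the inducement's associationFromLink, or None."""
    disc = ind.find(".//c:associationFromLink/c:projectionDiscriminator", NS)
    if disc is None:
        return None
    return (disc.findtext("c:kind", namespaces=NS), disc.findtext("c:intent", namespaces=NS))


def entitlement_intents(sch):
    """Intents of every objectType of kind entitlement in the schema handling."""
    return {ot.findtext("c:intent", namespaces=NS)
            for ot in sch.iterfind(".//c:objectType", NS)
            if ot.findtext("c:kind", namespaces=NS) == "entitlement"}


def association_intents(sch, ref):
    """Intents listed by the objectType association whose ref matches."""
    for assoc in sch.iterfind(".//c:objectType/c:association", NS):
        if assoc.findtext("c:ref", namespaces=NS) == ref:
            return {i.text for i in assoc.iterfind("c:intent", NS)}
    return set()


def check_consistency(inducement_xml, schema_xml):
    """Return the list of mismatches between the fragments (empty list = consistent)."""
    ind, sch = parse_fragment(inducement_xml), parse_fragment(schema_xml)
    target = inducement_target(ind)
    if target is None:
        return ["inducement has no associationFromLink/projectionDiscriminator"]
    kind, intent = target
    problems = []
    if kind != "entitlement":
        problems.append(f"projectionDiscriminator kind {kind!r} is not 'entitlement'")
    if intent not in entitlement_intents(sch):
        problems.append(f"no entitlement objectType with intent {intent!r}")
    ref = ind.findtext(".//c:association/c:ref", namespaces=NS)
    listed = association_intents(sch, ref)
    if not listed:
        problems.append(f"no account association with ref {ref!r}")
    elif intent not in listed:
        problems.append(f"association {ref!r} does not list intent {intent!r}")
    return problems


if __name__ == "__main__":
    print(check_consistency(INDUCEMENT_XML, SCHEMA_HANDLING_XML) or "fragments agree")
```

For the configuration quoted in the post the check returns an empty list, so the intent names and the association ref agree; a typo in any of them would be the first thing to rule out. The check says nothing about which association evaluator fits the use case: in midPoint, `associationFromLink` takes the target from a shadow already linked to the object holding the construction (the metarole pattern), whereas `associationTargetSearch` looks the target group up on the resource by a search filter.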
