[midPoint] Adding user as member to existing group in AD
Ivan Noris
ivan.noris at evolveum.com
Tue Oct 11 13:04:52 CEST 2016
Hi Saule,
is this "existing group" created by midPoint, or was it created manually
in Active Directory and you wish to put accounts there using midPoint?
Regards,
Ivan
On 10/07/2016 11:54 AM, Мамаева Сауле Сериковна wrote:
>
> Hello,
>
> I'm trying to assign a role to a user that will add the user as a member of
> an existing group in Active Directory. I created a role with an inducement
> and added an object type for my existing group in AD to the resource schema
> handling. But after assigning the role to the user, my user does not become
> a member of the existing group in Active Directory. What did I miss?
>
> The name of group in AD: free_mail_all
>
> This is inducement for my role:
>
> <inducement id="1">
>   <construction>
>     <resourceRef oid="ef2bc95b-76e0-11e2-86d6-3d4f02d30001" type="c:ResourceType"></resourceRef>
>     <kind>account</kind>
>     <intent>default</intent>
>     <association>
>       <c:ref>ri:group</c:ref>
>       <outbound>
>         <expression>
>           <associationFromLink>
>             <projectionDiscriminator>
>               <kind>entitlement</kind>
>               <intent>free_mail_all</intent>
>             </projectionDiscriminator>
>           </associationFromLink>
>         </expression>
>       </outbound>
>     </association>
>   </construction>
>   <order>1</order>
> </inducement>
>
> This is a new object type in my Resource schema handling:
>
> <objectType>
>   <kind>entitlement</kind>
>   <intent>free_mail_all</intent>
>   <displayName>AD free_mail_all Group</displayName>
>   <objectClass>ri:group</objectClass>
>   <attribute>
>     <c:ref>ri:dn</c:ref>
>     <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>     <tolerant>true</tolerant>
>     <exclusiveStrong>false</exclusiveStrong>
>     <outbound>
>       <authoritative>false</authoritative>
>       <exclusive>false</exclusive>
>       <strength>normal</strength>
>       <expression>
>         <script>
>           <code>'cn=Free_mail_all,ou=Groups,ou=City,DC=wso,DC=kz'</code>
>         </script>
>       </expression>
>     </outbound>
>   </attribute>
> </objectType>
>
> This is Association part for Account object in Resource xml:
>
> <association>
>   <c:ref>ri:group</c:ref>
>   <displayName>AD Group Membership</displayName>
>   <kind>entitlement</kind>
>   <intent>group</intent>
>   <intent>free_mail_all</intent>
>   <direction>objectToSubject</direction>
>   <associationAttribute>ri:member</associationAttribute>
>   <valueAttribute>ri:dn</valueAttribute>
>   <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>   <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
> </association>
>
> Best regards,
>
> Saule
>
> s.mamayeva at ktg.kz
--
Ivan Noris
Senior Identity Engineer
evolveum.com
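The three fragments in the quoted message have to agree with each other before the membership can ever be written: the projectionDiscriminator inside associationFromLink must name an objectType that exists in the resource's schemaHandling, the account objectType's ri:group association must list that intent, and, because associationFromLink takes the group from the shadow linked to the role itself, the role needs its own projection of that entitlement (which is what Ivan's question is getting at). The lint below is an added example, not code from this thread, from midPoint or from Evolveum. It only parses XML and never contacts midPoint or AD. The resource fragment is constructed from the pieces posted in the thread with an assumed account objectType wrapped around the posted association; the c: namespace URI is assumed to be midPoint's common-3 namespace, and the lint treats values such as ri:group as plain strings.

```python
"""
Consistency lint for a midPoint role + resource fragment that wires an
account to an AD group via associationFromLink.

Added example (not code from the thread, midPoint or Evolveum). It only
reads XML; it does not talk to midPoint or to Active Directory.
"""
import xml.etree.ElementTree as ET

# Assumed namespace for the c: prefix used on <c:ref>. Other element names
# in the fragments are left unqualified so the fragments stay readable.
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}


def _text(elem, path):
    """Stripped text of the first child matching path, or None."""
    found = elem.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def object_types(resource_root):
    """Map (kind, intent) -> objectType element for every schemaHandling entry."""
    return {(_text(ot, "kind"), _text(ot, "intent")): ot
            for ot in resource_root.iterfind(".//schemaHandling/objectType")}


def association_defs(object_type):
    """Map association ref (e.g. 'ri:group') -> set of intents it accepts."""
    return {_text(a, "c:ref"): {i.text.strip() for i in a.iterfind("intent") if i.text}
            for a in object_type.iterfind("association")}


def constructions(role_root, container):
    """Yield (kind, intent, construction) for each <container>/construction."""
    for cons in role_root.iterfind(f"{container}/construction"):
        yield _text(cons, "kind"), _text(cons, "intent"), cons


def lint(role_xml, resource_xml):
    """Return human-readable findings; an empty list means the wiring is consistent."""
    role, resource = ET.fromstring(role_xml), ET.fromstring(resource_xml)
    types = object_types(resource)
    # Projections the role itself holds (its <assignment>s). associationFromLink
    # resolves the group from the shadow linked to the role, so it must be here.
    own = {(k, i) for k, i, _ in constructions(role, "assignment")}
    findings = []
    for kind, intent, cons in constructions(role, "inducement"):
        acct = types.get((kind, intent))
        if acct is None:
            findings.append(f"inducement targets {kind}/{intent}, but no such objectType exists")
            continue
        assoc_defs = association_defs(acct)
        for assoc in cons.iterfind("association"):
            ref = _text(assoc, "c:ref")
            disc = assoc.find("outbound/expression/associationFromLink/projectionDiscriminator")
            if disc is None:
                continue  # some other outbound expression; nothing to check here
            target = (_text(disc, "kind"), _text(disc, "intent"))
            if target not in types:
                findings.append(f"{ref}: projectionDiscriminator {target[0]}/{target[1]} matches no objectType")
            if ref not in assoc_defs:
                findings.append(f"{ref}: account objectType {kind}/{intent} defines no such association")
            elif target[1] not in assoc_defs[ref]:
                findings.append(f"{ref}: association does not list intent {target[1]}")
            if target not in own:
                findings.append(f"{ref}: associationFromLink needs the role to hold a "
                                f"{target[0]}/{target[1]} projection via an <assignment>, but it has none")
    return findings


RESOURCE_REF = '<resourceRef oid="ef2bc95b-76e0-11e2-86d6-3d4f02d30001" type="c:ResourceType"/>'

# Role exactly as posted in the thread: one inducement, no assignment of its own.
ROLE_AS_POSTED = f"""<role xmlns:c="{NS['c']}">
  <name>free_mail_all</name>
  <inducement id="1">
    <construction>
      {RESOURCE_REF}
      <kind>account</kind><intent>default</intent>
      <association>
        <c:ref>ri:group</c:ref>
        <outbound><expression><associationFromLink><projectionDiscriminator>
          <kind>entitlement</kind><intent>free_mail_all</intent>
        </projectionDiscriminator></associationFromLink></expression></outbound>
      </association>
    </construction>
    <order>1</order>
  </inducement>
</role>"""

# Same role with the group assigned to the role itself (constructed variant).
ROLE_WITH_OWN_GROUP = ROLE_AS_POSTED.replace("<inducement", f"""<assignment>
    <construction>{RESOURCE_REF}<kind>entitlement</kind><intent>free_mail_all</intent></construction>
  </assignment>
  <inducement""", 1)

# Constructed resource fragment: an assumed account/default objectType holding the
# posted association, plus the posted entitlement/free_mail_all objectType.
RESOURCE_FRAGMENT = f"""<resource xmlns:c="{NS['c']}">
  <schemaHandling>
    <objectType>
      <kind>account</kind><intent>default</intent>
      <association>
        <c:ref>ri:group</c:ref>
        <kind>entitlement</kind>
        <intent>group</intent>
        <intent>free_mail_all</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>
      </association>
    </objectType>
    <objectType>
      <kind>entitlement</kind><intent>free_mail_all</intent>
      <objectClass>ri:group</objectClass>
    </objectType>
  </schemaHandling>
</resource>"""

if __name__ == "__main__":
    for label, role in (("as posted", ROLE_AS_POSTED), ("with own group", ROLE_WITH_OWN_GROUP)):
        print(label, "->", lint(role, RESOURCE_FRAGMENT) or "consistent")
```

Run against the configuration as posted, the only finding is the missing role-level projection of entitlement/free_mail_all; with that assignment added the lint is clean. The check is structural only: it cannot tell whether the group in AD was created by midPoint or pre-existed, which is the distinction Ivan asks about and which decides whether the role's own projection will link to the existing group or try to create a new one.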