[midPoint] Adding user as member to existing group in AD
Мамаева Сауле Сериковна
s.mamayeva at ktg.kz
Wed Oct 12 06:00:24 CEST 2016
Hi, Ivan
I have already solved this problem. The group was created manually in Active Directory. I just assigned the metarole for groups (which has 2 inducements: one for the entitlement and one for the account) to my role with the same name as the group in Active Directory. Then, after group synchronization, the existing group in Active Directory was linked with my role.
Best regards,
Saule Mamayeva
s.mamayeva at ktg.kz
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan Noris
Sent: Tuesday, October 11, 2016 5:05 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Adding user as member to existing group in AD
Hi Saule,
is this "existing group" created by midPoint, or it was created manually in Active Directory and you wish to put accounts there using midPoint?
Regards,
Ivan
On 10/07/2016 11:54 AM, Мамаева Сауле Сериковна wrote:
Hello,
I'm trying to assign a role to a user that will add the user as a member to an existing group in Active Directory. I created a role with an inducement and added an object type for my existing group in AD to the resource schema handling. But after assigning the role to the user, my user will not become a member of the existing group in Active Directory. What did I miss?
The name of group in AD: free_mail_all
This is inducement for my role:
<inducement id="1">
    <construction>
        <resourceRef oid="ef2bc95b-76e0-11e2-86d6-3d4f02d30001" type="c:ResourceType"></resourceRef>
        <kind>account</kind>
        <intent>default</intent>
        <association>
            <c:ref>ri:group</c:ref>
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator>
                            <kind>entitlement</kind>
                            <intent>free_mail_all</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>1</order>
</inducement>
This is a new object type in my Resource schema handling:
<objectType>
    <kind>entitlement</kind>
    <intent>free_mail_all</intent>
    <displayName>AD free_mail_all Group</displayName>
    <objectClass>ri:group</objectClass>
    <attribute>
        <c:ref>ri:dn</c:ref>
        <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
        <tolerant>true</tolerant>
        <exclusiveStrong>false</exclusiveStrong>
        <outbound>
            <authoritative>false</authoritative>
            <exclusive>false</exclusive>
            <strength>normal</strength>
            <expression>
                <script>
                    <code>
                        'cn=Free_mail_all,ou=Groups,ou=City,DC=wso,DC=kz'
                    </code>
                </script>
            </expression>
        </outbound>
    </attribute>
</objectType>
This is the association part for the account object in the resource XML:
<association>
    <c:ref>ri:group</c:ref>
    <displayName>AD Group Membership</displayName>
    <kind>entitlement</kind>
    <intent>group</intent>
    <intent>free_mail_all</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
    <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
</association>
Best regards,
Saule
s.mamayeva at ktg.kz
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ivan Noris
Senior Identity Engineer
evolveum.com
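As an added example (not from this thread or from the midPoint project), the Python script below cross-checks the three fragments posted above: the inducement's projectionDiscriminator, the entitlement objectType in schemaHandling and the account's association must all name the same kind and intent, and the inducement and the association must reference the same ri:group. The XML is condensed from the thread; the namespace binding on the wrapper element is only there so the bare fragments parse.

```python
# Added example: check that a midPoint associationFromLink inducement, the entitlement
# objectType and the account association agree on kind/intent and association ref.
import xml.etree.ElementTree as ET

# Prefix binding so the bare fragments parse (midPoint's common-3 namespace).
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Fragments condensed from the thread (resourceRef and displayName omitted).
ROLE_INDUCEMENT = """<inducement id="1"><construction>
  <kind>account</kind><intent>default</intent>
  <association><c:ref>ri:group</c:ref><outbound><expression><associationFromLink>
    <projectionDiscriminator><kind>entitlement</kind><intent>free_mail_all</intent></projectionDiscriminator>
  </associationFromLink></expression></outbound></association>
</construction></inducement>"""

SCHEMA_HANDLING = """<schemaHandling>
  <objectType><kind>account</kind><intent>default</intent>
    <association><c:ref>ri:group</c:ref><kind>entitlement</kind>
      <intent>group</intent><intent>free_mail_all</intent>
      <direction>objectToSubject</direction><associationAttribute>ri:member</associationAttribute>
      <valueAttribute>ri:dn</valueAttribute></association></objectType>
  <objectType><kind>entitlement</kind><intent>group</intent><objectClass>ri:group</objectClass></objectType>
  <objectType><kind>entitlement</kind><intent>free_mail_all</intent><objectClass>ri:group</objectClass></objectType>
</schemaHandling>"""

def _parse(fragment):
    return ET.fromstring(f'<wrap xmlns:c="{NS["c"]}">{fragment}</wrap>')

def check_membership_wiring(inducement_xml, schema_handling_xml):
    """Return a list of wiring problems; an empty list means the pieces agree."""
    problems = []
    ind, sh = _parse(inducement_xml), _parse(schema_handling_xml)
    # 1. Which entitlement projection does the inducement link the account to?
    disc = ind.find(".//projectionDiscriminator")
    kind, intent = disc.findtext("kind"), disc.findtext("intent")
    assoc_ref = ind.findtext(".//association/c:ref", namespaces=NS)
    # 2. That (kind, intent) must be declared as an objectType in schemaHandling.
    declared = {(ot.findtext("kind"), ot.findtext("intent")) for ot in sh.findall(".//objectType")}
    if (kind, intent) not in declared:
        problems.append(f"no objectType kind={kind} intent={intent} in schemaHandling")
    # 3. The account's association with the same ref must accept that kind and intent.
    for assoc in sh.findall(".//association"):
        if assoc.findtext("c:ref", namespaces=NS) != assoc_ref:
            continue
        intents = [i.text for i in assoc.findall("intent")]
        if assoc.findtext("kind") != kind or intent not in intents:
            problems.append(f"association {assoc_ref} lacks kind={kind} intent={intent} (has {intents})")
        break
    else:
        problems.append(f"no association {assoc_ref} on the account objectType")
    return problems
```

Running `check_membership_wiring(ROLE_INDUCEMENT, SCHEMA_HANDLING)` on the thread's configuration returns no problems, so the three pieces are wired consistently; dropping `free_mail_all` from the association's intent list, or the entitlement objectType, is reported.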