[midPoint] Adding user as member to existing group in AD
Ivan Noris
Ivan.Noris at evolveum.com
Wed Oct 12 09:45:04 CEST 2016
Hi Saule,
ok great. There is also another way to use "manually created groups": by using <associationTargetSearch> in the roles, e.g.:
...
<inducement>
  <construction>
    <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
    <kind>account</kind>
    <intent>default</intent>
    <association>
      <ref>ri:adGroups</ref>
      <outbound>
        <strength>strong</strength>
        <expression>
          <associationTargetSearch>
            <filter>
              <q:equal>
                <q:path>
                  declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
                  declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
                  attributes/icfs:name
                </q:path>
                <q:value>cn=my manual group1,ou=my groups,dc=win,dc=example,dc=com</q:value>
              </q:equal>
            </filter>
            <searchStrategy>onResourceIfNeeded</searchStrategy>
          </associationTargetSearch>
        </expression>
      </outbound>
    </association>
  </construction>
</inducement>
...
This assumes the association is configured for the "ri:adGroups" attribute in the resource.
Regards,
Ivan
----- Original Message -----
> From: "Мамаева Сауле Сериковна" <s.mamayeva at ktg.kz>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Wednesday, October 12, 2016 6:00:24 AM
> Subject: Re: [midPoint] Adding user as member to existing group in AD
> Hi, Ivan
> I have already solved this problem. The group was created manually in Active
> Directory. I just assigned the Metarole for groups (that has 2 inducements: for
> entitlement and for account) to my role with the same name as the group in Active
> Directory. Then after group synchronization the existing group in Active
> Directory was linked with my role.
> Best regards,
> Saule Mamayeva
> s.mamayeva at ktg.kz
> From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan
> Noris
> Sent: Tuesday, October 11, 2016 5:05 PM
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] Adding user as member to existing group in AD
> Hi Saule,
> is this "existing group" created by midPoint, or was it created manually in
> Active Directory and you wish to put accounts there using midPoint?
> Regards,
> Ivan
> On 10/07/2016 11:54 AM, Мамаева Сауле Сериковна wrote:
> > Hello,
> > I’m trying to assign a role to a user that will add the user as a member to an
> > existing group in Active Directory. I created a role with an inducement and added
> > to the resource schema handling an object type for my existing group in AD. But after
> > assigning the role to the user, my user will not become a member of the existing group in
> > Active Directory. What did I miss?
> > The name of the group in AD: free_mail_all
> > This is the inducement for my role:
> > <inducement id="1">
> >   <construction>
> >     <resourceRef oid="ef2bc95b-76e0-11e2-86d6-3d4f02d30001" type="c:ResourceType"/>
> >     <kind>account</kind>
> >     <intent>default</intent>
> >     <association>
> >       <c:ref>ri:group</c:ref>
> >       <outbound>
> >         <expression>
> >           <associationFromLink>
> >             <projectionDiscriminator>
> >               <kind>entitlement</kind>
> >               <intent>free_mail_all</intent>
> >             </projectionDiscriminator>
> >           </associationFromLink>
> >         </expression>
> >       </outbound>
> >     </association>
> >   </construction>
> >   <order>1</order>
> > </inducement>
> > This is a new object type in my Resource schema handling:
> > <objectType>
> >   <kind>entitlement</kind>
> >   <intent>free_mail_all</intent>
> >   <displayName>AD free_mail_all Group</displayName>
> >   <objectClass>ri:group</objectClass>
> >   <attribute>
> >     <c:ref>ri:dn</c:ref>
> >     <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
> >     <tolerant>true</tolerant>
> >     <exclusiveStrong>false</exclusiveStrong>
> >     <outbound>
> >       <authoritative>false</authoritative>
> >       <exclusive>false</exclusive>
> >       <strength>normal</strength>
> >       <expression>
> >         <script>
> >           <code>
> >             'cn=Free_mail_all,ou=Groups,ou=City,DC=wso,DC=kz'
> >           </code>
> >         </script>
> >       </expression>
> >     </outbound>
> >   </attribute>
> > </objectType>
> > This is the Association part for the Account object in the Resource xml:
> > <association>
> >   <c:ref>ri:group</c:ref>
> >   <displayName>AD Group Membership</displayName>
> >   <kind>entitlement</kind>
> >   <intent>group</intent>
> >   <intent>free_mail_all</intent>
> >   <direction>objectToSubject</direction>
> >   <associationAttribute>ri:member</associationAttribute>
> >   <valueAttribute>ri:dn</valueAttribute>
> >   <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
> >   <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
> > </association>
> > Best regards,
> > Saule
> > s.mamayeva at ktg.kz
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > http://lists.evolveum.com/mailman/listinfo/midpoint
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
--
Ivan Noris
Senior Identity Engineer
evolveum.com
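The associationTargetSearch pattern Ivan describes binds an account to whichever group the q:equal filter names, so the group DNs written into role definitions are worth auditing. The Python below is an added example, not midPoint code: it extracts those target DNs from a role and flags any group outside an approved base DN. The SAMPLE_ROLE is constructed for the example, and its q and common namespace URIs are assumed (the thread declares only icfs and ri).

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: inducement 1 binds an approved manual group, inducement 2 a
# privileged one. The q/common namespace URIs are assumed (midPoint's standard ones).
SAMPLE_ROLE = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
 xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
 xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
 <inducement><construction><kind>account</kind><intent>default</intent>
  <association><ref>ri:adGroups</ref><outbound><strength>strong</strength>
   <expression><associationTargetSearch><filter><q:equal>
    <q:path>declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
     attributes/icfs:name</q:path>
    <q:value>cn=my manual group1,ou=my groups,dc=win,dc=example,dc=com</q:value>
   </q:equal></filter><searchStrategy>onResourceIfNeeded</searchStrategy>
  </associationTargetSearch></expression></outbound></association>
 </construction></inducement>
 <inducement><construction><kind>account</kind><intent>default</intent>
  <association><ref>ri:adGroups</ref><outbound><expression>
   <associationTargetSearch><filter><q:equal><q:path>attributes/icfs:name</q:path>
    <q:value>CN=Domain Admins,CN=Users,DC=win,DC=example,DC=com</q:value>
   </q:equal></filter></associationTargetSearch></expression></outbound></association>
 </construction></inducement></role>"""

def _find(elem, name):  # descendants matched by local name, ignoring namespaces
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def dn_components(dn):
    """Lower-cased (attr, value) pairs of a DN; an escaped '\\,' is not a separator."""
    return [tuple(s.strip().lower() for s in p.split("=", 1))
            for p in re.split(r"(?<!\\),", dn)]

def dn_under(dn, base):
    b = dn_components(base)
    return dn_components(dn)[-len(b):] == b

def target_group_dns(role_xml):
    """[(association ref, searched attribute path, target DN)] per target search."""
    out = []
    for assoc in _find(ET.fromstring(role_xml), "association"):
        ref = _find(assoc, "ref")[0].text.strip()
        for search in _find(assoc, "associationTargetSearch"):
            path = _find(search, "path")[0].text.split(";")[-1].strip()  # drop declares
            out.append((ref, path, _find(search, "value")[0].text.strip()))
    return out

def audit(role_xml, allowed_base):
    """Groups the role would grant whose DN lies outside allowed_base."""
    return [(ref, dn) for ref, path, dn in target_group_dns(role_xml)
            if path == "attributes/icfs:name" and not dn_under(dn, allowed_base)]
```

Run audit() over every role exported from the repository to list groups granted outside the OU reserved for manually created groups.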