[midPoint] Discovering Custom objectClasses

Keith Hazelton keith.hazelton at wisc.edu
Wed Sep 14 19:38:59 CEST 2016


Pardon my misspelling of your name in the email below, Pavol.
___________________________________
email & jabber: keith.hazelton at wisc.edu
calendar: http://go.wisc.edu/i6zxx0

From: Keith Hazelton <keith.hazelton at wisc.edu>
Date: Wednesday, September 14, 2016 at 12:37
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Discovering Custom objectClasses

Pavel,

I think I understand the changes needed to support auxiliary object classes and their attributes in midPoint resource definitions.  You provide an example using curl to PUT a revised resource definition xml file via midPoint’s RESTful API.

My question is would it work equally well to use the midPoint Admin GUI, browse to the ‘localhost OpenDJ’ resource and directly edit the xml there?

Regards, --Keith
___________________________________
email & jabber: keith.hazelton at wisc.edu
calendar: http://go.wisc.edu/i6zxx0

From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Pavol Mederly <pavol.mederly at evolveum.com>
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
Date: Friday, August 19, 2016 at 13:04
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Discovering Custom objectClasses

Matt,

as for your second question:
> Also, my resource XML that I edit and put in my source control system.... Is there a place to put that in midpoint.home that gets imported automatically (midpoint.home/import)? Or do I need to manually import that every time I make a change to it?
We do not recommend such auto-import feature, although it could be implemented quite easily. We prefer importing the resource after a change instead. It is not necessary to do that via GUI, however. You could prepare simple scripts that would do the same: an example is this one:

curl.exe --user administrator:5ecr3t -H "Content-Type: application/xml" -X PUT http://localhost:8080/midpoint/ws/rest/resources/ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2 -d @resource.xml -v

Note that ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2 is the OID of the object to be imported or re-imported. (And, as of 3.4, it also has to be present in the resource.xml file being imported, in the oid attribute of the resource object.)

I'd suggest creating a simple .bat (.sh) file containing the above command and invoking it after you make a change in the resource XML file.

Also, if time permits, we hope to prepare an Eclipse plugin that would allow uploading such XML files by clicking a key. (See MID-3358<https://jira.evolveum.com/browse/MID-3358>.)

Best regards,
Pavol
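
As an added example (not Pavol's script and not midPoint project code), the Python below issues the same PUT as the curl line, but refuses to send it unless the oid attribute inside resource.xml matches the OID in the URL, and takes the password from the environment instead of the command line. The base URL default and the MIDPOINT_USER / MIDPOINT_PASSWORD variable names are assumptions of this example.

```python
import base64
import os
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Constructed minimal resource file; the OID is the one used in the thread.
SAMPLE_XML = (b'<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" '
              b'oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2"><name>localhost OpenDJ</name></resource>')


def resource_oid(xml_bytes):
    """Return the oid attribute of the top-level <resource> element, or None."""
    return ET.fromstring(xml_bytes).get("oid")


def build_put_request(base_url, oid, xml_bytes, user, password):
    """Build, without sending, the same PUT the curl command issues.

    Raises ValueError when the file carries no oid or a different one, because
    midPoint 3.4 expects the URL OID and the file's oid attribute to agree."""
    file_oid = resource_oid(xml_bytes)
    if file_oid != oid:
        raise ValueError(f"oid in file is {file_oid!r}, URL oid is {oid!r}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/ws/rest/resources/{oid}",
                                 data=xml_bytes, method="PUT")
    req.add_header("Content-Type", "application/xml")
    req.add_header("Authorization", f"Basic {token}")
    return req


def import_resource(path, oid, base_url="http://localhost:8080/midpoint"):
    """Read the resource file, check its oid, PUT it and return the HTTP status."""
    with open(path, "rb") as fh:
        xml_bytes = fh.read()
    # Credentials come from the environment (assumed variable names), so the
    # password never sits in the script or in the process argument list.
    user = os.environ.get("MIDPOINT_USER", "administrator")
    password = os.environ["MIDPOINT_PASSWORD"]
    req = build_put_request(base_url, oid, xml_bytes, user, password)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # usage: python reimport.py resource.xml ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2
    print(import_resource(sys.argv[1], sys.argv[2]))
```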

________________________________
From: "Jason Everling" <jeverling at bshp.edu>
To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
Sent: Friday, August 19, 2016 6:49:15 PM
Subject: Re: [midPoint] Discovering Custom objectClasses

I can answer the first question: 2 options, taken from ours.

Add a protected section for everything you do not want to sync,
https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-localhost-resource-sync-advanced.xml#L309


<protected>
  <filter>
    <q:substring xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
      <q:matching>stringIgnoreCase</q:matching>
      <q:path>attributes/name</q:path>
      <q:value>OU=TEMPLATE,DC=TEST,DC=LOCAL</q:value>
      <q:anchorEnd>true</q:anchorEnd>
    </q:substring>
  </filter>
</protected>


You could also instead add it into the objectSynchronization section, not necessarily based on a query but more on specific attribute values. In the below, (..... ....... 'info') is the AD attribute and the values are mpSecurity or mpDistribution. This keeps midPoint from syncing all AD groups and only syncs the ones we want.


<objectSynchronization>
    <objectClass>ri:CustomGroupObjectClass</objectClass>
    <kind>entitlement</kind>
    <intent>group</intent>
    <focusType>c:RoleType</focusType>
    <enabled>true</enabled>
    <!-- Only sync groups from AD that have info set to either "mpSecurity" or "mpDistribution" -->
    <condition>
        <script>
            <code>
                tmp = basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'info');
                return (tmp == 'mpSecurity' || tmp == 'mpDistribution')
            </code>
        </script>
    </condition>


JASON

On Fri, Aug 19, 2016 at 11:35 AM, Mencel, Matt <mr-mencel at wiu.edu> wrote:
OK.  I think it's correct in the XML.  It's just throwing the warning in the UI.  I'll try a sync and see how it goes.

Is there a way to specify an LDAP query for the sync/import?  I just want to sync for example my department '(&(objectClass=person)(department=IT))' during testing, rather than every user object in my LDAP directory.


Also, my resource XML that I edit and put in my source control system....  Is there a place to put that in midpoint.home that gets imported automatically (midpoint.home/import)?  Or do I need to manually import that every time I make a change to it?

Thanks for being patient with my questions...

Matt


On Fri, Aug 19, 2016 at 11:22 AM, Pavol Mederly <pavol.mederly at evolveum.com> wrote:
Hello Matt,

I'm afraid that the resource wizard maybe does not work 100% correctly with auxiliary classes. At least I haven't tested it in this way when preparing it for 3.4 release. I've now created MID-3359<https://jira.evolveum.com/browse/MID-3359> for it.

For the time being, I'd recommend setting schemaHandling for that particular attribute by hand (via XML editor).

Best regards,
Pavol

________________________________
From: "Matt Mencel" <mr-mencel at wiu.edu>
To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
Sent: Friday, August 19, 2016 6:11:13 PM
Subject: Re: [midPoint] Discovering Custom objectClasses


Capitalization looks correct.  I notice that I cannot select wiuId on the Schema Handling tab for that attribute.  It defaults to CN.

The Attribute drop down is only presenting attributes from the person OC, not the other auxiliary OCs.

Matt



On Fri, Aug 19, 2016 at 10:47 AM, Radovan Semancik <radovan.semancik at evolveum.com> wrote:
Hi,

Yes, that should work.
Just check that you have correct lowercase/uppercase form for the attribute names. LDAP is (mostly) case insensitive, but midPoint is case sensitive. Look at the <schema> part of the resource definition. That is generated from the resource. Look for your auxiliary object class definition there. And use the same capitalization as you see in the <schema> section.

--
Radovan Semancik
Software Architect
evolveum.com
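
Radovan's capitalization check above can be done mechanically. The script below is an added example, not from the thread or from midPoint itself: it parses a constructed, heavily trimmed resource XML, collects the attribute names each objectType gets from its objectClass and auxiliaryObjectClass definitions in the <schema> section, and reports every <ref> in schemaHandling that midPoint would reject, telling a case-only mismatch (with the spelling the schema uses) apart from an attribute that is not defined at all. The wiuPerson class, the element layout of the sample and the absence of namespaces on the resource element are assumptions made for the sample.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed resource: <schema> defines 'wiuId' on the auxiliary class
# wiuPerson, but schemaHandling refers to 'wiuid'. LDAP accepts that; midPoint will not.
SAMPLE_RESOURCE = """<resource><schema><definition>
  <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <xsd:complexType name="inetOrgPerson"><xsd:sequence>
      <xsd:element name="uid"/><xsd:element name="cn"/></xsd:sequence></xsd:complexType>
    <xsd:complexType name="wiuPerson"><xsd:sequence>
      <xsd:element name="wiuId"/></xsd:sequence></xsd:complexType>
  </xsd:schema></definition></schema>
  <schemaHandling><objectType><kind>account</kind><intent>person</intent>
    <objectClass>ri:inetOrgPerson</objectClass><auxiliaryObjectClass>ri:wiuPerson</auxiliaryObjectClass>
    <attribute><ref>ri:uid</ref></attribute><attribute><ref>ri:wiuid</ref></attribute>
    <attribute><ref>ri:employeeNumber</ref></attribute></objectType></schemaHandling>
</resource>"""

def local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def unprefixed(qname):
    """Drop the 'ri:' prefix midPoint puts on resource attribute names."""
    return qname.strip().split(":", 1)[-1]

def class_attributes(root):
    """Map every object class in <schema> to the attribute names it defines."""
    return {ct.get("name"): {e.get("name") for e in ct.iter() if local(e.tag) == "element"}
            for ct in root.iter() if local(ct.tag) == "complexType"}

def check_schema_handling(xml_text):
    """Return (ref, problem) pairs for attribute refs that midPoint would reject."""
    root = ET.fromstring(xml_text)
    classes = class_attributes(root)
    problems = []
    for ot in (e for e in root.iter() if local(e.tag) == "objectType"):
        # Attributes this objectType may use: structural class plus all auxiliaries.
        names = set()
        for c in ot:
            if local(c.tag) in ("objectClass", "auxiliaryObjectClass"):
                names |= classes.get(unprefixed(c.text), set())
        by_lower = {n.lower(): n for n in names}
        for attr in (e for e in ot if local(e.tag) == "attribute"):
            ref = next(unprefixed(c.text) for c in attr if local(c.tag) == "ref")
            if ref in names:
                continue
            fix = by_lower.get(ref.lower())
            problems.append((ref, f"case mismatch: schema defines '{fix}'" if fix
                             else "not defined in the object class or its auxiliaries"))
    return problems
```

Running `check_schema_handling(SAMPLE_RESOURCE)` reports `wiuid` as a case mismatch against `wiuId` and `employeeNumber` as undefined, the two situations behind the "There is no attribute named ..." error quoted later in the thread.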



On 08/19/2016 05:23 PM, Mencel, Matt wrote:
Thanks Radovan,

That helps.  Do I declare the auxiliary's attributes in the same place as the default objectClass then?  I'm getting this error in the UI...

There is no attribute named '{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}wiuId' in object class '{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}person' (defined in schema handling for 'User Account (kind: ACCOUNT, intent: person)').

 https://gist.github.com/MattMencel/2a3208371a1b0ce422e0b4923df413f7

On Fri, Aug 19, 2016 at 9:54 AM, Radovan Semancik <radovan.semancik at evolveum.com> wrote:
Hi,

On 08/19/2016 04:26 PM, Mencel, Matt wrote:
I have multiple LDAP objectclasses that contain all the attributes that make up a person's identity.  I've associated multiple OCs with the same kind/intent in midpoint and am getting a warning in the UI.

There are multiple schema handling definitions for kind/intent: ACCOUNT/person.

Should I be doing this another way?


Yes. Just one of the objectclasses is structural (primary). Other object classes are auxiliary. MidPoint fully supports auxiliary object classes, but you need to use a slightly different approach. Use something like this:




<schemaHandling>
    <objectType>
        <kind>account</kind>
        <displayName>Normal Account</displayName>
        <default>true</default>
        <objectClass>ri:inetOrgPerson</objectClass>
        <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
        <auxiliaryObjectClass>ri:foo</auxiliaryObjectClass>
        <auxiliaryObjectClass>ri:bar</auxiliaryObjectClass>
...



--
Radovan Semancik
Software Architect
evolveum.com
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
