[midPoint] Discovering Custom objectClasses
Radovan Semancik
radovan.semancik at evolveum.com
Thu Sep 15 12:11:37 CEST 2016
Hi,
I have realized that there is some confusion about the use of auxiliary
object classes. Therefore I have added a bit of new documentation to
fill the gap:
https://wiki.evolveum.com/display/midPoint/Auxiliary+Object+Classes
--
Radovan Semancik
Software Architect
evolveum.com
On 09/14/2016 07:37 PM, Keith Hazelton wrote:
>
> Pavel,
>
> I think I understand the changes needed to support auxiliary object
> classes and their attributes in midPoint resource definitions. You
> provide an example using curl to PUT a revised resource definition xml
> file via midPoint’s RESTful API.
>
> My question is would it work equally well to use the midPoint Admin
> GUI, browse to the ‘localhost OpenDJ’ resource and directly edit the
> xml there?
>
> Regards, --Keith
>
> ___________________________________
>
> email & jabber: keith.hazelton at wisc.edu
>
> calendar: http://go.wisc.edu/i6zxx0
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Pavol Mederly <pavol.mederly at evolveum.com>
> Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Date: Friday, August 19, 2016 at 13:04
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Discovering Custom objectClasses
>
> Matt,
>
> as for your second question,
>
> Also, my resource XML that I edit and put in my source control
> system.... Is there a place to put that in midpoint.home that
> gets imported automatically (midpoint.home/import)? Or do I
> need to manually import that every time I make a change to it?
>
> We do not recommend such auto-import feature, although it could be
> implemented quite easily. We prefer importing the resource after a
> change instead. It is not necessary to do that via GUI, however.
> You could prepare simple scripts that would do the same: an
> example is this one:
>
> curl.exe --user administrator:5ecr3t -H "Content-Type: application/xml" -X PUT \
>     http://localhost:8080/midpoint/ws/rest/resources/ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2 \
>     -d @resource.xml -v
>
> Note that ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2 is the OID of the
> object to be imported or re-imported. (And, as of 3.4, it has to
> be present also in the resource.xml file that is being imported:
> in the oid attribute of the resource object.)
>
> I'd suggest creating a simple .bat (.sh) file containing the above
> command and invoking it after you make a change in the resource
> XML file.
>
> Also, if time permits, we hope to prepare an Eclipse plugin that
> would allow uploading such XML files by clicking of a key. (See
> MID-3358 <https://jira.evolveum.com/browse/MID-3358>.)
>
> Best regards,
>
> Pavol
>
> ------------------------------------------------------------------------
>
> From: "Jason Everling" <jeverling at bshp.edu>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Friday, August 19, 2016 6:49:15 PM
> Subject: Re: [midPoint] Discovering Custom objectClasses
>
> I can answer the first question: 2 options, taken from ours.
>
> Add a protected section for everything you do not want to sync,
> https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-localhost-resource-sync-advanced.xml#L309
>
> <protected>
>   <filter>
>     <q:substring xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
>       <q:matching>stringIgnoreCase</q:matching>
>       <q:path>attributes/name</q:path>
>       <q:value>OU=TEMPLATE,DC=TEST,DC=LOCAL</q:value>
>       <q:anchorEnd>true</q:anchorEnd>
>     </q:substring>
>   </filter>
> </protected>
>
>
> You could also instead add it into the objectSynchronization section,
> not necessarily based on a query but rather on specific attribute
> values. In the below, (..... ....... 'info') is the AD attribute
> and the values are mpSecurity or mpDistribution. This keeps midPoint
> from syncing all AD groups, only the ones we want to sync.
>
> <objectSynchronization>
>   <objectClass>ri:CustomGroupObjectClass</objectClass>
>   <kind>entitlement</kind>
>   <intent>group</intent>
>   <focusType>c:RoleType</focusType>
>   <enabled>true</enabled>
>   <!-- Only Sync Groups from AD that have info set
>        as either "mpSecurity" or "mpDistribution" -->
>   <condition>
>     <script>
>       <code>
>         tmp = basic.getAttributeValue(shadow,
>             'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3',
>             'info');
>         return (tmp == 'mpSecurity' || tmp == 'mpDistribution')
>       </code>
>     </script>
>   </condition>
> </objectSynchronization>
>
>
> JASON
>
> On Fri, Aug 19, 2016 at 11:35 AM, Mencel, Matt <mr-mencel at wiu.edu> wrote:
>
> OK. I think it's correct in the XML. It's just throwing the
> warning in the UI. I'll try a sync and see how it goes.
>
> Is there a way to specify an LDAP query for the sync/import?
> I just want to sync for example my department
> '(&(objectClass=person)(department=IT))' during testing,
> rather than every user object in my LDAP directory.
>
> Also, my resource XML that I edit and put in my source control
> system.... Is there a place to put that in midpoint.home that
> gets imported automatically (midpoint.home/import)? Or do I
> need to manually import that every time I make a change to it?
>
> Thanks for being patient with my questions...
>
> Matt
>
> On Fri, Aug 19, 2016 at 11:22 AM, Pavol Mederly <pavol.mederly at evolveum.com> wrote:
>
> Hello Matt,
>
> I'm afraid that the resource wizard maybe does not work
> 100% correctly with auxiliary classes. At least I haven't
> tested it in this way when preparing it for 3.4 release.
> I've now created MID-3359
> <https://jira.evolveum.com/browse/MID-3359> for it.
>
> For the time being, I'd recommend setting schemaHandling
> for that particular attribute by hand (via XML editor).
>
> Best regards,
>
> Pavol
>
> ------------------------------------------------------------------------
>
> From: "Matt Mencel" <mr-mencel at wiu.edu>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Friday, August 19, 2016 6:11:13 PM
> Subject: Re: [midPoint] Discovering Custom objectClasses
>
> Capitalization looks correct. I notice that I cannot
> select wiuId on the Schema Handling tab for that
> attribute. It defaults to CN.
>
> The Attribute drop down is only presenting attributes
> from the person OC, not the other auxiliary OCs.
>
> Matt
>
> On Fri, Aug 19, 2016 at 10:47 AM, Radovan Semancik <radovan.semancik at evolveum.com> wrote:
>
> Hi,
>
> Yes, that should work.
> Just check that you have correct lowercase/uppercase
> form for the attribute names. LDAP is (mostly) case
> insensitive, but midPoint is case sensitive. Look at
> the <schema> part of the resource definition. That is
> generated from the resource. Look for your auxiliary
> object class definition there. And use the same
> capitalization as you see in the <schema> section.
>
> --
>
> Radovan Semancik
>
> Software Architect
>
> evolveum.com
>
>
>
> On 08/19/2016 05:23 PM, Mencel, Matt wrote:
>
> Thanks Radovan,
>
> That helps. Do I declare the auxiliary's
> attributes in the same place as the default
> objectClass then? I'm getting this error in the UI...
>
> There is no attribute named
> '{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}wiuId'
> in object class
> '{http://midpoint.evolveum.com/xml/ns/public/resource/instance-3}person'
> (defined in schema handling for 'User Account
> (kind: ACCOUNT, intent: person)').
>
> https://gist.github.com/MattMencel/2a3208371a1b0ce422e0b4923df413f7
>
> On Fri, Aug 19, 2016 at 9:54 AM, Radovan Semancik <radovan.semancik at evolveum.com> wrote:
>
> Hi,
>
> On 08/19/2016 04:26 PM, Mencel, Matt wrote:
>
> I have multiple LDAP objectclasses that
> contain all the attributes that make up a
> person's identity. I've associated
> multiple OCs with the same kind/intent in
> midpoint and am getting a warning in the UI.
>
>
> There are multiple schema handling
> definitions for kind/intent:
> ACCOUNT/person.
>
> Should I be doing this another way?
>
>
> Yes. Just one of the objectclasses is
> structural (primary). Other object classes are
> auxiliary. MidPoint fully supports auxiliary
> object classes, but you need to use a slightly
> different approach. Use something like this:
>
>
> <schemaHandling>
>   <objectType>
>     <kind>account</kind>
>     <displayName>Normal Account</displayName>
>     <default>true</default>
>     <objectClass>ri:inetOrgPerson</objectClass>
>     <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
>     <auxiliaryObjectClass>ri:foo</auxiliaryObjectClass>
>     <auxiliaryObjectClass>ri:bar</auxiliaryObjectClass>
>     ...
>
> --
>
> Radovan Semancik
>
> Software Architect
>
> evolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> <mailto:midPoint at lists.evolveum.com>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
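The thread above makes three practical points: Radovan's note that attribute names in schemaHandling must use exactly the capitalization found in the generated <schema> section (including attributes that come from auxiliary object classes, which is what produced Matt's "There is no attribute named ... wiuId" error), Pavol's note that the oid attribute in resource.xml must match the OID in the REST URL, and Pavol's curl command, which passes the administrator password on the command line where it ends up in shell history and the process list. The script below is an added example, not midPoint's or Evolveum's own code: it runs those two checks against a constructed, heavily trimmed resource XML and only then issues the same PUT, with credentials read from MIDPOINT_USER and MIDPOINT_PASSWORD (assumed variable names). The auxiliary class wiuPerson is a made-up name, and the generated-schema layout (one XSD complexType per object class, one element per attribute) follows how midPoint exports it but is simplified here.

```python
"""Pre-flight checks for a midPoint resource XML before PUTting it over REST.

Added example for this thread; not midPoint's own code. Assumptions:
 - the generated <schema> is an XSD with one complexType per object class
   and one element per attribute (as midPoint exports it, trimmed here);
 - schemaHandling/objectType lists <objectClass>, <auxiliaryObjectClass>
   entries and <attribute><ref> mappings with an 'ri:' prefix;
 - credentials come from MIDPOINT_USER / MIDPOINT_PASSWORD (assumed names)
   instead of being typed on the command line.
"""
import base64
import os
import urllib.request
import xml.etree.ElementTree as ET

COMMON = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
RI = "http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
XSD = "http://www.w3.org/2001/XMLSchema"
NS = {"c": COMMON, "xsd": XSD}

# Constructed, heavily trimmed resource definition (not a real midPoint export).
# 'wiuPerson' is a sample auxiliary class; 'ri:wiuid' in schemaHandling is a
# deliberate case mismatch against the generated 'wiuId' element.
SAMPLE_RESOURCE = f"""<resource xmlns="{COMMON}" xmlns:ri="{RI}" xmlns:xsd="{XSD}"
          oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2">
  <name>localhost OpenDJ</name>
  <schema><definition>
    <xsd:schema targetNamespace="{RI}">
      <xsd:complexType name="inetOrgPerson"><xsd:sequence>
        <xsd:element name="cn" type="xsd:string"/>
        <xsd:element name="uid" type="xsd:string"/>
      </xsd:sequence></xsd:complexType>
      <xsd:complexType name="wiuPerson"><xsd:sequence>
        <xsd:element name="wiuId" type="xsd:string"/>
      </xsd:sequence></xsd:complexType>
    </xsd:schema>
  </definition></schema>
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>person</intent>
      <objectClass>ri:inetOrgPerson</objectClass>
      <auxiliaryObjectClass>ri:wiuPerson</auxiliaryObjectClass>
      <attribute><ref>ri:cn</ref></attribute>
      <attribute><ref>ri:wiuid</ref></attribute>
    </objectType>
  </schemaHandling>
</resource>"""


def local_name(prefixed):
    """'ri:wiuId' -> 'wiuId'; schemaHandling refers to names with a prefix."""
    return prefixed.strip().split(":", 1)[-1]


def schema_classes(root):
    """Map object class name -> set of attribute names, exactly as generated in <schema>."""
    return {
        ct.get("name"): {el.get("name") for el in ct.iterfind(".//xsd:element", NS)}
        for ct in root.iterfind(".//xsd:complexType", NS)
    }


def check_attribute_refs(xml_text):
    """Report attribute refs not defined, case-exactly, in the structural object
    class or any auxiliary object class of the same objectType."""
    root = ET.fromstring(xml_text)
    classes = schema_classes(root)
    problems = []
    for ot in root.iterfind("c:schemaHandling/c:objectType", NS):
        oc_names = [local_name(ot.findtext("c:objectClass", default="", namespaces=NS))]
        oc_names += [local_name(e.text) for e in ot.iterfind("c:auxiliaryObjectClass", NS)]
        allowed = set()
        for oc in oc_names:
            if oc not in classes:
                problems.append(f"object class '{oc}' not found in generated schema")
            else:
                allowed |= classes[oc]
        for ref in ot.iterfind("c:attribute/c:ref", NS):
            name = local_name(ref.text)
            if name in allowed:
                continue
            same_ci = sorted(a for a in allowed if a.lower() == name.lower())
            hint = f"; did you mean '{same_ci[0]}'? midPoint is case sensitive" if same_ci else ""
            problems.append(f"attribute '{name}' is in none of {oc_names}{hint}")
    return problems


def check_oid(xml_text, target_oid):
    """None if the file's oid attribute matches the OID in the REST URL, else the problem."""
    oid = ET.fromstring(xml_text).get("oid")
    if oid is None:
        return "resource has no oid attribute (required in the file as of midPoint 3.4)"
    if oid != target_oid:
        return f"oid in file ({oid}) differs from OID in URL ({target_oid})"
    return None


def put_resource(xml_text, base_url, target_oid, opener=urllib.request.urlopen):
    """Validate, then PUT to <base_url>/ws/rest/resources/<oid> (the endpoint of the
    curl command in the thread). Basic-auth credentials come from the environment,
    so the password does not land in shell history or the process list."""
    problems = [p for p in [check_oid(xml_text, target_oid)] if p]
    problems += check_attribute_refs(xml_text)
    if problems:
        raise ValueError("refusing to upload: " + "; ".join(problems))
    token = base64.b64encode(
        f"{os.environ['MIDPOINT_USER']}:{os.environ['MIDPOINT_PASSWORD']}".encode()
    ).decode()
    req = urllib.request.Request(
        f"{base_url}/ws/rest/resources/{target_oid}",
        data=xml_text.encode(),
        method="PUT",
        headers={"Content-Type": "application/xml", "Authorization": "Basic " + token},
    )
    with opener(req) as resp:
        return resp.status


if __name__ == "__main__":
    for problem in check_attribute_refs(SAMPLE_RESOURCE):
        print("WARN", problem)
```

Run against the sample, check_attribute_refs flags ri:wiuid and suggests wiuId, which is the same mismatch the GUI reports as "There is no attribute named ... wiuId in object class ... person"; after correcting the ref the list is empty and put_resource proceeds. Because the check unions the attributes of the structural class with those of every auxiliaryObjectClass, it accepts attributes that only an auxiliary class provides, which the 3.4 resource wizard's attribute drop-down did not.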