[midPoint] Problem With midpoint.searchObjects in approverExpression
Pavol Mederly
mederly at evolveum.com
Tue Sep 20 23:52:13 CEST 2016
Patrick,

a possible cause: the operation runs under the user who requests the
operation. If he has restricted rights, it might be possible he simply
does not see alice.

There is a way to run code "as root" (runPrivileged in
SecurityEnforcer). If this is the problem we can have a look at how to
invoke it from a script. (As for me, only tomorrow, as I have to leave
now.)

Other possibilities... I don't know. The value should not be String; it
should be PolyString. But you've tried that. Also, your attempts #3 and
#4 should work. The correct matching rule is either none,
polyStringNorm, polyStringOrig or polyStringStrict.

Best regards,
Pavol Mederly
Software developer
evolveum.com
On 20.09.2016 23:43, pdbogen at cernu.us wrote:
> Howdy!
>
> I'm working on approval schemas that select the approver based on the value of
> the extension attribute; the result of this is that I need to locate a User
> object based on the Name.
>
> Here's my code that I believe should accomplish this:
>
> import com.evolveum.midpoint.prism.path.ItemPath
> import com.evolveum.midpoint.prism.query.EqualFilter
> import com.evolveum.midpoint.prism.query.ObjectQuery
> import javax.xml.namespace.QName
> import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
>
> qn = new QName("http://cernu.us/xml/ns/userSchema", "managerDn")
> dn = basic.getExtensionPropertyValue(object, qn)
>
> dn_parts = dn.split(",")
> cn_parts = dn_parts[0].split("=")
> cn = cn_parts[1]
>
> log.info('assign: searching for manager with username {}', cn)
>
> prismContext = midpoint.getPrismContext()
> filter = EqualFilter.createEqual(UserType.F_NAME, UserType.class, prismContext, null, cn)
> log.error('assign: {}', filter)
> query = ObjectQuery.createObjectQuery(filter)
> log.error('assign: {}', query)
> managers = midpoint.searchObjects(UserType.class, query)
> log.error('assign: {}', managers)
>
> if (managers.size() == 0) {
>     log.warn('assign: for approval of assignment of {} to {}, no user for cn: {}', object, target, cn)
> } else {
>     managers.each { m ->
>         log.info('assign: for approval of assignment of {} to {}, found {} for cn: {}', object, target, m, cn)
>     }
>     managers.collect { it.getOid() }
> }
>
> For brevity, I've excluded some defensive programming around parsing the dn,
> etc.; please just assume that 'cn' is valid by the time we create the
> EqualFilter.
>
> The logging output of this is:
>
> INFO (com.evolveum.midpoint.expression): assign: searching for manager with username alice
> ERROR (com.evolveum.midpoint.expression): assign: EQUAL: name,PPV(String:alice)
> ERROR (com.evolveum.midpoint.expression): assign: Q{EQUAL: name,PPV(String:alice),null paging
> ERROR (com.evolveum.midpoint.expression): assign: []
> WARN (com.evolveum.midpoint.expression): assign: for approval of assignment of user:db85f122-a6fc-4a97-8a42-e37c204db5c4(bob) to role:abe7a780-3644-4b7e-a7e4-8378402ab208(foo), no user for cn: alice
>
> Is there anything obvious I've done wrong? The User 'alice' definitely exists.
> Also, I _think_ this was working on 3.4, whereas I'm now on 3.4.1. I don't
> know of anything else I might have changed that would break this.
>
> I've tried a few variations:
>
> * Making a filter with PolyString.fromOrig(cn) instead of just cn
> * The above, plus replacing the `null` matching rule with variations on new QName("origIgnoreCase")
> * Using midpoint.searchObjectByName, which very surprisingly did not work either
> * Using ObjectQueryUtil.createNameQuery to create the query
>
> Any advice on this would be quite helpful.
>
> Thanks!
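
The cause suggested in the reply (a search evaluated under the requester's authorizations returns an empty list rather than an error) can be shown with a small model. This is an added example, not code from the thread or from midPoint; `Principal`, `search_by_name`, `run_privileged`, `diagnose` and `approver_oids` are hypothetical names and the user data is constructed.

```python
"""Toy model (constructed, not midPoint code): a search that silently applies
the caller's read authorization, plus a narrowly scoped privileged lookup."""
from dataclasses import dataclass

# Constructed sample repository: oid -> name
USERS = {"oid-alice": "alice", "oid-bob": "bob"}


@dataclass(frozen=True)
class Principal:
    name: str
    readable: frozenset = frozenset()  # OIDs this principal may read
    root: bool = False


def search_by_name(principal, name):
    """Return OIDs matching `name` that `principal` is allowed to see.
    Objects the caller may not read are dropped silently, so the caller
    gets [] and cannot tell 'hidden' from 'does not exist'."""
    return [oid for oid, n in USERS.items()
            if n == name and (principal.root or oid in principal.readable)]


ROOT = Principal("root", root=True)


def run_privileged(fn):
    """Hypothetical stand-in for a 'run as root' wrapper."""
    return fn(ROOT)


def diagnose(principal, name):
    """Distinguish 'no such user' from 'exists but hidden from this caller'."""
    if search_by_name(principal, name):
        return "visible"
    found_as_root = run_privileged(lambda p: search_by_name(p, name))
    return "hidden" if found_as_root else "absent"


def approver_oids(manager_name):
    """Resolve approvers with elevated rights but hand back only OIDs, so
    no other data about the hidden object reaches the requester's context.
    Raises instead of returning an empty approver list (fail closed)."""
    oids = run_privileged(lambda p: search_by_name(p, manager_name))
    if not oids:
        raise LookupError(f"no approver found for {manager_name!r}")
    return oids
```

Keeping the privileged section limited to the lookup itself, and returning only identifiers from it, keeps the elevation as small as the approver selection needs.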