[midPoint] Org. Structure

Pavol Mederly mederly at evolveum.com
Sat Dec 9 09:10:54 CET 2017


Hello Jan,

I am not sure what demo you watched and what specific configuration you 
use, but when looking at our sample 
https://github.com/Evolveum/midpoint/blob/38a0a4dcc03334f2fbda0ef8fce9a0bcfd43c190/samples/demo/projects-metaRole.xml 
I think that the inducement number 2 would deserve the focusType 
specification limiting it to users (see the highlighted line):

    <inducement id="2">
        <construction>
            <resourceRef oid="ebd0bf7b-7e80-4175-ba5e-4fd5de2ecd62" type="c:ResourceType"><!-- LDAP Server (OpenDJ) --></resourceRef>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <c:ref>ri:ldapGroups</c:ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>ldapProject</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <!-- the highlighted ("red") line: limits this inducement to users -->
        <focusType>UserType</focusType>
        <order>2</order>
    </inducement>

I have no time to try that but it should stop creation of user accounts 
for child Orgs.

As for the following

> Other problem is that when I add someone to child Org. it is added to 
> corresponding group. But not to AD group of root Org.
This is because it is not configured to do so. You would need an 
inducement that has the following:

 1. a <construction> element telling midPoint that an account should be
    created (i.e. kind=account, intent=default) - just like the one in
    the code sample above
 2. the construction should have <association> element with some
    expression that would generate the correct value: I am not sure how
    exactly to specify it. I would try the following:
    <associationFromLink>
        <projectionDiscriminator>
            <kind>entitlement</kind>
            <intent>ldapProject</intent>
        </projectionDiscriminator>
        <!-- the highlighted element -->
        <assignmentPathIndex>-1</assignmentPathIndex>
    </associationFromLink>
    but the assignmentPathIndex element requires the latest master
    (3.7-SNAPSHOT). And I have no time to try it ... take it as a pure
    guess.
 3. <focusType> should be set to UserType
 4. <order> should tell something like "use this for any order: 1, 2,
    ... or N". This is done by replacing <order>2</order> by:
    <orderConstraint>
        <orderMax>unbounded</orderMax>
    </orderConstraint>

Please have a look at the following (besides The midPoint book 
<https://evolveum.com/midpoint/midpoint-guide-about-practical-identity-management/> 
which is a must-read!):

 1. https://wiki.evolveum.com/display/midPoint/Generic+Synchronization
    (and pages linked from it)
 2. https://wiki.evolveum.com/display/midPoint/Usual+Troubleshooting+Steps
 3. https://wiki.evolveum.com/display/midPoint/Troubleshooting+Mappings

Also, when posting to this list, please attach your specific 
configuration files, and probably log files (when logging levels are set 
appropriately) as well. Screenshots (as you attached) are OK as well.

Hope this helps,

Pavol Mederly
Software developer
evolveum.com
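The four steps above, assembled into one complete inducement as an added example; this is not configuration from the original message, from Jan's setup or from the midPoint samples. Assumptions: the resource OID is a placeholder, the association name ri:ldapGroups is taken from the OpenDJ sample and may differ on an AD resource, the inducement id is a placeholder, and the assignmentPathIndex element is the untested guess from the message that needs 3.7-SNAPSHOT.

```xml
<!-- Added example (not from the original post or the midPoint project):
     an inducement in a project metarole that provisions a user's account
     and its group membership for the whole Org chain, built from steps 1-4.
     Assumptions: placeholder resource OID and inducement id; association
     name taken from the OpenDJ sample; assignmentPathIndex is the message's
     untested guess and requires midPoint 3.7-SNAPSHOT. -->
<inducement id="3"> <!-- placeholder id; must be unique within the role -->
    <construction>
        <!-- step 1: an account on the resource (kind=account, intent=default) -->
        <resourceRef oid="REPLACE-WITH-AD-RESOURCE-OID" type="c:ResourceType"/>
        <kind>account</kind>
        <intent>default</intent>
        <!-- step 2: group membership derived from the linked entitlement -->
        <association>
            <c:ref>ri:ldapGroups</c:ref> <!-- assumed; check your resource schema -->
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator>
                            <kind>entitlement</kind>
                            <intent>ldapProject</intent>
                        </projectionDiscriminator>
                        <!-- untested guess from the message; 3.7-SNAPSHOT only -->
                        <assignmentPathIndex>-1</assignmentPathIndex>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <!-- step 3: only users get accounts; child Orgs do not trigger account creation -->
    <focusType>UserType</focusType>
    <!-- step 4: apply at any order 1, 2, ... N instead of a fixed <order>2</order> -->
    <orderConstraint>
        <orderMax>unbounded</orderMax>
    </orderConstraint>
</inducement>
```

The focusType line is the part that matters for the original error: without it, a child Org inducing the metarole is itself a candidate for an account, which is how the Org object ended up being provisioned as CN=A2,OU=Users,... and failing on the password policy. Verify the effect with the troubleshooting pages linked above (mapping trace logging) before relying on the assignmentPathIndex guess.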

On 08.12.2017 20:02, Jan Kaspar wrote:
> Hi All,
>
> I need help with setup of Org. Structure. First of all I have prepared 
> demo Active Directory with hundreds of users and groups.
> Users are synced to MidPoint and also Roles are synced to AD as Groups. 
> So it works.
>
> I would like to try also Org Structure. I watched a demo online and 
> after some adjustments I was able to create Orgs:
> 'functional as OU' and 'projects as Groups'.
>
> I am having multiple issues:
>
> If I create a root Org for a project, everything is OK. A Security Group is 
> created in AD. If I try to assign a user, then the user is added to the 
> corresponding Group.
> But if I try to create a child Org of type project, I got an error:
>
> Can't process shadow: null (OID:null): Generic error in connector: 
> Invalid credentials: 
> org.identityconnectors.framework.common.exceptions.InvalidPasswordException(0000052D: 
> SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0??: 
> PASSWORD_RESTRICTION: Unable to update the password. The value 
> provided for the new password does not meet the length, complexity, or 
> history requirement of the domain): Can't process shadow: null 
> (OID:null): Generic error in connector: Invalid credentials: 
> org.identityconnectors.framework.common.exceptions.InvalidPasswordException(0000052D: 
> SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0??: 
> PASSWORD_RESTRICTION: Unable to update the password. The value 
> provided for the new password does not meet the length, complexity, or 
> history requirement of the domain): Can't process shadow: null 
> (OID:null): Generic error in connector: Invalid credentials: 
> org.identityconnectors.framework.common.exceptions.InvalidPasswordException(0000052D: 
> SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0??: 
> PASSWORD_RESTRICTION: Unable to update the password. The value 
> provided for the new password does not meet the length, complexity, or 
> history requirement of the domain): Can't process shadow: null 
> (OID:null): Generic error in connector: Invalid credentials: 
> org.identityconnectors.framework.common.exceptions.InvalidPasswordException(0000052D: 
> SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0??: 
> PASSWORD_RESTRICTION: Unable to update the password. The value 
> provided for the new password does not meet the length, complexity, or 
> history requirement of the domain)
>
> I see that it is creating object type account :
>
> Activity                                          | Status           | Resource object (if applicable)
> Computing projections of the focus object         |                  |
> Operation on focus object (repository)            |                  |
> Account (default) on Hell Active Directory (LDAP) | Add: Fatal error | CN=A2,OU=Users,OU=CZ,DC=hell,DC=local
> Considering or starting approval workflows        |                  |
>
> I see that it tries to use the correct meta role.
>
> Successfully finished evaluation of mapping mapping in for association 
> {.../resource/instance-3}group in 
> role:3154fafb-9f9f-4c3b-93ae-7fffd43796bf(LDAP Projects MetaRole) in 7 ms.
>
> When I manually add the metarole to the child Org, I got an error:
>
> Activity                                                | Status           | Resource object (if applicable)
> Computing projections of the focus object               |                  |
> Operation on focus object (repository)                  |                  |
> Account (default) on Hell Active Directory (LDAP)       | Add: Fatal error | CN=A2,OU=Users,OU=CZ,DC=hell,DC=local
> Entitlement (ldapProject) on Hell Active Directory (LDAP) | Add: Success   | cn=A2,ou=Projects,dc=hell,dc=local
> Considering or starting approval workflows              |                  |
>
> In the end the group is created, but it is not correct behaviour.
>
> Other problem is that when I add someone to child Org. it is added to 
> corresponding group. But not to AD group of root Org.
>
> Hope I described it clearly. Can someone please help me with the correct 
> settings?
>
> Thank you
>
> Jan
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
