[midPoint] custom name in resource

Ivan Noris ivan.noris at evolveum.com
Mon Dec 18 13:12:16 CET 2017


Hi,

first of all, to have more than one account for the same user on the
same resource, you need to use multiple intents. One intent will be for
standard accounts and the other one (e.g. named "admin") will be for
admin accounts. All intents need to have separate schema handling
configuration, in the same resource. This also implies that the naming
conventions must be different.

You can start with
https://wiki.evolveum.com/display/midPoint/Kind%2C+Intent+and+ObjectClass

I can't find a sample with configuration of two account intents right
now, but I'm sure there is something. We are also teaching this during
the midPoint training.

Regarding the NPE you should post information from idm.log with the
stack trace to the list.

Best regards,

Ivan


On 18.12.2017 05:29, Jan Kaspar wrote:
> Hi all,
>
> I have a question about admin accounts. I have a user populated from
> the HR system to midPoint and to AD.
>
> I would like to create an admin account for him on some unix systems.
> Basically it works with __NAME__.
>
> I need to change his logon name in unix because of the naming
> convention for admin accounts. It has to be in the
> format admin.lastname.
>
> I tried to build a short script:
>
>         // 'name' is the source variable bound from $user/name (a PolyString)
>         $oldName = name.toString()
>         $adminPrefix = "admin"
>         // keep the part after the last dot; with no dot, lastIndexOf gives -1 and the whole name is kept
>         $adminName = $oldName.substring($oldName.lastIndexOf(".")+1)
>         $outName = $adminPrefix + '.' + $adminName
>         return $outName
>
> It returns correct values but during provisioning I get an error:
>
>  Add object failed
>  <http://192.168.2.103:8080/midpoint/admin/user/265b6984-20de-4698-be59-e00b7f1e1ab0?45-1.ILinkListener-feedbackContainer-feedback-list-0-message-detailsBox-details-type-subresults-0-subresult-detailsBox-details-type-subresults-1-subresult-detailsBox-details-type-subresults-2-subresult-detailsBox-details-type-subresults-0-subresult-detailsBox-details-type-subresults-2-subresult-detailsBox-details-type-subresults-0-subresult-detailsBox-details-type-subresults-2-subresult-detailsBox-downloadXml>
> Operation
>     Add object (Ucf)
> Message
>     Add object failed
> Parameters
>     additionalOperations 	[[ ]]
>     resourceObject 	[shadow:null(null)]
>
>
>  Create (Icf)
>  <http://192.168.2.103:8080/midpoint/admin/user/265b6984-20de-4698-be59-e00b7f1e1ab0?45-1.ILinkListener-feedbackContainer-feedback-list-0-message-detailsBox-details-type-subresults-0-subresult-detailsBox-details-type-subresults-1-subresult-detailsBox-details-type-subresults-2-subresult-detailsBox-details-type-subresults-0-subresult-detailsBox-details-type-subresults-2-subresult-detailsBox-details-type-subresults-0-subresult-detailsBox-details-type-subresults-2-subresult-detailsBox-details-type-subresults-0-subresult-detailsBox-downloadXml>
> Operation
>     Create (Icf)
> Parameters
>     objectClass 	[ObjectClass: __ACCOUNT__]
>     options 	[OperationOptions: {}]
>     attributes 	[Attribute: {Name=uid, Value=[16]}, Attribute:
>     {Name=__PASSWORD__,
>     Value=[org.identityconnectors.common.security.GuardedString at e71c9d98]},
>     Attribute: {Name=homeDir, Value=[/home/admin.wright]}, Attribute:
>     {Name=shell, Value=[/bin/bash]}, Attribute: {Name=__NAME__,
>     Value=[admin.wright]}, Attribute: {Name=comment, Value=[Hector
>     Wright]}, Attribute: {Name=__ENABLE__, Value=[true]}]
>     auxiliaryObjectClasses 	[]
>
> Context
>     connector 	[class
>     org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl]
>
>
> Error
>
>     show
>     java.lang.NullPointerException
>
>      <objectType id="2">
>          <kind>account</kind>
>          <displayName>Normal Account</displayName>
>          <default>true</default>
>          <objectClass>ri:AccountObjectClass</objectClass>
>          <attribute id="4">
>             <c:ref>icfs:name</c:ref>
>             <displayName>Distinguished Name</displayName>
>             <limitations>
>                <minOccurs>0</minOccurs>
>                <access>
>                   <read>true</read>
>                   <add>true</add>
>                   <modify>true</modify>
>                </access>
>             </limitations>
>             <tolerant>false</tolerant>
>             <exclusiveStrong>false</exclusiveStrong>
>             <outbound>
>                <authoritative>false</authoritative>
>                <exclusive>false</exclusive>
>                <strength>normal</strength>
>                <source>
>                   <c:path>$user/name</c:path>
>                </source>
>                <expression>
>                   <script
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                           xsi:type="c:ScriptExpressionEvaluatorType">
>                      <code>
>         $oldName = name.toString()
>         $adminPrefix = "admin"
>         $adminName = $oldName.substring($oldName.lastIndexOf(".")+1)
>         $outName = $adminPrefix + '.' + $adminName
>         return $outName  
>     </code>
>                   </script>
>                </expression>
>             </outbound>
>          </attribute>
>          <attribute id="5">
>             <c:ref>icfs:uid</c:ref>
>             <displayName>Entry UUID</displayName>
>             <limitations>
>                <access>
>                   <read>true</read>
>                   <add>false</add>
>                   <modify>true</modify>
>                </access>
>             </limitations>
>          </attribute>
>          <attribute id="6">
>             <c:ref>ri:comment</c:ref>
>             <displayName>Comment</displayName>
>             <tolerant>false</tolerant>
>             <exclusiveStrong>false</exclusiveStrong>
>             <outbound>
>                <source>
>                   <c:path>fullName</c:path>
>                </source>
>             </outbound>
>          </attribute>
>          <attribute id="7">
>             <c:ref>ri:homeDir</c:ref>
>             <displayName>Home directory</displayName>
>             <tolerant>false</tolerant>
>             <exclusiveStrong>false</exclusiveStrong>
>             <outbound>
>                <authoritative>false</authoritative>
>                <exclusive>false</exclusive>
>                <strength>normal</strength>
>                <source>
>                   <c:path>name</c:path>
>                </source>
>                <expression>
>                   <script
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                           xsi:type="c:ScriptExpressionEvaluatorType">
>                      <code>
>         $oldName = name.toString()
>         $adminPrefix = "admin"
>         $adminName = $oldName.substring($oldName.lastIndexOf(".")+1)
>         return '/home/' + $adminPrefix + '.' + $adminName   
>     </code>
>                   </script>
>                </expression>
>             </outbound>
>          </attribute>
>          <attribute id="8">
>             <c:ref>ri:uid</c:ref>
>             <displayName>Unix UID</displayName>
>             <outbound>
>                <source>
>                   <c:path>employeeNumber</c:path>
>                </source>
>             </outbound>
>          </attribute>
>          <attribute id="9">
>             <c:ref>ri:shell</c:ref>
>             <displayName>Shell</displayName>
>             <outbound>
>                <expression>
>                   <value>/bin/bash</value>
>                </expression>
>             </outbound>
>          </attribute>
>          <association id="10">
>             <c:ref>ri:unixGroup</c:ref>
>             <displayName>LDAP Group Membership</displayName>
>             <kind>entitlement</kind>
>             <intent>unixGroup</intent>
>             <direction>subjectToObject</direction>
>             <associationAttribute>ri:groups</associationAttribute>
>             <valueAttribute>icfs:name</valueAttribute>
>          </association>
>          <protected>
>             <icfs:name>midpoint</icfs:name>
>          </protected>
>          <protected>
>             <icfs:name>root</icfs:name>
>          </protected>
>          <activation>
>             <administrativeStatus>
>                <outbound id="11">
>                   <expression>
>                      <asIs
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                            xsi:type="c:AsIsExpressionEvaluatorType"/>
>                   </expression>
>                </outbound>
>             </administrativeStatus>
>          </activation>
>          <credentials>
>             <password
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                       xsi:type="c:ResourcePasswordDefinitionType">
>                <outbound>
>                   <expression>
>                      <asIs xsi:type="c:AsIsExpressionEvaluatorType"/>
>                   </expression>
>                </outbound>
>             </password>
>          </credentials>
>       </objectType>
>
> The following question is whether I am able to create two accounts on one
> resource. The reason is the same. The user has his personal account and also
> an admin account.
> It will be driven by an assigned role.
>
> Thanks 
>
> Jan
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
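The two-intent layout Ivan describes above, applied to Jan's admin.lastname naming convention and to his last question about driving the second account from a role, as an added example that is not part of either message in the thread. It is a schemaHandling fragment of one resource with a "default" intent for personal accounts and an "admin" intent for admin accounts, followed by a separate role object whose inducement provisions the admin intent. The namespace prefixes (c, ri, icfs) are the ones used in the resource Jan posted; the resource OID in the role is a placeholder, and the attribute set is reduced to the login name and home directory.

```xml
<!-- Added example, not from the original thread: one resource, two account intents.
     Prefixes c/ri/icfs follow the posted resource; RESOURCE_OID_PLACEHOLDER must be
     replaced with the OID of the unix resource. -->
<schemaHandling>

   <!-- Intent 1: personal account; the login name is the midPoint user name unchanged -->
   <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <displayName>Normal Account</displayName>
      <default>true</default>
      <objectClass>ri:AccountObjectClass</objectClass>
      <attribute>
         <c:ref>icfs:name</c:ref>
         <outbound>
            <source>
               <c:path>$user/name</c:path>
            </source>
            <!-- no expression: the source value is copied as is -->
         </outbound>
      </attribute>
      <attribute>
         <c:ref>ri:homeDir</c:ref>
         <outbound>
            <source>
               <c:path>$user/name</c:path>
            </source>
            <expression>
               <script>
                  <code>'/home/' + name</code>
               </script>
            </expression>
         </outbound>
      </attribute>
   </objectType>

   <!-- Intent 2: admin account; the login name follows the admin.lastname convention,
        so the two intents can never produce the same __NAME__ for one user -->
   <objectType>
      <kind>account</kind>
      <intent>admin</intent>
      <displayName>Admin Account</displayName>
      <default>false</default>
      <objectClass>ri:AccountObjectClass</objectClass>
      <attribute>
         <c:ref>icfs:name</c:ref>
         <outbound>
            <source>
               <c:path>$user/name</c:path>
            </source>
            <expression>
               <script>
                  <code>
                     // 'name' is the PolyString bound from $user/name; return null
                     // instead of dereferencing a missing source value
                     if (name == null) { return null }
                     def base = name.toString()
                     // keep the part after the last dot ("hector.wright" -> "wright");
                     // with no dot, lastIndexOf returns -1 and the whole name is kept
                     def last = base.substring(base.lastIndexOf('.') + 1)
                     return 'admin.' + last
                  </code>
               </script>
            </expression>
         </outbound>
      </attribute>
      <attribute>
         <c:ref>ri:homeDir</c:ref>
         <outbound>
            <source>
               <c:path>$user/name</c:path>
            </source>
            <expression>
               <script>
                  <code>
                     if (name == null) { return null }
                     def base = name.toString()
                     return '/home/admin.' + base.substring(base.lastIndexOf('.') + 1)
                  </code>
               </script>
            </expression>
         </outbound>
      </attribute>
   </objectType>

</schemaHandling>

<!-- Separate object (also part of this added example): a role whose inducement creates
     the admin-intent account. Assigning the role to a user provisions the second account
     on the same resource while the default-intent account stays in place. -->
<role>
   <name>Unix Admin</name>
   <inducement>
      <construction>
         <resourceRef oid="RESOURCE_OID_PLACEHOLDER" type="c:ResourceType"/>
         <kind>account</kind>
         <intent>admin</intent>
      </construction>
   </inducement>
</role>
```

Only one objectType per kind carries default=true; the admin intent is reached solely through the construction in the role, which is what makes "driven by assigned role" work. Because the icfs:name outbound differs per intent, midPoint can keep the two shadows of one user apart on the same resource, which is the reason the naming conventions have to differ.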
