[midPoint] Delete LDAP associations in unassign inducement operation.
IDM
proyectos_idm at corenetworks.es
Mon Nov 13 12:09:09 CET 2017
Hello Ivan.
Thanks for the reply.
It works perfectly. Thanks again.
Regards
2017-10-27 15:04 GMT+02:00 Ivan Noris <ivan.noris at evolveum.com>:
> Hi,
>
> does it work in the common scenario when
>
> 1) you edit existing user, assign role and save - is the LDAP account put
> into correct group(s)?
>
> 2) you then edit the same user, unassign role and save - is the LDAP
> account removed from correct group(s)?
>
> If this works normally, then provisioning works.
>
> If you wish to be able to remove accounts from the groups after you
> re-define your roles (using recompute), you probably need to mark the
> association for groups as "tolerant=false" in the schema handling. This
> setting means that if there are any other associations (group memberships)
> than given by midPoint mappings, they will be removed and the account will
> be removed from such groups.
>
> Best regards,
>
> Ivan
>
> On 27.10.2017 14:34, IDM wrote:
>
> We have defined a role association in Schema Handling of LDAP for
> UserType, that is a group in LDAP. When we assign an inducement role
> to an organization and recompute the users, the role is given to users, and
> the association on the LDAP group too, but when we unassign the same
> inducement role, and recompute the users, the associations in users are not
> deleted.
>
> We have checked the user XML and we do not see roleMembershipRef of this
> role. We have tried several configurations and we do not get to delete the
> association.
>
> The definition of the association in the resource XML is this:
>
> ===
> Entitlement
> Object to Subject
> member
> Value : dn
> Explicit ref. integrity: true
> ===
> Exclusive Strong: true Tolerant: true
> Fetch Strategy : choose one
> Matching Rule: StringIgnoreCase
>
>
> Are there some parameters or configuration to fix this problem?
>
> Thanks a lot and regards
>
> In accordance with Article 5 of the L.O.P.D., we inform you that your data
> are held in a file owned by CORE NETWORKS, S.L., whose purpose is
> administrative management. You may exercise your rights of access,
> rectification, cancellation and objection by post to C/ Serrano Galvache, 56,
> Edificio Olmo, 1 Planta - C.P. 28033 (MADRID), or by sending an e-mail
> to info at corenetworks.es.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
>
>
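The "tolerant=false" setting suggested in the quoted reply, written out as a schema handling fragment. This is an added example, not configuration taken from the thread: the association name `ri:group`, both intents and the object class are assumptions, while the member/dn, referential integrity and matching rule values follow the settings listed in the original question.

```xml
<!-- Added example: fragment of a resource's <schemaHandling>, not the poster's file.
     The ri: and mr: prefixes are assumed to be declared on the enclosing <resource>. -->
<objectType>
    <kind>account</kind>
    <intent>default</intent>                      <!-- assumed intent -->
    <objectClass>ri:inetOrgPerson</objectClass>   <!-- assumed object class -->

    <association>
        <ref>ri:group</ref>                       <!-- assumed association name -->
        <displayName>LDAP group membership</displayName>

        <!-- The question listed "Tolerant: true": memberships that no mapping
             produces any more are left in place, so unassigning the inducement
             and recomputing does not take the account out of the group.
             With false, any membership not given by midPoint mappings is
             removed from the account. -->
        <tolerant>false</tolerant>

        <matchingRule>mr:stringIgnoreCase</matchingRule>

        <kind>entitlement</kind>
        <intent>ldapGroup</intent>                <!-- assumed entitlement intent -->

        <!-- The group object points at the account: group.member = account dn -->
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>
        <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
    </association>
</objectType>
```

With this setting, group memberships granted directly in LDAP and not through midPoint are also removed when the user is recomputed, so review existing group members before switching it on.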