[midPoint] Delete LDAP associations in unassign inducement operation.

Ivan Noris ivan.noris at evolveum.com
Fri Oct 27 15:04:22 CEST 2017


Hi,

does it work in the common scenario when

1) you edit existing user, assign role and save - is the LDAP account
put into correct group(s)?

2) you then edit the same user, unassign role and save - is the LDAP
account removed from correct group(s)?

If this works normally, then provisioning works.

If you wish to be able to remove accounts from the groups after you
re-define your roles (using recompute), you probably need to mark the
association for groups as "tolerant=false" in the schema handling. This
setting means that if there are any other associations (group
memberships) than given by midPoint mappings, they will be removed and
the account will be removed from such groups.

Best regards,

Ivan


On 27.10.2017 14:34, IDM wrote:
> We have defined a role association in Schema Handling of LDAP for
> UserTypes, that is a group in LDAP. When we assign an inducement
> role to an organization and recompute the users, the role is given to
> the users, and the association on the LDAP group too, but when we unassign
> the same inducement role and recompute the users, the association in
> the users is not deleted.
>
> We have checked the user XML and we do not see roleMembershipRef of
> this role. We have tried several configurations and we do not get to
> delete the association.
>
> The definition of the association in the resource XML is this:
>
> ===
> Entitlement
> Object to Subject
> member
> Value :  dn
> Explicit ref. integrity: true
> ===
> Exclusive Strong: true   Tolerant: true
> Fetch Strategy : choose one
> Matching Rule: StringIgnoreCase
>
>
>  Is There some parameters or configuration to fix this problem?
>
> Thanks a lot and regards
>
> Pursuant to Article 5 of the L.O.P.D., we inform you that your data is
> held in a file owned by CORE NETWORKS, S.L., whose purpose is
> administrative management. You may exercise your rights of access,
> rectification, cancellation and objection by post to C/
> Serrano Galvache, 56, Edificio Olmo, 1 Planta - C.P. 28033 (MADRID), or
> by e-mail to info at corenetworks.es
> <mailto:info at corenetworks.es>.
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
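The configuration the reply above points at, as an added example (editor's illustration, not code from the thread or from Evolveum): the poster's group association on the LDAP resource reproduced with tolerant switched from true to false, followed by a role whose inducement produces that association, which is the "given by midPoint mappings" part that survives a recompute. Assumed names: ri:group, ri:inetOrgPerson, ri:groupOfNames, the role name, the group DN, and both OIDs are placeholders; the connector configuration and schema of the resource are left out.

```xml
<!-- Added example, not from the thread or from Evolveum. Placeholder OIDs,
     object class names, role name and group DN; connector settings omitted. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3"
          oid="10000000-0000-0000-0000-000000000001">   <!-- placeholder OID -->
  <name>LDAP</name>
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <default>true</default>
      <objectClass>ri:inetOrgPerson</objectClass>
      <association>
        <ref>ri:group</ref>
        <displayName>LDAP group membership</displayName>
        <!-- The poster had <tolerant>true</tolerant>: memberships that no mapping
             produces are kept. With false, a recompute removes the account from
             every group that is not the result of an assignment or inducement,
             including groups somebody added by hand in the directory. -->
        <tolerant>false</tolerant>
        <exclusiveStrong>true</exclusiveStrong>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>
        <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
        <matchingRule>mr:stringIgnoreCase</matchingRule>
      </association>
    </objectType>
    <objectType>
      <kind>entitlement</kind>
      <intent>group</intent>
      <objectClass>ri:groupOfNames</objectClass>
    </objectType>
  </schemaHandling>
</resource>

<!-- Role that is induced to the organization; its construction is the only
     source of the ri:group association, so unassigning it leaves no mapping
     for the membership and tolerant=false lets the recompute remove it. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      oid="10000000-0000-0000-0000-000000000002">       <!-- placeholder OID -->
  <name>LDAP Admins</name>
  <inducement>
    <construction>
      <resourceRef oid="10000000-0000-0000-0000-000000000001" type="ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <association>
        <ref>ri:group</ref>
        <outbound>
          <expression>
            <associationTargetSearch>
              <filter>
                <q:equal>
                  <q:path>attributes/ri:dn</q:path>
                  <q:value>cn=admins,ou=groups,dc=example,dc=com</q:value>
                </q:equal>
              </filter>
              <searchStrategy>onResourceIfNeeded</searchStrategy>
            </associationTargetSearch>
          </expression>
        </outbound>
      </association>
    </construction>
  </inducement>
</role>
```

Before flipping tolerant on a production resource, check what the recompute will do to a few representative users with midPoint's preview of changes: with tolerant=false, any LDAP group membership that was granted outside midPoint is treated as unwanted and removed on the next recompute, which is exactly the behaviour the reply describes and may or may not be what the directory administrators expect.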
