[midPoint] LDAP attributes from inducement

Radovan Semancik radovan.semancik at evolveum.com
Fri Aug 17 11:12:09 CEST 2018


Hi,

Setting the attribute to non-tolerant is one of the possible solutions. 
This will work fine if all the values of that attribute are generated by 
midPoint, i.e. no external changes are expected. In that case you simply 
need to set the attribute to non-tolerant in schemaHandling.

We also support more tricky setups where values from midPoint are 
combined with external changes. For that you need to use the mapping 
"range" mechanism.

Please see 
https://wiki.evolveum.com/display/midPoint/Mapping#Mapping-ReplacingValues 
for more details.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 08/16/2018 05:12 PM, Brad Firestone wrote:
> Hi All,
>
> I'm running into something strange and I'm sure I just have something 
> configured wrong.  Hopefully someone can point me in the right 
> direction.  I'm working with midPoint 3.7.2.
>
> I am inducing some Services (using Services rather than Roles, but I 
> think I understand they should work similarly) for certain 
> Organizations.  I do that by adding the Service as an inducement when 
> editing the Organization.  The Service places a set value into a 
> multi-valued attribute (authServices) in the LDAP resource.  The "Add" 
> part works just fine.  The attribute is added to both the mP User and 
> to the LDAP Account.  "Show all Assignments" does show the indirect 
> assignment of the Service.  At this point, everything is as expected.
>
> However, if I then remove the Induced Service from the Organization 
> and Reconcile a User, the reconciliation shows 0 Primary Changes and 0 
> Secondary changes.  It won't remove the related attribute value from 
> the mP User or from the LDAP account.  However, "Show all Assignments" 
> no longer shows the indirect assignment of the Service.
>
> Directly Assigning and then Unassigning this Service to a user adds 
> and removes the attribute as expected.  I only have the problem 
> removing the attribute if the Service is Induced.
>
> Based on other email threads and documentation, I've set the following 
> in both the Resource definition and the Service definition for 
> Outbound mapping:
> <tolerant>false</tolerant>
> <strength>strong</strength>
> <authoritative>true</authoritative>
>
> I started without these tolerant, strength and authoritative settings 
> and added them one by one hoping that would fix the problem.
>
> Here is the XML from a test Service:
>
> <service xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>          xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>          xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>          oid="c4144a0c-7fca-4666-a5d4-8f64050c3b58"
>          version="8">
>     <name>Cloud-via-LDAP</name>
>
>     <inducement id="1">
>         <construction>
>             <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467873"
>                          relation="org:default"
>                          type="c:ResourceType"><!-- GnLDAP --></resourceRef>
>             <attribute id="3">
>                 <c:ref>authServices</c:ref>
>                 <tolerant>false</tolerant>
>                 <outbound>
>                     <authoritative>true</authoritative>
>                     <strength>strong</strength>
>                     <expression>
>                         <value>cloud</value>
>                     </expression>
>                 </outbound>
>             </attribute>
>         </construction>
>     </inducement>
> </service>
>
> Here is the mapping for that attribute in the LDAP Resource:
>
> <attribute id="7">
>     <c:ref>ri:authServices</c:ref>
>     <displayName>Authorized Services</displayName>
>     <limitations>
>         <minOccurs>0</minOccurs>
>         <maxOccurs>unbounded</maxOccurs>
>     </limitations>
>     <outbound>
>         <authoritative>true</authoritative>
>         <tolerant>false</tolerant>
>         <strength>strong</strength>
>         <source>
>             <c:path>$user/extension/authServices</c:path>
>         </source>
>     </outbound>
>     <inbound id="11">
>         <strength>normal</strength>
>         <target>
>             <c:path>$user/extension/authServices</c:path>
>         </target>
>     </inbound>
> </attribute>
>
> Can anyone point me in the right direction to fix this?  I would 
> really appreciate the help!
> Brad
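
The non-tolerant setting described in the reply, shown as an added example (not configuration posted by either participant): in the resource's schemaHandling, `tolerant` is set on the attribute definition itself rather than inside a mapping. The `kind` and `intent` values are assumptions, the `c:` and `ri:` prefixes are assumed to be declared on the enclosing resource object as in the thread, and the inbound mapping from the thread's resource is left out here.

```xml
<!-- Added example; kind and intent are assumed values, not taken from the thread. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <attribute>
            <c:ref>ri:authServices</c:ref>
            <displayName>Authorized Services</displayName>
            <limitations>
                <minOccurs>0</minOccurs>
                <maxOccurs>unbounded</maxOccurs>
            </limitations>
            <!-- Attribute-level setting. With false, reconciliation removes
                 account values that no midPoint mapping produces, so use it
                 only when nothing outside midPoint writes this attribute. -->
            <tolerant>false</tolerant>
            <outbound>
                <authoritative>true</authoritative>
                <strength>strong</strength>
                <source>
                    <c:path>$user/extension/authServices</c:path>
                </source>
            </outbound>
        </attribute>
    </objectType>
</schemaHandling>
```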




