[midPoint] OpenLDAP groups/users association (Midpoint 3.9)
LECOMTE ANTOINE
antoine.lecomte at univ-lyon1.fr
Wed Dec 5 08:55:31 CET 2018
Hi again,
I resolved my problem myself with the correct use of a Metarole: https://wiki.evolveum.com/display/midPoint/Roles,+Metaroles+and+Generic+Synchronization
Antoine.
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On behalf of LECOMTE ANTOINE
Sent: Tuesday, December 4, 2018 2:37 PM
To: midpoint at lists.evolveum.com
Subject: [midPoint] OpenLDAP groups/users association (Midpoint 3.9)
Hello,
I am testing the management of identities and groups to populate an Active Directory and an OpenLDAP from a database.
In midPoint, users are created and assigned to organizations.
In the AD resource, I manage to create them as well and to replicate the assignments with an association.
But I need some help to configure the association in the OpenLDAP resource.
Users and groups (with a dummy account in the member attribute) are created correctly.
The relation in OpenLDAP is not made: the association does not replicate the assignments between users and organizations.
How can I configure the association to replicate this link?
It seems as if the resource is not using the association at all.
You can see below each objectType minus all the attributes.
<objectType>
    <kind>account</kind>
    <displayName>Normal Account</displayName>
    <default>true</default>
    <objectClass>ri:inetOrgPerson</objectClass>
    <auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:supannPerson</auxiliaryObjectClass>
    <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
    ...
    <association>
        <ref>ri:group</ref>
        <displayName>LDAP Group Membership</displayName>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>
    </association>
    ...
</objectType>
<objectType>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <displayName>LDAP Group</displayName>
    <objectClass>ri:groupOfNames</objectClass>
    <baseContext>
        <objectClass>ri:organizationalUnit</objectClass>
        <filter>
            <q:equal>
                <q:path>attributes/dn</q:path>
                <q:value>ou=groups,dc=univ-lyon1,dc=fr</q:value>
            </q:equal>
        </filter>
    </baseContext>
    ...
</objectType>
Case 1: I specify a dummy user in the member attribute of the entitlement objectType. The group is created, but with only the dummy member.
<attribute>
    <ref>ri:member</ref>
    <fetchStrategy>minimal</fetchStrategy>
    <outbound>
        <strength>weak</strength>
        <expression>
            <value>cn=fake,dc=evolveum,dc=net</value>
        </expression>
    </outbound>
</attribute>
Case 2: no member attribute. The group cannot be created because member is required for creation.
Thanks.
Antoine.
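The metarole pattern from the linked wiki page, written out as an added example (this is not Antoine's configuration and not code from the midPoint project; the resource OID and metarole OID are placeholders, and the `ri:cn`/`ri:dn` mappings are assumptions for a `groupOfNames` entry under `ou=groups`). The first inducement (order 1) makes each org that is assigned the metarole own an `ldapGroup` entitlement; the second inducement (order 2) applies to the users who are members of that org, gives them the `account` projection and fills the `ri:group` association from the org's own group shadow, so midPoint manages the `member` attribute of the group instead of the dummy value:

```xml
<!-- Added example, not from the original post. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="00000000-0000-0000-0000-METAROLE-OID">   <!-- placeholder OID -->
    <name>LDAP group metarole</name>

    <!-- Order 1: applies to the org itself. The org becomes an LDAP group. -->
    <inducement>
        <construction>
            <!-- placeholder: OID of the OpenLDAP resource -->
            <resourceRef oid="00000000-0000-0000-0000-RESOURCE-OID" type="ResourceType"/>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <!-- assumption: group cn is taken from the org name -->
            <attribute>
                <ref>ri:cn</ref>
                <outbound>
                    <source>
                        <path>$focus/name</path>
                    </source>
                </outbound>
            </attribute>
            <!-- assumption: DN built from the org name under the groups OU -->
            <attribute>
                <ref>ri:dn</ref>
                <outbound>
                    <source>
                        <path>$focus/name</path>
                    </source>
                    <expression>
                        <script>
                            <code>'cn=' + name + ',ou=groups,dc=univ-lyon1,dc=fr'</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
        </construction>
    </inducement>

    <!-- Order 2: applies to members of the org. Each member's account is
         associated with the group shadow linked to that org, so midPoint
         maintains ri:member on the group via the objectToSubject association. -->
    <inducement>
        <construction>
            <resourceRef oid="00000000-0000-0000-0000-RESOURCE-OID" type="ResourceType"/>
            <kind>account</kind>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>ldapGroup</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>
```

Each org then carries `<assignment><targetRef oid="00000000-0000-0000-0000-METAROLE-OID" type="RoleType"/></assignment>`, and users keep their ordinary org assignments; no `member` outbound mapping is needed on the entitlement objectType, because the membership is written through the association when a user is recomputed.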