[midPoint] Mapping Org to Active Directory Groups

Ian Chen ianchen.op at gmail.com
Wed Jul 25 12:34:16 CEST 2018


Hi Oskar,

Thanks for your reply. After many months, I got to work on this again.

I tried the following, which maps a midPoint user's AD account to an AD group:
<inducement>
      <construction>
         <resourceRef oid="AD-resource"
                      relation="org:default"
                      type="c:ResourceType"></resourceRef>
         <kind>account</kind>
         <intent>default</intent>

I'm trying to map orgs to AD groups with the parent/member relationships set correctly, as in
https://evolveum.com/blog/practical-organization-structure-in-active-directory/

      <objectType>
         <kind>entitlement</kind>
         <intent>ou</intent>
         <default>false</default>
         <objectClass>ri:group</objectClass>
         <attribute>
...
        </attribute>
         <association>
            <c:ref>ri:group</c:ref>
            <displayName>OU Group</displayName>
            <tolerant>true</tolerant>
            <exclusiveStrong>true</exclusiveStrong>
            <kind>entitlement</kind>
            <intent>ou</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
            <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
            <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
            <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
         </association>
      </objectType>

   <inducement id="1">
      <construction>
         <resourceRef oid="OID"
                      relation="org:default"
                      type="c:ResourceType"></resourceRef>
         <kind>entitlement</kind>
         <intent>ou</intent>
         <association>
            <c:ref>ri:group</c:ref>
            <outbound>
               <strength>strong</strength>
                <expression>
                   <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                        xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
                      <projectionDiscriminator>
                         <kind>entitlement</kind>
                         <intent>ou</intent>
                      </projectionDiscriminator>
                   </associationFromLink>
                </expression>
            </outbound>
         </association>
      </construction>
   </inducement>

Assigning this role to an org:
could not extract ResultSet

Caused by: java.sql.SQLException: You have an error in your SQL syntax;
check the manual that corresponds to your MariaDB server version for the
right syntax to use near ')) and rshadow0_.resourceRef_targetOid='OID' an'
at line 1 Query is: select count(rshadow0_.oid) as col_0_0_ from m_shadow
rshadow0_ inner join m_object rshadow0_1_ on rshadow0_.oid=rshadow0_1_.oid
where (rshadow0_.oid in ()) and rshadow0_.resourceRef_targetOid=? and
(rshadow0_.resourceRef_relation in (? , ?)) and rshadow0_.kind=? and
rshadow0_.intent=?, parameters ['OID','#','
http://midpoint.evolveum.com/xml/ns/public/common/org-3#default',1,'ou']

Inducing this role on an org:
No error, but no group created.



On Tue, Oct 31, 2017 at 5:30 PM, Oskar Butovič - AMI Praha a.s. <
oskar.butovic at ami.cz> wrote:

> Something like this inside the schema handling of your Active Directory
> resource could do the trick.
>
> <objectType>
>          <kind>entitlement</kind>
>          <intent>group</intent>
>          <displayName>AD Group</displayName>
>          <default>true</default>
>          <objectClass>ri:group</objectClass>
> ...
> ...
>         <association>
>             <c:ref>ri:group</c:ref>
>             <displayName>AD Group Membership</displayName>
>             <kind>entitlement</kind>
>             <intent>group</intent>
>             <direction>objectToSubject</direction>
>             <associationAttribute>ri:member</associationAttribute>
>             <valueAttribute>ri:dn</valueAttribute>
>             <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>             <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>             <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>          </association>
> ...
> ...
> </objectType>
>
> The next thing you need is an inducement on the meta-role, like:
> <inducement>
>       <construction>
>          <resourceRef oid="AD-resource"
>                       relation="org:default"
>                       type="c:ResourceType"></resourceRef>
>          <kind>account</kind>
>          <intent>default</intent>
>          <association>
>             <c:ref>ri:group</c:ref>
>             <outbound>
>                <strength>strong</strength>
>                <expression>
>                   <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                                        xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
>                      <projectionDiscriminator>
>                         <kind>entitlement</kind>
>                         <intent>group</intent>
>                      </projectionDiscriminator>
>                   </associationFromLink>
>                </expression>
>             </outbound>
>          </association>
>       </construction>
>       <order>2</order>
>    </inducement>
>
> For further info, look at the link to the wiki I sent you.
>
> Best Regards
> Oskar Butovič
>
>
> 2017-10-31 7:55 GMT+01:00 Ian Chen <ianchen.op at gmail.com>:
>
>> Hi Oskar,
>>
>> I mapped all org to Entitlement as AD groups.
>> But I cannot find how to map parent org of assignment, could you share
>> some details?
>> Thanks.
>>
>> Regards,
>> Ian
>>
>> On Wed, Oct 25, 2017 at 6:33 PM, Oskar Butovič - AMI Praha a.s. <
>> oskar.butovic at ami.cz> wrote:
>>
>>> Hi Chen,
>>>
>>> I suggest mapping this as an association:
>>> https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinitionExamples
>>> Associations can handle both directions of membership (members in a group
>>> or groups in a user). So, for example, if you assign a parent org to a user
>>> or another org, midPoint also modifies the group represented by the parent
>>> org. Hope it makes sense. :-)
>>>
>>> Associations work with assignments. If properly assigned, child orgs should
>>> have the parent org in one of their assignments and also in the
>>> parentOrgRef element.
>>>
>>> Best Regards
>>> Oskar Butovič
>>>
>>> 2017-10-25 12:23 GMT+02:00 Ian Chen <ianchen.op at gmail.com>:
>>>
>>>> Hi List,
>>>>
>>>> I'm new here and trying to solve mapping orgs to AD groups as in
>>>> https://evolveum.com/blog/practical-organization-structure-in-active-directory/.
>>>> I'm stuck at setting members for a group.
>>>>
>>>> It seems an AD group can only have members (children), while in midPoint an
>>>> org is assigned upwards (to its parent). As I cannot find child orgs in the
>>>> outbound mapping, I added an extension attribute to hold the parentID of the
>>>> parent org. My plan is, in the outbound mapping, to search for any org with
>>>> parentID set to the current org ID, but I cannot find how. Please help!
>>>>
>>>> Also if there is better/simpler method to do this, please let me know.
>>>>
>>>> Thanks!
>>>> Ian
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> Oskar Butovič
>>> solution architect
>>>
>>> gsm: [+420] 774 480 101
>>> e-mail: oskar.butovic at ami.cz
>>>
>>>
>>> AMI Praha a.s.
>>> Pláničkova 11
>>> 162 00 Praha 6
>>> tel.: [+420] 274 783 239
>>> web: www.ami.cz
>>>
>>>
>>> By the text of this e-mail the signatory neither promises to conclude nor
>>> concludes any contract on behalf of AMI Praha a.s. Any contract, if
>>> concluded, must be exclusively in written form.
>>>
>>>
>>
>
>
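The whole thread turns on the direction problem Oskar describes: midPoint orgs link upward through parentOrgRef, while an AD group lists its children in ri:member (with ri:memberOf as the back-link the shortcut attributes read). This added example, which is not code from the thread or from midPoint, inverts a constructed org tree into the member and memberOf values such an objectToSubject association should provision, and diffs them against a constructed AD export so drift can be spotted; the group DN convention and the OU=Orgs container are assumptions.

```python
"""Added example (not from the thread or midPoint): derive the AD group
member/memberOf values an objectToSubject association (ri:member, shortcut
ri:memberOf) should provision from an org tree, then diff against AD."""
from collections import defaultdict

# Constructed sample org tree: org name -> parent org name (None = root).
# midPoint orgs link upward (parentOrgRef); AD groups list children (member).
ORG_PARENTS = {
    "Company": None,
    "Engineering": "Company",
    "Security": "Engineering",
    "Sales": "Company",
}
GROUP_BASE = "OU=Orgs,DC=example,DC=com"  # assumed container (placeholder)

def group_dn(org):
    """DN of the group representing an org; naming convention is an assumption."""
    return f"CN={org},{GROUP_BASE}"

def expected_members(parents):
    """Invert upward parent links into the downward `member` set of each group."""
    members = {group_dn(org): set() for org in parents}
    for org, parent in parents.items():
        if parent is None:
            continue
        if parent not in parents:
            raise ValueError(f"{org}: parentOrgRef {parent!r} points to no org")
        members[group_dn(parent)].add(group_dn(org))
    return members

def expected_member_of(parents):
    """Shortcut view (ri:memberOf): which groups each org's group belongs to."""
    member_of = defaultdict(set)
    for group, children in expected_members(parents).items():
        for child in children:
            member_of[child].add(group)
    return {group_dn(org): member_of[group_dn(org)] for org in parents}

def find_drift(parents, ad_members):
    """Groups whose AD `member` values (group DN -> set of DNs) differ from plan."""
    want = expected_members(parents)
    drift = {}
    for group in set(want) | set(ad_members):
        missing = want.get(group, set()) - ad_members.get(group, set())
        extra = ad_members.get(group, set()) - want.get(group, set())
        if missing or extra:
            drift[group] = {"missing": missing, "extra": extra}
    return drift
```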