[midPoint] Mapping Org to Active Directory Groups

Oskar Butovič - AMI Praha a.s. oskar.butovic at ami.cz
Wed Jul 25 16:46:48 CEST 2018


Hi Ian.

I suggest you use type generic instead of entitlement. (I don't know why; it
just started working.)

I don't think that association will work in this case. You should probably
try constructing the DN attribute, like this:

<inducement>
   <construction>
      <resourceRef oid="AD-connector-resource" type="c:ResourceType"/>
      <kind>generic</kind>
      <intent>organization</intent>
   </construction>
</inducement>
<inducement>
   <construction>
      <resourceRef oid="AD-connector-resource" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <attribute>
         <c:ref>ri:dn</c:ref>
         <outbound>
            <strength>strong</strength>
            <source>
               <c:path>$immediateRole/extension/ADpath</c:path>
            </source>
            <source>
               <c:path>$focus/extension/uniqueFullName</c:path>
            </source>
            <expression>
               <script>
                  <code>
                     import javax.xml.namespace.QName;
                     import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
                     import com.evolveum.midpoint.util.exception.ObjectNotFoundException;

                     result = null;

                     // Fallback location: the resource's default user OU under its base context.
                     // The $(...) placeholders refer to resource-level values.
                     defaultOu = "$(ADresource.defaultOuForUsers)";
                     defaultOu += ",$(ADresource.baseContext)";
                     defaultOu = 'CN=' + uniqueFullName + ',' + defaultOu;

                     // If the org (the immediate role) carries an ADpath, place the account there.
                     if (ADpath != null) {
                        result = 'CN=' + uniqueFullName + ',' + ADpath;
                     } else {
                        result = defaultOu;
                     }

                     log.info("org is putting user " + uniqueFullName + " into AD with DN: " + result);
                     return result;
                  </code>
               </script>
            </expression>
         </outbound>
      </attribute>
   </construction>
   <order>2</order>
   <focusType>UserType</focusType>
</inducement>
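The Groovy mapping above concatenates uniqueFullName straight into the DN. As an added example (not code from this thread or from midPoint), here is a stand-alone Python model of the same decision (the org's ADpath if present, otherwise the resource's default user OU under its base context) that also escapes the CN value per RFC 4514, so a name containing a comma or similar character cannot turn into an extra RDN and land the account in an unintended container. DEFAULT_OU_FOR_USERS, BASE_CONTEXT and the sample names are constructed placeholders.

```python
# Added example: stand-alone Python model of the DN mapping's decision logic
# (not midPoint's or the thread's code), with RFC 4514 escaping of the CN value.
from typing import Optional

# Constructed placeholders for the values the Groovy script reads through
# $(ADresource.defaultOuForUsers) and $(ADresource.baseContext).
DEFAULT_OU_FOR_USERS = "OU=Users"
BASE_CONTEXT = "DC=example,DC=com"

# Characters RFC 4514 section 2.4 requires to be escaped anywhere in a value
# ('=' is optional there; escaping it is harmless and keeps RDNs unambiguous).
_SPECIALS = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                  # leading '#' would read as a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading or trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def naive_user_dn(unique_full_name: str, ad_path: Optional[str]) -> str:
    """The mapping exactly as the Groovy script builds it: plain concatenation."""
    default_ou = DEFAULT_OU_FOR_USERS + "," + BASE_CONTEXT
    if ad_path is not None:
        return "CN=" + unique_full_name + "," + ad_path
    return "CN=" + unique_full_name + "," + default_ou


def build_user_dn(unique_full_name: str, ad_path: Optional[str]) -> str:
    """Same decision, but the CN value is escaped before concatenation."""
    return naive_user_dn(escape_rdn_value(unique_full_name), ad_path)


def rdn_count(dn: str) -> int:
    """Count RDNs by splitting on unescaped commas (sufficient for these DNs)."""
    count, escaped = 1, False
    for ch in dn:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            count += 1
    return count


if __name__ == "__main__":
    print(build_user_dn("Jane Doe", "OU=Sales,DC=example,DC=com"))
    print(build_user_dn("Jane Doe", None))
    # Constructed "Last, First" name: the comma splits the naive DN into an extra RDN.
    tricky = "Doe, Jane"
    print(naive_user_dn(tricky, None), rdn_count(naive_user_dn(tricky, None)))
    print(build_user_dn(tricky, None), rdn_count(build_user_dn(tricky, None)))
```

Running the block shows the naive DN for "Doe, Jane" parsing as five RDNs while the escaped one parses as four; in the real mapping the same escaping belongs on uniqueFullName before it is concatenated, and ADpath should come only from trusted org extension data.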

2018-07-25 12:34 GMT+02:00 Ian Chen <ianchen.op at gmail.com>:

> Hi Oskar,
>
> Thanks for your reply. After many months, I get to work on this again.
>
> I tried; the following will map a midpoint user's AD account to an AD
> group.
> <inducement>
>       <construction>
>          <resourceRef oid="AD-resource"
>                       relation="org:default"
>                       type="c:ResourceType"></resourceRef>
>          <kind>account</kind>
>          <intent>default</intent>
>
> I'm trying to map ORG to AD groups with parents/member correctly set as in
> https://evolveum.com/blog/practical-organization-
> structure-in-active-directory/
>
>       <objectType>
>          <kind>entitlement</kind>
>          <intent>ou</intent>
>          <default>false</default>
>          <objectClass>ri:group</objectClass>
>          <attribute>
> ...
>         </attribute>
>          <association>
>             <c:ref>ri:group</c:ref>
>             <displayName>OU Group</displayName>
>             <tolerant>true</tolerant>
>             <exclusiveStrong>true</exclusiveStrong>
>             <kind>entitlement</kind>
>             <intent>ou</intent>
>             <direction>objectToSubject</direction>
>             <associationAttribute>ri:member</associationAttribute>
>             <valueAttribute>ri:dn</valueAttribute>
>             <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>             <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>             <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>          </association>
>       </objectType>
>
>    <inducement id="1">
>       <construction>
>          <resourceRef oid="OID"
>                       relation="org:default"
>                       type="c:ResourceType"></resourceRef>
>          <kind>entitlement</kind>
>          <intent>ou</intent>
>          <association>
>             <c:ref>ri:group</c:ref>
>             <outbound>
>                <strength>strong</strength>
>                <expression>
>                   <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                                        xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
>                      <projectionDiscriminator>
>                         <kind>entitlement</kind>
>                         <intent>ou</intent>
>                      </projectionDiscriminator>
>                   </associationFromLink>
>                </expression>
>             </outbound>
>          </association>
>       </construction>
>    </inducement>
>
> Assigning this role on an ORG:
> could not extract ResultSet
>
> Caused by: java.sql.SQLException: You have an error in your SQL syntax;
> check the manual that corresponds to your MariaDB server version for the
> right syntax to use near ')) and rshadow0_.resourceRef_targetOid='OID'
> an' at line 1 Query is: select count(rshadow0_.oid) as col_0_0_ from
> m_shadow rshadow0_ inner join m_object rshadow0_1_ on
> rshadow0_.oid=rshadow0_1_.oid where (rshadow0_.oid in ()) and
> rshadow0_.resourceRef_targetOid=? and (rshadow0_.resourceRef_relation in
> (? , ?)) and rshadow0_.kind=? and rshadow0_.intent=?, parameters
> ['OID','#','http://midpoint.evolveum.com/xml/ns/public/
> common/org-3#default',1,'ou']
>
> Inducing this role on an ORG:
> No error, but no group created
>
>
>
> On Tue, Oct 31, 2017 at 5:30 PM, Oskar Butovič - AMI Praha a.s. <
> oskar.butovic at ami.cz> wrote:
>
>> Something like this inside the schema handling of your Active Directory
>> resource could do the trick.
>>
>> <objectType>
>>          <kind>entitlement</kind>
>>          <intent>group</intent>
>>          <displayName>AD Group</displayName>
>>          <default>true</default>
>>          <objectClass>ri:group</objectClass>
>> ...
>> ...
>>         <association>
>>             <c:ref>ri:group</c:ref>
>>             <displayName>AD Group Membership</displayName>
>>             <kind>entitlement</kind>
>>             <intent>group</intent>
>>             <direction>objectToSubject</direction>
>>             <associationAttribute>ri:member</associationAttribute>
>>             <valueAttribute>ri:dn</valueAttribute>
>>             <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>             <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>>             <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>>          </association>
>> ...
>> ...
>> </objectType>
>>
>> The next thing you need is an inducement on the meta-role, like:
>> <inducement>
>>       <construction>
>>          <resourceRef oid="AD-resource"
>>                       relation="org:default"
>>                       type="c:ResourceType"></resourceRef>
>>          <kind>account</kind>
>>          <intent>default</intent>
>>          <association>
>>             <c:ref>ri:group</c:ref>
>>             <outbound>
>>                <strength>strong</strength>
>>                <expression>
>>                   <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                                        xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
>>                      <projectionDiscriminator>
>>                         <kind>entitlement</kind>
>>                         <intent>group</intent>
>>                      </projectionDiscriminator>
>>                   </associationFromLink>
>>                </expression>
>>             </outbound>
>>          </association>
>>       </construction>
>>       <order>2</order>
>>    </inducement>
>>
>> For further info, look at the link to the wiki I sent you.
>>
>> Best Regards
>> Oskar Butovič
>>
>>
>> 2017-10-31 7:55 GMT+01:00 Ian Chen <ianchen.op at gmail.com>:
>>
>>> Hi Oskar,
>>>
>>> I mapped all orgs to entitlements as AD groups.
>>> But I cannot find how to map the parent org of an assignment; could you share
>>> some details?
>>> Thanks.
>>>
>>> Regards,
>>> Ian
>>>
>>> On Wed, Oct 25, 2017 at 6:33 PM, Oskar Butovič - AMI Praha a.s. <
>>> oskar.butovic at ami.cz> wrote:
>>>
>>>> Hi Chen,
>>>>
>>>> I suggest mapping this as an association:
>>>> https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinitionExamples
>>>> An association can handle both directions of
>>>> membership (members in a group or groups in a user). So, for example, if you
>>>> assign a parent org to a user or another org, midPoint also modifies the
>>>> group represented by the parent org. Hope it makes sense. :-)
>>>>
>>>> Associations work with assignments. If properly assigned, child
>>>> orgs should have the parent org in one of their assignments and also in the
>>>> parentOrgRef element.
>>>>
>>>> Best Regards
>>>> Oskar Butovič
>>>>
>>>> 2017-10-25 12:23 GMT+02:00 Ian Chen <ianchen.op at gmail.com>:
>>>>
>>>>> Hi List,
>>>>>
>>>>> I'm new here and trying to solve mapping Org to AD groups as in
>>>>> https://evolveum.com/blog/practical-organization-structure-in-active-directory/.
>>>>> I'm stuck at setting the members of a group.
>>>>>
>>>>> It seems an AD group can only have members (children), while in midpoint
>>>>> an Org is assigned upwards (to its parent). As I cannot find the children of an Org in an outbound
>>>>> mapping, I added an extension attribute to hold the parentID of the parent Org. My
>>>>> plan is, during outbound mapping, to search for any Org with parentID set to the
>>>>> current Org ID, but I cannot find how. Please help!
>>>>>
>>>>> Also if there is better/simpler method to do this, please let me know.
>>>>>
>>>>> Thanks!
>>>>> Ian
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Oskar Butovič
>>>> solution architect
>>>>
>>>> gsm: [+420] 774 480 101 <+420%20774%20480%20101>
>>>> e-mail: oskar.butovic at ami.cz
>>>>
>>>>
>>>> AMI Praha a.s.
>>>> Pláničkova 11
>>>> 162 00 Praha 6
>>>> tel.: [+420] 274 783 239 <+420%20274%20783%20239>
>>>> web: www.ami.cz
>>>>
>>>>
>>>> By the text of this e-mail the signatory neither promises to conclude nor concludes
>>>> any contract on behalf of AMI Praha a.s.
>>>> Any contract, if concluded, must be made exclusively in written form.
>>>>
>>>>
>>>
>>
>