[midPoint] Mapping Org to Active Directory Groups

Ian Chen ianchen.op at gmail.com
Thu Jul 26 08:05:20 CEST 2018


Hi Oskar,

The first inducement works fine; a group gets created in AD for those Orgs
with the Role assigned. Thanks!

But the second inducement has no effect, and it looks like it is putting an
Account into the Org group.

I'm trying to map Orgs to AD groups, which should result in groups in groups.
In my understanding the Org relationship in midPoint is child to parent (the
child Org is assigned to the parent Org), while in AD group membership is
parent to child (the parent group has a member attribute holding the child
group's DN). It looks like only an Association provides this object-to-subject
mapping, but I cannot find documentation or a previous discussion about this
beside the blog page.


On Wed, Jul 25, 2018 at 10:46 PM, Oskar Butovič - AMI Praha a.s. <
oskar.butovic at ami.cz> wrote:

> Hi Ian.
>
> I suggest you use type generic instead of entitlement. (I don't know why; it
> just started working.)
>
> I don't think that an association will work in this case. You should probably
> try constructing the DN attribute, like this:
>
> <inducement>
>    <construction>
>       <resourceRef oid="AD-connector-resource" type="c:ResourceType"/>
>       <kind>generic</kind>
>       <intent>organization</intent>
>    </construction>
> </inducement>
> <inducement>
>    <construction>
>       <resourceRef oid="AD-connector-resource" type="c:ResourceType"/>
>       <kind>account</kind>
>       <intent>default</intent>
>       <attribute>
>          <c:ref>ri:dn</c:ref>
>          <outbound>
>             <strength>strong</strength>
>             <source>
>                <c:path>$immediateRole/extension/ADpath</c:path>
>             </source>
>             <source>
>                <c:path>$focus/extension/uniqueFullName</c:path>
>             </source>
>             <expression>
>                <script>
>                   <code>
>                      import javax.xml.namespace.QName;
>                      import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
>                      import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
>
>                      result = null;
>
>                      // Fallback container. The $(...) placeholders are presumably
>                      // substituted before import; they are not Groovy GString syntax.
>                      defaultOu = "$(ADresource.defaultOuForUsers)"
>                      defaultOu += ",$(ADresource.baseContext)";
>                      defaultOu = 'CN=' + uniqueFullName + ',' + defaultOu;
>
>                      // ADpath comes from the immediate role (the Org): place the
>                      // account under it when set, otherwise under the default OU.
>                      if (ADpath != null) {
>                         result = 'CN=' + uniqueFullName + ',' + ADpath;
>                      } else {
>                         result = defaultOu;
>                      }
>
>                      log.info("org is putting user " + uniqueFullName + " into AD with DN: " + result);
>                      return result;
>                   </code>
>                </script>
>             </expression>
>          </outbound>
>       </attribute>
>    </construction>
>    <order>2</order>
>    <focusType>UserType</focusType>
> </inducement>
>
> 2018-07-25 12:34 GMT+02:00 Ian Chen <ianchen.op at gmail.com>:
>
>> Hi Oskar,
>>
>> Thanks for your reply. After many months, I got to work on this again.
>>
>> I tried; the following will map a midPoint user's AD account to an AD
>> group.
>> <inducement>
>>       <construction>
>>          <resourceRef oid="AD-resource"
>>                       relation="org:default"
>>                       type="c:ResourceType"></resourceRef>
>>          <kind>account</kind>
>>          <intent>default</intent>
>>
>> I'm trying to map Orgs to AD groups with parents/members correctly set, as
>> in https://evolveum.com/blog/practical-organization-structure-in-active-directory/
>>
>>       <objectType>
>>          <kind>entitlement</kind>
>>          <intent>ou</intent>
>>          <default>false</default>
>>          <objectClass>ri:group</objectClass>
>>          <attribute>
>> ...
>>         </attribute>
>>          <association>
>>             <c:ref>ri:group</c:ref>
>>             <displayName>OU Group</displayName>
>>             <tolerant>true</tolerant>
>>             <exclusiveStrong>true</exclusiveStrong>
>>             <kind>entitlement</kind>
>>             <intent>ou</intent>
>>             <direction>objectToSubject</direction>
>>             <associationAttribute>ri:member</associationAttribute>
>>             <valueAttribute>ri:dn</valueAttribute>
>>             <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>             <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>>             <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>>          </association>
>>       </objectType>
>>
>>    <inducement id="1">
>>       <construction>
>>          <resourceRef oid="OID"
>>                       relation="org:default"
>>                       type="c:ResourceType"></resourceRef>
>>          <kind>entitlement</kind>
>>          <intent>ou</intent>
>>          <association>
>>             <c:ref>ri:group</c:ref>
>>             <outbound>
>>                <strength>strong</strength>
>>                <expression>
>>                   <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                                        xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
>>                      <projectionDiscriminator>
>>                         <kind>entitlement</kind>
>>                         <intent>ou</intent>
>>                      </projectionDiscriminator>
>>                   </associationFromLink>
>>                </expression>
>>             </outbound>
>>          </association>
>>       </construction>
>>    </inducement>
>>
>> Assigning this role to an Org:
>> could not extract ResultSet
>>
>> Caused by: java.sql.SQLException: You have an error in your SQL syntax;
>> check the manual that corresponds to your MariaDB server version for the
>> right syntax to use near ')) and rshadow0_.resourceRef_targetOid='OID'
>> an' at line 1 Query is: select count(rshadow0_.oid) as col_0_0_ from
>> m_shadow rshadow0_ inner join m_object rshadow0_1_ on
>> rshadow0_.oid=rshadow0_1_.oid where (rshadow0_.oid in ()) and
>> rshadow0_.resourceRef_targetOid=? and (rshadow0_.resourceRef_relation in
>> (? , ?)) and rshadow0_.kind=? and rshadow0_.intent=?, parameters
>> ['OID','#','http://midpoint.evolveum.com/xml/ns/public/common/org-3#default',1,'ou']
>>
>> Inducing this role on an Org:
>> No error, but no group created
>>
>>
>>
>> On Tue, Oct 31, 2017 at 5:30 PM, Oskar Butovič - AMI Praha a.s. <
>> oskar.butovic at ami.cz> wrote:
>>
>>> Something like this inside the schema handling of your Active Directory
>>> resource could do the trick.
>>>
>>> <objectType>
>>>          <kind>entitlement</kind>
>>>          <intent>group</intent>
>>>          <displayName>AD Group</displayName>
>>>          <default>true</default>
>>>          <objectClass>ri:group</objectClass>
>>> ...
>>> ...
>>>         <association>
>>>             <c:ref>ri:group</c:ref>
>>>             <displayName>AD Group Membership</displayName>
>>>             <kind>entitlement</kind>
>>>             <intent>group</intent>
>>>             <direction>objectToSubject</direction>
>>>             <associationAttribute>ri:member</associationAttribute>
>>>             <valueAttribute>ri:dn</valueAttribute>
>>>             <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>>             <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>>>             <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>>>          </association>
>>> ...
>>> ...
>>> </objectType>
>>>
>>> The next thing you need is an inducement on a meta-role, like:
>>> <inducement>
>>>       <construction>
>>>          <resourceRef oid="AD-resource"
>>>                       relation="org:default"
>>>                       type="c:ResourceType"></resourceRef>
>>>          <kind>account</kind>
>>>          <intent>default</intent>
>>>          <association>
>>>             <c:ref>ri:group</c:ref>
>>>             <outbound>
>>>                <strength>strong</strength>
>>>                <expression>
>>>                   <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                                        xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
>>>                      <projectionDiscriminator>
>>>                         <kind>entitlement</kind>
>>>                         <intent>group</intent>
>>>                      </projectionDiscriminator>
>>>                   </associationFromLink>
>>>                </expression>
>>>             </outbound>
>>>          </association>
>>>       </construction>
>>>       <order>2</order>
>>>    </inducement>
>>>
>>> For further info, look at the wiki link I sent you.
>>>
>>> Best Regards
>>> Oskar Butovič
>>>
>>>
>>> 2017-10-31 7:55 GMT+01:00 Ian Chen <ianchen.op at gmail.com>:
>>>
>>>> Hi Oskar,
>>>>
>>>> I mapped all Orgs to Entitlements as AD groups.
>>>> But I cannot find how to map the parent Org of an assignment; could you
>>>> share some details?
>>>> Thanks.
>>>>
>>>> Regards,
>>>> Ian
>>>>
>>>> On Wed, Oct 25, 2017 at 6:33 PM, Oskar Butovič - AMI Praha a.s. <
>>>> oskar.butovic at ami.cz> wrote:
>>>>
>>>>> Hi Chen,
>>>>>
>>>>> I suggest mapping this as an association:
>>>>> https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinitionExamples
>>>>> Associations can handle both directions of membership (members in a
>>>>> group or groups in a user). So for example, if you assign a parent Org
>>>>> to a user or to another Org, midPoint also modifies the group
>>>>> represented by the parent Org. Hope it makes sense. :-)
>>>>>
>>>>> Associations work with assignments. If properly assigned, child Orgs
>>>>> should have the parent Org in one of their assignments and also in the
>>>>> parentOrgRef element.
>>>>>
>>>>> Best Regards
>>>>> Oskar Butovič
>>>>>
>>>>> 2017-10-25 12:23 GMT+02:00 Ian Chen <ianchen.op at gmail.com>:
>>>>>
>>>>>> Hi List,
>>>>>>
>>>>>> I'm new here and am trying to solve mapping Orgs to AD groups as in
>>>>>> https://evolveum.com/blog/practical-organization-structure-in-active-directory/
>>>>>> I'm stuck at setting the member attribute for a group.
>>>>>>
>>>>>> It seems an AD group can only have members (children), while in midPoint
>>>>>> an Org is assigned upwards (to its parent). As I cannot find the child Orgs
>>>>>> in the outbound mapping, I added an extension attribute to hold the parentID
>>>>>> of the parent Org. My plan is, during the outbound mapping, to search for
>>>>>> any Org with parentID set to the current Org's ID, but I cannot find how.
>>>>>> Please help!
>>>>>>
>>>>>> Also, if there is a better/simpler method to do this, please let me know.
>>>>>>
>>>>>> Thanks!
>>>>>> Ian
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Oskar Butovič
>>>>> solution architect
>>>>>
>>>>> gsm: [+420] 774 480 101
>>>>> e-mail: oskar.butovic at ami.cz
>>>>>
>>>>>
>>>>> AMI Praha a.s.
>>>>> Pláničkova 11
>>>>> 162 00 Praha 6
>>>>> tel.: [+420] 274 783 239
>>>>> web: www.ami.cz
>>>>>
>>>>> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>>>>>
>>>>> By the text of this e-mail the signatory neither promises to conclude nor
>>>>> concludes any contract on behalf of AMI Praha a.s. Any contract, if
>>>>> concluded, must be exclusively in written form.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
>
>
>
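The question running through this thread is a direction mismatch: midPoint records an Org's relationship child to parent (assignment / parentOrgRef), while an AD group records parent to children in its member attribute. As an added example (not code from the thread, and not midPoint's own code), the Python below inverts that relationship for a constructed Org tree and builds each group's DN the same way the thread's Groovy script builds a user DN (CN under extension/ADpath when set, otherwise under a default OU). It goes one step beyond the script by escaping RDN values per RFC 4514, since Org names such as "R&D, Europe" would otherwise produce a malformed or wrong DN. The names BASE_CONTEXT, DEFAULT_OU_FOR_GROUPS, Org, group_dn, member_map and the sample Orgs are assumptions for the example.

```python
"""Nested AD groups from a midPoint-style Org tree (added example, not midPoint code).

midPoint stores the Org relationship child -> parent (assignment / parentOrgRef),
while an AD group stores parent -> children in its 'member' attribute. This
inverts the relationship and builds each group's DN the way the thread's
Groovy script builds a user DN, with RDN values escaped per RFC 4514.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed deployment values, standing in for the $(ADresource.baseContext) and
# default-OU placeholders in the thread's script.
BASE_CONTEXT = "DC=example,DC=com"
DEFAULT_OU_FOR_GROUPS = "OU=Groups"

# RFC 4514 section 2.4: characters that must be escaped anywhere in an RDN value.
_RDN_SPECIALS = frozenset(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514 section 2.4).

    Also escapes a leading '#', a leading or trailing space, and NUL, which are
    only special in those positions.
    """
    last = len(value) - 1
    out: List[str] = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _RDN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


@dataclass(frozen=True)
class Org:
    oid: str
    name: str
    parent_oid: Optional[str] = None  # child -> parent, like parentOrgRef
    ad_path: Optional[str] = None     # like extension/ADpath; a full container DN


def group_dn(org: Org) -> str:
    """DN of the AD group representing an Org, mirroring the thread's DN script."""
    container = org.ad_path if org.ad_path else f"{DEFAULT_OU_FOR_GROUPS},{BASE_CONTEXT}"
    return f"CN={escape_rdn_value(org.name)},{container}"


def member_map(orgs: List[Org]) -> Dict[str, List[str]]:
    """Invert child -> parent into parent group DN -> sorted child group DNs.

    Every Org gets an entry (possibly empty) so that groups without children
    are still created. An unknown parent_oid, or two Orgs that collapse onto
    the same DN, raises ValueError instead of silently producing a wrong tree.
    """
    by_oid = {org.oid: org for org in orgs}
    members: Dict[str, List[str]] = {group_dn(org): [] for org in orgs}
    if len(members) != len(orgs):
        raise ValueError("two Orgs map to the same group DN")
    for org in orgs:
        if org.parent_oid is None:
            continue
        parent = by_oid.get(org.parent_oid)
        if parent is None:
            raise ValueError(f"Org {org.oid!r} references unknown parent {org.parent_oid!r}")
        members[group_dn(parent)].append(group_dn(org))
    for dns in members.values():
        dns.sort()
    return members


# Constructed sample Org tree; names deliberately contain RDN special characters.
SAMPLE_ORGS = [
    Org("org-root", "Acme", ad_path="OU=Corp,DC=example,DC=com"),
    Org("org-rnd", "R&D, Europe", parent_oid="org-root"),
    Org("org-sec", "Security+", parent_oid="org-rnd"),
]

if __name__ == "__main__":
    for dn, children in member_map(SAMPLE_ORGS).items():
        print(dn)
        for child in children:
            print("    member:", child)
```

The member lists are what an objectToSubject association on the group objectType would end up writing into ri:member; the escaping matters equally for the user DN built in the Groovy script above, where uniqueFullName is concatenated into the CN unescaped.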

