[midPoint] Mapping Org to Active Directory Groups
Ian Chen
ianchen.op at gmail.com
Thu Jul 26 08:43:16 CEST 2018
Hi Oskar,
I just found how to do this. Thanks for your help!
I post it here in case anyone needs them. They are much simpler than
I thought.
There are 3 inducements needed. This role is assigned to both Org and User.
1) map Org to AD group, which worked before
<inducement id="1">
  <construction>
    <resourceRef oid="AD-connector-resource"
                 relation="org:default"
                 type="c:ResourceType"></resourceRef>
    <kind>generic</kind>
    <intent>organization</intent>
  </construction>
  <focusType>OrgType</focusType>
</inducement>
2) map Org assignment to AD group membership
<inducement id="2">
  <construction>
    <resourceRef oid="AD-connector-resource"
                 relation="org:default"
                 type="c:ResourceType"></resourceRef>
    <kind>generic</kind>
    <intent>organization</intent>
    <association>
      <c:ref>ri:group</c:ref>
      <outbound>
        <strength>strong</strength>
        <expression>
          <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                               xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
            <projectionDiscriminator>
              <kind>generic</kind>
              <intent>organization</intent>
            </projectionDiscriminator>
          </associationFromLink>
        </expression>
      </outbound>
    </association>
  </construction>
  <order>2</order>
  <focusType>OrgType</focusType>
</inducement>
3) map User Accounts to AD Org group
<inducement id="3">
  <construction>
    <resourceRef oid="AD-connector-resource"
                 relation="org:default"
                 type="c:ResourceType"></resourceRef>
    <kind>account</kind>
    <intent>default</intent>
    <association>
      <c:ref>ri:group</c:ref>
      <outbound>
        <strength>strong</strength>
        <expression>
          <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                               xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
            <projectionDiscriminator>
              <kind>generic</kind>
              <intent>organization</intent>
            </projectionDiscriminator>
          </associationFromLink>
        </expression>
      </outbound>
    </association>
  </construction>
  <order>3</order>
  <focusType>UserType</focusType>
</inducement>
On Thu, Jul 26, 2018 at 2:05 PM, Ian Chen <ianchen.op at gmail.com> wrote:
> Hi Oskar,
>
> The first inducement works fine; groups get created in AD for those Orgs
> with the Role assigned. Thanks!
>
> But the second inducement has no effect, and it looks like it is putting an
> Account into the Org group.
>
> I'm trying to map Org to AD group, which should result in groups in groups.
> In my understanding the Org relationship in midPoint is child to parent (child
> Org assigned to parent Org), while in AD group membership is parent to
> child (the parent group has a member attribute holding the child group's DN).
> It looks like only Association provides this object-to-subject mapping, but I
> cannot find documentation or a previous discussion on this besides the blog page.
>
>
> On Wed, Jul 25, 2018 at 10:46 PM, Oskar Butovič - AMI Praha a.s. <
> oskar.butovic at ami.cz> wrote:
>
>> Hi Ian.
>>
>> I suggest you use type generic instead of entitlement. (I don't know why;
>> it just started working.)
>>
>> I don't think that association will work in this case. You probably
>> should try constructing the DN attribute, like this:
>>
>> <inducement>
>>   <construction>
>>     <resourceRef oid="AD-connector-resource" type="c:ResourceType"/>
>>     <kind>generic</kind>
>>     <intent>organization</intent>
>>   </construction>
>> </inducement>
>> <inducement>
>>   <construction>
>>     <resourceRef oid="AD-connector-resource" type="c:ResourceType"/>
>>     <kind>account</kind>
>>     <intent>default</intent>
>>     <attribute>
>>       <c:ref>ri:dn</c:ref>
>>       <outbound>
>>         <strength>strong</strength>
>>         <source>
>>           <c:path>$immediateRole/extension/ADpath</c:path>
>>         </source>
>>         <source>
>>           <c:path>$focus/extension/uniqueFullName</c:path>
>>         </source>
>>         <expression>
>>           <script>
>>             <code>
>>               import javax.xml.namespace.QName;
>>               import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
>>               import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
>>
>>               result = null;
>>
>>               // Default placement: the resource's default OU for users under its base context
>>               defaultOu = "$(ADresource.defaultOuForUsers)";
>>               defaultOu += ",$(ADresource.baseContext)";
>>               defaultOu = 'CN=' + uniqueFullName + ',' + defaultOu;
>>
>>               // If the inducing org carries an ADpath, place the account under it instead
>>               if (ADpath != null) {
>>                 result = 'CN=' + uniqueFullName + ',' + ADpath;
>>               } else {
>>                 result = defaultOu;
>>               }
>>
>>               log.info("org is putting user " + uniqueFullName + " into AD with DN: " + result);
>>               return result;
>>             </code>
>>           </script>
>>         </expression>
>>       </outbound>
>>     </attribute>
>>   </construction>
>>   <order>2</order>
>>   <focusType>UserType</focusType>
>> </inducement>
>>
>> 2018-07-25 12:34 GMT+02:00 Ian Chen <ianchen.op at gmail.com>:
>>
>>> Hi Oskar,
>>>
>>> Thanks for your reply. After many months, I got to work on this again.
>>>
>>> I tried; the following will map a midPoint user's AD account to an AD
>>> group.
>>> <inducement>
>>>   <construction>
>>>     <resourceRef oid="AD-resource"
>>>                  relation="org:default"
>>>                  type="c:ResourceType"></resourceRef>
>>>     <kind>account</kind>
>>>     <intent>default</intent>
>>>
>>> I'm trying to map ORG to AD groups with parents/member correctly set as
>>> in https://evolveum.com/blog/practical-organization-structure-in-active-directory/
>>>
>>> <objectType>
>>>   <kind>entitlement</kind>
>>>   <intent>ou</intent>
>>>   <default>false</default>
>>>   <objectClass>ri:group</objectClass>
>>>   <attribute>
>>>     ...
>>>   </attribute>
>>>   <association>
>>>     <c:ref>ri:group</c:ref>
>>>     <displayName>OU Group</displayName>
>>>     <tolerant>true</tolerant>
>>>     <exclusiveStrong>true</exclusiveStrong>
>>>     <kind>entitlement</kind>
>>>     <intent>ou</intent>
>>>     <direction>objectToSubject</direction>
>>>     <associationAttribute>ri:member</associationAttribute>
>>>     <valueAttribute>ri:dn</valueAttribute>
>>>     <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>>>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>>>   </association>
>>> </objectType>
>>>
>>> <inducement id="1">
>>>   <construction>
>>>     <resourceRef oid="OID"
>>>                  relation="org:default"
>>>                  type="c:ResourceType"></resourceRef>
>>>     <kind>entitlement</kind>
>>>     <intent>ou</intent>
>>>     <association>
>>>       <c:ref>ri:group</c:ref>
>>>       <outbound>
>>>         <strength>strong</strength>
>>>         <expression>
>>>           <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>                                xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
>>>             <projectionDiscriminator>
>>>               <kind>entitlement</kind>
>>>               <intent>ou</intent>
>>>             </projectionDiscriminator>
>>>           </associationFromLink>
>>>         </expression>
>>>       </outbound>
>>>     </association>
>>>   </construction>
>>> </inducement>
>>>
>>> Assigning this role on an ORG:
>>> could not extract ResultSet
>>>
>>> Caused by: java.sql.SQLException: You have an error in your SQL syntax;
>>> check the manual that corresponds to your MariaDB server version for the
>>> right syntax to use near ')) and rshadow0_.resourceRef_targetOid='OID'
>>> an' at line 1 Query is: select count(rshadow0_.oid) as col_0_0_ from
>>> m_shadow rshadow0_ inner join m_object rshadow0_1_ on
>>> rshadow0_.oid=rshadow0_1_.oid where (rshadow0_.oid in ()) and
>>> rshadow0_.resourceRef_targetOid=? and (rshadow0_.resourceRef_relation
>>> in (? , ?)) and rshadow0_.kind=? and rshadow0_.intent=?, parameters
>>> ['OID','#','http://midpoint.evolveum.com/xml/ns/public/common/org-3#default',1,'ou']
>>>
>>> Inducing this role on an ORG:
>>> No error, but no group created
>>>
>>>
>>>
>>> On Tue, Oct 31, 2017 at 5:30 PM, Oskar Butovič - AMI Praha a.s. <
>>> oskar.butovic at ami.cz> wrote:
>>>
>>>> Something like this inside the schema handling of your Active
>>>> Directory resource could do the trick.
>>>>
>>>> <objectType>
>>>>   <kind>entitlement</kind>
>>>>   <intent>group</intent>
>>>>   <displayName>AD Group</displayName>
>>>>   <default>true</default>
>>>>   <objectClass>ri:group</objectClass>
>>>>   ...
>>>>   ...
>>>>   <association>
>>>>     <c:ref>ri:group</c:ref>
>>>>     <displayName>AD Group Membership</displayName>
>>>>     <kind>entitlement</kind>
>>>>     <intent>group</intent>
>>>>     <direction>objectToSubject</direction>
>>>>     <associationAttribute>ri:member</associationAttribute>
>>>>     <valueAttribute>ri:dn</valueAttribute>
>>>>     <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>>>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>>>>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>>>>   </association>
>>>>   ...
>>>>   ...
>>>> </objectType>
>>>>
>>>> The next thing you need is an inducement on the meta-role, like:
>>>> <inducement>
>>>>   <construction>
>>>>     <resourceRef oid="AD-resource"
>>>>                  relation="org:default"
>>>>                  type="c:ResourceType"></resourceRef>
>>>>     <kind>account</kind>
>>>>     <intent>default</intent>
>>>>     <association>
>>>>       <c:ref>ri:group</c:ref>
>>>>       <outbound>
>>>>         <strength>strong</strength>
>>>>         <expression>
>>>>           <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>                                xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
>>>>             <projectionDiscriminator>
>>>>               <kind>entitlement</kind>
>>>>               <intent>group</intent>
>>>>             </projectionDiscriminator>
>>>>           </associationFromLink>
>>>>         </expression>
>>>>       </outbound>
>>>>     </association>
>>>>   </construction>
>>>>   <order>2</order>
>>>> </inducement>
>>>>
>>>> for further info look at the link to wiki I sent you.
>>>>
>>>> Best Regards
>>>> Oskar Butovič
>>>>
>>>>
>>>> 2017-10-31 7:55 GMT+01:00 Ian Chen <ianchen.op at gmail.com>:
>>>>
>>>>> Hi Oskar,
>>>>>
>>>>> I mapped all orgs to Entitlements as AD groups.
>>>>> But I cannot find how to map the parent org of an assignment. Could you share
>>>>> some details?
>>>>> Thanks.
>>>>>
>>>>> Regards,
>>>>> Ian
>>>>>
>>>>> On Wed, Oct 25, 2017 at 6:33 PM, Oskar Butovič - AMI Praha a.s. <
>>>>> oskar.butovic at ami.cz> wrote:
>>>>>
>>>>>> Hi Chen,
>>>>>>
>>>>>> I suggest mapping this as an association:
>>>>>> https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinitionExamples
>>>>>> Associations can handle both directions of membership (members in a group, or
>>>>>> groups in a user). So, for example, if you assign a parent org to a user or
>>>>>> another org, midPoint also modifies the group represented by the parent org.
>>>>>> Hope it makes sense. :-)
>>>>>>
>>>>>> Associations work with assignments. If properly assigned, child
>>>>>> orgs should have the parent org in one of their assignments and also in the
>>>>>> parentOrgRef element.
>>>>>>
>>>>>> Best Regards
>>>>>> Oskar Butovič
>>>>>>
>>>>>> 2017-10-25 12:23 GMT+02:00 Ian Chen <ianchen.op at gmail.com>:
>>>>>>
>>>>>>> Hi List,
>>>>>>>
>>>>>>> I'm new here and trying to solve mapping Org to AD groups as in
>>>>>>> https://evolveum.com/blog/practical-organization-structure-in-active-directory/.
>>>>>>> I'm stuck at setting members for a group.
>>>>>>>
>>>>>>> It seems an AD group can only have members (children), while in midPoint
>>>>>>> an Org is assigned upwards (to its parent). As I cannot find child Orgs in the
>>>>>>> outbound mapping, I added an extension attribute to hold the parentID of the
>>>>>>> parent Org. My plan is, in the outbound mapping, to search for any Org with
>>>>>>> parentID set to the current Org ID, but I cannot find how. Please help!
>>>>>>>
>>>>>>> Also, if there is a better/simpler method to do this, please let me
>>>>>>> know.
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Ian
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> midPoint mailing list
>>>>>>> midPoint at lists.evolveum.com
>>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Oskar Butovič
>>>>>> solution architect
>>>>>>
>>>>>> gsm: [+420] 774 480 101
>>>>>> e-mail: oskar.butovic at ami.cz
>>>>>>
>>>>>> AMI Praha a.s.
>>>>>> Pláničkova 11
>>>>>> 162 00 Praha 6
>>>>>> tel.: [+420] 274 783 239
>>>>>> web: www.ami.cz
>>>>>>
>>>>>> By the text of this e-mail, the signatory neither promises to conclude nor
>>>>>> concludes any contract on behalf of AMI Praha a.s. Any contract, if
>>>>>> concluded, must be exclusively in written form.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
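As an added illustration (not part of the thread), the following Python models what the three inducements in the final message produce on the AD side: midPoint stores membership child-to-parent (a child org or a user carries an assignment to its parent org), whereas an AD group's `member` attribute lists its children, so `associationFromLink` has to invert the direction. Org names, user names, the base context and the OU layout of the DNs are constructed assumptions.

```python
"""Model of the AD memberships produced by the thread's three inducements.

midPoint stores membership child-to-parent (a child org or a user holds an
assignment to its parent org); an AD group stores it parent-to-child in its
multi-valued 'member' attribute, so associationFromLink inverts the direction.
All names and DNs below are constructed sample data, not from the thread.
"""

# Constructed sample: org -> parent org (None for the root).
ORG_PARENT = {"Corp": None, "Engineering": "Corp", "Platform": "Engineering"}
# Constructed sample: user -> orgs the user is assigned to.
USER_ORGS = {"alice": ["Platform"], "bob": ["Engineering", "Platform"]}
BASE = "DC=example,DC=com"  # constructed base context (assumption)

def group_dn(org):
    """DN of the group inducement 1 creates per org (kind generic, intent organization)."""
    return f"CN={org},OU=Orgs,{BASE}"

def account_dn(user):
    """DN of a user's AD account (kind account, intent default)."""
    return f"CN={user},OU=Users,{BASE}"

def expected_ad_members(org_parent, user_orgs):
    """Return {group DN: sorted member DNs}, one entry per org group.

    Inducement 2 puts a child org's group into its parent org's group;
    inducement 3 puts a user's account into each assigned org's group.
    An assignment to an org without a group shadow is reported, not dropped.
    """
    members = {group_dn(org): set() for org in org_parent}  # inducement 1
    for child, parent in org_parent.items():                # inducement 2
        if parent is None:
            continue
        if parent not in org_parent:
            raise ValueError(f"org {child} is assigned to unknown org {parent}")
        members[group_dn(parent)].add(group_dn(child))
    for user, orgs in user_orgs.items():                    # inducement 3
        for org in orgs:
            if org not in org_parent:
                raise ValueError(f"user {user} is assigned to unknown org {org}")
            members[group_dn(org)].add(account_dn(user))
    return {group: sorted(dns) for group, dns in members.items()}

def member_of(org_parent, user_orgs, dn):
    """Inverse view: the groups whose 'member' holds dn (what memberOf shows)."""
    groups = expected_ad_members(org_parent, user_orgs)
    return sorted(group for group, dns in groups.items() if dn in dns)
```

Comparing `expected_ad_members` against the `member` values actually found in AD after recompute is a quick way to spot an inducement whose `projectionDiscriminator` does not match the kind/intent of the org's group shadow.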