[midPoint] Organizational Unit attribute mapping to User attribute

Jason Everling jeverling at bshp.edu
Mon Apr 1 16:03:07 CEST 2019


There are some examples and such on GitHub, but nothing really complete for
AD itself. You can start here to get an idea:
https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/orgsync

Give me some time and I can send you a complete working set for AD. Also, it
would be easier to extend your schema with some extensions for easier
management and future use. The 'organization' attribute is a PolyString; it
is up to you.

For example, for each type (UserTypeExtensionType, RoleTypeExtensionType,
OrgTypeExtensionType) in ours we have the extension attributes 'adLdapPath'
and 'odLdapPath', since we use both AD and OpenLDAP, which get filled in
using the sample I first sent for each in the resource definition:

<xsd:element name="adLdapPath" type="xsd:string" minOccurs="0" maxOccurs="1">
    <xsd:annotation>
        <xsd:appinfo>
            <a:indexed>true</a:indexed>
            <a:displayName>Active Directory Path</a:displayName>
            <a:displayOrder>1041</a:displayOrder>
            <a:help>Path to object in Active Directory</a:help>
        </xsd:appinfo>
    </xsd:annotation>
</xsd:element>
<xsd:element name="odLdapPath" type="xsd:string" minOccurs="0" maxOccurs="1">
    <xsd:annotation>
        <xsd:appinfo>
            <a:indexed>true</a:indexed>
            <a:displayName>OpenLDAP Path</a:displayName>
            <a:displayOrder>1042</a:displayOrder>
            <a:help>Path to object in OpenLDAP</a:help>
        </xsd:appinfo>
    </xsd:annotation>
</xsd:element>
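As an added example (not code from this thread or from midPoint, whose mappings are Groovy), the two DN scripts quoted further down in the thread, the outbound 'CN=' + name + iterationToken + ',' + organization build and the inbound parser that recovers the parent CN= or OU= container, rewritten in Python with RFC 4514 handling: the DN is split per RDN rather than on the first comma, and the CN value is escaped so a fullName containing ',' or '=' cannot place the account in a different container. The sample DNs in the comments are constructed.

```python
from typing import List, Optional, Tuple

# Constructed example, not code from the thread. The quoted inbound script
# takes the parent container from a DN and the outbound one rebuilds
# 'CN=' + name + ',' + organization; both are mirrored here with RFC 4514
# escaping, so a name containing ',' or '=' cannot move the account elsewhere.
_SPECIAL = set(',+"\\<>;=')

def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 ('=' is optional there, but harmless)."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == ' ' and i in (0, len(value) - 1)
        if ch in _SPECIAL or edge_space or (ch == '#' and i == 0):
            out.append('\\')
        out.append(ch)
    return ''.join(out)

def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, keeping backslash-escaped commas intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):   # escaped char: copy both
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ',':
            rdns.append(''.join(cur).lstrip())  # drop separator whitespace only
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append(''.join(cur).lstrip())
    return rdns

def parent_container(dn: str) -> Optional[Tuple[str, str]]:
    """Inbound side: (kind, parent DN upper-cased like basic.uc) or None."""
    rdns = split_dn(dn)
    if len(rdns) < 2:
        return None
    parent = ','.join(rdns[1:]).upper()
    if parent.startswith('CN='):      # e.g. CN=Users,DC=example,DC=com
        return ('container', parent)
    if parent.startswith('OU='):      # e.g. OU=Sales,DC=example,DC=com
        return ('orgunit', parent)
    return None                       # object sits directly under DC=...

def build_user_dn(name: str, organization: str, token: str = '') -> str:
    """Outbound side: like the quoted script, but the CN value is escaped."""
    return 'CN=' + escape_rdn_value(name + token) + ',' + organization
```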
On Mon, Apr 1, 2019 at 3:58 AM Vladislavs Filipciks <
vladislavs.filipciks at csolutions.lv> wrote:

> Thanks for the reply. This sync works fine for inbound mapping from the AD
> resource - organizations in midPoint are being created on demand.
>
> What I'm trying to achieve is:
> 1. Import the organization structure from the AD resource. Your mapping works fine
> if the user in AD is placed in any OU in AD. But how can I import OUs from
> AD into the midPoint organization structure if there are no users in that OU
> in AD? I got group import from AD, where AD groups are synced to midPoint
> roles, but I was not able to sync OUs from AD to Organizations in
> midPoint. Here's my object type (taken from the OrgSync story example):
> <objectType>
>     <kind>generic</kind>
>     <intent>ou</intent>
>     <displayName>Organizational Unit</displayName>
>     <objectClass>ri:organizationalUnit</objectClass>
>     <attribute>
>         <ref>ri:ou</ref>
>         <inbound>
>             <strength>weak</strength>
>             <target>
>                 <path>$focus/name</path>
>             </target>
>         </inbound>
>     </attribute>
>     <attribute>
>         <ref>ri:description</ref>
>         <inbound>
>             <strength>weak</strength>
>             <target>
>                 <path>$focus/description</path>
>             </target>
>         </inbound>
>     </attribute>
> </objectType>
>
> With this object type I don't see any record in the resource for the Generic kind.
>
> 2. I would like to make midPoint the central management system, so I would
> like to be able to create a new Organization in midPoint; then, when a user is
> assigned this organization, this user will be created in the AD resource in
> the Organization's container. I've tried to specify the DN for the
> Organization in midPoint in the description attribute and then construct the user's
> DN:
>
> <inducement id="10">
>     <construction>
>         <strength>weak</strength>
>         <resourceRef oid="be74efc9-6df3-470c-bfcf-c6d4f4165772" relation="org:default" type="c:ResourceType">
>             <!-- CS AD User outbound Resource 19.26 -->
>         </resourceRef>
>         <attribute id="12">
>             <c:ref>ri:dn</c:ref>
>             <displayName>Distinguished Name</displayName>
>             <outbound>
>                 <source>
>                     <c:path>$user/fullName</c:path>
>                 </source>
>                 <source>
>                     <c:path>description</c:path>
>                 </source>
>                 <expression>
>                     <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
>                         <code>
>                             'CN=' + fullName + ',' + description
>                         </code>
>                     </script>
>                 </expression>
>             </outbound>
>         </attribute>
>     </construction>
> </inducement>
>
> But the user is not created in the resource.
>
> ------------------------------
> *From: *"Jason Everling" <jeverling at bshp.edu>
> *To: *"midpoint" <midpoint at lists.evolveum.com>
> *Sent: *Thursday, 28 March, 2019 20:18:13
> *Subject: *Re: [midPoint] Organizational Unit attribute mapping to User attribute
>
> Now when the organization is updated with a new value it will re-build the
> user's DN, which of course will place them in the OU based on the attribute. You
> can also use org sync to create your AD structure in midPoint, then map the
> organization assignment to the user's attribute so you can use assignment-
> based placement. Just make sure to use a specific org type in the template
> so it doesn't try to update the attribute with values of orgs that are not
> really AD OUs. I was using Rdn but it wasn't working right for AD
> containers, so a raw script; works great though.
>
> <attribute>
>     <c:ref>ri:dn</c:ref>
>     <outbound>
>         <source>
>             <c:path>$focus/organization</c:path>
>         </source>
>         <source>
>             <c:path>$focus/name</c:path>
>         </source>
>         <expression>
>             <script>
>                 <code>'CN=' + name + iterationToken + ',' + organization</code>
>             </script>
>         </expression>
>     </outbound>
>     <inbound>
>         <expression>
>             <script>
>                 <code>
>                     // No dn on the account: leave organization unset
>                     if (input == null) {
>                         return null;
>                     }
>                     // Upper-case the DN, then keep everything after the first
>                     // ",CN=" or ",OU=": the parent container of the account
>                     tmpdn = basic.uc(input);
>                     if (tmpdn.contains(",CN=")) {
>                         cn = tmpdn.substring(tmpdn.indexOf(",CN=") + 1);
>                         log.info("-- DN Path " + cn + " is a container");
>                         return cn;
>                     }
>                     if (tmpdn.contains(",OU=")) {
>                         ou = tmpdn.substring(tmpdn.indexOf(",OU=") + 1);
>                         log.info("-- DN Path " + ou + " is an orgunit");
>                         return ou;
>                     }
>                     // Neither a CN= nor an OU= parent (e.g. directly under DC=)
>                     return null;
>                 </code>
>             </script>
>         </expression>
>         <target>
>             <c:path>$focus/organization</c:path>
>         </target>
>     </inbound>
> </attribute>
>
>
>
> On Thu, Mar 28, 2019 at 10:57 AM Vladislavs Filipciks <
> vladislavs.filipciks at csolutions.lv> wrote:
>
>> Hello.
>>
>> Is it possible to take an attribute from an organizational unit and map it to a
>> user's attribute?
>> For example, I would like to create an extended attribute for the organizational
>> unit - DN (Distinguished Name), then map it to the user's "Organization"
>> attribute, so that I'll be able to create the user in AD in a specific OU
>> container.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>