[midPoint] Organizational Unit attribute mapping to User attribute
Jason Everling
jeverling at bshp.edu
Tue Apr 2 15:56:50 CEST 2019
It's a 3-part configuration: one to assign the org based on the user
attribute within the default user template, and then a metarole to create
the focus mappings to the user, which gets assigned to all orgs of the
specified type. I used orgType in the example because that is what is used
mainly in the midPoint samples as well.
On Tue, Apr 2, 2019 at 3:09 AM Vladislavs Filipciks <
vladislavs.filipciks at csolutions.lv> wrote:
> Basically, right now what I need is that MidPoint Org attribute is mapped
> to all users organization attribute, that are assigned to that Org.
>
> ------------------------------
> *From: *"Jason Everling" <jeverling at bshp.edu>
> *To: *"midpoint" <midpoint at lists.evolveum.com>
> *Sent: *Monday, 1 April, 2019 17:03:07
> *Subject: *Re: [midPoint] Organizational Unit attribute mapping to
> User attribute
>
> There are some examples and such on GitHub but nothing really complete for
> AD itself; you can start here to get an idea:
> https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/orgsync
>
> Give me some time and I can send you a complete working set for AD. Also,
> it would be easier to extend your schema with some extensions for easier
> management and future use. The 'organization' attribute is PolyString; it
> is up to you.
>
> For example, for each type (UserTypeExtensionType, RoleTypeExtensionType,
> OrgTypeExtensionType) in ours we have the extension attributes 'adLdapPath'
> and 'odLdapPath', since we use both AD and OpenLDAP, which get filled in
> using the sample I first sent for each in the resource definition:
>
> <xsd:element name="adLdapPath" type="xsd:string" minOccurs="0" maxOccurs="1">
>   <xsd:annotation>
>     <xsd:appinfo>
>       <a:indexed>true</a:indexed>
>       <a:displayName>Active Directory Path</a:displayName>
>       <a:displayOrder>1041</a:displayOrder>
>       <a:help>Path to object in Active Directory</a:help>
>     </xsd:appinfo>
>   </xsd:annotation>
> </xsd:element>
> <xsd:element name="odLdapPath" type="xsd:string" minOccurs="0" maxOccurs="1">
>   <xsd:annotation>
>     <xsd:appinfo>
>       <a:indexed>true</a:indexed>
>       <a:displayName>OpenLDAP Path</a:displayName>
>       <a:displayOrder>1042</a:displayOrder>
>       <a:help>Path to object in OpenLDAP</a:help>
>     </xsd:appinfo>
>   </xsd:annotation>
> </xsd:element>
>
> On Mon, Apr 1, 2019 at 3:58 AM Vladislavs Filipciks <
> vladislavs.filipciks at csolutions.lv> wrote:
>
>> Thanks for the reply. This sync works fine for inbound mapping from the AD
>> resource - organizations in midPoint are being created on demand.
>>
>> What I'm trying to achieve is:
>> 1. Import the organization structure from the AD resource. Your mapping works
>> fine if the user in AD is placed in any OU in AD. But how can I import OUs
>> from AD into the midPoint organization structure if there are no users in
>> that OU in AD? I got group import from AD, where AD groups are being synced to
>> midPoint roles, but I was not able to sync OUs from AD to organizations in
>> midPoint. Here's my object type (taken from the OrgSync story example):
>> <objectType>
>>   <kind>generic</kind>
>>   <intent>ou</intent>
>>   <displayName>Organizational Unit</displayName>
>>   <objectClass>ri:organizationalUnit</objectClass>
>>   <attribute>
>>     <ref>ri:ou</ref>
>>     <inbound>
>>       <strength>weak</strength>
>>       <target>
>>         <path>$focus/name</path>
>>       </target>
>>     </inbound>
>>   </attribute>
>>   <attribute>
>>     <ref>ri:description</ref>
>>     <inbound>
>>       <strength>weak</strength>
>>       <target>
>>         <path>$focus/description</path>
>>       </target>
>>     </inbound>
>>   </attribute>
>> </objectType>
>>
>> With this object type I don't see any record in the resource for the Generic kind.
>>
>> 2. I would like to make midPoint the central management system, so I would
>> like to be able to create a new organization in midPoint; then, when a user is
>> assigned this organization, the user will be created in the AD resource in
>> the organization's container. I've tried to specify the DN for the
>> organization in midPoint in the description attribute and then construct the
>> user's DN:
>>
>> <inducement id="10">
>>   <construction>
>>     <strength>weak</strength>
>>     <resourceRef oid="be74efc9-6df3-470c-bfcf-c6d4f4165772"
>>                  relation="org:default" type="c:ResourceType">
>>       <!-- CS AD User outbound Resource 19.26 -->
>>     </resourceRef>
>>     <attribute id="12">
>>       <c:ref>ri:dn</c:ref>
>>       <displayName>Distinguished Name</displayName>
>>       <outbound>
>>         <source>
>>           <c:path>$user/fullName</c:path>
>>         </source>
>>         <source>
>>           <c:path>description</c:path>
>>         </source>
>>         <expression>
>>           <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                   xsi:type="c:ScriptExpressionEvaluatorType">
>>             <code>
>>               'CN=' + fullName + ',' + description
>>             </code>
>>           </script>
>>         </expression>
>>       </outbound>
>>     </attribute>
>>   </construction>
>> </inducement>
>>
>> But the user is not created in the resource.
>>
>> ------------------------------
>> *From: *"Jason Everling" <jeverling at bshp.edu>
>> *To: *"midpoint" <midpoint at lists.evolveum.com>
>> *Sent: *Thursday, 28 March, 2019 20:18:13
>> *Subject: *Re: [midPoint] Organizational Unit attribute mapping to
>> User attribute
>>
>> Now when the organization is updated with a new value it will re-build the
>> user's DN, which of course will place them in the OU based on the attribute. You
>> can also use org sync to create your AD structure in midPoint, then map the
>> organization assignment to the user's attribute so you can use assignment
>> based placement. Just make sure to use a specific org type in the template
>> so it doesn't try to update the attribute with values of orgs that are not
>> really AD OUs. I was using Rdn but it wasn't working right for AD
>> containers, so I used a raw script, which works great though.
>>
>> <attribute>
>>   <c:ref>ri:dn</c:ref>
>>   <outbound>
>>     <source>
>>       <c:path>$focus/organization</c:path>
>>     </source>
>>     <source>
>>       <c:path>$focus/name</c:path>
>>     </source>
>>     <expression>
>>       <script>
>>         <code>'CN=' + name + iterationToken + ',' + organization</code>
>>       </script>
>>     </expression>
>>   </outbound>
>>   <inbound>
>>     <expression>
>>       <script>
>>         <code>
>>           // normalise the incoming DN, then keep everything after the leaf RDN
>>           tmpdn = basic.uc(input);
>>           cn = tmpdn.substring(tmpdn.indexOf(",CN=") + 1);
>>           ou = tmpdn.substring(tmpdn.indexOf(",OU=") + 1);
>>           if (tmpdn.contains(",CN=")) {
>>             log.info("-- DN Path " + cn + " is a container")
>>             return basic.uc(cn);
>>           }
>>           if (tmpdn.contains(",OU=") && !tmpdn.contains(",CN=")) {
>>             log.info("-- DN Path " + ou + " is an orgunit")
>>             return basic.uc(ou);
>>           }
>>         </code>
>>       </script>
>>     </expression>
>>     <target>
>>       <c:path>$focus/organization</c:path>
>>     </target>
>>   </inbound>
>> </attribute>
>>
>> On Thu, Mar 28, 2019 at 10:57 AM Vladislavs Filipciks <
>> vladislavs.filipciks at csolutions.lv> wrote:
>>
>>> Hello.
>>>
>>> Is it possible to take an attribute from an organizational unit and map it to
>>> a user's attribute?
>>> For example, I would like to create an extended attribute for the organizational
>>> unit - DN (Distinguished Name), then map it to the user's "Organization"
>>> attribute, so that I'll be able to create the user in AD in a specific OU
>>> container.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
-------------- next part --------------
<!-- Add to Default User Template -->
<mapping>
  <name>Assign AD Org</name>
  <strength>strong</strength>
  <source>
    <c:path>$focus/organization</c:path>
  </source>
  <expression>
    <assignmentTargetSearch>
      <targetType>c:OrgType</targetType>
      <filter>
        <q:equal>
          <q:matching>polyStringNorm</q:matching>
          <q:path>name</q:path> <!-- Find the organization by the org's 'name' attribute -->
          <expression>
            <path>$organization</path> <!-- Match against the user's attribute from the source path -->
          </expression>
        </q:equal>
      </filter>
    </assignmentTargetSearch>
  </expression>
  <evaluationPhase>afterAssignments</evaluationPhase>
  <target>
    <c:path>$focus/assignment</c:path>
  </target>
</mapping>
<!-- Add to Default Org Template -->
<mapping>
  <name>Org metarole assignment</name>
  <authoritative>true</authoritative>
  <strength>strong</strength>
  <source>
    <c:path>orgType</c:path>
  </source>
  <expression>
    <assignmentTargetSearch>
      <targetType>c:RoleType</targetType>
      <oid>metarole-orgToOrgMapping</oid>
    </assignmentTargetSearch>
  </expression>
  <target>
    <c:path>assignment</c:path>
  </target>
  <!-- Create or use an attribute to assign this role only to those orgs that are to be an AD org unit, using orgType as an example -->
  <condition>
    <script>
      <code>orgType == 'adOrgUnit'</code>
    </script>
  </condition>
</mapping>
<!-- The role definition that gets assigned above, which adds the org's 'name' attribute to the user's attribute -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      oid="metarole-orgToOrgMapping">
  <name>Metarole: Org to Org</name>
  <description>This will add, create, or update the organization attribute on the focus object</description>
  <displayName>Metarole: Org to Org</displayName>
  <inducement id="1">
    <focusMappings>
      <mapping>
        <source>
          <c:path>$immediateRole/name</c:path> <!-- The attribute on the organization to copy into the user attribute named in the target -->
        </source>
        <target>
          <c:path>$focus/organization</c:path> <!-- The focus, a.k.a. the User attribute -->
        </target>
      </mapping>
    </focusMappings>
    <order>2</order>
    <focusType>c:UserType</focusType>
  </inducement>
  <requestable>false</requestable>
</role>
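The DN handling discussed in this thread, both the outbound 'CN=' + name + iterationToken + ',' + organization construction and the inbound script that strips the leaf RDN to recover the container, as an added example in plain Python (a stand-in for the Groovy midPoint scripts; this is not midPoint's API and not code from the thread, and the function names are mine). It goes a step beyond the thread's scripts: it applies RFC 4514 escaping so a fullName or name containing commas cannot add RDNs to the DN, and it returns the immediate parent container rather than searching for ",CN=" before ",OU="; the sample DNs are constructed.

```python
# Added example (plain Python stand-in for the thread's Groovy scripts, not midPoint
# code): DN construction with RFC 4514 escaping and parent-container extraction.
DN_SPECIALS = ',+"\\<>;'

def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 so a user-controlled name such as
    'Smith, John' cannot inject extra RDNs into the DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)

def build_user_dn(name: str, iteration_token: str, organization: str) -> str:
    """Outbound mapping: CN=<name><iterationToken>,<container DN from organization>."""
    return 'CN=' + escape_rdn_value(name + iteration_token) + ',' + organization

def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == ',':
            parts.append(''.join(cur).lstrip(' '))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur).lstrip(' '))
    return parts

def parent_container(dn: str) -> str:
    """Inbound mapping: drop the leaf RDN and return the container DN (OU or CN),
    keeping the original case instead of upper-casing the whole DN."""
    parts = split_dn(dn)
    return ','.join(parts[1:]) if len(parts) > 1 else ''

def container_kind(container_dn: str) -> str:
    """Classify the container as the thread's script logs it: 'orgunit' or 'container'."""
    attr = split_dn(container_dn)[0].split('=', 1)[0].strip().upper()
    return {'OU': 'orgunit', 'CN': 'container'}.get(attr, 'other')
```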