[midPoint] Organizational Unit attribute mapping to User attribute
Jason Everling
jeverling at bshp.edu
Mon Apr 8 19:14:53 CEST 2019
What is the value for the Org 'name' attribute?
On Mon, Apr 8, 2019 at 9:03 AM Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
> Hi.
> I was looking at the OrgSync Story Test, especially the part where
> assignmentTargetSearch is used to assign the first Org from the orgpath.
> So I've tried to implement it in my scenario:
> <mapping>
> <name>Org mapping</name>
> <authoritative>true</authoritative>
> <source>
> <path>extension/adOUContainer</path>
> </source>
> <expression>
> <assignmentTargetSearch>
> <targetType>OrgType</targetType>
> <filter>
> <q:equal>
> <q:path>name</q:path>
> <expression>
> <script>
> <code>
> adOUContainer.tokenize(',OU=')[0]
> </code>
> </script>
> </expression>
> </q:equal>
> </filter>
> </assignmentTargetSearch>
> </expression>
> <target>
> <path>assignment</path>
> </target>
> </mapping>
>
> But no assignment is returned (I think so), because the user is not getting
> the proper assignment of OrgType.
>
> I've tried "Mapping playground", and here's what I get:
>
> <mapping>
> <name>Org mapping</name>
> <authoritative>true</authoritative>
> <source>
> <path>description</path>
> </source>
> <expression>
> <assignmentTargetSearch>
> <targetType>OrgType</targetType>
> <filter>
> <equal>
> <path>name</path>
> <expression>
> <script>
> <code>
> description.tokenize(',OU=')[0]
> </code>
> </script>
> </expression>
> </equal>
> </filter>
> </assignmentTargetSearch>
> </expression>
> <target>
> <path>assignment</path>
> </target>
> </mapping>
>
> With request of:
>
> <mappingExecutionRequest>
> <sourceContext>
> <user>
> <description>OU=TEHNISKAIS CENTRS</description>
>
> </user>
> </sourceContext>
> </mappingExecutionRequest>
>
> and the result will be:
>
> Output triple:
> DeltaSetTriple:
> zero:
> id=null
> targetRef: oid=756c807e-b01b-44ff-a750-13f004599859(OrgType)
> plus:
> minus:
>
> Condition output triple:
> DeltaSetTriple:
> zero:
> true
> plus:
> minus:
>
> Time constraint valid: true
> Next recompute time: null
>
> Evaluation time: 18 ms
>
> So, if I'm right, this assignmentTargetSearch returned the right OrgType
> (the oid in the result refers to the Org that I'm trying to assign).
> Any suggestions?
>
> ------------------------------
> *From: *"Jason Everling" <jeverling at bshp.edu>
> *To: *"midpoint" <midpoint at lists.evolveum.com>
> *Sent: *Tuesday, 2 April, 2019 16:56:50
> *Subject: *Re: [midPoint] Organizational Unit attribute mapping to
> User attribute
>
> It's a 3-part configuration: one to assign the org based on the user
> attribute within the default user template, and then a metarole to create
> the focus mappings to the user that gets assigned to all orgs of the
> specified type. I used orgType in the example because that is what is used
> mainly in the midpoint samples as well.
>
> On Tue, Apr 2, 2019 at 3:09 AM Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>
>> Basically, right now what I need is that the MidPoint Org attribute is mapped
>> to the organization attribute of all users that are assigned to that Org.
>>
>> ------------------------------
>> *From: *"Jason Everling" <jeverling at bshp.edu>
>> *To: *"midpoint" <midpoint at lists.evolveum.com>
>> *Sent: *Monday, 1 April, 2019 17:03:07
>> *Subject: *Re: [midPoint] Organizational Unit attribute mapping to
>> User attribute
>>
>> There are some examples and such on GitHub but nothing really complete
>> for AD itself; you can start here to get an idea:
>> https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/orgsync
>>
>> Give me some time and I can send you a complete working set for AD. Also,
>> it would be easier to extend your schema with some extensions for easier
>> management and future use. The 'organization' attribute is PolyString; it
>> is up to you.
>>
>> For example, in ours each type (UserTypeExtensionType, RoleTypeExtensionType,
>> OrgTypeExtensionType) has an extension attribute 'adLdapPath'
>> and 'odLdapPath', since we use both AD and OpenLDAP, which gets filled in
>> using the sample I first sent for each in the resource definition:
>>
>> <xsd:element name="adLdapPath" type="xsd:string" minOccurs="0"
>> maxOccurs="1">
>> <xsd:annotation>
>> <xsd:appinfo>
>> <a:indexed>true</a:indexed>
>> <a:displayName>Active Directory Path</a:displayName>
>> <a:displayOrder>1041</a:displayOrder>
>> <a:help>Path to object in Active Directory</a:help>
>> </xsd:appinfo>
>> </xsd:annotation>
>> </xsd:element>
>> <xsd:element name="odLdapPath" type="xsd:string" minOccurs="0"
>> maxOccurs="1">
>> <xsd:annotation>
>> <xsd:appinfo>
>> <a:indexed>true</a:indexed>
>> <a:displayName>OpenLDAP Path</a:displayName>
>> <a:displayOrder>1042</a:displayOrder>
>> <a:help>Path to object in OpenLDAP</a:help>
>> </xsd:appinfo>
>> </xsd:annotation>
>> </xsd:element>
>>
>> On Mon, Apr 1, 2019 at 3:58 AM Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>>
>>> Thanks for the reply. This sync works fine for the inbound mapping from the AD
>>> resource - organizations in midpoint are being created on demand.
>>>
>>> What I'm trying to achieve is:
>>> 1. Import the organization structure from the AD resource. Your mapping works
>>> fine if the user in AD is placed in any OU in AD. But how can I import OUs
>>> from AD to the midpoint organization structure if there are no users in
>>> that OU in AD? I got group import from AD working, where AD groups are synced to
>>> midpoint roles, but I was not able to sync OUs from AD to Organizations in
>>> midpoint. Here's my object type (taken from the OrgSync Story example):
>>> <objectType>
>>> <kind>generic</kind>
>>> <intent>ou</intent>
>>> <displayName>Organizational Unit</displayName>
>>> <objectClass>ri:organizationalUnit</objectClass>
>>> <attribute>
>>> <ref>ri:ou</ref>
>>> <inbound>
>>> <strength>weak</strength>
>>> <target>
>>> <path>$focus/name</path>
>>> </target>
>>> </inbound>
>>> </attribute>
>>> <attribute>
>>> <ref>ri:description</ref>
>>> <inbound>
>>> <strength>weak</strength>
>>> <target>
>>> <path>$focus/description</path>
>>> </target>
>>> </inbound>
>>> </attribute>
>>> </objectType>
>>>
>>> With this object type I don't see any record in the resource for the Generic
>>> kind.
>>>
>>> 2. I would like to make MidPoint the central management system, so I would
>>> like to be able to create a new Organization in MidPoint; then, when a user is
>>> assigned this organization, this user will be created in the AD Resource in
>>> the Organization's container in the AD resource. I've tried to specify the DN for the
>>> Organization in midpoint in the description attribute and then construct the user's
>>> DN:
>>>
>>> <inducement id="10">
>>> <construction>
>>> <strength>weak</strength>
>>> <resourceRef oid="be74efc9-6df3-470c-bfcf-c6d4f4165772"
>>> relation="org:default" type="c:ResourceType">
>>> <!-- CS AD User outbound Resource 19.26 -->
>>> </resourceRef>
>>> <attribute id="12">
>>> <c:ref>ri:dn</c:ref>
>>> <displayName>Distinguished Name</displayName>
>>> <outbound>
>>> <source>
>>> <c:path>$user/fullName</c:path>
>>> </source>
>>> <source>
>>> <c:path>description</c:path>
>>> </source>
>>> <expression>
>>> <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="c:ScriptExpressionEvaluatorType">
>>> <code>
>>> 'CN=' + fullName + ',' + description
>>> </code>
>>> </script>
>>> </expression>
>>> </outbound>
>>> </attribute>
>>> </construction>
>>> </inducement>
>>>
>>> But the user is not created in the resource.
>>>
>>> ------------------------------
>>> *From: *"Jason Everling" <jeverling at bshp.edu>
>>> *To: *"midpoint" <midpoint at lists.evolveum.com>
>>> *Sent: *Thursday, 28 March, 2019 20:18:13
>>> *Subject: *Re: [midPoint] Organizational Unit attribute mapping to
>>> User attribute
>>>
>>> Now when the organization is updated with a new value it will re-build the
>>> user's DN, which of course will place them in the OU based on the attribute.
>>> You can also use org sync to create your AD structure in midpoint, then map
>>> the organization assignment to the user's attribute so you can use
>>> assignment-based placement. Just make sure to use a specific org type in the
>>> template so it doesn't try to update the attribute with values of orgs that
>>> are not really AD OUs. I was using Rdn but it wasn't working right for AD
>>> containers, so a raw script; works great though.
>>>
>>> <attribute>
>>> <c:ref>ri:dn</c:ref>
>>> <outbound>
>>> <source>
>>> <c:path>$focus/organization</c:path>
>>> </source>
>>> <source>
>>> <c:path>$focus/name</c:path>
>>> </source>
>>> <expression>
>>> <script>
>>> <code>'CN=' + name + iterationToken + ',' + organization</code>
>>> </script>
>>> </expression>
>>> </outbound>
>>> <inbound>
>>> <expression>
>>> <script>
>>> <code>
>>> // Parent container of the entry: everything after the first ",CN=" / ",OU="
>>> tmpdn = basic.uc(input);
>>> cn = tmpdn.substring(tmpdn.indexOf(",CN=") + 1);
>>> ou = tmpdn.substring(tmpdn.indexOf(",OU=") + 1);
>>> if (tmpdn.contains(",CN=")) {
>>> log.info("-- DN Path " + cn + " is a container");
>>> return basic.uc(cn);
>>> }
>>> if (tmpdn.contains(",OU=") && !tmpdn.contains(",CN=")) {
>>> log.info("-- DN Path " + ou + " is an orgunit");
>>> return basic.uc(ou);
>>> }
>>> </code>
>>> </script>
>>> </expression>
>>> <target>
>>> <c:path>$focus/organization</c:path>
>>> </target>
>>> </inbound>
>>> </attribute>
>>>
>>> On Thu, Mar 28, 2019 at 10:57 AM Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>>>
>>>> Hello.
>>>>
>>>> Is it possible to take an attribute from an organizational unit and map it to
>>>> a user's attribute?
>>>> For example, I would like to create an extended attribute for the
>>>> organizational unit - DN (Distinguished Name), then map it to the user's
>>>> "Organization" attribute, so then I'll be able to create the user in AD in a
>>>> specific OU container.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>
>>
>>
>
>
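Added here as an editor's example (not code from the thread or from midPoint): a Python check of what the two DN expressions in the quoted mappings actually compute. Groovy's `tokenize(',OU=')` takes its argument as a set of delimiter characters, so `tokenize(',OU=')[0]` yields the org name only when that name contains none of the characters `,` `O` `U` `=`; `first_ou_name` and `parent_container` are an escape-aware RDN-based alternative. The sample DNs are constructed.

```python
import re

# Constructed sample values (not taken from the thread): a user DN and two OU containers.
USER_DN = "CN=John Smith,OU=SUPPORT,OU=IT,DC=example,DC=com"
CONTAINER_FLAT = "OU=TEHNISKAIS CENTRS"                  # the playground input quoted above
CONTAINER_NESTED = "OU=SUPPORT,OU=IT,DC=example,DC=com"

def groovy_tokenize(s, delims):
    """Emulate Groovy String.tokenize(String): the argument is a SET of delimiter
    characters (java.util.StringTokenizer semantics), not a separator string."""
    return [t for t in re.split("[" + re.escape(delims) + "]+", s) if t]

def naive_org_name(container):
    """What `adOUContainer.tokenize(',OU=')[0]` evaluates to in the quoted mapping."""
    return groovy_tokenize(container, ",OU=")[0]

def split_rdns(dn):
    """Split a DN into its RDN strings, honouring backslash escapes (RFC 4514),
    so a value such as 'Smith\\, John' is not cut at the escaped comma."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escaped character intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def first_ou_name(container):
    """Value of the first OU RDN: the org `name` an assignmentTargetSearch should look up."""
    for rdn in split_rdns(container):
        typ, _, val = rdn.partition("=")
        if typ.strip().upper() == "OU":
            return val.replace("\\,", ",")
    return None

def parent_container(dn):
    """Container DN of an entry, upper-cased like basic.uc() in the inbound ri:dn script."""
    return ",".join(split_rdns(dn)[1:]).upper()
```

For the flat playground input both approaches agree, which is why the test above found an Org; for a nested container the tokenize form returns a fragment of the OU name while the RDN parse returns the whole value.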