[midPoint] Organizational Unit attribute mapping to User attribute

Jason Everling jeverling at bshp.edu
Mon Apr 8 21:57:36 CEST 2019


If your extension/adOUContainer = OU=TEHNISKAIS CENTRS,OU=ANOTHER1,DC=EXAMPLE,DC=COM
you would want to use the below,

description.tokenize("OU=")[0].split(",")[0];

which would yield,

TEHNISKAIS CENTRS

check
https://ideone.com/RUoDgB

On Mon, Apr 8, 2019 at 12:14 PM Jason Everling <jeverling at bshp.edu> wrote:

> What is the value for the Org 'name' attribute?
>
>
> On Mon, Apr 8, 2019 at 9:03 AM Vladislavs Filipciks <
> vladislavs.filipciks at csolutions.lv> wrote:
>
>> Hi.
>> I was looking at the OrgSync Story Test, especially the part where
>> assignmentTargetSearch is used to assign the first Org from orgpath.
>> So I've tried to implement it in my scenario:
>> <mapping>
>>         <name>Org mapping</name>
>>         <authoritative>true</authoritative>
>>         <source>
>>             <path>extension/adOUContainer</path>
>>         </source>
>>         <expression>
>>             <assignmentTargetSearch>
>>                 <targetType>OrgType</targetType>
>>                 <filter>
>>                     <q:equal>
>>                         <q:path>name</q:path>
>>                         <expression>
>>                             <script>
>>                                 <code>
>>                                     adOUContainer.tokenize(',OU=')[0]
>>                                 </code>
>>                             </script>
>>                         </expression>
>>                     </q:equal>
>>                 </filter>
>>              </assignmentTargetSearch>
>>         </expression>
>>         <target>
>>             <path>assignment</path>
>>         </target>
>>     </mapping>
>>
>> But no assignment is returned (I think so), because the user is not getting
>> the proper assignment of OrgType.
>>
>> I've tried "Mapping playground", and here's what I get:
>>
>> <mapping>
>>         <name>Org mapping</name>
>>         <authoritative>true</authoritative>
>>         <source>
>>             <path>description</path>
>>         </source>
>>         <expression>
>>             <assignmentTargetSearch>
>>                 <targetType>OrgType</targetType>
>>                 <filter>
>>                     <equal>
>>                         <path>name</path>
>>                         <expression>
>>                             <script>
>>                                 <code>
>>                                     description.tokenize(',OU=')[0]
>>                                 </code>
>>                             </script>
>>                         </expression>
>>                     </equal>
>>                 </filter>
>>             </assignmentTargetSearch>
>>         </expression>
>>         <target>
>>             <path>assignment</path>
>>         </target>
>>     </mapping>
>>
>> With request of:
>>
>> <mappingExecutionRequest>
>>     <sourceContext>
>>         <user>
>>             <description>OU=TEHNISKAIS CENTRS</description>
>>
>>         </user>
>>     </sourceContext>
>> </mappingExecutionRequest>
>>
>> and the result will be:
>>
>> Output triple:
>>   DeltaSetTriple:
>>       zero:
>>         id=null
>>           targetRef: oid=756c807e-b01b-44ff-a750-13f004599859(OrgType)
>>       plus:
>>       minus:
>>
>> Condition output triple:
>>   DeltaSetTriple:
>>       zero:
>>         true
>>       plus:
>>       minus:
>>
>> Time constraint valid: true
>> Next recompute time: null
>>
>> Evaluation time: 18 ms
>>
>> So, if I'm right, this assignmentTargetSearch returned the right OrgType
>> (the oid in the result refers to the Org that I'm trying to assign).
>> Any suggestions?
>>
>> ------------------------------
>> *From: *"Jason Everling" <jeverling at bshp.edu>
>> *To: *"midpoint" <midpoint at lists.evolveum.com>
>> *Sent: *Tuesday, 2 April, 2019 16:56:50
>> *Subject: *Re: [midPoint] Organizational Unit attribute mapping to User attribute
>>
>> It's a 3-part configuration: one to assign the org based on the user
>> attribute within the default user template, and then a metarole to create
>> the focus mappings to the user that gets assigned to all orgs of the
>> specified type. I used orgType in the example because that is what is used
>> mainly in the midPoint samples as well.
>>
>> On Tue, Apr 2, 2019 at 3:09 AM Vladislavs Filipciks <
>> vladislavs.filipciks at csolutions.lv> wrote:
>>
>>> Basically, right now what I need is that the midPoint Org attribute is
>>> mapped to the organization attribute of all users that are assigned to that Org.
>>>
>>> ------------------------------
>>> *From: *"Jason Everling" <jeverling at bshp.edu>
>>> *To: *"midpoint" <midpoint at lists.evolveum.com>
>>> *Sent: *Monday, 1 April, 2019 17:03:07
>>> *Subject: *Re: [midPoint] Organizational Unit attribute mapping to User attribute
>>>
>>> There are some examples and such on GitHub, but nothing really complete
>>> for AD itself; you can start here to get an idea:
>>> https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/orgsync
>>>
>>> Give me some time and I can send you a complete working set for AD. Also,
>>> it would be easier to extend your schema with some extensions for easier
>>> management and future use. The 'organization' attribute is PolyString; it
>>> is up to you.
>>>
>>> For example, for each type (UserTypeExtensionType, RoleTypeExtensionType,
>>> OrgTypeExtensionType), in ours we have extension attributes 'adLdapPath'
>>> and 'odLdapPath', since we use both AD and OpenLDAP, which get filled in
>>> using the sample I first sent, for each in the resource definition:
>>>
>>> <xsd:element name="adLdapPath" type="xsd:string" minOccurs="0" maxOccurs="1">
>>>     <xsd:annotation>
>>>         <xsd:appinfo>
>>>             <a:indexed>true</a:indexed>
>>>             <a:displayName>Active Directory Path</a:displayName>
>>>             <a:displayOrder>1041</a:displayOrder>
>>>             <a:help>Path to object in Active Directory</a:help>
>>>         </xsd:appinfo>
>>>     </xsd:annotation>
>>> </xsd:element>
>>> <xsd:element name="odLdapPath" type="xsd:string" minOccurs="0" maxOccurs="1">
>>>     <xsd:annotation>
>>>         <xsd:appinfo>
>>>             <a:indexed>true</a:indexed>
>>>             <a:displayName>OpenLDAP Path</a:displayName>
>>>             <a:displayOrder>1042</a:displayOrder>
>>>             <a:help>Path to object in OpenLDAP</a:help>
>>>         </xsd:appinfo>
>>>     </xsd:annotation>
>>> </xsd:element>
>>>
>>> On Mon, Apr 1, 2019 at 3:58 AM Vladislavs Filipciks <
>>> vladislavs.filipciks at csolutions.lv> wrote:
>>>
>>>> Thanks for the reply. This sync works fine for the inbound mapping from the AD
>>>> resource - organizations in midPoint are being created on demand.
>>>>
>>>> What I'm trying to achieve is:
>>>> 1. Import the organization structure from the AD resource. Your mapping works
>>>> fine if the user in AD is placed in any OU in AD. But how can I import OUs
>>>> from AD into the midPoint organization structure if there are no users in
>>>> that OU in AD? I got group import from AD working, where AD groups are synced to
>>>> midPoint roles, but I was not able to sync OUs from AD to Organizations in
>>>> midPoint. Here's my object type (taken from the OrgSync Story example):
>>>> <objectType>
>>>>     <kind>generic</kind>
>>>>     <intent>ou</intent>
>>>>     <displayName>Organizational Unit</displayName>
>>>>     <objectClass>ri:organizationalUnit</objectClass>
>>>>     <attribute>
>>>>         <ref>ri:ou</ref>
>>>>         <inbound>
>>>>             <strength>weak</strength>
>>>>             <target>
>>>>                 <path>$focus/name</path>
>>>>             </target>
>>>>         </inbound>
>>>>     </attribute>
>>>>     <attribute>
>>>>         <ref>ri:description</ref>
>>>>         <inbound>
>>>>             <strength>weak</strength>
>>>>             <target>
>>>>                 <path>$focus/description</path>
>>>>             </target>
>>>>         </inbound>
>>>>     </attribute>
>>>> </objectType>
>>>>
>>>> With this object type I don't see any record in the resource for the Generic
>>>> kind.
>>>>
>>>> 2. I would like to make midPoint the central management system, so I would
>>>> like to be able to create a new Organization in midPoint; then, when a user is
>>>> assigned this organization, this user will be created in the AD resource in
>>>> the Organization's container. I've tried to specify the DN for the
>>>> Organization in midPoint in the description attribute and then construct the user's
>>>> DN:
>>>>
>>>> <inducement id="10">
>>>>     <construction>
>>>>         <strength>weak</strength>
>>>>         <resourceRef oid="be74efc9-6df3-470c-bfcf-c6d4f4165772" relation="org:default" type="c:ResourceType">
>>>>             <!-- CS AD User outbound Resource 19.26 -->
>>>>         </resourceRef>
>>>>         <attribute id="12">
>>>>             <c:ref>ri:dn</c:ref>
>>>>             <displayName>Distinguished Name</displayName>
>>>>             <outbound>
>>>>                 <source>
>>>>                     <c:path>$user/fullName</c:path>
>>>>                 </source>
>>>>                 <source>
>>>>                     <c:path>description</c:path>
>>>>                 </source>
>>>>                 <expression>
>>>>                     <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
>>>>                         <code>
>>>>                             'CN=' + fullName + ',' + description
>>>>                         </code>
>>>>                     </script>
>>>>                 </expression>
>>>>             </outbound>
>>>>         </attribute>
>>>>     </construction>
>>>> </inducement>
>>>>
>>>> But the user is not created in the resource.
>>>>
>>>> ------------------------------
>>>> *From: *"Jason Everling" <jeverling at bshp.edu>
>>>> *To: *"midpoint" <midpoint at lists.evolveum.com>
>>>> *Sent: *Thursday, 28 March, 2019 20:18:13
>>>> *Subject: *Re: [midPoint] Organizational Unit attribute mapping to User attribute
>>>>
>>>> Now when the organization is updated with a new value it will re-build the
>>>> user's DN, which of course will place them in the OU based on the attribute. You
>>>> can also use org sync to create your AD structure in midPoint, then map the
>>>> organization assignment to the user's attribute so you can use
>>>> assignment-based placement. Just make sure to use a specific org type in the template
>>>> so it doesn't try to update the attribute with values of orgs that are not
>>>> really AD OUs. I was using Rdn but it wasn't working right for AD
>>>> containers, so a raw script; works great though.
>>>>
>>>> <attribute>
>>>>     <c:ref>ri:dn</c:ref>
>>>>     <outbound>
>>>>         <source>
>>>>             <c:path>$focus/organization</c:path>
>>>>         </source>
>>>>         <source>
>>>>             <c:path>$focus/name</c:path>
>>>>         </source>
>>>>         <expression>
>>>>             <script>
>>>>                 <code>'CN=' + name + iterationToken + ',' + organization</code>
>>>>             </script>
>>>>         </expression>
>>>>     </outbound>
>>>>     <inbound>
>>>>         <expression>
>>>>             <script>
>>>>                 <code>
>>>>                     // upper-case the incoming DN so the ",CN=" / ",OU=" checks are case-insensitive
>>>>                     tmpdn = basic.uc(input);
>>>>                     // everything after the leaf RDN, i.e. the DN of the parent container
>>>>                     cn = tmpdn.substring(tmpdn.indexOf(",CN=") + 1);
>>>>                     ou = tmpdn.substring(tmpdn.indexOf(",OU=") + 1);
>>>>                     if (tmpdn.contains(",CN=")) {
>>>>                         log.info("-- DN Path " + cn + " is a container");
>>>>                         return basic.uc(cn);
>>>>                     }
>>>>                     if (tmpdn.contains(",OU=") && !tmpdn.contains(",CN=")) {
>>>>                         log.info("-- DN Path " + ou + " is an orgunit");
>>>>                         return basic.uc(ou);
>>>>                     }
>>>>                 </code>
>>>>             </script>
>>>>         </expression>
>>>>         <target>
>>>>             <c:path>$focus/organization</c:path>
>>>>         </target>
>>>>     </inbound>
>>>> </attribute>
>>>>
>>>> On Thu, Mar 28, 2019 at 10:57 AM Vladislavs Filipciks <
>>>> vladislavs.filipciks at csolutions.lv> wrote:
>>>>
>>>>> Hello.
>>>>>
>>>>> Is it possible to take an attribute from an organizational unit and map it
>>>>> to a user's attribute?
>>>>> For example, I would like to create an extended attribute for the
>>>>> organizational unit - DN (Distinguished Name), then map it to the user's
>>>>> "Organization" attribute, so that I'll be able to create the user in AD in a
>>>>> specific OU container.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>
>>>
>>
>
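The `description.tokenize("OU=")[0].split(",")[0]` one-liner at the top of this message does return TEHNISKAIS CENTRS for the sample value, but only because Groovy's String.tokenize(String) follows java.util.StringTokenizer and treats each character of "OU=" as a separate delimiter, so an OU name that itself contains an O or a U is cut short and the user lands in the wrong container. The Python below is an added example, not code from this thread or from midPoint: it emulates that tokenize behaviour beside an RDN-aware extractor, plus the parent-container extraction that the inbound ri:dn script earlier in the thread performs; all DNs are constructed.

```python
import re

# Constructed sample DNs for this example (not values from the thread's AD).
SAMPLE_DN = "OU=TEHNISKAIS CENTRS,OU=ANOTHER1,DC=EXAMPLE,DC=COM"
TRICKY_DN = "OU=HOUSTON OUTREACH,OU=ANOTHER1,DC=EXAMPLE,DC=COM"


def groovy_tokenize(s, delims):
    """Emulate Groovy's String.tokenize(String): as with java.util.StringTokenizer,
    every character of `delims` is its own delimiter and empty tokens are dropped."""
    return [t for t in re.split("[" + re.escape(delims) + "]", s) if t]


def naive_first_ou(dn):
    """The thread's one-liner, dn.tokenize("OU=")[0].split(",")[0], via the emulation."""
    return groovy_tokenize(dn, "OU=")[0].split(",")[0]


def split_rdns(dn):
    """Split a DN into its RDN strings on unescaped commas (RFC 4514 '\\,' is kept as-is)."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]


def first_ou(dn):
    """Value of the first (leaf) OU RDN, matched by attribute type, not by characters."""
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().upper() == "OU":
            return value
    return None


def parent_container(dn):
    """Everything after the leaf RDN, upper-cased: what the thread's inbound ri:dn
    script stores into $focus/organization."""
    rdns = split_rdns(dn)
    return ",".join(rdns[1:]).upper() if len(rdns) > 1 else None


if __name__ == "__main__":
    for dn in (SAMPLE_DN, TRICKY_DN):
        print(f"{dn}: naive={naive_first_ou(dn)!r} rdn-aware={first_ou(dn)!r}")
    print(parent_container("CN=Jane Doe,OU=TEHNISKAIS CENTRS,DC=EXAMPLE,DC=COM"))
```

Run stand-alone, the script prints the two extractions side by side; on TRICKY_DN the naive form yields "H" while the RDN-aware form yields the full OU name.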