[midPoint] Organizational Unit attribute mapping to User attribute
Jason Everling
jeverling at bshp.edu
Mon Apr 8 22:21:27 CEST 2019
Here is another one I created; this one is using the AD attribute
canonicalName, you can see how each variable is constructed
https://ideone.com/uNZhus
On Mon, Apr 8, 2019 at 2:57 PM Jason Everling <jeverling at bshp.edu> wrote:
> If your extension/adOUContainer = OU=TEHNISKAIS
> CENTRS,OU=ANOTHER1,DC=EXAMPLE,DC=COM you would want to use the below,
>
> description.tokenize("OU=")[0].split(",")[0];
>
> which would yield,
>
> TEHNISKAIS CENTRS
>
> check
> https://ideone.com/RUoDgB
>
> On Mon, Apr 8, 2019 at 12:14 PM Jason Everling <jeverling at bshp.edu> wrote:
>
>> What is the value for the Org 'name' attribute?
>>
>>
>> On Mon, Apr 8, 2019 at 9:03 AM Vladislavs Filipciks <
>> vladislavs.filipciks at csolutions.lv> wrote:
>>
>>> Hi.
>>> I was looking at the OrgSync Story Test, especially the part where
>>> assignmentTargetSearch is used to assign the first Org from orgpath.
>>> So I've tried to implement it in my scenario:
>>> <mapping>
>>> <name>Org mapping</name>
>>> <authoritative>true</authoritative>
>>> <source>
>>> <path>extension/adOUContainer</path>
>>> </source>
>>> <expression>
>>> <assignmentTargetSearch>
>>> <targetType>OrgType</targetType>
>>> <filter>
>>> <q:equal>
>>> <q:path>name</q:path>
>>> <expression>
>>> <script>
>>> <code>
>>> adOUContainer.tokenize(',OU=')[0]
>>> </code>
>>> </script>
>>> </expression>
>>> </q:equal>
>>> </filter>
>>> </assignmentTargetSearch>
>>> </expression>
>>> <target>
>>> <path>assignment</path>
>>> </target>
>>> </mapping>
>>>
>>> But no assignment is returned (I think so), because the user is not getting
>>> the proper assignment of OrgType.
>>>
>>> I've tried "Mapping playground", and here's what I get:
>>>
>>> <mapping>
>>> <name>Org mapping</name>
>>> <authoritative>true</authoritative>
>>> <source>
>>> <path>description</path>
>>> </source>
>>> <expression>
>>> <assignmentTargetSearch>
>>> <targetType>OrgType</targetType>
>>> <filter>
>>> <equal>
>>> <path>name</path>
>>> <expression>
>>> <script>
>>> <code>
>>> description.tokenize(',OU=')[0]
>>> </code>
>>> </script>
>>> </expression>
>>> </equal>
>>> </filter>
>>> </assignmentTargetSearch>
>>> </expression>
>>> <target>
>>> <path>assignment</path>
>>> </target>
>>> </mapping>
>>>
>>> With request of:
>>>
>>> <mappingExecutionRequest>
>>> <sourceContext>
>>> <user>
>>> <description>OU=TEHNISKAIS CENTRS</description>
>>>
>>> </user>
>>> </sourceContext>
>>> </mappingExecutionRequest>
>>>
>>> and the result will be:
>>>
>>> Output triple:
>>> DeltaSetTriple:
>>> zero:
>>> id=null
>>> targetRef: oid=756c807e-b01b-44ff-a750-13f004599859(OrgType)
>>> plus:
>>> minus:
>>>
>>> Condition output triple:
>>> DeltaSetTriple:
>>> zero:
>>> true
>>> plus:
>>> minus:
>>>
>>> Time constraint valid: true
>>> Next recompute time: null
>>>
>>> Evaluation time: 18 ms
>>>
>>> So, if I'm right, this assignmentTargetSearch returned the right OrgType
>>> (the oid in the result refers to the Org that I'm trying to assign).
>>> Any suggestions?
>>>
>>> ------------------------------
>>> *From: *"Jason Everling" <jeverling at bshp.edu>
>>> *To: *"midpoint" <midpoint at lists.evolveum.com>
>>> *Sent: *Tuesday, 2 April, 2019 16:56:50
>>> *Subject: *Re: [midPoint] Organizational Unit attribute mapping to
>>> User attribute
>>>
>>> It's a 3-part configuration: one to assign the org based on the user
>>> attribute within the default user template, and then a metarole to create
>>> the focus mappings to the user that gets assigned to all orgs of the
>>> specified type. I used orgType in the example because that is what is used
>>> mainly in the midpoint samples as well.
>>>
>>> On Tue, Apr 2, 2019 at 3:09 AM Vladislavs Filipciks <
>>> vladislavs.filipciks at csolutions.lv> wrote:
>>>
>>>> Basically, right now what I need is that the MidPoint Org attribute is
>>>> mapped to the organization attribute of all users that are assigned to that Org.
>>>>
>>>> ------------------------------
>>>> *From: *"Jason Everling" <jeverling at bshp.edu>
>>>> *To: *"midpoint" <midpoint at lists.evolveum.com>
>>>> *Sent: *Monday, 1 April, 2019 17:03:07
>>>> *Subject: *Re: [midPoint] Organizational Unit attribute mapping to
>>>> User attribute
>>>>
>>>> There are some examples and such on GitHub but nothing really complete
>>>> for AD itself; you can start here to get an idea,
>>>> https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/orgsync
>>>>
>>>> Give me some time and I can send you a complete working set for AD.
>>>> Also, it would be easier to extend your schema with some extensions for
>>>> easier management and future use. The 'organization' attribute is
>>>> PolyString; it is up to you.
>>>>
>>>> For example, for each type (UserTypeExtensionType, RoleTypeExtensionType,
>>>> OrgTypeExtensionType), in ours we have the extension attributes 'adLdapPath'
>>>> and 'odLdapPath', since we use both AD and OpenLDAP, which get filled in
>>>> using the sample I first sent for each in the resource definition:
>>>>
>>>> <xsd:element name="adLdapPath" type="xsd:string" minOccurs="0"
>>>> maxOccurs="1">
>>>> <xsd:annotation>
>>>> <xsd:appinfo>
>>>> <a:indexed>true</a:indexed>
>>>> <a:displayName>Active Directory Path</a:displayName>
>>>> <a:displayOrder>1041</a:displayOrder>
>>>> <a:help>Path to object in Active Directory</a:help>
>>>> </xsd:appinfo>
>>>> </xsd:annotation>
>>>> </xsd:element>
>>>> <xsd:element name="odLdapPath" type="xsd:string" minOccurs="0"
>>>> maxOccurs="1">
>>>> <xsd:annotation>
>>>> <xsd:appinfo>
>>>> <a:indexed>true</a:indexed>
>>>> <a:displayName>OpenLDAP Path</a:displayName>
>>>> <a:displayOrder>1042</a:displayOrder>
>>>> <a:help>Path to object in OpenLDAP</a:help>
>>>> </xsd:appinfo>
>>>> </xsd:annotation>
>>>> </xsd:element>
>>>>
>>>>
>>>> On Mon, Apr 1, 2019 at 3:58 AM Vladislavs Filipciks <
>>>> vladislavs.filipciks at csolutions.lv> wrote:
>>>>
>>>>> Thanks for the reply. This sync works fine for the inbound mapping from the AD
>>>>> resource - organizations in midpoint are being created on demand.
>>>>>
>>>>> What I'm trying to achieve is:
>>>>> 1. Import the organization structure from the AD resource. Your mapping works
>>>>> fine if the user in AD is placed in any OU in AD. But how can I import OUs
>>>>> from AD into the midpoint organization structure if there are no users in
>>>>> that OU in AD? I got group import from AD, where AD groups are being synced to
>>>>> midpoint roles, but I was not able to sync OUs from AD to Organizations in
>>>>> midpoint. Here's my object type (taken from the OrgSync Story example):
>>>>> <objectType>
>>>>> <kind>generic</kind>
>>>>> <intent>ou</intent>
>>>>> <displayName>Organizational Unit</displayName>
>>>>> <objectClass>ri:organizationalUnit</objectClass>
>>>>> <attribute>
>>>>> <ref>ri:ou</ref>
>>>>> <inbound>
>>>>> <strength>weak</strength>
>>>>> <target>
>>>>> <path>$focus/name</path>
>>>>> </target>
>>>>> </inbound>
>>>>> </attribute>
>>>>> <attribute>
>>>>> <ref>ri:description</ref>
>>>>> <inbound>
>>>>> <strength>weak</strength>
>>>>> <target>
>>>>> <path>$focus/description</path>
>>>>> </target>
>>>>> </inbound>
>>>>> </attribute>
>>>>> </objectType>
>>>>>
>>>>> With this object type I don't see any record in the resource for the Generic
>>>>> kind.
>>>>>
>>>>> 2. I would like to make MidPoint the central management system, so I would
>>>>> like to be able to create a new Organization in MidPoint; then, when a user is
>>>>> assigned this organization, this user will be created in the AD Resource in the
>>>>> Organization's container in AD. I've tried to specify the DN for the
>>>>> Organization in midpoint in the description attribute and then construct the user's
>>>>> DN:
>>>>>
>>>>> <inducement id="10">
>>>>> <construction>
>>>>> <strength>weak</strength>
>>>>> <resourceRef oid="be74efc9-6df3-470c-bfcf-c6d4f4165772"
>>>>> relation="org:default" type="c:ResourceType">
>>>>> <!-- CS AD User outbound Resource 19.26 -->
>>>>> </resourceRef>
>>>>> <attribute id="12">
>>>>> <c:ref>ri:dn</c:ref>
>>>>> <displayName>Distinguished Name</displayName>
>>>>> <outbound>
>>>>> <source>
>>>>> <c:path>$user/fullName</c:path>
>>>>> </source>
>>>>> <source>
>>>>> <c:path>description</c:path>
>>>>> </source>
>>>>> <expression>
>>>>> <script xmlns:xsi="
>>>>> http://www.w3.org/2001/XMLSchema-instance"
>>>>> xsi:type="c:ScriptExpressionEvaluatorType">
>>>>> <code>
>>>>> 'CN=' + fullName + ',' + description
>>>>> </code>
>>>>> </script>
>>>>> </expression>
>>>>> </outbound>
>>>>> </attribute>
>>>>> </construction>
>>>>> </inducement>
>>>>>
>>>>> But the user is not created in the resource.
>>>>>
>>>>>
>>>>> ------------------------------
>>>>> *From: *"Jason Everling" <jeverling at bshp.edu>
>>>>> *To: *"midpoint" <midpoint at lists.evolveum.com>
>>>>> *Sent: *Thursday, 28 March, 2019 20:18:13
>>>>> *Subject: *Re: [midPoint] Organizational Unit attribute mapping to
>>>>> User attribute
>>>>>
>>>>> Now when the organization is updated with a new value it will re-build the
>>>>> user's DN, which of course will place them in the OU based on the attribute. You
>>>>> can also use org sync to create your AD structure in midpoint, then map the
>>>>> organization assignment to the user's attribute so you can use assignment-
>>>>> based placement. Just make sure to use a specific org type in the template
>>>>> so it doesn't try to update the attribute with values of orgs that are not
>>>>> really AD OUs. I was using Rdn but it wasn't working right for AD
>>>>> containers, so a raw script; works great though.
>>>>>
>>>>> <attribute>
>>>>> <c:ref>ri:dn</c:ref>
>>>>> <outbound>
>>>>> <source>
>>>>> <c:path>$focus/organization</c:path>
>>>>> </source>
>>>>> <source>
>>>>> <c:path>$focus/name</c:path>
>>>>> </source>
>>>>> <expression>
>>>>> <script>
>>>>> <code>'CN=' + name + iterationToken + ',' +
>>>>> organization</code>
>>>>> </script>
>>>>> </expression>
>>>>> </outbound>
>>>>> <inbound>
>>>>> <expression>
>>>>> <script>
>>>>> <code>
>>>>> tmpdn = basic.uc(input);
>>>>> // everything from the first ",CN=" onward: the parent is a container
>>>>> cn = tmpdn.substring(tmpdn.indexOf(",CN=") + 1);
>>>>> // everything from the first ",OU=" onward: the parent is an organizational unit
>>>>> ou = tmpdn.substring(tmpdn.indexOf(",OU=") + 1);
>>>>> if (tmpdn.contains(",CN=")) {
>>>>> log.info("-- DN Path " + cn + " is a container");
>>>>> return basic.uc(cn);
>>>>> }
>>>>> if (tmpdn.contains(",OU=") &&
>>>>> !tmpdn.contains(",CN=")) {
>>>>> log.info("-- DN Path " + ou + " is an orgunit");
>>>>> return basic.uc(ou);
>>>>> }
>>>>> </code>
>>>>> </script>
>>>>> </expression>
>>>>> <target>
>>>>> <c:path>$focus/organization</c:path>
>>>>> </target>
>>>>> </inbound>
>>>>> </attribute>
>>>>>
>>>>> On Thu, Mar 28, 2019 at 10:57 AM Vladislavs Filipciks <
>>>>> vladislavs.filipciks at csolutions.lv> wrote:
>>>>>
>>>>>> Hello.
>>>>>>
>>>>>> Is it possible to take an attribute from an organizational unit and map it
>>>>>> to a user's attribute?
>>>>>> For example, I would like to create an extended attribute for the
>>>>>> organizational unit - DN (Distinguished Name), then map it to the user's
>>>>>> "Organization" attribute, so that I'll be able to create the user in AD in a
>>>>>> specific OU container.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
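The scripts in this thread split DNs on "," and "OU=" with tokenize(), and the outbound mapping builds the user DN as 'CN=' + fullName + ',' + description with no escaping. Below is an added Python stand-in for those Groovy expressions (it is not code from the thread or from midPoint) that splits only on unescaped commas and escapes the CN value per RFC 4514, so a fullName containing a comma neither breaks the OU extraction nor changes which container the user object is placed in. The function names and sample DNs are constructed for the example.

```python
import string

# Characters RFC 4514 requires to be backslash-escaped inside an RDN value.
SPECIAL = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape one attribute value for use inside an RDN (RFC 4514, section 2.4)."""
    chars = ["\\" + c if c in SPECIAL else c for c in value]
    if value[:1] in ("#", " "):                 # a leading '#' or space must be escaped
        chars[0] = "\\" + chars[0]
    if len(value) > 1 and value.endswith(" "):  # so must a trailing space
        chars[-1] = "\\ "
    return "".join(chars)


def split_dn(dn):
    """Split a DN into (ATTR, value) pairs, honouring '\\,' and hex-pair ('\\2C') escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(chr(int(pair, 16)))  # hex-pair escape, e.g. \2C -> ','
                i += 3
            else:
                buf.append(dn[i + 1])           # backslash-escaped special character
                i += 2
            continue
        if ch == ",":                           # only an unescaped comma ends an RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return [(a.strip().upper(), v) for a, _, v in (r.partition("=") for r in rdns)]


def first_ou(dn):
    """Innermost OU value: what the thread's tokenize("OU=")[0].split(",")[0] is after."""
    return next((v for a, v in split_dn(dn) if a == "OU"), None)


def user_dn(full_name, container_dn):
    """'CN=<fullName>,<container>' as the thread's outbound mapping builds it, CN escaped."""
    return "CN=" + escape_rdn_value(full_name) + "," + container_dn


if __name__ == "__main__":
    container = "OU=TEHNISKAIS CENTRS,OU=ANOTHER1,DC=EXAMPLE,DC=COM"  # constructed sample
    dn = user_dn("Smith, John", container)
    print(dn, "->", first_ou(dn))               # the comma in the CN does not move the OU
    print("naive split gives:", dn.split(",")[0])
```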