[midPoint] Organizational Unit attribute mapping to User attribute
Jason Everling
jeverling at bshp.edu
Tue Apr 9 14:32:54 CEST 2019
Can you paste the whole mapping for the assignment? Also, in the system config section, what do you have for assignment policy enforcement?
On Apr 9, 2019, at 02:04, Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>Thanks for the suggestions.
>So, the code right now in my User Template:
>
><mapping>
><name>Org mapping</name>
><authoritative>true</authoritative>
><source>
><path>extension/adOUContainer</path>
></source>
><expression>
><assignmentTargetSearch>
><targetType>OrgType</targetType>
><filter>
><q:equal>
><q:path>name</q:path>
><expression>
><script>
><code>
>// drop the domain components (",DC=...") from the container DN
>dn = adOUContainer.substring(0, adOUContainer.indexOf(",DC="));
>log.info("DN is: " + dn);
>// the leading RDN is the innermost OU; split on the literal ",OU=" separator
>// (tokenize() would treat each of the characters , O U = as a delimiter)
>firstOU = dn.split(/,OU=/)[0].replaceFirst(/^OU=/, "");
>log.info("First OU: " + firstOU);
>return firstOU.trim();
></code>
></script>
></expression>
></q:equal>
></filter>
></assignmentTargetSearch>
></expression>
><target>
><path>assignment</path>
></target>
></mapping>
>
>Here's the log:
>2019-04-09 06:55:58,184 [] [http-nio-8080-exec-8] INFO
>(com.evolveum.midpoint.expression): DN is: OU=TEHNISKAIS
>CENTRS,OU=INZENIERTEHNISKO RISINAJUMU UN PAKALPOJUMU BIZNESA
>DEPARTAMENTS,OU=CS_GROUP_USERS
>2019-04-09 06:55:58,184 [] [http-nio-8080-exec-8] INFO
>(com.evolveum.midpoint.expression): First OU:TEHNISKAIS CENTRS
>2019-04-09 06:55:58,235 [] [http-nio-8080-exec-8] INFO
>(com.evolveum.midpoint.repo.common.task.AbstractSearchIterativeResultHandler):
>Import object shadow:274abf21-d5a3-4c35-80c3-6791852c8589(CN=midpoint
>test,OU=Tehniskais centrs,OU=Inzeniertehnisko risinajumu un pakalpojumu
>biznesa departaments,OU=CS_group_users,DC=corp,DC=csolutions,DC=lv)
>from resource:36f05668-82bf-4586-ac1d-56760cd48e8d(CS AD User source
>Resource 19.26) done with status SUCCESS (this one: 239 ms, avg: 239
>ms) (total progress: 1, wall clock avg: 239 ms)
>
>Here's the Org name attribute value:
>
>But the user still doesn't receive the proper assignment :)
>
>By the way, I've been trying for quite a long time to get
>assignmentTargetSearch to work in my test env., but always without
>success.
>Earlier I was trying to assign groups based on extension attributes
>that were the same in both Role and User, and the assignment was not placed.
>The log file also looks clean all the time.
>
>Maybe I lack some global midPoint configuration for assignments to
>function normally? I have midPoint 3.9 with the embedded H2 DB for the test env.
>
>TY in advance.
>
>From: "Jason Everling" <jeverling at bshp.edu>
>To: "midpoint" <midpoint at lists.evolveum.com>
>Sent: Monday, 8 April, 2019 23:21:27
>Subject: Re: [midPoint] Organizational Unit attribute mapping to User
>attribute
>
>Here is another one I created; this one is using the AD attribute
>canonicalName, you can see how each variable is constructed:
>https://ideone.com/uNZhus
>
>On Mon, Apr 8, 2019 at 2:57 PM Jason Everling <jeverling at bshp.edu> wrote:
>
>If your extension/adOUContainer = OU=TEHNISKAIS
>CENTRS,OU=ANOTHER1,DC=EXAMPLE,DC=COM you would want to use the below,
>description.split(/,OU=/)[0].replaceFirst(/^OU=/, "");
>
>which would yield,
>
>TEHNISKAIS CENTRS
>
>check https://ideone.com/RUoDgB
>
>On Mon, Apr 8, 2019 at 12:14 PM Jason Everling <jeverling at bshp.edu> wrote:
>
>
>What is the value of the Org 'name' attribute?
>
>
>On Mon, Apr 8, 2019 at 9:03 AM Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>
>
>Hi.
>I was looking at the OrgSync Story Test, especially the part where
>assignmentTargetSearch is used to assign the first Org from the orgpath.
>So I've tried to implement it in my scenario:
><mapping>
><name>Org mapping</name>
><authoritative>true</authoritative>
><source>
><path>extension/adOUContainer</path>
></source>
><expression>
><assignmentTargetSearch>
><targetType>OrgType</targetType>
><filter>
><q:equal>
><q:path>name</q:path>
><expression>
><script>
><code>
>// split on the literal ",OU=" separator; tokenize(',OU=') would treat each character as a delimiter
>adOUContainer.split(/,OU=/)[0].replaceFirst(/^OU=/, "")
></code>
></script>
></expression>
></q:equal>
></filter>
></assignmentTargetSearch>
></expression>
><target>
><path>assignment</path>
></target>
></mapping>
>
>But no assignment is returned (I think so), because the user is not getting
>the proper OrgType assignment.
>
>I've tried "Mapping playground", and here's what I get:
>
><mapping>
><name>Org mapping</name>
><authoritative>true</authoritative>
><source>
><path>description</path>
></source>
><expression>
><assignmentTargetSearch>
><targetType>OrgType</targetType>
><filter>
><equal>
><path>name</path>
><expression>
><script>
><code>
>description.split(/,OU=/)[0].replaceFirst(/^OU=/, "")
></code>
></script>
></expression>
></equal>
></filter>
></assignmentTargetSearch>
></expression>
><target>
><path>assignment</path>
></target>
></mapping>
>
>With request of:
>
><mappingExecutionRequest>
><sourceContext>
><user>
><description>OU=TEHNISKAIS CENTRS</description>
>
></user>
></sourceContext>
></mappingExecutionRequest>
>
>and the result will be:
>
>Output triple:
>DeltaSetTriple:
>zero:
>id=null
>targetRef: oid=756c807e-b01b-44ff-a750-13f004599859(OrgType)
>plus:
>minus:
>
>Condition output triple:
>DeltaSetTriple:
>zero:
>true
>plus:
>minus:
>
>Time constraint valid: true
>Next recompute time: null
>
>Evaluation time: 18 ms
>
>So, if I'm right, this assignmentTargetSearch returned the right
>OrgType (the oid in the result refers to the Org that I'm trying to assign).
>Any suggestions?
>
>
>From: "Jason Everling" <jeverling at bshp.edu>
>To: "midpoint" <midpoint at lists.evolveum.com>
>Sent: Tuesday, 2 April, 2019 16:56:50
>Subject: Re: [midPoint] Organizational Unit attribute mapping to User
>attribute
>
>It's a 3-part configuration: one to assign the org based on the user
>attribute within the default user template, and then a metarole to
>create the focus mappings to the user, which gets assigned to all orgs of
>the specified type. I used orgType in the example because that is what
>is mainly used in the midPoint samples as well.
>
>On Tue, Apr 2, 2019 at 3:09 AM Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>
>Basically, right now what I need is that the midPoint Org attribute is
>mapped to the organization attribute of all users that are assigned to that
>Org.
>
>
>From: "Jason Everling" <jeverling at bshp.edu>
>To: "midpoint" <midpoint at lists.evolveum.com>
>Sent: Monday, 1 April, 2019 17:03:07
>Subject: Re: [midPoint] Organizational Unit attribute mapping to User
>attribute
>
>There are some examples and such on GitHub but nothing really complete
>for AD itself; you can start here to get an idea:
>https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/orgsync
>
>Give me some time and I can send you a complete working set for AD.
>Also, it would be easier to extend your schema with some extensions for
>easier management and future use. The 'organization' attribute is a
>PolyString; it is up to you.
>
>For example, for each type (UserTypeExtensionType, RoleTypeExtensionType,
>OrgTypeExtensionType) we have the extension attributes
>'adLdapPath' and 'odLdapPath', since we use both AD and OpenLDAP, which
>get filled in for each using the sample I first sent in the resource
>definition:
>
><xsd:element name="adLdapPath" type="xsd:string" minOccurs="0" maxOccurs="1">
><xsd:annotation>
><xsd:appinfo>
><a:indexed>true</a:indexed>
><a:displayName>Active Directory Path</a:displayName>
><a:displayOrder>1041</a:displayOrder>
><a:help>Path to object in Active Directory</a:help>
></xsd:appinfo>
></xsd:annotation>
></xsd:element>
><xsd:element name="odLdapPath" type="xsd:string" minOccurs="0" maxOccurs="1">
><xsd:annotation>
><xsd:appinfo>
><a:indexed>true</a:indexed>
><a:displayName>OpenLDAP Path</a:displayName>
><a:displayOrder>1042</a:displayOrder>
><a:help>Path to object in OpenLDAP</a:help>
></xsd:appinfo>
></xsd:annotation>
></xsd:element>
>
>On Mon, Apr 1, 2019 at 3:58 AM Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>
>Thanks for the reply. This sync works fine for the inbound mapping from the AD
>resource: organizations in midPoint are being created on demand.
>
>What I'm trying to achieve is:
>1. Import the organization structure from the AD resource. Your mapping works
>fine if the user in AD is placed in any OU in AD. But how can I import
>OUs from AD into the midPoint organization structure if there are no
>users at all in that OU in AD? I got group import from AD working, with AD groups
>being synced to midPoint roles, but I was not able to sync OUs from AD
>to Organizations in midPoint. Here's my object type (taken from the OrgSync
>Story example):
><objectType>
><kind>generic</kind>
><intent>ou</intent>
><displayName>Organizational Unit</displayName>
><objectClass>ri:organizationalUnit</objectClass>
><attribute>
><ref>ri:ou</ref>
><inbound>
><strength>weak</strength>
><target>
><path>$focus/name</path>
></target>
></inbound>
></attribute>
><attribute>
><ref>ri:description</ref>
><inbound>
><strength>weak</strength>
><target>
><path>$focus/description</path>
></target>
></inbound>
></attribute>
></objectType>
>
>With this object type I don't see any records in the resource for the Generic
>kind.
>
>2. I would like to make midPoint the central management system, so I would
>like to be able to create a new Organization in midPoint; then, when a user
>is assigned this organization, the user will be created in the AD resource
>in the Organization's container. I've tried to specify the DN
>for the Organization in midPoint in the description attribute and then
>construct the user's DN:
>
><inducement id="10">
><construction>
><strength>weak</strength>
><resourceRef oid="be74efc9-6df3-470c-bfcf-c6d4f4165772"
>relation="org:default" type="c:ResourceType">
><!-- CS AD User outbound Resource 19.26 -->
></resourceRef>
><attribute id="12">
><c:ref>ri:dn</c:ref>
><displayName>Distinguished Name</displayName>
><outbound>
><source>
><c:path>$user/fullName</c:path>
></source>
><source>
><c:path>description</c:path>
></source>
><expression>
><script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
><code>
>'CN=' + fullName + ',' + description
></code>
></script>
></expression>
></outbound>
></attribute>
></construction>
></inducement>
>
>But the user is not created in the resource.
>
>
>
>
>
>From: "Jason Everling" <jeverling at bshp.edu>
>To: "midpoint" <midpoint at lists.evolveum.com>
>Sent: Thursday, 28 March, 2019 20:18:13
>Subject: Re: [midPoint] Organizational Unit attribute mapping to User
>attribute
>
>Now when the organization is updated with a new value it will rebuild the
>user's DN, which of course will put them in the OU based on the attribute.
>You can also use org sync to create your AD structure in midPoint, then
>map the organization assignment to the user's attribute so you can use
>assignment-based placement. Just make sure to use a specific org type
>in the template so it doesn't try to update the attribute with values
>of orgs that are not really AD OUs. I was using Rdn but it wasn't
>working right for AD containers, so a raw script; works great though.
><attribute>
><c:ref>ri:dn</c:ref>
><outbound>
><source>
><c:path>$focus/organization</c:path>
></source>
><source>
><c:path>$focus/name</c:path>
></source>
><expression>
><script>
><code>'CN=' + name + iterationToken + ',' + organization</code>
></script>
></expression>
></outbound>
><inbound>
><expression>
><script>
><code>
>// nothing to derive when the account has no DN yet
>if (input == null) { return null; }
>tmpdn = basic.uc(input);
>// container path = the DN with the account's own leading CN RDN removed
>cn = tmpdn.substring(tmpdn.indexOf(",CN=") + 1);
>ou = tmpdn.substring(tmpdn.indexOf(",OU=") + 1);
>if (tmpdn.contains(",CN=")) {
>    log.info("-- DN Path " + cn + " is a container");
>    return cn;
>}
>if (tmpdn.contains(",OU=")) {
>    log.info("-- DN Path " + ou + " is an orgunit");
>    return ou;
>}
>return null;
></code>
></script>
></expression>
><target>
><c:path>$focus/organization</c:path>
></target>
></inbound>
></attribute>
>
>
>On Thu, Mar 28, 2019 at 10:57 AM Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>
>Hello.
>
>Is it possible to take an attribute from an organizational unit and map it to
>a user's attribute?
>For example, I would like to create an extended attribute for the
>organizational unit - DN (Distinguished Name), then map it to the user's
>"Organization" attribute, so that I'll be able to create the user in AD in a
>specific OU container.
>
>
>_______________________________________________
>midPoint mailing list
>midPoint at lists.evolveum.com
>http://lists.evolveum.com/mailman/listinfo/midpoint
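Two things the scripts in this thread do with DN strings deserve a more careful version than Groovy's tokenize() and plain string concatenation give them. tokenize(",OU=") treats every character of its argument as a delimiter, so it happens to work for "TEHNISKAIS CENTRS" but would mangle an OU such as "Operations" or "CS_GROUP_USERS", whose letters include O and U, and it cannot cope with an escaped comma inside an OU name. And building an account DN as 'CN=' + name + ',' + organization inserts the name unescaped, so a name containing a comma ("Doe, Jane") breaks the DN and a crafted one such as "x,OU=Domain Admins" silently changes which container the account lands in. The code below is an added example, not code from the thread or from midPoint, and it is written in Python rather than Groovy so it can be run and checked on its own; the logic ports directly to a mapping script. It parses a DN per RFC 4514 (only unescaped commas separate RDNs; \, and \2C style escapes are decoded), returns the innermost OU with its case preserved (the log above shows the upper-cased value while the shadow DN shows mixed case, which matters when the result is compared against an Org name), and escapes a value before it is placed into a constructed DN. SAMPLE_DN is constructed from the shadow DN in the import log above. For the escaping half, midPoint's own script library provides basic.composeDn and basic.composeDnWithSuffix; the example shows what such escaping has to do.

```python
"""RFC 4514-aware handling of the DN strings that flow through the mappings
in this thread: split a DN into RDNs, extract the innermost OU, and escape a
value before it is concatenated into a new DN. Added example, not midPoint code."""
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the shadow DN in the import log above.
SAMPLE_DN = ("CN=midpoint test,OU=Tehniskais centrs,"
             "OU=Inzeniertehnisko risinajumu un pakalpojumu biznesa departaments,"
             "OU=CS_group_users,DC=corp,DC=csolutions,DC=lv")

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
# Characters RFC 4514 s.2.4 requires to be escaped anywhere in a value.
_SPECIAL = set(',+"\\<>;')


def _unescape(raw: str) -> str:
    """Decode backslash escapes: '\\,' -> ',' and hex pairs such as '\\2C' -> ','.
    Hex pairs are collected as UTF-8 bytes so multi-byte escapes decode correctly."""
    out = bytearray()
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out += ch.encode("utf-8")
            i += 1
        elif _HEX_PAIR.fullmatch(raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        elif i + 1 < len(raw):
            out += raw[i + 1].encode("utf-8")
            i += 2
        else:
            raise ValueError("dangling backslash in DN value")
    return out.decode("utf-8")


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (TYPE, value) pairs, innermost RDN first. Only an
    unescaped comma ends an RDN; an unescaped '+' (multi-valued RDN) is
    rejected rather than silently folded into a value."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                 # keep the escape pair for _unescape
            buf.append(dn[i:i + 2])
            i += 2
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
            i += 1
        elif ch == "+":
            raise ValueError("multi-valued RDNs are not supported")
        else:
            buf.append(ch)
            i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        typ, sep, val = part.partition("=")
        if not sep or not typ.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        val = val.lstrip(" ")
        while val.endswith(" ") and not val.endswith("\\ "):
            val = val[:-1]             # a trailing space only counts if escaped
        rdns.append((typ.strip().upper(), _unescape(val)))
    return rdns


def first_ou(dn: str) -> Optional[str]:
    """Value of the innermost OU, case preserved, or None when the DN has no
    OU at all (for example an account parked directly under CN=Users)."""
    for typ, val in split_dn(dn):
        if typ == "OU":
            return val
    return None


def escape_rdn_value(value: str) -> str:
    """Escape a string so it can be embedded as an RDN value (RFC 4514 s.2.4)."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and idx == 0:
            out.append("\\#")
        elif ch == " " and idx in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn: str, container_dn: str) -> str:
    """Safe counterpart of 'CN=' + name + ',' + organization: the CN value is
    escaped and the container must parse, so a name like 'x,OU=Domain Admins'
    stays a single RDN instead of relocating the account."""
    split_dn(container_dn)             # raises on a malformed container
    return "CN=" + escape_rdn_value(cn) + "," + container_dn


if __name__ == "__main__":
    print(first_ou(SAMPLE_DN))
    print(build_dn("Doe, Jane", "OU=Tehniskais centrs,OU=CS_group_users,DC=corp,DC=csolutions,DC=lv"))
```

first_ou() is the equivalent of the filter expression in the user template above, and build_dn() of the outbound dn construction; the difference from the thread's versions is that neither result can be altered by a comma, plus sign or backslash that arrives inside an OU name or a user's name.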