[midPoint] Organizational Unit attribute mapping to User attribute

Jason Everling jeverling at bshp.edu
Tue Apr 9 14:32:54 CEST 2019


Can you paste the whole mapping for the assignment? Also, in the system config section, what do you have for assignment policy enforcement?

On Apr 9, 2019, at 02:04, Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>Thanks for the suggestions.
>So, the code right now in my User Template:
>
>    <assignmentTargetSearch>
>      <targetType>OrgType</targetType>
>      <filter>
>        <q:equal>
>          <q:path>name</q:path>
>          <expression>
>            <script>
>              <code>
>                // cut off the domain part, i.e. everything from ",DC=" onwards
>                dn = adOUContainer.substring(0, adOUContainer.indexOf(",DC="));
>                log.info("DN is: " + dn);
>                // the leaf OU is the first RDN; split() uses the whole ",OU=" string as separator,
>                // whereas tokenize() treats each of ',', 'O', 'U' and '=' as a delimiter character
>                firstOU = dn.split(",OU=")[0].replaceFirst(/^OU=/, "");
>                log.info("First OU:" + firstOU);
>                return firstOU.trim();
>              </code>
>            </script>
>          </expression>
>        </q:equal>
>      </filter>
>    </assignmentTargetSearch>
>  </expression>
>  <target>
>    <path>assignment</path>
>  </target>
>
>Here's the log: 
>2019-04-09 06:55:58,184 [] [http-nio-8080-exec-8] INFO (com.evolveum.midpoint.expression): DN is: OU=TEHNISKAIS CENTRS,OU=INZENIERTEHNISKO RISINAJUMU UN PAKALPOJUMU BIZNESA DEPARTAMENTS,OU=CS_GROUP_USERS
>2019-04-09 06:55:58,184 [] [http-nio-8080-exec-8] INFO (com.evolveum.midpoint.expression): First OU:TEHNISKAIS CENTRS
>2019-04-09 06:55:58,235 [] [http-nio-8080-exec-8] INFO (com.evolveum.midpoint.repo.common.task.AbstractSearchIterativeResultHandler): Import object shadow:274abf21-d5a3-4c35-80c3-6791852c8589(CN=midpoint test,OU=Tehniskais centrs,OU=Inzeniertehnisko risinajumu un pakalpojumu biznesa departaments,OU=CS_group_users,DC=corp,DC=csolutions,DC=lv) from resource:36f05668-82bf-4586-ac1d-56760cd48e8d(CS AD User source Resource 19.26) done with status SUCCESS (this one: 239 ms, avg: 239 ms) (total progress: 1, wall clock avg: 239 ms)
>
>Here's the Org name attribute value: 
>
>But the user still doesn't receive the proper assignment :)
>
>By the way, I've been trying to get assignmentTargetSearch to work in my test env. for a pretty long time, but all the time with no success.
>Earlier I was trying to assign Groups based on extension attributes that were the same in both Role and User, and the assignment was not placed.
>The log file also looks clear all the time.
>
>Maybe I lack some global MidPoint configuration for assignments to function normally? I have MidPoint 3.9 with the embedded H2 DB for the test env.
>
>TY in advance.
>
>From: "Jason Everling" <jeverling at bshp.edu> 
>To: "midpoint" <midpoint at lists.evolveum.com> 
>Sent: Monday, 8 April, 2019 23:21:27 
>Subject: Re: [midPoint] Organizational Unit attribute mapping to User
>attribute 
>
>Here is another one I created, this one is using the AD attribute canonicalName, you can see how each variable is constructed:
>https://ideone.com/uNZhus
>
>
>
>
>On Mon, Apr 8, 2019 at 2:57 PM Jason Everling <jeverling at bshp.edu> wrote:
>
>
>
>If your extension/adOUContainer = OU=TEHNISKAIS CENTRS,OU=ANOTHER1,DC=EXAMPLE,DC=COM you would want to use the below,
>
>// split(",") keeps the separator whole; tokenize("OU=") would split on each of 'O', 'U' and '=' as separate delimiter characters
>description.split(",")[0].replaceFirst(/^OU=/, "");
>
>which would yield,
>
>TEHNISKAIS CENTRS
>
>check
>https://ideone.com/RUoDgB
>
>On Mon, Apr 8, 2019 at 12:14 PM Jason Everling <jeverling at bshp.edu> wrote:
>
>
>What is the value for the Org 'name' attribute ? 
>
>
>On Mon, Apr 8, 2019 at 9:03 AM Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>
>
>Hi.
>I was looking at the OrgSync Story Test, especially the part where assignmentTargetSearch is used to assign the first Org from the orgpath.
>So I've tried to implement it in my scenario:
><mapping>
>  <name>Org mapping</name>
>  <authoritative>true</authoritative>
>  <source>
>    <path>extension/adOUContainer</path>
>  </source>
>  <expression>
>    <assignmentTargetSearch>
>      <targetType>OrgType</targetType>
>      <filter>
>        <q:equal>
>          <q:path>name</q:path>
>          <expression>
>            <script>
>              <code>
>                // leaf OU name without the "OU=" prefix; split() on the whole ",OU=" string
>                // (tokenize() would split on each of ',', 'O', 'U' and '=' individually)
>                adOUContainer.split(',OU=')[0].replaceFirst(/^OU=/, '')
>              </code>
>            </script>
>          </expression>
>        </q:equal>
>      </filter>
>    </assignmentTargetSearch>
>  </expression>
>  <target>
>    <path>assignment</path>
>  </target>
></mapping>
>
>But no assignment is returned (I think so), because the user is not getting the proper assignment of OrgType.
>
>I've tried the "Mapping playground", and here's what I get:
>
><mapping>
>  <name>Org mapping</name>
>  <authoritative>true</authoritative>
>  <source>
>    <path>description</path>
>  </source>
>  <expression>
>    <assignmentTargetSearch>
>      <targetType>OrgType</targetType>
>      <filter>
>        <equal>
>          <path>name</path>
>          <expression>
>            <script>
>              <code>
>                // leaf OU name without the "OU=" prefix; split() on the whole ",OU=" string
>                // (tokenize() would split on each of ',', 'O', 'U' and '=' individually)
>                description.split(',OU=')[0].replaceFirst(/^OU=/, '')
>              </code>
>            </script>
>          </expression>
>        </equal>
>      </filter>
>    </assignmentTargetSearch>
>  </expression>
>  <target>
>    <path>assignment</path>
>  </target>
></mapping>
>
>With request of: 
>
><mappingExecutionRequest>
>  <sourceContext>
>    <user>
>      <description>OU=TEHNISKAIS CENTRS</description>
>    </user>
>  </sourceContext>
></mappingExecutionRequest>
>
>and the result will be: 
>
>Output triple: 
>DeltaSetTriple: 
>zero: 
>id=null 
>targetRef: oid=756c807e-b01b-44ff-a750-13f004599859(OrgType) 
>plus: 
>minus: 
>
>Condition output triple: 
>DeltaSetTriple: 
>zero: 
>true 
>plus: 
>minus: 
>
>Time constraint valid: true 
>Next recompute time: null 
>
>Evaluation time: 18 ms 
>
>So, if I'm right, this assignmentTargetSearch returned the right OrgType (the oid in the result refers to the Org that I'm trying to assign).
>Any suggestions?
>
>
>From: "Jason Everling" <jeverling at bshp.edu>
>To: "midpoint" <midpoint at lists.evolveum.com>
>Sent: Tuesday, 2 April, 2019 16:56:50 
>Subject: Re: [midPoint] Organizational Unit attribute mapping to User
>attribute 
>
>It's a 3-part configuration: one to assign the org based on the user attribute within the default user template, and then a metarole to create the focus mappings to the user that gets assigned to all orgs of the specified type. I used orgType in the example because that is what is used mainly in the midPoint samples as well.
>
>
>
>
>
>On Tue, Apr 2, 2019 at 3:09 AM Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>
>
>Basically, right now what I need is that the MidPoint Org attribute is mapped to the organization attribute of all users that are assigned to that Org.
>
>
>From: "Jason Everling" <jeverling at bshp.edu>
>To: "midpoint" <midpoint at lists.evolveum.com>
>Sent: Monday, 1 April, 2019 17:03:07 
>Subject: Re: [midPoint] Organizational Unit attribute mapping to User
>attribute 
>
>There are some examples and such on github but nothing really complete for AD itself, you can start here to get an idea:
>https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/orgsync
>
>Give me some time and I can send you a complete working set for AD. Also, it would be easier to extend your schema with some extensions for easier management and future use. The 'organization' attribute is PolyString, it is up to you.
>
>For example, for each type (UserTypeExtensionType, RoleTypeExtensionType, OrgTypeExtensionType) we have extension attributes 'adLdapPath' and 'odLdapPath', since we use both AD and OpenLDAP, which get filled in using the sample I first sent for each in the resource definition:
>
><xsd:element name="adLdapPath" type="xsd:string" minOccurs="0" maxOccurs="1">
>  <xsd:annotation>
>    <xsd:appinfo>
>      <a:indexed>true</a:indexed>
>      <a:displayName>Active Directory Path</a:displayName>
>      <a:displayOrder>1041</a:displayOrder>
>      <a:help>Path to object in Active Directory</a:help>
>    </xsd:appinfo>
>  </xsd:annotation>
></xsd:element>
><xsd:element name="odLdapPath" type="xsd:string" minOccurs="0" maxOccurs="1">
>  <xsd:annotation>
>    <xsd:appinfo>
>      <a:indexed>true</a:indexed>
>      <a:displayName>OpenLDAP Path</a:displayName>
>      <a:displayOrder>1042</a:displayOrder>
>      <a:help>Path to object in OpenLDAP</a:help>
>    </xsd:appinfo>
>  </xsd:annotation>
></xsd:element>
>
>
>
>
>
>
>On Mon, Apr 1, 2019 at 3:58 AM Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>
>
>Thanks for the reply. This sync works fine for the inbound mapping from the AD resource - organizations in midPoint are being created on demand.
>
>What I'm trying to achieve is:
>1. Import the organization structure from the AD resource. Your mapping works fine if the user in AD is placed in any OU in AD. But how can I import OUs from AD into the midPoint organization structure if there are no users in that OU in AD? I got group import from AD working, where AD groups are synced to midPoint roles, but I was not able to sync OUs from AD to Organizations in midPoint. Here's my object type (taken from the OrgSync Story example):
><objectType>
>  <kind>generic</kind>
>  <intent>ou</intent>
>  <displayName>Organizational Unit</displayName>
>  <objectClass>ri:organizationalUnit</objectClass>
>  <attribute>
>    <ref>ri:ou</ref>
>    <inbound>
>      <strength>weak</strength>
>      <target>
>        <path>$focus/name</path>
>      </target>
>    </inbound>
>  </attribute>
>  <attribute>
>    <ref>ri:description</ref>
>    <inbound>
>      <strength>weak</strength>
>      <target>
>        <path>$focus/description</path>
>      </target>
>    </inbound>
>  </attribute>
></objectType>
>
>With this object type I don't see any records in the resource for the Generic kind.
>
>2. I would like to make MidPoint the central management system, so I would like to be able to create a new Organization in MidPoint; then, when a user is assigned this organization, the user will be created in the AD resource in the Organization's container. I've tried to specify the DN for the Organization in midPoint in the description attribute and then construct the user's DN:
>
><inducement id="10">
>  <construction>
>    <strength>weak</strength>
>    <resourceRef oid="be74efc9-6df3-470c-bfcf-c6d4f4165772" relation="org:default" type="c:ResourceType">
>      <!-- CS AD User outbound Resource 19.26 -->
>    </resourceRef>
>    <attribute id="12">
>      <c:ref>ri:dn</c:ref>
>      <displayName>Distinguished Name</displayName>
>      <outbound>
>        <source>
>          <c:path>$user/fullName</c:path>
>        </source>
>        <source>
>          <c:path>description</c:path>
>        </source>
>        <expression>
>          <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
>            <code>
>              // fullName is concatenated unescaped: a comma or other RFC 4514 special character in it changes the DN structure
>              'CN=' + fullName + ',' + description
>            </code>
>          </script>
>        </expression>
>      </outbound>
>    </attribute>
>  </construction>
></inducement>
>
>But user is not created in resource. 
>
>
>
>
>
>From: "Jason Everling" <jeverling at bshp.edu>
>To: "midpoint" <midpoint at lists.evolveum.com>
>Sent: Thursday, 28 March, 2019 20:18:13 
>Subject: Re: [midPoint] Organizational Unit attribute mapping to User
>attribute 
>
>Now when the organization is updated with a new value it will re-build the user's DN, which of course will place them in the OU based on the attribute. You can also use org sync to create your AD structure in midPoint, then map the organization assignment to the user's attribute so you can use assignment-based placement. Just make sure to use a specific org type in the template so it doesn't try to update the attribute with values of orgs that are not really AD OUs. I was using Rdn but it wasn't working right for AD containers, so a raw script; works great though.
><attribute>
>  <c:ref>ri:dn</c:ref>
>  <outbound>
>    <source>
>      <c:path>$focus/organization</c:path>
>    </source>
>    <source>
>      <c:path>$focus/name</c:path>
>    </source>
>    <expression>
>      <script>
>        <code>'CN=' + name + iterationToken + ',' + organization</code>
>      </script>
>    </expression>
>  </outbound>
>  <inbound>
>    <expression>
>      <script>
>        <code>
>          // upper-case the whole DN so the comparisons below are case-insensitive
>          tmpdn = basic.uc(input);
>          // container = everything after the object's own RDN, from the first ",CN=" or ",OU=" on
>          cn = tmpdn.substring(tmpdn.indexOf(",CN=") + 1);
>          ou = tmpdn.substring(tmpdn.indexOf(",OU=") + 1);
>          if (tmpdn.contains(",CN=")) {
>            log.info("-- DN Path " + cn + " is a container");
>            return basic.uc(cn);
>          }
>          if (tmpdn.contains(",OU=") && !tmpdn.contains(",CN=")) {
>            log.info("-- DN Path " + ou + " is an orgunit");
>            return basic.uc(ou);
>          }
>          // neither: the object sits directly under the domain, nothing to map
>          return null;
>        </code>
>      </script>
>    </expression>
>    <target>
>      <c:path>$focus/organization</c:path>
>    </target>
>  </inbound>
></attribute>
>
>
>On Thu, Mar 28, 2019 at 10:57 AM Vladislavs Filipciks <vladislavs.filipciks at csolutions.lv> wrote:
>
>
>Hello. 
>
>Is it possible to take an attribute from an organizational unit and map it to a user's attribute?
>For example, I would like to create an extended attribute for the organizational unit - DN (Distinguished Name), then map it to the user's "Organization" attribute, so that I'll be able to create the user in AD in a specific OU container.
>
>
>_______________________________________________
>midPoint mailing list
>midPoint at lists.evolveum.com
>http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20190409/c2bf46e7/attachment.htm>
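An added example, not code from this thread and not midPoint's own code. The scripts above cut the DN with substring()/tokenize() and build the user DN with 'CN=' + fullName + ',' + description; that works for the DNs shown but not for everything AD can hand back: an OU or CN whose value contains a comma is written with a backslash escape (OU=Sales\, EMEA), attribute types may come back in either case (ou= vs OU=), and a display name containing ',OU=' concatenated unescaped changes which container the account lands in. The Python below parses and composes DNs by the RFC 4514 escaping rules; Python is used because it runs stand-alone, the same logic transfers to the Groovy expressions. All sample DNs are constructed for the example (example.com, not the thread's domain); the Org name 'Sales, EMEA' is invented.

```python
# Added example, not code from the thread or from midPoint: RFC 4514 aware versions
# of the two string operations the thread does with substring()/tokenize(),
#   1. pulling the leaf OU out of an AD container DN to match an Org name,
#   2. building a user DN from a display name and a container DN.
# All DNs below are constructed for the example (example.com, not the thread's domain).
from typing import List, Optional, Tuple

_SPECIALS = set(',+"\\<>;')   # RFC 4514 section 2.4: always escaped inside an RDN value


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (TYPE, value) pairs, honouring '\\,' and '\\2C' style escapes.

    Types are upper-cased (LDAP compares them case-insensitively; AD writes 'OU=',
    OpenLDAP usually 'ou='). Multi-valued RDNs ('a=b+c=d') are not handled, AD does
    not produce them for CN/OU/DC; multi-byte hex escapes are decoded byte by byte.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hex_pair = dn[i + 1:i + 3]
            if len(hex_pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in hex_pair):
                buf.append(chr(int(hex_pair, 16)))   # \2C -> ','
                i += 3
            else:
                buf.append(dn[i + 1])                # \, -> ','
                i += 2
            continue
        if ch == ",":                                # unescaped comma: RDN boundary
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr_type.strip().upper(), value))
    return pairs


def escape_rdn_value(value: str) -> str:
    """Escape a value for use after 'TYPE=' in an RDN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def join_dn(pairs: List[Tuple[str, str]]) -> str:
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in pairs)


def first_ou(dn: str) -> Optional[str]:
    """Leaf-most OU value, i.e. what is matched against the midPoint Org 'name'."""
    return next((v for t, v in split_dn(dn) if t == "OU"), None)


def container_dn(dn: str) -> str:
    """Parent container of an object: drop its own RDN, re-escape the rest."""
    return join_dn(split_dn(dn)[1:])


def build_user_dn(full_name: str, container: str) -> str:
    """The thread's  'CN=' + fullName + ',' + description  with the value escaped."""
    return f"CN={escape_rdn_value(full_name)},{container}"


def naive_first_ou(container: str) -> str:
    """Plain split on ',OU=' plus prefix strip, as in the thread's scripts, for comparison."""
    head = container.split(",OU=")[0]
    return head[3:] if head.startswith("OU=") else head


# Constructed sample containers, shaped like the thread's adOUContainer value.
PLAIN_CONTAINER = ("OU=Tehniskais centrs,OU=Inzeniertehnisko risinajumu un pakalpojumu biznesa "
                   "departaments,OU=CS_group_users,DC=corp,DC=example,DC=com")
ESCAPED_CONTAINER = r"OU=Sales\, EMEA,OU=CS_group_users,DC=corp,DC=example,DC=com"
LOWER_CONTAINER = "ou=Ops,dc=corp,dc=example,dc=com"

if __name__ == "__main__":
    for c in (PLAIN_CONTAINER, ESCAPED_CONTAINER, LOWER_CONTAINER):
        print(f"robust: {first_ou(c)!r:<20} naive: {naive_first_ou(c)!r}")
    # a display name carrying ',OU=' must not be able to relocate the account
    print(build_user_dn("x,OU=Admins", PLAIN_CONTAINER))
    print(split_dn("CN=x,OU=Admins," + PLAIN_CONTAINER)[1])   # what plain concatenation does
```

Two things carry back into the Groovy: split RDNs only on unescaped commas and compare the attribute type case-insensitively (the robust first_ou returns 'Sales, EMEA' and 'Ops' where the plain split returns 'Sales\, EMEA' and the whole lower-case DN), and escape the value placed after CN= before concatenating, so that 'x,OU=Admins' becomes one CN value instead of an extra OU= RDN. midPoint's basic function library has DN composition helpers for the outbound side (look for composeDn/composeDnWithSuffix in the script library docs for your version); whichever helper is used, it has to do what escape_rdn_value does here.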

