[midPoint] Role and Metarole with Existing AD Group

Rod Holman rholman at oaisd.org
Tue Apr 16 19:28:37 CEST 2019


I should add that the existing AD group has members that are not users in midPoint.

--Rod

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Rod Holman
Sent: Tuesday, April 16, 2019 12:43 PM
To: midPoint at lists.evolveum.com
Subject: [midPoint] Role and Metarole with Existing AD Group

Greetings,

We are using Metaroles and Roles as described in "Active Directory Group Sync" in the HOWTO section of the documentation.  This works great as long as the group does not already exist in AD.  When we create a role and assign the metarole the group is created in AD and any user assigned that role is added to the group.  Works great.  We're trying, however, to create a role with the name of a group that already exists in AD and has members.  When we assign the metarole to this role it appears to link OK, but when the role is assigned to a user nothing happens.  The user is not added to the group.  When we look at the shadow record the "intent" field has a value that is not what we put in the Construction section of the inducement.  Is there something different that has to be done to use metaroles with previously existing and populated AD groups?

If any of our definitions are needed for review please let me know.

Thanks,

Rod Holman
Ottawa Area ISD
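For readers following the thread, here is an added example of the metarole/role pair the message describes (it is not Rod's configuration and not the project's own code; OIDs, the resource reference, the intent names and the role name are placeholders or assumptions). The point to verify in a setup like this is that the `intent` in the metarole's entitlement construction is the same intent the AD resource's `schemaHandling` assigns to its group object type: a shadow of a pre-existing group that was created by import or reconciliation under a different intent is a different projection from midPoint's point of view, so a role whose construction names another intent will not match that shadow.

```xml
<!-- Added example: metarole that gives any role holding it an AD group projection.
     OIDs are placeholders; the resource must define an entitlement objectType with
     intent "group" in its schemaHandling, and an account objectType with intent "default". -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="PLACEHOLDER-METAROLE-OID">
    <name>AD Group Metarole</name>

    <!-- order 1 applies to the role that holds this metarole:
         create (or link to) the group shadow on the AD resource -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-AD-RESOURCE-OID" type="ResourceType"/>
            <kind>entitlement</kind>
            <intent>group</intent>   <!-- must equal the group objectType intent in schemaHandling -->
        </construction>
        <order>1</order>
    </inducement>

    <!-- order 2 applies to users assigned that role:
         give them an AD account whose group membership points at the linked group shadow -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-AD-RESOURCE-OID" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:group</ref>   <!-- assumed association name on the resource -->
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>group</intent>   <!-- same intent as the order-1 construction -->
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>

<!-- Added example: a business role whose name becomes the AD group name
     through the resource's outbound mapping (constructed name, placeholder OIDs). -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="PLACEHOLDER-ROLE-OID">
    <name>Finance Staff</name>
    <assignment>
        <targetRef oid="PLACEHOLDER-METAROLE-OID" type="RoleType"/>
    </assignment>
</role>
```

A practical check when a role is meant to bind to a group that already exists in AD: open the existing group's shadow and compare its `kind` and `intent` with the values in the order-1 construction; if they differ, the mismatch shows up exactly as the message describes, with the shadow carrying an intent other than the one written in the inducement.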
