[midPoint] Role and Metarole with Existing AD Group

Ivan Noris ivan.noris at evolveum.com
Wed Apr 17 09:30:45 CEST 2019


Hi Rod,

I would recommend to double-check the synchronization settings for the
groups in AD resource. If the intent you get while synchronizing
("already exists -> link") this is probably the correct place. midPoint
must be able to detect that the group you try to create is actually the
one which already exists - and will create a linkRef between the role
and the group object.

Best regards,

Ivan

On 16. 4. 2019 18:43, Rod Holman wrote:
>
> Greetings,
>
> We are using Metaroles and Roles as described in "Active Directory
> Group Sync" in the HOWTO section of the documentation.  This works
> great as long as the group does not already exist in AD.  When we
> create a role and assign the metarole the group is created in AD and
> any user assigned that role is added to the group.  Works great. 
> We're trying, however, to create a role with the name of a group that
> already exists in AD and has members.  When we assign the metarole to
> this role it appears to link OK, but when the role is assigned to a
> user nothing happens.  The user is not added to the group.  When we
> look at the shadow record the “intent” field has a value that is not
> what we put in the Construction section of the inducement.  Is there
> something different that has to be done to use metaroles with
> previously existing and populated AD groups?
>
> If any of our definitions are needed for review please let me know.
>
> Thanks,
>
> Rod Holman
> Ottawa Area ISD

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
