[midPoint] Role and Metarole with Existing AD Group

Rod Holman rholman at oaisd.org
Fri Apr 19 14:50:26 CEST 2019


Thanks Ivan.  I did that and it still wouldn’t work.  I decided to create a new Metarole and role using your suggestion and got everything working.  Looking at the shadow record in the database I noticed that the new one had the correct intent in the shadow whereas the first one still showed an incorrect intent.  I went into Repository Objects and changed the intent in the shadow record and magically the group began populating correctly.  This probably could have been fixed if I’d just deleted and recreated the original role.

I don’t know why the shadow record had the wrong intent.  I must have created it one way and when I changed it, the shadow record didn’t update.

Anyway, all is working now.  Thanks for your help.

--Rod

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Ivan Noris
Sent: Wednesday, April 17, 2019 3:31 AM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Role and Metarole with Existing AD Group


Hi Rod,

I would recommend double-checking the synchronization settings for the groups in the AD resource. If the intent you get while synchronizing ("already exists -> link"), this is probably the correct place. midPoint must be able to detect that the group you try to create is actually the one which already exists - and will create a linkRef between the role and the group object.

Best regards,

Ivan
On 16. 4. 2019 18:43, Rod Holman wrote:
Greetings,

We are using Metaroles and Roles as described in "Active Directory Group Sync" in the HOWTO section of the documentation.  This works great as long as the group does not already exist in AD.  When we create a role and assign the metarole the group is created in AD and any user assigned that role is added to the group.  Works great.  We're trying, however, to create a role with the name of a group that already exists in AD and has members.  When we assign the metarole to this role it appears to link OK, but when the role is assigned to a user nothing happens.  The user is not added to the group.  When we look at the shadow record the “intent” field has a value that is not what we put in the Construction section of the inducement.  Is there something different that has to be done to use metaroles with previously existing and populated AD groups?

If any of our definitions are needed for review please let me know.

Thanks,

Rod Holman
Ottawa Area ISD





--
Ivan Noris
Senior Identity Engineer
evolveum.com
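Added example, not taken from this thread or from Evolveum's documentation: the group part of a midPoint resource synchronization section in which kind and intent are the same values the metarole's construction uses, so that an AD group which already exists is correlated to its role and linked (the "already exists -> link" reaction Ivan refers to) rather than ending up as a shadow with a different intent. The resource OID, the object class name `ri:group` and the correlation attribute `ri:cn` are assumptions and depend on the connector and resource definition in use.

```xml
<!-- Fragment of a midPoint resource definition (assumed names/OIDs). -->
<!-- The kind/intent here MUST match the construction in the metarole's
     inducement: <kind>entitlement</kind> <intent>group</intent>.
     A shadow classified under a different intent is not the one the
     construction looks for, which is the symptom described in the thread. -->
<synchronization xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                 xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                 xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <objectSynchronization>
        <name>AD group synchronization</name>
        <objectClass>ri:group</objectClass>   <!-- assumed object class name -->
        <kind>entitlement</kind>
        <intent>group</intent>
        <focusType>RoleType</focusType>
        <enabled>true</enabled>
        <!-- Correlate an existing AD group with the role of the same name. -->
        <correlation>
            <q:equal>
                <q:path>name</q:path>
                <expression>
                    <path>$projection/attributes/ri:cn</path> <!-- assumed attribute -->
                </expression>
            </q:equal>
        </correlation>
        <!-- Group already linked to its role: keep them in sync. -->
        <reaction>
            <situation>linked</situation>
            <synchronize>true</synchronize>
        </reaction>
        <!-- Group exists and a matching role exists, but no linkRef yet: link them. -->
        <reaction>
            <situation>unlinked</situation>
            <synchronize>true</synchronize>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
            </action>
        </reaction>
        <!-- Group disappeared from AD: drop the link, keep the role. -->
        <reaction>
            <situation>deleted</situation>
            <synchronize>true</synchronize>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
            </action>
        </reaction>
    </objectSynchronization>
</synchronization>
```

After changing kind/intent in either the resource or the metarole, re-run the group reconciliation or import task and compare the `intent` of the resulting shadow with the construction, as Rod did in Repository Objects.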