[midPoint] Solution - Re: role to role (group to group) association error
Jason Everling
jeverling at bshp.edu
Tue Feb 26 21:11:28 CET 2019
I meant to reply earlier. It was because of the 2nd order inducement from a
metarole: it was trying to create a user account for the role when a role
was assigned to another role. I just had to
add <focusType>c:UserType</focusType> to the 2nd order inducement.
Thanks!
On Tue, Feb 26, 2019 at 11:38 AM Jason Everling <jeverling at bshp.edu> wrote:
> I was trying to create an association for inbound role assignment for the
> entitlement kind using
>
> <association>
>     <c:ref>ri:group</c:ref>
>     <matchingRule>mr:stringIgnoreCase</matchingRule>
>     <displayName>Domain Groups</displayName>
>     <inbound>
>         <authoritative>true</authoritative>
>         <tolerant>false</tolerant>
>         <strength>strong</strength>
>         <expression>
>             <assignmentTargetSearch>
>                 <targetType>c:RoleType</targetType>
>                 <filter>
>                     <q:equal>
>                         <q:path>extension/bshp:ldapDn</q:path>
>                         <expression>
>                             <script>
>                                 <code>
>                                     // resolve the group shadow the member value points to
>                                     entitlement = midpoint.resolveEntitlement(input);
>                                     log.info("### entitlementName: " + entitlement?.getName())
>                                     return entitlement?.getName();
>                                 </code>
>                             </script>
>                         </expression>
>                     </q:equal>
>                 </filter>
>             </assignmentTargetSearch>
>         </expression>
>         <target>
>             <path>assignment</path>
>         </target>
>     </inbound>
>     <kind>entitlement</kind>
>     <intent>group</intent>
>     <direction>objectToSubject</direction>
>     <associationAttribute>ri:member</associationAttribute>
>     <valueAttribute>ri:dn</valueAttribute>
>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
> </association>
>
>
> The user has one that creates the inbound group-to-role mapping and works like a
> charm; using the above for an entitlement itself (roles that are members
> of other roles) results in an error:
>
> Couldn't add object. Schema violation: Schema violation during processing
> shadow: shadow: null (OID:null): Invalid attribute:
> org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong
> DN 'CN=null,null': ERR_04201 No more characters available at position
> 12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201
> No more characters available at position 12): Couldn't add object. Schema
> violation: Schema violation during processing shadow: shadow: null
> (OID:null): Invalid attribute:
> org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong
> DN 'CN=null,null': ERR_04201 No more characters available at position
> 12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201
> No more characters available at position 12): Couldn't add object. Schema
> violation: Schema violation during processing shadow: shadow: null
> (OID:null): Invalid attribute:
> org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong
> DN 'CN=null,null': ERR_04201 No more characters available at position
> 12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201
> No more characters available at position 12): Couldn't add object. Schema
> violation: Schema violation during processing shadow: shadow: null
> (OID:null): Invalid attribute:
> org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException(Wrong
> DN 'CN=null,null': ERR_04201 No more characters available at position
> 12)->org.apache.directory.api.ldap.model.exception.LdapInvalidDnException(ERR_04201
> No more characters available at position 12)
>
> When looking from the GUI the associations show up correctly for the role
> but the error happens when trying to apply the assignment
>
> Any ideas?
>
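For readers hitting the same error, here is an added example of a metarole whose 2nd order inducement is restricted with `<focusType>c:UserType</focusType>`, as described in the reply above. This is not the poster's configuration and not a file from the midPoint project; the role name, the OIDs and the account/entitlement intents are placeholders, and the `associationFromLink` outbound mapping follows the usual midPoint metarole pattern for LDAP groups (assumed here, adjust to your resource).

```xml
<!-- Added example, not the original poster's configuration.
     OIDs, names and intents are placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="00000000-0000-0000-0000-000000000001">
    <name>metarole-ldap-group</name>

    <!-- 1st order inducement: applies to the roles that hold this metarole.
         Each such role gets its own LDAP group (an entitlement shadow). -->
    <inducement>
        <construction>
            <resourceRef oid="00000000-0000-0000-0000-000000000002" type="c:ResourceType"/>
            <kind>entitlement</kind>
            <intent>group</intent>
        </construction>
    </inducement>

    <!-- 2nd order inducement: applies to whatever is assigned one of those roles.
         Without focusType it also fires when the assignee is another role, so
         midPoint tries to build an account for the role itself (the
         'CN=null,null' DN error from the thread). Restricting it to UserType
         means only users get the account and the group membership. -->
    <inducement>
        <order>2</order>
        <focusType>c:UserType</focusType>
        <construction>
            <resourceRef oid="00000000-0000-0000-0000-000000000002" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <!-- link the user's account to the group shadow that the
                             1st order inducement created for the assigned role -->
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>
</role>
```

The check to make before importing: assign a role that holds the metarole to another role and confirm in the GUI that no account shadow is provisioned for the assignee role, while a user assigned the same role does get both the account and the `ri:group` association.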