[midPoint] schema handling vs object template

Ivan Noris ivan.noris at evolveum.com
Mon Jul 29 09:23:44 CEST 2019


Hi Gabriel,

Object template and schema handling are similar, but different concepts.

Schema handling is the place to define how to map the attributes from
midPoint to the resource account (outbound) or vice-versa (inbound).

Object template is the place to define how midPoint attributes (e.g.
User's fullName) should be defined from other user attributes (e.g. the
same User's givenName and familyName).

Object template can also be used with the resource, but in a different
context. If you have a resource which is a source resource (contains
inbounds and unmatched->addFocus reaction for example), you can specify
an arbitrary object template instead of the global object template which
is specified in the System configuration.

That said, you should not attempt to define account attributes in the
template but in the schema handling.

Best regards,

Ivan

On 23. 7. 2019 16:41, Guckenbiehl, Gabriel wrote:
> Hello all,
>
> in my LDAP-scheme I have a field which should be set by a mapping from an
> object template.  The template is called in the synchronization of the
> LDAP resource. Because the LDAP field is a necessary one I get error
> messages, when there is no additional outbound mapping in the schema
> handling itself. 
> But even though I set the dummy-mapping in the ldap-scheme as weak as
> possible it still is not overridden by the mapping in the object template.
> Maybe anyone here can give me a hint or two, how to enforce the correct
> values?
> I can not put the correct mapping in schema handling itself, because the
> iteration there is already used for other context.
>
> Some experimenting led me to believe that no code in the object-template is
> executed, but surely this can't be correct, am I right?
>
> Code below. Best regards and thanks for the help
>
> Gabriel
>
> Gabriel Guckenbiehl, M.Sc.
> Zentrum für Informations- und Mediendienste (ZIM)
> Universität Duisburg Essen
> Schützenbahn 70
> 45127 Essen
> Telefon: +49 (201) 183-3346
>
>
> <objectTemplate
>     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>     oid="ea0f69ae-b5e6-4ef9-a206-8421814b977f" version="89">
>     <name>LDAP Template</name>
>     <iteration>
>         <maxIterations>100000</maxIterations>
>         <postIterationCondition>
>             <variable>
>                 <name>uidnummer</name>
>                 <c:path>$shadow/attributes/ri:uidNumber</c:path>
>             </variable>
>             <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
>                 <trace>true</trace>
>                 <code>
>                     tmpUniqueLogin = midpoint.isUniqueAccountValue(resource, shadow, 'uidNumber', uidnummer)
>                     return tmpUniqueLogin
>                 </code>
>             </script>
>         </postIterationCondition>
>     </iteration>
>     <mapping id="18">
>         <authoritative>true</authoritative>
>         <exclusive>false</exclusive>
>         <strength>strong</strength>
>         <expression>
>             <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
>                 <code>
>                     return 10000+iteration
>                 </code>
>             </script>
>         </expression>
>         <target>
>             <c:path>ri:uidNumber</c:path>
>         </target>
>     </mapping>
> </objectTemplate>
>
>
> <resource
>     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>     oid="7ea21d36-6438-425c-b81c-8be810210000" version="273">
>     <name>LDAP_2_with_Template</name>
>     <connectorRef oid="a4f34827-e130-4d54-8b48-7b4b2c52f51c" relation="org:default" type="c:ConnectorType"/>
>     <connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
>         [...]
>     </connectorConfiguration>
>     <schema>
>         <definition>
>             <xsd:schema
>                 xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
>                 xmlns:ra="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"
>                 xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>                 elementFormDefault="qualified"
>                 targetNamespace="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
>                 <xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
>                 <xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"/>
>                 </xsd:complexType>
>                 <xsd:complexType name="posixAccount">
>                     <xsd:annotation>
>                         <xsd:appinfo>
>                             <ra:resourceObject/>
>                             <ra:identifier>ri:entryUUID</ra:identifier>
>                             <ra:secondaryIdentifier>ri:dn</ra:secondaryIdentifier>
>                             <ra:displayNameAttribute>ri:dn</ra:displayNameAttribute>
>                             <ra:namingAttribute>ri:dn</ra:namingAttribute>
>                             <ra:nativeObjectClass>posixAccount</ra:nativeObjectClass>
>                             <ra:auxiliary>true</ra:auxiliary>
>                         </xsd:appinfo>
>                     </xsd:annotation>
>                     <xsd:sequence>
>                         <xsd:element name="uidNumber" type="xsd:int">
>                             <xsd:annotation>
>                                 <xsd:appinfo>
>                                     <a:displayOrder>190</a:displayOrder>
>                                     <ra:nativeAttributeName>uidNumber</ra:nativeAttributeName>
>                                     <ra:frameworkAttributeName>uidNumber</ra:frameworkAttributeName>
>                                 </xsd:appinfo>
>                             </xsd:annotation>
>                         </xsd:element>
>                     </xsd:sequence>
>                 </xsd:complexType>
>             </xsd:schema>
>         </definition>
>     </schema>
>     <schemaHandling>
>         <objectType id="68">
>             <kind>account</kind>
>             <intent>Employee</intent>
>             <displayName>Employee Account</displayName>
>             <default>true</default>
>             <objectClass>ri:inetOrgPerson</objectClass>
>             <auxiliaryObjectClass>ri:posixAccount</auxiliaryObjectClass>
>             <attribute id="70">
>                 <c:ref>ri:mail</c:ref>
>                 <tolerant>false</tolerant>
>                 <exclusiveStrong>true</exclusiveStrong>
>                 <outbound>
>                     <authoritative>true</authoritative>
>                     <exclusive>false</exclusive>
>                     <strength>strong</strength>
>                     <source>
>                         <c:path>$user/givenName</c:path>
>                     </source>
>                     <source>
>                         <c:path>$user/emailAddress</c:path>
>                     </source>
>                     <source>
>                         <c:path>$user/familyName</c:path>
>                     </source>
>                     <expression>
>                         <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
>                             <code>
>                                 if (emailAddress != null) {
>                                     return emailAddress
>                                 } else {
>                                     mailName = givenName.getNorm().tokenize()[0] + iterationToken + '.' + familyName.getNorm().replaceAll(" ", "_") + '@uni-due.de';
>                                     return mailName;
>                                 }
>                             </code>
>                         </script>
>                     </expression>
>                 </outbound>
>             </attribute>
>             <attribute id="131">
>                 <c:ref>ri:uidNumber</c:ref>
>                 <tolerant>true</tolerant>
>                 <exclusiveStrong>false</exclusiveStrong>
>                 <outbound>
>                     <authoritative>false</authoritative>
>                     <exclusive>false</exclusive>
>                     <strength>weak</strength>
>                     <expression>
>                         <value>0</value>
>                     </expression>
>                 </outbound>
>             </attribute>
>             <iteration>
>                 <maxIterations>1000</maxIterations>
>                 <postIterationCondition>
>                     <variable>
>                         <name>test</name>
>                         <c:path>$shadow/attributes/ri:mail</c:path>
>                     </variable>
>                     <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
>                         <trace>true</trace>
>                         <code>
>                             tmpUniqueLogin = midpoint.isUniqueAccountValue(resource, shadow, 'mail', test)
>                             return tmpUniqueLogin
>                         </code>
>                     </script>
>                 </postIterationCondition>
>             </iteration>
>         </objectType>
>     </schemaHandling>
>     <capabilities>[...]
>     </capabilities>
>     <synchronization>
>         <objectSynchronization>
>             <name>Employee sync</name>
>             <objectClass>inetOrgPerson</objectClass>
>             <objectClass>benvwAccount</objectClass>
>             <kind>account</kind>
>             <intent>Employee</intent>
>             <focusType>c:UserType</focusType>
>             <enabled>true</enabled>
>             <correlation>
>                 <q:equal>
>                     <q:path>c:name</q:path>
>                     <expression xmlns="">
>                         <path>$account/attributes/uid</path>
>                     </expression>
>                 </q:equal>
>             </correlation>
>             <objectTemplateRef oid="ea0f69ae-b5e6-4ef9-a206-8421814b977f" relation="org:default" type="c:ObjectTemplateType">
>                 <targetName>LDAP Template</targetName>
>             </objectTemplateRef>
>             <reconcile>true</reconcile>
>             <opportunistic>true</opportunistic>
>             [...]
>         </objectSynchronization>
>     </synchronization>
> </resource>
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
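
The distinction drawn in the reply above, shown as an added example that is not part of the original thread and not taken from the midPoint samples: an object template mapping that computes a user's fullName from givenName and familyName, next to a schema handling outbound mapping that pushes that user property to an account attribute. The template name, the weak strength and the choice of ri:cn as the target attribute are assumptions made for illustration.

```xml
<!-- Added example: two separate fragments, not one importable file. -->

<!-- 1. Object template: computes a focus (user) property from other
        properties of the same user. Sources and target are paths on the
        user object, never account attributes. -->
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Example User Template</name> <!-- hypothetical name -->
    <mapping>
        <strength>weak</strength> <!-- assumption: only fill an empty fullName -->
        <source>
            <path>givenName</path>
        </source>
        <source>
            <path>familyName</path>
        </source>
        <expression>
            <script>
                <code>givenName + ' ' + familyName</code>
            </script>
        </expression>
        <target>
            <path>fullName</path>
        </target>
    </mapping>
</objectTemplate>

<!-- 2. Schema handling: goes inside an <objectType> of the resource's
        <schemaHandling>. It maps the user property computed above to an
        account attribute (outbound). ri:cn is an assumed target. -->
<attribute xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
           xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <ref>ri:cn</ref>
    <outbound>
        <source>
            <path>$user/fullName</path>
        </source>
    </outbound>
</attribute>
```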
