[midPoint] Having trouble with LDAP connector
Pavol Mederly
mederly at evolveum.com
Mon Jul 29 20:10:28 CEST 2019
Hello Keith,
you are on the right track. But it's not a simple mapping of a property
to group "members" attribute. In fact, midPoint worked this way in
versions before 3.0. But since then, a very flexible and powerful
mechanism was introduced: generic synchronization
<https://wiki.evolveum.com/display/midPoint/Generic+Synchronization>.
To understand it, first you need to get acquainted with the concept of
entitlements <https://wiki.evolveum.com/display/midPoint/Entitlements>
and their associations to user accounts. Then please see something about
configuring assignments for entitlements
<https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-EntitlementAssociations>.
Unfortunately I am not sure if there's a description where it's all
collected in a single place. You can have a look at e.g.:
* https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test
* https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO
(a bit outdated - uses the now obsolete AD connector)
Or maybe someone else can point you (and me) to a more appropriate sample
or description.
Best regards,
Pavol Mederly
Software developer
evolveum.com
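To make the entitlement/association approach concrete, here is an added configuration excerpt (not from this thread and not midPoint's own sample files): a resource schemaHandling that declares the LDAP group as an entitlement object type and ties accounts to it through the group's member attribute, and a role that provisions its own group and adds every holder's account to it. It assumes the ConnId LDAP connector attribute and object-class names (ri:inetOrgPerson, ri:groupOfNames, ri:member, ri:dn), a placeholder resource OID, the intent name ldapGroup, and a constructed group suffix ou=Groups,dc=example,dc=com.

```xml
<!-- Resource schemaHandling excerpt: account and group are both resource object types -->
<schemaHandling>
  <objectType>
    <kind>account</kind><intent>default</intent>
    <objectClass>ri:inetOrgPerson</objectClass>
    <association>
      <ref>ri:ldapGroup</ref>                 <!-- name the role refers to -->
      <kind>entitlement</kind><intent>ldapGroup</intent>
      <direction>objectToSubject</direction>  <!-- membership is stored on the group -->
      <associationAttribute>ri:member</associationAttribute>  <!-- group attribute holding member DNs -->
      <valueAttribute>ri:dn</valueAttribute>   <!-- account attribute whose value is stored there -->
      <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
    </association>
  </objectType>
  <objectType>
    <kind>entitlement</kind><intent>ldapGroup</intent>
    <objectClass>ri:groupOfNames</objectClass>
    <attribute>
      <ref>ri:dn</ref>
      <outbound>
        <source><path>$focus/name</path></source>   <!-- focus is the role that owns the group -->
        <expression><script><code>basic.composeDnWithSuffix('cn', name, 'ou=Groups,dc=example,dc=com')</code></script></expression>
      </outbound>
    </attribute>
  </objectType>
</schemaHandling>

<!-- Role: the assignment creates the group for the role itself; the inducement
     adds every role holder's account to that group via the role's own group link -->
<role>
  <name>Avenger</name>
  <assignment>
    <construction>
      <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
      <kind>entitlement</kind><intent>ldapGroup</intent>
    </construction>
  </assignment>
  <inducement>
    <construction>
      <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
      <kind>account</kind><intent>default</intent>
      <association>
        <ref>ri:ldapGroup</ref>
        <outbound><expression><associationFromLink>
          <projectionDiscriminator><kind>entitlement</kind><intent>ldapGroup</intent></projectionDiscriminator>
        </associationFromLink></expression></outbound>
      </association>
    </construction>
  </inducement>
</role>
```

With this in place there is no "members" property to map on the midPoint side: membership is derived from who holds the role, and midPoint maintains the group's member attribute from the association.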
On 29.07.2019 18:44, Keith LeValley wrote:
> I am creating a demo to show off Midpoint to some other IT members and
> I really would like to show how roles map to LDAP groups. I am not
> sure if I'm taking the right approach (if not please let me know).
>
> I started by copying much of the live demo site, where it has a CSV
> file that is used to import users into Midpoint and then an ldap
> server that does a live sync with users. This works well, but I
> really want to also live sync groups.
>
> So I created an org chart with some basic orgs and gave those orgs
> inducements to roles. This allows me to group several roles into an
> org, for instance (yes I am a big nerd) my user cbarton ("Hawkeye")
> has both roles "shield agent" and "Avenger". This is working well,
> but the last piece that I cannot seem to get to work is how to map
> those roles to ldap groups.
>
> So I have created a schema handling that scripts the dn of the group,
> but I do not know what attribute to use for the source when mapping
> the member field in ldap (what attribute in Midpoint defines the
> members in a role). I apologize if this is a really long email asking
> for a very simple answer, but I wanted to explain my approach in case
> this is not how I should be doing this.
>
> --
> Keith LeValley
> Identity Services Architect, Davenport University
> klevalley2 at davenport.edu