[midPoint] Having trouble with LDAP connector
Brad Firestone
bhotrock at gmail.com
Mon Jul 29 22:45:17 CEST 2019
Hi Keith,
This is a quick and probably too short answer, but maybe this will point
you in the right direction.
I've set up the LDAP Group MetaRole to take care of this automatically.
This MetaRole is ASSIGNED to the Role and should create the actual
role/group in LDAP. I have found that after I import a Role into
midPoint, AND BEFORE adding anyone to that Role, I should Reconcile the
Role. This creates the group in LDAP and populates it with a dummy
placeholder since some LDAP servers don't like groups with zero members.
Please see these pages for more info:
https://evolveum.com/simplifying-ldap-group-management-using-midpoint/
https://wiki.evolveum.com/display/midPoint/Roles,+Metaroles+and+Generic+Synchronization
Also be sure that you've set up your LDAP Resource with the
<objectType>-<kind>ENTITLEMENT, and the <association> section. These
must be configured correctly for group creation and membership to
function correctly.
(Side note: I'm not sure which LDAP server you're using, but if it's
OpenLDAP, you'll need/want to have the memberOf overlay added into
OpenLDAP.)
I hope this helps.
Brad
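For readers who want to see what the ENTITLEMENT object type and the association section Brad refers to look like in practice, here is an added example of the schemaHandling part of a midPoint LDAP resource. It is illustrative and not taken from this thread or from Evolveum's own samples; the DN suffixes (ou=people / ou=groups under dc=example,dc=com), the intent name ldapGroup and the association name ri:ldapGroup are assumptions.

```xml
<!-- Added example: schemaHandling of a midPoint LDAP resource (not from the thread).
     DN suffixes, the intent "ldapGroup" and the association name are assumptions. -->
<schemaHandling xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

    <!-- Account object type: one LDAP entry per user -->
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <displayName>LDAP account</displayName>
        <default>true</default>
        <objectClass>ri:inetOrgPerson</objectClass>
        <attribute>
            <ref>ri:dn</ref>
            <outbound>
                <source><path>$focus/name</path></source>
                <expression>
                    <script>
                        <!-- uid=<user name>,ou=people,dc=example,dc=com (assumed suffix) -->
                        <code>basic.composeDnWithSuffix('uid', name, 'ou=people,dc=example,dc=com')</code>
                    </script>
                </expression>
            </outbound>
        </attribute>

        <!-- The association ties accounts to groups. objectToSubject means the
             group entry holds the membership (ri:member) and each value is an
             account DN. The memberOf shortcut lets midPoint read a user's groups
             from the account entry instead of scanning every group; on OpenLDAP
             that attribute only exists when the memberOf overlay is loaded. -->
        <association>
            <ref>ri:ldapGroup</ref>
            <displayName>LDAP group membership</displayName>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
            <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
            <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
            <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
        </association>
    </objectType>

    <!-- Entitlement object type: one LDAP group per midPoint role. $focus is the
         role when this construction is induced by the group metarole, so the
         group DN is derived from the role name. -->
    <objectType>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
        <displayName>LDAP group</displayName>
        <objectClass>ri:groupOfNames</objectClass>
        <attribute>
            <ref>ri:dn</ref>
            <outbound>
                <source><path>$focus/name</path></source>
                <expression>
                    <script>
                        <!-- cn=<role name>,ou=groups,dc=example,dc=com (assumed suffix) -->
                        <code>basic.composeDnWithSuffix('cn', name, 'ou=groups,dc=example,dc=com')</code>
                    </script>
                </expression>
            </outbound>
        </attribute>
    </objectType>
</schemaHandling>
```

The two object types are what let midPoint manage groups as first-class objects (entitlement shadows) rather than as a plain multivalued attribute on the account. Keep the group's objectClass and the association's `associationAttribute` consistent with the directory's actual schema (groupOfNames/member versus groupOfUniqueNames/uniqueMember), since a mismatch is a common reason why group creation succeeds but membership never appears.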
Keith LeValley wrote on 7/29/19 11:44 AM:
> I am creating a demo to show off Midpoint to some other IT members and
> I really would like to show how roles map to LDAP groups. I am not
> sure if I'm taking the right approach (if not please let me know).
>
> I started by copying much of the live demo site, where it has a CSV
> file that is used to import users into Midpoint and then an ldap
> server that does a live sync with users. This works well, but I
> really want to also live sync groups.
>
> So I created an org chart with some basic orgs and gave those orgs
> inducements to roles. This allows me to group several roles into an
> org, for instance (yes I am a big nerd) my user cbarton ("Hawkeye")
> has both roles "shield agent" and "Avenger". This is working well,
> but the last piece that I cannot seem to get to work is how to map
> those roles to ldap groups.
>
> So I have created a schema handling that scripts the dn of the group,
> but I do not know what attribute to use for the source when mapping
> the member field in ldap (what attribute in Midpoint defines the
> members in a role). I apologize if this is a really long email asking
> for a very simple answer, but I wanted to explain my approach in case
> this is not how I should be doing this.
>
> --
> Keith LeValley
> Identity Services Architect, Davenport University
> klevalley2 at davenport.edu
> <mailto:klevalley2 at davenport.edu>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
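Keith's question, which attribute in midPoint defines the members of a role, is answered by the metarole pattern from Brad's reply rather than by a source attribute: the membership comes from the role's own link to the group shadow. The following is an added example of such an LDAP Group Metarole, not from this thread or from Evolveum's samples; the resource OID is a placeholder and the intents (default, ldapGroup) and association name ri:ldapGroup are assumptions that must match the resource definition.

```xml
<!-- Added example: an LDAP Group Metarole (not from the thread).
     The resourceRef OID is a placeholder; intents and the association
     name are assumptions that must match the resource's schemaHandling. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>LDAP Group Metarole</name>

    <!-- Order-1 inducement (default): applies to the role that has this
         metarole assigned. It creates the LDAP group (entitlement shadow)
         for that role. Reconciling the role after import triggers this. -->
    <inducement>
        <construction>
            <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
        </construction>
    </inducement>

    <!-- Order-2 inducement: applies to the users who hold the role. It gives
         them an account and adds that account to the role's group through the
         association. associationFromLink resolves the group shadow linked to
         the role (the one created by the order-1 inducement), so no explicit
         "members" attribute on the role is needed. -->
    <inducement>
        <construction>
            <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:ldapGroup</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>ldapGroup</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>

<!-- A business role such as "Avenger" then only needs to assign the metarole:
     <assignment>
         <targetRef oid="METAROLE-OID-PLACEHOLDER" type="RoleType"/>
     </assignment>
     Every user assigned "Avenger" gets an account in the group cn=Avenger. -->
```

The order value is what separates the two effects: order 1 acts on the role itself, order 2 acts one step further along the assignment path, on the users. Because membership is derived from the role's link rather than a stored attribute, removing the user from the role (or the role from an org that induces it) removes the group membership on the next recompute or reconciliation, which is the behaviour you want for access revocation.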