[midPoint] OpenLDAP Group Member Error

Oleksandr Nekriach o.nekriach at dynatech.lv
Fri May 17 18:20:30 CEST 2019


Okay, try to move the mapping section of the dummy user from the Resource to the MetaRole.

Example:
 <inducement>
      <construction>
         <resourceRef oid="00000000-0000-0000-0000-23423423123"
                      relation="org:default"
                      type="c:ResourceType"><!-- LDAP --></resourceRef>
         <kind>entitlement</kind>
         <intent>Group</intent>
         <attribute>
            <c:ref>ri:member</c:ref>
            <outbound>
               <strength>weak</strength>
               <expression>
                  <value>uid=dummy,ou=Test,dc=example,dc=org</value>
               </expression>
            </outbound>
         </attribute>
      </construction>
   </inducement>

On Fri, 17 May 2019 at 19:08, Brad Firestone <bhotrock at gmail.com> wrote:

> Hi Oleksandr,
> Thanks for the response!!
> I guess I should have posted the connectorConfiguration section too.  I've
> already included memberOf.  Here's that section of the LDAP Resource:
>
>  <connectorConfiguration
>             xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
>             xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
>         <icfc:configurationProperties>
>             <icfcldap:port>636</icfcldap:port>
>             <icfcldap:host>ldap02.example.com</icfcldap:host>
>             <icfcldap:baseContext>ou=users,ou=accounts,dc=example,dc=com</icfcldap:baseContext>
>             <icfcldap:bindDn>cn=admin,dc=example,dc=com</icfcldap:bindDn>
>             <icfcldap:bindPassword><t:clearValue>secret</t:clearValue></icfcldap:bindPassword>
>             <icfcldap:connectionSecurity>ssl</icfcldap:connectionSecurity>
>             <icfcldap:usePermissiveModify>always</icfcldap:usePermissiveModify>
>             <icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
>             <icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm>
>             <icfcldap:vlvSortAttribute>cn</icfcldap:vlvSortAttribute>
>             <icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
>             <icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
>             <icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
>         </icfc:configurationProperties>
>         <icfc:resultsHandlerConfiguration>
>             <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
>             <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
>             <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
>         </icfc:resultsHandlerConfiguration>
>     </connectorConfiguration>
>
> Do you see anything else that I might be missing?
> Thanks again!
>
> Oleksandr Nekriach wrote on 5/17/19 10:53 AM:
>
> Hi Brad,
> Try to add the value "memberOf" to the operationalAttributes configuration
> setting on your LDAP resource in IDM.
>
> Best regards,
> Oleksandr
>
> On Fri, 17 May 2019 at 18:34, Brad Firestone <bhotrock at gmail.com> wrote:
>
>> I'm running midPoint 3.9 with LDAP connector 2.0, connecting to OpenLDAP
>> version 2.4.45+dfsg-1ubuntu1. The memberOf, refInt, lastBind, and sssvlv
>> overlays are installed.
>>
>> I've been trying to setup LDAP group management according to the Wiki and
>> other docs I've found.  Automatic groupOfNames creation in
>> "ou=roles,ou=accounts,dc=example,dc=com" is working fine when I create a
>> Role with an Assignment of the LDAP Group Metarole.  So that seems like
>> most of the connection is working correctly.
>>
>> But I'm getting the following error message when I try to add a user to a
>> Role that should put them in the LDAP Group.
>> -------
>> Operation:
>> operation.org.identityconnectors.framework.api.ConnectorFacade.updateDelta
>>
>> Message:  Unknown UID: LDAP entry for UID Attribute: {Name=__UID__,
>> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
>> {Name=__NAME__, Value=[cn=test
>> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found
>>
>> Parameters:  uid    [caed9d00-0c8c-1039-98e5-a53942dc29e0]
>> attributesDelta:    [[Attribute: {Name=member,
>> ValuesToAdd=[cn=testuser,ou=users,ou=accounts,dc=example,dc=com],
>> ValuesToRemove=null,
>> ValuesToReplace=null}]]
>> objectClass:    [crOCD ({
>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3
>> }groupOfNames)]
>> options:    [OperationOptions: {}]
>>
>> Context:  connector    [class
>> org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl]
>>
>> Error:
>> org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
>> entry for UID Attribute: {Name=__UID__,
>> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
>> {Name=__NAME__, Value=[cn=test
>> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found)
>> -------
>>
>> Here is the Association section from the LDAP Resource:
>>         <association>
>>                 <ref>ri:ldapGroup</ref>
>>                 <tolerant>false</tolerant>
>>                 <displayName>LDAP Group Membership</displayName>
>>                 <kind>entitlement</kind>
>>                 <intent>ldapGroup</intent>
>>                 <direction>objectToSubject</direction>
>>                 <associationAttribute>ri:member</associationAttribute>
>>                 <valueAttribute>ri:dn</valueAttribute>
>>                 <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>                 <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>>         </association>
>>
>> And the Entitlement Object section from the LDAP Resource:
>>         <objectType>
>>             <kind>entitlement</kind>
>>             <intent>ldapGroup</intent>
>>             <displayName>LDAP Group</displayName>
>>             <objectClass>ri:groupOfNames</objectClass>
>>
>>             <attribute>
>>                 <ref>ri:dn</ref>
>>                 <matchingRule>mr:distinguishedName</matchingRule>
>>                 <outbound>
>>                     <!-- Name cannot be weak. Changes in name trigger object rename. -->
>>                     <source>
>>                         <path>$focus/name</path>
>>                     </source>
>>                     <expression>
>>                         <script>
>>                             <code>
>>                                 import javax.naming.ldap.Rdn
>>                                 import javax.naming.ldap.LdapName
>>
>>                                 dn = new LdapName('ou=roles,ou=accounts,dc=example,dc=org')
>>                                 dn.add(new Rdn('cn', name.toString()))
>>                                 return dn.toString()
>>                             </code>
>>                         </script>
>>                     </expression>
>>                 </outbound>
>>             </attribute>
>>             <attribute>
>>                 <ref>ri:member</ref>
>>                 <matchingRule>mr:distinguishedName</matchingRule>
>>                 <fetchStrategy>minimal</fetchStrategy>
>>                 <outbound>
>>                     <strength>strong</strength>
>>                     <!-- Workaround - groupOfNames MUST have at least one member. Even non-existent DN. -->
>>                     <expression>
>>                         <value>cn=dummy,o=whatever</value>
>>                     </expression>
>>                 </outbound>
>>             </attribute>
>>             <attribute>
>>                 <ref>ri:cn</ref>
>>                 <matchingRule>mr:stringIgnoreCase</matchingRule>
>>                 <outbound>
>>                     <strength>weak</strength>
>>                     <source>
>>                         <path>$focus/name</path>
>>                     </source>
>>                 </outbound>
>>             </attribute>
>>             <attribute>
>>                 <ref>ri:description</ref>
>>                 <outbound>
>>                     <source>
>>                         <path>description</path>
>>                     </source>
>>                 </outbound>
>>             </attribute>
>>             <configuredCapabilities>
>>                 <cap:pagedSearch>
>>                     <cap:defaultSortField>ri:cn</cap:defaultSortField>
>>                 </cap:pagedSearch>
>>             </configuredCapabilities>
>>         </objectType>
>>
>> I'm not sure if there are other important configs that would be helpful
>> to see.  I'll be happy to post anything that's helpful.
>>
>> This may be a related issue that might help locate the issue:  When I
>> look at the Accounts tab of the Resource in the GUI, Search In: Resource
>> gives a list of Accounts on the server.  However, doing the same in the
>> Entitlements tab, with the Intent set to ldapGroup, does not display any
>> entries, even though there are groups on the server.
>>
>> One last thing that might help diagnose this: if I try to remove the
>> LDAP Group Metarole assignment from the Role (hoping it would delete the
>> groupOfNames from the server), I get the following error:
>> --------
>> Can't delete object shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=test
>> role,ou=roles,ou=accounts,dc=example,dc=com). Reason:
>> org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
>> entry for UID Attribute: {Name=__UID__,
>> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
>> {Name=__NAME__, Value=[cn=test
>> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found): Can't delete
>> object shadow:7a74941f-a6cb-4af4-b012-d75cd4c57af7(cn=Test
>> Role,ou=roles,ou=accounts,dc=example,dc=com). Reason:
>> org.identityconnectors.framework.common.exceptions.UnknownUidException(LDAP
>> entry for UID Attribute: {Name=__UID__,
>> Value=[caed9d00-0c8c-1039-98e5-a53942dc29e0], NameHint=Attribute:
>> {Name=__NAME__, Value=[cn=test
>> role,ou=roles,ou=accounts,dc=example,dc=com]}} was not found)
>>
>> -------
>> I'm reasonably sure I just have something out of place somewhere.
>> Hopefully someone can spot what I've done wrong.
>> Thank you!
>> Brad
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
>
> --
> Best regards,
>
>
>
> Oleksandr Nekriach | Identity and access management engineer
>
> Dynatech, Jeruzalemes iela 1, Rīga, LV-1010, Latvia

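Two mechanisms in the quoted configuration can be checked offline, so here is an added example in Python, written for this page; it is not midPoint's code and not from anyone in the thread. The ri:dn mapping relies on javax.naming.ldap.Rdn to escape the role name before it becomes an RDN, and the association relies on mr:distinguishedName matching, which compares DNs case-insensitively. The block reimplements RFC 4514 value escaping, an approximation of that matching rule, and a scope check that reports which DNs lie outside a given baseContext; a search rooted at the base cannot return entries outside it, so this is worth confirming whenever a connector reports an entry as not found. The DN values are copied from the quoted connector configuration and error messages; the function names and the sample role name "ops,team" are this example's own, and the scope check shows a check, not a diagnosis of the thread's problem.

```python
"""DN helpers: RFC 4514 escaping, distinguishedName-style comparison and
search-base scoping.  Added example; not midPoint's code and not from the
thread.  DN constants below are copied from the quoted messages; the helper
names are this example's own."""

# Characters that must be backslash-escaped inside an RDN value
# (RFC 4514 section 2.4).  Leading '#', NUL, and leading/trailing spaces
# are handled separately in escape_rdn_value().
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a value for use as cn=<value> in an RDN.

    This is the job javax.naming.ldap.Rdn does for the Groovy mapping in
    the thread.  Plain string concatenation would let a role name such as
    'ops,team' change the DN structure instead of staying a literal cn.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_group_dn(name: str, base: str) -> str:
    """Mirror of the thread's ri:dn outbound mapping: cn=<name>,<base>."""
    return "cn=" + escape_rdn_value(name) + "," + base


def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) pairs, honouring backslash escapes.

    Values come back unescaped.  Multi-valued RDNs ('+') and hex-pair
    escapes are not handled; none of the DNs in this thread need them.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                        # unescaped comma ends an RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        t, v = rdn.split("=", 1)
        pairs.append((t.strip(), v.strip()))
    return pairs


def normalize(dn: str) -> list:
    """Approximate mr:distinguishedName: types and values compared
    case-insensitively with surrounding/repeated whitespace collapsed.
    (Strictly the value rule depends on each attribute's syntax; for
    cn, ou and dc the OpenLDAP schema uses case-insensitive matching.)"""
    return [(t.lower(), " ".join(v.split()).lower()) for t, v in parse_dn(dn)]


def same_dn(a: str, b: str) -> bool:
    return normalize(a) == normalize(b)


def is_under(dn: str, base: str) -> bool:
    """True if dn lies strictly below base, i.e. base is a proper suffix."""
    d, b = normalize(dn), normalize(base)
    return len(d) > len(b) and d[len(d) - len(b):] == b


def out_of_scope(base: str, dns) -> list:
    """Return the DNs a search rooted at base can never return."""
    return [dn for dn in dns if not is_under(dn, base)]


# Values copied from the thread: the connector's baseContext and the DNs in
# the quoted configuration and error messages.
BASE_CONTEXT = "ou=users,ou=accounts,dc=example,dc=com"
THREAD_DNS = [
    "cn=testuser,ou=users,ou=accounts,dc=example,dc=com",   # account in the delta
    "cn=test role,ou=roles,ou=accounts,dc=example,dc=com",  # group named in the error
    build_group_dn("test role", "ou=roles,ou=accounts,dc=example,dc=org"),  # what the mapping builds
]

if __name__ == "__main__":
    for dn in out_of_scope(BASE_CONTEXT, THREAD_DNS):
        print("not under baseContext:", dn)
    print("escaped:", build_group_dn("ops,team", "ou=roles,dc=example,dc=com"))
```

Running it lists the DNs that fall outside ou=users,ou=accounts,dc=example,dc=com and shows how a role name containing a comma is escaped rather than spliced into the DN; same_dn also treats "cn=Test Role" and "cn=test role" as equal, which is why the two spellings in the quoted delete error do not by themselves indicate two different entries.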