[midPoint] midpoint group synchronization with ldap
Skrzek Jaroslaw
Jaroslaw.Skrzek at exence.com
Thu Nov 14 13:59:45 CET 2019
Hi,
I'd like to add users to an existing ldap group using midpoint.
I have a metarole
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="8dc821c4-b7ef-4092-a1b3-1a6ff437b0ed" version="11">
  <name>Metarole for groups</name>
  <!-- order 1 (default): the role holding this metarole gets a group entitlement projection -->
  <inducement id="5">
    <construction>
      <resourceRef oid="8a83b1a4-be18-11e6-ae84-7301fdab1d7c" relation="org:default" type="c:ResourceType">
        <!-- OpenLDAP TEST -->
      </resourceRef>
      <kind>entitlement</kind>
      <intent>Group</intent>
    </construction>
  </inducement>
  <!-- order 2: users assigned that role get an account whose ri:group association links to the group shadow -->
  <inducement id="6">
    <construction>
      <resourceRef oid="8a83b1a4-be18-11e6-ae84-7301fdab1d7c" relation="org:default" type="c:ResourceType">
        <!-- OpenLDAP TEST -->
      </resourceRef>
      <kind>account</kind>
      <intent>default</intent>
      <association id="7">
        <c:ref>ri:group</c:ref>
        <outbound>
          <expression>
            <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
              <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                <kind>entitlement</kind>
                <intent>Group</intent>
              </projectionDiscriminator>
            </associationFromLink>
          </expression>
        </outbound>
      </association>
    </construction>
    <order>2</order>
  </inducement>
</role>
The association in the resource config:
<association id="15">
  <c:ref>ri:group</c:ref>
  <displayName>LDAP Group Membership</displayName>
  <kind>entitlement</kind>
  <intent>Group</intent>
  <direction>objectToSubject</direction>
  <associationAttribute>ri:member</associationAttribute>
  <valueAttribute>ri:dn</valueAttribute>
  <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
  <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
</association>
And a corresponding object type:
<objectType id="16">
  <kind>entitlement</kind>
  <intent>Group</intent>
  <default>true</default>
  <objectClass>ri:groupOfNames</objectClass>
  <baseContext>
    <objectClass>ri:organizationalUnit</objectClass>
    <filter>
      <q:equal>
        <q:path>attributes/dn</q:path>
        <q:value>ou=groups,dc=test1,dc=test2,dc=test3,dc=test4</q:value>
      </q:equal>
    </filter>
  </baseContext>
  <attribute id="21">
    <c:ref>ri:member</c:ref>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
    <outbound>
      <strength>strong</strength>
      <expression>
        <value>cn=dummy,o=whatever</value>
      </expression>
    </outbound>
  </attribute>
  <attribute id="22">
    <c:ref>ri:cn</c:ref>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
    <outbound>
      <strength>weak</strength>
      <source>
        <c:path>$focus/identifier</c:path>
      </source>
    </outbound>
  </attribute>
  <attribute id="23">
    <c:ref>ri:description</c:ref>
    <outbound>
      <source>
        <c:path>description</c:path>
      </source>
    </outbound>
  </attribute>
  <attribute id="20">
    <c:ref>ri:dn</c:ref>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
    <tolerant>true</tolerant>
    <exclusiveStrong>false</exclusiveStrong>
    <outbound>
      <source>
        <c:path>$focus/identifier</c:path>
      </source>
      <expression>
        <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
          <code>
            import javax.naming.ldap.Rdn
            import javax.naming.ldap.LdapName
            // build cn=&lt;identifier&gt;,ou=groups,... from the role's identifier
            dn = new LdapName('ou=groups,dc=test1,dc=test2,dc=test3,dc=test4')
            dn.add(new Rdn('cn', identifier.toString()))
            return dn.toString()
          </code>
        </script>
      </expression>
    </outbound>
  </attribute>
  <activation>
    <administrativeStatus>
      <outbound id="9">
        <strength>weak</strength>
        <expression>
          <c:path xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="t:ItemPathType">$focusExists</c:path>
        </expression>
      </outbound>
    </administrativeStatus>
  </activation>
</objectType>
The metarole is assigned to a custom role and the custom role is assigned to a user. Unfortunately, that works only if a group doesn't exist in LDAP. When it does exist, I get the error:
com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException: Error processing account(no ID, type 'Group', resource:8a83b1a4-be18-11e6-ae84-7301fdab1d7c(OpenLDAP TEST)): constraint violation: Found conflicting existing object with attribute {.../resource/instance-3}dn = [ cn=pre-test3,ou=groups,dc=test1,dc= test2,dc= test3,dc= test4 ]: shadow:f14ebe2c-61f6-4069-8ca2-1b41324fed3b(cn=pre-test3,ou=groups,dc= test1,dc= test2,dc= test3,dc= test4)
What can be wrong with that?
Pozdrawiam / Best regards
Jarosław Skrzek
Senior Software Engineer
GSM: +48 601 308 901
e-mail: jaroslaw.skrzek at exence.com
Exence S.A. | ul. Szwedzka 5, Bielany Wrocławskie | 55-040 Kobierzyce
tel.: +48 71 782 06 00 | fax: +48 71 782 06 01
https://www.exence.com | e-mail: office at exence.com
District Court for Wrocław-Fabryczna in Wrocław, 6th Commercial Division, KRS no. 0000413027
Share capital: PLN 208,400.00, fully paid up; NIP: 899-273-40-56, REGON: 021834967
This message may contain confidential and/or legally protected information. If you are not its intended recipient (or have received this message by mistake), please notify the sender and delete the message. Copying, disclosing or distributing the information without the sender's consent is prohibited.
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail by mistake) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
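As an added example (not the poster's configuration or midPoint code), the script below rebuilds the group DN the way the outbound script on ri:dn does and compares it, under an approximation of the distinguishedName matching rule (case-insensitive, whitespace around separators ignored), with the shadow DN quoted in the error; the two compare equal, which is precisely the conflict midPoint reports. The RFC 4514 escaping of the identifier and the normalisation rules are this example's own assumptions, not taken from the page.

```python
"""Reproduce the ri:dn outbound mapping and the DN conflict from the error.

Added example; the base context and DNs are taken from the post, the escaping
and the normalisation rules are assumptions approximating LDAP DN matching.
"""
import re

# base context of the Group object type, as in the poster's resource config
BASE = "ou=groups,dc=test1,dc=test2,dc=test3,dc=test4"

# characters RFC 4514 requires to be escaped inside an RDN attribute value
_SPECIAL = re.compile(r'(["+,;<>\\])')


def escape_rdn_value(value: str) -> str:
    """Escape an identifier so it stays a single RDN value (assumed rules)."""
    escaped = _SPECIAL.sub(r"\\\1", value)
    if escaped.startswith(("#", " ")):   # leading '#' or space must be escaped
        escaped = "\\" + escaped
    if escaped.endswith(" "):            # so must a trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_group_dn(identifier: str, base: str = BASE) -> str:
    """Same result as the Groovy: LdapName(base).add(Rdn('cn', identifier))."""
    return f"cn={escape_rdn_value(identifier)},{base}"


def split_rdns(dn: str) -> list:
    """Split on commas that are not escaped; strip surrounding whitespace."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def normalize_dn(dn: str) -> str:
    """Approximate mr:distinguishedName: lower-case, no space around '=' or ','."""
    parts = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def conflicts(candidate_dn: str, existing_dn: str) -> bool:
    """True when both DNs name the same entry under the matching rule."""
    return normalize_dn(candidate_dn) == normalize_dn(existing_dn)


# DN of the pre-existing shadow, copied from the error message in the post
EXISTING = "cn=pre-test3,ou=groups,dc= test1,dc= test2,dc= test3,dc= test4"

if __name__ == "__main__":
    candidate = build_group_dn("pre-test3")
    print(candidate, "conflicts with existing shadow:", conflicts(candidate, EXISTING))
```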