[midPoint] midpoint group synchronization with ldap
Pavol Mederly
mederly at evolveum.com
Mon Nov 25 15:22:49 CET 2019
Hello Jarosław,
you'd need to configure the "synchronization" section for your LDAP
resource. MidPoint needs to know how to link an existing (conflicting) LDAP
object with the midPoint role.
Best regards,
Pavol Mederly
Software developer
evolveum.com
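As an added illustration (not part of Pavol's reply, and not taken from the midPoint documentation or the questioner's resource), here is what such a synchronization section for the `entitlement`/`Group` object type could look like. It correlates an existing LDAP group with a midPoint role by comparing the group's `cn` with the role's `identifier`, the same pair the questioner already uses in the outbound `ri:cn` mapping. The `synchronization` element sits at the top level of the resource next to `schemaHandling`; the `q` prefix is the query namespace the resource already declares. The element values and the reaction set are assumptions for this setup.

```xml
<!-- Added example: top-level <synchronization> element of the OpenLDAP resource.
     Assumed configuration, not the original poster's resource definition. -->
<synchronization>
    <objectSynchronization>
        <name>LDAP group to midPoint role</name>
        <!-- Must match the kind/intent of the objectType in schemaHandling -->
        <kind>entitlement</kind>
        <intent>Group</intent>
        <objectClass>ri:groupOfNames</objectClass>
        <!-- The focus that owns a group shadow is a role, not a user -->
        <focusType>RoleType</focusType>
        <enabled>true</enabled>

        <!-- Correlation: which role does this group belong to?
             Compares role 'identifier' with the group's cn attribute.
             The mr:stringIgnoreCase rule on ri:cn in schemaHandling makes
             the comparison case-insensitive. -->
        <correlation>
            <q:equal>
                <q:path>identifier</q:path>
                <expression>
                    <path>$projection/attributes/ri:cn</path>
                </expression>
            </q:equal>
        </correlation>

        <!-- Already linked: keep the shadow and role in sync -->
        <reaction>
            <situation>linked</situation>
            <synchronize>true</synchronize>
        </reaction>

        <!-- Group exists in LDAP, a role with a matching identifier exists,
             but no link yet: link the shadow to the role. This is the
             situation behind the ObjectAlreadyExistsException above. -->
        <reaction>
            <situation>unlinked</situation>
            <synchronize>true</synchronize>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
            </action>
        </reaction>

        <!-- Group disappeared from LDAP: drop the link, keep the role -->
        <reaction>
            <situation>deleted</situation>
            <synchronize>true</synchronize>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
            </action>
        </reaction>

        <!-- 'unmatched' (group with no corresponding role) is deliberately
             left without an action. Adding an addFocus reaction here would
             make an import or reconciliation create a midPoint role for
             every group under ou=groups, which may not be wanted. -->
    </objectSynchronization>
</synchronization>
```

When provisioning runs into the conflicting group, midPoint discovers the conflicting shadow and runs it through this synchronization; with the `unlinked` reaction set to `link`, the shadow is attached to the role and the operation is retried instead of failing. Two points to check before relying on it. First, correlation on `cn` means a group that someone pre-created under `ou=groups` with a matching name will be adopted by the role; since `ri:member` in the posted object type is tolerant (the default), any members already in that group are kept, so set `<tolerant>false</tolerant>` on `ri:member` if membership should be fully under midPoint's control. Second, run the configuration against a test role and an existing group before enabling it broadly, and look at the shadow's synchronization situation in the repository to confirm it ends up `linked`.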
On 14.11.2019 13:59, Skrzek Jaroslaw wrote:
>
> Hi,
>
> I'd like to add users to an existing LDAP group using midPoint.
>
> I have a metarole:
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>       oid="8dc821c4-b7ef-4092-a1b3-1a6ff437b0ed" version="11">
>     <name>Metarole for groups</name>
>     <!-- Order 1 (default): the role that holds this metarole gets its own LDAP group -->
>     <inducement id="5">
>         <construction>
>             <resourceRef oid="8a83b1a4-be18-11e6-ae84-7301fdab1d7c" relation="org:default" type="c:ResourceType">
>                 <!-- OpenLDAP TEST -->
>             </resourceRef>
>             <kind>entitlement</kind>
>             <intent>Group</intent>
>         </construction>
>     </inducement>
>     <!-- Order 2: users assigned that role get an account whose ri:group association points at the group above -->
>     <inducement id="6">
>         <construction>
>             <resourceRef oid="8a83b1a4-be18-11e6-ae84-7301fdab1d7c" relation="org:default" type="c:ResourceType">
>                 <!-- OpenLDAP TEST -->
>             </resourceRef>
>             <kind>account</kind>
>             <intent>default</intent>
>             <association id="7">
>                 <c:ref>ri:group</c:ref>
>                 <outbound>
>                     <expression>
>                         <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                                              xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
>                             <!-- Take the group from the shadow linked to the role (kind/intent below) -->
>                             <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>                                 <kind>entitlement</kind>
>                                 <intent>Group</intent>
>                             </projectionDiscriminator>
>                         </associationFromLink>
>                     </expression>
>                 </outbound>
>             </association>
>         </construction>
>         <order>2</order>
>     </inducement>
> </role>
>
> The association in the resource config:
>
> <association id="15">
>     <c:ref>ri:group</c:ref>
>     <displayName>LDAP Group Membership</displayName>
>     <kind>entitlement</kind>
>     <intent>Group</intent>
>     <!-- Membership is stored on the group (member), with memberOf on the account as a read shortcut -->
>     <direction>objectToSubject</direction>
>     <associationAttribute>ri:member</associationAttribute>
>     <valueAttribute>ri:dn</valueAttribute>
>     <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
> </association>
>
> And a corresponding object type:
>
> <objectType id="16">
>     <kind>entitlement</kind>
>     <intent>Group</intent>
>     <default>true</default>
>     <objectClass>ri:groupOfNames</objectClass>
>     <!-- Groups live under ou=groups -->
>     <baseContext>
>         <objectClass>ri:organizationalUnit</objectClass>
>         <filter>
>             <q:equal>
>                 <q:path>attributes/dn</q:path>
>                 <q:value>ou=groups,dc=test1,dc=test2,dc=test3,dc=test4</q:value>
>             </q:equal>
>         </filter>
>     </baseContext>
>     <!-- groupOfNames requires at least one member; a placeholder DN is always present -->
>     <attribute id="21">
>         <c:ref>ri:member</c:ref>
>         <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
>         <outbound>
>             <strength>strong</strength>
>             <expression>
>                 <value>cn=dummy,o=whatever</value>
>             </expression>
>         </outbound>
>     </attribute>
>     <!-- cn comes from the role's identifier -->
>     <attribute id="22">
>         <c:ref>ri:cn</c:ref>
>         <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>         <outbound>
>             <strength>weak</strength>
>             <source>
>                 <c:path>$focus/identifier</c:path>
>             </source>
>         </outbound>
>     </attribute>
>     <attribute id="23">
>         <c:ref>ri:description</c:ref>
>         <outbound>
>             <source>
>                 <c:path>description</c:path>
>             </source>
>         </outbound>
>     </attribute>
>     <!-- dn is built as cn=<identifier>,ou=groups,... -->
>     <attribute id="20">
>         <c:ref>ri:dn</c:ref>
>         <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:distinguishedName</matchingRule>
>         <tolerant>true</tolerant>
>         <exclusiveStrong>false</exclusiveStrong>
>         <outbound>
>             <source>
>                 <c:path>$focus/identifier</c:path>
>             </source>
>             <expression>
>                 <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
>                     <code>
>                         import javax.naming.ldap.Rdn
>                         import javax.naming.ldap.LdapName
>
>                         // LdapName/Rdn escape special characters in the identifier for us
>                         dn = new LdapName('ou=groups,dc=test1,dc=test2,dc=test3,dc=test4')
>                         dn.add(new Rdn('cn', identifier.toString()))
>                         return dn.toString()
>                     </code>
>                 </script>
>             </expression>
>         </outbound>
>     </attribute>
>     <activation>
>         <administrativeStatus>
>             <outbound id="9">
>                 <strength>weak</strength>
>                 <expression>
>                     <c:path xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="t:ItemPathType">$focusExists</c:path>
>                 </expression>
>             </outbound>
>         </administrativeStatus>
>     </activation>
> </objectType>
>
> The metarole is assigned to a custom role and the custom role is
> assigned to a user. Unfortunately that works only if the group doesn't
> exist in LDAP. When it does exist, I get the error:
>
> com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException:
> Error processing account(no ID, type 'Group', resource:8a83b1a4-be18-11e6-ae84-7301fdab1d7c(OpenLDAP TEST)):
> constraint violation: Found conflicting existing object with attribute
> {.../resource/instance-3}dn = [ cn=pre-test3,ou=groups,dc=test1,dc=test2,dc=test3,dc=test4 ]:
> shadow:f14ebe2c-61f6-4069-8ca2-1b41324fed3b(cn=pre-test3,ou=groups,dc=test1,dc=test2,dc=test3,dc=test4)
>
> What can be wrong with that?
>
> Best regards
>
> Jarosław Skrzek
> Senior Software Engineer
>
> GSM: +48 601 308 901
> e-mail: jaroslaw.skrzek at exence.com
>
> Exence S.A. | ul. Szwedzka 5, Bielany Wrocławskie | 55-040 Kobierzyce
> tel.: +48 71 782 06 00 | fax: +48 71 782 06 01
> https://www.exence.com | e-mail: office at exence.com
>
> District Court for Wrocław-Fabryczna in Wrocław, 6th Commercial Division, KRS no. 0000413027
>
> Share capital: PLN 208,400.00, fully paid up; NIP: 899-273-40-56, REGON: 021834967
>
> This e-mail may contain confidential and/or privileged information.
> If you are not the intended recipient (or have received this e-mail by
> mistake) please notify the sender immediately and destroy this e-mail.
> Any unauthorized copying, disclosure or distribution of the material
> in this e-mail is strictly forbidden.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint