[midPoint] LDAP role/group inducement

Jan Lievens jan.lievens at biggerfish.be
Wed Jan 15 16:19:46 CET 2020


Hi,

I have a question related to inducement construction on a role toward an
LDAP resource.
I have the following situation in midPoint (see the attachment for all the
xml files)
- Accounts and Entitlements (intent: privileges) are imported from a
ScriptedSQL connector.
- These imported entitlements have multiple privileges which are created as
roles with an "assignmentTargetSearch"
(post-initial-objects/210-entitlement-object-template.xml)
- I also have these privilege/roles defined with an assignment to
(multiple) fixed technical roles (kind:entitlement/intent:group).
- Lastly I would like for these technical roles (groups) and the associated
accounts to get synced to LDAP in an objectToSubject fashion. I do this
with inducements and construction tags in
post-initial-objects/100-profiles-webidm.xml.
- The result I get in LDAP is that accounts are synced correctly but the
group names are not what I expect (I expect technical role names
eg. JiraUser) but get the names of the Entitlements (intent:privileges)
defined in the DB.
- Additionally the associations are not synced (no uniqueMember refs are
synced on the LDAP groups).

Surely I am missing something here. I think this use case is quite standard
(a hierarchy of roles and only the leaves get synced to LDAP).
I have experimented with the order of the inducement but these came out
even more negative (no accounts or groups were created).
I also have experimented with the tolerant setting on the association
(since I find a lot of answers in this mailing list suggesting this) but to
no avail.
It is quite frustrating to be so close to having this use case implemented
DB->mP->LDAP but failing in the sync to LDAP.

Kind regards,
-- 
Jan Lievens
IT Consultant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: midpoint-home.zip
Type: application/zip
Size: 25085 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200115/6cf601c2/attachment.zip>
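For readers without the attachment, the following is the shape of the configuration this post is about: an LDAP resource whose group entitlement uses an objectToSubject association carried in uniqueMember, a metarole whose order-1 inducement gives each technical role its own LDAP group and whose order-2 inducement gives the users of that role an account plus group membership, a technical role (JiraUser) that assigns the metarole, and a parent role that induces the technical role. This is an added illustration written for this page, not the poster's midpoint-home.zip and not an Evolveum sample; the OIDs, the base DNs under dc=example,dc=com, the role names and the omitted connector configuration are placeholders.

```xml
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

  <!-- LDAP resource: only the schemaHandling part that matters for groups is shown.
       connectorRef and connectorConfiguration are omitted (placeholder OID). -->
  <resource oid="ef2bc95b-76e0-59e2-86d6-000000000001">
    <name>LDAP</name>
    <schemaHandling>
      <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <objectClass>ri:inetOrgPerson</objectClass>
        <attribute>
          <ref>ri:dn</ref>
          <outbound>
            <source><path>name</path></source>
            <expression>
              <script><code>basic.composeDnWithSuffix('uid', name, 'ou=people,dc=example,dc=com')</code></script>
            </expression>
          </outbound>
        </attribute>
        <attribute>
          <ref>ri:cn</ref>
          <outbound><source><path>fullName</path></source></outbound>
        </attribute>
        <attribute>
          <ref>ri:sn</ref>
          <outbound><source><path>familyName</path></source></outbound>
        </attribute>
        <!-- objectToSubject: membership is stored on the group object (uniqueMember),
             and the value written there is the account's dn. -->
        <association>
          <ref>ri:group</ref>
          <kind>entitlement</kind>
          <intent>group</intent>
          <direction>objectToSubject</direction>
          <associationAttribute>ri:uniqueMember</associationAttribute>
          <valueAttribute>ri:dn</valueAttribute>
          <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
        </association>
      </objectType>
      <objectType>
        <kind>entitlement</kind>
        <intent>group</intent>
        <objectClass>ri:groupOfUniqueNames</objectClass>
        <attribute>
          <ref>ri:dn</ref>
          <outbound>
            <source><path>name</path></source>
            <expression>
              <script><code>basic.composeDnWithSuffix('cn', name, 'ou=groups,dc=example,dc=com')</code></script>
            </expression>
          </outbound>
        </attribute>
      </objectType>
    </schemaHandling>
  </resource>

  <!-- Metarole assigned to every technical role that should exist as an LDAP group. -->
  <role oid="ef2bc95b-76e0-59e2-86d6-000000000002">
    <name>LDAP group metarole</name>
    <!-- order 1 (default): applies to the technical role itself -> creates its group,
         named after the role, so the group is called JiraUser, not after a parent role -->
    <inducement>
      <construction>
        <resourceRef oid="ef2bc95b-76e0-59e2-86d6-000000000001" type="ResourceType"/>
        <kind>entitlement</kind>
        <intent>group</intent>
      </construction>
    </inducement>
    <!-- order 2: applies to the users holding the technical role -> account plus
         membership in the group linked to that role (found through the role's link) -->
    <inducement>
      <construction>
        <resourceRef oid="ef2bc95b-76e0-59e2-86d6-000000000001" type="ResourceType"/>
        <kind>account</kind>
        <intent>default</intent>
        <association>
          <ref>ri:group</ref>
          <outbound>
            <expression>
              <associationFromLink>
                <projectionDiscriminator>
                  <kind>entitlement</kind>
                  <intent>group</intent>
                </projectionDiscriminator>
              </associationFromLink>
            </expression>
          </outbound>
        </association>
      </construction>
      <order>2</order>
    </inducement>
  </role>

  <!-- Technical role (leaf): becomes the LDAP group cn=JiraUser via the metarole. -->
  <role oid="ef2bc95b-76e0-59e2-86d6-000000000003">
    <name>JiraUser</name>
    <assignment>
      <targetRef oid="ef2bc95b-76e0-59e2-86d6-000000000002" type="RoleType"/>
    </assignment>
  </role>

  <!-- Parent role: an inducement (not an assignment) hands the leaf role, and with it
       the order-2 account/membership construction, to whoever holds this role. -->
  <role oid="ef2bc95b-76e0-59e2-86d6-000000000004">
    <name>Jira privilege</name>
    <inducement>
      <targetRef oid="ef2bc95b-76e0-59e2-86d6-000000000003" type="RoleType"/>
    </inducement>
  </role>
</objects>
```

Two things to check against the target directory before relying on this: with explicitReferentialIntegrity midPoint writes uniqueMember on the group itself, so the connector account needs write access to ou=groups, and a server with a strict schema (OpenLDAP's core schema makes uniqueMember mandatory for groupOfUniqueNames) may refuse to create a group with no members yet, which shows up as a group that never appears rather than as an association error.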