[midPoint] midPoint Digest, Vol 93, Issue 8

Keith LeValley klevalley2 at davenport.edu
Wed Jan 15 16:45:50 CET 2020


Not sure if this is what you're looking for but the name of the group in
LDAP should be handled in the schema handling section of the connector.  I
assume you have two entitlements, one for groups and one for users.

Below is the code I use to map the name of my groups (I found it online and
sorry I do not remember where from). The mapping is from dn to name.

<script xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
    <code>
        import javax.naming.ldap.Rdn
        import javax.naming.ldap.LdapName

        // Start from the fixed container that holds all groups
        dn = new LdapName('ou=Groups,dc=example,dc=com')
        // Prepend cn=<role name>; Rdn escapes DN-special characters in the value
        dn.add(new Rdn('cn', name.toString()))
        return dn.toString()
    </code>
</script>

This should take the name of the role in midPoint and use it when forming
the dn of the group in LDAP.

On Wed, Jan 15, 2020 at 10:20 AM <midpoint-request at lists.evolveum.com>
wrote:

> Message: 1
> Date: Wed, 15 Jan 2020 16:19:46 +0100
> From: Jan Lievens <jan.lievens at biggerfish.be>
> To: midpoint at lists.evolveum.com
> Subject: [midPoint] LDAP role/group inducement
> Message-ID:
>         <CALKj1oZCvscGEB2jKrv9Me0=
> nutLxefwB1taq+w8ysgq2E8G-w at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I have a question related to inducement construction on a role toward an
> LDAP resource.
> I have the following situation in midPoint (see the attachment for all the
> xml files)
> - Accounts and Entitlements (intent: privileges) are imported from a
> ScriptedSQL connector.
> - These imported entitlements have multiple privileges which are created as
> roles with an "assignmentTargetSearch"
> (post-initial-objects/210-entitlement-object-template.xml)
> - I also have these privilege/roles defined with an assignment to
> (multiple) fixed technical roles (kind:entitlement/intent:group).
> - Lastly I would like for these technical roles (groups) and the associated
> accounts to get synced to LDAP in an objectToSubject fashion. I do this
> with inducements and construction tags in
> post-initial-objects/100-profiles-webidm.xml.
> - The result I get in LDAP is that accounts are synced correctly but the
> group names are not what I expect (I expect technical role names
> e.g. JiraUser) but get the names of the Entitlements (intent:privileges)
> defined in the DB.
> - Additionally the associations are not synced (no uniqueMember refs are
> synced on the LDAP groups).
>
> Surely I am missing something here. I think this use case is quite standard
> (a hierarchy of roles and only the leaves get synced to LDAP).
> I have experimented with the order of the inducement but these came out
> even more negative (no accounts or groups were created).
> I also have experimented with the tolerant setting on the association
> (since I find a lot of answers in this mailing list suggesting this) but to
> no avail.
> It is quite frustrating to be so close to having this use-case implemented
> DB->mP->LDAP but failing in the sync to LDAP.
>
> Kind regards,
> --
> Jan Lievens
> IT Consultant
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: midpoint-home.zip
> Type: application/zip
> Size: 25085 bytes
> Desc: not available
> URL: <
> http://lists.evolveum.com/pipermail/midpoint/attachments/20200115/6cf601c2/attachment.zip
> >
>


-- 
Keith LeValley
Identity Services Architect, Davenport University
phone:  (616) 732-1102
klevalley2 at davenport.edu
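The DN-building script above relies on javax.naming.ldap.Rdn to escape the role name before it becomes part of the group DN. The following is an added Python re-implementation of that escaping (RFC 4514 rules, plus '=' as the Java Rdn class does), placed next to plain string concatenation so the difference is visible; it is not code from the mailing list or from midPoint, and the base DN and sample role names are the ones from the post or constructed here.

```python
"""Build an LDAP group DN from a midPoint role name with RFC 4514 escaping."""

BASE_DN = "ou=Groups,dc=example,dc=com"  # base used in the mailing-list script

# Characters that must be backslash-escaped anywhere in an RDN value.
# RFC 4514 lists , + " \ < > ; and javax.naming.ldap.Rdn also escapes '='.
_SPECIALS = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded safely in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")            # NUL must be hex-escaped
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")             # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")             # leading '#' would start a hex string
        else:
            out.append(ch)
    return "".join(out)


def group_dn(role_name: str, base_dn: str = BASE_DN) -> str:
    """Equivalent of: dn = new LdapName(base); dn.add(new Rdn('cn', name))."""
    if not role_name or not role_name.strip():
        raise ValueError("role name must not be empty")
    return f"cn={escape_rdn_value(role_name)},{base_dn}"


def naive_group_dn(role_name: str, base_dn: str = BASE_DN) -> str:
    """Plain concatenation: a ',' in the role name silently changes the DN."""
    return f"cn={role_name},{base_dn}"


if __name__ == "__main__":
    for name in ("JiraUser", "Jira,Admin", " lead"):   # constructed samples
        print(repr(name), "->", group_dn(name), "| naive:", naive_group_dn(name))
```

Comparing the two outputs for a role name such as "Jira,Admin" shows why the Rdn-based mapping is the one to keep: the naive form yields a DN with an extra component, so the group would be created somewhere other than ou=Groups.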

