[midPoint] LDAP role/group inducement

Ivan Noris ivan.noris at evolveum.com
Mon Jan 27 13:50:57 CET 2020


Hi Jan,

I have briefly checked your configuration and have two notes:

1. associations should work flawlessly to add/remove group membership
even with tolerant=true. We are using it in trainings, I did the last
training 2 weeks ago with OpenLDAP instead of OpenDJ. Tolerant=false is
to allow midPoint to remove the account from associations not given by
midPoint, which may or may not be the "correct" behaviour for particular
projects.

2. I have seen your configuration of OpenDJ and am a little confused how
you are using "icfs:name" and "icfs:uid" attributes. This was the way
how we used them in the older LDAP connector (or legacy ICF/OpenICF
connectors). Instead we use ri:dn and whatever is the native "uid"
attribute (e.g. ri:entryuuid).

(I'm also confused that the schema is statically included in the examples.)

See
https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/opendj/opendj-resource-genericsync.xml
for an example please.

Best regards,

Ivan

On 15. 1. 2020 16:19, Jan Lievens wrote:
> Hi,
>
> I have a question related to inducement construction on a role toward
> an LDAP resource.
> I have the following situation in midPoint (see the attachment for all
> the xml files)
> - Accounts and Entitlements (intent: privileges) are imported from a
> ScriptedSQL connector.
> - These imported entitlements have multiple privileges which are
> created as roles with an "assignmentTargetSearch"
> (post-initial-objects/210-entitlement-object-template.xml)
> - I also have these privilege/roles defined with an assignment to
> (multiple) fixed technical roles (kind:entitlement/intent:group).
> - Lastly I would like for these technical roles (groups) and the
> associated accounts to get synced to LDAP in an objectToSubject
> fashion. I do this with inducements and construction tags in
> post-initial-objects/100-profiles-webidm.xml.
> - The result I get in LDAP is that accounts are synced correctly but
> the group names are not what I expect (I expect technical role names
> eg. JiraUser) but get the names of the Entitlements
> (intent:privileges) defined in the DB.
> - Additionally the associations are not synced (no uniqueMember refs
> are synced on the LDAP groups).
>
> Surely I am missing something here. I think this use case is quite
> standard (a hierarchy of roles and only the leafs get synced to LDAP).
> I have experimented with the order of the inducement but these came
> out even more negative (no accounts or groups were created).
> I also have experimented with the tolerant setting on the association
> (since I find a lot of answers in this mailing list suggesting this)
> but to no avail.
> It is quite frustrating to be so close to having this use-case
> implemented DB->mP->LDAP but failing in the sync to LDAP.
>
> Kind regards,
> -- 
> Jan Lievens
> IT Consultant
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
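As an added illustration of the two notes above (constructed for this page, not Jan's attached configuration or the linked midPoint sample), here is a resource object type that uses ri:dn as the naming attribute and an objectToSubject group association, plus the inducement on a technical role that selects the LDAP group by its own name. The resource OID, base DN, object classes, the ri:/q: prefix declarations and the JiraUser group name are assumptions or placeholders.

```xml
<!-- (a) resource schemaHandling: ri:dn as naming attribute, objectToSubject group association -->
<objectType>
  <kind>account</kind>
  <intent>default</intent>
  <objectClass>ri:inetOrgPerson</objectClass>
  <attribute>
    <ref>ri:dn</ref>
    <outbound>
      <source><path>$focus/name</path></source>
      <expression>
        <script><code>'uid=' + name + ',ou=People,dc=example,dc=com'</code></script>
      </expression>
    </outbound>
  </attribute>
  <association>
    <ref>ri:group</ref>
    <tolerant>false</tolerant>  <!-- false: midPoint also removes memberships it did not assign -->
    <kind>entitlement</kind>
    <intent>group</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:uniqueMember</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
  </association>
</objectType>
<!-- (b) technical role: the inducement looks the group up by cn, so the LDAP group name follows the role -->
<role>
  <name>JiraUser</name>
  <inducement>
    <construction>
      <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
      <kind>account</kind>
      <association>
        <ref>ri:group</ref>
        <outbound>
          <expression>
            <associationTargetSearch>
              <filter>
                <q:equal>
                  <q:path>attributes/ri:cn</q:path>
                  <q:value>JiraUser</q:value>
                </q:equal>
              </filter>
            </associationTargetSearch>
          </expression>
        </outbound>
      </association>
    </construction>
  </inducement>
</role>
```

With tolerant set to true instead, midPoint only adds and removes the uniqueMember values it assigned itself and leaves memberships created outside midPoint untouched.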
