[midPoint] Issue with account-entitlement associations (users in groups sync to LDAP)

Frédéric Lohier frederic at lohier.org
Wed Jun 17 18:57:28 CEST 2020


Hello,

I am trying to set up the outbound synchronization of users and roles and
their association from midPoint to an OpenLDAP.

Everything is working except for the association between account shadows
and entitlements, which works only under a strange condition: the
meta-role "LDAP Role" inducing the construction of the account and the
association of the entitlement to the account has to be DIRECTLY assigned
to the midPoint roles I want to synchronize to the LDAP.

If I INDIRECTLY assign this meta-role through an archetype, I can see the
indirect assignment in the role assignment tab, but when I reconcile a user
assigned to a role with this (indirect) meta-role, the association between
the account and the entitlement is removed and the account is removed from the
group in the LDAP. The account and the group are still in the LDAP and
properly synced.

Any idea why my meta-role works OK when directly assigned and not when
indirectly assigned?

Below is a simplified version of my meta-role and archetype:


<role oid="001">
    <name>LDAP group meta-role</name>
    <!-- Order 1: applies to the role that holds this meta-role and gives
         that role its own group shadow (entitlement/group) on the resource. -->
    <inducement>
        <construction>
            <resourceRef oid="000-000-0000-0000" relation="org:default" type="c:ResourceType"/>
            <kind>entitlement</kind>
            <intent>group</intent>
        </construction>
        <order>1</order>
    </inducement>
    <!-- Order 2: applies to the users assigned to that role and gives them an
         account whose ri:group association points at the role's group shadow. -->
    <inducement>
        <construction>
            <resourceRef oid="000-000-0000-0000" relation="org:default" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                    <strength>strong</strength>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
    <requestable>false</requestable>
</role>

<archetype>
    <name>Group</name>
    <!-- Only roles may hold this archetype. -->
    <assignment>
        <activation>
            <effectiveStatus>enabled</effectiveStatus>
        </activation>
        <assignmentRelation>
            <holderType>RoleType</holderType>
        </assignmentRelation>
    </assignment>
    <!-- Induces the meta-role to every role that has this archetype. -->
    <inducement>
        <description>Induction of the “LDAP group meta-role” role to all roles
            assigned to this archetype</description>
        <targetRef oid="001" relation="default" type="RoleType"/>
    </inducement>
    <iteration>0</iteration>
    <iterationToken/>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
    </activation>
    <archetypePolicy>
        <display>
            <label>Group</label>
            <pluralLabel>Groups</pluralLabel>
            <color>#4a148c</color>
            <icon>
                <cssClass>fe fe-role_icon</cssClass>
                <color>#4a148c</color>
            </icon>
        </display>
    </archetypePolicy>
</archetype>