[midPoint] Issue with account-entitlement associations (users in groups sync to LDAP)
chris at cmwoods.com
Wed Jun 17 20:00:22 CEST 2020
Hi Frédéric,
I had the same issue. What fixed it for me was adding 1
This is our associationFromLink:
entitlement Group 1
before that I had exactly the same behaviour that you are describing.
Regards,
Chris
June 17, 2020 6:57 PM, "Frédéric Lohier" wrote:
Hello,
I am trying to set up the outbound synchronization of users and roles and their association from midPoint to an OpenLDAP.
Everything is working except for the association between account shadows and entitlements, which is working only under a strange condition: the meta-role “LDAP Role” inducing the construction of the account and the association of the entitlement to the account has to be DIRECTLY assigned to the midPoint roles I want to synchronize to the LDAP.
If I INDIRECTLY assign this meta-role through an Archetype, I can see the indirect assignment in the role assignment tab, but when I reconcile a user assigned to a role with this (indirect) meta-role, the association between the account and entitlement is removed and the account is removed from the group in the LDAP. The account and the group are still on the LDAP and properly synced.
Any idea why my meta-role works OK when directly assigned and not when indirectly assigned?
Below is a simplified version of my meta-role and archetype:
LDAP group meta-role
entitlement
group
1
account
default
ri:group
entitlement
group
strong
2
false
Group
enabled
RoleType
Induction of the “LDAP group meta-role” role to all roles assigned to this archetype
0
enabled
Group
Groups
#4a148c
fe fe-role_icon
#4a148c
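The archive stripped the XML tags from both messages, so the following is an added reconstruction, not the original configuration from either post: a meta-role in the shape Frédéric's fragments describe (entitlement at order 1, account with an ri:group association at order 2), plus the assignmentPathIndex element that Chris's "adding 1" most plausibly refers to. The resource OID is a placeholder and the index value is an assumption to confirm against your midPoint version; verify it the way the thread does, by reconciling one test user and checking that the LDAP group membership survives before reconciling everyone.

```xml
<!-- Added example; the OID is a placeholder, not a value from the thread -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>LDAP group meta-role</name>
    <!-- Order 1: the role holding this meta-role gets an LDAP group (entitlement shadow) -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-LDAP-RESOURCE-OID" type="ResourceType"/>
            <kind>entitlement</kind>
            <intent>group</intent>
        </construction>
        <order>1</order>
    </inducement>
    <!-- Order 2: users assigned that role get an account that is a member of the group -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-LDAP-RESOURCE-OID" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <strength>strong</strength>
                    <expression>
                        <associationFromLink>
                            <!-- the group shadow is looked up among the links of the
                                 selected role, matching this kind/intent -->
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                            <!-- Assumption: selects which object on the assignment path
                                 supplies the group link. When the meta-role is reached
                                 through an archetype the path gains an extra segment,
                                 which is the likely reason the default resolution finds
                                 no group and the reconcile removes the membership. -->
                            <assignmentPathIndex>1</assignmentPathIndex>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>
```

A strong outbound mapping means a wrong link resolution does not merely skip the association, it actively removes the existing group membership on reconcile, which is why testing on a single user first matters.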