[midPoint] Issue with account-entitlement associations (users in groups sync to LDAP)

Frédéric Lohier frederic at lohier.org
Fri Jun 19 11:46:40 CEST 2020


Hello Chris,

Thank you so much for your help! This fixed my issue; it was very tricky
to find!

-Frederic


On Wed, Jun 17, 2020, 20:00 <chris at cmwoods.com> wrote:

> Hi Frédéric,
>
> I had the same issue. What fixed it for me was adding
> <assignmentPathIndex>1</assignmentPathIndex>
>
> This is our associationFromLink:
>
> <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>                      xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
>     <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>         <kind>entitlement</kind>
>         <intent>Group</intent>
>     </projectionDiscriminator>
>     <assignmentPathIndex>1</assignmentPathIndex>
> </associationFromLink>
>
>
> Before that I had exactly the same behaviour that you are describing.
>
> Regards,
> Chris
>
>
> June 17, 2020 6:57 PM, "Frédéric Lohier" <frederic at lohier.org> wrote:
>
> Hello,
>
> I am trying to set up the outbound synchronization of users and roles and
> their association from midPoint to an OpenLDAP.
>
> Everything is working except for the association between account shadows
> and entitlements, which works only under a strange condition: the
> meta-role “LDAP Role” inducing the construction of the account and the
> association of the entitlement to the account has to be DIRECTLY assigned
> to the midPoint roles I want to synchronize to the LDAP.
>
> If I INDIRECTLY assign this meta-role through an Archetype, I can see the
> indirect assignment in the role assignment tab, but when I reconcile a user
> assigned to a role with this (indirect) meta-role, the association between
> the account and entitlement is removed and the account is removed from the
> group in the LDAP. The account and the group are still on the LDAP and
> properly synced.
>
> Any idea why my meta-role works OK when directly assigned and not when
> indirectly assigned?
>
> Below is a simplified version of my meta-role and archetype:
>
> <role oid="001">
>     <name>LDAP group meta-role</name>
>     <!-- order 1: applies to the role holding this meta-role; creates its LDAP group entitlement -->
>     <inducement>
>         <construction>
>             <resourceRef oid="000-000-0000-0000" relation="org:default" type="c:ResourceType"/>
>             <kind>entitlement</kind>
>             <intent>group</intent>
>         </construction>
>         <order>1</order>
>     </inducement>
>     <!-- order 2: applies to users assigned that role; creates their account and links it to the group -->
>     <inducement>
>         <construction>
>             <resourceRef oid="000-000-0000-0000" relation="org:default" type="c:ResourceType"/>
>             <kind>account</kind>
>             <intent>default</intent>
>             <association>
>                 <ref>ri:group</ref>
>                 <outbound>
>                     <expression>
>                         <associationFromLink>
>                             <projectionDiscriminator>
>                                 <kind>entitlement</kind>
>                                 <intent>group</intent>
>                             </projectionDiscriminator>
>                         </associationFromLink>
>                     </expression>
>                     <strength>strong</strength>
>                 </outbound>
>             </association>
>         </construction>
>         <order>2</order>
>     </inducement>
>     <requestable>false</requestable>
> </role>
>
> <archetype>
>     <name>Group</name>
>     <assignment>
>         <activation>
>             <effectiveStatus>enabled</effectiveStatus>
>         </activation>
>         <assignmentRelation>
>             <holderType>RoleType</holderType>
>         </assignmentRelation>
>     </assignment>
>     <inducement>
>         <description>Induction of the “LDAP group meta-role” role to all roles
>             assigned to this archetype</description>
>         <targetRef oid="001" relation="default" type="RoleType"/>
>     </inducement>
>     <iteration>0</iteration>
>     <iterationToken/>
>     <activation>
>         <effectiveStatus>enabled</effectiveStatus>
>     </activation>
>     <archetypePolicy>
>         <display>
>             <label>Group</label>
>             <pluralLabel>Groups</pluralLabel>
>             <color>#4a148c</color>
>             <icon>
>                 <cssClass>fe fe-role_icon</cssClass>
>                 <color>#4a148c</color>
>             </icon>
>         </display>
>     </archetypePolicy>
> </archetype>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>