[midPoint] Importing AD groups as roles

chris at cmwoods.com
Thu Jan 7 18:44:19 CET 2021


Hi Al,

the importing as a role is not defined in the task. You have to define that in an inbound mapping in an association in your resource schema handling. For AD it also gets more complicated due to nested groups - if you want roles as members of roles in midpoint.

I am back at work on Monday and can send you an example if you like.

Regards,
Chris

January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint" <midpoint at lists.evolveum.com> wrote:

> Still struggling with this. Given up on importing the existing groups as roles for now. Using
> https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO as a guide
> I verified that my configuration for the AD resource matched the guide. I then created the task for
> syncing groups
> 
> <task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
>     <name>Synchronization: Active Directory Groups</name>
>     <extension>
>         <mext:kind xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">entitlement</mext:kind>
>     </extension>
>     <executionStatus>runnable</executionStatus>
>     <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/live-sync/handler-
>     </handlerUri>
>     <objectRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" type="c:ResourceType"/>
>     <recurrence>recurring</recurrence>
>     <binding>tight</binding>
>     <schedule>
>         <interval>5</interval>
>     </schedule>
> </task>
> 
> Task runs without errors.
> 
> I then created a group. The task picked up the group and added it as a shadow.
> 
> From this line in the document "When new group is created, it appears in midPoint as a new
> entitlement shadow and a role." I expected a role to be created.
> 
> Am I misunderstanding the document or missing something in the task?
> 
> --
> Al Lilianstrom
> Authentication Services
> 
> Fermi National Accelerator Laboratory
> www.fnal.gov
> lilstrom at fnal.gov
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
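The reply above makes the point that the live-sync task only fetches group changes from AD; which focus object (if any) midPoint creates for an unmatched group shadow is decided in the resource definition. The fragment below is an added illustration of that split, written for this page; it is not Chris's promised example and not copied from the linked HOWTO. It shows the two resource sections involved: an entitlement object type in `schemaHandling` with an inbound mapping that feeds the group's `cn` into the role name, and a `synchronization` section whose `focusType` is `RoleType` so that the `unmatched` situation creates a role. Element names and the `action-3#addFocus`, `#link` and `#unlink` handler URIs follow midPoint's resource schema as I know it; the resource OID, the `group` intent, the `ri:cn`/`ri:description` attribute names and the object class are placeholders you would adapt to your own AD resource. The membership side (assigning the created role to users via an inbound association mapping on the account object type, and the nested-group case the reply mentions) is deliberately left out.

```xml
<!-- Added illustrative fragment, not from the thread or the HOWTO.
     Resource OID, intent, attribute names and object class are placeholders. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          oid="00000000-0000-0000-0000-REPLACE-WITH-AD-RESOURCE-OID">
    <name>Active Directory (groups as roles, example)</name>

    <schemaHandling>
        <!-- The group object type. The task's kind=entitlement selects this type;
             the inbound mappings decide what the created role looks like. -->
        <objectType>
            <kind>entitlement</kind>
            <intent>group</intent>            <!-- placeholder intent -->
            <displayName>AD group</displayName>
            <default>true</default>
            <objectClass>ri:group</objectClass>   <!-- placeholder object class -->
            <attribute>
                <ref>ri:cn</ref>              <!-- placeholder attribute -->
                <inbound>
                    <!-- group cn becomes the role name -->
                    <target>
                        <path>name</path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <ref>ri:description</ref>     <!-- placeholder attribute -->
                <inbound>
                    <target>
                        <path>description</path>
                    </target>
                </inbound>
            </attribute>
        </objectType>
    </schemaHandling>

    <synchronization>
        <!-- This is where "group shadow -> role" is actually decided.
             focusType RoleType tells midPoint which focus to correlate/create. -->
        <objectSynchronization>
            <name>AD groups to roles</name>
            <kind>entitlement</kind>
            <intent>group</intent>
            <focusType>c:RoleType</focusType>
            <enabled>true</enabled>
            <correlation>
                <!-- match an existing role whose name equals the group cn -->
                <q:equal>
                    <q:path>c:name</q:path>
                    <expression>
                        <path>$projection/attributes/ri:cn</path>
                    </expression>
                </q:equal>
            </correlation>
            <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
            </reaction>
            <reaction>
                <situation>unlinked</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
            <reaction>
                <!-- no matching role exists: create one (this is the step
                     a task definition alone never performs) -->
                <situation>unmatched</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
                </action>
            </reaction>
            <reaction>
                <!-- group removed in AD: detach the role rather than delete it,
                     so a deleted group cannot silently remove access decisions -->
                <situation>deleted</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
                </action>
            </reaction>
        </objectSynchronization>
    </synchronization>
</resource>
```

A quick way to check whether this part of the configuration is in effect is to look at the shadow the task created: if it is present but has no `focusRef`/linked role, the `synchronization` section for kind `entitlement` is either missing, disabled, or not matching the shadow's kind and intent. The choice of `unlink` rather than a delete action for the `deleted` situation is deliberate: it keeps the role (and any assignments hanging off it) reviewable instead of letting an AD-side deletion propagate automatically.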

