[midPoint] Importing AD groups as roles

Al Lilianstrom lilstrom at fnal.gov
Thu Jan 7 20:20:48 CET 2021


Hi Chris,

Thanks for the response.

I have the inbound mapping and association defined.

<association>
        <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group</c:ref>
        <displayName>AD Group Membership</displayName>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:name</valueAttribute>
        <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
        <shortcutValueAttribute>ri:name</shortcutValueAttribute>
        <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>

<objectType>
        <kind>entitlement</kind>
        <intent>group</intent>
        <displayName>AD Group</displayName>
        <default>true</default>
        <objectClass>ri:group</objectClass>
        <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</c:ref>
                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
                <inbound>
                        <target>
                                <c:path>$focus/name</c:path>
                        </target>
                </inbound>
        </attribute>
...

I'd really appreciate an example. Please send it when you have a chance on Monday.

  al


--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov


________________________________________
From: chris at cmwoods.com <chris at cmwoods.com>
Sent: Thursday, January 7, 2021 11:44 AM
To: midPoint General Discussion
Cc: Al Lilianstrom
Subject: Re: [midPoint] Importing AD groups as roles

Hi Al,

the importing as a role is not defined in the task. You have to define that in an inbound mapping in an association in your resource schema handling. For AD it also gets more complicated due to nested groups - if you want roles as members of roles in midpoint.

I am back at work on Monday and can send you an example if you like.

Regards,
Chris

January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint" <midpoint at lists.evolveum.com> wrote:

> Still struggling with this. Given up on importing the existing groups as roles for now. Using
> https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO as a guide
> I verified that my configuration for the AD resource matched the guide. I then created the task for
> syncing groups
>
> <task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
>     <name>Synchronization: Active Directory Groups</name>
>     <extension>
>         <mext:kind xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">entitlement</mext:kind>
>     </extension>
>     <executionStatus>runnable</executionStatus>
>     <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/live-sync/handler-3</handlerUri>
>     <objectRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" type="c:ResourceType"/>
>     <recurrence>recurring</recurrence>
>     <binding>tight</binding>
>     <schedule>
>         <interval>5</interval>
>     </schedule>
> </task>
>
> Task runs without errors.
>
> I then created a group. The task picked up the group and added it as a shadow.
>
> From this line in the document "When new group is created, it appears in midPoint as a new
> entitlement shadow and a role." I expected a role to be created.
>
> Am I misunderstanding the document or missing something in the task?
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> http://www.fnal.gov
> lilstrom at fnal.gov
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
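Editor's note, added for readers of this thread and not configuration posted by Al, Chris, or the midPoint project: the fragment below shows how the pieces discussed above fit together in one resource definition. It keeps Al's association (direction objectToSubject, member/memberOf shortcut) and cn-to-name inbound, adds the inbound mapping on that association which Chris refers to (turning an account's group membership into a role assignment), and adds a synchronization entry with focusType RoleType, which is what makes a new group shadow also produce a role. It assumes the pre-4.6 midPoint resource schema (a separate synchronization section), the LDAP connector's ri:dn and ri:cn attribute names, and that the midpoint.resolveReference and basic.getAttributeValue script functions are available to the association inbound (assumed API; the script is illustrative). Connector settings and the resource schema are environment-specific and omitted.

```xml
<!-- Example fragment (not from the thread): group shadows become roles, membership becomes assignments.
     Assumes pre-4.6 resource schema; connectorRef, connectorConfiguration and schema omitted. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Active Directory (example)</name>
    <schemaHandling>
        <!-- Group shadows: the group's cn becomes the role name -->
        <objectType>
            <kind>entitlement</kind>
            <intent>group</intent>
            <default>true</default>
            <objectClass>ri:group</objectClass>
            <attribute>
                <ref>ri:cn</ref>
                <inbound>
                    <target><path>$focus/name</path></target>
                </inbound>
            </attribute>
        </objectType>
        <!-- Account shadows: each group the account is a member of becomes a role assignment -->
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <default>true</default>
            <objectClass>ri:user</objectClass>
            <association>
                <ref>ri:group</ref>
                <kind>entitlement</kind>
                <intent>group</intent>
                <direction>objectToSubject</direction>
                <associationAttribute>ri:member</associationAttribute>
                <valueAttribute>ri:dn</valueAttribute>
                <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
                <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
                <inbound>
                    <expression>
                        <assignmentTargetSearch>
                            <targetType>c:RoleType</targetType>
                            <filter>
                                <q:equal>
                                    <q:path>name</q:path>
                                    <expression>
                                        <script>
                                            <code>
                                                // Find the role whose name equals the group's cn.
                                                // Assumed API: input is the association value carrying shadowRef.
                                                def groupShadow = midpoint.resolveReference(input.shadowRef)
                                                return basic.getAttributeValue(groupShadow, 'cn')
                                            </code>
                                        </script>
                                    </expression>
                                </q:equal>
                            </filter>
                        </assignmentTargetSearch>
                    </expression>
                    <target><path>assignment</path></target>
                </inbound>
            </association>
        </objectType>
    </schemaHandling>
    <synchronization>
        <!-- A live sync task alone produces shadows; this entry (focusType RoleType plus
             the unmatched -> addFocus reaction) is what creates the role for a new group. -->
        <objectSynchronization>
            <name>AD group to role</name>
            <kind>entitlement</kind>
            <intent>group</intent>
            <focusType>c:RoleType</focusType>
            <enabled>true</enabled>
            <correlation>
                <q:equal>
                    <q:path>name</q:path>
                    <expression><path>$account/attributes/ri:cn</path></expression>
                </q:equal>
            </correlation>
            <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
            </reaction>
            <reaction>
                <situation>unlinked</situation>
                <synchronize>true</synchronize>
                <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri></action>
            </reaction>
            <reaction>
                <situation>unmatched</situation>
                <synchronize>true</synchronize>
                <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri></action>
            </reaction>
            <reaction>
                <!-- Group deleted in AD: unlink the shadow but keep the role, so existing
                     assignments can be reviewed rather than silently disappearing -->
                <situation>deleted</situation>
                <synchronize>true</synchronize>
                <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri></action>
            </reaction>
        </objectSynchronization>
    </synchronization>
</resource>
```

Two points worth checking before running this against a real directory: the unmatched reaction creates a midPoint role for every group the connector can see, so narrow the connector's base context or search filter to the OUs whose groups are meant to become roles; and the assignment inbound only resolves direct membership, so nested AD groups (the complication Chris mentions) need a separate decision on whether to flatten them or model them as role-to-role assignments.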

