[midPoint] Importing AD groups as roles
Chris Woods
chris at cmwoods.com
Fri Jan 8 20:03:44 CET 2021
Hi Al,
You don't have a reaction defined for "unmatched". This should be "add
focus" if you want the role to be created.
Regards,
Chris
On 8 January 2021 at 19:51:19, Al Lilianstrom via midPoint
<midpoint at lists.evolveum.com> wrote:
> Hi Jason,
>
> It looks like this
>
> <objectSynchronization>
> <name>Group sync</name>
> <objectClass>ri:group</objectClass>
> <kind>entitlement</kind>
> <intent>group</intent>
> <focusType>RoleType</focusType>
> <enabled>true</enabled>
> <correlation>
> <q:equal>
> <q:path
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:dn</q:path>
> <expression>
> <path>$shadow/attributes/cn</path>
> </expression>
> </q:equal>
> </correlation>
> <reaction>
> <situation>linked</situation>
> <synchronize>true</synchronize>
> </reaction>
> <reaction>
> <situation>deleted</situation>
> <action>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
> </action>
> </reaction>
> <reaction>
> <situation>unlinked</situation>
> <action>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
> </action>
> </reaction>
> <reaction>
> <situation>unmatched</situation>
> </reaction>
> </objectSynchronization>
>
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> www.fnal.gov
> lilstrom at fnal.gov
>
>
> ________________________________________
> From: Jason Everling <jeverling at bshp.edu>
> Sent: Friday, January 8, 2021 10:41 AM
> To: midPoint General Discussion
> Cc: Al Lilianstrom
> Subject: RE: [midPoint] Importing AD groups as roles
>
> So “name” is a midPoint attribute; the association section needs attributes
> that exist in AD, so for sure “ri:name” is not valid, it should be “ri:dn”.
> What is your object synchronization section for actions?
>
> From: Al Lilianstrom via midPoint<mailto:midpoint at lists.evolveum.com>
> Sent: Friday, January 8, 2021 10:27 AM
> To: midPoint General Discussion<mailto:midpoint at lists.evolveum.com>
> Cc: Al Lilianstrom<mailto:lilstrom at fnal.gov>
> Subject: Re: [midPoint] Importing AD groups as roles
>
> Hi Jason,
>
> I've tried a couple of different attributes there. Name, as it's in the doc
> I referenced below, and dn, as it's in the same from your org on GitHub. Same
> results. Shadow created but no role. No error that I've been able to find.
>
> This is what the shadow object looks like. Any clues there as to what I
> might be missing?
>
> <shadow
> xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
> xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
> oid="ae7c73f6-82cf-4776-89a2-9cb099bbcabb" version="1">
> <name>CN=TestSync1,OU=midPoint,DC=fermistart,DC=fnal,DC=local</name>
> <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2"
> relation="org:default" type="c:ResourceType">
> <!-- FermiStart Active Directory -->
> </resourceRef>
> <synchronizationTimestamp>2021-01-08T09:48:37.057-06:00</synchronizationTimestamp>
> <fullSynchronizationTimestamp>2021-01-08T09:48:37.057-06:00</fullSynchronizationTimestamp>
> <objectClass>ri:group</objectClass>
> <primaryIdentifierValue>4d011362-4f8e-4b77-ad8f-257bd2f9338e</primaryIdentifierValue>
> <kind>entitlement</kind>
> <exists>true</exists>
> <attributes>
> <ri:dn>cn=testsync1,ou=midpoint,dc=fermistart,dc=fnal,dc=local</ri:dn>
> <ri:objectGUID>4d011362-4f8e-4b77-ad8f-257bd2f9338e</ri:objectGUID>
> </attributes>
> </shadow>
>
>
> al
>
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> http://www.fnal.gov
> lilstrom at fnal.gov
>
>
> ________________________________________
> From: Jason Everling <jeverling at bshp.edu>
> Sent: Thursday, January 7, 2021 1:49 PM
> To: midPoint General Discussion; chris at cmwoods.com
> Cc: Al Lilianstrom
> Subject: RE: [midPoint] Importing AD groups as roles
>
> From what I can see so far, pretty sure you need to use ‘ri:dn’ for
> ‘shortcutValueAttribute’ and ‘valueAttribute’
>
> From: Al Lilianstrom via midPoint<mailto:midpoint at lists.evolveum.com>
> Sent: Thursday, January 7, 2021 1:20 PM
> To: chris at cmwoods.com<mailto:chris at cmwoods.com>; midPoint General
> Discussion<mailto:midpoint at lists.evolveum.com>
> Cc: Al Lilianstrom<mailto:lilstrom at fnal.gov>
> Subject: Re: [midPoint] Importing AD groups as roles
>
> Hi Chris,
>
> Thanks for the response.
>
> I have the inbound mapping and association defined.
>
> <association>
> <c:ref
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group</c:ref>
> <displayName>AD Group Membership</displayName>
> <kind>entitlement</kind>
> <intent>group</intent>
> <direction>objectToSubject</direction>
> <associationAttribute>ri:member</associationAttribute>
> <valueAttribute>ri:name</valueAttribute>
> <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
> <shortcutValueAttribute>ri:name</shortcutValueAttribute>
> <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
> </association>
>
> <objectType>
> <kind>entitlement</kind>
> <intent>group</intent>
> <displayName>AD Group</displayName>
> <default>true</default>
> <objectClass>ri:group</objectClass>
> <attribute>
> <c:ref
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</c:ref>
> <matchingRule
> xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
> <inbound>
> <target>
> <c:path>$focus/name</c:path>
> </target>
> </inbound>
> </attribute>
> ...
>
> I'd really appreciate an example. Please send it when you have a chance on
> Monday.
>
> al
>
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> http://www.fnal.gov
> lilstrom at fnal.gov
>
>
> ________________________________________
> From: chris at cmwoods.com <chris at cmwoods.com>
> Sent: Thursday, January 7, 2021 11:44 AM
> To: midPoint General Discussion
> Cc: Al Lilianstrom
> Subject: Re: [midPoint] Importing AD groups as roles
>
> Hi Al,
>
> The importing as a role is not defined in the task. You have to define that
> in an inbound mapping in an association in your resource schema handling.
> For AD it also gets more complicated due to nested groups - if you want
> roles as members of roles in midPoint.
>
> I am back at work on Monday and can send you an example if you like.
>
> Regards,
> Chris
>
> January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint"
> <midpoint at lists.evolveum.com> wrote:
>
>> Still struggling with this. Given up on importing the existing groups as
>> roles for now. Using
>> https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO
>> as a guide I verified that my configuration for the AD resource matched the
>> guide. I then created the task for syncing groups
>>
>> <task
>> xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>> xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
>> <name>Synchronization: Active Directory Groups</name>
>> <extension>
>> <mext:kind
>> xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">entitlement</mext:kind>
>> </extension>
>> <executionStatus>runnable</executionStatus>
>> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/live-sync/handler-
>> </handlerUri>
>> <objectRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" type="c:ResourceType"/>
>> <recurrence>recurring</recurrence>
>> <binding>tight</binding>
>> <schedule>
>> <interval>5</interval>
>> </schedule>
>> </task>
>>
>> Task runs without errors.
>>
>> I then created a group. The task picked up the group and added it as a shadow.
>>
>> From this line in the document "When new group is created, it appears in
>> midPoint as a new entitlement shadow and a role." I expected a role to be
>> created.
>>
>> Am I misunderstanding the document or missing something in the task?
>>
>> --
>> Al Lilianstrom
>> Authentication Services
>>
>> Fermi National Accelerator Laboratory
>> http://www.fnal.gov
>> lilstrom at fnal.gov
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
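The fix Chris gives at the top of this message, as an added check (example code, not from the thread or from midPoint): a small Python lint over Al's objectSynchronization that flags any reaction with neither an action nor synchronize=true, then applies midPoint's action-3#addFocus URI to the unmatched situation. Al's fragment is embedded with its correlation block omitted; the #addFocus URI is the sibling of the #link/#unlink URIs already in his config and is what Chris's "add focus" refers to.

```python
"""Lint a midPoint objectSynchronization for reactions that do nothing.
Added example, not from the thread or midPoint: embeds the block Al posted
(correlation omitted) and flags the 'unmatched' reaction Chris pointed at."""
import xml.etree.ElementTree as ET

ACTION_NS = "http://midpoint.evolveum.com/xml/ns/public/model/action-3"

# Al's fragment from the thread, correlation omitted so it parses stand-alone.
AL_SYNC = f"""<objectSynchronization>
  <name>Group sync</name>
  <objectClass>ri:group</objectClass>
  <kind>entitlement</kind>
  <intent>group</intent>
  <focusType>RoleType</focusType>
  <enabled>true</enabled>
  <reaction><situation>linked</situation><synchronize>true</synchronize></reaction>
  <reaction><situation>deleted</situation>
    <action><handlerUri>{ACTION_NS}#unlink</handlerUri></action></reaction>
  <reaction><situation>unlinked</situation>
    <action><handlerUri>{ACTION_NS}#link</handlerUri></action></reaction>
  <reaction><situation>unmatched</situation></reaction>
</objectSynchronization>"""

def noop_situations(xml_text: str) -> list[str]:
    """Situations whose reaction has no action and does not synchronize."""
    flagged = []
    for reaction in ET.fromstring(xml_text).findall("reaction"):
        has_action = reaction.find("action/handlerUri") is not None
        syncs = (reaction.findtext("synchronize") or "").strip() == "true"
        if not has_action and not syncs:
            flagged.append(reaction.findtext("situation"))
    return flagged

def add_focus_on_unmatched(xml_text: str) -> str:
    """Chris's fix: give 'unmatched' midPoint's action-3#addFocus action,
    the sibling of the #link/#unlink URIs already in the config."""
    root = ET.fromstring(xml_text)
    for reaction in root.findall("reaction"):
        if reaction.findtext("situation") == "unmatched" and reaction.find("action") is None:
            action = ET.SubElement(reaction, "action")
            ET.SubElement(action, "handlerUri").text = f"{ACTION_NS}#addFocus"
    return ET.tostring(root, encoding="unicode")

def unmatched_handlers(xml_text: str) -> list[str]:
    """Handler URIs on the 'unmatched' reaction, for verifying the fix."""
    return [h.text for r in ET.fromstring(xml_text).findall("reaction")
            if r.findtext("situation") == "unmatched"
            for h in r.findall("action/handlerUri")]
```

Running noop_situations on the original block returns ['unmatched'], which is exactly why the shadow appears but no role does; after add_focus_on_unmatched the list is empty.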