[midPoint] Importing AD groups as roles

Al Lilianstrom lilstrom at fnal.gov
Fri Jan 8 21:07:14 CET 2021


Thanks Chris. Still not seeing a role.

Looking at the example that Jason has in github I see

<objectTemplateRef oid="template-defaultDomainGroup" relation="org:default" type="c:ObjectTemplateType">
    <targetName>Role Template - Domain Groups</targetName>
</objectTemplateRef>

as part of the reaction for the addFocus to an unmatched group.

Do I need a template defined for the role to be added?

  al

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov


________________________________________
From: Chris Woods <chris at cmwoods.com>
Sent: Friday, January 8, 2021 1:03 PM
To: midPoint General Discussion; Jason Everling
Cc: Al Lilianstrom
Subject: Re: [midPoint] Importing AD groups as roles

Hi Al,

You don't have a reaction defined for "unmatched". This should be "add focus" if you want the role to be created.

Regards,
Chris

Am 8. Januar 2021 19:51:19 schrieb Al Lilianstrom via midPoint <midpoint at lists.evolveum.com>:

Hi Jason,

It looks like this

<objectSynchronization>
        <name>Group sync</name>
        <objectClass>ri:group</objectClass>
        <kind>entitlement</kind>
        <intent>group</intent>
        <focusType>RoleType</focusType>
        <enabled>true</enabled>
        <correlation>
                <q:equal>
                        <q:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:dn</q:path>
                        <expression>
                                <path>$shadow/attributes/cn</path>
                        </expression>
                </q:equal>
        </correlation>
        <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
        </reaction>
        <reaction>
                <situation>deleted</situation>
                <action>
                        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri><https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_model_action-2D3-23unlink-253C_handlerUri-253E&d=DwQFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rDhWNbPBTyQNH1zYxdIcJ9sWfQD1cf743X4svkJGf9Y&s=PKcb0uS1nFjsvdDI-ha0L5n1SLNLPCCBtl0TbDLYdMM&e=>
                </action>
        </reaction>
        <reaction>
                <situation>unlinked</situation>
                <action>
                        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri><https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_model_action-2D3-23link-253C_handlerUri-253E&d=DwQFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rDhWNbPBTyQNH1zYxdIcJ9sWfQD1cf743X4svkJGf9Y&s=FuMl3KrVHz97v2dqZJUodTn-m5Ee5os63_9ftvy8_Ek&e=>
                </action>
        </reaction>
        <reaction>
                <situation>unmatched</situation>
        </reaction>
</objectSynchronization>


--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov


________________________________________
From: Jason Everling <jeverling at bshp.edu>
Sent: Friday, January 8, 2021 10:41 AM
To: midPoint General Discussion
Cc: Al Lilianstrom
Subject: RE: [midPoint] Importing AD groups as roles

So “name” is a midpoint attribute, the association section needs attributes that exist in AD, so for sure “ri:name” is not valid, should be “ri:dn”, what is your object synchronization section for actions?

From: Al Lilianstrom via midPoint<mailto:midpoint at lists.evolveum.com>
Sent: Friday, January 8, 2021 10:27 AM
To: midPoint General Discussion<mailto:midpoint at lists.evolveum.com>
Cc: Al Lilianstrom<mailto:lilstrom at fnal.gov>
Subject: Re: [midPoint] Importing AD groups as roles

Hi Jason,

I've tried a couple of different attributes there. Name as it's in the doc I referenced below and dn as it's in the same from your org in github. Same results. Shadow created but no role. No error that I've been able to find.

This is what the shadow object looks like. Any clues there as to what I might be missing?

<shadow xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"<https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_common-2D3-2522&d=DwQFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=euDFtQ1rGv8nroNy8rptOWENBlOivwIMx0MEhQw6qIc&s=x8Q2JNla1nZ8EAlQOJgb47OXDOw9TpzIDmUdl0VTupI&e=><https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_common-2D3-2522-253Chttps-3A__urldefense.proofpoint.com_v2_url-3Fu-3Dhttp-2D3A-5F-5Fmidpoint.evolveum.com-5Fxml-5Fns-5Fpublic-5Fcommon-5Fcommon-2D2D3-2D2522-26d-3DDwQFaQ-26c-3DgRgGjJ3BkIsb5y6s49QqsA-26r-3DCcoy53oEM8wW3-2DvUAuZFE1kez-2D3vbV9LOfLVoaEsm3A-26m-3DeuDFtQ1rGv8nroNy8rptOWENBlOivwIMx0MEhQw6qIc-26s-3Dx8Q2JNla1nZ8EAlQOJgb47OXDOw9TpzIDmUdl0VTupI-26e-3D-253E&d=DwQFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rDhWNbPBTyQNH1zYxdIcJ9sWfQD1cf743X4svkJGf9Y&s=ps574C9I8an89xVIvicrRcGjfy5DLSl1SVMXKwibfeM&e=> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="ae7c73f6-82cf-4776-89a2-9cb099bbcabb" version="1">
    <name>CN=TestSync1,OU=midPoint,DC=fermistart,DC=fnal,DC=local</name>
    <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" relation="org:default" type="c:ResourceType">
        <!-- FermiStart Active Directory -->
    </resourceRef>
    <synchronizationTimestamp>2021-01-08T09:48:37.057-06:00</synchronizationTimestamp>
    <fullSynchronizationTimestamp>2021-01-08T09:48:37.057-06:00</fullSynchronizationTimestamp>
    <objectClass>ri:group</objectClass>
    <primaryIdentifierValue>4d011362-4f8e-4b77-ad8f-257bd2f9338e</primaryIdentifierValue>
    <kind>entitlement</kind>
    <exists>true</exists>
    <attributes>
        <ri:dn>cn=testsync1,ou=midpoint,dc=fermistart,dc=fnal,dc=local</ri:dn>
        <ri:objectGUID>4d011362-4f8e-4b77-ad8f-257bd2f9338e</ri:objectGUID>
    </attributes>
</shadow>


  al


--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov


________________________________________
From: Jason Everling <jeverling at bshp.edu>
Sent: Thursday, January 7, 2021 1:49 PM
To: midPoint General Discussion; chris at cmwoods.com
Cc: Al Lilianstrom
Subject: RE: [midPoint] Importing AD groups as roles

>From what I can see so far, pretty sure you need to use ‘ri:dn’ for ‘shortcutValueAttribute’ and ‘valueAttribute’

From: Al Lilianstrom via midPoint<mailto:midpoint at lists.evolveum.com>
Sent: Thursday, January 7, 2021 1:20 PM
To: chris at cmwoods.com<mailto:chris at cmwoods.com>; midPoint General Discussion<mailto:midpoint at lists.evolveum.com>
Cc: Al Lilianstrom<mailto:lilstrom at fnal.gov>
Subject: Re: [midPoint] Importing AD groups as roles

Hi Chris,

Thanks for the response.

I have the inbound mapping and association defined.

<association>
        <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group</c:ref>
        <displayName>AD Group Membership</displayName>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:name</valueAttribute>
        <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
        <shortcutValueAttribute>ri:name</shortcutValueAttribute>
        <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>

<objectType>
        <kind>entitlement</kind>
        <intent>group</intent>
        <displayName>AD Group</displayName>
        <default>true</default>
        <objectClass>ri:group</objectClass>
        <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</c:ref>
                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
                <inbound>
                        <target>
                                <c:path>$focus/name</c:path>
                        </target>
                </inbound>
        </attribute>
...

I'd really appreciate an example. Please send it when you have a chance on Monday.

  al


--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov


________________________________________
From: chris at cmwoods.com <chris at cmwoods.com>
Sent: Thursday, January 7, 2021 11:44 AM
To: midPoint General Discussion
Cc: Al Lilianstrom
Subject: Re: [midPoint] Importing AD groups as roles

Hi Al,

the importing as a role is not defined in the task. You have to define that in an inbound mapping in an association in your resource schema handling. For AD it also gets more complicated due to nested groups - if you want roles as members of roles in midpoint.

I am back at work on Monday and can send you an example if you like.

Regards,
Chris

January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint" <midpoint at lists.evolveum.com> wrote:

Still struggling with this. Given up on importing the existing groups as roles for now. Using
https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.evolveum.com_display_midPoint_Active-2BDirectory-2BGroup-2BSynchronization-2BHOWTO&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=qzlO4VhAsDjofkMBBzEIVXfh548pEhTobTb4-k4Iw8A&e=  as a guide
I verified that my configuration for the AD resource matched the guide. I then created the task for
syncing groups

<task xmlns="https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_common-2D3&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=A-QjjPWUuFgmB5_adbMwnoSDeMofyb4hVVFNEdFgPSQ&e= "
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
<name>Synchronization: Active Directory Groups</name>
<extension>
<mext:kind
xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">entitlement</mext:kind>
</extension>
<executionStatus>runnable</executionStatus>
<handlerUri>https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_model_synchronization_task_live-2Dsync_handler-2D&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=Pq5GOOAao17jRFm3GE-ojdVS-MYluBMNYXFDy_DHQvk&e=
</handlerUri>
<objectRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" type="c:ResourceType"/>
<recurrence>recurring</recurrence>
<binding>tight</binding>
<schedule>
<interval>5</interval>
</schedule>
</task>

Task runs without errors.

I then created a group. The task picked up the group and added it as a shadow.

>From this line in the document "When new group is created, it appears in midPoint as a new
entitlement shadow and a role." I expected a role to be created.

Am I misunderstanding the document or missing something in the task?

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=ZJ5Xkl5mnRIijyiycMv8NSCIutNVsI7Ms85zGDzPAGk&e=
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwQFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=E-pS5lDMr22Ozzbxu9moDTQHzshMdKpMAufR3KF8y34&s=KuFK2U5lkSCpx4JT2YEr0QxMaN-R0_isO6GM5HZ5SG4&e=><https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint-253Chttps-3A__urldefense.proofpoint.com_v2_url-3Fu-3Dhttps-2D3A-5F-5Flists.evolveum.com-5Fmailman-5Flistinfo-5Fmidpoint-26d-3DDwQFaQ-26c-3DgRgGjJ3BkIsb5y6s49QqsA-26r-3DCcoy53oEM8wW3-2DvUAuZFE1kez-2D3vbV9LOfLVoaEsm3A-26m-3DE-2DpS5lDMr22Ozzbxu9moDTQHzshMdKpMAufR3KF8y34-26s-3DKuFK2U5lkSCpx4JT2YEr0QxMaN-2DR0-5FisO6GM5HZ5SG4-26e-3D-253E&d=DwQFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=euDFtQ1rGv8nroNy8rptOWENBlOivwIMx0MEhQw6qIc&s=4Sif4_8r35Tu-5d6RLHErZJYO0Wp0DfMEqfRsmcevjQ&e=><https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint-253Chttps-3A__urldefense.proofpoint.com_v2_url-3Fu-3Dhttps-2D3A-5F-5Flists.evolveum.com-5Fmailman-5Flistinfo-5Fmidpoint-26d-3DDwQFaQ-26c-3DgRgGjJ3BkIsb5y6s49QqsA-26r-3DCcoy53oEM8wW3-2DvUAuZFE1kez-2D3vbV9LOfLVoaEsm3A-26m-3DE-2DpS5lDMr22Ozzbxu9moDTQHzshMdKpMAufR3KF8y34-26s-3DKuFK2U5lkSCpx4JT2YEr0QxMaN-2DR0-5FisO6GM5HZ5SG4-26e-3D-253E-253Chttps-3A__urldefense.proofpoint.com_v2_url-3Fu-3Dhttps-2D3A-5F-5Flists.evolveum.com-5Fmailman-5Flistinfo-5Fmidpoint-2D253Chttps-2D3A-5F-5Furldefense.proofpoint.com-5Fv2-5Furl-2D3Fu-2D3Dhttps-2D2D3A-2D5F-2D5Flists.evolveum.com-2D5Fmailman-2D5Flistinfo-2D5Fmidpoint-2D26d-2D3DDwQFaQ-2D26c-2D3DgRgGjJ3BkIsb5y6s49QqsA-2D26r-2D3DCcoy53oEM8wW3-2D2DvUAuZFE1kez-2D2D3vbV9LOfLVoaEsm3A-2D26m-2D3DE-2D2DpS5lDMr22Ozzbxu9moDTQHzshMdKpMAufR3KF8y34-2D26s-2D3DKuFK2U5lkSCpx4JT2YEr0QxMaN-2D2DR0-2D5FisO6GM5HZ5SG4-2D26e-2D3D-2D253E-26d-3DDwQFaQ-26c-3DgRgGjJ3BkIsb5y6s49QqsA-26r-3DCcoy53oEM8wW3-2DvUAuZFE1kez-2D3vbV9LOfLVoaEsm3A-26m-3DeuDFtQ1rGv8nroNy8rptOWENBlOivwIMx0MEhQw6qIc-26s-3D4Sif4-5F8r35Tu-2D5d6RLHErZJYO0Wp0DfMEqfRsmcevjQ-26e-3D-253E&d=DwQFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rDhWNbPBTyQNH1zYxdIcJ9sWfQD1cf743X4svkJGf9Y&s=H6Mj7SCiYZ3k-mqmBjLLdbqwM7lNaR-7xSFh6VZMuEY&e=>

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwQFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=euDFtQ1rGv8nroNy8rptOWENBlOivwIMx0MEhQw6qIc&s=W_8Al5vdpwLO-vVwofRE1pfHGM1x1LgN80lmZ82BOB0&e=><https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint-253Chttps-3A__urldefense.proofpoint.com_v2_url-3Fu-3Dhttps-2D3A-5F-5Flists.evolveum.com-5Fmailman-5Flistinfo-5Fmidpoint-26d-3DDwQFaQ-26c-3DgRgGjJ3BkIsb5y6s49QqsA-26r-3DCcoy53oEM8wW3-2DvUAuZFE1kez-2D3vbV9LOfLVoaEsm3A-26m-3DeuDFtQ1rGv8nroNy8rptOWENBlOivwIMx0MEhQw6qIc-26s-3DW-5F8Al5vdpwLO-2DvVwofRE1pfHGM1x1LgN80lmZ82BOB0-26e-3D-253E&d=DwQFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rDhWNbPBTyQNH1zYxdIcJ9sWfQD1cf743X4svkJGf9Y&s=YGfQPF-rBGsguH-Qmdxo0xvXVU3B8PfPVbiO2cJ13r4&e=>

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwQFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rDhWNbPBTyQNH1zYxdIcJ9sWfQD1cf743X4svkJGf9Y&s=5JgXFHF78qsiBJmaNwey1gDnmYhI6zMJwWJS66pjdEc&e=>



More information about the midPoint mailing list