[midPoint] Importing AD groups as roles

Chris Woods chris at cmwoods.com
Fri Jan 8 21:33:44 CET 2021


Hi Al,

It's not a prerequisite. The only mandatory field would be name which you 
were setting in the inbound mapping from ri:cn if I remember correctly.

You can use the template to set other values for the role that may not be 
coming directly from the resource (we are actually using archetypes to set 
these kinds of values). Actually, we copy ri:cn to $focus/identifier and 
then generate a name for the role in the archetype - but this is all stuff 
to do after the creation of the role is working.

I take it you're not getting any error messages?

Regards,
Chris

On 8 January 2021 at 21:07:24, Al Lilianstrom <lilstrom at fnal.gov> wrote:

> Thanks Chris. Still not seeing a role.
>
> Looking at the example that Jason has in github I see
>
> <objectTemplateRef oid="template-defaultDomainGroup" relation="org:default" 
> type="c:ObjectTemplateType">
>    <targetName>Role Template - Domain Groups</targetName>
> </objectTemplateRef>
>
> as part of the reaction for the addFocus to an unmatched group.
>
> Do I need a template defined for the role to be added?
>
>  al
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> www.fnal.gov
> lilstrom at fnal.gov
>
>
> ________________________________________
> From: Chris Woods <chris at cmwoods.com>
> Sent: Friday, January 8, 2021 1:03 PM
> To: midPoint General Discussion; Jason Everling
> Cc: Al Lilianstrom
> Subject: Re: [midPoint] Importing AD groups as roles
>
> Hi Al,
>
> You don't have a reaction defined for "unmatched". This should be "add 
> focus" if you want the role to be created.
>
> Regards,
> Chris
>
> On 8 January 2021 at 19:51:19, Al Lilianstrom via midPoint 
> <midpoint at lists.evolveum.com> wrote:
>
> Hi Jason,
>
> It looks like this
>
> <objectSynchronization>
>        <name>Group sync</name>
>        <objectClass>ri:group</objectClass>
>        <kind>entitlement</kind>
>        <intent>group</intent>
>        <focusType>RoleType</focusType>
>        <enabled>true</enabled>
>        <correlation>
>                <q:equal>
>                        <q:path 
>                        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:dn</q:path>
>                        <expression>
>                                <path>$shadow/attributes/cn</path>
>                        </expression>
>                </q:equal>
>        </correlation>
>        <reaction>
>                <situation>linked</situation>
>                <synchronize>true</synchronize>
>        </reaction>
>        <reaction>
>                <situation>deleted</situation>
>                <action>
>                        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
>                </action>
>        </reaction>
>        <reaction>
>                <situation>unlinked</situation>
>                <action>
>                        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>                </action>
>        </reaction>
>        <reaction>
>                <situation>unmatched</situation>
>        </reaction>
> </objectSynchronization>
>
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> http://www.fnal.gov
> lilstrom at fnal.gov
>
>
> ________________________________________
> From: Jason Everling <jeverling at bshp.edu>
> Sent: Friday, January 8, 2021 10:41 AM
> To: midPoint General Discussion
> Cc: Al Lilianstrom
> Subject: RE: [midPoint] Importing AD groups as roles
>
> So “name” is a midPoint attribute; the association section needs attributes 
> that exist in AD, so for sure “ri:name” is not valid and should be “ri:dn”. 
> What is your object synchronization section for actions?
>
> From: Al Lilianstrom via midPoint <midpoint at lists.evolveum.com>
> Sent: Friday, January 8, 2021 10:27 AM
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Cc: Al Lilianstrom <lilstrom at fnal.gov>
> Subject: Re: [midPoint] Importing AD groups as roles
>
> Hi Jason,
>
> I've tried a couple of different attributes there. Name as it's in the doc 
> I referenced below and dn as it's in the same from your org in github. Same 
> results. Shadow created but no role. No error that I've been able to find.
>
> This is what the shadow object looks like. Any clues there as to what I 
> might be missing?
>
> <shadow 
> xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" 
> xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" 
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" 
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" 
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" 
> oid="ae7c73f6-82cf-4776-89a2-9cb099bbcabb" version="1">
>    <name>CN=TestSync1,OU=midPoint,DC=fermistart,DC=fnal,DC=local</name>
>    <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" 
>    relation="org:default" type="c:ResourceType">
>        <!-- FermiStart Active Directory -->
>    </resourceRef>
>    <synchronizationTimestamp>2021-01-08T09:48:37.057-06:00</synchronizationTimestamp>
>    <fullSynchronizationTimestamp>2021-01-08T09:48:37.057-06:00</fullSynchronizationTimestamp>
>    <objectClass>ri:group</objectClass>
>    <primaryIdentifierValue>4d011362-4f8e-4b77-ad8f-257bd2f9338e</primaryIdentifierValue>
>    <kind>entitlement</kind>
>    <exists>true</exists>
>    <attributes>
>        <ri:dn>cn=testsync1,ou=midpoint,dc=fermistart,dc=fnal,dc=local</ri:dn>
>        <ri:objectGUID>4d011362-4f8e-4b77-ad8f-257bd2f9338e</ri:objectGUID>
>    </attributes>
> </shadow>
>
>
>  al
>
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> http://www.fnal.gov
> lilstrom at fnal.gov
>
>
> ________________________________________
> From: Jason Everling <jeverling at bshp.edu>
> Sent: Thursday, January 7, 2021 1:49 PM
> To: midPoint General Discussion; chris at cmwoods.com
> Cc: Al Lilianstrom
> Subject: RE: [midPoint] Importing AD groups as roles
>
> From what I can see so far, pretty sure you need to use ‘ri:dn’ for 
> ‘shortcutValueAttribute’ and ‘valueAttribute’
>
> From: Al Lilianstrom via midPoint <midpoint at lists.evolveum.com>
> Sent: Thursday, January 7, 2021 1:20 PM
> To: chris at cmwoods.com; midPoint General Discussion 
> <midpoint at lists.evolveum.com>
> Cc: Al Lilianstrom <lilstrom at fnal.gov>
> Subject: Re: [midPoint] Importing AD groups as roles
>
> Hi Chris,
>
> Thanks for the response.
>
> I have the inbound mapping and association defined.
>
> <association>
>        <c:ref 
>        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group</c:ref>
>        <displayName>AD Group Membership</displayName>
>        <kind>entitlement</kind>
>        <intent>group</intent>
>        <direction>objectToSubject</direction>
>        <associationAttribute>ri:member</associationAttribute>
>        <valueAttribute>ri:name</valueAttribute>
>        <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>        <shortcutValueAttribute>ri:name</shortcutValueAttribute>
>        <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
> </association>
>
> <objectType>
>        <kind>entitlement</kind>
>        <intent>group</intent>
>        <displayName>AD Group</displayName>
>        <default>true</default>
>        <objectClass>ri:group</objectClass>
>        <attribute>
>                <c:ref 
>                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</c:ref>
>                <matchingRule 
>                xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>                <inbound>
>                        <target>
>                                <c:path>$focus/name</c:path>
>                        </target>
>                </inbound>
>        </attribute>
> ...
>
> I'd really appreciate an example. Please send it when you have a chance on 
> Monday.
>
>  al
>
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> http://www.fnal.gov
> lilstrom at fnal.gov
>
>
> ________________________________________
> From: chris at cmwoods.com <chris at cmwoods.com>
> Sent: Thursday, January 7, 2021 11:44 AM
> To: midPoint General Discussion
> Cc: Al Lilianstrom
> Subject: Re: [midPoint] Importing AD groups as roles
>
> Hi Al,
>
> Importing as a role is not defined in the task. You have to define that 
> in an inbound mapping in an association in your resource schema handling. 
> For AD it also gets more complicated due to nested groups - if you want 
> roles as members of roles in midPoint.
>
> I am back at work on Monday and can send you an example if you like.
>
> Regards,
> Chris
>
> January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint" 
> <midpoint at lists.evolveum.com> wrote:
>
> Still struggling with this. Given up on importing the existing groups as 
> roles for now. Using 
> https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO 
> as a guide I verified that my configuration for the AD resource matched the 
> guide. I then created the task for syncing groups
>
> <task 
> xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
> xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
> <name>Synchronization: Active Directory Groups</name>
> <extension>
> <mext:kind
> xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">entitlement</mext:kind>
> </extension>
> <executionStatus>runnable</executionStatus>
> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/live-sync/handler-</handlerUri>
> <objectRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" type="c:ResourceType"/>
> <recurrence>recurring</recurrence>
> <binding>tight</binding>
> <schedule>
> <interval>5</interval>
> </schedule>
> </task>
>
> Task runs without errors.
>
> I then created a group. The task picked up the group and added it as a shadow.
>
> From this line in the document "When new group is created, it appears in 
> midPoint as a new entitlement shadow and a role." I expected a role to be 
> created.
>
> Am I misunderstanding the document or missing something in the task?
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> http://www.fnal.gov
> lilstrom at fnal.gov
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
