[midPoint] Importing AD groups as roles

Chris Woods Chris.Woods at rohde-schwarz.com
Wed Jan 13 15:31:27 CET 2021


Hi Al,

You could try commenting out the outbound mappings if this is a one-time import. What strength is set for ri:dn?

Regards,
Chris

-----Original Message-----
From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Al Lilianstrom via midPoint
Sent: Monday, January 11, 2021 7:47 PM
To: Jason Everling <jeverling at bshp.edu>; midPoint General Discussion <midpoint at lists.evolveum.com>
Cc: Al Lilianstrom <lilstrom at fnal.gov>
Subject: *EXT* [Newsletter] Re: [midPoint] Importing AD groups as roles

Hi Jason,

Thank you for the explanation and the sample. Cleared some things up in my head.

Huge step forward. I was able to get a small number of groups to import as roles. Next error to resolve is midPoint wanting to move all of the groups to the same OU rather than leave them where they exist in AD.

No doubt it's in the outbound expression for the group - just need to understand what I need to do.

Thanks again, al

--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
www.fnal.gov
lilstrom at fnal.gov
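Added example, not config from this thread, from Al's resource or from Evolveum: an entitlement/group objectType written the way Chris's question about strength points at. A weak outbound mapping on ri:dn is only applied when the attribute has no value yet, so a group that already exists in AD keeps the OU it lives in, while a group midPoint creates itself still gets a DN. The OU suffix in the expression, the use of $focus/name as the source, and the declaration of the ri: and mr: prefixes on the resource root are assumptions for the example.

```xml
<objectType>
    <kind>entitlement</kind>
    <intent>group</intent>
    <displayName>AD Group</displayName>
    <default>true</default>
    <objectClass>ri:group</objectClass>

    <!-- cn <-> role name. Outbound is weak, so it is only computed
         when midPoint creates a group; inbound feeds the role name on import. -->
    <attribute>
        <ref>ri:cn</ref>
        <matchingRule>mr:stringIgnoreCase</matchingRule>
        <outbound>
            <strength>weak</strength>
            <source>
                <path>$focus/name</path>
            </source>
        </outbound>
        <inbound>
            <target>
                <path>$focus/name</path>
            </target>
        </inbound>
    </attribute>

    <!-- dn: weak, so an existing group is never renamed/moved by a reconcile
         or recompute; the expression only fires for groups without a DN,
         i.e. groups midPoint is creating. -->
    <attribute>
        <ref>ri:dn</ref>
        <displayName>Distinguished Name</displayName>
        <limitations>
            <minOccurs>0</minOccurs>
        </limitations>
        <outbound>
            <strength>weak</strength>
            <source>
                <path>$focus/name</path>
            </source>
            <expression>
                <script>
                    <code>
                        // The target OU is an assumption for this example.
                        basic.composeDnWithSuffix('CN', name, 'OU=midPoint,DC=fermistart,DC=fnal,DC=local')
                    </code>
                </script>
            </expression>
        </outbound>
    </attribute>
</objectType>
```

With a normal (default) or strong outbound on ri:dn, every reconcile computes the DN from the role name and, when it differs from the DN the shadow already has, midPoint issues a rename, which is exactly the "move all groups into one OU" symptom. Commenting the outbound out entirely, as Chris suggests, has the same effect for a one-time import; weak keeps the ability to provision new groups from new roles. Either way, run the sync once against a handful of test groups and check the shadow's ri:dn afterwards before letting it loose on the whole directory.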


________________________________________
From: Jason Everling <jeverling at bshp.edu>
Sent: Monday, January 11, 2021 10:06 AM
To: Al Lilianstrom; midPoint General Discussion
Subject: RE: [midPoint] Importing AD groups as roles

Since you had these types of values mixed before:

Anything with “c:” in the attribute name is an attribute that is part of midPoint's built-in schema; on the other hand, “ri:” is an attribute that is part of your resource. You might use the below for correlation; the midPoint schema “name” field will match your AD “cn” attribute:

                <q:equal>
                        <q:path>c:name</q:path>
                        <expression>
                            <path>$shadow/attributes/ri:cn</path>
                        </expression>
                </q:equal>


From: Jason Everling<mailto:jeverling at bshp.edu>
Sent: Monday, January 11, 2021 9:14 AM
To: Al Lilianstrom<mailto:lilstrom at fnal.gov>; midPoint General Discussion<mailto:midpoint at lists.evolveum.com>
Subject: RE: [midPoint] Importing AD groups as roles

I think it might be your correlation: you are specifying c:dn, but that’s not a valid midPoint attribute. I don’t know how you are using it (everyone has it set up, and named, differently), but the <q:path> needs to be a midPoint attribute. For example, if you are mapping “cn” to the role “name” field, you would use “c:name”.

From: Al Lilianstrom<mailto:lilstrom at fnal.gov>
Sent: Friday, January 8, 2021 12:51 PM
To: Jason Everling<mailto:jeverling at bshp.edu>; midPoint General Discussion<mailto:midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Importing AD groups as roles

Hi Jason,

It looks like this

<objectSynchronization>
        <name>Group sync</name>
        <objectClass>ri:group</objectClass>
        <kind>entitlement</kind>
        <intent>group</intent>
        <focusType>RoleType</focusType>
        <enabled>true</enabled>
        <correlation>
                <q:equal>
                        <q:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:dn</q:path>
                        <expression>
                                <path>$shadow/attributes/cn</path>
                        </expression>
                </q:equal>
        </correlation>
        <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
        </reaction>
        <reaction>
                <situation>deleted</situation>
                <action>
                        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
                </action>
        </reaction>
        <reaction>
                <situation>unlinked</situation>
                <action>
                        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
        </reaction>
        <reaction>
                <situation>unmatched</situation>
        </reaction>
</objectSynchronization>


--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov


________________________________________
From: Jason Everling <jeverling at bshp.edu>
Sent: Friday, January 8, 2021 10:41 AM
To: midPoint General Discussion
Cc: Al Lilianstrom
Subject: RE: [midPoint] Importing AD groups as roles

So “name” is a midPoint attribute; the association section needs attributes that exist in AD, so “ri:name” is definitely not valid and should be “ri:dn”. What is your object synchronization section for actions?

From: Al Lilianstrom via midPoint<mailto:midpoint at lists.evolveum.com>
Sent: Friday, January 8, 2021 10:27 AM
To: midPoint General Discussion<mailto:midpoint at lists.evolveum.com>
Cc: Al Lilianstrom<mailto:lilstrom at fnal.gov>
Subject: Re: [midPoint] Importing AD groups as roles

Hi Jason,

I've tried a couple of different attributes there: name, as it is in the doc I referenced below, and dn, as it is in the same one from your org on GitHub. Same results. Shadow created but no role. No error that I've been able to find.

This is what the shadow object looks like. Any clues there as to what I might be missing?

<shadow xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="ae7c73f6-82cf-4776-89a2-9cb099bbcabb" version="1">
    <name>CN=TestSync1,OU=midPoint,DC=fermistart,DC=fnal,DC=local</name>
    <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" relation="org:default" type="c:ResourceType">
        <!-- FermiStart Active Directory -->
    </resourceRef>
    <synchronizationTimestamp>2021-01-08T09:48:37.057-06:00</synchronizationTimestamp>
    <fullSynchronizationTimestamp>2021-01-08T09:48:37.057-06:00</fullSynchronizationTimestamp>
    <objectClass>ri:group</objectClass>
    <primaryIdentifierValue>4d011362-4f8e-4b77-ad8f-257bd2f9338e</primaryIdentifierValue>
    <kind>entitlement</kind>
    <exists>true</exists>
    <attributes>
        <ri:dn>cn=testsync1,ou=midpoint,dc=fermistart,dc=fnal,dc=local</ri:dn>
        <ri:objectGUID>4d011362-4f8e-4b77-ad8f-257bd2f9338e</ri:objectGUID>
    </attributes>
</shadow>


  al


--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov


________________________________________
From: Jason Everling <jeverling at bshp.edu>
Sent: Thursday, January 7, 2021 1:49 PM
To: midPoint General Discussion; chris at cmwoods.com
Cc: Al Lilianstrom
Subject: RE: [midPoint] Importing AD groups as roles

From what I can see so far, I'm pretty sure you need to use ‘ri:dn’ for ‘shortcutValueAttribute’ and ‘valueAttribute’.

From: Al Lilianstrom via midPoint<mailto:midpoint at lists.evolveum.com>
Sent: Thursday, January 7, 2021 1:20 PM
To: chris at cmwoods.com<mailto:chris at cmwoods.com>; midPoint General Discussion<mailto:midpoint at lists.evolveum.com>
Cc: Al Lilianstrom<mailto:lilstrom at fnal.gov>
Subject: Re: [midPoint] Importing AD groups as roles

Hi Chris,

Thanks for the response.

I have the inbound mapping and association defined.

<association>
        <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group</c:ref>
        <displayName>AD Group Membership</displayName>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:name</valueAttribute>
        <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
        <shortcutValueAttribute>ri:name</shortcutValueAttribute>
        <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>

<objectType>
        <kind>entitlement</kind>
        <intent>group</intent>
        <displayName>AD Group</displayName>
        <default>true</default>
        <objectClass>ri:group</objectClass>
        <attribute>
                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</c:ref>
                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
                <inbound>
                        <target>
                                <c:path>$focus/name</c:path>
                        </target>
                </inbound>
        </attribute>
...

I'd really appreciate an example. Please send it when you have a chance on Monday.

  al


--
Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory
http://www.fnal.gov
lilstrom at fnal.gov


________________________________________
From: chris at cmwoods.com <chris at cmwoods.com>
Sent: Thursday, January 7, 2021 11:44 AM
To: midPoint General Discussion
Cc: Al Lilianstrom
Subject: Re: [midPoint] Importing AD groups as roles

Hi Al,

The import as a role is not defined in the task. You have to define that in an inbound mapping in an association in your resource schema handling. For AD it also gets more complicated due to nested groups, if you want roles as members of roles in midPoint.

I am back at work on Monday and can send you an example if you like.

Regards,
Chris

January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint" <midpoint at lists.evolveum.com> wrote:

> Still struggling with this. Given up on importing the existing groups
> as roles for now. Using
> https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO
> as a guide I verified that my configuration for the AD resource
> matched the guide. I then created the task for syncing groups
>
> <task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
>     <name>Synchronization: Active Directory Groups</name>
>     <extension>
>         <mext:kind xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">entitlement</mext:kind>
>     </extension>
>     <executionStatus>runnable</executionStatus>
>     <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/live-sync/handler-3</handlerUri>
>     <objectRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" type="c:ResourceType"/>
>     <recurrence>recurring</recurrence>
>     <binding>tight</binding>
>     <schedule>
>         <interval>5</interval>
>     </schedule>
> </task>
>
> Task runs without errors.
>
> I then created a group. The task picked up the group and added it as a shadow.
>
> From this line in the document "When new group is created, it appears 
> in midPoint as a new entitlement shadow and a role." I expected a role to be created.
>
> Am I misunderstanding the document or missing something in the task?
>
> --
> Al Lilianstrom
> Authentication Services
>
> Fermi National Accelerator Laboratory
> http://www.fnal.gov
> lilstrom at fnal.gov
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint