[midPoint] Entitlements with associations
Keith LeValley
klevalley2 at davenport.edu
Mon Oct 11 17:49:59 CEST 2021
Perfect, thank you for the help!
On Mon, Oct 11, 2021 at 11:38 AM Joshua Williams <jwilliams at globalnaz.org>
wrote:
> In my experience, no. I have LDAP users who are in dozens of groups. The
> service referencing LDAP (for example, a Nextcloud server using LDAP for
> Authentication) has filters that look for the user's name in the proper
> LDAP group. If the name is in the group, it looks for the account with
> credentials. Then it authenticates.
>
> The number of groups in LDAP and the number of groups a user is part of
> don’t impact OpenLDAP server performance.
>
> Josh
>
> On Oct 11, 2021, at 9:32 AM, Keith LeValley via midPoint <
> midpoint at lists.evolveum.com> wrote:
>
> Thank you for the response, and this works, so I am starting to figure out
> what's going on a little bit. My concern is that every group inside
> openldap would then have to entitle the user to openldap. I was initially
> thinking of controlling account creation in openldap through 3 roles
> (depending on placement). I can condense this into one role using account
> naming standards (our vendor accounts always start with v_ etc.). I am not
> really concerned with a user having an openldap account anytime they get
> placed in a group that is entitled to openldap.
>
> My concern, though (and this is probably just a lack of understanding of
> midPoint): if the user is placed in, say, 15 different openldap groups, and
> each of those groups is granting an entitlement to the user, does this
> cause any type of performance or scaling issue with the user having those
> 15 openldap entitlements?
>
> On Mon, Oct 11, 2021 at 10:35 AM Joshua Williams <
> jwilliams+list at globalnaz.org> wrote:
>
>> Hi Keith,
>> I am fairly new to midPoint, so I may be a little off base. However, I
>> have a Role that is similar to yours.
>>
>> To make the Metarole assign the account to the LDAP Posix Group, I have
>> to use <assignment> for the Metarole and <inducement> for writing the LDAP
>> account and attributes.
>>
>> <assignment>
>>   <!-- This assigns the LDAP Group Metarole -->
>>   <targetRef oid="10000000-0000-0000-0000-000000000003" type="c:RoleType"/>
>> </assignment>
>>
>> <inducement>
>>   <!-- Sends the job to the appropriate resource -->
>>   <construction>
>>     <resourceRef oid="10000000-0000-0000-0000-000000000004"
>>                  relation="org:default"
>>                  type="c:ResourceType"/>
>>     <attribute>
>>       <c:ref>ri:authServices</c:ref>
>>       <outbound>
>>         <strength>strong</strength>
>>         <expression>
>>           <value xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                  xsi:type="xsd:string">attribute</value>
>>         </expression>
>>       </outbound>
>>     </attribute>
>>   </construction>
>> </inducement>
>>
>> The Metarole I assign is basically this one:
>> https://github.com/Evolveum/midpoint/blob/master/testing/story/src/test/resources/unix/role-meta-unix-group.xml
>>
>> Josh
>>
>> On Oct 11, 2021, at 7:45 AM, Keith LeValley via midPoint <
>> midpoint at lists.evolveum.com> wrote:
>>
>> I was hoping someone might be able to explain the interaction with
>> inducements using associations.
>>
>> I am using the example from the demo site, the meta role used to grant
>> group entitlements to openldap. Below is the XML of those inducements:
>>
>> <inducement id="2">
>>   <construction>
>>     <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31"
>>                  relation="org:default" type="c:ResourceType">
>>       <!-- openldap -->
>>     </resourceRef>
>>     <kind>entitlement</kind>
>>     <intent>group</intent>
>>   </construction>
>> </inducement>
>> <inducement id="3">
>>   <construction>
>>     <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31"
>>                  relation="org:default" type="c:ResourceType">
>>       <!-- openldap -->
>>     </resourceRef>
>>     <kind>account</kind>
>>     <intent>default</intent>
>>     <association id="3">
>>       <ref>ri:group</ref>
>>       <outbound>
>>         <expression>
>>           <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                                xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
>>             <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>>               <kind>entitlement</kind>
>>               <intent>group</intent>
>>             </projectionDiscriminator>
>>           </associationFromLink>
>>         </expression>
>>       </outbound>
>>     </association>
>>   </construction>
>>   <order>2</order>
>> </inducement>
>>
>> This works: when I assign a user to a group and assign that group to the
>> meta role, the user gets the openldap inducement and will be added to the
>> group in openldap also.
>>
>> Unfortunately this won't work for my setup; I need to split the
>> inducement to openldap and to the group. The group and the user still get
>> created, but the association doesn't seem to work; the user is not assigned
>> to the group. Below is the inducement to the group that entitles the user
>> with the association:
>>
>> <inducement id="2">
>>   <construction>
>>     <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31"
>>                  relation="org:default" type="c:ResourceType">
>>       <!-- openldap -->
>>     </resourceRef>
>>     <kind>account</kind>
>>     <intent>default</intent>
>>     <association id="9">
>>       <ref>ri:group</ref>
>>       <outbound>
>>         <expression>
>>           <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                                xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
>>             <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>>               <kind>entitlement</kind>
>>               <intent>group</intent>
>>             </projectionDiscriminator>
>>           </associationFromLink>
>>         </expression>
>>       </outbound>
>>     </association>
>>   </construction>
>> </inducement>
>>
>> Below is the inducement used to entitle the group:
>>
>> <inducement id="2">
>>   <construction>
>>     <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31"
>>                  relation="org:default" type="c:ResourceType">
>>       <!-- openldap -->
>>     </resourceRef>
>>     <kind>entitlement</kind>
>>     <intent>group</intent>
>>   </construction>
>> </inducement>
>>
>> This looks to me like it should work? The user still has the same
>> inducements; they're just spread between two different roles instead of on
>> a single meta role.
>>
>>
>>
>> --
>> Keith LeValley
>> Identity Services Architect, Davenport University
>> phone: (616) 732-1102
>> klevalley2 at davenport.edu
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>
--
Keith LeValley
Identity Services Architect, Davenport University
phone: (616) 732-1102
klevalley2 at davenport.edu
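Added example (not from this thread, and not one of midPoint's own sample files): the demo metarole quoted above, split into two metaroles that are both assigned to the role representing one LDAP group, so that the group provisioning and the member provisioning live in different roles as Keith wants. The resource OID is the one quoted in the thread; the role names and role OIDs are placeholders. One visible difference between the two quoted versions is that the working single-metarole version carries <order>2</order> on the account inducement while the split account inducement quoted above does not; this example keeps the order element, because an inducement without it applies to the role that holds the metarole rather than to the user who holds that role. Whether that accounts for the missing membership in Keith's setup is an assumption, since the thread does not show which role each inducement was placed in.

```xml
<!-- Added example, not from the thread. Resource OID is the openldap
     resource quoted in the thread; role names and role OIDs are
     placeholders chosen for this example. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

    <!-- Metarole 1: provisions the LDAP group shadow for the role that
         holds this metarole. No <order> means order 1, i.e. the role itself. -->
    <role oid="00000000-0000-0000-0000-00000000a001">
        <name>meta-ldap-group</name>
        <inducement>
            <construction>
                <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31"
                             type="c:ResourceType"/>
                <kind>entitlement</kind>
                <intent>group</intent>
            </construction>
        </inducement>
    </role>

    <!-- Metarole 2: provisions the LDAP account for users of the role and
         associates it with the group shadow that metarole 1 linked to the
         role. <order>2</order> makes it apply two steps down the assignment
         path: user -> group role -> this metarole. -->
    <role oid="00000000-0000-0000-0000-00000000a002">
        <name>meta-ldap-group-member</name>
        <inducement>
            <construction>
                <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31"
                             type="c:ResourceType"/>
                <kind>account</kind>
                <intent>default</intent>
                <association>
                    <ref>ri:group</ref>
                    <outbound>
                        <expression>
                            <!-- take the group shadow linked to the role one
                                 step up the assignment path -->
                            <associationFromLink>
                                <projectionDiscriminator>
                                    <kind>entitlement</kind>
                                    <intent>group</intent>
                                </projectionDiscriminator>
                            </associationFromLink>
                        </expression>
                    </outbound>
                </association>
            </construction>
            <order>2</order>
        </inducement>
    </role>

    <!-- The role that represents one LDAP group. Both metaroles are
         assigned (not induced) to it, as in Josh's reply. -->
    <role oid="00000000-0000-0000-0000-00000000b001">
        <name>ldap-group-example</name>
        <assignment>
            <targetRef oid="00000000-0000-0000-0000-00000000a001" type="c:RoleType"/>
        </assignment>
        <assignment>
            <targetRef oid="00000000-0000-0000-0000-00000000a002" type="c:RoleType"/>
        </assignment>
    </role>
</objects>
```

To check it, import the file, recompute ldap-group-example so it gets its group shadow, then assign ldap-group-example to a test user and look at the user's account shadow: the ri:group association should point at that group shadow, and the LDAP group's member attribute should list the account. If only metarole 2 is assigned to the group role, there is no group shadow to link from and the association stays empty, which is the same symptom Keith describes.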