[midPoint] Condition for Role and MetaRole

Thu Sep 23 11:35:58 CEST 2021

Good morning!
We have some users who are standard midpoint users and we have some users pulled from Active Directory.  When I want to give a Role to a user, I have to use one MetaRole to write standard users to LDAP and I have to use another MetaRole to write the AD users to LDAP.  The reason is the AD users require SASL Passthrough on the LDAP server, so the password data written is different between the two user groups.

Right now I have two Roles - Role_Standard.xml and Role_AD.xml.  It would be nice to have one Role with a condition that uses the proper MetaRole to write to LDAP.  

All AD users have “ad-user” in the organization attribute in midPoint, so it should be fairly straightforward (I would think).  But it isn’t working.

I am trying to use an assignment to call the proper MetaRole.  Here is what I have:

<!-- If user is AD, then this role is used to put them in the proper groups and 
configure SASL Passthrough -->
      <assignment>
         <targetRef oid="68e686f4-df63-11eb-a318-00ff83f6b50b" type="RoleType"/>
           <condition>
            <script>
              <code>basic.stringify(organization) == “ad-user"</code>
            </script>
           </condition>
   	</assignment> 
</role>
</objects>

I am fairly new to MidPoint.  I have googled and searched, but haven’t been able to find a solution.  The Role will not import.  Trying to import this particular version, I get “script has no definition.” 

Do you have any suggestions for how to do the condition properly in a Role?

Thank you for your time.

Josh