[midPoint] LDAP Role not unassigned when validTo is reached

Patrik Sidler patrik.sidler at itconcepts.ch
Wed Dec 7 08:58:38 CET 2022


Hi All,

I am having a problem with an LDAP role that does not get unassigned when validTo is reached.
The role assignment on the particular user changes its effectiveStatus to disabled (because validTo is reached), but the role is not unassigned, and therefore the user is still a member of the LDAP group.

What do I have to configure so that the role will be unassigned when validTo is reached?
I am working with midPoint 4.6, by the way.


My LDAP Role:
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="f2906bc1-4b33-4bf1-9233-981614e70195" version="8">
    <name>cn=biouser,cn=groups,cn=accounts,dc=dsone-dev,dc=aspectra,dc=net</name>
    <assignment id="1">
        <metadata>
            <createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#import</createChannel>
            <originMappingName>Metarole LDAP Group Assignment</originMappingName>
        </metadata>
        <targetRef oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6" relation="org:default" type="c:RoleType">
            <!-- Metarole LDAP Group Assignment -->
        </targetRef>
        <activation>
            <effectiveStatus>enabled</effectiveStatus>
        </activation>
    </assignment>
    <assignment id="2">
        <metadata>
            <createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#import</createChannel>
            <originMappingName>Metarole Line Manager Approval</originMappingName>
        </metadata>
        <targetRef oid="cee649ee-8764-47e3-847b-c9f7155bcfe3" relation="org:default" type="c:RoleType">
            <!-- Metarole Line Manager Approval -->
        </targetRef>
        <activation>
            <effectiveStatus>enabled</effectiveStatus>
        </activation>
    </assignment>
    <roleMembershipRef oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6" relation="org:default" type="c:RoleType">
        <!-- Metarole LDAP Group Assignment -->
    </roleMembershipRef>
    <roleMembershipRef oid="cee649ee-8764-47e3-847b-c9f7155bcfe3" relation="org:default" type="c:RoleType">
        <!-- Metarole Line Manager Approval -->
    </roleMembershipRef>
    <linkRef oid="a7e0ac25-cd8c-4387-9ebb-6fc961549d7a" relation="org:default" type="c:ShadowType">
        <!-- cn=defaultuser,cn=groups,cn=accounts,dc=env-dev,dc=customer,dc=net -->
    </linkRef>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
        <enableTimestamp>2022-11-23T16:26:51.664+01:00</enableTimestamp>
    </activation>
    <displayName>defaultuser</displayName>
    <identifier>jira-notification</identifier>
    <requestable>true</requestable>
</role>

My LDAP Group metarole:
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6" version="21">
    <name>Metarole LDAP Group Assignment</name>
    <description>Assign this Meta Role to all LDAP Group Roles, that can be assigned to users.</description>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
        <enableTimestamp>2022-11-15T11:23:42.723+01:00</enableTimestamp>
    </activation>
    <displayName>Metarole: assign Users to LDAP Group</displayName>
    <inducement id="12">
        <description>Inducement to add the User to the correct LDAP Group and to create an account as a projection of user having assigned a LDAP Group Role with this metarole.</description>
        <construction>
            <description>Creates an account for user, and associates with group created for the Role assigned to the user.</description>
            <strength>weak</strength>
            <resourceRef oid="31f3b90c-7b4d-4320-9964-3f46a3e75cf2" relation="org:default" type="c:ResourceType">
                <!-- LDAP -->
            </resourceRef>
            <kind>account</kind>
            <intent>ldapAccount</intent>
            <association id="14">
                <ref>ri:ldapGroupMember</ref>
                <outbound>
                    <strength>strong</strength>
                    <source>
                        <path>$focusAssignment/targetRef</path>
                    </source>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                                <kind>entitlement</kind>
                                <intent>ldapGroup</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
        <focusType>UserType</focusType>
    </inducement>
    <inducement id="11">
        <description>Inducement to add the User to the correct LDAP Group</description>
        <construction>
            <description>Creates an object (group) for organization</description>
            <resourceRef oid="31f3b90c-7b4d-4320-9964-3f46a3e75cf2" relation="org:default" type="c:ResourceType">
                <!-- LDAP -->
            </resourceRef>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
        </construction>
    </inducement>
</role>

Thank you in advance for your help.

Regards
Patrik Sidler, ITConcepts
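For readers who want to reproduce the situation in the question, this is the user-side piece the post describes but does not show: a time-limited assignment of the LDAP group role, with validTo set in the assignment's activation. This is an added illustration, not part of the original post; the user name, the timestamp and the comment are constructed, while the role oid is the one from the role posted above. Once validTo has passed and the user is recomputed, midPoint sets the assignment's effectiveStatus to disabled, which is the state the question is about; the assignment itself stays in the object.

```xml
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
    <name>example.user</name> <!-- constructed sample name -->
    <assignment>
        <!-- LDAP group role from the post: cn=biouser,... (oid f2906bc1-4b33-4bf1-9233-981614e70195) -->
        <targetRef oid="f2906bc1-4b33-4bf1-9233-981614e70195" relation="org:default" type="c:RoleType"/>
        <activation>
            <!-- constructed sample date: assignment is valid only until this instant -->
            <validTo>2022-12-01T00:00:00.000+01:00</validTo>
        </activation>
    </assignment>
</user>
```

When checking such a user after the date, look at the assignment's computed activation: a disabled effectiveStatus alongside an assignment that is still present is exactly the state described in the question, and it is distinct from the assignment having been removed.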

