[midPoint] Multiple AD accounts

Yakov Revyakin yrevyakin at gmail.com
Mon Feb 14 14:52:45 CET 2022 

Can someone help to move forward?

On Sun, 13 Feb 2022 at 19:20, Yakov Revyakin <yrevyakin at gmail.com> wrote:

> For example, I have something like this:
> (where dn is AD namingAttribute, organization O has two org assignments
> Off1 & Off2, O includes single-value "department" attribute with value "O"
> to use it as AD OU name for org O))
> I use Off1 and Off2 names as tag value.
>
> <objectType>
>     <kind>generic</kind>
>     <intent>default</intent>
>     <objectClass>ri:organizationalUnit</objectClass>
>     <multiplicity>
>         <maxOccurs>unbounded</maxOccurs>
>         <tag>
>             <outbound>
>                 <source>
>                     <path>parentOrgRef</path>
>                 </source>
>                 <expression>
>                     <script>
>                         <code>
>                             import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
>
>                             OrgType office = midpoint.getOrgByOid(parentOrgRef.oid);
>                             log.info("1.1" + String.valueOf(office.name));
>                             return office.name;
>                         </code>
>                     </script>
>                 </expression>
>             </outbound>
>         </tag>
>     </multiplicity>
>     <attribute>
>         <ref>ri:dn</ref>
>         <matchingRule>distinguishedName</matchingRule>
>         <outbound>
>             <strength>strong</strength>
>             <source>
>                 <path>extension/department</path>
>             </source>
>             <source>
>                 <path>parentOrgRef</path>
>             </source>
>             <source>
>                 <path>$projection/tag</path>
>             </source>
>             <expression>
>                 <script>
>                     <code>
>                         import com.evolveum.midpoint.schema.constants.SchemaConstants;
>                         import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
>                         import javax.naming.ldap.Rdn;
>                         import javax.naming.ldap.LdapName;
>
>                         OrgType office = midpoint.getOrgByOid(parentOrgRef.oid);
>
>                         log.info("2.1" + String.valueOf(tag));
>                         log.info("2.2" + String.valueOf(office.name));
>
>                         return basic.composeDn(
>                                 new Rdn("OU", basic.stringify(department)),
>                                 new Rdn("OU", basic.stringify(office.name)),
>                                 new LdapName("DC=example,DC=com")
>                         );
>                     </code>
>                 </script>
>             </expression>
>         </outbound>
>     </attribute>
> </objectType>
>
> For my data structure I wrote above I have the following output in log:
>
> 1.1 Off1
> 1.1 Off2
> 1.1 Off1
> 1.1 Off2
> 2.1 Off1
> 2.2 Off1
> 2.1 Off1
> 2.2 Off2
> 2.1 Off1
> 2.2 Off1
> 2.1 Off1
> 2.2 Off2
>
> Partial error while processing projection on
> resource:746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2(AD): Attempt to add 2 values
> to a single-valued item attributes/dn; values:
> [PPV(String:OU=O,OU=Off1,DC=example,DC=com),
> PPV(String:OU=O,OU=Off2,DC=example,DC=com)]
>
> How to complete my conf? I don't understand how to configure the
> multivalued account feature. Please, help
>
> On Sun, 13 Feb 2022 at 14:48, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>
>> Correct, I'd like to have multiple AD accounts. How to command to create
>> them?
>>
>> On Sun, 13 Feb 2022 at 14:34, Roman Pudil - AMI Praha a.s. via midPoint <
>> midpoint at lists.evolveum.com> wrote:
>>
>>>
>>> Hi,
>>> AD schema did not allow multiple values in DN attribute. See AD schema
>>> documentation.
>>> You have ro use multiple accounts.
>>> Regards
>>> Roman Pudil
>>>
>>>
>>> Dne ne 13. 2. 2022 13:27 uživatel Yakov Revyakin via midPoint <
>>> midpoint at lists.evolveum.com> napsal:
>>>
>>>> An org (O, intent : default) is a member of two organizations (Off1 &
>>>> Off2) different by name but the same by nature (intent : office).
>>>> This structure results in AD as:
>>>> Off1 dn : OU=Off1
>>>> Off2 dn : OU=Off2
>>>> O in Off1 dn : OU=O,OU=Off1
>>>> O in Off2 dn : OU=O,OU=Off2
>>>>
>>>> I'd like to have multiple AD accounts under O created: OU=O,OU=Off1 and
>>>> OU=O,OU=Off2.
>>>>
>>>> Could someone provide schema handling with multiple accounts support
>>>> for the case? I mean TAG support.
>>>>
>>>> My configuration tries to save multiple values in dn attribute instead
>>>> of creating different accounts.
>>>>
>>>> Thanks,
>>>> J
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20220214/9d04f028/attachment-0001.htm>

More information about the midPoint mailing list