[midPoint] Question about group membership management in midpoint
Arnošt Starosta
arnost.starosta at ami.cz
Tue Aug 29 13:47:26 CEST 2023
Hi David,
Regarding LDAP group membership: you may be missing the necessary association configuration, typically found in a metarole. Please check the docs or, even better, some examples in the sources, like this one:
https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31
arnost
Arnošt Starosta
solution architect
gsm: [+420] 603 794 932
e-mail: arnost.starosta at ami.cz
AMI Praha a.s.
Pernerova 697/35, 186 00 Praha 8
reception: [+420] 604 444 848 | web: www.ami.cz
By the text of this e-mail the signatory neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s. Any contract, if concluded, must be made exclusively in written form.
This e-mail is intended solely for its addressee(s) and may contain confidential or personal information. If you are not the intended recipient, any disclosure, forwarding or other use of this information is prohibited. If you have received this e-mail in error, please inform the sender and immediately delete all copies of this e-mail including all of its attachments. By handling information obtained without authorization you expose yourself to the risk of legal action.
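The association wiring referred to above, as an added example that is not the file linked in the reply nor any other midpoint-samples code: a metarole following the same pattern, assigned to every role that represents an LDAP group. The first inducement provisions the group entry itself (entitlement), the second (order 2) attaches the member's account to that group through an association. The OIDs are placeholders, and the association name ri:ldapGroup, the entitlement intent ldapGroup and the account intent default are assumed names that must match the resource definition.

```xml
<!-- Added example: metarole for LDAP-group roles (pattern from midpoint-samples, not its code).
     Placeholders: PLACEHOLDER-METAROLE-OID, PLACEHOLDER-RESOURCE-OID.
     Assumed names: intent "ldapGroup" (entitlement), intent "default" (account),
     association "ri:ldapGroup" declared in the resource's account object type. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="PLACEHOLDER-METAROLE-OID">
    <name>Meta-role: LDAP group</name>

    <!-- Inducement 1 (order 1, the default): the role holding this metarole
         gets its own LDAP group entry; the group's cn is taken from the role name. -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-RESOURCE-OID" type="ResourceType"/>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <attribute>
                <ref>ri:cn</ref>
                <outbound>
                    <source>
                        <path>$focus/name</path>
                    </source>
                </outbound>
            </attribute>
        </construction>
    </inducement>

    <!-- Inducement 2 (order 2): a user assigned to the group role gets an LDAP
         account whose ri:ldapGroup association points at the group entry created
         by inducement 1. associationFromLink resolves the group shadow linked to
         the role, so adding/removing a user from the role edits LDAP membership. -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-RESOURCE-OID" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:ldapGroup</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>ldapGroup</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>
```

This metarole only works if the resource's schemaHandling declares the other half: an association named ri:ldapGroup on the account object type, with direction objectToSubject, the group's membership attribute as associationAttribute (ri:member on groupOfNames), the account DN as valueAttribute, and the entitlement intent ldapGroup as its target. With both halves in place, membership becomes a normal assignment in midPoint and the resulting LDAP change is visible in the account shadow's associations, which is also the place to reconcile when LDAP has been edited directly.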
________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of David Coutadeur via midPoint <midpoint at lists.evolveum.com>
Sent: Monday, August 28, 2023 4:13 PM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Cc: David Coutadeur <david.coutadeur at gmail.com>
Subject: [midPoint] Question about group membership management in midpoint
Hello,
I am working on an OpenLDAP integration with midPoint.
It is starting to work, but I have two questions:
1/ I have imported OpenLDAP groups into midPoint roles, but I can't
figure out how to manage role membership. I'd like to be able to
read/write role members in midPoint so that they stay synchronized in LDAP.
You can see my openldap-resource definition attached.
Please note that LDAP group membership is already visible in midPoint
users. If I look at account shadows, I can observe shadow group
membership, but I can't manage the membership from there.
Does anyone know how to do this? Is there a better approach for managing
group membership in midPoint?
2/ Some LDAP users are not imported into midPoint when their names are too
close to those of existing users, for example when their name contains a dash.
I understand that this is due to the comparison rule based on the
PolyString type. I have tried multiple rules:
<q:path>name</q:path>
<q:matching>polyStringOrig</q:matching>
but I can't find one that compares the strings directly, without
normalization. Do you know what I have missed?
Also, the openldap-resource I am working on is more complete than those
in the docs. Would you be interested in including it? Do you accept
contributions?
Thanks in advance for your help!
Regards,
--
David Coutadeur | IAM integrator
david.coutadeur at worteks.com
+33 7 88 46 85 34
16 avenue Hoche, Paris 75008
Worteks | https://www.worteks.com
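The collision described in question 2 above, as an added illustration that is not part of either post: a small Python model, constructed here and not midPoint's code, of what midPoint's default PolyString normalizer is documented to do (strip diacritics, lowercase, collapse whitespace, drop characters that are not letters, digits, underscore or whitespace). Run over constructed sample uids it shows why names that differ only by a dash or dot compare equal under normalized matching, and that comparing on the `orig` value keeps them apart. The exact normalizer steps are an assumption taken from the documentation; the sample names are constructed.

```python
import re
import unicodedata

# Assumption: this reproduces the documented behaviour of midPoint's default
# AlphanumericPolyStringNormalizer. It is a constructed model, not midPoint code.
NON_WORD = re.compile(r"[^\w\s]")


def polystring_norm(orig: str) -> str:
    """Return the normalized ('norm') form of a PolyString for a given 'orig'."""
    # 1. decompose, then drop combining marks (removes diacritics: é -> e)
    decomposed = unicodedata.normalize("NFD", orig)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    # 2. lowercase
    lowered = stripped.lower()
    # 3. drop everything that is not a word character or whitespace:
    #    this is the step where '-' and '.' disappear
    alnum = NON_WORD.sub("", lowered)
    # 4. collapse whitespace runs to one space and trim
    return re.sub(r"\s+", " ", alnum).strip()


def matches(a: str, b: str, rule: str = "polyStringNorm") -> bool:
    """Compare two names under a midPoint-style matching rule name.

    polyStringNorm compares normalized forms (the default, collision-prone),
    polyStringOrig compares the original strings exactly.
    """
    if rule == "polyStringOrig":
        return a == b
    if rule == "polyStringNorm":
        return polystring_norm(a) == polystring_norm(b)
    raise ValueError(f"unknown matching rule: {rule}")


def find_collisions(names):
    """Group names by normalized form; return only groups with more than one orig.

    Useful as a pre-import check: every group returned here is a set of LDAP
    entries that midPoint would treat as the same name under normalized matching.
    """
    groups = {}
    for name in names:
        groups.setdefault(polystring_norm(name), set()).add(name)
    return {norm: sorted(origs) for norm, origs in groups.items() if len(origs) > 1}


# Constructed sample uids, not taken from any real directory.
SAMPLE_UIDS = [
    "jean.dupont", "jean-dupont", "Jean Dupont", "jeandupont",
    "éric.martin", "eric.martin", "alice",
]

if __name__ == "__main__":
    for norm, origs in find_collisions(SAMPLE_UIDS).items():
        print(f"norm {norm!r} is shared by: {origs}")
    print("jean-dupont vs jean.dupont, norm :", matches("jean-dupont", "jean.dupont"))
    print("jean-dupont vs jean.dupont, orig :",
          matches("jean-dupont", "jean.dupont", rule="polyStringOrig"))
```

Running `find_collisions` over a directory export before the import task is a cheap way to find the entries that will be skipped or mis-correlated; the fix is then either a correlation filter that uses the exact matching rule, as the question already tries, or a different, collision-free identifier (a DN or an entryUUID) as the correlation key.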