[midPoint] Question about group membership management in midpoint
David Coutadeur
david.coutadeur at gmail.com
Thu Aug 31 11:58:30 CEST 2023
Hi,
Thank you very much for your pointer!
I'm checking this.
Regards,
On 29/08/2023 at 13:47, Arnošt Starosta wrote:
> Hi David,
>
> regarding LDAP group membership - you may be missing the necessary
> association configuration typically found in a metarole, please check
> the docs or even better some examples in the sources like this one
>
> https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31
>
> arnost
>
> Arnošt Starosta
> solution architect
>
> gsm: [+420] 603 794 932
> e-mail: arnost.starosta at ami.cz <mailto:arnost.starosta at ami.cz>
>
>
> AMI Praha a.s.
> Pernerova 697/35, 186 00 Praha 8
>
> reception: [+420] 604 444 848 | web: www.ami.cz <https://www.ami.cz/>
>
> By the text of this e-mail the signatory neither promises to conclude nor
> concludes any contract on behalf of AMI Praha a.s. Any contract, if
> concluded, must be exclusively in written form.
>
> This e-mail is intended solely for the needs of its addressee(s) and may
> contain confidential or personal information. If you are not the intended
> recipient, any disclosure, forwarding or other use of this information is
> prohibited. If you have received this e-mail without authorisation, please
> inform the sender and immediately delete all copies of this e-mail,
> including all of its attachments. By handling information obtained without
> authorisation you expose yourself to the risk of legal action.
> ------------------------------------------------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
> David Coutadeur via midPoint <midpoint at lists.evolveum.com>
> *Sent:* Monday, August 28, 2023 4:13 PM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Cc:* David Coutadeur <david.coutadeur at gmail.com>
> *Subject:* [midPoint] Question about group membership management in
> midpoint
>
> Hello,
>
> I am working on an OpenLDAP integration with midPoint.
>
> It starts working, but I have two questions:
>
>
> 1/ I have imported OpenLDAP groups into midpoint roles. But I can't
> figure out how to manage role membership. I'd like to be able to
> read/write role members in midpoint so that they keep synchronized in
> LDAP.
>
> You can see my openldap-resource definition attached.
>
> Please notice that LDAP group membership is already visible in midpoint
> users. If I look at account shadows, I can observe shadow group
> membership. But I can't manage the membership from here.
>
> Does anyone know how to do this? Is there a better approach for managing
> group membership in midpoint?
>
>
>
> 2/ some LDAP users are not imported in midPoint when their names are too
> close to existing users. For example when their names contain a dash.
>
> I have understood that this is due to the comparison rule based on
> PolyString type. I have tried multiple rules:
>
> <q:path>name</q:path>
> <q:matching>polyStringOrig</q:matching>
>
> but I can't find any that compares the strings directly, without
> normalization. Do you know what I have missed?
>
>
> Also, the openldap-resource I am working on is more complete than those
> in the docs. Would you be interested to include it? Do you accept
> contributions?
>
>
> Thanks in advance for your help!
>
> Regards,
>
> --
> David Coutadeur | IAM integrator
>
> david.coutadeur at worteks.com
> +33 7 88 46 85 34
> 16 avenue Hoche, Paris 75008
>
> Worteks | https://www.worteks.com
--
David Coutadeur | IAM integrator
david.coutadeur at worteks.com
+33 7 88 46 85 34
16 avenue Hoche, Paris 75008
Worteks | https://www.worteks.com
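For readers following this thread: the configuration Arnošt's reply points to has two halves, an `association` on the account object type in the resource's `schemaHandling` (so midPoint knows that `member` on a `groupOfNames` entry refers to an account's `dn`), and a metarole whose inducement builds that association for every role that has the metarole assigned. The fragments below are an added illustration written for this archive page, not the linked midpoint-samples file and not David's attached resource; the resource OID, the `ri:ldapGroup` association name, the `ldapGroup` intent and the object classes are assumptions to be replaced with your own values.

```xml
<!-- Fragment 1: inside <schemaHandling> of the OpenLDAP resource (example values). -->
<objectType>
  <kind>account</kind>
  <intent>default</intent>
  <default>true</default>
  <objectClass>ri:inetOrgPerson</objectClass>
  <association>
    <ref>ri:ldapGroup</ref>                      <!-- assumed association name -->
    <displayName>LDAP group membership</displayName>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>                   <!-- must match the entitlement type below -->
    <direction>objectToSubject</direction>       <!-- the group entry lists its members -->
    <associationAttribute>ri:member</associationAttribute>   <!-- attribute on the group -->
    <valueAttribute>ri:dn</valueAttribute>                   <!-- account attribute it holds -->
    <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
  </association>
</objectType>
<objectType>
  <kind>entitlement</kind>
  <intent>ldapGroup</intent>
  <objectClass>ri:groupOfNames</objectClass>
</objectType>

<!-- Fragment 2: the metarole assigned to each imported group role (example). -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>LDAP group metarole</name>
  <!-- Order 1 (default): the role itself is projected as the group entry. -->
  <inducement>
    <construction>
      <resourceRef oid="REPLACE-WITH-RESOURCE-OID" type="ResourceType"/>
      <kind>entitlement</kind>
      <intent>ldapGroup</intent>
    </construction>
  </inducement>
  <!-- Order 2: users holding the role get their account linked to that group. -->
  <inducement>
    <construction>
      <resourceRef oid="REPLACE-WITH-RESOURCE-OID" type="ResourceType"/>
      <kind>account</kind>
      <association>
        <ref>ri:ldapGroup</ref>
        <outbound>
          <expression>
            <associationFromLink>
              <projectionDiscriminator>
                <kind>entitlement</kind>
                <intent>ldapGroup</intent>
              </projectionDiscriminator>
            </associationFromLink>
          </expression>
        </outbound>
      </association>
    </construction>
    <order>2</order>
  </inducement>
</role>
```

With both halves in place, assigning a group role to a user is what writes the `member` value in LDAP, and unassigning it removes the value; membership seen only on the account shadow, as David describes, is the read-only view you get before the association is defined.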