[midPoint] Question about group membership management in midpoint

Thu Aug 31 11:58:30 CEST 2023

Hi,

Thank you very much for your pointer!

I'am checking this.

Regards,

Le 29/08/2023 à 13:47, Arnošt Starosta a écrit :
> Hi David,
>
> regarding ldap group membership  - you may be missing the necessary 
> association configuration typically found in a metarole, please check 
> the docs or even better some examples in the sources like this one
>
> https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31
>
> arnost
>
> Arnošt Starosta
> solution architect
>
> gsm: [+420] 603 794 932
> e-mail: arnost.starosta at ami.cz <mailto:arnost.starosta at ami.cz>
>
>
> AMI Praha a.s.
> Pernerova 697/35, 186 00 Praha 8
>
> recepce: [+420] 604 444 848 | web: www.ami.cz <https://www.ami.cz/>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá 
> za společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít 
> výhradně písemnou formu.
>
> Tento e-mail je určen výhradně pro potřeby jeho adresáta/ů a může 
> obsahovat důvěrné nebo osobní
> informace. Nejste-li zamýšleným příjemcem, je zakázáno jakékoliv 
> zveřejňování, zprostředkování
> nebo jiné použití těchto informací. Pokud jste obdrželi e-mail 
> neoprávněně, informujte o tom prosím
> odesílatele a vymažte neprodleně všechny kopie tohoto e-mailu včetně 
> všech jeho příloh. Nakládáním
> s neoprávněně získanými informacemi se vystavujete riziku právního 
> postihu.
> ------------------------------------------------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of 
> David Coutadeur via midPoint <midpoint at lists.evolveum.com>
> *Sent:* Monday, August 28, 2023 4:13 PM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Cc:* David Coutadeur <david.coutadeur at gmail.com>
> *Subject:* [midPoint] Question about group membership management in 
> midpoint
>
> Hello,
>
> I am working on an Openldap integration with midpoint.
>
> It starts working, but I have two questions:
>
>
> 1/ I have imported OpenLDAP groups into midpoint roles. But I can't
> figure out how to manage role membership. I'd like to be able to
> read/write role members in midpoint so that they keep synchronized in 
> LDAP.
>
> You can see my openldap-resource definition attached.
>
> Please notice that LDAP group membership is already visible in midpoint
> users. If I look at account shadows, I can observe shadow group
> membership. But I can't manage the membership from here.
>
> Does anyone know how to do this? Is there a better approach for managing
> group membership in midpoint?
>
>
>
> 2/ some LDAP users are not imported in midpoint when their names are too
> close to existing users. For example when their name contain a dash.
>
> I have understood that this is due to the comparison rule based on
> PolyString type. I have tried multiple rules:
>
>                          <q:path>name</q:path>
> <q:matching>polyStringOrig</q:matching>
>
> but I can't find any one that compares directly the strings, without
> normalization. Do you know what I have missed?
>
>
> Also, the openldap-resource I am working on is more complete that those
> in the docs. Would you be interrested to include it? Do you accept
> contributions?
>
>
> Thanks in advance for your help!
>
> Regards,
>
> -- 
> David Coutadeur | IAM integrator
>
> david.coutadeur at worteks.com
> +33 7 88 46 85 34
> 16 avenue Hoche, Paris 75008
>
> Worteks | https://www.worteks.com

-- 
David Coutadeur | IAM integrator

david.coutadeur at worteks.com
+33 7 88 46 85 34
16 avenue Hoche, Paris 75008

Worteks |https://www.worteks.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20230831/f0ab469a/attachment.htm>