[midPoint] Weak construction and associations support for AD computers

Yakov Revyakin yrevyakin at gmail.com
Mon Feb 27 15:45:40 CET 2023


Hi Ivan,
Thank you for the answer.
I checked weak construction for associations in another project and it
works, at least for another resource (Keycloak).
Currently I have no idea what is the cause.
I will create a simplified project with AD and test again.


On Mon, 27 Feb 2023 at 10:11, Ivan Noris via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hi,
>
> I was certainly using weak constructions with associations.
>
> The following is a fragment from metarole from our Advanced training
> (4.0-based, but I tested it on 4.4.x).
>
> Resource is OpenLDAP (not AD).
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6">
>     <name>LDAP Org Group Metarole</name>
>     <description>If assigning this metarole, organization name (numeric)
> prefixed with 'org-' will be used for group name.</description>
>     <inducement>
>         <description>Inducement to create a group as a projection of
> midPoint organization</description>
>         <construction>
>             <description>Creates an object (group) for
> organization</description>
>             <resourceRef oid="3961ffc8-2209-11e8-8018-7738b0ea3fa2"
> type="c:ResourceType"/>
>             <kind>entitlement</kind>
>             <intent>ldapOrgGroup</intent>
>         </construction>
>     </inducement>
>     <inducement>
>         <description>Inducement to create an account as a projection of
> user having assigned an organization with this metarole.</description>
>         <construction>
>             <description>Creates an account for user, and associates with
> group created for the organization assigned to the user.</description>
>             <resourceRef oid="3961ffc8-2209-11e8-8018-7738b0ea3fa2"
> type="c:ResourceType"/>
>             <kind>account</kind>
>             <intent>default</intent>
>             <association>
>                 <ref>ri:ldapOrgGroup</ref>
>                 <outbound>
>                     <strength>strong</strength>
>                     <source>
>                         <path>$focusAssignment/targetRef</path>
>                         <!-- XXX to get relation -->
>                     </source>
>                     <expression>
>                         <associationFromLink>
>                             <projectionDiscriminator>
>                                 <kind>entitlement</kind>
>                                 <intent>ldapOrgGroup</intent>
>                             </projectionDiscriminator>
>                         </associationFromLink>
>                     </expression>
>                 </outbound>
>             </association>
>             <strength>weak</strength>
>             <!-- Will not create account unless it already exists -->
>         </construction>
>         <order>2</order>
>         <focusType>UserType</focusType>
>     </inducement>
> </role>
>
> Hope this helps. If it does not work with newer midPoint, either there is
> something different in the configuration since then (I doubt it) or you
> have encountered a regression bug.
>
> Best regards,
>
> Ivan
> On 26. 2. 2023 22:16, Yakov Revyakin via midPoint wrote:
>
> As I understood, there is no chance to add an association via a weak
> construction. We can modify plain attributes using this type of
> construction, but it doesn't cover associations, even when the association
> mapping is strong. We can't even see an indirect resource assignment among
> the assignments.
> This is a bit strange.
>
>
> On Fri, 24 Feb 2023 at 08:56, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>
>> I use mp4.4.3
>> I have metarole-role assign/revoke working for AD user accounts. I have
>> no specific logic in the group object definition.
>> I also checked my case with the outbound mapping for associations set to
>> strong. Nothing happens.
>> Some posts ago I could see that weak construction with associations
>> working for someone - "LDAP Role not unassigned when validTo is reached".
>> He used mp4.6. Can it be the cause?
>>
>>
>> On Thu, 23 Feb 2023 at 23:12, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>>
>>> Hi again,
>>> I'm trying to apply weak construction described here
>>>
>>> https://docs.evolveum.com/midpoint/reference/roles-policies/assignment/configuration/#strong-and-weak-constructions
>>> for AD computer objects.
>>> I simply sync existing computer objects linking them with a user and
>>> after that apply some policies on them. The solution must work only with
>>> existing objects. So, computer creation/deletion is forbidden.
>>>
>>> The first policy is to control a computer's DN - this works fine.
>>> The second is to add the computer to a group applying role+metarole to a
>>> user who owns this computer.
>>>
>>> I'm not sure how to arrange this. I write a weak construction with
>>> association but I can't see any influence on computer membership. Could you
>>> help to complete this task?
>>>
>>> My meta-role computer's groups:
>>>
>>> <role>
>>>     <name>Meta IT Computer</name>
>>>     <costCenter>managed</costCenter>
>>>     <inducement>
>>>         <construction>
>>>             <strength>weak</strength>
>>>             <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" relation="org:default" type="c:ResourceType"/>
>>>             <kind>account</kind>
>>>             <intent>computer</intent>
>>>             <association>
>>>                 <ref>ri:group</ref>
>>>                 <outbound>
>>>                     <authoritative>true</authoritative>
>>>                     <expression>
>>>                         <associationFromLink>
>>>                             <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>>>                                 <kind>entitlement</kind>
>>>                                 <intent>group</intent>
>>>                             </projectionDiscriminator>
>>>                         </associationFromLink>
>>>                     </expression>
>>>                 </outbound>
>>>             </association>
>>>         </construction>
>>>         <order>2</order>
>>>         <focusType>UserType</focusType>
>>>     </inducement>
>>> </role>
>>>
>>>
>>>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Expert Identity Engineer
> evolveum.com
>
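As an added illustration (not code from the thread or from midPoint), the helper below parses a midPoint role and reports, per construction, the construction strength and each association's outbound mapping strength, including the values that are only implicit in the XML. The sample role is the "Meta IT Computer" metarole from the thread with the namespace declarations it needs to parse stand-alone added as an assumption.

```python
# Hypothetical helper for this thread: summarise a midPoint role's constructions.
import xml.etree.ElementTree as ET

COMMON_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": COMMON_NS}

# Constructed input: the thread's "Meta IT Computer" metarole, with namespace
# declarations added so it parses stand-alone (the posted fragment omitted them).
META_IT_COMPUTER = f"""<role xmlns="{COMMON_NS}" xmlns:c="{COMMON_NS}"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>Meta IT Computer</name>
  <inducement><construction>
    <strength>weak</strength>
    <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" type="c:ResourceType"/>
    <kind>account</kind><intent>computer</intent>
    <association><ref>ri:group</ref><outbound>
      <authoritative>true</authoritative>
      <expression><associationFromLink>
        <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
          <kind>entitlement</kind><intent>group</intent>
        </projectionDiscriminator>
      </associationFromLink></expression>
    </outbound></association>
  </construction><order>2</order><focusType>UserType</focusType></inducement>
</role>"""


def summarise_constructions(role_xml):
    """One dict per <construction>: kind, intent, construction strength (midPoint
    default: strong) and each association's outbound mapping strength (mapping
    default: normal) plus whether the mapping declares a <source>."""
    root = ET.fromstring(role_xml)
    summary = []
    for cons in root.iter(f"{{{COMMON_NS}}}construction"):
        assocs = []
        for assoc in cons.findall("c:association", NS):
            out = assoc.find("c:outbound", NS)
            assocs.append({
                "ref": assoc.findtext("c:ref", namespaces=NS),
                "outbound_strength": None if out is None else
                    out.findtext("c:strength", default="normal", namespaces=NS),
                "has_source": out is not None and out.find("c:source", NS) is not None,
            })
        summary.append({
            "kind": cons.findtext("c:kind", namespaces=NS),
            "intent": cons.findtext("c:intent", namespaces=NS),
            "strength": cons.findtext("c:strength", default="strong", namespaces=NS),
            "associations": assocs,
        })
    return summary
```

Run on the sample, the report shows the construction as weak and the association's outbound mapping as normal with no source, whereas the working OpenLDAP metarole quoted above declares a strong outbound mapping with a `$focusAssignment/targetRef` source; that is the structural difference worth checking before suspecting a regression.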