[midPoint] associationTargetSearch + createOnDemand Possible? How to?

Tue Feb 28 00:43:58 CET 2023

Hello list,

I’m attempting to use createOnDemand with associationTargetSearch with Active Directory groups, is this possible?
I have not seen any example or documentation on this.

The associationTargetSearch works if the group exists, but I cannot seem to create a group with createOnDemand.
I’ve created roles with createOnDemand with no problem, but since this is a resource object, is this supported? According to the schema, it should.

I’m getting this error, there is a single populateItem trying to write do the DN attribute:

Error evaluating mapping for association {.../resource/instance-3}group in construction for (resource:xxxx(AD)/ACCOUNT/default/null) in role:xxx(Metarole): No target item that would conform to the path attributes/dn in expression in mapping in outbound mapping for association

I have tried “dn”, “ri:dn”, “attributes/ri:dn”  on the <path> element, none of them worked.

My code:
<associationTargetSearch>
    <filter>
        <q:equal>
            <q:path>attributes/ri:dn</q:path>
            <expression>
                <script>
                    <code>
                        // my logic here
                    </code>
                </script>
            </expression>
        </q:equal>
    </filter>
    <searchStrategy>onResourceIfNeeded</searchStrategy>
    <createOnDemand>true</createOnDemand>
    <populateObject>
        <populateItem>
            <expression>
                <script>
                    <code>
                        // my logic here
                    </code>
                </script>
            </expression>
            <target>
                <path>attributes/dn</path>
            </target>
        </populateItem>
    </populateObject>
</associationTargetSearch>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20230227/56019999/attachment.htm>