[midPoint] Weak construction and associations support for AD computers

Yakov Revyakin yrevyakin at gmail.com
Thu Mar 2 19:25:43 CET 2023


Hi again,

I have found the cause.
As I said in the beginning, I am trying to apply the role to a user's AD
computer accounts.
There is a requirement that a user can have more than one computer. So,
multiplicity is in place.
I have found that weak construction stops working as soon as I add
multiplicity support for computers.

Is there any way to overcome this problem?



On Mon, 27 Feb 2023 at 16:45, Yakov Revyakin <yrevyakin at gmail.com> wrote:

> Hi Ivan,
> Thank you for the answer.
> I checked weak construction for associations in another project and it
> works, at least for another resource (Keycloak).
> Currently I have no idea what the cause is.
> I will create a simplified project with AD and test again.
>
>
> On Mon, 27 Feb 2023 at 10:11, Ivan Noris via midPoint <
> midpoint at lists.evolveum.com> wrote:
>
>> Hi,
>>
>> I was certainly using weak constructions with associations.
>>
>> The following is a fragment from metarole from our Advanced training
>> (4.0-based, but I tested it on 4.4.x).
>>
>> Resource is OpenLDAP (not AD).
>>
>> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>       oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6">
>>     <name>LDAP Org Group Metarole</name>
>>     <description>If assigning this metarole, organization name (numeric)
>> prefixed with 'org-' will be used for group name.</description>
>>     <inducement>
>>         <description>Inducement to create a group as a projection of
>> midPoint organization</description>
>>         <construction>
>>             <description>Creates an object (group) for
>> organization</description>
>>             <resourceRef oid="3961ffc8-2209-11e8-8018-7738b0ea3fa2"
>> type="c:ResourceType"/>
>>             <kind>entitlement</kind>
>>             <intent>ldapOrgGroup</intent>
>>         </construction>
>>     </inducement>
>>     <inducement>
>>         <description>Inducement to create an account as a projection of
>> user having assigned an organization with this metarole.</description>
>>         <construction>
>>             <description>Creates an account for user, and associates with
>> group created for the organization assigned to the user.</description>
>>             <resourceRef oid="3961ffc8-2209-11e8-8018-7738b0ea3fa2"
>> type="c:ResourceType"/>
>>             <kind>account</kind>
>>             <intent>default</intent>
>>             <association>
>>                 <ref>ri:ldapOrgGroup</ref>
>>                 <outbound>
>>                     <strength>strong</strength>
>>                     <source>
>>                         <path>$focusAssignment/targetRef</path>
>>                         <!-- XXX to get relation -->
>>                     </source>
>>                     <expression>
>>                         <associationFromLink>
>>                             <projectionDiscriminator>
>>                                 <kind>entitlement</kind>
>>                                 <intent>ldapOrgGroup</intent>
>>                             </projectionDiscriminator>
>>                         </associationFromLink>
>>                     </expression>
>>                 </outbound>
>>             </association>
>>             <strength>weak</strength>
>>             <!-- Will not create account unless it already exists -->
>>         </construction>
>>         <order>2</order>
>>         <focusType>UserType</focusType>
>>     </inducement>
>> </role>
>>
>> Hope this helps. If it does not work with newer midPoint, either there is
>> something different in the configuration since then (I doubt it) or you
>> have encountered a regression bug.
>>
>> Best regards,
>>
>> Ivan
>> On 26. 2. 2023 22:16, Yakov Revyakin via midPoint wrote:
>>
>> As I understood there is no chance to add association via weak
>> construction. We can modify plain attributes using this type of
>> construction but it doesn't cover associations. Even association mapping is
>> strong. We even can't see an indirect resource assignment among
>> assignments.
>> This is a bit strange.
>>
>>
>> On Fri, 24 Feb 2023 at 08:56, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>>
>>> I use mp4.4.3.
>>> I have metarole-role assign/revoke working for AD user accounts. I don't
>>> have any specific logic in the group object definition.
>>> I also checked my case with outbound mapping for associations set to
>>> strong. Nothing happens.
>>> Some posts ago I could see that weak construction with associations
>>> was working for someone - "LDAP Role not unassigned when validTo is reached".
>>> He used mp4.6. Can it be the cause?
>>>
>>>
>>> On Thu, 23 Feb 2023 at 23:12, Yakov Revyakin <yrevyakin at gmail.com>
>>> wrote:
>>>
>>>> Hi again,
>>>> I'm trying to apply weak construction described here
>>>>
>>>> https://docs.evolveum.com/midpoint/reference/roles-policies/assignment/configuration/#strong-and-weak-constructions
>>>> for AD computer objects.
>>>> I simply sync existing computer objects linking them with a user and
>>>> after that apply some policies on them. The solution must work only with
>>>> existing objects. So, computer creation/deletion is forbidden.
>>>>
>>>> The first policy is to control a computer's DN - this works fine.
>>>> The second is to add the computer to a group applying role+metarole to
>>>> a user who owns this computer.
>>>>
>>>> I'm not sure how to arrange this. I write a weak construction with
>>>> association but I can't see any influence on computer membership. Could you
>>>> help to complete this task?
>>>>
>>>> My meta-role computer's groups:
>>>>
>>>> <role>
>>>>     <name>Meta IT Computer</name>
>>>>     <costCenter>managed</costCenter>
>>>>     <inducement>
>>>>         <construction>
>>>>             <strength>weak</strength>
>>>>             <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" relation="org:default" type="c:ResourceType"/>
>>>>             <kind>account</kind>
>>>>             <intent>computer</intent>
>>>>             <association>
>>>>                 <ref>ri:group</ref>
>>>>                 <outbound>
>>>>                     <authoritative>true</authoritative>
>>>>                     <expression>
>>>>                         <associationFromLink>
>>>>                             <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>>>>                                 <kind>entitlement</kind>
>>>>                                 <intent>group</intent>
>>>>                             </projectionDiscriminator>
>>>>                         </associationFromLink>
>>>>                     </expression>
>>>>                 </outbound>
>>>>             </association>
>>>>         </construction>
>>>>         <order>2</order>
>>>>         <focusType>UserType</focusType>
>>>>     </inducement>
>>>> </role>
>>>>
>>>>
>>>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ivan Noris
>> Expert Identity Engineer
>> evolveum.com
>>
>>
>
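
When comparing a metarole that works with one that does not, as this thread does, it helps to list each inducement's order, construction strength and association mapping strength side by side. The script below is an added example, not code from the posts or from midPoint; the function names and the sample role are constructed, and it assumes the role declares the common-3 default namespace as in Ivan's fragment.

```python
import xml.etree.ElementTree as ET

# Namespace used by the <role> documents quoted in this thread.
C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"

# Constructed sample role (not a real export), shaped like the quoted metaroles.
SAMPLE_ROLE = f"""<role xmlns="{C}"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>Sample Computer Metarole</name>
  <inducement>
    <construction>
      <strength>weak</strength>
      <kind>account</kind>
      <intent>computer</intent>
      <association>
        <ref>ri:group</ref>
        <outbound><expression><associationFromLink/></expression></outbound>
      </association>
    </construction>
    <order>2</order>
  </inducement>
</role>"""

def child_text(elem, tag):
    """Text of a direct child in the common-3 namespace, or 'unset' if absent."""
    child = elem.find(f"{{{C}}}{tag}") if elem is not None else None
    return child.text.strip() if child is not None and child.text else "unset"

def summarize_constructions(role_xml):
    """Return one dict per inducement that carries a <construction>."""
    rows = []
    for ind in ET.fromstring(role_xml).iter(f"{{{C}}}inducement"):
        con = ind.find(f"{{{C}}}construction")
        if con is None:
            continue
        # Pair each association ref with the strength of its outbound mapping.
        assocs = [(child_text(a, "ref"), child_text(a.find(f"{{{C}}}outbound"), "strength"))
                  for a in con.findall(f"{{{C}}}association")]
        rows.append({"order": child_text(ind, "order"),
                     "kind": child_text(con, "kind"),
                     "intent": child_text(con, "intent"),
                     "construction_strength": child_text(con, "strength"),
                     "associations": assocs})
    return rows

if __name__ == "__main__":
    for row in summarize_constructions(SAMPLE_ROLE):
        print(row)
```

A value of `unset` means the element is absent from the role, so midPoint's default for that setting applies.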