[midPoint] associationTargetSearch + createOnDemand Possible? How to?

Alcides Moraes alcides.neto at gmail.com
Mon Mar 6 23:22:40 CET 2023


Following up on this, I'm still not able to createOnDemand with associationTargetSearch.

So I decided to replace this with an assignmentTargetSearch with createOnDemand role in midPoint that maps to the group in AD.
But doing this, I faced another problem.

This assignment is created in an inbound mapping from another resource, so it’s a secondary change.
Doing this, the association to the AD group is not done until I recompute the user again.
This wouldn’t be such a problem if the assignment removal worked, however it does not.
If the inbound mapping removes this assignment, the group association is not removed, even after recomputing.

If the assignment is created and removed manually directly in midpoint, it works fine.

Here’s what I’m trying to achieve:

Inbound mapping from Resource A creates user assignment to a role, with some context value on it

User —context:999—> Role R

I want this to map to an AD group R_999

so first I tried with associationTargetSearch and createOnDemand, could not make it work.
(context values are not fixed, I need to create on demand)

So I tried this

User —context:999 —> Role R —> focusMapping assignmentTargetSearch createOnDemand —> Role R_999 —> AD group R_999

This does not ‘finish’, it stops at Role R_999 creation and assignment, but the association is not made. I guess it’s too long a chain of events for midpoint.
Since the context is dynamic, I cannot create beforehand the groups. 
Is there a better way to achieve this?


Thanks in advance for any help on this

> On 27 Feb 2023, at 20:43, Alcides Moraes <alcides.neto at gmail.com> wrote:
> 
> Hello list,
> 
> I’m attempting to use createOnDemand with associationTargetSearch with Active Directory groups, is this possible?
> I have not seen any example or documentation on this.
> 
> The associationTargetSearch works if the group exists, but I cannot seem to create a group with createOnDemand.
> I’ve created roles with createOnDemand with no problem, but since this is a resource object, is this supported? According to the schema, it should.
> 
> I’m getting this error, there is a single populateItem trying to write to the DN attribute:
> 
> Error evaluating mapping for association {.../resource/instance-3}group in construction for (resource:xxxx(AD)/ACCOUNT/default/null) in role:xxx(Metarole): No target item that would conform to the path attributes/dn in expression in mapping in outbound mapping for association
> 
> I have tried “dn”, “ri:dn”, “attributes/ri:dn”  on the <path> element, none of them worked.
> 
> My code:
> <associationTargetSearch>
>     <filter>
>         <q:equal>
>             <q:path>attributes/ri:dn</q:path>
>             <expression>
>                 <script>
>                     <code>
>                         // my logic here
>                     </code>
>                 </script>
>             </expression>
>         </q:equal>
>     </filter>
>     <searchStrategy>onResourceIfNeeded</searchStrategy>
>     <createOnDemand>true</createOnDemand>
>     <populateObject>
>         <populateItem>
>             <expression>
>                 <script>
>                     <code>
>                         // my logic here
>                     </code>
>                 </script>
>             </expression>
>             <target>
>                 <path>attributes/dn</path>
>             </target>
>         </populateItem>
>     </populateObject>
> </associationTargetSearch>
> 
> 
