[midPoint] Question about group membership management in midpoint

David Coutadeur david.coutadeur at gmail.com
Fri Sep 1 17:45:13 CEST 2023


Hello,


Thanks Arnošt for your help.


Actually, I am not sure the metarole is what I want, and did not find 
any tip in the documentation. (I have been searching for associations, 
inducements, assignments,...)


The documentation states that group membership defined by an association 
like:


    <association>
        <ref>ri:ldapGroup</ref>
        <displayName>Appartenance aux groupes</displayName>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>
    </association>



is only visible in projections.

It is not very convenient to view these groups in the midpoint 
interface. And anyway it doesn't seem possible to manage group 
membership there.


My use case is quite simple: I'd like to have objects in the midpoint 
interface that represent my LDAP groups, and to be able to manage them 
(including their membership).


LDAP user 1  <-> midpoint shadow account <-> midpoint user
    ^                                            ^
    |                                            |
    v                                            v
LDAP group 1 <-> midpoint shadow group   <-> midpoint object (role?)



Does anyone have an idea how to achieve this? Maybe role is not the 
correct object?


Regards,




On 29/08/2023 at 13:47, Arnošt Starosta wrote:
> Hi David,
>
> regarding ldap group membership  - you may be missing the necessary 
> association configuration typically found in a metarole, please check 
> the docs or even better some examples in the sources like this one
>
> https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31
>
> arnost
>
> Arnošt Starosta
> solution architect
>
> gsm: [+420] 603 794 932
> e-mail: arnost.starosta at ami.cz <mailto:arnost.starosta at ami.cz>
>
>
> AMI Praha a.s.
> Pernerova 697/35, 186 00 Praha 8
>
> reception: [+420] 604 444 848 | web: www.ami.cz <https://www.ami.cz/>
>
> By the text of this e-mail the signatory neither promises to conclude 
> nor concludes any contract on behalf of AMI Praha a.s.
> Any contract, if concluded, must be exclusively in written form.
>
> This e-mail is intended solely for its addressee(s) and may contain 
> confidential or personal information.
> If you are not the intended recipient, any disclosure, distribution 
> or other use of this information is prohibited.
> If you have received this e-mail in error, please inform the sender 
> and delete all copies of this e-mail including all its attachments 
> without delay.
> Handling information obtained without authorization exposes you to 
> the risk of legal action.
> ------------------------------------------------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of 
> David Coutadeur via midPoint <midpoint at lists.evolveum.com>
> *Sent:* Monday, August 28, 2023 4:13 PM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Cc:* David Coutadeur <david.coutadeur at gmail.com>
> *Subject:* [midPoint] Question about group membership management in 
> midpoint
>
> Hello,
>
> I am working on an OpenLDAP integration with midpoint.
>
> It starts working, but I have two questions:
>
>
> 1/ I have imported OpenLDAP groups into midpoint roles. But I can't
> figure out how to manage role membership. I'd like to be able to
> read/write role members in midpoint so that they keep synchronized in 
> LDAP.
>
> You can see my openldap-resource definition attached.
>
> Please notice that LDAP group membership is already visible in midpoint
> users. If I look at account shadows, I can observe shadow group
> membership. But I can't manage the membership from here.
>
> Does anyone know how to do this? Is there a better approach for managing
> group membership in midpoint?
>
>
>
> 2/ some LDAP users are not imported in midpoint when their names are too
> close to existing users. For example, when their names contain a dash.
>
> I have understood that this is due to the comparison rule based on
> PolyString type. I have tried multiple rules:
>
>     <q:path>name</q:path>
>     <q:matching>polyStringOrig</q:matching>
>
> but I can't find any one that compares directly the strings, without
> normalization. Do you know what I have missed?
>
>
> Also, the openldap-resource I am working on is more complete than those
> in the docs. Would you be interested to include it? Do you accept
> contributions?
>
>
> Thanks in advance for your help!
>
> Regards,
>
> -- 
> David Coutadeur | IAM integrator
>
> david.coutadeur at worteks.com
> +33 7 88 46 85 34
> 16 avenue Hoche, Paris 75008
>
> Worteks | https://www.worteks.com

-- 
David Coutadeur | IAM integrator

david.coutadeur at worteks.com
+33 7 88 46 85 34
16 avenue Hoche, Paris 75008

Worteks | https://www.worteks.com
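An illustration of the metarole pattern Arnošt points to, added here as an example; it is not code from this thread, from midpoint-samples, or from Evolveum. It shows one way to get the "midpoint object (role?)" that David's diagram asks for: a metarole which, when assigned to an ordinary midPoint role, (1) gives that role an LDAP group entitlement projection and (2) gives every user holding the role the `ri:ldapGroup` association, so midPoint writes the user's DN into the group's `member` attribute. The association name `ri:ldapGroup` and the entitlement intent `ldapGroup` are taken from the association definition quoted above; the resource OID, the metarole OID, the account intent `default`, the namespace declarations and the `ri:cn` mapping from the role name are assumptions.

```xml
<!-- Added example, not from the thread or from midpoint-samples.
     Assumed: placeholder OIDs, account intent "default",
     group cn derived from the role name. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="PLACEHOLDER-METAROLE-OID">
    <name>LDAP Group Metarole</name>

    <!-- Inducement 1 (order 1, the default): applies to the role that has
         this metarole assigned. The role gets an entitlement projection
         (kind entitlement, intent ldapGroup), i.e. an LDAP group shadow
         is created or linked for the role itself. -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-OPENLDAP-RESOURCE-OID" type="c:ResourceType"/>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <attribute>
                <!-- Assumed mapping: the group's cn is the role's name. -->
                <ref>ri:cn</ref>
                <outbound>
                    <source>
                        <path>$focus/name</path>
                    </source>
                </outbound>
            </attribute>
        </construction>
    </inducement>

    <!-- Inducement 2 (order 2): applies one step further down, to the users
         who hold the role. Their account construction gets the ri:ldapGroup
         association, whose value is the group shadow linked to the role by
         inducement 1. midPoint then maintains ri:member on the group. -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-OPENLDAP-RESOURCE-OID" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:ldapGroup</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>ldapGroup</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>
```

With this in place, group membership is no longer edited on the projection: assigning a role that carries the metarole to a user adds the user's DN to the group's `member` attribute, and unassigning it removes the DN. Membership changes then go through midPoint's assignment path, so they are subject to the same approval, audit and reconciliation as any other assignment, which is the main reason to prefer this over direct edits of the LDAP group.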