[midPoint] Question about group membership management in midpoint

David Coutadeur david.coutadeur at gmail.com
Sun Sep 3 23:39:14 CEST 2023


Hello Sven,


Many thanks for your help and your pointers.

I'll give a look soon and try to configure this meta-role.


Regards,




On 01/09/2023 at 18:28, Sven Feyerabend via midPoint wrote:
>
> Hello David,
>
>
> Groups in an LDAP directory usually are projections of midPoint roles.
> For a more detailed explanation of the finer points see this blog post:
> https://evolveum.com/simplifying-ldap-group-management-using-midpoint/
>
>
> Usually you have some meta-role(s) that define the nature of the 
> desired projections, then you can manage membership to those groups 
> via role membership in midPoint. The metarole is assigned to all roles 
> that should be present in your directory and defines the properties of 
> the assignment to the resource.
>
>
> I noticed that you have a directory with the gosa schema; as I am 
> currently in the process of migrating from gosa to a midPoint-based 
> system, here is another hint:
> To preserve the delegated administration provided by gosa, I used orgs 
> to model subtrees and some RBAC configuration with roles to allow 
> delegated administration. This is achieved by using the 
> subjectRelation mechanism in the object definition of an authorization 
> for a role.
>
>
> I hope this pointer helps.
>
>
> Kind regards,
>
> Sven
>
>
> On 01.09.23 at 17:45, David Coutadeur via midPoint wrote:
>>
>>
>> Hello,
>>
>>
>> Thanks Arnošt for your help.
>>
>>
>> Actually, I am not sure the metarole is what I want, and did not find 
>> any tip in the documentation. (I have been searching for 
>> associations, inducements, assignments,...)
>>
>>
>> The documentation states that group membership defined by an 
>> association like:
>>
>>
>> <association>
>>     <ref>ri:ldapGroup</ref>
>>     <displayName>Appartenance aux groupes</displayName>
>>     <kind>entitlement</kind>
>>     <intent>ldapGroup</intent>
>>     <direction>objectToSubject</direction>
>>     <associationAttribute>ri:member</associationAttribute>
>>     <valueAttribute>ri:dn</valueAttribute>
>> </association>
>>
>>
>>
>> is only visible in projections.
>>
>> It is not very convenient to view these groups in the midpoint 
>> interface. And anyway it doesn't seem possible to manage group 
>> membership there.
>>
>>
>> My use case is quite simple: I'd like to have objects in the midpoint 
>> interface that represent my LDAP groups, and to be able to manage 
>> them (including their membership).
>>
>>
>> LDAP user 1  <-> midpoint shadow account <-> midpoint user
>>      ^                                            ^
>>      |                                            |
>>      v                                            v
>> LDAP group 1 <-> midpoint shadow group   <-> midpoint object (role?)
>>
>>
>>
>> Does anyone have an idea how to achieve this? Maybe role is not the 
>> correct object?
>>
>>
>> Regards,
>>
>>
>>
>>
>> On 29/08/2023 at 13:47, Arnošt Starosta wrote:
>>> Hi David,
>>>
>>> regarding LDAP group membership - you may be missing the necessary 
>>> association configuration typically found in a metarole, please 
>>> check the docs or even better some examples in the sources like this one
>>>
>>> https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31
>>>
>>> arnost
>>>
>>> Arnošt Starosta
>>> solution architect
>>>
>>> gsm: [+420] 603 794 932
>>> e-mail: arnost.starosta at ami.cz <mailto:arnost.starosta at ami.cz>
>>>
>>>
>>> AMI Praha a.s.
>>> Pernerova 697/35, 186 00 Praha 8
>>>
>>> reception: [+420] 604 444 848 | web: www.ami.cz <https://www.ami.cz/>
>>>
>>> By the text of this e-mail the signatory neither promises to conclude 
>>> nor concludes any contract on behalf of AMI Praha a.s. Any contract, 
>>> if concluded, must be exclusively in written form.
>>>
>>> This e-mail is intended solely for its addressee(s) and may contain 
>>> confidential or personal information. If you are not the intended 
>>> recipient, any disclosure, forwarding or other use of this information 
>>> is prohibited. If you have received this e-mail without authorisation, 
>>> please inform the sender and immediately delete all copies of this 
>>> e-mail including all its attachments. Handling information obtained 
>>> without authorisation exposes you to the risk of legal action.
>>> ------------------------------------------------------------------------
>>> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of 
>>> David Coutadeur via midPoint <midpoint at lists.evolveum.com>
>>> *Sent:* Monday, August 28, 2023 4:13 PM
>>> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>>> *Cc:* David Coutadeur <david.coutadeur at gmail.com>
>>> *Subject:* [midPoint] Question about group membership management in 
>>> midpoint
>>>
>>> Hello,
>>>
>>> I am working on an Openldap integration with midpoint.
>>>
>>> It starts working, but I have two questions:
>>>
>>>
>>> 1/ I have imported OpenLDAP groups into midpoint roles. But I can't
>>> figure out how to manage role membership. I'd like to be able to
>>> read/write role members in midpoint so that they keep synchronized 
>>> in LDAP.
>>>
>>> You can see my openldap-resource definition attached.
>>>
>>> Please notice that LDAP group membership is already visible in midpoint
>>> users. If I look at account shadows, I can observe shadow group
>>> membership. But I can't manage the membership from here.
>>>
>>> Does anyone know how to do this? Is there a better approach for 
>>> managing
>>> group membership in midpoint?
>>>
>>>
>>>
>>> 2/ Some LDAP users are not imported in midpoint when their names are 
>>> too close to existing users, for example when their name contains a 
>>> dash.
>>>
>>> I have understood that this is due to the comparison rule based on
>>> PolyString type. I have tried multiple rules:
>>>
>>> <q:path>name</q:path>
>>> <q:matching>polyStringOrig</q:matching>
>>>
>>> but I can't find any one that compares directly the strings, without
>>> normalization. Do you know what I have missed?
>>>
>>>
>>> Also, the openldap-resource I am working on is more complete than those
>>> in the docs. Would you be interested in including it? Do you accept
>>> contributions?
>>>
>>>
>>> Thanks in advance for your help!
>>>
>>> Regards,
>>>
>>> -- 
>>> David Coutadeur | IAM integrator
>>>
>>> david.coutadeur at worteks.com
>>> +33 7 88 46 85 34
>>> 16 avenue Hoche, Paris 75008
>>>
>>> Worteks | https://www.worteks.com
>> -- 
>> David Coutadeur | IAM integrator
>>
>> david.coutadeur at worteks.com
>> +33 7 88 46 85 34
>> 16 avenue Hoche, Paris 75008
>>
>> Worteks |https://www.worteks.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
> -- 
> Sven Feyerabend
> IT Support Officer (Referent für IT-Betreuung)
> stuvus – Studierendenvertretung Universität Stuttgart
> Pfaffenwaldring 5c
> 70569 Stuttgart
>