[midPoint] Question about group membership management in midpoint

David Coutadeur david.coutadeur at gmail.com
Thu Sep 7 16:43:07 CEST 2023


Hello,


Thanks again for your help. With your pointers, I have successfully 
managed my members and roles from midpoint.


For information, I had to do this:


- import the metarole here: 
https://github.com/Evolveum/midpoint-samples/blob/master/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml


- import the following object template:


<objectTemplate oid="10000000-0000-0000-0000-000000000241"
        xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
        xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
        xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
        xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
        xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">

     <name>Role template</name>

     <!-- Assigns the LDAP-group metarole to every role this template is applied to -->
     <mapping>
         <name>metarole automatic assignment</name>
         <authoritative>true</authoritative>
         <strength>strong</strength>
         <!-- Optional: restrict the mapping to roles of a given subtype -->
         <!--<source>
             <path>subType</path>
         </source>-->
         <expression>
           <value>
             <!-- OID of the imported role-meta-ldapgroup metarole -->
             <targetRef oid="1568ec1e-36cc-11e6-a052-3c970e44b9e2" type="RoleType"/>
           </value>
         </expression>
         <target>
             <path>assignment</path>
         </target>
         <!--<condition>
             <script>
                 <code>subType == 'subtype'</code>
             </script>
         </condition>-->
     </mapping>
</objectTemplate>



- reference the object template in the global system configuration:


     <!-- Apply the template above to every RoleType object -->
     <defaultObjectPolicyConfiguration>
         <objectTemplateRef oid="10000000-0000-0000-0000-000000000241" type="c:ObjectTemplateType"/>
         <type>c:RoleType</type>
     </defaultObjectPolicyConfiguration>



There is still a major problem: when synchronizing from OpenLDAP to 
midpoint, the members are neither created nor updated in the roles.


Do you have an idea why this is not synchronized?

Thanks in advance.



Regards,

David


On 01/09/2023 at 18:28, Sven Feyerabend via midPoint wrote:
>
> Hello David,
>
>
> groups in a LDAP directory usually are projections of midPoint roles.
> For a more detailed explanation of the finer points see this blog post:
> https://evolveum.com/simplifying-ldap-group-management-using-midpoint/
>
>
> Usually you have some meta-role(s) that define the nature of the 
> desired projections, then you can manage membership to those groups 
> via role membership in midPoint. The metarole is assigned to all roles 
> that should be present in your directory and defines the properties of 
> the assignment to the resource.
>
>
> I noticed that you have a directory with gosa schema; as I am 
> currently in the process of migrating from gosa to a midPoint based 
> system, here is another hint:
> To preserve the delegated administration provided by gosa, I used orgs 
> to model subtrees and some RBAC configuration with roles to allow 
> delegated administration. This is achieved by using the 
> subjectRelation mechanism in the object definition of an authorization 
> for a role.
>
>
> I hope this pointer helps.
>
>
> Kind regards,
>
> Sven
>
>
> On 01.09.23 at 17:45, David Coutadeur via midPoint wrote:
>>
>>
>> Hello,
>>
>>
>> Thanks Arnošt for your help.
>>
>>
>> Actually, I am not sure the metarole is what I want, and did not find 
>> any tip in the documentation. (I have been searching for 
>> associations, inducements, assignments,...)
>>
>>
>> The documentation states that group membership defined by an 
>> association like:
>>
>>
>>             <association>
>>                 <ref>ri:ldapGroup</ref>
>>                 <displayName>Appartenance aux groupes</displayName>
>>                 <kind>entitlement</kind>
>>                 <intent>ldapGroup</intent>
>>                 <direction>objectToSubject</direction>
>>                 <associationAttribute>ri:member</associationAttribute>
>>                 <valueAttribute>ri:dn</valueAttribute>
>>             </association>
>>
>>
>>
>> is only visible in projections.
>>
>> It is not very convenient to view these groups in the midpoint 
>> interface. And anyway it doesn't seem possible to manage group 
>> membership there.
>>
>>
>> My use case is quite simple: I'd like to have objects in the midpoint 
>> interface that represents my LDAP groups, and to be able to manage 
>> them. (including their membership)
>>
>>
>> LDAP user 1  <-> midpoint shadow account <-> midpoint user
>>      ^                                             ^
>>      |                                             |
>>      v                                             v
>> LDAP group 1 <-> midpoint shadow group   <-> midpoint object (role?)
>>
>>
>>
>> Does anyone have an idea how to achieve this? Maybe role is not the 
>> correct object?
>>
>>
>> Regards,
>>
>>
>>
>>
>> On 29/08/2023 at 13:47, Arnošt Starosta wrote:
>>> Hi David,
>>>
>>> regarding ldap group membership  - you may be missing the necessary 
>>> association configuration typically found in a metarole, please 
>>> check the docs or even better some examples in the sources like this one
>>>
>>> https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31
>>>
>>> arnost
>>>
>>> Arnošt Starosta
>>> solution architect
>>>
>>> gsm: [+420] 603 794 932
>>> e-mail: arnost.starosta at ami.cz <mailto:arnost.starosta at ami.cz>
>>>
>>>
>>> AMI Praha a.s.
>>> Pernerova 697/35, 186 00 Praha 8
>>>
>>> reception: [+420] 604 444 848 | web: www.ami.cz <https://www.ami.cz/>
>>>
>>> By the text of this e-mail the signatory neither promises to conclude 
>>> nor concludes any contract on behalf of AMI Praha a.s.
>>> Any contract, if concluded, must be exclusively in written form.
>>>
>>> This e-mail is intended solely for its addressee(s) and may contain 
>>> confidential or personal information. If you are not the intended 
>>> recipient, any disclosure, forwarding or other use of this information 
>>> is prohibited. If you have received this e-mail without authorization, 
>>> please inform the sender and immediately delete all copies of this 
>>> e-mail including all its attachments. Handling information obtained 
>>> without authorization exposes you to the risk of legal action.
>>> ------------------------------------------------------------------------
>>> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of 
>>> David Coutadeur via midPoint <midpoint at lists.evolveum.com>
>>> *Sent:* Monday, August 28, 2023 4:13 PM
>>> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>>> *Cc:* David Coutadeur <david.coutadeur at gmail.com>
>>> *Subject:* [midPoint] Question about group membership management in 
>>> midpoint
>>>
>>> Hello,
>>>
>>> I am working on an OpenLDAP integration with midpoint.
>>>
>>> It starts working, but I have two questions:
>>>
>>>
>>> 1/ I have imported OpenLDAP groups into midpoint roles. But I can't
>>> figure out how to manage role membership. I'd like to be able to
>>> read/write role members in midpoint so that they keep synchronized 
>>> in LDAP.
>>>
>>> You can see my openldap-resource definition attached.
>>>
>>> Please notice that LDAP group membership is already visible in midpoint
>>> users. If I look at account shadows, I can observe shadow group
>>> membership. But I can't manage the membership from here.
>>>
>>> Does anyone know how to do this? Is there a better approach for 
>>> managing
>>> group membership in midpoint?
>>>
>>>
>>>
>>> 2/ some LDAP users are not imported in midpoint when their names are 
>>> too
>>> close to existing users. For example when their name contain a dash.
>>>
>>> I have understood that this is due to the comparison rule based on
>>> PolyString type. I have tried multiple rules:
>>>
>>> <q:path>name</q:path>
>>> <q:matching>polyStringOrig</q:matching>
>>>
>>> but I can't find any one that compares directly the strings, without
>>> normalization. Do you know what I have missed?
>>>
>>>
>>> Also, the openldap-resource I am working on is more complete than those
>>> in the docs. Would you be interested to include it? Do you accept
>>> contributions?
>>>
>>>
>>> Thanks in advance for your help!
>>>
>>> Regards,
>>>
>>> -- 
>>> David Coutadeur | IAM integrator
>>>
>>> david.coutadeur at worteks.com
>>> +33 7 88 46 85 34
>>> 16 avenue Hoche, Paris 75008
>>>
>>> Worteks | https://www.worteks.com
>> -- 
>> David Coutadeur | IAM integrator
>>
>> david.coutadeur at worteks.com
>> +33 7 88 46 85 34
>> 16 avenue Hoche, Paris 75008
>>
>> Worteks |https://www.worteks.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
> -- 
> Sven Feyerabend
> IT Support Officer
> stuvus – Student Representation, University of Stuttgart
> Pfaffenwaldring 5c
> 70569 Stuttgart
>

-- 
David Coutadeur | IAM integrator

david.coutadeur at worteks.com
+33 7 88 46 85 34
16 avenue Hoche, Paris 75008

Worteks |https://www.worteks.com
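To make the metarole step of the procedure above concrete, here is an added example of the kind of metarole that role-meta-ldapgroup.xml implements. It is written for this thread and is neither the sample file itself nor anything taken from David's attached resource. It reuses the metarole OID from David's object template and the ri:ldapGroup association with kind/intent entitlement/ldapGroup from the association he posted; the resource OID is a placeholder and the account intent "default" is an assumption. It covers only the midPoint -> LDAP direction, i.e. role membership in midPoint pushed into the group's member attribute; it does not by itself address the LDAP -> midPoint synchronization David asks about at the end of his message.

```xml
<role oid="1568ec1e-36cc-11e6-a052-3c970e44b9e2"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Metarole: LDAP group</name>

    <!-- Inducement 1 (order 1): every role that holds this metarole gets its
         own LDAP group, i.e. an entitlement shadow of kind/intent
         entitlement/ldapGroup on the OpenLDAP resource. -->
    <inducement>
        <construction>
            <!-- ASSUMPTION: placeholder, replace with the OID of your OpenLDAP resource -->
            <resourceRef oid="REPLACE-WITH-OPENLDAP-RESOURCE-OID" type="c:ResourceType"/>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <attribute>
                <ref>ri:cn</ref>
                <outbound>
                    <strength>strong</strength>
                    <!-- the group cn is taken from the midPoint role name -->
                    <source>
                        <path>$focus/name</path>
                    </source>
                </outbound>
            </attribute>
        </construction>
    </inducement>

    <!-- Inducement 2 (order 2): applies one level further down, i.e. to the
         users that are members of a role carrying this metarole. Their LDAP
         account gets the ri:ldapGroup association pointing at the group
         shadow that inducement 1 created, which midPoint writes into the
         group's member attribute (direction objectToSubject in the resource). -->
    <inducement>
        <construction>
            <resourceRef oid="REPLACE-WITH-OPENLDAP-RESOURCE-OID" type="c:ResourceType"/>
            <kind>account</kind>
            <!-- ASSUMPTION: the account object type of the resource uses intent "default" -->
            <intent>default</intent>
            <association>
                <ref>ri:ldapGroup</ref>
                <outbound>
                    <strength>strong</strength>
                    <expression>
                        <!-- link the account to the entitlement shadow of the role itself -->
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>ldapGroup</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>
```

With the object template from the message above assigning this metarole to every RoleType, a role created in midPoint is projected to an LDAP group and its members' accounts are added to that group; the order 2 on the second inducement is what makes it apply to the users assigned to the role rather than to the role itself. Check in the role's projections that the entitlement shadow exists before expecting the member attribute to be populated.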