[midPoint] Integrating existing LDAP

David Coutadeur david.coutadeur at gmail.com
Mon Sep 11 09:56:20 CEST 2023


Hello,

I was in the exact same situation some weeks ago.


Here is the explanation I have received:

groups in an LDAP directory usually are projections of midPoint roles.
For a more detailed explanation of the finer points see this blog post:
https://evolveum.com/simplifying-ldap-group-management-using-midpoint/

Usually you have some meta-role(s) that define the nature of the desired 
projections, then you can manage membership to those groups via role 
membership in midPoint. The metarole is assigned to all roles that 
should be present in your directory and defines the properties of the 
assignment to the resource.



And here is what I have done:


- import the metarole here: 
https://github.com/Evolveum/midpoint-samples/blob/master/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml


- import the following object template:


<objectTemplate oid="10000000-0000-0000-0000-000000000241"
                xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
                xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
                xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
                xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">

    <name>Role template</name>

    <mapping>
        <name>metarole automatic assignment</name>
        <authoritative>true</authoritative>
        <strength>strong</strength>
        <!--<source>
            <path>subType</path>
        </source>-->
        <expression>
            <value>
                <targetRef oid="1568ec1e-36cc-11e6-a052-3c970e44b9e2" type="RoleType"/>
            </value>
        </expression>
        <target>
            <path>assignment</path>
        </target>
        <!--<condition>
            <script>
                <code>subType == 'subtype'</code>
            </script>
        </condition>-->
    </mapping>
</objectTemplate>



- reference the object template in the global system configuration:


    <defaultObjectPolicyConfiguration>
        <objectTemplateRef oid="10000000-0000-0000-0000-000000000241" type="c:ObjectTemplateType">
        </objectTemplateRef>
        <type>c:RoleType</type>
    </defaultObjectPolicyConfiguration>


Regards,


On 11/09/2023 at 09:46, Markus Calmius via midPoint wrote:
> Hi,
>
> I'm trying to figure out how to best integrate an existing LDAP server 
> that contains users and groups. The users are not a difficult problem 
> to solve, but the groups and mainly the group membership eat up quite 
> some time for me.
>
> To be fair, I am quite new to midPoint (although I have taken the 
> fundamentals training), and I am still wrapping my head around everything.
>
> What I want to achieve, in the long run, is for midPoint to be the 
> authoritative source for the LDAP directory, but before getting there, 
> I need to import everything.
> Using various pages from the mailing list and docs.evovleum.com I have 
> managed to import all groups as roles, which is the first step I 
> guess, but since the midPoint Role doesn't contain "members" I got a 
> bit stuck. The problem with searching things online is that there 
> isn't a "best before" note on the information you find. So sometimes 
> the information is old and dated.
>
> So, I basically have two questions:
>
>  1. is there a better way to do this?
>  2. if not, how do I also get the midPoint roles to include the ldap
>     group membership
>
>
> If you can point me in the right direction I will much appreciate it.
> Thanks in advance!
> Markus Calmius
>
>

-- 
David Coutadeur | IAM integrator

david.coutadeur at worteks.com
+33 7 88 46 85 34
16 avenue Hoche, Paris 75008

Worteks |https://www.worteks.com
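A consistency check for the two fragments above, added here as an example (not code from the post or from the midPoint project): it parses the object template and the system-configuration fragment, both embedded as constructed samples (the policy fragment is given the namespace declaration it needs to parse on its own), and reports whether the template OID, the policy type and the assignment mapping fit together before you import them.

```python
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": C}

# Constructed sample: the object template from the post, indentation normalised.
TEMPLATE_XML = """<objectTemplate oid="10000000-0000-0000-0000-000000000241"
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Role template</name>
  <mapping>
    <name>metarole automatic assignment</name>
    <authoritative>true</authoritative>
    <strength>strong</strength>
    <expression>
      <value>
        <targetRef oid="1568ec1e-36cc-11e6-a052-3c970e44b9e2" type="RoleType"/>
      </value>
    </expression>
    <target><path>assignment</path></target>
  </mapping>
</objectTemplate>"""

# Constructed sample: the system-configuration fragment from the post, with the
# namespace declarations it inherits from <systemConfiguration> made explicit.
POLICY_XML = """<defaultObjectPolicyConfiguration
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <objectTemplateRef oid="10000000-0000-0000-0000-000000000241" type="c:ObjectTemplateType"/>
  <type>c:RoleType</type>
</defaultObjectPolicyConfiguration>"""

def metarole_oid(template_xml):
    """OID of the role that the template's assignment mapping hands out."""
    tpl = ET.fromstring(template_xml)
    ref = tpl.find("c:mapping/c:expression/c:value/c:targetRef", NS)
    return None if ref is None else ref.get("oid")

def check_wiring(template_xml, policy_xml):
    """Return a list of problems; an empty list means the fragments agree."""
    tpl, pol, problems = ET.fromstring(template_xml), ET.fromstring(policy_xml), []
    ref = pol.find("c:objectTemplateRef", NS)
    if ref is None or ref.get("oid") != tpl.get("oid"):
        problems.append("objectTemplateRef oid does not match the template oid")
    ptype = pol.findtext("c:type", default="", namespaces=NS)
    if ptype.split(":")[-1] != "RoleType":
        problems.append(f"policy applies to {ptype!r}, not RoleType")
    mappings = [m for m in tpl.findall("c:mapping", NS)
                if m.findtext("c:target/c:path", default="", namespaces=NS) == "assignment"]
    if not mappings:
        problems.append("no mapping targets 'assignment'")
    for m in mappings:  # a non-strong mapping is not re-applied once someone unassigns the metarole
        if m.findtext("c:strength", default="", namespaces=NS) != "strong":
            problems.append("assignment mapping is not strong")
        if m.find("c:expression/c:value/c:targetRef", NS) is None:
            problems.append("assignment mapping has no targetRef value")
    return problems
```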