[midPoint] Integrating existing LDAP

Markus Calmius markus.calmius at proton.ch
Fri Sep 15 08:36:44 CEST 2023


Hi Fabian,

associations work, I think.
But as far as I can tell, you don't really see them.
As an end-user, they don't show up in "All Accesses"; I have to click on Projections and the FreeIPA account to see them.

And if you cannot see the entitlements in an easy way, how can you remove them?

So I've been trying this (it is the "one-off" import that I'm after):

<attribute>
    <ref>ri:memberof_group</ref>
    <inbound>
        <strength>strong</strength>
        <expression>
            <trace>true</trace>
            <assignmentTargetSearch>
                <targetType>RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <value>$input</value>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </inbound>
</attribute>

And I see this from the trace:

> Sources:
> Source {.../common/common-3}input
> old:
> memberof_group: [ ipausers, group1, group2 ]
> delta: null
> new:
> memberof_group: [ ipausers, group1, group2 ]

I don't get any errors, but something is not quite working...

Markus Calmius
Proton AG

------- Original Message -------
On Thursday, September 14th, 2023 at 19:09, Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at veryfy.gmbh> wrote:

> Hi Markus,
>
> for Active Directory this is done by an Association on the user account object, and on this association an inbound mapping to "assignment" is set. Please see the midPoint samples for a more detailed view. ([something like this](https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/ad-ldap-medusa-medium.xml))
>
> [An image containing text, screenshot, font.
>
> Automatically generated description]
>
> Kind regards,
>
> Fabian
>
> --
>
> Fabian Noll-Dukiewicz
>
> Identity & Access Management Specialist | Managing Director
>
> Tel.: +49 152 244 63 211
>
> Email: fabian.noll-dukiewicz at veryfy.gmbh
>
> Web: https://veryfy.gmbh
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Markus Calmius via midPoint <midpoint at lists.evolveum.com>
> Date: Thursday, 14 September 2023 at 16:23
> To: midpoint at lists.evolveum.com <midpoint at lists.evolveum.com>
> Cc: Markus Calmius <markus.calmius at proton.ch>
> Subject: Re: [midPoint] Integrating existing LDAP
>
> Hi again,
>
> not quite working.
>
> Creating a role in midPoint creates the corresponding group in LDAP.
>
> Actually, it's not LDAP, but FreeIPA, so I'm using https://github.com/artinsolutions/midpoint-connector-freeipa/tree/master.
>
> Assigning the role to a user creates and/or updates FreeIPA with the membership.
>
> So the "next step" is working fine.
>
> But before I get there, it's the reverse I would like to do:
>
> -  create roles for all freeipa groups: done
>
> -  I am also assigning an archetype to differentiate them from other roles
>
> -  assign the midPoint role(s) to all users that are members of the group
>
> -  this is not working. I'm probably missing something, but when I read everything and check the XML files, all I see is outbound. And I guess I need something inbound. And, since it's related to the user, would it mean a user object template that could do this?
>
> Thanks in advance
>
> Markus Calmius
> Proton AG
>
> ------- Original Message -------
> On Monday, September 11th, 2023 at 14:34, Markus Calmius <markus.calmius at proton.ch> wrote:
>
>> Thank you Fabian and David for the information.
>>
>> I will read the pages you've linked to and see if I can figure it out.
>>
>> Markus Calmius
>> Proton AG
>>
>> ------- Original Message -------
>> On Monday, September 11th, 2023 at 09:46, Markus Calmius <markus.calmius at proton.ch> wrote:
>>
>>> Hi,
>>>
>>> I'm trying to figure out how to best integrate an existing LDAP server that contains users and groups. The users are not a difficult problem to solve, but the groups, and mainly the group membership, eat up quite some time for me.
>>>
>>> To be fair, I am quite new to midPoint (although I have taken the fundamentals training), and I am still wrapping my head around everything.
>>>
>>> What I want to achieve, in the long run, is for midPoint to be the authoritative source for the LDAP directory, but before getting there, I need to import everything.
>>>
>>> Using various pages from the mailing list and docs.evolveum.com I have managed to import all groups as roles. Which is the first step, I guess, but since the midPoint Role doesn't contain "members" I got a bit stuck. The problem with searching things online is that there isn't a "best before" note on the information you find. So sometimes the information is old and dated.
>>>
>>> So, I basically have two questions:
>>>
>>> -  is there a better way to do this?
>>> -  if not, how do I also get the midPoint roles to include the LDAP group membership?
>>>
>>> If you can point me in the right direction I would much appreciate it.
>>>
>>> Thanks in advance!
>>>
>>> Markus Calmius
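An added example, not from the thread and not midPoint's own sample: the attribute-based inbound mapping from the thread, written so that the filter references the mapping's input variable through the `path` evaluator (the `value` evaluator is a literal string, so `<value>$input</value>` searches for a role literally named "$input"), restricted to roles carrying the archetype Markus assigns to FreeIPA-derived roles, and flagged authoritative so a role is revoked when the group membership disappears. The archetype OID is a placeholder; the `authoritative` flag and the `q:ref` archetype filter are assumed to behave as described.

```xml
<!-- Added example (not from the thread): inbound mapping on the FreeIPA
     account's memberof_group attribute that turns each group name into a
     role assignment.
     Assumptions: <path>$input</path> resolves the current attribute value
     (<value> would be a literal); the archetype OID is a placeholder. -->
<attribute>
    <ref>ri:memberof_group</ref>
    <inbound>
        <strength>strong</strength>
        <!-- authoritative: assignments this mapping no longer produces are
             removed, so dropping a user from a FreeIPA group revokes the role -->
        <authoritative>true</authoritative>
        <expression>
            <assignmentTargetSearch>
                <targetType>RoleType</targetType>
                <filter>
                    <q:and>
                        <!-- match the role whose name equals the group name -->
                        <q:equal>
                            <q:path>name</q:path>
                            <expression>
                                <path>$input</path>
                            </expression>
                        </q:equal>
                        <!-- only roles created from FreeIPA groups, so an
                             unrelated role with the same name is never picked -->
                        <q:ref>
                            <q:path>archetypeRef</q:path>
                            <q:value oid="PLACEHOLDER-FREEIPA-GROUP-ARCHETYPE-OID"/>
                        </q:ref>
                    </q:and>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </inbound>
</attribute>
```

With `trace` left out, a mapping that still produces no assignments is easiest to inspect by re-adding `<trace>true</trace>` under `expression` and checking whether the search step reports zero matching roles.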

