[midPoint] Integrating existing LDAP

Markus Calmius markus.calmius at proton.ch
Fri Sep 15 09:14:55 CEST 2023


Hi

Got it working!
Found another documentation source (https://docs.evolveum.com/midpoint/reference/expressions/mappings/inbound-mapping/). I've probably read it earlier, but forgotten.

Anyway: thank you for "listening" and pointing to the association over and over :D

Markus
------- Original Message -------
On Friday, September 15th, 2023 at 08:36, Markus Calmius <markus.calmius at proton.ch> wrote:

> Hi Fabian,
>
> associations work, I think.
> But as far as I can tell, you don't really see them.
> As an end-user they don't show up in "All Accesses"; I have to click on Projections and the FreeIPA account to see them.
>
> And if you cannot see the entitlements in an easy way, how can you remove them?
>
> So I've been trying this (it is the "one-off" import that I'm after):
>
> <attribute>
>     <ref>ri:memberof_group</ref>
>     <inbound>
>         <strength>strong</strength>
>         <expression>
>             <trace>true</trace>
>             <assignmentTargetSearch>
>                 <targetType>RoleType</targetType>
>                 <filter>
>                     <q:equal>
>                         <q:path>name</q:path>
>                         <expression>
>                             <value>$input</value>
>                         </expression>
>                     </q:equal>
>                 </filter>
>             </assignmentTargetSearch>
>         </expression>
>         <target>
>             <path>assignment</path>
>         </target>
>     </inbound>
> </attribute>
>
> And I see this from the trace:
>
>> Sources:
>> Source {.../common/common-3}input
>> old:
>> memberof_group: [ ipausers, group1, group2 ]
>> delta: null
>> new:
>> memberof_group: [ ipausers, group1, group2 ]
>
> I don't get any errors, but something is not quite working...
>
> Markus Calmius
> Proton AG
>
> ------- Original Message -------
> On Thursday, September 14th, 2023 at 19:09, Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at veryfy.gmbh> wrote:
>
>> Hi Markus,
>>
>> for Active Directory this is done by an association on the user account object, and on this association an inbound mapping to "assignment" is set. Please see the midPoint samples for a more detailed view. ([something like this](https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/ad-ldap-medusa-medium.xml))
>>
>> [An image containing text, screenshot, font. Automatically generated description]
>>
>> Kind regards,
>>
>> Fabian
>>
>> --
>>
>> Fabian Noll-Dukiewicz
>>
>> Specialist Identity & Access Management | Managing Director
>>
>> Tel.: +49 152 244 63 211
>>
>> Email: fabian.noll-dukiewicz at veryfy.gmbh
>>
>> Web: https://veryfy.gmbh
>>
>> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Markus Calmius via midPoint <midpoint at lists.evolveum.com>
>> Date: Thursday, September 14, 2023 at 16:23
>> To: midpoint at lists.evolveum.com <midpoint at lists.evolveum.com>
>> Cc: Markus Calmius <markus.calmius at proton.ch>
>> Subject: Re: [midPoint] Integrating existing LDAP
>>
>> Hi again,
>>
>> not quite working.
>>
>> Creating a role in midPoint creates the corresponding group in LDAP.
>>
>> Actually, it's not LDAP, but FreeIPA, so I'm using https://github.com/artinsolutions/midpoint-connector-freeipa/tree/master.
>>
>> Assigning the role to a user creates and/or updates FreeIPA with the membership.
>>
>> So the "next step" is working fine.
>>
>> But before I get there, it's the reverse I would like to do:
>>
>> -  create roles for all freeipa groups: done
>>
>> -  I am also assigning an archetype to differentiate them from other roles
>>
>> -  assign the midPoint role(s) to all users that are members of the group
>>
>> -  this is not working; I'm probably missing something, but when I read everything and check the XML files all I see is outbound. And I guess I need something inbound. And, since it's related to the user, would it mean a user object template that could do this?
>>
>> Thanks in advance
>>
>> Markus Calmius
>> Proton AG
>>
>> ------- Original Message -------
>> On Monday, September 11th, 2023 at 14:34, Markus Calmius <markus.calmius at proton.ch> wrote:
>>
>>> Thank you Fabian and David for the information.
>>>
>>> I will read the pages you've linked to and see if I can figure it out.
>>>
>>> Markus Calmius
>>> Proton AG
>>>
>>> ------- Original Message -------
>>> On Monday, September 11th, 2023 at 09:46, Markus Calmius <markus.calmius at proton.ch> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm trying to figure out how to best integrate an existing LDAP server that contains users and groups. The users are not a difficult problem to solve, but the groups, and mainly the group membership, are eating up quite some time for me.
>>>>
>>>> To be fair, I am quite new to midPoint (although I have taken the fundamentals training), and I am still wrapping my head around everything.
>>>>
>>>> What I want to achieve, in the long run, is for midPoint to be the authoritative source for the LDAP directory, but before getting there, I need to import everything.
>>>>
>>>> Using various pages from the mailing list and docs.evolveum.com I have managed to import all groups as roles. Which is the first step I guess, but since the midPoint Role doesn't contain "members" I got a bit stuck. The problem with searching things online is that there isn't a "best before" note on the information you find. So sometimes the information is old and dated.
>>>>
>>>> So, I basically have two questions:
>>>>
>>>> -  is there a better way to do this?
>>>> -  if not, how do I also get the midPoint roles to include the ldap group membership
>>>>
>>>> If you can point me in the right direction I will much appreciate it.
>>>>
>>>> Thanks in advance!
>>>>
>>>> Markus Calmius
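The import direction the thread is after (FreeIPA memberof_group values turned into midPoint role assignments by looking each role up by name, as the assignmentTargetSearch filter on `name` does) as a stand-alone dry-run. This is an added example, not code from the thread or from midPoint; the roles, accounts and the "freeipa-group" archetype name are constructed, and it also covers two failure modes worth checking before blaming the mapping: a group with no imported role yet, and a role-name clash that the archetype from the thread can disambiguate.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: roles already imported from FreeIPA groups (step 1 in the
# thread), tagged with a hypothetical archetype so they can be told apart from
# other roles. The last entry deliberately reuses the name "group1".
ROLES = [
    {"oid": "role-ipausers", "name": "ipausers", "archetype": "freeipa-group"},
    {"oid": "role-group1", "name": "group1", "archetype": "freeipa-group"},
    {"oid": "role-group2", "name": "group2", "archetype": "freeipa-group"},
    {"oid": "role-group1-biz", "name": "group1", "archetype": "business"},
]

# Constructed sample accounts, shaped like the memberof_group values in the trace.
ACCOUNTS = {
    "alice": {"memberof_group": ["ipausers", "group1", "group2"]},
    "bob": {"memberof_group": ["ipausers", "group9"]},  # group9: no role imported
}


@dataclass
class ImportResult:
    # user -> role OIDs that would become assignments
    assignments: dict[str, list[str]] = field(default_factory=dict)
    # user -> group values that found no role or more than one role
    unmatched: dict[str, list[str]] = field(default_factory=dict)


def search_role(roles: list[dict], name: str, archetype: Optional[str] = None) -> list[dict]:
    """Equivalent of the q:equal filter on name, optionally narrowed by archetype."""
    return [r for r in roles
            if r["name"] == name and (archetype is None or r["archetype"] == archetype)]


def inbound_assignments(accounts: dict, roles: list[dict],
                        archetype: Optional[str] = None) -> ImportResult:
    """Compute the assignments an inbound mapping on memberof_group should produce."""
    res = ImportResult()
    for user, attrs in accounts.items():
        got, missing = [], []
        for group in attrs.get("memberof_group", []):
            hits = search_role(roles, group, archetype)
            if len(hits) == 1:
                got.append(hits[0]["oid"])
            else:
                missing.append(group)  # zero hits: no role; more than one: ambiguous
        res.assignments[user] = got
        res.unmatched[user] = missing
    return res


if __name__ == "__main__":
    print(inbound_assignments(ACCOUNTS, ROLES, archetype="freeipa-group"))
```

Comparing this output against what midPoint actually assigned after a one-off import shows whether the gap is a missing role, an ambiguous name, or the mapping itself.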