[midPoint] Integrating existing LDAP

Fabian Noll-Dukiewicz fabian.noll-dukiewicz at veryfy.gmbh
Fri Sep 15 09:20:58 CEST 2023


Great work!

For completeness here is my code snippet for association with inbound mapping (AD group to midpoint Role).

[Image: a picture containing text, screenshot. Automatically generated description]

Kind regards,
Fabian

Fabian Noll-Dukiewicz
Identity & Access Management Specialist | Managing Director
Tel.: +49 152 244 63 211
Email: fabian.noll-dukiewicz at veryfy.gmbh
Web: https://veryfy.gmbh


From: Markus Calmius <markus.calmius at proton.ch>
Date: Friday, 15 September 2023 at 09:15
To: Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at veryfy.gmbh>
Cc: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: Re: [midPoint] Integrating existing LDAP
Hi

Got it working!
Found another documentation source (https://docs.evolveum.com/midpoint/reference/expressions/mappings/inbound-mapping/). I had probably read it earlier but forgotten it.

Anyway: thank you for "listening" and pointing to the association over and over :D



Markus
------- Original Message -------
On Friday, September 15th, 2023 at 08:36, Markus Calmius <markus.calmius at proton.ch> wrote:


Hi Fabian,

associations work, I think.
But as far as I can tell, you don't really see them.
As an end user they don't show up in "All Accesses"; I have to click on Projections and then on the FreeIPA account to see them.

And if you cannot see the entitlements in an easy way, how can you remove them?

So I've been trying this (it is the "one-off" import that I'm after):

<!-- Inbound mapping on the account's memberof_group attribute: each group
     name the account carries is resolved to the midPoint role of the same
     name and turned into an assignment on the user. -->
<attribute>
    <ref>ri:memberof_group</ref>
    <inbound>
        <strength>strong</strength>
        <expression>
            <trace>true</trace>
            <assignmentTargetSearch>
                <targetType>RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <!-- $input must be referenced as a path; a <value>
                                 element holds a literal string, so
                                 <value>$input</value> would search for a role
                                 literally named "$input". -->
                            <path>$input</path>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </inbound>
</attribute>
And I see this from the trace:
Sources:
  Source {.../common/common-3}input
    old:
      memberof_group: [ ipausers, group1, group2 ]
    delta: null
    new:
      memberof_group: [ ipausers, group1, group2 ]

I don't get any errors, but something is not quite working...



Markus Calmius
Proton AG

------- Original Message -------
On Thursday, September 14th, 2023 at 19:09, Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at veryfy.gmbh> wrote:


Hi Markus,

for Active Directory this is done with an association on the user account object, and on that association an inbound mapping to "assignment" is set. Please see the midPoint samples for a more detailed view (something like this: <https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/ad-ldap-medusa-medium.xml>).

[Image: a picture containing text, screenshot, font. Automatically generated description]

Kind regards,
Fabian

--
Fabian Noll-Dukiewicz
Identity & Access Management Specialist | Managing Director
Tel.: +49 152 244 63 211
Email: fabian.noll-dukiewicz at veryfy.gmbh
Web: https://veryfy.gmbh
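The association-based setup described in this message, and the AD-group-to-role snippet attached as a screenshot in the later reply (which the archive does not reproduce), look roughly like the following resource fragment. This is an added example written for this page, not Fabian's snippet and not copied from the midPoint samples. The object class and attribute names (ri:user, ri:group, ri:member, ri:memberOf, ri:dn, ri:cn) and the use of the `entitlement` variable inside the association's inbound mapping are assumptions and have to be checked against the connector's actual schema and the inbound-mapping documentation linked in the thread.

```xml
<!-- Added example: schemaHandling fragment of a midPoint resource.
     Object class and attribute names are assumptions; adapt them to the
     schema the connector actually exposes. -->
<schemaHandling xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

    <!-- Group objects: the entitlement side of the association. -->
    <objectType>
        <kind>entitlement</kind>
        <intent>group</intent>
        <objectClass>ri:group</objectClass>
        <attribute>
            <ref>ri:cn</ref>
            <!-- Group name becomes the role name, so roles created from
                 existing groups can be found by name below. -->
            <inbound>
                <target>
                    <path>name</path>
                </target>
            </inbound>
        </attribute>
    </objectType>

    <!-- User accounts: the subject side. -->
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <objectClass>ri:user</objectClass>

        <association>
            <ref>ri:group</ref>
            <displayName>Group membership</displayName>
            <kind>entitlement</kind>
            <intent>group</intent>
            <!-- Membership is stored on the group (member holds user DNs);
                 memberOf on the user is only a read shortcut. -->
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
            <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
            <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
            <explicitReferentialIntegrity>true</explicitReferentialIntegrity>

            <!-- Inbound: each group the account is a member of becomes an
                 assignment of the role whose name equals the group's cn.
                 'entitlement' is assumed to hold the group shadow. -->
            <inbound>
                <expression>
                    <assignmentTargetSearch>
                        <targetType>RoleType</targetType>
                        <filter>
                            <q:equal>
                                <q:path>name</q:path>
                                <expression>
                                    <script>
                                        <code>
                                            basic.getAttributeValue(entitlement, 'cn')
                                        </code>
                                    </script>
                                </expression>
                            </q:equal>
                        </filter>
                        <!-- Left disabled on purpose: a membership in a group
                             with no matching role should fail loudly rather
                             than silently create an unreviewed role. -->
                        <!-- <createOnDemand>true</createOnDemand> -->
                    </assignmentTargetSearch>
                </expression>
                <target>
                    <path>assignment</path>
                </target>
            </inbound>
        </association>
    </objectType>
</schemaHandling>
```

Because the assignments are created through the association, they show up on the user as regular role assignments, so they can be reviewed and removed like any other assignment rather than only being visible under the account's projection. Import the groups (so the roles exist) before importing the accounts, otherwise the search for the target role finds nothing.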


From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Markus Calmius via midPoint <midpoint at lists.evolveum.com>
Date: Thursday, 14 September 2023 at 16:23
To: midpoint at lists.evolveum.com <midpoint at lists.evolveum.com>
Cc: Markus Calmius <markus.calmius at proton.ch>
Subject: Re: [midPoint] Integrating existing LDAP
Hi again,

not quite working.
Creating a role in midPoint creates the corresponding group in LDAP.
Actually, it's not LDAP, but FreeIPA, so I'm using https://github.com/artinsolutions/midpoint-connector-freeipa/tree/master.

Assigning the role to a user, creates and/or updates FreeIPA with the membership.
So the "next step" is working fine.

But before I get there, it's the reverse I would like to do:

  *   create roles for all freeipa groups: done

     *   I am also assigning an archetype to differentiate them from other roles

  *   assign the midPoint role(s) to all users that are member of the group

     *   this is not working. I'm probably missing something, but when I read everything and check the XML files, all I see is outbound. And I guess I need something inbound. And, since it's related to the user, would it mean a user object template that could do this?

Thanks in advance

Markus Calmius
Proton AG

------- Original Message -------
On Monday, September 11th, 2023 at 14:34, Markus Calmius <markus.calmius at proton.ch> wrote:

Thank you Fabian and David for the information.
I will read the pages you've linked to and see if I can figure it out.



Markus Calmius
Proton AG

------- Original Message -------
On Monday, September 11th, 2023 at 09:46, Markus Calmius <markus.calmius at proton.ch> wrote:

Hi,

I'm trying to figure out how to best integrate an existing LDAP server that contains users and groups. The users are not a difficult problem to solve, but the groups, and mainly the group membership, are eating up quite some time for me.

To be fair, I am quite new to midPoint (although I have taken the fundamentals training), and I am still wrapping my head around everything.

What I want to achieve, in the long run, is for midPoint to be the authoritative source for the LDAP directory, but before getting there, I need to import everything.
Using various pages from the mailing list and docs.evolveum.com I have managed to import all groups as roles. Which is the first step, I guess, but since the midPoint Role doesn't contain "members" I got a bit stuck. The problem with searching for things online is that there isn't a "best before" note on the information you find. So sometimes the information is old and dated.

So, I basically have two questions:

  1.  is there a better way to do this?
  2.  if not, how do I also get the midPoint roles to include the ldap group membership

If you can point me in the right direction I would much appreciate it.

Thanks in advance!
Markus Calmius




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20230915/98ab82f1/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 49142 bytes
Desc: image001.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20230915/98ab82f1/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 102736 bytes
Desc: image002.png
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20230915/98ab82f1/attachment-0003.png>