[midPoint] associationTargetSearch + createOnDemand Possible? How to?
Carlos Ferreira
carlos18619 at gmail.com
Thu Apr 4 12:58:47 CEST 2024
Dear Alcides,

If you haven't solved the issue yet, here is a hint that may solve the
problem (works for midPoint 4.1; I could not reproduce it in midPoint 4.8
yet):

<association id="400"
             xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
             xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
             xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <c:ref>ri:ldapGroups</c:ref>
    <displayName>LDAP Group Membership</displayName>
    <tolerant>true</tolerant>
    <exclusiveStrong>true</exclusiveStrong>
    <inbound id="401">
        <authoritative>true</authoritative>
        <exclusive>false</exclusive>
        <strength>strong</strength>
        <expression>
            <assignmentTargetSearch xsi:type="c:AssignmentTargetSearchExpressionEvaluatorType">
                <targetType>RoleType</targetType>
                <!-- look up the role whose name equals the entitlement's cn -->
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <script>
                                <code>
                                    return basic.getAttributeValue(entitlement, 'cn')
                                </code>
                            </script>
                        </expression>
                    </q:equal>
                </filter>
                <!-- if no such role exists, create it with the items below -->
                <createOnDemand>true</createOnDemand>
                <populateObject>
                    <populateItem>
                        <expression>
                            <script xsi:type="c:ScriptExpressionEvaluatorType">
                                <code>
                                    return basic.getAttributeValue(entitlement, 'cn')
                                </code>
                            </script>
                        </expression>
                        <target>
                            <c:path>name</c:path>
                        </target>
                    </populateItem>
                    <populateItem>
                        <expression>
                            <script xsi:type="c:ScriptExpressionEvaluatorType">
                                <code>
                                    return 'Grupo do AD'
                                </code>
                            </script>
                        </expression>
                        <target>
                            <c:path>subtype</c:path>
                        </target>
                    </populateItem>
                    <populateItem>
                        <expression>
                            <assignmentTargetSearch xsi:type="c:AssignmentTargetSearchExpressionEvaluatorType">
                                <targetType>c:RoleType</targetType>
                                <filter>
                                    <q:equal>
                                        <q:path>c:name</q:path>
                                        <expression>
                                            <value>AD - grupos (metarole)</value>
                                        </expression>
                                    </q:equal>
                                </filter>
                            </assignmentTargetSearch>
                        </expression>
                        <target>
                            <c:path>assignment</c:path>
                        </target>
                    </populateItem>
                </populateObject>
                <assignmentProperties xsi:type="c:AssignmentPropertiesSpecificationType"/>
            </assignmentTargetSearch>
        </expression>
        <target>
            <c:path>assignment</c:path>
        </target>
    </inbound>
    <kind>entitlement</kind>
    <intent>GrupoAD</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
    <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
    <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
</association>

On Mon, 6 Mar 2023 at 19:22, Alcides Moraes via midPoint <
midpoint at lists.evolveum.com> wrote:
> Following up on this, I'm still not able to createOnDemand with
> associationTargetSearch.
>
> So I decided to replace this with an assignmentTargetSearch with
> createOnDemand role in midPoint that maps to the group in AD.
> But doing this, I faced another problem.
>
> This assignment is created in an inbound mapping from another resource, so
> it’s a secondary change.
> Doing this, the association to the AD group is not done until I recompute
> the user again.
> This wouldn’t be such a problem if the assignment removal worked, however
> it does not.
> If the inbound mapping removes this assignment, the group association is
> not removed, even after recomputing.
>
> If the assignment is created and removed manually directly in midpoint, it
> works fine.
>
> Here’s what I’m trying to achieve:
>
> Inbound mapping from Resource A creates user assignment to a role, with
> some context value on it
>
> User —context:999—> Role R
>
> I want this to map to an AD group R_999
>
> so first I tried with associationTargetSearch and createOnDemand, could
> not make it work.
> (context values are not fixed, I need to create on demand)
>
> So I tried this
>
> User —context:999 —> Role R —> focusMapping assignmentTargetSearch
> createOnDemand —> Role R_999 —> AD group R_999
>
> This does not ‘finish’, it stops at Role R_999 creation and assignment,
> but the association is not made. I guess it’s too long a chain of events
> for midpoint.
> Since the context is dynamic, I cannot create beforehand the groups.
> Is there a better way to achieve this?
>
>
> Thanks in advance for any help on this
>
> On 27 Feb 2023, at 20:43, Alcides Moraes <alcides.neto at gmail.com>
> wrote:
>
> Hello list,
>
> I’m attempting to use createOnDemand with associationTargetSearch with
> Active Directory groups, is this possible?
> I have not seen any example or documentation on this.
>
> The associationTargetSearch works if the group exists, but I cannot seem
> to create a group with createOnDemand.
> I’ve created roles with createOnDemand with no problem, but since this is
> a resource object, is this supported? According to the schema, it should.
>
> I’m getting this error, there is a single populateItem trying to write to
> the DN attribute:
>
> Error evaluating mapping for association {.../resource/instance-3}group
> in construction for (resource:xxxx(AD)/ACCOUNT/default/null) in
> role:xxx(Metarole): No target item that would conform to the path
> attributes/dn in expression in mapping in outbound mapping for association
>
> I have tried “dn”, “ri:dn”, “attributes/ri:dn” on the <path> element,
> none of them worked.
>
> My code:
> <associationTargetSearch>
>     <filter>
>         <q:equal>
>             <q:path>attributes/ri:dn</q:path>
>             <expression>
>                 <script>
>                     <code>
>                         // my logic here
>                     </code>
>                 </script>
>             </expression>
>         </q:equal>
>     </filter>
>     <searchStrategy>onResourceIfNeeded</searchStrategy>
>     <createOnDemand>true</createOnDemand>
>     <populateObject>
>         <populateItem>
>             <expression>
>                 <script>
>                     <code>
>                         // my logic here
>                     </code>
>                 </script>
>             </expression>
>             <target>
>                 <path>attributes/dn</path>
>             </target>
>         </populateItem>
>     </populateObject>
> </associationTargetSearch>
>
>
>
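As an added review aid (not midPoint's code and not part of either post above), the Python script below parses an association fragment like the one Carlos posted and lists every evaluator that has createOnDemand enabled, together with the strength and authoritative flags of the mapping that owns it, so a reviewer can see where group names coming from the resource end up creating roles in midPoint. The namespace URIs are midPoint's own; the SAMPLE XML is a constructed, condensed copy of the posted mapping.

```python
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
Q = "http://prism.evolveum.com/xml/ns/public/query-3"
NS = {"c": C, "q": Q}
# Constructed sample: a condensed copy of the inbound association mapping posted above.
SAMPLE = f"""<association xmlns="{C}" xmlns:c="{C}" xmlns:q="{Q}"><ref>ri:ldapGroups</ref>
  <inbound><authoritative>true</authoritative><strength>strong</strength>
    <expression><assignmentTargetSearch><targetType>RoleType</targetType>
      <filter><q:equal><q:path>name</q:path><expression><script>
        <code>return basic.getAttributeValue(entitlement, 'cn')</code></script></expression></q:equal></filter>
      <createOnDemand>true</createOnDemand>
      <populateObject>
        <populateItem><expression><value>Grupo do AD</value></expression>
          <target><c:path>subtype</c:path></target></populateItem>
        <populateItem><expression><assignmentTargetSearch><targetType>c:RoleType</targetType>
          <filter><q:equal><q:path>c:name</q:path><expression><value>AD - grupos (metarole)</value></expression>
          </q:equal></filter></assignmentTargetSearch></expression>
          <target><c:path>assignment</c:path></target></populateItem>
      </populateObject>
    </assignmentTargetSearch></expression><target><c:path>assignment</c:path></target>
  </inbound></association>"""


def audit_create_on_demand(xml_text):
    """One record per evaluator with createOnDemand=true, with the flags of the mapping that owns it."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}  # ElementTree keeps no parent links
    findings = []
    for direction in ("inbound", "outbound"):
        for mapping in root.findall(f"c:{direction}", NS):
            for flag in mapping.iter(f"{{{C}}}createOnDemand"):
                if (flag.text or "").strip() != "true":
                    continue
                ev = parent[flag]  # the assignmentTargetSearch / associationTargetSearch element
                strength = mapping.findtext("c:strength", "normal", NS)
                authoritative = mapping.findtext("c:authoritative", "false", NS) == "true"
                findings.append({
                    "direction": direction,
                    "evaluator": ev.tag.split("}")[-1],
                    "targetType": ev.findtext("c:targetType", "", NS).split(":")[-1],
                    "filterPath": ev.findtext("c:filter/q:equal/q:path", "", NS),
                    "populates": [t.text for t in ev.findall("c:populateObject/c:populateItem/c:target/c:path", NS)],
                    "strength": strength,
                    "authoritative": authoritative,
                    # inbound + strong + authoritative: the resource's group names decide which roles exist
                    "resourceDriven": direction == "inbound" and authoritative and strength == "strong",
                })
    return findings
```

Run it over a whole resource definition (the association elements under schemaHandling) to get the same inventory for every association, and treat each resourceDriven record as a place where whoever can create groups on that resource can also create roles in midPoint.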