[midPoint] Active Directory + associations - different behavior between Midpoint 4.8 and Midpoint 4.1
Carlos Ferreira
carlos18619 at gmail.com
Thu Apr 25 18:33:11 CEST 2024
Hi everyone,
Here is a snippet of a resource that connects with Active Directory and
deals with associations:
    <association id="2800">
        <ref>ldapGroups</ref>
        <displayName>Group Membership</displayName>
        <inbound id="2809">
            <strength>strong</strength>
            <expression>
                <assignmentTargetSearch>
                    <targetType>RoleType</targetType>
                    <filter>
                        <q:equal>
                            <q:path>name</q:path>
                            <expression>
                                <script>
                                    <code>
                                        basic.getAttributeValue(entitlement, 'cn')
                                    </code>
                                </script>
                            </expression>
                        </q:equal>
                    </filter>
                </assignmentTargetSearch>
            </expression>
            <target>
                <path>assignment</path>
            </target>
        </inbound>
        <kind>entitlement</kind>
        <intent>ListaAD</intent>
        <intent>GrupoAD</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>dn</valueAttribute>
        <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
        <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
        <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
    </association>
And here is the specific configuration in a metarole that combines with the
previous one to populate groups in Active Directory:
    <inducement id="2">
        <construction>
            <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e3"
                         relation="org:default" type="c:ResourceType">
                <!-- Active Directory 10.x.x.x -->
            </resourceRef>
            <kind>account</kind>
            <intent>default</intent>
            <association id="3">
                <ref>ri:ldapGroups</ref>
                <outbound>
                    <strength>strong</strength>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator
                                    xsi:type="c:ShadowDiscriminatorType">
                                <kind>entitlement</kind>
                                <intent>GrupoAD</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
        <focusType>c:UserType</focusType>
    </inducement>
Scenarios (for a specific user):

a) Assignment of a role
1. Select the user;
2. Click "assignment" -> "role" -> "Just a test role";
3. Click the "save" button;
-> result:
Midpoint 4.1: the role is assigned to the user and the association
is correctly created on AD.
Midpoint 4.8: the role is assigned to the user and the association
is correctly created on AD.

b) Unassignment of a role
1. Select the user;
2. Click "assignment" -> "role" -> "Just a test role";
3. Click on the "-" icon;
4. Click the "save" button;
-> result:
Midpoint 4.1: the role is unassigned from the user and the
association is correctly removed from AD. <- expected behavior
Midpoint 4.8: the role is *NOT* unassigned from the user *BUT* the
association is correctly removed from AD. <- unexpected behavior

Is there any configuration (in Midpoint 4.8) missing on the resource or
metarole?
Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20240425/7a1b2465/attachment.htm>
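As an added example (not part of Carlos's post and not midPoint's own code), the following Python script cross-checks the two fragments above the way a reviewer of this configuration would: it parses the resource association and the metarole inducement, verifies that the inducement's projectionDiscriminator (kind/intent) is covered by the association's declared kind and intents, that both sides refer to the same association, and lists every inbound mapping on the association that writes to `assignment` together with its strength. The sample XML is constructed from the posted fragments; the namespace URIs declared on it are the standard midPoint `q`/`ri`/`xsi` namespaces and are only there so the parser accepts the prefixes. The check runs offline with the standard library.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the resource association from the post, with the
# query namespace declared so that the q: prefix parses.
RESOURCE_ASSOCIATION_XML = """
<association id="2800"
    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <ref>ldapGroups</ref>
  <displayName>Group Membership</displayName>
  <inbound id="2809">
    <strength>strong</strength>
    <expression>
      <assignmentTargetSearch>
        <targetType>RoleType</targetType>
        <filter>
          <q:equal>
            <q:path>name</q:path>
            <expression><script><code>
              basic.getAttributeValue(entitlement, 'cn')
            </code></script></expression>
          </q:equal>
        </filter>
      </assignmentTargetSearch>
    </expression>
    <target><path>assignment</path></target>
  </inbound>
  <kind>entitlement</kind>
  <intent>ListaAD</intent>
  <intent>GrupoAD</intent>
  <direction>objectToSubject</direction>
  <associationAttribute>ri:member</associationAttribute>
  <valueAttribute>dn</valueAttribute>
  <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
  <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
  <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
</association>
"""

# Constructed sample: the metarole inducement from the post, with the
# xsi namespace declared so that xsi:type parses.
METAROLE_INDUCEMENT_XML = """
<inducement id="2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <construction>
    <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e3"
                 relation="org:default" type="c:ResourceType"/>
    <kind>account</kind>
    <intent>default</intent>
    <association id="3">
      <ref>ri:ldapGroups</ref>
      <outbound>
        <strength>strong</strength>
        <expression>
          <associationFromLink>
            <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
              <kind>entitlement</kind>
              <intent>GrupoAD</intent>
            </projectionDiscriminator>
          </associationFromLink>
        </expression>
      </outbound>
    </association>
  </construction>
  <order>2</order>
  <focusType>c:UserType</focusType>
</inducement>
"""


def local_name(qname):
    """Strip an XML prefix such as 'ri:' so 'ri:ldapGroups' == 'ldapGroups'."""
    return qname.strip().split(":", 1)[-1]


def parse_association(xml_text):
    """Extract ref, kind, intents and inbound mappings from a resource association."""
    root = ET.fromstring(xml_text)
    return {
        "ref": local_name(root.findtext("ref")),
        "kind": root.findtext("kind"),
        "intents": [e.text.strip() for e in root.findall("intent")],
        "inbounds": [
            {
                "id": ib.get("id"),
                # midPoint defaults mapping strength to 'normal' when absent
                "strength": (ib.findtext("strength") or "normal").strip(),
                "target": (ib.findtext("target/path") or "").strip(),
            }
            for ib in root.findall("inbound")
        ],
    }


def parse_inducement(xml_text):
    """Extract the association ref and projectionDiscriminator from a construction."""
    root = ET.fromstring(xml_text)
    assoc = root.find("construction/association")
    disc = assoc.find("outbound/expression/associationFromLink/projectionDiscriminator")
    return {
        "ref": local_name(assoc.findtext("ref")),
        "kind": disc.findtext("kind").strip(),
        "intent": disc.findtext("intent").strip(),
        "strength": (assoc.findtext("outbound/strength") or "normal").strip(),
    }


def check_consistency(assoc, ind):
    """Return a list of findings; 'ERROR:' entries mean the two fragments disagree."""
    findings = []
    if assoc["ref"] != ind["ref"]:
        findings.append("ERROR: inducement targets association %r but resource "
                        "declares %r" % (ind["ref"], assoc["ref"]))
    if ind["kind"] != assoc["kind"] or ind["intent"] not in assoc["intents"]:
        findings.append("ERROR: projectionDiscriminator %s/%s is not covered by "
                        "association %s/%s" % (ind["kind"], ind["intent"],
                                               assoc["kind"], assoc["intents"]))
    for ib in assoc["inbounds"]:
        if ib["target"] == "assignment":
            findings.append("INFO: inbound %s writes to 'assignment' with strength "
                            "%s" % (ib["id"], ib["strength"]))
    return findings


if __name__ == "__main__":
    for line in check_consistency(parse_association(RESOURCE_ASSOCIATION_XML),
                                  parse_inducement(METAROLE_INDUCEMENT_XML)):
        print(line)
```

Run against the posted fragments the checker reports no ERROR lines (the inducement's `entitlement/GrupoAD` is one of the association's declared intents and both refer to `ldapGroups`) and one INFO line for inbound 2809, which is the strong mapping that turns AD group membership back into assignments. That INFO line is the place to look first when an unassignment does not stick, since a strong inbound mapping is applied on every recompute for as long as the shadow still carries the membership value; whether that is what differs between 4.1 and 4.8 is not something these fragments alone can tell.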