[midPoint] Active Directory + associations - different behavior between Midpoint 4.8 and Midpoint 4.1
Carlos Ferreira
carlos18619 at gmail.com
Mon Apr 29 15:59:53 CEST 2024
Hi Lubomir,
I did as you mentioned (explicitReferentialIntegrity=false), but the
behavior is still the same.
And, as I said before, in Midpoint 4.1 the same scenarios worked perfectly.
Thks
On Mon, Apr 29, 2024 at 06:00, Lubomir Marton <lmarton at evolveum.com>
wrote:
> Hi Carlos,
>
> We recommend turning off explicitReferentialIntegrity for associations
> with groups. Please see related documentation
> https://docs.evolveum.com/connectors/resources/active-directory/group-synchronization-howto/
> and
> https://docs.evolveum.com/connectors/resources/active-directory/active-directory-ldap/
> .
>
> Best regards
>
> Lubomir Marton
>
> ------------------------------
> *From: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
> *Cc: *"Carlos Ferreira" <carlos18619 at gmail.com>
> *Sent: *Thursday, April 25, 2024 6:33:11 PM
> *Subject: *[midPoint] Active Directory + associations - different
> behavior between Midpoint 4.8 and Midpoint 4.1
>
> Hi everyone,
>
>
> Here is a snippet of a resource that connects with Active Directory and
> deals with associations:
>
> <association id="2800">
>     <ref>ldapGroups</ref>
>     <displayName>Group Membership</displayName>
>     <inbound id="2809">
>         <strength>strong</strength>
>         <expression>
>             <assignmentTargetSearch>
>                 <targetType>RoleType</targetType>
>                 <filter>
>                     <q:equal>
>                         <q:path>name</q:path>
>                         <expression>
>                             <script>
>                                 <code>
>                                     basic.getAttributeValue(entitlement, 'cn')
>                                 </code>
>                             </script>
>                         </expression>
>                     </q:equal>
>                 </filter>
>             </assignmentTargetSearch>
>         </expression>
>         <target>
>             <path>assignment</path>
>         </target>
>     </inbound>
>     <kind>entitlement</kind>
>     <intent>ListaAD</intent>
>     <intent>GrupoAD</intent>
>     <direction>objectToSubject</direction>
>     <associationAttribute>ri:member</associationAttribute>
>     <valueAttribute>dn</valueAttribute>
>     <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>     <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
> </association>
>
> And here is the specific configuration in a metarole that sums up with the
> previous one to populate groups in Active Directory:
>
> <inducement id="2">
>     <construction>
>         <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e3"
>                      relation="org:default" type="c:ResourceType">
>             <!-- Active Directory 10.x.x.x - -->
>         </resourceRef>
>         <kind>account</kind>
>         <intent>default</intent>
>         <association id="3">
>             <ref>ri:ldapGroups</ref>
>             <outbound>
>                 <strength>strong</strength>
>                 <expression>
>                     <associationFromLink>
>                         <projectionDiscriminator
>                             xsi:type="c:ShadowDiscriminatorType">
>                             <kind>entitlement</kind>
>                             <intent>GrupoAD</intent>
>                         </projectionDiscriminator>
>                     </associationFromLink>
>                 </expression>
>             </outbound>
>         </association>
>     </construction>
>     <order>2</order>
>     <focusType>c:UserType</focusType>
> </inducement>
>
> Scenarios (for a specific user):
>
> a) Assignment of a role
> 1. Select the user;
> 2. Click "assignment -> role -> Just a test role";
> 3. Click the "save" button;
>
> -> result:
> Midpoint 4.1: the role is assigned to the user and the association
> is correctly created on AD.
> Midpoint 4.8: the role is assigned to the user and the association
> is correctly created on AD.
>
> b) Unassignment of a role
> 1. Select the user;
> 2. Click "assignment -> role -> Just a test role";
> 3. Click on the "-" icon;
> 4. Click the "save" button;
>
> -> result:
> Midpoint 4.1: the role is unassigned from the user and the
> association is correctly removed from AD. <- expected behavior
> Midpoint 4.8: the role is *NOT* unassigned from the user *BUT*
> the association is correctly removed from AD. <- unexpected behavior
>
> Is there any configuration (in Midpoint 4.8) missing on the resource or
> metarole?
>
> Thks.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
>