[midPoint] distinguishedName Support in API Search
Crowe, Jared
jmcrowe at uillinois.edu
Fri Aug 2 14:55:37 CEST 2024
Thank you very much for this detailed feedback, Kamil. We are in the process of implementing 4.8.3 at our organization, and I look forward to trying this out when we get that done. It’s also very nice to see this working in the demo instance. Very helpful!
Thanks,
Jared
From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Kamil Jires via midPoint
Sent: Thursday, July 25, 2024 6:47 PM
To: midpoint at lists.evolveum.com
Cc: Kamil Jires <kamil.jires at evolveum.com>
Subject: Re: [midPoint] distinguishedName Support in API Search
Hi Jared,
It is possible to search a shadow object using the Distinguished Name attribute with the current LTS 4.8.3. I have also tried on 4.4.8 but without success.
The DistinguishedName is available with path *attributes/ri:dn* in the shadow object.
Let me note that a shadow is a specific object, as it represents a real object (usually an account or group) located on the resource - an external system. When you show the content of the shadow (e.g. user - projection, resource - accounts), you see information which is updated / merged with the current information on the resource. Not all the information you see in the GUI is stored in midPoint's repository (except when you show the raw object or list repository objects directly). By default, only the identifiers (both primary and secondary) from the resource's attributes are stored on the shadow object in the repository.
You can also search over attributes which are not stored in midPoint's shadow object, but in that case communication with the resource is used and the response time may be impacted. If you want to search over an attribute stored in the repository, you can use the options *raw* or *noFetch* to keep the search (and also the result) limited to the content stored in midPoint's repository - the benefit could be response time. It is a design question for your implementation what you prefer / need. One of the options could also be adding an additional secondary identifier in the resource setting.
With midPoint release 4.9+ a caching feature on resources will be introduced. This may also help you reduce communication with the resource and the related response time.
OK, back to your question... You can try it yourself with our demo - https://demo.evolveum.com/ (credentials are visible on the login page).
Example of the call with the filter:
- query causing communication with the relevant resource:
curl -u administrator:<password> -H "Content-Type: application/json" -H "Accept: application/json" -X POST "https://demo.evolveum.com/midpoint/ws/rest/shadows/search" --data-binary @filter-file
- query limited to the midPoint's repository content:
curl -u administrator:<password> -H "Content-Type: application/json" -H "Accept: application/json" -X POST "https://demo.evolveum.com/midpoint/ws/rest/shadows/search?options=raw" --data-binary @filter-file
where the content of the filter-file is:
{
  "query": {
    "filter": {
      "text": "resourceRef matches (oid = \"ebd0bf7b-7e80-4175-ba5e-4fd5de2ecd62\") and kind = \"account\" and intent = \"default\" and attributes/dn = \"uid=raphael,ou=people,dc=example,dc=com\" "
    },
    "paging": {
      "maxSize": 5
    }
  }
}
Please note that the kind and intent are required to be able to match proper schema.
I hope this information will help you to solve the issue.
Relevant links to the docs:
- https://docs.evolveum.com/midpoint/reference/support-4.8/concepts/query/midpoint-query-language/search-using-shadow-attributes/#free-form-search
- https://docs.evolveum.com/midpoint/reference/support-4.8/interfaces/rest/operations/get-op-rest/
- https://docs.evolveum.com/midpoint/reference/support-4.8/interfaces/rest/operations/shadow-op-rest/
- https://docs.evolveum.com/midpoint/demo/
Best Regards,
Kamil Jires | Identity Engineer
kamil.jires at evolveum.com | www.evolveum.com
On 7/15/24 15:04, Crowe, Jared via midPoint wrote:
Hello.
I'd like to use the distinguishedName matching rule to search shadow data via the REST API. Is this supported in 4.4.8 (or in some later version)? If so, does anyone have a working example they could share?
E.g. (what I'm trying)
{
  "@ns": "http://prism.evolveum.com/xml/ns/public/query-3",
  "query": {
    "filter": {
      "text": "resourceRef matches (oid = \"11111111-1111-1111-111-111111100001\") and name equal [distinguishedName] \"uid=user,ou=Production, ou=People, dc=someorg, dc=edu\""
    },
    "paging": {
      "maxSize": 5
    }
  }
}
Thanks in advance!
JARED CROWE
ASSISTANT DIRECTOR INTEGRATIONS
Administrative Information Technology Services (AITS)
University of Illinois System
50 Gerty Dr. #133d | M/C 673 | Champaign, IL 61820
217.333.2098 | jmcrowe at illinois.edu
www.aits.uillinois.edu
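Added example, not part of the original thread and not midPoint's own code: a Python helper that produces the filter-file body and search URL from Kamil's reply when the DN is supplied by a caller instead of typed by hand. The name build_shadow_search and the validation rules (UUID-shaped resource OID, refusing quotes and backslashes rather than escaping them) are assumptions made for this example.

```python
import json
import re
from urllib.parse import urlencode

# Assumption: resource OIDs are UUID-shaped, like the one in the reply.
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ALLOWED_OPTIONS = {"raw", "noFetch"}  # the two options named in the reply


def build_shadow_search(base_url, resource_oid, dn, kind="account",
                        intent="default", option=None, max_size=5):
    """Return (url, json_body) for POST <base_url>/ws/rest/shadows/search."""
    if not UUID_RE.match(resource_oid):
        raise ValueError("resource OID is not a well-formed UUID")
    for name, value in (("dn", dn), ("kind", kind), ("intent", intent)):
        # Assumption: refuse instead of escaping, because the thread does not
        # show how the query language escapes characters in string literals.
        if '"' in value or "\\" in value or any(ord(c) < 32 for c in value):
            raise ValueError(f"{name} contains a character that could alter the filter")
    if option is not None and option not in ALLOWED_OPTIONS:
        raise ValueError("unsupported search option")

    # kind and intent are always emitted: the reply notes they are required
    # so that the attribute can be matched against the proper schema.
    text = (f'resourceRef matches (oid = "{resource_oid}") '
            f'and kind = "{kind}" and intent = "{intent}" '
            f'and attributes/dn = "{dn}"')
    # json.dumps performs the JSON-level quoting (\" in the filter-file).
    body = json.dumps({"query": {"filter": {"text": text},
                                 "paging": {"maxSize": max_size}}}, indent=2)
    url = base_url.rstrip("/") + "/ws/rest/shadows/search"
    if option:
        url += "?" + urlencode({"options": option})
    return url, body


if __name__ == "__main__":
    # Values taken from the reply; write the body to filter-file for curl.
    url, body = build_shadow_search(
        "https://demo.evolveum.com/midpoint",
        "ebd0bf7b-7e80-4175-ba5e-4fd5de2ecd62",
        "uid=raphael,ou=people,dc=example,dc=com",
        option="raw")
    print(url)
    print(body)
```

The body can be saved as filter-file and sent with the curl commands from the reply; a DN that legitimately contains a backslash-escaped character is rejected by this helper and needs separate handling.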