[midPoint] distinguishedName Support in API Search
Kamil Jires
kamil.jires at evolveum.com
Fri Jul 26 01:47:03 CEST 2024
Hi Jared,

it is possible to search shadow objects using the Distinguished Name
attribute with the current LTS 4.8.3. I have also tried on 4.4.8 but
without success.

The DistinguishedName is available with the path *attributes/ri:dn* in the
shadow object.

Let me note that a shadow is a specific object, as it represents a real
object (usually an account or group) located on the resource - an external
system. When you show the content of the shadow (e.g. user -
projection, resource - accounts), you see information which is
updated / merged with the current information on the resource. Not all
the information you see in the GUI is stored in midPoint's repository
(except when you show the raw object or list repository objects
directly). By default, only the identifiers (both primary and
secondary) from the resource's attributes are stored on the shadow object
in the repository.

You can also search over attributes which are not stored in
midPoint's shadow object, but in that case communication with the
resource is used and the resulting time may be impacted.
If you want to search over an attribute stored in the repository,
you can use the options *raw* or *noFetch* to keep the search (and also
the result) limited to the content stored in midPoint's repository - the
benefit could be response time. It is a design question for your
implementation what you prefer / need. One of the options could also be
adding an additional secondary identifier in the resource setting.

With midPoint release 4.9+ a caching feature on resources will be
introduced. This may also help you reduce communication with the resource
and the related response time.

OK, back to your question... You can try it yourself with our demo -
https://demo.evolveum.com/ (credentials are visible on the login page).

Example of the call with the filter:
- query causing communication with the relevant resource:

    curl -u 'administrator:<password>' \
      -H "Content-Type: application/json" \
      -H "Accept: application/json" \
      -X POST \
      "https://demo.evolveum.com/midpoint/ws/rest/shadows/search" \
      --data-binary @filter-file

- query limited to midPoint's repository content:

    curl -u 'administrator:<password>' \
      -H "Content-Type: application/json" \
      -H "Accept: application/json" \
      -X POST \
      "https://demo.evolveum.com/midpoint/ws/rest/shadows/search?options=raw" \
      --data-binary @filter-file

where the content of the filter-file is:

    {
      "query": {
        "filter": {
          "text": "resourceRef matches (oid = \"ebd0bf7b-7e80-4175-ba5e-4fd5de2ecd62\") and kind = \"account\" and intent = \"default\" and attributes/dn = \"uid=raphael,ou=people,dc=example,dc=com\""
        },
        "paging": {
          "maxSize": 5
        }
      }
    }

Please note that the kind and intent are required to be able to match
the proper schema.

I hope this information will help you to solve the issue.

Relevant links to the docs:
- https://docs.evolveum.com/midpoint/reference/support-4.8/concepts/query/midpoint-query-language/search-using-shadow-attributes/#free-form-search
- https://docs.evolveum.com/midpoint/reference/support-4.8/interfaces/rest/operations/get-op-rest/
- https://docs.evolveum.com/midpoint/reference/support-4.8/interfaces/rest/operations/shadow-op-rest/
- https://docs.evolveum.com/midpoint/demo/

Best Regards,
*Kamil Jires* | Identity Engineer
On 7/15/24 15:04, Crowe, Jared via midPoint wrote:
> Hello.
>
> I'd like to use the distinguishedName matching rule to search shadow
> data via the REST API. Is this supported in 4.4.8 (or in some later
> version)? If so, does anyone have a working example they could share?
>
> E.g. (what I'm trying)
>
> {
>   "@ns": "http://prism.evolveum.com/xml/ns/public/query-3",
>   "query": {
>     "filter": {
>       "text": "resourceRef matches (oid = \"11111111-1111-1111-111-111111100001\") and name equal [distinguishedName] \"uid=user,ou=Production, ou=People, dc=someorg, dc=edu\""
>     },
>     "paging": {
>       "maxSize": 5
>     }
>   }
> }
>
> Thanks in advance!
>
> *JARED CROWE*
> /ASSISTANT DIRECTOR INTEGRATIONS/
>
> Administrative Information Technology Services (AITS)
> University of Illinois System
> 50 Gerty Dr. #133d | M/C 673 | Champaign, IL 61820
> 217.333.2098 | jmcrowe at illinois.edu <mailto:jmcrowe at illinois.edu>
> www.aits.uillinois.edu <http://www.aits.uillinois.edu/>
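
Added example, not part of the original thread and not midPoint code: building the filter-file body for the shadow search with a JSON serializer, so the nested quoting is not hand-escaped and a DN taken from untrusted input cannot end the quoted literal early. The helper names and the reject-rather-than-escape policy are assumptions of this example; the URL, OID, DN and option names are the ones given in the reply above.

```python
import json

# Values taken from the reply above (demo endpoint, resource OID, DN).
SEARCH_URL = "https://demo.evolveum.com/midpoint/ws/rest/shadows/search"
RESOURCE_OID = "ebd0bf7b-7e80-4175-ba5e-4fd5de2ecd62"
SAMPLE_DN = "uid=raphael,ou=people,dc=example,dc=com"
OPTIONS = ("raw", "noFetch")  # the two options named in the reply


def literal(value):
    """Return value as a double-quoted query literal (hypothetical helper).

    Assumption: quotes, backslashes and control characters are rejected
    instead of escaped, so the value cannot terminate the literal early.
    """
    if any(c in '"\\' or ord(c) < 0x20 for c in value):
        raise ValueError("unsafe character in query value: %r" % value)
    return '"' + value + '"'


def build_shadow_search(resource_oid, dn, kind="account", intent="default",
                        max_size=5, option=None):
    """Return (url, body) for a shadow search by DN (hypothetical helper)."""
    if option is not None and option not in OPTIONS:
        raise ValueError("unsupported option: %r" % option)
    # kind and intent are included because the reply says they are
    # required to match the proper schema.
    text = ("resourceRef matches (oid = %s) and kind = %s and intent = %s "
            "and attributes/dn = %s") % (literal(resource_oid), literal(kind),
                                         literal(intent), literal(dn))
    body = json.dumps({"query": {"filter": {"text": text},
                                 "paging": {"maxSize": int(max_size)}}},
                      indent=2)
    url = SEARCH_URL if option is None else SEARCH_URL + "?options=" + option
    return url, body


if __name__ == "__main__":
    url, body = build_shadow_search(RESOURCE_OID, SAMPLE_DN, option="raw")
    print(url)
    print(body)  # save as filter-file for the curl call shown in the reply
```
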