[midPoint] Active Directory + associations - different behavior between Midpoint 4.8 and Midpoint 4.1
Lubomir Marton
lmarton at evolveum.com
Mon May 13 09:28:04 CEST 2024
Hi Carlos,
In the case you described, the group could not be unassigned from the user in midPoint due to the strong inbound mapping in the association. To resolve it, use a function to omit unassigned groups from processing in the AD resource mapping. Please see the published advanced example of an LDAP resource on GitHub.
Function:
midpoint-samples/samples/resources/ad-ldap/AD advanced/functionLibraries/ad-library.xml: https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/AD%20advanced/functionLibraries/ad-library.xml
Association in resource mapping:
https://github.com/Evolveum/midpoint-samples/blob/30bc721a387a765444d9c2155ea33654aff78de0/samples/resources/ad-ldap/AD%20advanced/resources/ADfirststep.xml#L746C1-L790C27
Best regards
Lubomir Marton
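As an added illustration of the interaction the reply above points at (this is not code from the thread, from midPoint, or from the linked samples, and it does not describe midPoint's internal clockwork), the following Python model reproduces the two mappings quoted further down in the thread: the metarole's outbound associationFromLink (assigned role -> AD group membership) and the resource's strong inbound assignmentTargetSearch (AD group membership -> role assignment). The one ordering assumption, labelled hypothetical in the code, is that the strong inbound is evaluated against the membership the account still has when the unassignment is processed; it is chosen because it is the simplest model that yields the reported symptom (role still assigned, AD membership removed). Role and group names are constructed sample data. The `skip` parameter stands in for "omit unassigned groups from processing".

```python
"""Model of the inbound/outbound association loop discussed in the thread.

Added illustration: not midPoint code and not a description of its internals.
It models only the two mappings quoted in the thread:

  * outbound (metarole inducement with associationFromLink): each assigned
    role that is linked to an AD group puts that group into the account's
    ldapGroups association;
  * inbound (resource association, strength=strong): each group in the
    account's ldapGroups becomes an assignment of the RoleType whose name
    equals the group's cn (the assignmentTargetSearch in the snippet).

Hypothetical ordering assumption: the strong inbound is evaluated against the
membership the account still has when the unassignment is processed.
Role and group names below are constructed sample data.
"""

from dataclasses import dataclass

# Constructed sample data: role name -> cn of the AD group the role is linked to.
ROLE_TO_GROUP = {"Just a test role": "Just a test role", "VPN Users": "VPN Users"}
GROUP_TO_ROLE = {cn: role for role, cn in ROLE_TO_GROUP.items()}


@dataclass(frozen=True)
class State:
    assignments: frozenset  # role names assigned to the user (the focus)
    ad_groups: frozenset    # cn of the AD groups the account is a member of


def outbound(assignments):
    """Groups the account must be a member of, derived from the assignments."""
    return frozenset(ROLE_TO_GROUP[r] for r in assignments if r in ROLE_TO_GROUP)


def inbound_strong(ad_groups, skip=frozenset()):
    """Assignments a strong inbound mapping asserts from AD membership.

    `skip` holds groups omitted from processing; an empty set corresponds to
    the configuration in the original post.
    """
    return frozenset(GROUP_TO_ROLE[g] for g in ad_groups - skip if g in GROUP_TO_ROLE)


def assign(state, role):
    """Scenario (a): assign a role. Both mappings agree, so nothing loops."""
    requested = state.assignments | {role}
    groups = state.ad_groups | outbound(requested)
    return State(requested | inbound_strong(groups), groups)


def unassign(state, role, omit_removed_groups):
    """Scenario (b): unassign a role and recompute both mappings once."""
    requested = state.assignments - {role}
    removed = outbound(state.assignments) - outbound(requested)
    # Without the omission, the strong inbound still sees the old membership
    # and re-creates the assignment that was just removed (hypothetical ordering).
    skip = removed if omit_removed_groups else frozenset()
    re_derived = inbound_strong(state.ad_groups, skip=skip)
    groups = (state.ad_groups - removed) | outbound(requested)
    return State(requested | re_derived, groups)


def is_consistent(state):
    """True when membership of managed groups matches what the assignments imply."""
    managed = state.ad_groups & frozenset(GROUP_TO_ROLE)
    return managed == outbound(state.assignments)


def run_scenario_b(omit_removed_groups):
    """Start with both roles assigned and in sync, then unassign one of them."""
    start = State(frozenset(), frozenset({"Domain Users"}))
    for role in ROLE_TO_GROUP:
        start = assign(start, role)
    assert is_consistent(start)
    return unassign(start, "Just a test role", omit_removed_groups)


if __name__ == "__main__":
    for omit in (False, True):
        end = run_scenario_b(omit)
        print(f"omit removed groups={omit}: assignments={sorted(end.assignments)}, "
              f"ad_groups={sorted(end.ad_groups)}, consistent={is_consistent(end)}")
```

With `omit_removed_groups=False` the model ends with "Just a test role" still assigned while its AD membership is gone, which is the 4.8 result reported below; with `True` both sides agree. The check that matters in practice is `is_consistent`: whenever a strong inbound derives assignments from the same attribute an outbound writes, the two authoritative sources must be separated (here by skipping the groups being removed), or an unassignment can never converge.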
From: "Carlos Ferreira" <carlos18619 at gmail.com>
To: "Lubomir Marton" <lmarton at evolveum.com>
Cc: "midPoint General Discussion" <midpoint at lists.evolveum.com>
Sent: Monday, April 29, 2024 3:59:53 PM
Subject: Re: [midPoint] Active Directory + associations - different behavior between Midpoint 4.8 and Midpoint 4.1
Hi Lubomir,
I did as you mentioned (explicitReferentialIntegrity=false), but the behavior is still the same.
And, as I said before, in Midpoint 4.1 the same scenarios worked perfectly.
Thanks
On Mon, Apr 29, 2024 at 06:00, Lubomir Marton <lmarton at evolveum.com> wrote:
Hi Carlos,
We recommend turning off explicitReferentialIntegrity for associations with groups. Please see the related documentation: https://docs.evolveum.com/connectors/resources/active-directory/group-synchronization-howto/ and https://docs.evolveum.com/connectors/resources/active-directory/active-directory-ldap/ .
Best regards
Lubomir Marton
From: "midPoint General Discussion" <midpoint at lists.evolveum.com>
To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
Cc: "Carlos Ferreira" <carlos18619 at gmail.com>
Sent: Thursday, April 25, 2024 6:33:11 PM
Subject: [midPoint] Active Directory + associations - different behavior between Midpoint 4.8 and Midpoint 4.1
Hi everyone,
Here is a snippet of a resource that connects with Active Directory and deals with associations:
<association id="2800">
    <ref>ldapGroups</ref>
    <displayName>Group Membership</displayName>
    <inbound id="2809">
        <strength>strong</strength>
        <expression>
            <assignmentTargetSearch>
                <targetType>RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <script>
                                <code>
                                    basic.getAttributeValue(entitlement, 'cn')
                                </code>
                            </script>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </inbound>
    <kind>entitlement</kind>
    <intent>ListaAD</intent>
    <intent>GrupoAD</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>dn</valueAttribute>
    <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
    <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
</association>
And here is the specific configuration in a metarole that, together with the previous one, populates groups in Active Directory:
<inducement id="2">
    <construction>
        <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e3" relation="org:default" type="c:ResourceType">
            <!-- Active Directory 10.x.x.x - -->
        </resourceRef>
        <kind>account</kind>
        <intent>default</intent>
        <association id="3">
            <ref>ri:ldapGroups</ref>
            <outbound>
                <strength>strong</strength>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                            <kind>entitlement</kind>
                            <intent>GrupoAD</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
    <focusType>c:UserType</focusType>
</inducement>
Scenarios (for a specific user):
a) Assignment of a role
1. Select the user;
2. Click "assignment -> role -> Just a test role";
3. Click the "save" button;
-> result:
Midpoint 4.1: the role is assigned to the user and the association is correctly created on AD.
Midpoint 4.8: the role is assigned to the user and the association is correctly created on AD.
b) Unassignment of a role
1. Select the user;
2. Click "assignment -> role -> Just a test role";
3. Click on the "-" icon;
4. Click the "save" button;
-> result:
Midpoint 4.1: the role is unassigned from the user and the association is correctly removed from AD. <- expected behavior
Midpoint 4.8: the role is NOT unassigned from the user BUT the association is correctly removed from AD. <- unexpected behavior
Is there any configuration (in Midpoint 4.8) missing on the resource or metarole?
Thanks.
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint