[midPoint] AD Groups associations in MP 4.8.7
mikhail.nikolaenko
mikhail.nikolaenko at proton.me
Tue Apr 1 16:53:11 CEST 2025
Dear community,
I am trying to implement AD groups in MP v. 4.8.7 and have issues.
Our requirements:
- AD accounts are provisioned as users.
- AD groups are provisioned as entitlements (Archetype - application role).
- We’ve attempted to set up associations for account and group in resource types (following examples).
Results:
- Provisioning and reconciliation of users and groups work correctly in both directions.
- Assignment issues:
  a. When a user is assigned to a group in AD, the corresponding role is assigned to the user in midPoint, which is correct.
  b. When a user is removed from a group in AD, the role in midPoint remains assigned. If I set the range to <predefined>all</predefined>, roles are removed, but this also deletes all roles, including non-AD roles. I also tried the "tolerant" setting, but with no success.
  c. Adding or removing a role in midPoint has no effect on AD.
Could someone provide insight into what might be going wrong? I’ve compared the configurations with different examples but haven’t identified any significant differences.
With best regards,
Mike
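As an added illustration of the range setting mentioned in point b (not Mike's configuration and not a midPoint sample), the fragment below places the weak form and a narrower form side by side for the inbound mapping on the account-to-group association. With <predefined>all</predefined> the mapping claims every value of the user's assignment item, so any assignment it did not produce is removed; a <set> with a <condition> makes the mapping own only those assignments that point at a role carrying the AD-group archetype, and assignments outside that set are never touched. The archetype OID is a placeholder, the mapping name is constructed, and the assumption is that the condition script sees the existing assignment as the input variable.

```xml
<!-- Added illustration only; not the poster's resource definition.
     Fragment of a resource objectType for AD accounts (midPoint 4.8 schema handling). -->
<objectType>
    <kind>account</kind>
    <intent>default</intent>
    <association>
        <ref>ri:group</ref>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>

        <inbound>
            <name>ad-group-to-role</name> <!-- constructed name -->
            <strength>strong</strength>
            <!-- expression: assignmentTargetSearch resolving the group shadow
                 to the matching role, as in the existing configuration -->
            <target>
                <path>assignment</path>
            </target>

            <!-- WEAK: the mapping owns every assignment of the user, so any
                 assignment not produced by this mapping (non-AD roles) is removed. -->
            <!--
            <range>
                <predefined>all</predefined>
            </range>
            -->

            <!-- NARROWER: the mapping owns only assignments whose target role carries
                 the AD-group archetype; other assignments are out of range and left alone. -->
            <range>
                <set>
                    <condition>
                        <script>
                            <code>
                                import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType

                                // Assumption: 'input' is the existing assignment being tested.
                                def targetRef = input?.targetRef
                                if (targetRef == null || targetRef.oid == null) {
                                    return false
                                }
                                // Load the referenced role and inspect its archetypes.
                                def role = midpoint.getObject(RoleType.class, targetRef.oid)
                                return role?.archetypeRef?.any {
                                    it.oid == 'REPLACE-WITH-AD-GROUP-ARCHETYPE-OID' // placeholder
                                }
                            </code>
                        </script>
                    </condition>
                </set>
            </range>
        </inbound>
    </association>
</objectType>
```

After changing the range, a reconciliation of the AD resource is needed before the new boundary takes effect on existing users; checking one user whose AD group was removed against one user holding only non-AD roles shows whether the condition draws the line where intended.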