[midPoint] AD Ressource - Cannot filter on DN

Carlos Ferreira carlos18619 at gmail.com
Wed Jul 16 15:19:41 CEST 2025


Dear Hertzog,

Please, try something like this:

a) to retrieve users:

        <objectType id="93">
            <kind>account</kind>
            <intent>usuarios</intent>
            <displayName>Account</displayName>
            <description>Usuarios do TRT3 no  openldap</description>
            <default>false</default>
            <objectClass>ri:inetOrgPerson</objectClass>
            <auxiliaryObjectClassMappings>
                <tolerant>true</tolerant>
            </auxiliaryObjectClassMappings>
            <delineation>
                <objectClass>ri:inetOrgPerson</objectClass>
                <baseContext>
                    <objectClass>ri:organizationalUnit</objectClass>
                    <filter>
                        <q:equal>
                            <q:path>attributes/dn</q:path>
                            <q:value>OU=Usuarios,DC=trt</q:value>
                        </q:equal>
                    </filter>
                </baseContext>
                <searchHierarchyScope>sub</searchHierarchyScope>
            </delineation>
            <focus>
                <type>c:UserType</type>
            </focus>

<....>

b) to retrieve groups

        <objectType id="353">
            <kind>entitlement</kind>
            <intent>unixgroup</intent>
            <displayName>LDAP Sistemas Posixgroup</displayName>
            <lifecycleState>active</lifecycleState>
            <objectClass>ri:posixGroup</objectClass>
            <delineation>
                <objectClass>ri:posixGroup</objectClass>
                <baseContext>
                    <objectClass>ri:organizationalUnit</objectClass>
                    <filter>
                        <q:equal>
                            <q:path>attributes/dn</q:path>
                            <q:value>ou=sistemas,dc=trt</q:value>
                        </q:equal>
                    </filter>
                </baseContext>
                <searchHierarchyScope>sub</searchHierarchyScope>
            </delineation>
            <focus>
                <type>


PS: remember to define the <generationConstraints> clause as, for example,

    <schema>
        <cachingMetadata>
            <retrievalTimestamp>2025-07-09T20:46:49.027-03:00</retrievalTimestamp>
            <serialNumber>f8db8d23d47e12c5-4a144a735909e4b0</serialNumber>
        </cachingMetadata>
        <generationConstraints>
            <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
            <generateObjectClass>ri:groupOfNames</generateObjectClass>
            <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
            <generateObjectClass>ri:posixGroup</generateObjectClass>
            <generateObjectClass>ri:organizationalUnit</generateObjectClass>
            <generateObjectClass>ri:posixAccount</generateObjectClass>
            <generateObjectClass>ri:sambaSamAccount</generateObjectClass>
            <generateObjectClass>ri:shadowAccount</generateObjectClass>
            <generateObjectClass>ri:qmailUser</generateObjectClass>
            <generateObjectClass>ri:sambaGroupMapping</generateObjectClass>
            <generateObjectClass>ri:sambaUnixIdPool</generateObjectClass>
        </generationConstraints>

--> every objectClass defined on your resource must be listed there.

Carlos
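Applied to the tree in the quoted question, the same exact-DN base context looks like this (an added example, not Carlos's or Evolveum's configuration; the intents, displayNames, the `ri:groupOfNames` group class and the `ri:organizationalUnit` objectClass of the cn=Iga and cn=Groups container entries are assumptions, and every objectClass used must also appear in `<generationConstraints>` as noted above):

```xml
<!-- Added example for the tree in the question: cn=Iga,cn=Users,DC=Acme
     holds the managed accounts and cn=Groups,DC=Acme the groups.
     Intents, displayNames, group objectClass and the objectClass of the
     cn=Iga / cn=Groups container entries are assumptions. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>iga</intent>
        <displayName>Users managed by midPoint</displayName>
        <default>true</default>
        <objectClass>ri:inetOrgPerson</objectClass>
        <delineation>
            <objectClass>ri:inetOrgPerson</objectClass>
            <!-- Exact DN match via q:equal; no wildcard on attributes/dn -->
            <baseContext>
                <objectClass>ri:organizationalUnit</objectClass>
                <filter>
                    <q:equal>
                        <q:path>attributes/dn</q:path>
                        <q:value>cn=Iga,cn=Users,DC=Acme</q:value>
                    </q:equal>
                </filter>
            </baseContext>
            <!-- sub: whole cn=Iga subtree; cn=External is never searched -->
            <searchHierarchyScope>sub</searchHierarchyScope>
        </delineation>
        <focus>
            <type>c:UserType</type>
        </focus>
    </objectType>
    <objectType>
        <kind>entitlement</kind>
        <intent>group</intent>
        <displayName>LDAP groups</displayName>
        <objectClass>ri:groupOfNames</objectClass>
        <delineation>
            <objectClass>ri:groupOfNames</objectClass>
            <baseContext>
                <objectClass>ri:organizationalUnit</objectClass>
                <filter>
                    <q:equal>
                        <q:path>attributes/dn</q:path>
                        <q:value>cn=Groups,DC=Acme</q:value>
                    </q:equal>
                </filter>
            </baseContext>
            <searchHierarchyScope>sub</searchHierarchyScope>
        </delineation>
    </objectType>
</schemaHandling>
```

The connector's own base context stays at DC=Acme so both subtrees are reachable; each object type's delineation then narrows its own search to one subtree.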

On Wed, 16 Jul 2025 at 05:33, HERTZOG Philippe via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hello,
>
> I’m using midPoint 4.9.3 to create a POC.
>
> I’m creating a resource connected to an LDAP server using the out of the
> box LDAP connector. The structure of my legacy LDAP is as follows:
>
> + DC=Acme
>     + cn=Groups
>         - Group entries
>     + cn=Users
>         + cn=External
>             - Several user entries created by another system
>         + cn=Iga
>             - Users managed from midPoint
>
> My objective is to have a resource that manages:
>
>    1. The users from the Iga branch
>    2. Add users to groups
>
> If I set the base context of my connector to cn=Iga,cn=Users,DC=Acme I
> can’t get the groups. So I set the base context to DC=Acme.
>
> But this way I retrieve all the users from cn=External also.
>
> I tried to put a filter on the User object type. The filter I tried was
> attributes/dn contains “,cn=Iga” but it doesn’t filter as expected. I saw
> errors in the logs stating that it is not possible to use wildcards on dn.
>
> So my question is: how can I implement this kind of scenario the best way?
>
> *Philippe Hertzog*
> *Architecte Cloud*
> 20 Rue Westrich - F 67600 Sélestat
> philippe.hertzog at groupe.schmidt
> Tél : +33 3 88 57 xx xx
> Mobile : +33 6 19 18 32 78
> www.groupe.schmidt | https://fr.linkedin.com/company/schmidt-groupe | https://www.facebook.com/SchmidtGroupe
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>