<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000"><br>
Hi Ivan -<br>
<br>
A quick question about returning groups:<br>
<br>
How do I return multiple groups...are they comma separated or?<br>
<br>
If I have two group DNs to return:<br>
cn=group1,ou=groups,ou=orgA<br>
cn=group2,ou=groups,ou=depts,ou=orgB<br>
<br>
can I return an array from within the script?<br>
<br>
Thank you.<br>
<blockquote style="border: 0px none;"
cite="mid:52CC29EE.3090306@evolveum.com" type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="ivan.noris@evolveum.com" photoname="Ivan Noris"
src="cid:part1.09040602.03040604@trilobytesystems.com"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Ivan Noris</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">January 7, 2014
at 5:23 PM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div>Hi Deepak,<br><br>I'm
using the Active Directory connector to manage accounts in AD, and a<br>mapping
which assigns users to groups. I didn't have to change resource<br>schema
to use groups; it is available out of the box.<br><br>The mapping is
for the icfs:groups attribute and midPoint 2.2.x,<br>although it should
still be the same for 2.3.<br><br>I've adapted this from actual customer
configuration, removing the<br>customer-specific code, but leaving the
XML comments for you:<br><br><pre>
&lt;attribute&gt;
    &lt;ref&gt;icfs:groups&lt;/ref&gt;
    &lt;displayName&gt;Groups&lt;/displayName&gt;

    &lt;limitations&gt;
        &lt;access&gt;
            &lt;create&gt;true&lt;/create&gt;
            &lt;read&gt;true&lt;/read&gt;
            &lt;update&gt;true&lt;/update&gt;
        &lt;/access&gt;
    &lt;/limitations&gt;

    &lt;!-- tolerant=false + strength=strong removes ALL other values including
    groups not managed by midpoint

    tolerant=true + strength=strong removes old group when the condition
    changes, keeping groups managed outside of midpoint --&gt;

    &lt;tolerant&gt;true&lt;/tolerant&gt;&lt;!-- See above --&gt;
    &lt;matchingRule&gt;mr:stringIgnoreCase&lt;/matchingRule&gt;
    &lt;outbound&gt;
        &lt;strength&gt;strong&lt;/strength&gt;&lt;!-- See above --&gt;
        &lt;source&gt;
            &lt;path&gt;$user/employeeType&lt;/path&gt;
        &lt;/source&gt;
        &lt;expression&gt;
            &lt;script&gt;
                &lt;code&gt;
if (employeeType == 'FTE')
{
    return 'CN=group1,.........................'
}

                &lt;/code&gt;
            &lt;/script&gt;
        &lt;/expression&gt;
    &lt;/outbound&gt;
&lt;/attribute&gt;
</pre><br>You may need to use our versions of
Connector Server and Active<br>Directory connector, there were some
case-sensitivity issues in the<br>original versions (causing groups like
"cn=group1,... and CN=group1" to<br>cause problems):<br><br><a class="moz-txt-link-freetext" href="http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/">http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/</a><br><br><a class="moz-txt-link-freetext" href="http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/">http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/</a><br><br>And
update your resource configuration:<br><br><pre>
&lt;icfc:resultsHandlerConfiguration&gt;
    &lt;!-- currently this requires latest Evolveum
    version of .net connector server --&gt;
    &lt;icfc:enableFilteredResultsHandler&gt;false&lt;/icfc:enableFilteredResultsHandler&gt;
&lt;/icfc:resultsHandlerConfiguration&gt;

&lt;!-- Configuration specific for the Active Directory
connector --&gt;

&lt;icfc:configurationProperties
. . .
</pre><br>This
is the combination I currently use and seems to work well.<br><br>Hope
this helps,<br>regards,<br>Ivan<br></div><div><!----><br></div></div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
photoaddress="dnataraj@trilobytesystems.com" photoname="Deepak
Natarajan" src="cid:part1.09040602.03040604@trilobytesystems.com"
name="compose-unknown-contact.jpg" height="25px" width="25px"></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true"
href="mailto:dnataraj@trilobytesystems.com" style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Deepak Natarajan</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">January 7, 2014
at 4:55 PM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div>Hi -<br><br>I'm trying to
figure out how to implement group membership for an Active<br>Directory
resource.<br><br>We are using Midpoint 2.3-SNAPSHOT.<br><br>Is it still
possible to execute this using the idea of LDAP groups<br>described
here :<br><a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO">https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO</a>
(since AD<br>supports LDAPv3)?<br><br>Does anyone have any working
configuration they can share that they use<br>against Active Directory
to provision users and also set up group<br>memberships?<br><br>Thanks
in advance!<br>BR/Deepak<br><br></div></div>
</blockquote>
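<p>The tolerant/strength behaviour described in the XML comment of the quoted reply, modelled as an added example (not code from the thread and not midPoint's own code). The <code>reconcile</code> function and the <code>cn=helpdesk</code> group are assumptions made for illustration; the other two DNs are the ones from the question.</p>
<pre>
```python
# Added illustration: a model of the behaviour the XML comment describes,
# not midPoint code. DN comparison is case-insensitive, standing in for
# the mr:stringIgnoreCase matching rule in the quoted mapping.

def norm(dn):
    return dn.strip().lower()

def reconcile(current, old_output, new_output, tolerant):
    """Group DNs left on the account after a strong outbound mapping runs.

    current    -- values on the AD account now
    old_output -- what the mapping produced before the condition changed
    new_output -- what the mapping produces now
    """
    new_keys = {norm(dn) for dn in new_output}
    if tolerant:
        # Remove only values the mapping itself used to produce.
        stale = {norm(dn) for dn in old_output} - new_keys
        kept = [dn for dn in current if norm(dn) not in stale]
    else:
        # Remove every value the mapping does not produce.
        kept = [dn for dn in current if norm(dn) in new_keys]
    present = {norm(dn) for dn in kept}
    for dn in new_output:
        if norm(dn) not in present:
            kept.append(dn)
            present.add(norm(dn))
    return kept

# Constructed sample data. GROUP1 and GROUP2 are the DNs from the question;
# HELPDESK is a hypothetical group assigned outside midPoint.
GROUP1 = "cn=group1,ou=groups,ou=orgA"
GROUP2 = "cn=group2,ou=groups,ou=depts,ou=orgB"
HELPDESK = "cn=helpdesk,ou=groups,ou=orgA"
ON_ACCOUNT = ["CN=group1,ou=groups,ou=orgA", HELPDESK]  # AD returned upper-case CN

if __name__ == "__main__":
    for tolerant in (True, False):
        result = reconcile(ON_ACCOUNT, [GROUP1], [GROUP2], tolerant)
        print("tolerant=%s: %s" % (tolerant, result))
```
</pre>
<p>With tolerant=true the externally assigned group survives the change from group1 to group2; with tolerant=false it is removed along with group1.</p>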
</body></html>