<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000"><br>
Hi Ivan -<br>
<br>
A quick (hopefully last) question about this issue - is it necessary 
that the groups should exist in AD already, or will midPoint be able to 
create them using the connector if they are not present? (I assumed the 
latter and am running into an error...)<br>
<br>
Thanks!<br>
<br>
BR/Deepak<br>
<blockquote style="border: 0px none;" 
cite="mid:52CD4261.4070207@evolveum.com" type="cite">
  <div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div 
style="display:table;width:100%;border-top:1px solid 
#EDEEF0;padding-top:5px">       <div 
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
 photoaddress="ivan.noris@evolveum.com" photoname="Ivan Noris" 
src="cid:part1.07030200.09000904@trilobytesystems.com" 
name="compose-unknown-contact.jpg" height="25px" width="25px"></div>   <div
 
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
        <a moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com" 
style="color:#737F92 
!important;padding-right:6px;font-weight:bold;text-decoration:none 
!important;">Ivan Noris</a></div>   <div 
style="display:table-cell;white-space:nowrap;vertical-align:middle;">   
  <font color="#9FA2A5"><span style="padding-left:6px">January 8, 2014 
at 1:19 PM</span></font></div></div></div>
  <div style="color:#888888;margin-left:24px;margin-right:24px;" 
__pbrmquotes="true" class="__pbConvBody">
  
  
    Hi Deepak,<br>
    <br>
    I'm doing it with the code based on the following (Groovy):<br>
    <br>
    tmpOut = []<br>
    tmpOut.add('cn=group1,ou=groups,ou=orgA')<br>
    tmpOut.add('cn=group2,ou=groups,ou=depts,ou=orgB')<br>
    return tmpOut<br>
    <br>
    Just be sure you are using the latest connector and connector server
    (from our Nexus) and the setup mentioned earlier or you can have
    problems when specifying the group name as "cn=group1,ou=..." and
    the group is actually stored in AD and returned from its LDAP as
    "CN=group1,OU=..."<br>
    <br>
    Regards,<br>
    Ivan<br>
    <br>
    <div class="moz-cite-prefix">On 01/08/2014 01:04 PM, Deepak
      Natarajan wrote:<br>
    </div>
    
    <br>
    <div>-- <br>  Ing. Ivan Noris<br>  Consultant<br>  Evolveum, s.r.o<br>
  ___________________________________________________<br>  "Semper 
cautus - semper paratus - semper idem Vix."<br></div>
  <div>_______________________________________________<br>midPoint 
mailing list<br><a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br><a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br></div></div>
  <div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div 
style="display:table;width:100%;border-top:1px solid 
#EDEEF0;padding-top:5px">       <div 
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
 photoaddress="dnataraj@trilobytesystems.com" photoname="Deepak 
Natarajan" src="cid:part1.07030200.09000904@trilobytesystems.com" 
name="compose-unknown-contact.jpg" height="25px" width="25px"></div>   <div
 
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
        <a moz-do-not-send="true" 
href="mailto:dnataraj@trilobytesystems.com" style="color:#737F92 
!important;padding-right:6px;font-weight:bold;text-decoration:none 
!important;">Deepak Natarajan</a></div>   <div 
style="display:table-cell;white-space:nowrap;vertical-align:middle;">   
  <font color="#9FA2A5"><span style="padding-left:6px">January 8, 2014 
at 1:04 PM</span></font></div></div></div>
  <div style="color:#888888;margin-left:24px;margin-right:24px;" 
__pbrmquotes="true" class="__pbConvBody">
<br>
Hi Ivan -<br>
<br>
A quick question about returning groups:<br>
<br>
How do I return multiple groups...are they comma separated or?<br>
<br>
If I have two group DNs to return:<br>
cn=group1,ou=groups,ou=orgA<br>
cn=group2,ou=groups,ou=depts,ou=orgB<br>
<br>
can I return an array from within the script?<br>
<br>
Thank you.<br>

  </div>
  <div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div 
style="display:table;width:100%;border-top:1px solid 
#EDEEF0;padding-top:5px">       <div 
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
 photoaddress="ivan.noris@evolveum.com" photoname="Ivan Noris" 
src="cid:part1.07030200.09000904@trilobytesystems.com" 
name="compose-unknown-contact.jpg" height="25px" width="25px"></div>   <div
 
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
        <a moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com" 
style="color:#737F92 
!important;padding-right:6px;font-weight:bold;text-decoration:none 
!important;">Ivan Noris</a></div>   <div 
style="display:table-cell;white-space:nowrap;vertical-align:middle;">   
  <font color="#9FA2A5"><span style="padding-left:6px">January 7, 2014 
at 5:23 PM</span></font></div></div></div>
  <div style="color:#888888;margin-left:24px;margin-right:24px;" 
__pbrmquotes="true" class="__pbConvBody"><div>Hi Deepak,<br><br>I'm 
using the Active Directory connector to manage accounts in AD, and a 
mapping which assigns user to groups. I didn't have to change resource 
schema to use groups; it is available out of the box.<br><br>The mapping is 
for the icfs:groups attribute and midPoint 2.2.x, although it should 
still be the same for 2.3.<br><br>I've adapted this from actual customer 
configuration, removing the customer-specific code, but leaving the 
XML comments for you:<br><br>
<pre>
&lt;attribute&gt;
    &lt;ref&gt;icfs:groups&lt;/ref&gt;
    &lt;displayName&gt;Groups&lt;/displayName&gt;

    &lt;limitations&gt;
        &lt;access&gt;
            &lt;create&gt;true&lt;/create&gt;
            &lt;read&gt;true&lt;/read&gt;
            &lt;update&gt;true&lt;/update&gt;
        &lt;/access&gt;
    &lt;/limitations&gt;
    &lt;!-- tolerant=false + strength=strong removes ALL other values including
         groups not managed by midpoint

         tolerant=true + strength=strong removes old group when the condition
         changes, keeping groups managed outside of midpoint --&gt;

    &lt;tolerant&gt;true&lt;/tolerant&gt;&lt;!-- See above --&gt;
    &lt;matchingRule&gt;mr:stringIgnoreCase&lt;/matchingRule&gt;
    &lt;outbound&gt;
        &lt;strength&gt;strong&lt;/strength&gt;&lt;!-- See above --&gt;
        &lt;source&gt;
            &lt;path&gt;$user/employeeType&lt;/path&gt;
        &lt;/source&gt;
        &lt;expression&gt;
            &lt;script&gt;
                &lt;code&gt;
if (employeeType == 'FTE')
{
    return 'CN=group1,.........................'
}

&lt;/code&gt;
            &lt;/script&gt;
        &lt;/expression&gt;
    &lt;/outbound&gt;
&lt;/attribute&gt;
</pre>
<br>You may need to use our versions of 
Connector Server and Active Directory connector, there were some 
case-sensitivity issues in the original versions (causing groups like 
"cn=group1,... and CN=group1" to cause problems):<br><br><a class="moz-txt-link-freetext" href="http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/">http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/</a><br><br><a class="moz-txt-link-freetext" href="http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/">http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/</a><br><br>And 
update your resource configuration:<br><br>
<pre>
&lt;icfc:resultsHandlerConfiguration&gt;
    &lt;!-- currently this requires latest Evolveum
         version of .net connector server --&gt;
    &lt;icfc:enableFilteredResultsHandler&gt;false&lt;/icfc:enableFilteredResultsHandler&gt;
&lt;/icfc:resultsHandlerConfiguration&gt;

&lt;!-- Configuration specific for the Active Directory
     connector --&gt;

&lt;icfc:configurationProperties
. . .
</pre>
<br>This 
is the combination I currently use and seems to work well.<br><br>Hope 
this helps,<br>regards,<br>Ivan<br></div><div><!----><br></div></div>
  <div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div 
style="display:table;width:100%;border-top:1px solid 
#EDEEF0;padding-top:5px">       <div 
style="display:table-cell;vertical-align:middle;padding-right:6px;"><img
 photoaddress="dnataraj@trilobytesystems.com" photoname="Deepak 
Natarajan" src="cid:part1.07030200.09000904@trilobytesystems.com" 
name="compose-unknown-contact.jpg" height="25px" width="25px"></div>   <div
 
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
        <a moz-do-not-send="true" 
href="mailto:dnataraj@trilobytesystems.com" style="color:#737F92 
!important;padding-right:6px;font-weight:bold;text-decoration:none 
!important;">Deepak Natarajan</a></div>   <div 
style="display:table-cell;white-space:nowrap;vertical-align:middle;">   
  <font color="#9FA2A5"><span style="padding-left:6px">January 7, 2014 
at 4:55 PM</span></font></div></div></div>
  <div style="color:#888888;margin-left:24px;margin-right:24px;" 
__pbrmquotes="true" class="__pbConvBody"><div>Hi -<br><br>I'm trying to 
figure out how to implement group membership for an Active Directory 
resource.<br><br>We are using midPoint 2.3-SNAPSHOT.<br><br>Is it still 
possible to execute this using the idea of LDAP groups described 
here: <a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO">https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO</a> 
(since AD supports LDAPv3)?<br><br>Does anyone have any working 
configuration they can share that they use against Active Directory 
to provision users and also set up group memberships?<br><br>Thanks 
in advance!<br>BR/Deepak<br><br></div></div>
</blockquote>
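<br>
The tolerant/strength behaviour and the DN case problem described in the thread above, as an added example that is not part of the original messages and is not midPoint's own code. It is a simplified Groovy model: <code>groupsFor</code>, <code>plan</code>, the two comparison closures and the <code>vpn-users</code> DN are hypothetical names and constructed sample values.<br>
<pre>
```groovy
// Added illustration: a simplified model of the behaviour described in the
// thread, not midPoint's implementation. All DNs are constructed samples.

// Mapping script body: return a list to assign several groups at once.
def groupsFor(String employeeType) {
    def out = []
    if (employeeType == 'FTE') {
        out.add('cn=group1,ou=groups,ou=orgA')
        out.add('cn=group2,ou=groups,ou=depts,ou=orgB')
    }
    return out
}

// Comparison keys: exact string match vs. a stringIgnoreCase-style match.
def exact      = { String dn -> dn }
def ignoreCase = { String dn -> dn.toLowerCase() }

// Model of a strong outbound mapping on a multi-valued attribute.
//   current  - values read back from AD
//   previous - values this mapping produced last time
//   desired  - values this mapping produces now
//   tolerant - true: remove only values this mapping produced before
//              false: remove every value the mapping does not produce
def plan(List current, List previous, List desired, boolean tolerant, Closure key) {
    def currentKeys  = current.collect(key) as Set
    def previousKeys = previous.collect(key) as Set
    def desiredKeys  = desired.collect(key) as Set
    def toAdd = desired.findAll { dn -> !currentKeys.contains(key.call(dn)) }
    def toRemove = current.findAll { dn ->
        def k = key.call(dn)
        if (desiredKeys.contains(k)) return false
        return !tolerant || previousKeys.contains(k)
    }
    return [toAdd: toAdd, toRemove: toRemove]
}

// AD returns upper-case attribute types; vpn-users was granted outside midPoint.
def inAd   = ['CN=group1,OU=groups,OU=orgA', 'CN=vpn-users,OU=groups,OU=orgA']
def wanted = groupsFor('FTE')

// Exact matching: group1 is planned for re-adding although the user holds it.
assert plan(inAd, wanted, wanted, true, exact).toAdd.size() == 2
// Case-insensitive matching: only the missing group2 is added.
assert plan(inAd, wanted, wanted, true, ignoreCase).toAdd == ['cn=group2,ou=groups,ou=depts,ou=orgB']
// tolerant=true keeps the externally granted group ...
assert plan(inAd, wanted, wanted, true, ignoreCase).toRemove == []
// ... tolerant=false strips it.
assert plan(inAd, wanted, wanted, false, ignoreCase).toRemove == ['CN=vpn-users,OU=groups,OU=orgA']
println 'model checks passed'
```
</pre>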
</body></html>