<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hi,<br>
      <br>
      This is a tricky question. For midPoint 2.2.x it is only possible
      using provisioning scripts. But there is already functionality in
      the midPoint 2.3 development master that allows you to do what you
      want. You can automatically create groups as a representation of
      midPoint roles or org units, so the groups will be created at the
      same time a role/org is created - and that's guaranteed to be
      before a user is assigned to any of these. Although we have only a
      handful of tests for this, I'm quite confident that it will work
      well because it reuses the bulk of the code that works well for
      users and accounts. The basic idea is described here:<br>
      <a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Generic+Synchronization">https://wiki.evolveum.com/display/midPoint/Generic+Synchronization</a><br>
      <br>
      Simply speaking you need to do two things:<br>
      * Define an entitlement object type and appropriate associations
      in resource schema handling section<br>
      * Add an *assignment* (not inducement!) to the org or role. Or
      create a meta-role and assign that to the org/role for which you
      want to create a group.<br>
      There is an example in the tests:<br>
      * resource with entitlement definition:
<a class="moz-txt-link-freetext" href="http://git.evolveum.com/view/midpoint/master/model/model-intest/src/test/resources/common/resource-dummy.xml">http://git.evolveum.com/view/midpoint/master/model/model-intest/src/test/resources/common/resource-dummy.xml</a><br>
      * meta-role:
<a class="moz-txt-link-freetext" href="http://git.evolveum.com/view/midpoint/master/model/model-intest/src/test/resources/gensync/role-meta-dummygroup.xml">http://git.evolveum.com/view/midpoint/master/model/model-intest/src/test/resources/gensync/role-meta-dummygroup.xml</a><br>
      <br>
      I just need to document this functionality. I hope to find some
      time for documentation later today.<br>
      <br>
      <pre class="moz-signature" cols="72">-- 

                                           Radovan Semancik
                                          Software Architect
                                             evolveum.com
</pre>
      <br>
      <br>
      On 01/08/2014 05:29 PM, Deepak Natarajan wrote:<br>
    </div>
    <blockquote cite="mid:52CD7CF6.9090803@trilobytesystems.com"
      type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      <br>
      Hi Ivan -<br>
      <br>
      A quick (hopefully last) question about this issue - is it
      necessary that the group should exist in AD already, or will
      midPoint be able to create them using the connector if they are
      not present? (I assumed the latter and am running into an
      error...)<br>
      <br>
      Thanks!<br>
      <br>
      BR/Deepak<br>
      <blockquote style="border: 0px none;"
        cite="mid:52CD4261.4070207@evolveum.com" type="cite">
        <div style="margin:30px 25px 10px 25px;" class="__pbConvHr">
          <div style="display:table;width:100%;border-top:1px solid
            #EDEEF0;padding-top:5px">
            <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
              <a moz-do-not-send="true"
                href="mailto:ivan.noris@evolveum.com"
                style="color:#737F92
                !important;padding-right:6px;font-weight:bold;text-decoration:none
                !important;">Ivan Noris</a></div>
            <div
              style="display:table-cell;white-space:nowrap;vertical-align:middle;">
              <font color="#9FA2A5"><span style="padding-left:6px">January
                  8, 2014 at 1:19 PM</span></font></div>
          </div>
        </div>
        <div style="color:#888888;margin-left:24px;margin-right:24px;"
          __pbrmquotes="true" class="__pbConvBody">
          <meta http-equiv="Content-Type" content="text/html;
            charset=ISO-8859-1">
          Hi Deepak,<br>
          <br>
          I'm doing it with code based on the following (Groovy):<br>
          <br>
          <pre>tmpOut = []
tmpOut.add('cn=group1,ou=groups,ou=orgA')
tmpOut.add('cn=group2,ou=groups,ou=depts,ou=orgB')
return tmpOut</pre>
          <br>
          Just be sure you are using the latest connector and connector
          server (from our Nexus) and the setup mentioned earlier or you
          can have problems when specifying the group name as
          "cn=group1,ou=..." and the group is actually stored in AD and
          returned from its LDAP as "CN=group1,OU=..."<br>
          <br>
          Regards,<br>
          Ivan<br>
          <br>
          <div class="moz-cite-prefix">On 01/08/2014 01:04 PM, Deepak
            Natarajan wrote:<br>
          </div>
          <br>
          <div>-- <br>
            Ing. Ivan Noris<br>
            Consultant<br>
            Evolveum, s.r.o<br>
            ___________________________________________________<br>
            "Semper cautus - semper paratus - semper idem Vix."<br>
          </div>
          <div>_______________________________________________<br>
            midPoint mailing list<br>
            <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
              href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
            <a moz-do-not-send="true" class="moz-txt-link-freetext"
              href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
          </div>
        </div>
        <div style="margin:30px 25px 10px 25px;" class="__pbConvHr">
          <div style="display:table;width:100%;border-top:1px solid
            #EDEEF0;padding-top:5px">
            <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
              <a moz-do-not-send="true"
                href="mailto:dnataraj@trilobytesystems.com"
                style="color:#737F92
                !important;padding-right:6px;font-weight:bold;text-decoration:none
                !important;">Deepak Natarajan</a></div>
            <div
              style="display:table-cell;white-space:nowrap;vertical-align:middle;">
              <font color="#9FA2A5"><span style="padding-left:6px">January
                  8, 2014 at 1:04 PM</span></font></div>
          </div>
        </div>
        <div style="color:#888888;margin-left:24px;margin-right:24px;"
          __pbrmquotes="true" class="__pbConvBody">
          <meta http-equiv="Content-Type" content="text/html;
            charset=ISO-8859-1">
          <br>
          Hi Ivan -<br>
          <br>
          A quick question about returning groups :<br>
          <br>
          How do I return multiple groups...are they comma-separated or?<br>
          <br>
          If I have two group DNs to return:<br>
          cn=group1,ou=groups,ou=orgA<br>
          cn=group2,ou=groups,ou=depts,ou=orgB<br>
          <br>
          can I return an array from within the script?<br>
          <br>
          Thank you.<br>
        </div>
        <div style="margin:30px 25px 10px 25px;" class="__pbConvHr">
          <div style="display:table;width:100%;border-top:1px solid
            #EDEEF0;padding-top:5px">
            <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
              <a moz-do-not-send="true"
                href="mailto:ivan.noris@evolveum.com"
                style="color:#737F92
                !important;padding-right:6px;font-weight:bold;text-decoration:none
                !important;">Ivan Noris</a></div>
            <div
              style="display:table-cell;white-space:nowrap;vertical-align:middle;">
              <font color="#9FA2A5"><span style="padding-left:6px">January
                  7, 2014 at 5:23 PM</span></font></div>
          </div>
        </div>
        <div style="color:#888888;margin-left:24px;margin-right:24px;"
          __pbrmquotes="true" class="__pbConvBody">
          <div>Hi Deepak,<br>
            <br>
            I'm using the Active Directory connector to manage accounts
            in AD, and a mapping which assigns users to groups. I didn't
            have to change the resource schema to use groups; it is
            available out of the box.<br>
            <br>
            The mapping is for the icfs:groups attribute and midPoint
            2.2.x, although it should still be the same for 2.3.<br>
            <br>
            I've adapted this from an actual customer configuration,
            removing the customer-specific code, but leaving the XML
            comments for you:<br>
            <br>
            <pre>&lt;attribute&gt;
    &lt;ref&gt;icfs:groups&lt;/ref&gt;
    &lt;displayName&gt;Groups&lt;/displayName&gt;

    &lt;limitations&gt;
        &lt;access&gt;
            &lt;create&gt;true&lt;/create&gt;
            &lt;read&gt;true&lt;/read&gt;
            &lt;update&gt;true&lt;/update&gt;
        &lt;/access&gt;
    &lt;/limitations&gt;
    &lt;!-- tolerant=false + strength=strong removes ALL other values including
         groups not managed by midpoint

         tolerant=true + strength=strong removes old group when the condition
         changes, keeping groups managed outside of midpoint --&gt;

    &lt;tolerant&gt;true&lt;/tolerant&gt;&lt;!-- See above --&gt;
    &lt;matchingRule&gt;mr:stringIgnoreCase&lt;/matchingRule&gt;
    &lt;outbound&gt;
        &lt;strength&gt;strong&lt;/strength&gt;&lt;!-- See above --&gt;
        &lt;source&gt;
            &lt;path&gt;$user/employeeType&lt;/path&gt;
        &lt;/source&gt;
        &lt;expression&gt;
            &lt;script&gt;
                &lt;code&gt;
                    if (employeeType == 'FTE')
                    {
                        return 'CN=group1,.........................'
                    }
                &lt;/code&gt;
            &lt;/script&gt;
        &lt;/expression&gt;
    &lt;/outbound&gt;
&lt;/attribute&gt;</pre>
            <br>
            You may need to use our versions of the Connector Server and
            Active Directory connector; there were some case-sensitivity
            issues in the original versions (causing groups like
            "cn=group1,..." and "CN=group1" to cause problems):<br>
            <br>
            <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/">http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/</a><br>
            <br>
            <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/">http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/</a><br>
            <br>
            And update your resource configuration:<br>
            <br>
            <pre>&lt;icfc:resultsHandlerConfiguration&gt;
    &lt;!-- currently this requires latest Evolveum
         version of .net connector server --&gt;

    &lt;icfc:enableFilteredResultsHandler&gt;false&lt;/icfc:enableFilteredResultsHandler&gt;
&lt;/icfc:resultsHandlerConfiguration&gt;

&lt;!-- Configuration specific for the Active Directory
     connector --&gt;

&lt;icfc:configurationProperties
. . .</pre>
            <br>
            This is the combination I currently use and it seems to work
            well.<br>
            <br>
            Hope this helps,<br>
            regards,<br>
            Ivan<br>
          </div>
        </div>
        <div style="margin:30px 25px 10px 25px;" class="__pbConvHr">
          <div style="display:table;width:100%;border-top:1px solid
            #EDEEF0;padding-top:5px">
            <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
              <a moz-do-not-send="true"
                href="mailto:dnataraj@trilobytesystems.com"
                style="color:#737F92
                !important;padding-right:6px;font-weight:bold;text-decoration:none
                !important;">Deepak Natarajan</a></div>
            <div
              style="display:table-cell;white-space:nowrap;vertical-align:middle;">
              <font color="#9FA2A5"><span style="padding-left:6px">January
                  7, 2014 at 4:55 PM</span></font></div>
          </div>
        </div>
        <div style="color:#888888;margin-left:24px;margin-right:24px;"
          __pbrmquotes="true" class="__pbConvBody">
          <div>Hi -<br>
            <br>
            I'm trying to figure out how to implement group membership
            for an Active Directory resource.<br>
            <br>
            We are using Midpoint 2.3-SNAPSHOT.<br>
            <br>
            Is it still possible to execute this using the idea of LDAP
            groups described here:
            <a moz-do-not-send="true" class="moz-txt-link-freetext"
              href="https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO">https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO</a>
            (since AD supports LDAPv3)?<br>
            <br>
            Does anyone have any working configuration they can share
            that they use against Active Directory to provision users and
            also set up group memberships?<br>
            <br>
            Thanks in advance!<br>
            BR/Deepak<br>
            <br>
          </div>
        </div>
      </blockquote>
      <br>
      <br>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
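    <p>The two behaviours Ivan describes in the quoted thread, the
    tolerant/strong semantics of the <code>icfs:groups</code> mapping and
    the case mismatch between "cn=group1,ou=..." in the mapping and the
    "CN=group1,OU=..." that AD returns, modelled as an added Python example.
    This is example code written for this page, not midPoint's
    implementation or code from the list; the group DNs, the CONTRACTOR
    branch, the <code>reconcile</code> rules and the
    <code>employeeType</code> values are constructed assumptions.</p>

```python
"""Illustrative model of two behaviours discussed in the thread:
midPoint's tolerant / non-tolerant handling of a *strong* outbound mapping
on icfs:groups, and why a case-insensitive matching rule matters when AD
returns group DNs spelled differently from the mapping's output.

Example code written for this page, not midPoint's implementation; the
reconciliation rules below are a simplified reading of the thread."""

from typing import Callable, Iterable


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing AD DNs the way mr:stringIgnoreCase would:
    fold case and drop whitespace around RDN separators. Simplification:
    escaped commas inside attribute values are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def outbound_groups(employee_type: str) -> list[str]:
    """Python rendition of the thread's Groovy outbound script. The
    CONTRACTOR branch and all DNs are constructed for this example."""
    if employee_type == "FTE":
        return ["cn=group1,ou=groups,ou=orgA,dc=example,dc=com"]
    if employee_type == "CONTRACTOR":
        return ["cn=group2,ou=groups,ou=depts,ou=orgB,dc=example,dc=com"]
    return []


def reconcile(current: Iterable[str], previous_mapped: Iterable[str],
              new_mapped: Iterable[str], tolerant: bool,
              ignore_case: bool) -> tuple[list[str], list[str]]:
    """Compute (to_add, to_remove) for a strong mapping.

    current         - group DNs AD currently reports for the account
    previous_mapped - what the mapping produced on the previous run
    new_mapped      - what the mapping produces now
    Removals come back in AD's own spelling, additions in the mapping's."""
    key: Callable[[str], str] = normalize_dn if ignore_case else (lambda dn: dn)
    cur = {key(dn): dn for dn in current}
    prev = {key(dn) for dn in previous_mapped}
    new = {key(dn): dn for dn in new_mapped}

    to_add = [dn for k, dn in new.items() if k not in cur]
    if tolerant:
        # tolerant=true: only retract values this mapping granted earlier;
        # memberships managed outside midPoint are left alone
        to_remove = [dn for k, dn in cur.items() if k in prev and k not in new]
    else:
        # tolerant=false: every value the mapping did not produce is removed
        to_remove = [dn for k, dn in cur.items() if k not in new]
    return to_add, to_remove


def apply_delta(current: Iterable[str], to_add: list[str],
                to_remove: list[str], ignore_case: bool = True) -> list[str]:
    """Membership as AD would hold it after the delta is pushed."""
    key: Callable[[str], str] = normalize_dn if ignore_case else (lambda dn: dn)
    gone = {key(dn) for dn in to_remove}
    return [dn for dn in current if key(dn) not in gone] + to_add


# Constructed sample state (not from the thread's customer configuration):
# AD reports attribute types in upper case, the mapping emits lower case.
AD_CURRENT = [
    "CN=group1,OU=groups,OU=orgA,DC=example,DC=com",           # granted by midPoint
    "CN=printer-users,OU=groups,OU=shared,DC=example,DC=com",  # managed outside
]
PREVIOUS_MAPPED = outbound_groups("FTE")   # last run: the user was an FTE


if __name__ == "__main__":
    scenarios = [
        ("FTE unchanged, ignore case, tolerant", "FTE", True, True),
        ("FTE unchanged, exact match, tolerant", "FTE", True, False),
        ("FTE unchanged, exact match, not tolerant", "FTE", False, False),
        ("FTE -> CONTRACTOR, ignore case, tolerant", "CONTRACTOR", True, True),
        ("FTE -> CONTRACTOR, ignore case, not tolerant", "CONTRACTOR", False, True),
    ]
    for label, emp_type, tolerant, ignore_case in scenarios:
        add, rem = reconcile(AD_CURRENT, PREVIOUS_MAPPED, outbound_groups(emp_type),
                             tolerant=tolerant, ignore_case=ignore_case)
        print(f"{label}:\n  add    {add}\n  remove {rem}\n"
              f"  result {apply_delta(AD_CURRENT, add, rem, ignore_case)}")
```

    <p>Running the scenarios shows the two effects side by side. With exact
    matching, the group AD already holds as "CN=group1,..." is never
    recognised as the mapping's "cn=group1,...", so a tolerant mapping
    re-adds it on every run and a non-tolerant one removes and re-adds it;
    that is the churn the case-insensitive matching rule and the patched
    connector avoid. With tolerant=true only the group the mapping granted
    earlier is retracted when employeeType changes and printer-users is
    kept, whereas tolerant=false strips every membership the mapping did
    not produce. Which of the two is right depends on whether memberships
    granted outside midPoint are meant to survive a reconciliation.</p>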
    <br>
    <br>
  </body>
</html>