<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Deepak,<br>
<br>
<div class="moz-cite-prefix">On 01/08/2014 05:29 PM, Deepak
Natarajan wrote:<br>
</div>
<blockquote cite="mid:52CD7CF6.9090803@trilobytesystems.com"
type="cite">
<br>
Hi Ivan -<br>
<br>
A quick (hopefully last) question about this issue: is it
necessary that the group should exist in AD already, or will
midPoint be able to create them using the connector if they are
not present? (I assumed the latter and am running into an
error...)<br>
</blockquote>
<br>
the connector will not create the group automatically. But you can
create it in your before-add script, which is exactly the way I'm
doing it.<br>
My scenario:<br>
<br>
- before add (and also before modify) script:<br>
- create OU, in which the user is created (or moved to)<br>
- create group, where the user should be if it does not already
exist (the group DN is based on user's attributes)<br>
- after add (and also after modify) script:<br>
- create home directory and set ownership<br>
<br>
The icfs:groups mapping is generating the group DNs (based on the user's
attributes) and expects that the before script has already created
them. Actually, I'm adding users to multiple groups; for some of
them I expect that they already existed before midPoint was installed,
and others are created by our before script.<br>
<br>
Regards,<br>
Ivan<br>
<br>
<blockquote cite="mid:52CD7CF6.9090803@trilobytesystems.com"
type="cite">
<br>
Thanks!<br>
<br>
BR/Deepak<br>
<blockquote style="border: 0px none;"
cite="mid:52CD4261.4070207@evolveum.com" type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr">
<a moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com"
style="font-weight:bold;">Ivan Noris</a>
<font color="#9FA2A5">January 8, 2014 at 1:19 PM</font>
</div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
Hi Deepak,<br>
<br>
I'm doing it with the code based on the following (Groovy):<br>
<br>
<pre>
// Build the list of group DNs and return it; the mapping takes the
// returned list as the multi-valued icfs:groups value
tmpOut = []
tmpOut.add('cn=group1,ou=groups,ou=orgA')
tmpOut.add('cn=group2,ou=groups,ou=depts,ou=orgB')
return tmpOut
</pre>
<br>
Just be sure you are using the latest connector and connector
server (from our Nexus) and the setup mentioned earlier, or you
can have problems when specifying the group name as
"cn=group1,ou=..." while the group is actually stored in AD and
returned from its LDAP as "CN=group1,OU=...".<br>
<br>
Regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 01/08/2014 01:04 PM, Deepak
Natarajan wrote:<br>
</div>
<br>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr">
<a moz-do-not-send="true" href="mailto:dnataraj@trilobytesystems.com"
style="font-weight:bold;">Deepak Natarajan</a>
<font color="#9FA2A5">January 8, 2014 at 1:04 PM</font>
</div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
<br>
Hi Ivan -<br>
<br>
A quick question about returning groups :<br>
<br>
How do I return multiple groups... are they comma-separated, or?<br>
<br>
If I have two group DN's to return :<br>
cn=group1,ou=groups,ou=orgA<br>
cn=group2,ou=groups,ou=depts,ou=orgB<br>
<br>
can I return an array from within the script?<br>
<br>
Thank you.<br>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr">
<a moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com"
style="font-weight:bold;">Ivan Noris</a>
<font color="#9FA2A5">January 7, 2014 at 5:23 PM</font>
</div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
<div>Hi Deepak,<br>
<br>
I'm using the Active Directory connector to manage accounts in AD, and a
mapping which assigns users to groups. I didn't have to change the resource
schema to use groups; it is available out of the box.<br>
<br>
The mapping is for the icfs:groups attribute and midPoint 2.2.x, although
it should still be the same for 2.3.<br>
<br>
I've adapted this from an actual customer configuration, removing the
customer-specific code, but leaving the XML comments for you:<br>
<br>
<pre>
<attribute>
    <ref>icfs:groups</ref>
    <displayName>Groups</displayName>

    <limitations>
        <access>
            <create>true</create>
            <read>true</read>
            <update>true</update>
        </access>
    </limitations>
    <!-- tolerant=false + strength=strong removes ALL other values including
         groups not managed by midpoint

         tolerant=true + strength=strong removes old group when the condition
         changes, keeping groups managed outside of midpoint -->

    <tolerant>true</tolerant><!-- See above -->
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <outbound>
        <strength>strong</strength><!-- See above -->
        <source>
            <path>$user/employeeType</path>
        </source>
        <expression>
            <script>
                <code>
                    if (employeeType == 'FTE')
                    {
                        return 'CN=group1,.........................'
                    }
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
</pre>
<br>
You may need to use our versions of Connector Server and Active
Directory connector; there were some case-sensitivity issues in the
original versions (groups like "cn=group1,..." and "CN=group1,..."
caused problems):<br>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/">http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/ActiveDirectory.Connector/1.0.0.20069/</a><br>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/">http://nexus.evolveum.com/nexus/content/repositories/openicf-releases/org/forgerock/openicf/dotnet/openicf-dotnet/1.4.0.20081/</a><br>
<br>
And update your resource configuration:<br>
<br>
<pre>
<icfc:resultsHandlerConfiguration>
    <!-- currently this requires latest Evolveum
         version of .net connector server -->

    <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
</icfc:resultsHandlerConfiguration>

<!-- Configuration specific for the Active Directory
     connector -->

<icfc:configurationProperties
. . .
</pre>
<br>
This is the combination I currently use, and it seems to work
well.<br>
<br>
Hope this helps,<br>
regards,<br>
Ivan<br>
</div>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr">
<a moz-do-not-send="true" href="mailto:dnataraj@trilobytesystems.com"
style="font-weight:bold;">Deepak Natarajan</a>
<font color="#9FA2A5">January 7, 2014 at 4:55 PM</font>
</div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
<div>Hi -<br>
<br>
I'm trying to figure out how to implement group membership for an Active
Directory resource.<br>
<br>
We are using midPoint 2.3-SNAPSHOT.<br>
<br>
Is it still possible to execute this using the idea of LDAP groups
described here:
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO">https://wiki.evolveum.com/display/midPoint/LDAP+Groups+HOWTO</a>
(since AD supports LDAPv3)?<br>
<br>
Does anyone have any working configuration they can share that they use
against Active Directory to provision users and also set up group
memberships?<br>
<br>
Thanks in advance!<br>
BR/Deepak<br>
<br>
</div>
</div>
</blockquote>
<br>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Consultant
Evolveum, s.r.o
___________________________________________________
"Semper cautus - semper paratus - semper idem Vix."
</pre>
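The tolerant/strength semantics and the mr:stringIgnoreCase matching rule discussed in this thread, modelled as an added Python example (not midPoint's code and not written by anyone in the thread): it reconciles an account's AD group list against the DNs an outbound icfs:groups script produces. The group-naming rule, the sample user and the AD group list are constructed.

```python
# Added example (not midPoint code): a model of how a strong outbound mapping
# for icfs:groups is reconciled against what AD holds, following the
# tolerant/strength semantics and mr:stringIgnoreCase matching from the thread.

def normalize_dn(dn, ignore_case=True):
    """Canonical DN for comparison: trim whitespace around RDNs and, when
    ignore_case is set (the mr:stringIgnoreCase behaviour), fold case."""
    canon = ",".join(part.strip() for part in dn.split(","))
    return canon.lower() if ignore_case else canon

def mapping_groups(user):
    """Outbound-script equivalent: derive group DNs from user attributes.
    Constructed rule: full-time employees go into their org's FTE group."""
    groups = []
    if user.get("employeeType") == "FTE":
        groups.append("cn=fte,ou=groups,ou=%s" % user["org"])
    return groups

def reconcile(current, user, previous_user, tolerant=True, ignore_case=True):
    """Return (to_add, to_remove) for the account's icfs:groups value.
    current: DNs as AD returns them (case may differ from the script output).
    tolerant=True removes only values this mapping produced for the previous
    user state; tolerant=False removes everything the mapping did not
    produce, including groups managed outside midPoint."""
    target = mapping_groups(user)
    target_keys = {normalize_dn(g, ignore_case) for g in target}
    current_keys = {normalize_dn(g, ignore_case): g for g in current}
    to_add = [g for g in target if normalize_dn(g, ignore_case) not in current_keys]
    if tolerant:
        prev_keys = {normalize_dn(g, ignore_case) for g in mapping_groups(previous_user)}
        to_remove = [g for k, g in current_keys.items()
                     if k in prev_keys and k not in target_keys]
    else:
        to_remove = [g for k, g in current_keys.items() if k not in target_keys]
    return to_add, to_remove

# Constructed sample: AD returns upper-cased DNs; "admins" is managed outside midPoint.
AD_GROUPS = ["CN=fte,OU=groups,OU=orgA", "CN=admins,OU=groups,OU=orgA"]
FTE_USER = {"employeeType": "FTE", "org": "orgA"}
CONTRACTOR = {"employeeType": "CONTRACTOR", "org": "orgA"}

if __name__ == "__main__":
    # Condition changed: tolerant removes only the FTE group and keeps admins.
    print(reconcile(AD_GROUPS, CONTRACTOR, FTE_USER, tolerant=True))
    # tolerant=false also strips the externally managed admins group.
    print(reconcile(AD_GROUPS, CONTRACTOR, FTE_USER, tolerant=False))
    # Without case-insensitive matching an unchanged FTE user churns: the
    # lower-case DN is "added" although AD already holds it in upper case.
    print(reconcile(AD_GROUPS, FTE_USER, FTE_USER, ignore_case=False))
```

The third call shows why the case-insensitive matching rule matters: without it, every reconciliation of an unchanged user produces a spurious add because the script's lower-case DN never matches the DN AD returns.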
</body>
</html>