<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello Roman,<br>
<br>
I've tried to prepare a minimalistic sample to demonstrate
synchronization of groups between AD and midPoint.<br>
<br>
I'll describe it in two steps:<br>
<br>
<u><b>Step 1: Basic synchronization of users and groups</b> - see <b>samples/resources/ad/ad-resource-groups-basic.xml</b>.</u><br>
<br>
What it does:<br>
<br>
<b>1) AD->midPoint</b><br>
<br>
It synchronizes AD accounts and groups from AD to midPoint - i.e.
when a new account is created in AD, it appears in midPoint as a
corresponding account shadow and a user. When a new group is
created, it appears in midPoint as a new entitlement shadow and a
role.<br>
<br>
You can try it to see if it works.<br>
<br>
<b>2) midPoint->AD</b><br>
<br>
a) It is able to provision users from midPoint to AD: you just
have to add or assign the corresponding resource account to a user.<br>
b) It is able to provision groups from midPoint to AD.<br>
<br>
The second point is a bit more complicated: at minimum, you have
to tell midPoint that the role should be provisioned to AD.<br>
<br>
It is done by adding the following assignment to the role:<br>
<br>
<pre>
<assignment>
    <construction>
        <resourceRef oid="11111111-2222-3333-4444-000000000000" type="ResourceType"/>
        <kind>entitlement</kind>
        <intent>group</intent>
    </construction>
</assignment>
</pre>
<br>
Just as a user can have an account assigned on a resource, a
role can have an "account" (a group, in this case) assigned on a
resource.<br>
<br>
---<br>
<br>
What is missing in both cases (a + b) is a rule that would say
"any user having this role has to have an account on AD with the
corresponding group assigned". For this, an inducement is used. By
using inducements, you can prescribe not only that an account on a
particular resource should exist, but you can also set its
attributes and/or assignments -- and exactly that is what we are
interested in: assigning an entitlement (a group) that corresponds
to this role. You can use assignmentTargetSearch, or a less
flexible but perhaps more straightforward way that uses a simple
object reference:<br>
<br>
<pre>
<inducement>
    <construction>
        <resourceRef oid="11111111-2222-3333-4444-000000000000" type="ResourceType"/>
        <kind>account</kind>
        <association>
            <ref>ri:group</ref>
            <outbound>
                <expression>
                    <value>
                        <shadowRef oid="88c95eb4-f2a3-4b63-b269-18696e52c03f"/>
                    </value>
                </expression>
            </outbound>
        </association>
    </construction>
</inducement>
</pre>
<br>
(note that oid="88c95eb4-f2a3-4b63-b269-18696e52c03f" points to a
shadow of this role -> i.e. the group we are talking about)<br>
<br>
Now, when you assign this role to a user, an account for him will
be created on the resource, and it will be a member of the given
group.<br>
<br>
---<br>
<br>
MidPoint allows you to avoid all these nuances by using its
sophisticated mechanisms, namely:<br>
- object templates<br>
- roles with higher-order inducements (meta roles)<br>
<br>
An object template is used to automatically assign a meta role to
any role created.<br>
A meta role is used to create all the necessary
assignments/inducements for that role.<br>
<br>
This leads us to the second step:<br>
<br>
<u><b>Step 2: Synchronizing group membership</b> - see <b>samples/resources/ad/ad-resource-groups-advanced.xml</b>.</u><br>
<br>
<u><b>Do not</b></u> import ad-resource-groups-advanced.xml at
this moment, as we will import things in it stepwise.<br>
<br>
First of all, we create a meta role that will do exactly what we
did manually in the above step:<br>
1) creates an assignment to an AD group on our resource<br>
2) creates an inducement prescribing creation of user accounts
with the AD group on the resource<br>
<br>
Note that for the metarole, item #1 is an inducement (as it
creates assignments for any role that possesses this metarole) and
item #2 is a second-order inducement (as it creates first-order
inducements for any role that possesses this metarole).<br>
<br>
<pre>
<role oid="11111111-2222-3333-4444-200000000001"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Metarole for groups</name>

    <!-- This inducement causes creation of an AD group for
         any role that possesses this metarole -->
    <inducement>
        <construction>
            <resourceRef oid="11111111-2222-3333-4444-000000000000" type="c:ResourceType"/>
            <kind>entitlement</kind>
            <intent>group</intent>
        </construction>
    </inducement>

    <!-- This inducement causes creation of an AD account that is in the AD group
         for any USER that possesses any role that possesses this metarole -->
    <!-- That's why this is called a second-order inducement -->
    <inducement>
        <construction>
            <resourceRef oid="11111111-2222-3333-4444-000000000000" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>

</role>
</pre>
<br>
Now, if you import this metarole and create a role (e.g. "r1")
that has this metarole assigned, you'll see that a group r1 has
been created in AD, and a midPoint shadow for it has been created
as well and linked to group r1.<br>
<br>
Moreover, if you now create a new midPoint user and assign him
role r1, his account in AD will be created and it will be a member
of the r1 AD group.<br>
<br>
--- <br>
<br>
Now, what is missing?<br>
<br>
If you create a role in midPoint, you have to assign our metarole
to it manually.<br>
In a similar way, if a group is created in AD, the corresponding
role in midPoint is again without the metarole.<br>
<br>
Here, an object template is going to help us.<br>
<br>
<pre>
<objectTemplate oid="11111111-2222-3333-4444-300000000001"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Role Template</name>

    <mapping>
        <name>Metarole assignment</name>
        <authoritative>true</authoritative>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:RoleType</targetType>
                <oid>11111111-2222-3333-4444-200000000001</oid>   <!-- our meta role -->
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </mapping>

</objectTemplate>
</pre>
<br>
Besides creating the template, we have to tell midPoint to use it
for roles.<br>
We have to include the following in the system configuration:<br>
<br>
<pre>
<objectTemplate>
    <type>c:RoleType</type>
    <objectTemplateRef oid="11111111-2222-3333-4444-300000000001"/>
</objectTemplate>
</pre>
<br>
Now, when you create a role (let's say r2), it will automatically
get the metarole assigned, which causes creation of an AD group and
automatic assignment of this group to any user that has this "r2"
role.<br>
In a similar way, when you create a group (let's say r3) in AD, a
role r3 will be created in midPoint and it will be assigned this
metarole.<br>
<br>
For more information:<br>
<ul>
<li><a
href="https://wiki.evolveum.com/display/midPoint/Entitlements">https://wiki.evolveum.com/display/midPoint/Entitlements</a></li>
<li><a
href="https://wiki.evolveum.com/display/midPoint/Assignment+Configuration">https://wiki.evolveum.com/display/midPoint/Assignment+Configuration</a>
(namely section "Entitlements Association")</li>
<li><a
href="https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test">https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test</a>
(namely the section about responsibility synchronization - what is
presented here is basically a simplification of the
responsibility synchronization of this story test)<br>
</li>
</ul>
Hope this helps. If you have any questions, just let me know.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
<br>
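The assignment/inducement/meta-role mechanics walked through in the message above, as an added example that is not part of the original thread and is not midPoint code: a small Python model in which a construction held in an assignment binds to its holder, an inducement of order N binds to the object N role-hops below its holder, and a RoleType object template adds the meta-role to a role. All object names (meta, manual, r1, jack, jill) are constructed, and both the Step 1 shadowRef and the Step 2 associationFromLink are modelled as "join the group of the role the user is directly assigned to", which is an assumption that matches the two cases in the message only.<br>

```python
"""Toy model of the assignment / inducement / meta-role mechanics described
in the message above.

Constructed for illustration only: this is NOT midPoint's evaluation engine
and uses none of its APIs; object names ("meta", "manual", "r1", "jack",
"jill") are made up.  Rules modelled:

  * a construction held in an *assignment* gives the holder itself a
    projection (a role gets its own AD group);
  * a construction held in an *inducement* of order N gives a projection to
    the object N role-hops below the holder in the assignment path
    (order 1: whoever is assigned the role; order 2: whoever is assigned a
    role that is assigned the role);
  * both the Step 1 shadowRef and the Step 2 associationFromLink are modelled
    as "join the group of the role the focus is directly assigned to";
  * the RoleType object template is modelled as adding the meta-role to a role.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Construction:
    kind: str                      # "account" or "entitlement"
    intent: str                    # "default" or "group"
    group_from_link: bool = False  # account joins the group of the assigned role


@dataclass
class Obj:
    """A user or a role; both carry assignments, roles also inducements."""
    name: str
    assignments: list = field(default_factory=list)  # Construction | role name
    inducements: list = field(default_factory=list)  # (order, Construction)


def evaluate(focus, repo):
    """Return {(kind, intent): frozenset(group names)} the focus should have
    on the single modelled AD resource; same-key projections are merged, so
    one account ends up in several groups."""
    result = {}

    def add(construction, path):
        key = (construction.kind, construction.intent)
        groups = set(result.get(key, ()))
        if construction.group_from_link and len(path) > 1:
            role = path[1]  # the role directly assigned to the focus
            # join the group only if the role really owns one (has a group projection)
            if ("entitlement", "group") in evaluate(role, repo):
                groups.add(role.name)
        result[key] = frozenset(groups)

    def walk(holder, path):
        depth = len(path) - 1  # role-hops between focus and holder
        for item in holder.assignments:
            if isinstance(item, Construction):
                if depth == 0:  # assignments bind to the holder only
                    add(item, path)
            else:  # role reference: climb one hop
                walk(repo[item], path + [repo[item]])
        for order, construction in holder.inducements:
            if order == depth:  # order-N inducement lands N hops below
                add(construction, path)

    walk(focus, [focus])
    return result


def apply_role_template(role, metarole_name):
    """Model of the RoleType object template mapping: assign the meta-role
    (the message uses assignmentTargetSearch by oid) to every role."""
    if metarole_name not in role.assignments:
        role.assignments.append(metarole_name)
    return role


def build_sample():
    """Constructed repository mirroring Step 1 (manual role) and Step 2 (meta-role)."""
    group = Construction("entitlement", "group")
    account = Construction("account", "default", group_from_link=True)
    repo = {}
    # Step 1: group via assignment, member accounts via order-1 inducement.
    repo["manual"] = Obj("manual", assignments=[group], inducements=[(1, account)])
    # Step 2: the meta-role carries the same two constructions one order higher.
    repo["meta"] = Obj("meta", inducements=[(1, group), (2, account)])
    repo["r1"] = apply_role_template(Obj("r1"), "meta")  # what the template does
    repo["jack"] = Obj("jack", assignments=["r1"])
    repo["jill"] = Obj("jill", assignments=["manual", "r1"])
    return repo


if __name__ == "__main__":
    repo = build_sample()
    for name in ("meta", "manual", "r1", "jack", "jill"):
        print(name, dict(evaluate(repo[name], repo)))
```

Running the block shows the meta-role itself getting no projection, roles manual and r1 each getting a group, jack getting an account in group r1 and jill an account in both groups; a role that never received the template's meta-role assignment gets nothing, which is the gap the message's object template closes.<br>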
On 23. 6. 2014 21:24, Roman Pudil - AMI Praha a.s. wrote:<br>
</div>
<blockquote cite="mid:53A87ED8.1050705@ami.cz" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Hello Pavol,<br>
<br>
how about the group reconciliation sample for Active Directory?
Do you have any simple example?<br>
<br>
Thanks!<br>
Regards<br>
Roman
<div class="moz-signature">
<title></title>
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<p> </p>
<table style="border-collapse:collapse;">
<tbody>
<tr>
<td colspan="2" style="font-family:Arial, sans-serif;
font-size:11px; color:#000000; vertical-align:bottom;">
<p> <span style="font-size:14px; font-weight:bold;">Roman
Pudil</span><br>
solution architect<br>
<br>
gsm: [+420] 775 663 666<br>
e-mail: <a moz-do-not-send="true"
href="mailto:roman.pudil@ami.cz">roman.pudil@ami.cz</a>
</p>
</td>
<td style="border-right:1px solid #cccccc;"> </td>
<td> </td>
<td style="font-family:Arial, sans-serif;
font-size:11px; color:#000000; vertical-align:bottom;">
<p> AMI Praha a.s.<br>
Pláničkova 11<br>
162 00 Praha 6<br>
tel./fax: [+420] 274 783 239<br>
web: <a moz-do-not-send="true"
href="http://www.ami.cz">www.ami.cz</a> </p>
</td>
<td style="border-right:1px solid #cccccc;"> </td>
<td> </td>
<td style="font-family:Arial, sans-serif;
font-size:11px; color:#000000;">
<p> <img
src="cid:part6.02030506.01060807@evolveum.com"
alt="AMI Praha a.s." title="AMI Praha a.s."> </p>
</td>
</tr>
<tr>
<td colspan="8"><br>
<a moz-do-not-send="true"
href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management"><img
src="cid:part7.02090200.07040803@evolveum.com"
alt=""></a></td>
</tr>
<tr>
<td colspan="8" style="font-family:Arial, sans-serif;
font-size:11px; color:#808080;"> <br>
By the text of this e-mail the signatory neither promises to conclude
nor concludes any contract on behalf of AMI Praha a.s.<br>
Any contract, if concluded, must be exclusively in written form.</td>
</tr>
</tbody>
</table>
</div>
On 12.6.2014 23:35, Pavol Mederly wrote:<br>
</div>
<blockquote cite="mid:539A1D1A.7050205@evolveum.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Hello Roman,<br>
<br>
both Ivan and I are planning to prepare such a sample for
group synchronization in the next few days.<br>
<br>
Unfortunately, both of us have some critical tasks to be done
immediately, so it could take maybe a week until we are able to
prepare the sample.<br>
<br>
Best regards,<br>
Pavol Mederly<br>
<br>
</div>
<blockquote cite="mid:539A133B.7060906@ami.cz" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Hi Radovan,<br>
thanks for the inspiration.<br>
I tried for 3 days to find the right combination of AD group schema
definition, schema handling etc., with no success.<br>
Has anybody tried it with success?<br>
<br>
Thanks!<br>
Roman Pudil<br>
<br>
<div class="moz-signature">
<table style="border-collapse:collapse;">
<tbody>
<tr>
<td colspan="2" style="font-family:Arial,
sans-serif; font-size:11px; color:#000000;
vertical-align:bottom;">
<p><span style="font-size:14px; font-weight:bold;">Roman
Pudil</span><br>
solution architect<br>
<br>
gsm: [+420] 775 663 666<br>
e-mail: <a moz-do-not-send="true"
href="mailto:roman.pudil@ami.cz">roman.pudil@ami.cz</a>
</p>
</td>
<td style="border-right:1px solid #cccccc;"> </td>
<td> </td>
<td style="font-family:Arial, sans-serif;
font-size:11px; color:#000000;
vertical-align:bottom;">
<p> AMI Praha a.s.<br>
Pláničkova 11<br>
162 00 Praha 6<br>
tel./fax: [+420] 274 783 239<br>
web: <a moz-do-not-send="true"
href="http://www.ami.cz">www.ami.cz</a> </p>
</td>
<td style="border-right:1px solid #cccccc;"> </td>
<td> </td>
<td style="font-family:Arial, sans-serif;
font-size:11px; color:#000000;">
<p> <img
src="cid:part11.05090905.07010408@evolveum.com"
alt="AMI Praha a.s." title="AMI Praha a.s."> </p>
</td>
</tr>
<tr>
<td colspan="8"><br>
<a moz-do-not-send="true"
href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management"><img
src="cid:part12.08020004.03080504@evolveum.com" alt=""></a></td>
</tr>
<tr>
<td colspan="8" style="font-family:Arial,
sans-serif; font-size:11px; color:#808080;"> <br>
Textem tohoto e-mailu podepisující neslibuje
uzavřít ani neuzavírá za společnost AMI Praha a.s.<br>
jakoukoliv smlouvu. Každá smlouva, pokud bude
uzavřena, musí mít výhradně písemnou formu.</td>
</tr>
</tbody>
</table>
</div>
On 9.6.2014 18:08, Radovan Semancik wrote:<br>
</div>
<blockquote cite="mid:5395DC03.6030300@evolveum.com"
type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Hi Roman,<br>
<br>
We haven't tried group synchronization in AD yet. But we
have done it in LDAP and the principle is the same.
Perhaps the best place for inspiration is our "OrgSync"
story test. This test synchronizes orgunits and groups in
the LDAP server. The configuration files are here:<br>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/orgsync">https://github.com/Evolveum/midpoint/tree/master/testing/story/src/test/resources/orgsync</a><br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
On 06/05/2014 01:03 PM, Roman Pudil - AMI Praha a.s.
wrote:<br>
</div>
<blockquote cite="mid:53904E89.7060508@ami.cz" type="cite">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
Hi,<br>
I need to synchronize/reconcile AD Groups into midPoint as
Entitlements (Roles). Is there any simple example of this?<br>
Importing groups over midPoint webservices is also an
acceptable solution, but when I tried your example in
\samples\model-client-sample\ it gave an error in version
3.0.<br>
<br>
Thanks!<br>
R. Pudil<br>
<div class="moz-signature">-- <br>
<title></title>
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<p> </p>
<table style="border-collapse:collapse;">
<tbody>
<tr>
<td colspan="2" style="font-family:Arial,
sans-serif; font-size:11px; color:#000000;
vertical-align:bottom;">
<p> <span style="font-size:14px;
font-weight:bold;">Roman Pudil</span><br>
solution architect<br>
<br>
gsm: [+420] 775 663 666<br>
e-mail: <a moz-do-not-send="true"
href="mailto:roman.pudil@ami.cz">roman.pudil@ami.cz</a>
</p>
</td>
<td style="border-right:1px solid #cccccc;"> </td>
<td> </td>
<td style="font-family:Arial, sans-serif;
font-size:11px; color:#000000;
vertical-align:bottom;">
<p> AMI Praha a.s.<br>
Pláničkova 11<br>
162 00 Praha 6<br>
tel./fax: [+420] 274 783 239<br>
web: <a moz-do-not-send="true"
href="http://www.ami.cz">www.ami.cz</a> </p>
</td>
<td style="border-right:1px solid #cccccc;"> </td>
<td> </td>
<td style="font-family:Arial, sans-serif;
font-size:11px; color:#000000;">
<p> <img
src="cid:part17.05020503.04000908@evolveum.com"
alt="AMI Praha a.s." title="AMI Praha a.s.">
</p>
</td>
</tr>
<tr>
<td colspan="8"><br>
<a moz-do-not-send="true"
href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management"><img
src="cid:part18.05060307.01080108@evolveum.com" alt=""></a></td>
</tr>
<tr>
<td colspan="8" style="font-family:Arial,
sans-serif; font-size:11px; color:#808080;"> <br>
Textem tohoto e-mailu podepisující neslibuje
uzavřít ani neuzavírá za společnost AMI Praha
a.s.<br>
jakoukoliv smlouvu. Každá smlouva, pokud bude
uzavřena, musí mít výhradně písemnou formu.</td>
</tr>
</tbody>
</table>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<br>
</body>
</html>