<div dir="ltr">Wow! Thank you for this, I had no idea so much was involved just to pull the name. I am glad I asked, because after much searching I couldn't understand where to start; I think I am reading too much, all over, too fast. I have just now started playing with the scripts more and more, and I am noticing how powerful it could be, making it easier to fill in redundant mandatory fields in AD using MidPoint. I am even using the regular expressions not just for the distinguishedName; I worked some other expressions into other fields/attributes.<div><br></div><div>Yes, the attribute eduPersonEntitlement is a multi-valued string. We use this attribute for many other applications, including Microsoft ADFS and Shibboleth SSO, so I was wanting to see if later on we could get the roles assigned in Midpoint into AD so that we could use the information in other applications, or at least standardize the names across applications, and it looks to be possible.</div><div><br></div><div>Thanks Again!</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 17, 2014 at 4:31 PM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Hello Jason,<br>
      <br>
      yes, there is a way to do it. Conceptually, you need to create a
      mapping<br>
      <br>
              assignment -> target attribute<br>
      <br>
      However, there are three facts to bear in mind:<br>
      <br>
      (1) there can be many roles the user has been assigned -> so
      either you choose one of them (how?) or the target attribute has
      to be multi-valued; let's assume the latter<br>
      (2) assignments can be not only roles, but also accounts and orgs
      -> so there should be some filter based on the kind of
      assignment<br>
      (3) in the assignment there is only an OID of the target role, and you
      want to have its name -> so there has to be a getObject(...)
      operation in the process to get the name<br>
      <br>
      Conceptually, the solution could look like this:<br>
      (This is a direct mapping from the user's roles to an "l" attribute
      in an LDAP resource - tailor this to your needs. E.g. if you have to
      map to a user property, you have to put this mapping into a user
      template.)<br>
      <br>
      <pre>
<attribute>
    <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:l</ref>
    <outbound>
        <source>
            <path>assignment</path>
        </source>
        <expression>
            <script>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType

                    if (assignment != null) {
                        target = assignment.getTargetRef()
                        // filtering, mentioned in (2): only role assignments are of interest
                        if (target != null && "RoleType".equals(target.getType().getLocalPart())) {
                            // getting the object, mentioned in (3)
                            role = midpoint.getObject(RoleType.class, target.getOid(), null)
                            return role.getName().getOrig()
                        }
                    }
                    return null
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
      </pre>
      <br>
      Unfortunately, life's not that easy ... because of a limitation in
      midPoint (<a href="https://jira.evolveum.com/browse/MID-2064" target="_blank">MID-2064</a>)
      we cannot process individual container values, only the container
      as a whole - so we have to rewrite the mapping to process not item
      after item, but to process all assignments as a whole. It's called
      absolute mode of evaluation.<br>
      <br>
      The solution is then as follows:<br>
      <br>
      <pre>
<attribute>
    <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:l</ref>
    <outbound>
        <source>
            <name>assignmentContainer</name>   <!-- just to provide a meaningful name to the source -->
            <path>assignment</path>
        </source>
        <expression>
            <script>
                <relativityMode>absolute</relativityMode>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType
                    import com.evolveum.midpoint.util.exception.ObjectNotFoundException

                    rv = new ArrayList()
                    if (assignmentContainer != null) {
                        // absolute mode: all assignment values at once, not one value at a time
                        for (assignment in assignmentContainer.getValues()) {
                            target = assignment.asContainerable().getTargetRef()
                            // filtering, mentioned in (2): only role assignments are of interest
                            if (target != null && "RoleType".equals(target.getType().getLocalPart())) {
                                try {
                                    // getting the object, mentioned in (3)
                                    role = midpoint.getObject(RoleType.class, target.getOid(), null)
                                    rv.add(role.getName().getOrig())
                                } catch (ObjectNotFoundException e) {
                                    // the assigned role may have been deleted in the meantime - skip it
                                }
                            }
                        }
                    }
                    return rv
                </code>
            </script>
        </expression>
    </outbound>
</attribute>
      </pre>
      <br>
      Of course, there should be some error handling around the getObject
      method, because the role that the user has might already have been
      deleted - so a simple try {...} catch {...} should be there. <br>
      <br>
      But I hope you get an overall idea from this sample.<br>
      <br>
      Best regards,<br>
      Pavol<div><div class="h5"><br>
      <br>
      <br>
      On 17. 10. 2014 21:43, Jason Everling wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">Ok, thanks again. I still have a lot of testing with
        incoming and outgoing attributes, trying to get them just right
        before I move on to Roles/Orgs and such.
        <div><br>
        </div>
        <div>Quick question,</div>
        <div><br>
        </div>
        <div>Is there a way to get the assigned role name, like the
          default role "end user", into a user attribute field? For
          instance, the user is assigned the role "end user" and I
          wanted to get the role name "end user" into the attribute
          eduPersonEntitlement in AD. As long as I can get that name
          "end user" into a field on the user details page I can move it
          into AD.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>JASON</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Oct 17, 2014 at 5:28 AM, Ivan
          Noris <span dir="ltr"><<a href="mailto:Ivan.Noris@evolveum.com" target="_blank">Ivan.Noris@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div>
              <div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000">
                <div>Hi Jason,<br>
                </div>
                <div><br>
                </div>
                <div>I'm not sure if I understand, but if you are asking
                  if you can create (import) organization structure in
                  midPoint according to your existing AD structure, the
                  answer is yes.<br>
                </div>
                <div><br>
                </div>
                <div>If you are asking if you can provision your
                  existing midPoint organization structure to AD, the
                  answer is double-yes. You can actually see this in our
                  generic-sync scenarios. For simpler cases where the
                  organization structure is maintained in midPoint (and
                  not in some kind of authoritative source such as CSV)
                  this is very simple and I'm using this just now in
                  current projects.<br>
                </div>
                <div><br>
                </div>
                <div>It's all just configuration in midPoint (resource,
                  roles, object templates). The inbound (from AD to
                  midPoint) organization synchronization is a little
                  more difficult than the outbound (midPoint to AD), but
                  certainly doable.<br>
                </div>
                <div><br>
                </div>
                <div>Regards,<br>
                </div>
                <div>Ivan<br>
                </div>
                <div><br>
                </div>
                <hr>
                <blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><span><b>From: </b>"Jason Everling" <<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>><br>
                    <b>To: </b>"midPoint General Discussion" <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br>
                  </span><b>Sent: </b>Thursday, October 16, 2014
                  10:07:34 PM<span><br>
                    <b>Subject: </b>Re: [midPoint] Existing Active
                    Directory Users<br>
                    <div><br>
                    </div>
                  </span>
                  <div>
                    <div>
                      <div dir="ltr">That is great! I was testing this
                        and it seems to be working. I was also thinking
                        about this more, and about down the road, once I
                        move into Orgs and such.
                        <div><br>
                        </div>
                        <div>I am almost certain, correct me if I am
                          wrong, that I could also base the DN on
                          information pulled from the Orgs in midPoint. I
                          would pretty much be building out the Orgs in
                          the same manner that our AD orgs are set up.</div>
                        <div><br>
                        </div>
                        <div>JASON</div>
                      </div>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">On Thu, Oct 16, 2014 at
                          10:27 AM, Ivan Noris <span dir="ltr"><<a href="mailto:Ivan.Noris@evolveum.com" target="_blank">Ivan.Noris@evolveum.com</a>></span>
                          wrote:<br>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                            <div>
                              <div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000">
                                <div>Hi Jason,<br>
                                </div>
                                <div><br>
                                </div>
                                <blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt">
                                  <div dir="ltr">
                                    <div><br>
                                    </div>
                                    <div>AD only needs to be
                                      authoritative during the initial
                                      deployment, since we have thousands
                                      of accounts in AD; after that, all
                                      accounts will be modified/added
                                      using midPoint.</div>
                                    <div><br>
                                    </div>
                                    <div>I think using the method I
                                      outlined last to build the DN is
                                      more or less what I am moving
                                      towards. I have looked through the AD
                                      attributes, and the attribute "ou"
                                      in AD is not used, so it would make
                                      sense to populate that attribute
                                      with the actual OU. I can simply
                                      use a PowerShell script to add the
                                      correct value to this attribute
                                      based on the user's current OU and
                                      then build the DN in midPoint off
                                      this value.</div>
                                    <div><br>
                                    </div>
                                    <div>Using the "ou" attribute in AD
                                      might also be the best way, since
                                      later on I can use the attribute
                                      in roles and orgs. I have been
                                      looking at the orgsync story test
                                      on GitHub for inspiration.</div>
                                  </div>
                                </blockquote>
                                <div><br>
                                </div>
                                <div>You can use a PS script in AD to fill
                                  the "ou" attribute in accounts and then
                                  import it to midPoint, but you can also
                                  construct the value directly during the
                                  initial import, in the inbound expression,
                                  with no changes in AD. Roughly -
                                  something like this:<br>
                                </div>
                                <div><br>
                                </div>
                                <div><pre>
<attribute>
    <ref>icfs:name</ref>
    <displayName>Distinguished Name</displayName>
    <inbound>
        <expression>
            <script>
                <code>
                    // parse the OU value from the variable named "input" (represents the DN)
                    // using Groovy regular expressions
                    // e.g. from OU=The Student,DC=TEST,DC=LOCAL take the "The Student" value
                    // please fix the regular expression according to your setup,
                    // this is just a rough example
                    // the result will be stored in the user/organization attribute, modify as needed

                    re = /(?i)^.*OU=(.*),DC=TEST,DC=LOCAL$/
                    matcher = (input =~ re)
                    if (matcher.matches()) {
                        return matcher[0][1]
                    }
                    // DN is not under the expected base or has no OU: store nothing
                    return null
                </code>
            </script>
        </expression>
        <target>
            <path>$user/organization</path>
        </target>
    </inbound>
</attribute>
</pre></div>
                                <div>This is also to show you the power
                                  of the expressions in the mappings.<br>
                                </div>
                                <div><br>
                                </div>
                                <div>Regards,<br>
                                </div>
                                <div>Ivan<br>
                                </div>
                                <div><br>
                                </div>
                                <div>-- <br>
                                </div>
                                <div><span></span>  Ing. Ivan Noris<br>
                                    Senior Identity Management Engineer<br>
                                    <a href="http://evolveum.com" target="_blank">evolveum.com</a><br>
  ___________________________________________<br>
                                             "Idem per idem - semper
                                  idem Vix."<span></span><br>
                                </div>
                              </div>
                            </div>
                            <br>
_______________________________________________<br>
                            midPoint mailing list<br>
                            <a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
                            <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
                            <br>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                      <br>
                    </div>
                  </div>
                  </blockquote>
                <span>
                  <div><br>
                    <br>
                  </div>
                  <div><br>
                  </div>
                  <div>-- <br>
                  </div>
                  <div><span name="x"></span>  Ing. Ivan Noris<br>
                      Senior Identity Management Engineer<br>
                      <a href="http://evolveum.com" target="_blank">evolveum.com</a><br>
                      ___________________________________________<br>
                               "Idem per idem - semper idem Vix."<span name="x"></span><br>
                  </div>
                </span></div>
            </div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div>
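<p>Ivan's inbound mapping in the thread above pulls the OU out of the account DN with a single regular expression, which he himself calls a rough example. The following Python is an added example (not part of this thread, and not midPoint's or Ivan's code) that does the same extraction by splitting the DN into RDNs while honouring RFC 4514 backslash escapes, so an escaped comma inside a value (for instance <code>OU=Sales\, EMEA</code>) is treated as data rather than as a separator and the value written to <code>user/organization</code> is the unescaped one. It picks the same OU the greedy regex picks (the one directly under the base DN) and returns None for a DN that is not under that base, and reproduces the naive regex alongside for comparison. The base DN <code>DC=TEST,DC=LOCAL</code> and all sample DNs are constructed.</p>

```python
import re

# Ivan's rough regex from the thread, reproduced for comparison (base DN hard-coded as in his example)
NAIVE_RE = re.compile(r"(?i)^.*OU=(.*),DC=TEST,DC=LOCAL$")


def naive_ou(dn):
    """What the inbound-mapping regex returns: the raw text between the last 'OU=' and the base DN."""
    m = NAIVE_RE.match(dn)
    return m.group(1) if m else None


def split_rdns(dn):
    """Split a DN string into RDN strings, leaf first; a backslash-escaped comma is data, not a separator."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair intact for unescape_value()
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def unescape_value(raw):
    """Decode RFC 4514 escapes: '\\XX' hex pairs (bytes of the UTF-8 value) and '\\c' single characters."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16))
                i += 3
                continue
            out.extend(raw[i + 1].encode("utf-8"))
            i += 2
            continue
        out.extend(raw[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def parse_dn(dn):
    """Return [(ATTRIBUTE_TYPE, value), ...] leaf first; attribute types are upper-cased."""
    parts = []
    for rdn in split_rdns(dn):
        attr, sep, raw = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        parts.append((attr.strip().upper(), unescape_value(raw.strip())))
    return parts


def _normalized(pairs):
    # DN comparison is case-insensitive for the attribute types and (for these attributes) values
    return [(a, v.lower()) for a, v in pairs]


def organization_from_dn(dn, base_dn="DC=TEST,DC=LOCAL"):
    """Equivalent of the mapping's output: the OU directly under base_dn (the one the greedy regex
    captures), or None when the DN is not under base_dn or carries no OU at all."""
    parts = parse_dn(dn)
    base = parse_dn(base_dn)
    if len(parts) <= len(base) or _normalized(parts[-len(base):]) != _normalized(base):
        return None
    ous = [v for a, v in parts[:-len(base)] if a == "OU"]
    return ous[-1] if ous else None   # last OU in the list = closest to the base, as the regex picks


if __name__ == "__main__":
    # constructed sample DNs
    for sample in ("CN=Jane Doe,OU=The Student,DC=TEST,DC=LOCAL",
                   "CN=Jane Doe,OU=Students,OU=Campus,DC=TEST,DC=LOCAL",
                   "CN=Jane Doe,OU=Sales\\, EMEA,DC=TEST,DC=LOCAL",
                   "CN=Jane Doe,OU=Staff,DC=OTHER,DC=LOCAL"):
        print(f"{sample!r}: regex={naive_ou(sample)!r} parsed={organization_from_dn(sample)!r}")
```

<p>For plain DNs both approaches agree; the parser differs only where the regex would copy the raw escape sequence into the user's organization value, which is worth keeping in mind when that attribute later drives role or org membership.</p>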

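<p>Pavol's absolute-mode mapping iterates over all of a user's assignments at once, keeps only the role references, resolves each OID to the role name, and, as he notes, should tolerate roles that no longer exist. The following Python stand-in is an added example, not midPoint's or Pavol's code; it carries that algorithm through with constructed assignments and a constructed in-memory repository in place of <code>midpoint.getObject()</code> (the <code>ObjectNotFoundError</code> class and the OIDs are invented for the example). Beyond the thread's version it also collapses the same role assigned twice into one value and reports dangling OIDs separately, so that a reference to a deleted role is visible for review rather than silently dropped from a value that other applications (ADFS, Shibboleth) will read as an entitlement.</p>

```python
from dataclasses import dataclass, field


class ObjectNotFoundError(Exception):
    """Stand-in for midPoint's ObjectNotFoundException (constructed for this example)."""


# Constructed in-memory "repository": OID -> (object type, name). Stands in for midpoint.getObject().
REPOSITORY = {
    "role-end-user": ("RoleType", "End user"),
    "role-lab-admin": ("RoleType", "Lab Admin"),
    "org-nursing": ("OrgType", "Nursing"),
}


def get_object(object_type, oid):
    """Mimic midpoint.getObject(): raise when the OID does not exist or is of another type."""
    if oid not in REPOSITORY:
        raise ObjectNotFoundError(f"object {oid} not found")
    kind, name = REPOSITORY[oid]
    if kind != object_type:
        raise ObjectNotFoundError(f"object {oid} is a {kind}, not a {object_type}")
    return {"oid": oid, "type": kind, "name": name}


# Constructed user assignments, shaped after AssignmentType: roles and orgs carry a targetRef,
# an account assignment carries a construction and no targetRef at all.
ASSIGNMENTS = [
    {"targetRef": {"type": "RoleType", "oid": "role-end-user"}},
    {"targetRef": {"type": "OrgType", "oid": "org-nursing"}},        # org: filtered out (fact 2)
    {"construction": {"resourceRef": {"oid": "resource-ad"}}},       # account: no targetRef
    {"targetRef": {"type": "RoleType", "oid": "role-lab-admin"}},
    {"targetRef": {"type": "RoleType", "oid": "role-deleted"}},      # role deleted after assignment
    {"targetRef": {"type": "RoleType", "oid": "role-end-user"}},     # the same role assigned twice
]


@dataclass
class RoleNameResult:
    names: list = field(default_factory=list)     # values for the multi-valued target attribute
    dangling: list = field(default_factory=list)  # role OIDs that no longer resolve


def role_names_from_assignments(assignments, resolve=get_object):
    """Absolute-mode evaluation: look at all assignments at once and return every role name,
    skipping non-role assignments and tolerating roles that have been deleted."""
    result = RoleNameResult()
    seen = set()
    for assignment in assignments or []:
        target = assignment.get("targetRef")
        if target is None or target.get("type") != "RoleType":   # filtering, fact (2)
            continue
        oid = target["oid"]
        if oid in seen:                                          # same role assigned twice
            continue
        seen.add(oid)
        try:
            role = resolve("RoleType", oid)                      # OID -> object, fact (3)
        except ObjectNotFoundError:
            result.dangling.append(oid)                          # recorded, not silently dropped
            continue
        result.names.append(role["name"])
    result.names.sort()                                          # stable order for a multi-valued attribute
    return result


if __name__ == "__main__":
    r = role_names_from_assignments(ASSIGNMENTS)
    print("eduPersonEntitlement values:", r.names)
    print("dangling role references:", r.dangling)
```

<p>In the Groovy mapping the equivalent of <code>dangling</code> would be a log line or an audit event in the <code>catch</code> block; the point is that the target attribute receives only names of role objects that actually resolved.</p>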