<div dir="ltr">Wow! Thank you for this; I had no idea so much was involved just to pull the name. I am glad I asked, because after much searching I couldn't understand where to start; I think I am reading too much all over, too fast. I have just now started playing with the scripts more and more, and I am noticing how powerful it could be, making it easier to fill in redundant mandatory fields in AD using midPoint. I am even using the regular expressions not just for the distinguishedName; I worked some other expressions into other fields/attributes.<div><br></div><div>Yes, the attribute eduPersonEntitlement is a multi-valued string. We use this attribute for many other applications, including Microsoft ADFS and Shibboleth SSO, so I was wanting to see if later on we could get the roles assigned in midPoint into AD so that we could use the information in other applications, or at least standardize the names across applications, and it looks to be possible.</div><div><br></div><div>Thanks Again!</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 17, 2014 at 4:31 PM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hello Jason,<br>
<br>
yes, there is a way to do it. Conceptually, you need to create a
mapping<br>
<br>
assignment -> target attribute<br>
<br>
However, there are three facts to bear in mind:<br>
<br>
(1) there can be many roles the user has been assigned -> so
either you choose one of them (how?) or the target attribute has
to be multi-valued; let's assume the latter<br>
(2) assignments can be not only roles, but also accounts and orgs
-> so there should be some filter based on the kind of
assignment<br>
(3) in the assignment there is only an OID of the target role, and you
want to have its name -> so there has to be a getObject(...)
operation in the process to get the name<br>
<br>
Conceptually, the solution could look like this:<br>
(This is a direct mapping from the user's roles to the "l" attribute
in an LDAP resource - tailor this to your needs. E.g. if you have to
map to a user property, you have to put this mapping into a user
template.)<br>
<br>
<attribute><br>
<ref xmlns:ri=<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a>>ri:l</ref><br>
<outbound><br>
<source><br>
<path>assignment</path><br>
</source><br>
<expression><br>
<script><br>
<code><br>
<br>
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType<br>
if (assignment != null) {<br>
target = assignment.getTargetRef()<br>
if (target != null && "RoleType".equals(target.getType().getLocalPart())) { // filtering, mentioned in (2)<br>
role = midpoint.getObject(RoleType.class, target.getOid(), null) // getting the object, mentioned in (3)<br>
return role.getName()<br>
}<br>
}<br>
return null<br>
<br>
</code><br>
</script><br>
</expression><br>
</outbound><br>
</attribute><br>
<br>
Unfortunately, life's not that easy ... because of a limitation in
midPoint (<a href="https://jira.evolveum.com/browse/MID-2064" target="_blank">MID-2064</a>)
we cannot process individual container values, only the container
as a whole - so we have to rewrite the mapping to process not item
after item, but to process all assignments as a whole. It's called
absolute mode of evaluation.<br>
<br>
The solution is then as follows:<br>
<br>
<attribute><br>
<ref xmlns:ri=<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</a>>ri:l</ref><br>
<outbound><br>
<source><br>
<name>assignmentContainer</name> <!-- just to provide a meaningful name to the source --><br>
<path>assignment</path><br>
</source><br>
<expression><br>
<script><br>
<relativityMode>absolute</relativityMode><br>
<code><br>
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType<br>
rv = new ArrayList()<br>
if (assignmentContainer != null) {<br>
for (assignment in assignmentContainer.getValues()) {<br>
target = assignment.asContainerable().getTargetRef()<br>
if (target != null && "RoleType".equals(target.getType().getLocalPart())) {<br>
role = midpoint.getObject(RoleType.class, target.getOid(), null)<br>
rv.add(role.getName().getOrig())<br>
}<br>
}<br>
}<br>
return rv<br>
</code><br>
</script><br>
</expression><br>
</outbound><br>
</attribute><br>
<br>
Of course, there should be some error handling around the getObject
method, because the role that the user has might already have been
deleted - so a simple try {...} catch {...} should be there. <br>
<br>
But I hope you get an overall idea from this sample.<br>
<br>
Best regards,<br>
Pavol<div><div class="h5"><br>
<br>
<br>
On 17. 10. 2014 21:43, Jason Everling wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">OK, thanks again. I still have a lot of testing with
incoming and outgoing attributes, trying to get them just right
before I move on to Roles/Orgs and such.
<div><br>
</div>
<div>Quick question,</div>
<div><br>
</div>
<div>Is there a way to get the assigned role name, like the
default role "end user", into a user attribute field? For
instance, the user is assigned the role "end user" and I
wanted to get the role name "end user" into the attribute
eduPersonEntitlement in AD. As long as I can get that name
"end user" into a field on the user details page, I can move it
into AD.</div>
<div><br>
</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Oct 17, 2014 at 5:28 AM, Ivan
Noris <span dir="ltr"><<a href="mailto:Ivan.Noris@evolveum.com" target="_blank">Ivan.Noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000">
<div>Hi Jason,<br>
</div>
<div><br>
</div>
<div>I'm not sure if I understand, but if you are asking
if you can create (import) organization structure in
midPoint according to your existing AD structure, the
answer is yes.<br>
</div>
<div><br>
</div>
<div>If you are asking if you can provision your
existing midPoint organization structure to AD, the
answer is double-yes. You can actually see this in our
generic-sync scenarios. For simpler cases where the
organization structure is maintained in midPoint (and
not in some kind of authoritative source such as CSV)
this is very simple, and I'm using this just now in
current projects.<br>
</div>
<div><br>
</div>
<div>It's all just configuration in midPoint (resource,
roles, object templates). The inbound (from AD to
midPoint) organization synchronization is a little
more difficult than the outbound (midPoint to AD), but
certainly doable.<br>
</div>
<div><br>
</div>
<div>Regards,<br>
</div>
<div>Ivan<br>
</div>
<div><br>
</div>
<hr>
<blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><span><b>From: </b>"Jason Everling" <<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>><br>
<b>To: </b>"midPoint General Discussion" <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br>
</span><b>Sent: </b>Thursday, October 16, 2014
10:07:34 PM<span><br>
<b>Subject: </b>Re: [midPoint] Existing Active
Directory Users<br>
<div><br>
</div>
</span>
<div>
<div>
<div dir="ltr">That is great! I was testing this,
and it seems to be working. I was thinking about
this more also, and down the road once I move
into Orgs and such.
<div><br>
</div>
<div>I am almost certain, correct me if I am
wrong, but I could also base the DN on
information pulled from the Orgs in midPoint. I would
pretty much be building out the Orgs in the
same manner that our AD orgs are set up.</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct 16, 2014 at
10:27 AM, Ivan Noris <span dir="ltr"><<a href="mailto:Ivan.Noris@evolveum.com" target="_blank">Ivan.Noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000">
<div>Hi Jason,<br>
</div>
<div><br>
</div>
<blockquote style="border-left:2px solid #1010ff;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt">
<div dir="ltr">
<div><br>
</div>
<div>AD only needs to be
authoritative during the initial
deployment, since we have thousands
of accounts in AD; after that, all
accounts will be modified/added
using midPoint.</div>
<div><br>
</div>
<div>I think using the method I
outlined last to build the DN is
more or less what I am moving
towards. I have looked through AD
attributes, and the attribute "ou"
in AD is not used and would make
sense to populate with the actual OU. I can simply
use a PowerShell script to add the
correct value to this attribute
based on the user's current OU and
then build the DN in midPoint off
this value.</div>
<div><br>
</div>
<div>Using the "ou" attribute in AD
might also be the best way since
later on I can use the attribute
in roles and orgs. I have been
looking at the orgsync story test
on GitHub for inspiration.</div>
</div>
</blockquote>
<div><br>
</div>
<div>You can use a PS script in AD to fill the
"ou" attribute in accounts and then
import it to midPoint, but you can also
construct the value directly during the
initial import in an inbound expression
with no changes in AD. Roughly -
something like this:<br>
</div>
<div><br>
</div>
<div>
<attribute><br>
<ref>icfs:name</ref><br>
<displayName>Distinguished Name</displayName><br>
<inbound><br>
<expression><br>
<script><br>
<code><br>
// parse OU value from variable named <strong>input</strong> (represents DN) using Groovy regular expressions<br>
// e.g. from OU=The Student,DC=TEST,DC=LOCAL take "The Student" value<br>
// please fix the regular expression according to your setup, this is just a rough example<br>
<br>
re = /(?i)^.*OU=(.*),DC=TEST,DC=LOCAL$/<br>
matcher = (input =~ re)<br>
if (matcher.matches()) return matcher[0][1]<br>
<br>
// will be stored in <strong>user/organization</strong> attribute, modify as needed<br>
</code><br>
</script><br>
</expression><br>
<target><br>
<path>$user/organization</path><br>
</target><br>
</inbound><br>
</attribute><br>
<br>
</div>
<div>This is also to show you the power
of the expressions in the mappings.<br>
</div>
<div><br>
</div>
<div>Regards,<br>
</div>
<div>Ivan<br>
</div>
<div><br>
</div>
<div>-- <br>
</div>
<div><span></span> Ing. Ivan Noris<br>
Senior Identity Management Engineer<br>
<a href="http://evolveum.com" target="_blank">evolveum.com</a><br>
___________________________________________<br>
"Idem per idem - semper
idem Vix."<span></span><br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<div><br>
</div>
</div>
</div>
<span><span style="font-size:small" size="2">CONFIDENTIALITY
NOTICE:<br>
This e-mail together with any attachments is
proprietary and confidential; intended for only
the recipient(s) named above and may contain
information that is privileged. You should not
retain, copy or use this e-mail or any attachments
for any purpose, or disclose all or any part of
the contents to any person. Any views or opinions
expressed in this e-mail are those of the author
and do not represent those of the Baptist School
of Health Professions. If you have received this
e-mail in error, or are not the named
recipient(s), you are hereby notified that any
review, dissemination, distribution or copying of
this communication is prohibited by the sender and
to do so might constitute a violation of the
Electronic Communications Privacy Act, 18 U.S.C.
section 2510-2521. Please immediately notify the
sender and delete this e-mail and any attachments
from your computer. </span><br>
<div><br>
</div>
</span></blockquote>
<span>
<div><br>
<br>
</div>
<div><br>
</div>
<div>-- <br>
</div>
<div><span name="x"></span> Ing. Ivan Noris<br>
Senior Identity Management Engineer<br>
<a href="http://evolveum.com" target="_blank">evolveum.com</a><br>
___________________________________________<br>
"Idem per idem - semper idem Vix."<span name="x"></span><br>
</div>
</span></div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br></div>
<br>
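The thread leaves two pieces open: Pavol's absolute-mode mapping is shown without the try/catch he says it still needs, and Ivan's regex grabs whichever OU sits last before the DC components, so a user under `OU=Students,OU=Campus,...` would land in "Campus". The fragment below is an added example, not code from the thread or from the midPoint project, that puts both mappings on one AD account objectType. Assumed, because the page does not show them: the target attribute name `ri:eduPersonEntitlement` (Jason's attribute; the thread's samples write to `ri:l`), the midPoint script variable `log` and the class `com.evolveum.midpoint.util.exception.ObjectNotFoundException` (midPoint 3.x API), the usual account objectType header (kind/default/objectClass), and that the `icfs` prefix is declared on the resource root as in a normal resource definition.

```xml
<!-- Added example, not from the thread or the midPoint project.
     Inbound: DN -> user/organization (Ivan's idea, taking the OU nearest the account).
     Outbound: all assigned role names -> multi-valued AD attribute (Pavol's absolute-mode
     sample plus the error handling he mentions).
     Assumed names: ri:eduPersonEntitlement, the script variable 'log', ObjectNotFoundException. -->
<objectType xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <kind>account</kind>
  <default>true</default>
  <objectClass>ri:AccountObjectClass</objectClass>

  <!-- Inbound: organization from the account DN. Takes the first OU reading left to
       right (the container the account actually sits in) and yields no value, rather
       than failing, for a DN that has no OU at all. -->
  <attribute>
    <ref>icfs:name</ref>
    <displayName>Distinguished Name</displayName>
    <inbound>
      <expression>
        <script>
          <code>
            // 'input' is the DN, e.g. CN=jdoe,OU=Students,OU=Campus,DC=TEST,DC=LOCAL
            if (input == null) return null
            // first OU RDN after start-of-string or a comma; [^,]+ stops at the next RDN
            m = (input.toString() =~ /(?i)(?:^|,)\s*OU=([^,]+)/)
            if (m.find()) return m.group(1).trim()
            return null   // no OU in the DN: leave user/organization empty
          </code>
        </script>
      </expression>
      <target>
        <path>$user/organization</path>
      </target>
    </inbound>
  </attribute>

  <!-- Outbound: names of all assigned roles, absolute mode as in Pavol's second
       sample, skipping roles that have been deleted since they were assigned. -->
  <attribute>
    <ref>ri:eduPersonEntitlement</ref>
    <outbound>
      <source>
        <name>assignmentContainer</name>
        <path>assignment</path>
      </source>
      <expression>
        <script>
          <relativityMode>absolute</relativityMode>
          <code>
            import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType
            import com.evolveum.midpoint.util.exception.ObjectNotFoundException

            rv = new ArrayList()
            if (assignmentContainer == null) return rv
            for (assignment in assignmentContainer.getValues()) {
                target = assignment.asContainerable().getTargetRef()
                // only role assignments; account and org assignments are skipped
                if (target == null || !"RoleType".equals(target.getType().getLocalPart())) continue
                try {
                    role = midpoint.getObject(RoleType.class, target.getOid(), null)
                    rv.add(role.getName().getOrig())
                } catch (ObjectNotFoundException e) {
                    // dangling assignment: the role is gone, keep the other names
                    log.warn("Assigned role {} no longer exists, skipping", target.getOid())  // 'log' assumed
                }
            }
            return rv
          </code>
        </script>
      </expression>
    </outbound>
  </attribute>
</objectType>
```

For `CN=jdoe,OU=Students,OU=Campus,DC=TEST,DC=LOCAL` the inbound script returns `Students`; for a DN without any OU it returns null, so the mapping simply produces no value. RDN values containing an escaped comma (`\,`) are not handled by this regex and would be cut short. On the outbound side only `ObjectNotFoundException` is swallowed: a deleted role is logged and skipped while the remaining role names are still provisioned, and any other failure in `getObject` still propagates so a broken lookup is not silently turned into a shorter attribute value.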