<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
Defining kind/intent is currently not possible in the GUI, only in XML. This
will be enhanced in the near future.<br>
<br>
Can you send the resource? Thank you.<br>
<br>
I.<br>
<br>
<div class="moz-cite-prefix">On 12/04/2014 01:40 PM, dharmendra
parakh wrote:<br>
</div>
<blockquote
cite="mid:CAKvVWqzT+9QvxMGxWtSZUriJPjZO_pQB7BgNgT9esR0g_VQgcw@mail.gmail.com"
type="cite">
<div dir="ltr">Hi
<div><br>
</div>
<div>Thanks for all the information.</div>
<div><br>
</div>
<div>I added the resource inducement to the role, but the kind and
intent information was not added to the role definition, so I
modified the XML and added </div>
<div>
<div><br>
</div>
<div><kind>entitlement</kind></div>
<div><intent>ldapGroup</intent></div>
</div>
<div><br>
</div>
<div>in inducement construction as per my resource
configuration.</div>
<div><br>
</div>
<div>Now I assigned my role to the organization; it goes and tries
to create an object of groupOfNames, but the operation fails because
there was no member added to the group and member is a required
attribute in the groupOfNames objectclass.</div>
<div>So where do we have to add the member DN, and how can we do
that?</div>
<div><br>
</div>
<div>Regards</div>
<div>Dharmendra</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Dec 4, 2014 at 4:29 PM, Ivan
Noris <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Dharmendra,<br>
<br>
this is my sample role for organization (or a fragment of
it), which I assign to the organizations in midPoint. This
role will cause provisioning to LDAP:<br>
<br>
<role oid="00000000-dc00-dc00-0004-000000000010"<br>
xmlns=<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:c=<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
xmlns:t=<a moz-do-not-send="true"
href="http://prism.evolveum.com/xml/ns/public/types-3"
target="_blank">"http://prism.evolveum.com/xml/ns/public/types-3"</a><br>
xmlns:piracy=<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/samples/piracy"
target="_blank">"http://midpoint.evolveum.com/xml/ns/samples/piracy"</a>><br>
<name>Role for org. structure replication to
directory</name><br>
<br>
. . .<br>
<inducement><br>
<construction><br>
<resourceRef
oid="00000000-dc00-dc00-0001-100000000002"
type="c:ResourceType"/><br>
<b> <kind>entitlement</kind></b><b><br>
</b><b>
<intent>billing-group</intent></b><br>
</construction><br>
</inducement><br>
. . .<br>
<br>
This means that I have to have a resource (my oid is
"00000000-dc00-dc00-0001-100000000002"), where I have
defined:<br>
<schemaHandling><br>
. . .<br>
<objectType><br>
<b><kind>entitlement</kind></b><b><br>
</b><b>
<intent>billing-group</intent></b><br>
<displayName>Group for
billing</displayName><br>
<default>false</default><br>
<b><objectClass>ri:GroupObjectClass</objectClass></b><br>
<attribute><br>
<ref>icfs:name</ref> <!--
required attribute on AD --><br>
<matchingRule>mr:stringIgnoreCase</matchingRule><br>
<outbound><br>
. . .<br>
rest of outbounds needed for group attributes here<br>
. . .<br>
<br>
So, if the <b>role gets assigned to my organization in
midPoint (Edit organization, and add the role to
Assignments, not inducements)</b>, it will construct an
object of type entitlement, kind of billing-group. The
schemaHandling associates entitlement/kind with
objectClass=GroupObjectClass. So provisioning will create a
group, not an account. The attributes for the group are based
on your schema handling expressions for the
entitlement/billing-group.<br>
<br>
If the role does not specify kind/intent, defaults are
used (kind=account, intent=default). So this may cause
creating accounts instead of groups ...<br>
<br>
If everything works, you may have the role automatically
assigned to all organizations in midPoint as they are
created. But I will do this only if everything works,
because it's easier to debug.<br>
<br>
Hope this helps,<br>
regards,<br>
Ivan
<div>
<div class="h5"><br>
<br>
<br>
<div>On 12/04/2014 11:46 AM, dharmendra parakh wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>Thanks for the information. I have this
already configured in my LDAP resource.</div>
<div><br>
</div>
<div>I went through all these documents and then I
tried to implement the same synchronization
technique.</div>
<div><br>
</div>
<div>So I created a role MetaRole and added the LDAP
resource as an inducement (I did not fill in any
information in the resource form).</div>
<div>Then I created another role, and when I try to
add that MetaRole as an assignment to this role I
am getting an error saying:</div>
<div><br>
</div>
<div><font color="#ff0000">Couldn't add object.
Schema violation: Schema violation during
processing shadow: shadow: null (OID:null):
Schema violation:
javax.naming.directory.SchemaViolationException([LDAP:
error code 65 - object class 'inetOrgPerson'
requires attribute 'sn']<br>
</font></div>
<div><br>
</div>
<div>I am confused why it is trying to create an
inetOrgPerson object instead of groupOfNames.</div>
<div><br>
</div>
<div>Is it a configuration issue or am I doing
something wrong? Can you help me figure this
out? My resource configuration is attached just
for your reference.</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards</div>
<div>Dharmendra</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Dec 4, 2014 at
3:07 PM, Ivan Noris <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi,<br>
<br>
You don't need a new connector to create LDAP
groups. Just configuration in midPoint: new
schemaHandling <objectType> and
corresponding
<synchronization><objectType>
parts for kind=entitlement and intent=group.<br>
<br>
For example you may check the sample:
samples/resources/opendj/opendj-resource-genericsync.xml
to see how it can be configured.<br>
<br>
After you have this configured, you can
create a role which will construct the
kind=entitlement,intent=group object on the
LDAP resource.<br>
<br>
Then you assign such role to either
organization or role in midpoint and it will
provision corresponding group to LDAP.<br>
<br>
Please refer also to:<br>
<a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Generic+Synchronization"
target="_blank">https://wiki.evolveum.com/display/midPoint/Generic+Synchronization</a><br>
<a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Focus+and+Projections"
target="_blank">https://wiki.evolveum.com/display/midPoint/Focus+and+Projections</a><br>
<a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization"
target="_blank">https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization</a><br>
<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On 12/04/2014 10:28 AM, dharmendra
parakh wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi
<div><br>
</div>
<div>Is there any out of the box
configuration to achieve it, or do I
have to write a connector?</div>
<div><br>
</div>
<div>Waiting for response..</div>
<div><br>
</div>
<div>Regards</div>
<div>Dharmendra</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Dec
3, 2014 at 7:00 PM, dharmendra
parakh <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dharm.parakh@gmail.com"
target="_blank">dharm.parakh@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">Hi
<div><br>
</div>
<div>I was playing around with the
LDAP connector bundled with
midPoint. It works well for
creating user accounts and
user group assignment. </div>
<div><br>
</div>
<div>I want to create an LDAP
group. Is it possible, using
the same connector, to
provision an LDAP group on
the target LDAP resource,
basically a
groupOfUniqueNames or a
posixGroup?</div>
<div><br>
</div>
<div>If possible, please point
me to the documentation
which I can refer to and
configure it.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks</div>
<span><font color="#888888">
<div>Dharmendra Parakh</div>
</font></span></div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span><font color="#888888">
</font></span></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
evolveum.com evolveum.com/blog/
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</body>
</html>