<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
OK, so now I know...<br>
<br>
Seems you are using OpenLDAP... and its groupOfNames objectClass
requires at least one member in every group.<br>
<br>
So there are basically 3 options:<br>
1) having one static (dummy) member in each group - which you probably
have even now, before you tried to test midPoint<br>
2) modification of the schema in OpenLDAP<br>
3) another directory server<br>
<br>
From these options, 1) seems to be the fastest and the one with no
collateral damage.<br>
<br>
So the mapping you have for ri:member can be either in the role or
in the resource schemaHandling for this kind/intent combination.<br>
<br>
From your schema I see that the following can be used:<br>
- CustomposixGroupObjectClass (corresponding to LDAP's posixGroup)
with memberUid attribute<br>
- GroupObjectClass (corresponding perhaps to GroupOfUniqueNames?
connector hides this as __GROUP__) with <br>
- CustomGroupOfNamesObjectClass (corresponding to LDAP's
groupOfNames) with member attribute - this is what you use now<br>
<br>
If you need to create groups of more than one type, you need to
extend your resource configuration (almost copy/paste from what you
have now for CustomGroupOfNamesObjectClass, but with a different
objectClass and intent). The kind will be entitlement for all of
them.<br>
<br>
Regards,<br>
Ivan<br>
<br>
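As an added example (not from this thread and not midPoint's own sample code), this is what option 1 looks like when the ri:member mapping is kept in the resource schemaHandling instead of in the role: a weak outbound mapping supplies a constant placeholder member so the groupOfNames entry can be created, and the role itself only carries kind/intent. Assumed, not from the thread: the base DN dc=example,dc=com, an ou=groups container, a pre-created placeholder entry, and that the PolyString name is usable as a String inside the script.<br>

```xml
<schemaHandling>
  <!-- Added example, not from this thread. Option 1: keep the ri:member
       mapping in the resource with a constant placeholder member, so
       OpenLDAP's MUST member constraint is met when the group is created.
       Assumed: base dc=example,dc=com, ou=groups, and a pre-created
       placeholder entry uid=placeholder,ou=people,dc=example,dc=com. -->
  <objectType>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <displayName>LDAP groupOfNames</displayName>
    <default>false</default>
    <objectClass>ri:CustomGroupOfNamesObjectClass</objectClass>
    <attribute>
      <!-- DN of the new group, derived from the role/org name -->
      <ref>icfs:name</ref>
      <matchingRule>mr:stringIgnoreCase</matchingRule>
      <outbound>
        <source><path>$focus/name</path></source>
        <expression>
          <script><code>'cn=' + name + ',ou=groups,dc=example,dc=com'</code></script>
        </expression>
      </outbound>
    </attribute>
    <attribute>
      <ref>ri:member</ref>
      <outbound>
        <!-- weak: applied only when the attribute would otherwise be empty
             (i.e. at creation); once real members exist it adds nothing -->
        <strength>weak</strength>
        <expression>
          <value>uid=placeholder,ou=people,dc=example,dc=com</value>
        </expression>
      </outbound>
    </attribute>
  </objectType>
</schemaHandling>

<!-- The role then only needs kind/intent; the member mapping lives in
     the resource. The resource OID is the one quoted in the thread. -->
<role>
  <name>LDAP group replication</name>
  <inducement>
    <construction>
      <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="ResourceType"/>
      <kind>entitlement</kind>
      <intent>ldapGroup</intent>
    </construction>
  </inducement>
</role>
```

The two fragments are shown together for readability; in practice the schemaHandling part goes into the resource object and the role part into the role object.<br>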
<div class="moz-cite-prefix">On 12/04/2014 02:20 PM, dharmendra
parakh wrote:<br>
</div>
<blockquote
cite="mid:CAKvVWqyoqYnt2m-jNUusYY5LtTiFtzrtfTn-T59AHq4KHvmcNg@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>I figured it out, I modified my role definition and added the
member attribute to it, for example:</div>
<div><br>
</div>
<pre>
<inducement id="1">
  <construction>
    <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="ResourceType"/>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <attribute>
      <ref>ri:member</ref>
      <outbound>
        <expression>
          <value>uid=jodoe,dc=example,dc=com</value>
        </expression>
      </outbound>
    </attribute>
  </construction>
</inducement>
</pre>
<div><br>
</div>
<div>Now when I assign this role to any other role or
organization, it creates an LDAP group with that
role/organization name.</div>
<div><br>
</div>
<div><br>
</div>
<div>Now I have a few questions:</div>
<div><br>
</div>
<div>Q. Is it the right way to add the member attribute?</div>
<div><br>
</div>
<div>Q. To make the role of kind "entitlement", do we always have
to update the XML to add kind, intent and member information?</div>
<div><br>
</div>
<div>Q. When I make any changes, like changing the role name,
the member information is gone from my role. Is it an
issue, or can we not change this?</div>
<div><br>
</div>
<div>Q. What types of group are supported with this LDAP
connector, like groupOfUniqueNames and posixGroup?</div>
<div><br>
</div>
<div>Thanks</div>
<div>Dharmendra</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Dec 4, 2014 at 6:10 PM,
dharmendra parakh <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dharm.parakh@gmail.com" target="_blank">dharm.parakh@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi
<div><br>
</div>
<div>Thanks for all the information.</div>
<div><br>
</div>
<div>I added the resource inducement to the role, but kind
and intent information was not added to the role
definition, so I modified the XML and added</div>
<div>
<div><br>
</div>
<div><kind>entitlement</kind></div>
<div><intent>ldapGroup</intent></div>
</div>
<div><br>
</div>
<div>in inducement construction as per my resource
configuration.</div>
<div><br>
</div>
<div>Now I assigned my role to an organization; it goes and
tries to create a groupOfNames object, but the operation
fails because no member was added to the group, and
member is a required attribute in the groupOfNames
objectClass.</div>
<div>So where do we have to add the member DN, and how can we
do that?</div>
<div><br>
</div>
<div>Regards</div>
<span class="HOEnZb"><font color="#888888">
<div>Dharmendra</div>
<div><br>
</div>
<div><br>
</div>
</font></span></div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Dec 4, 2014 at 4:29
PM, Ivan Noris <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi
Dharmendra,<br>
<br>
this is my sample role for an organization (or a
fragment of it), which I assign to the
organizations in midPoint. This role will cause
provisioning to LDAP:<br>
<br>
<pre>
<role oid="00000000-dc00-dc00-0004-000000000010"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
  <name>Role for org. structure replication to directory</name>

  . . .
  <inducement>
    <construction>
      <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
      <b><kind>entitlement</kind>
      <intent>billing-group</intent></b>
    </construction>
  </inducement>
  . . .
</pre>
<br>
This means that I have to have a resource (my OID
is "00000000-dc00-dc00-0001-100000000002"),
where I have defined:<br>
<pre>
<schemaHandling>
  . . .
  <objectType>
    <b><kind>entitlement</kind>
    <intent>billing-group</intent></b>
    <displayName>Group for billing</displayName>
    <default>false</default>
    <b><objectClass>ri:GroupObjectClass</objectClass></b>
    <attribute>
      <ref>icfs:name</ref> <!-- required attribute on AD -->
      <matchingRule>mr:stringIgnoreCase</matchingRule>
      <outbound>
        . . .
        rest of outbounds needed for group attributes here
        . . .
</pre>
<br>
So, if <b>the role gets assigned to my organization
in midPoint (edit the organization and add the
role to Assignments, not inducements)</b>, it
will construct an object of type entitlement, kind
of billing-group. The schemaHandling associates
entitlement/kind with
objectClass=GroupObjectClass. So provisioning
will create a group, not an account. The attributes
for the group are based on your schemaHandling
expressions for the entitlement/billing-group.<br>
<br>
If the role does not specify kind/intent,
defaults are used (kind=account,
intent=default). So this may cause accounts to be
created instead of groups ...<br>
<br>
If everything works, you may have the role
automatically assigned to all organizations in
midPoint as they are created. But I will do this
only if everything works, because it's easier to
debug.<br>
<br>
Hope this helps,<br>
regards,<br>
Ivan
<div>
<div><br>
<br>
<br>
<div>On 12/04/2014 11:46 AM, dharmendra
parakh wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>Thanks for the information. I have
this already configured in my LDAP
resource.</div>
<div><br>
</div>
<div>I went through all these documents
and then I tried to implement the same
synchronization technique.</div>
<div><br>
</div>
<div>So I created a role MetaRole and
added the LDAP resource as an inducement
(I did not fill in any information in the
resource form).</div>
<div>Then I created another role, and
when I try to add that MetaRole as an
assignment to this role I am getting
an error saying:</div>
<div><br>
</div>
<div><font color="#ff0000">Couldn't add
object. Schema violation: Schema
violation during processing shadow:
shadow: null (OID:null): Schema
violation:
javax.naming.directory.SchemaViolationException([LDAP:
error code 65 - object class
'inetOrgPerson' requires attribute
'sn']<br>
</font></div>
<div><br>
</div>
<div>I am confused why it is trying to
create an inetOrgPerson object instead of
groupOfNames.</div>
<div><br>
</div>
<div>Is it a configuration issue, or am I
doing something wrong? Can you help me
figure this out? My resource
configuration is attached just for
your reference.</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards</div>
<div>Dharmendra</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Dec 4,
2014 at 3:07 PM, Ivan Noris <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000"> Hi,<br>
<br>
you don't need a new connector to
create LDAP groups. Just
configuration in midPoint: a new
schemaHandling <objectType>
and the corresponding
<synchronization><objectType>
parts for kind=entitlement and
intent=group.<br>
<br>
For example you may check the
sample:
samples/resources/opendj/opendj-resource-genericsync.xml
to see how it can be configured.<br>
<br>
After you have this configured,
you can create a role which will
construct the
kind=entitlement,intent=group
object on the LDAP resource.<br>
<br>
Then you assign such a role to
either an organization or a role in
midPoint and it will provision the
corresponding group to LDAP.<br>
<br>
Please refer also to:<br>
<a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Generic+Synchronization"
target="_blank">https://wiki.evolveum.com/display/midPoint/Generic+Synchronization</a><br>
<a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Focus+and+Projections"
target="_blank">https://wiki.evolveum.com/display/midPoint/Focus+and+Projections</a><br>
<a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization"
target="_blank">https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization</a><br>
<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On 12/04/2014 10:28 AM,
dharmendra parakh wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi
<div><br>
</div>
<div>Is there any out-of-the-box
configuration to achieve it, or do
I have to write a connector?</div>
<div><br>
</div>
<div>Waiting for
response..</div>
<div><br>
</div>
<div>Regards</div>
<div>Dharmendra</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Wed, Dec 3, 2014 at 7:00
PM, dharmendra parakh <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dharm.parakh@gmail.com" target="_blank">dharm.parakh@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div dir="ltr">Hi
<div><br>
</div>
<div>I was playing
around with the LDAP
connector bundled
with midPoint. It
works well for
creating user
accounts and user
group assignment.</div>
<div><br>
</div>
<div>I want to
create an LDAP group.
Is it possible,
using the same
connector, to
provision an LDAP
group on the target
LDAP resource,
basically a
groupOfUniqueNames
or a posixGroup?</div>
<div><br>
</div>
<div>If possible,
please point me to
the documentation
which I can refer to
in order to configure it.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks</div>
<span><font
color="#888888">
<div>Dharmendra
Parakh</div>
</font></span></div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span><font color="#888888">
</font></span></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>