<div dir="ltr">Hi Ivan<div><br></div>
<div>I figured it out. I modified my role definition and added the member attribute to it, for example:</div><div><br></div>
<div><div><inducement id="1"></div>
<div>      <construction></div>
<div>         <resourceRef oid="d0811790-1d80-11e4-86b2-3c970e467874" type="ResourceType"/></div>
<div>         <kind>entitlement</kind></div>
<div>         <intent>ldapGroup</intent></div>
<div>         <attribute></div>
<div>            <ref>ri:member</ref></div>
<div>            <outbound></div>
<div>               <expression></div>
<div>                  <value>uid=jodoe,dc=example,dc=com</value></div>
<div>               </expression></div>
<div>            </outbound></div>
<div>         </attribute></div>
<div>      </construction></div>
<div>   </inducement></div></div><div><br></div>
<div>Now when I assign this role to any other role or organization, it creates an LDAP group with that role/organization name.</div><div><br></div><div><br></div>
<div>Now I have a few questions:</div><div><br></div>
<div>Q. Is this the right way to add the member attribute?</div><div><br></div>
<div>Q. To make the role of kind "entitlement", do we always have to update the XML to add the kind, intent and member information?</div><div><br></div>
<div>Q. When I make any changes, e.g. changing the role name, the member information is gone from my role. Is this an issue, or can we not change this?</div><div><br></div>
<div>Q. What types of group are supported with this LDAP connector, like groupOfUniqueNames and posixGroup?</div><div><br></div><div><br></div><div><br></div><div><br></div>
<div>Thanks</div><div>Dharmendra</div><div><br></div><div><br></div><div><br></div></div>
<div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 4, 2014 at 6:10 PM, dharmendra parakh <span dir="ltr"><<a href="mailto:dharm.parakh@gmail.com" target="_blank">dharm.parakh@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi<div><br></div>
<div>Thanks for all the information.</div><div><br></div>
<div>I added the resource inducement to the role, but the kind and intent information was not added to the role definition, so I modified the XML and added </div>
<div><div><br></div><div><kind>entitlement</kind></div><div><intent>ldapGroup</intent></div></div><div><br></div>
<div>in the inducement construction as per my resource configuration.</div><div><br></div>
<div>Now I assigned my role to an organization; it tries to create an object of groupOfNames, but the operation fails because no member was added to the group, and member is a required attribute in the groupOfNames object class.</div>
<div>So where do we have to add the member DN, and how can we do that?</div><div><br></div>
<div>Regards</div><span class="HOEnZb"><font color="#888888"><div>Dharmendra</div><div><br></div><div><br></div></font></span></div>
<div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 4, 2014 at 4:29 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hi Dharmendra,<br>
    <br>
    this is my sample role for organizations (or a fragment of it), which
    I assign to the organizations in midPoint. This role will cause
    provisioning to LDAP:<br>
    <br>
    <role oid="00000000-dc00-dc00-0004-000000000010"<br>
          xmlns=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
          xmlns:c=<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">"http://midpoint.evolveum.com/xml/ns/public/common/common-3"</a><br>
          xmlns:t=<a href="http://prism.evolveum.com/xml/ns/public/types-3" target="_blank">"http://prism.evolveum.com/xml/ns/public/types-3"</a><br>
          xmlns:piracy=<a href="http://midpoint.evolveum.com/xml/ns/samples/piracy" target="_blank">"http://midpoint.evolveum.com/xml/ns/samples/piracy"</a>><br>
        <name>Role for org. structure replication to directory</name><br>
        <br>
    . . .<br>
        <inducement><br>
            <construction><br>
                <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/><br>
                <b><kind>entitlement</kind></b><br>
                <b><intent>billing-group</intent></b><br>
            </construction><br>
        </inducement><br>
    . . .<br>
    <br>
    This means that I have to have a resource (my oid is
    "00000000-dc00-dc00-0001-100000000002"), where I have defined:<br>
    <schemaHandling><br>
    . . .<br>
            <objectType><br>
                <b><kind>entitlement</kind></b><br>
                <b><intent>billing-group</intent></b><br>
                <displayName>Group for billing</displayName><br>
                <default>false</default><br>
                <b><objectClass>ri:GroupObjectClass</objectClass></b><br>
                <attribute><br>
                    <ref>icfs:name</ref> <!-- required attribute on AD --><br>
                    <matchingRule>mr:stringIgnoreCase</matchingRule><br>
                    <outbound><br>
    . . .<br>
    rest of outbounds needed for group attributes here<br>
    . . .<br>
    <br>
    So, if <b>the role gets assigned to my organization in midPoint (edit the
      organization and add the role to Assignments, not inducements)</b>,
    it will construct an object of type entitlement, kind of billing-group.
    The schemaHandling associates entitlement/kind with
    objectClass=GroupObjectClass, so provisioning will create a group, not
    an account. The attributes for the group are based on your schema
    handling expressions for the entitlement/billing-group.<br>
    <br>
    If the role does not specify kind/intent, defaults are used
    (kind=account, intent=default), so this may cause accounts to be
    created instead of groups ...<br>
    <br>
    If everything works, you may have the role automatically assigned to
    all organizations in midPoint as they are created. But I will do
    this only if everything works, because it's easier to debug.<br>
    <br>
    Hope this helps,<br>
    regards,<br>
    Ivan<div><div><br>
    <br>
    <br>
    <div>On 12/04/2014 11:46 AM, dharmendra
      parakh wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hi Ivan 
        <div><br>
        </div>
        <div>Thanks for the information. I have this already configured
          in my LDAP resource.</div>
        <div><br>
        </div>
        <div>I went through all these documents and then I tried to
          implement the same synchronization technique.</div>
        <div><br>
        </div>
        <div>So I created a role MetaRole and added the LDAP resource as an
          inducement (I did not fill in any information in the resource form).</div>
        <div>Then I created another role, and when I try to add that
          MetaRole as an assignment to this role I get an error
          saying:</div>
        <div><br>
        </div>
        <div><font color="#ff0000">Couldn't add object. Schema
            violation: Schema violation during processing shadow:
            shadow: null (OID:null): Schema violation:
            javax.naming.directory.SchemaViolationException([LDAP: error
            code 65 - object class 'inetOrgPerson' requires attribute
            'sn']<br>
          </font></div>
        <div><br>
        </div>
        <div>I am confused why it is trying to create an inetOrgPerson
          object instead of groupOfNames.</div>
        <div><br>
        </div>
        <div>Is it a configuration issue or am I doing something wrong?
          Can you help me figure this out? My resource configuration
          is attached for your reference.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>Regards</div>
        <div>Dharmendra</div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Dec 4, 2014 at 3:07 PM, Ivan
          Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Hi,<br>
              <br>
              you don't need a new connector to create LDAP groups, just
              configuration in midPoint: a new schemaHandling
              <objectType> and the corresponding
              <synchronization><objectType> parts for
              kind=entitlement and intent=group.<br>
              <br>
              For example you may check the sample
              samples/resources/opendj/opendj-resource-genericsync.xml
              to see how it can be configured.<br>
              <br>
              After you have this configured, you can create a role
              which will construct the kind=entitlement,intent=group
              object on the LDAP resource.<br>
              <br>
              Then you assign such a role to either an organization or a role
              in midPoint and it will provision the corresponding group to
              LDAP.<br>
              <br>
              Please refer also to:<br>
              <a href="https://wiki.evolveum.com/display/midPoint/Generic+Synchronization" target="_blank">https://wiki.evolveum.com/display/midPoint/Generic+Synchronization</a><br>
              <a href="https://wiki.evolveum.com/display/midPoint/Focus+and+Projections" target="_blank">https://wiki.evolveum.com/display/midPoint/Focus+and+Projections</a><br>
              <a href="https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization" target="_blank">https://wiki.evolveum.com/display/midPoint/Roles%2C+Metaroles+and+Generic+Synchronization</a><br>
              <br>
              Regards,<br>
              Ivan
              <div>
                <div><br>
                  <br>
                  <div>On 12/04/2014 10:28 AM, dharmendra parakh wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div>
                    <div dir="ltr">Hi
                      <div><br>
                      </div>
                      <div>Is there any out-of-the-box configuration to
                        achieve this, or do I have to write a connector?</div>
                      <div><br>
                      </div>
                      <div>Waiting for a response.</div>
                      <div><br>
                      </div>
                      <div>Regards</div>
                      <div>Dharmendra</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Wed, Dec 3, 2014 at
                        7:00 PM, dharmendra parakh <span dir="ltr"><<a href="mailto:dharm.parakh@gmail.com" target="_blank">dharm.parakh@gmail.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div dir="ltr">Hi
                            <div><br>
                            </div>
                            <div>I was playing around with the LDAP connector
                              bundled with midPoint. It works well for
                              creating user accounts and user group
                              assignment. </div>
                            <div><br>
                            </div>
                            <div>I want to create an LDAP group. Is it
                              possible to provision an LDAP group on the
                              target LDAP resource using the same connector,
                              basically a groupOfUniqueNames
                              or a posixGroup?</div>
                            <div><br>
                            </div>
                            <div>If possible, please point me to the
                              documentation I can refer to in order to
                              configure it.</div>
                            <div><br>
                            </div>
                            <div><br>
                            </div>
                            <div>Thanks</div>
                            <span><font color="#888888">
                                <div>Dharmendra Parakh</div>
                              </font></span></div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                    <br>
                    <br>
                  </div>
                </div>
                <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span><font color="#888888">
</font></span></pre>
                <span><font color="#888888"> </font></span></blockquote>
              <span><font color="#888888"> <br>
                  <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  _____________________________________________
  "Semper Id(e)M Vix."
</pre>
                </font></span></div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
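A configuration check for the two pitfalls this thread runs into (a construction without kind/intent falling back to account/default, and a groupOfNames object type that has no outbound for the required member attribute), added here as an example; it is not midPoint's own code and not from anyone in the thread. The role and schemaHandling fragments, the placeholder resource OID and the REQUIRED table of MUST attributes are constructed for the example; the account/default fallback is the behaviour Ivan describes above.

```python
import xml.etree.ElementTree as ET
NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
# Constructed role: inducement 1 has the working shape from the thread (kind/intent plus a
# member outbound); inducement 2 omits kind/intent, which midPoint treats as account/default.
ROLE_XML = f"""<role xmlns="{NS}">
 <inducement id="1"><construction><resourceRef oid="RESOURCE-OID-PLACEHOLDER"/>
  <kind>entitlement</kind><intent>ldapGroup</intent>
  <attribute><ref>ri:member</ref><outbound><expression>
   <value>uid=jodoe,dc=example,dc=com</value></expression></outbound></attribute></construction></inducement>
 <inducement id="2"><construction><resourceRef oid="RESOURCE-OID-PLACEHOLDER"/></construction></inducement></role>"""
# Constructed schemaHandling: which (kind, intent) pair maps to which LDAP object class.
RESOURCE_XML = f"""<resource xmlns="{NS}"><schemaHandling>
 <objectType><kind>account</kind><intent>default</intent><objectClass>ri:inetOrgPerson</objectClass>
  <attribute><ref>ri:cn</ref></attribute><attribute><ref>ri:sn</ref></attribute></objectType>
 <objectType><kind>entitlement</kind><intent>ldapGroup</intent><objectClass>ri:groupOfNames</objectClass>
  <attribute><ref>ri:cn</ref></attribute></objectType>
</schemaHandling></resource>"""
# MUST attributes per object class, hand-written here rather than read from the directory schema.
REQUIRED = {"ri:groupOfNames": {"ri:cn", "ri:member"}, "ri:inetOrgPerson": {"ri:cn", "ri:sn"}}
def local(tag):            # strip the {namespace} prefix ElementTree puts on tag names
    return tag.rsplit("}", 1)[-1]
def child_text(el, name):  # text of the first direct child with this local name, else None
    return next(((c.text or "").strip() for c in el if local(c.tag) == name), None)
def mapped_attrs(el):      # every <attribute><ref> below el, at any depth
    return {child_text(a, "ref") for a in el.iter() if local(a.tag) == "attribute"}

def lint_role(role_xml, resource_xml):
    """Map each inducement id to its findings; an empty list means it resolves to a
    defined object type and every MUST attribute has an outbound mapping somewhere."""
    types = {(child_text(o, "kind"), child_text(o, "intent")): o
             for o in ET.fromstring(resource_xml).iter() if local(o.tag) == "objectType"}
    report = {}
    for ind in (e for e in ET.fromstring(role_xml).iter() if local(e.tag) == "inducement"):
        con = next((c for c in ind if local(c.tag) == "construction"), None)
        if con is None:            # inducement of another role: nothing is provisioned
            continue
        issues = report.setdefault(ind.get("id"), [])
        kind, intent = child_text(con, "kind"), child_text(con, "intent")
        if kind is None or intent is None:
            kind, intent = kind or "account", intent or "default"
            issues.append(f"no kind/intent: falls back to {kind}/{intent}")
        ot = types.get((kind, intent))
        if ot is None:
            issues.append(f"no schemaHandling objectType for {kind}/{intent}")
            continue
        oc = child_text(ot, "objectClass")
        for attr in sorted(REQUIRED.get(oc, set()) - mapped_attrs(ot) - mapped_attrs(con)):
            issues.append(f"{oc} requires {attr} but no outbound mapping provides it")
    return report
```

Run `lint_role(ROLE_XML, RESOURCE_XML)` against your own exported role and resource XML to see which inducements would silently provision accounts or fail on a missing MUST attribute before assigning the role to an organization.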