<div dir="ltr">Hi,<div><br><div>As per our discussion I tried to give the &lt;strength&gt; tag in the role but it didn't work for me.</div></div><div><br></div><div>Basically we had two host attribute values in the inducement and the member user also had the same host membership; then after modifying the inducement I reconciled the user, but there was no change in the host attribute of the user's LDAP account.</div><div><br></div><div>I have attached the sample role XML, please have a look and let me know if I am doing anything wrong.</div><div><br></div><div><br></div><div><br></div><div>Thanks,</div><div>Anand Kothekar</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 23, 2015 at 3:15 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hi Anand,<br>
    <br>
    please see inline:<span class=""><br>
    <br>
    <div>On 01/23/2015 06:17 AM, Anand Kothekar
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hi Ivan
        <div><br>
        </div>
        <div>First of all, the LDAP connector supports auxiliary object
          classes. I have tested it and it works for me.</div>
        <div><br>
        </div>
        <div>Secondly, the host attribute is defined in the resource schema
          and I have added it in Schema Handling but I do not have any
          outbound mapping right now (quite usual for our requirement,
          most of the resources have such attributes that cannot be
          mapped to any focal object in midPoint).</div>
        <div><br>
        </div>
        <div>Is it possible that I can map whatever the user has entered
          (instead of mapping the host or any other attribute to
          midPoint's focal object) to the target resource attribute in
          an outbound mapping?</div>
      </div>
    </blockquote>
    <br></span>
    If user enters the value in the form, you don't need mappings.<br>
    Mappings are used to set the target attribute value according to some
    other attribute value or expression.<br>
    <br>
    Some examples:<br>
    If you need to copy user/givenName attribute value to LDAP's sn
    attribute, you need outbound mapping in resource schema handling.<br>
    If you need to generate LDAP's sn attribute value by taking
    user/givenName attribute value and (for example) lowercase all
    attributes and remove diacritics, you need outbound mapping in
    resource schema handling.<br>
    If you want the user to set the LDAP's host attribute to
    user-defined-value, i.e. in the GUI form, manually, you don't need
    any mapping for this attribute. If user enters the value manually,
    provisioning will store the value to the resource. It is NOT
    remembered in midPoint. There is no expression how to derive the
    value, thus no mapping. And midPoint has no way of forcing the
    attribute value to contain the user defined value during the
    reconciliation, because the user defined value is stored only on
    LDAP, not in midPoint. When outbound mappings are used, the target
    attribute value can be derived from some source
    attribute(s)/expressions, so midPoint can enforce these values.<br>
    <br>
    Maybe there is another way how to achieve what you need if I
    understand it correctly. Define an extended attribute in User (by
    extending schema) and let the user set/modify this extended
    attribute. Then you can have schema handling mapping in resource,
    and you can thus use strong mapping strength.<br>
    <br>
    Best regards,<br>
    Ivan<div><div class="h5"><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>My concern is that there is no way in the UI to set the
          strength, and doing it at policy level is quite
          unmanageable (the resource is one but inducements will be
          thousands). </div>
        <div><br>
        </div>
        <div>So just to summarize </div>
        <div>- we want this to be done at resource level.</div>
        <div>
          <blockquote style="margin:0 0 0 40px;border:none;padding:0px">
            <div>- I think it is achievable if we can define an outbound
              mapping so that the user-entered value is mapped to the target
              attribute.</div>
            <div><br>
            </div>
            <div><br>
            </div>
          </blockquote>
          Thanks</div>
        <div>Anand</div>
        <div><br>
        </div>
        </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Jan 22, 2015 at 8:36 PM, Ivan
          Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
              <br>
              as you have the mapping in role, not in resource, you
              should have the mapping set as strong for "host" attribute
              in <b>all</b> applicable roles (that are setting this
              attribute).<br>
              <br>
              There will be no configuration in resource, because there
              is no mapping for that attribute at the resource level.
              The strength always applies to the mapping definition.<br>
              <br>
              You mentioned that this is auxiliary object class. Not
              sure if the LDAP connector supports such classes...<br>
              <br>
              Regards,<br>
              I.
              <div>
                <div><br>
                  <br>
                  <div>On 01/22/2015 03:49 PM, Anand Kothekar wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">Hi,
                      <div><br>
                      </div>
                      <div>Yes, the host attribute will be entered by
                        the user who is managing midPoint or it will
                        be populated in the inducement of a role by our
                        custom code. It will never be automated to get
                        the value from any focus object like User.</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                      <div>Thanks</div>
                      <div>Anand</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                      </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Thu, Jan 22, 2015 at
                        7:56 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div text="#000000" bgcolor="#FFFFFF"> Hi
                            Anand,<br>
                            <br>
                            can you please be more precise about "value
                            entered by user"?<br>
                            Do you mean that the host and/or(?)
                            description attributes are expected to be
                            managed by the user who is editing the user
                            in midPoint, on the right side of User
                            details in Accounts part? Are these expected
                            to be set always explicitly by the user? No
                            automation from midpoint user attributes?<br>
                            <br>
                            Thanks,<br>
                            I.
                            <div>
                              <div><br>
                                <br>
                                <div>On 01/22/2015 02:03 PM, Anand
                                  Kothekar wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">Hi Ivan, 
                                    <div><br>
                                    </div>
                                    <div>Thanks for your inputs.</div>
                                    <div><br>
                                    </div>
                                    <div>I tried it by adding this
                                      constraint in inducement itself
                                      and it worked but I want to do
                                      this at resource level.</div>
                                    <div><br>
                                    </div>
                                    <div>I tried adding the same in the
                                      resource but the thing is I do not
                                      have any outbound mapping defined
                                      for these attributes (as I use the
                                      value entered by the user). Now if I
                                      add only the strength property in
                                      outbound it gives me an error.</div>
                                    <div><br>
                                    </div>
                                    <div>Can you help me with pointing
                                      to the right kind of mapping I
                                      need to do.</div>
                                    <div><br>
                                    </div>
                                    <div>Here is the host attribute
                                      snippet from my resource: </div>
                                    <div>
                                      <div>&lt;attribute&gt;</div>
                                      <div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;ref xmlns:ri="<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>"&gt;ri:host&lt;/ref&gt;</div>
                                      <div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;matchingRule xmlns:mr="<a href="http://prism.evolveum.com/xml/ns/public/matching-rule-3" target="_blank">http://prism.evolveum.com/xml/ns/public/matching-rule-3</a>"&gt;mr:stringIgnoreCase&lt;/matchingRule&gt;</div>
                                      <div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;outbound&gt;</div>
                                      <div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;strength&gt;strong&lt;/strength&gt;</div>
                                      <div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;/outbound&gt;</div>
                                      <div>&lt;/attribute&gt;</div>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div>I need to know how I can map
                                      value entered by user.</div>
                                    <div><br>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div>Thanks,<br>
                                    </div>
                                    <div>Anand Kothekar</div>
                                    <div><br>
                                    </div>
                                    </div>
                                  <div class="gmail_extra"><br>
                                    <div class="gmail_quote">On Thu, Jan
                                      22, 2015 at 5:52 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                        <div text="#000000" bgcolor="#FFFFFF"> Hi Anand,<br>
                                          <br>
                                          can you please define the
                                          mappings for description and
                                          host attributes as strong?<br>
                                          <br>
                                          Something like:<br>
                                          <br>
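                                          &lt;attribute&gt;<br>
                                          &nbsp;&nbsp;&nbsp;&nbsp;&lt;ref&gt;ri:description&lt;/ref&gt;<br>
                                          &nbsp;&nbsp;&nbsp;&nbsp;&lt;outbound&gt;<br>
                                          <b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;strength&gt;strong&lt;/strength&gt;</b><br>
                                          . . .<br>
                                          &nbsp;&nbsp;&nbsp;&nbsp;&lt;/outbound&gt;<br>
                                          &lt;/attribute&gt;<br>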
                                          Then run the reconciliation
                                          again please.<br>
                                          <br>
                                          If you already have this
                                          configured and it does not
                                          work, please share the
                                          attribute mappings here.<br>
                                          <br>
                                          Regards,<br>
                                          I.
                                          <div>
                                            <div><br>
                                              <br>
                                              <div>On 01/20/2015 11:15
                                                AM, Anand Kothekar
                                                wrote:<br>
                                              </div>
                                            </div>
                                          </div>
                                          <blockquote type="cite">
                                            <div>
                                              <div>
                                                <div dir="ltr">Hi,
                                                  <div><br>
                                                  </div>
                                                  <div>I have been
                                                    playing around with
                                                    role inducements and
                                                    found some issue,
                                                    need some quick help
                                                    as inducements are
                                                    quite important for
                                                    our solution.</div>
                                                  <div><br>
                                                  </div>
                                                  <div><u>Issue:</u>
                                                    Inducement updates
                                                    are not propagated
                                                    properly to User
                                                    after
                                                    reconciliation.</div>
                                                  <div><br>
                                                  </div>
                                                  <div><u>Details:</u>
                                                    When a user is
                                                    assigned a role
                                                    having a resource
                                                    inducement, the user
                                                    gets appropriate
                                                    accounts and induced
                                                    group memberships.
                                                    Now, changes to some
                                                    attributes in role
                                                    inducements are not
                                                    propagated after
                                                    reconciling the user.</div>
                                                  <div><br>
                                                  </div>
                                                  <div><u>Steps
                                                      Followed:</u></div>
                                                  <div>- I added an
                                                    LDAP resource
                                                    inducement in a
                                                    new Role. I
                                                    provided some
                                                    attributes
                                                    like LdapGroups,
                                                    Host, and
                                                    description.<br>
                                                  </div>
                                                  <div>- User is
                                                    assigned to this
                                                    Role. User gets the
                                                    LDAP account,
                                                    appropriate group
                                                    memberships and
                                                    other attributes
                                                    specified in
                                                    inducement (i.e.
                                                    description,
                                                    host (multivalued
                                                    attribute from an
                                                    auxiliary object
                                                    class)). So all good
                                                    till now.</div>
                                                  <div>- Now I updated
                                                    the
                                                    resource inducement,
                                                    for example changed
                                                    the description,
                                                    added a few groups,
                                                    added a few hosts.</div>
                                                  <div>- After
                                                    inducement
                                                    modification I
                                                    reconciled the User,
                                                    and following are
                                                    the results:</div>
                                                  <div>
                                                    <blockquote style="margin:0 0 0 40px;border:none;padding:0px">
                                                      <div>- Group
                                                        membership is
                                                        updated
                                                        appropriately.</div>
                                                    </blockquote>
                                                    <blockquote style="margin:0 0 0 40px;border:none;padding:0px">
                                                      <div>- Description
                                                        is not updated</div>
                                                    </blockquote>
                                                    <blockquote style="margin:0 0 0 40px;border:none;padding:0px">
                                                      <div>- host
                                                        attribute is not
                                                        updated</div>
                                                    </blockquote>
                                                  </div>
                                                  <div><br>
                                                  </div>
                                                  <div>Can you guys
                                                    please check and let
                                                    me know if I am
                                                    doing something
                                                    wrong or is it a
                                                    problem somewhere in
                                                    my resource or some
                                                    other issue with
                                                    midpoint system.</div>
                                                  <div><br>
                                                  </div>
                                                  <div>Regards</div>
                                                  <div>Anand Kothekar</div>
                                                  </div>
                                              </div>
                                            </div>
                                            <pre>_______________________________________________
midPoint-dev mailing list
<a href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><span><font color="#888888">
</font></span></pre>
                                            <span><font color="#888888">
                                              </font></span></blockquote>
                                          <span><font color="#888888"> <br>
                                              <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  _____________________________________________
  "Semper Id(e)M Vix."
</pre>
                                            </font></span></div>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
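<div>The approach suggested in the quoted reply (an extended User attribute plus a strong outbound mapping in resource schema handling), sketched as an added example; it is not from the thread or from the attached role XML. The extension namespace http://example.com/xml/ns/midpoint/ext, the prefix ext and the extension item name host are assumptions, as is the midPoint 3.x style source path; the ri and mr namespaces are the ones quoted in the thread.</div>

```xml
<!-- 1) User schema extension (assumed namespace and item name).
        Gives midPoint a place to remember the host values, so that
        reconciliation has something to enforce on the LDAP account. -->
<xsd:schema elementFormDefault="qualified"
            targetNamespace="http://example.com/xml/ns/midpoint/ext"
            xmlns:tns="http://example.com/xml/ns/midpoint/ext"
            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema">

    <xsd:complexType name="UserExtensionType">
        <xsd:annotation>
            <xsd:appinfo>
                <!-- Attach this extension to the User focal object -->
                <a:extension ref="c:UserType"/>
            </xsd:appinfo>
        </xsd:annotation>
        <xsd:sequence>
            <!-- Multivalued, matching the multivalued LDAP host attribute -->
            <xsd:element name="host" type="xsd:string"
                         minOccurs="0" maxOccurs="unbounded"/>
        </xsd:sequence>
    </xsd:complexType>
</xsd:schema>

<!-- 2) Resource schema handling: the host attribute from the thread,
        now with a source for the mapping. A strength element on its own
        (as in the snippet quoted in the thread) has nothing to derive a
        value from; here the value comes from the extension item above. -->
<attribute xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
           xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3"
           xmlns:ext="http://example.com/xml/ns/midpoint/ext">
    <ref>ri:host</ref>
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <outbound>
        <!-- strong: the mapped values are enforced during reconciliation -->
        <strength>strong</strength>
        <source>
            <!-- assumed path to the extension item defined in part 1 -->
            <path>$user/extension/ext:host</path>
        </source>
    </outbound>
</attribute>
```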