<div dir="ltr">Hi,<div><br><div>As per our discussion I tried to give &lt;strength&gt; tag in role but it didn't work for me.</div></div><div><br></div><div>Basically we had two host attribute values in inducement and member user also had the same host membership, then after modifying the inducement I reconciled the user but no change in host attribute of user's ldap account.</div><div><br></div><div>I have attached the sample role xml, please have a look and let me know if I am doing anything wrong.</div><div><br></div><div><br></div><div><br></div><div>Thanks,</div><div>Anand Kothekar</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 23, 2015 at 3:15 PM, Ivan Noris <span dir="ltr">&lt;<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi Anand,<br>
<br>
please see inline:<span class=""><br>
<br>
<div>On 01/23/2015 06:17 AM, Anand Kothekar
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>First of all Ldap connector supports Auxiliary object
classes. I have tested it and it works for me.</div>
<div><br>
</div>
        <div>Secondly, the host attribute is defined in resource schema
          and I have added it in Schema Handling but I do not have any
          outbound mapping right now (quite usual for our requirement,
          most of the resources have such attributes that cannot be
          mapped to any focal object in midpoint).</div>
<div><br>
</div>
        <div>Is it possible that I can map whatever user has entered
          (instead of mapping the host or any other attribute to
          midpoint's focal object) to target resource attribute in
          outbound mapping?</div>
</div>
</blockquote>
<br></span>
If user enters the value in the form, you don't need mappings.<br>
    Mappings are used to set the target attribute value according to some
other attribute value or expression.<br>
<br>
Some example:<br>
If you need to copy user/givenName attribute value to LDAP's sn
attribute, you need outbound mapping in resource schema handling.<br>
If you need to generate LDAP's sn attribute value by taking
user/givenName attribute value and (for example) lowercase all
attributes and remove diacritics, you need outbound mapping in
resource schema handling.<br>
If you want the user to set the LDAP's host attribute to
user-defined-value, i.e. in the GUI form, manually, you don't need
any mapping for this attribute. If user enters the value manually,
provisioning will store the value to the resource. It is NOT
remembered in midPoint. There is no expression how to derive the
value, thus no mapping. And midPoint has no way of forcing the
attribute value to contain the user defined value during the
reconciliation, because the user defined value is stored only on
LDAP, not in midPoint. When outbound mappings are used, the target
attribute value can be derived from some source
    attribute(s)/expressions, so midPoint can enforce these values.<br>
<br>
Maybe there is another way how to achieve what you need if I
understand it correctly. Define an extended attribute in User (by
extending schema) and let the user set/modify this extended
attribute. Then you can have schema handling mapping in resource,
and you can thus use strong mapping strength.<br>
<br>
Best regards,<br>
Ivan<div><div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
            <div>What my concern is there is no way in UI to set the
              strength and doing it at policy level is quite
              unmanageable (resource is one but inducement will be
              thousands).</div>
<div><br>
</div>
<div>So just to summarize </div>
<div>- we want this to be done at resource level.</div>
<div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
                <div>- I think it is achievable if we can define outbound
                  mapping so that user entered value is mapped to target
                  attribute.</div>
<div><br>
</div>
<div><br>
</div>
</blockquote>
Thanks</div>
<div>Anand</div>
<div><br>
</div>
            </div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Jan 22, 2015 at 8:36 PM, Ivan
              Noris <span dir="ltr">&lt;<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
<br>
as you have the mapping in role, not in resource, you
should have the mapping set as strong for "host" attribute
in <b>all</b> applicable roles (that are setting this
attribute).<br>
<br>
There will be no configuration in resource, because there
is no mapping for that attribute at the resource level.
The strength always applies to the mapping definition.<br>
<br>
You mentioned that this is auxiliary object class. Not
sure if the LDAP connector supports such classes...<br>
<br>
Regards,<br>
I.
<div>
<div><br>
<br>
<div>On 01/22/2015 03:49 PM, Anand Kothekar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
                        <div>Yes, the host attribute will be entered by
                          the user who is managing the midpoint or it will
                          be populated in inducement of a role by our
                          custom code. It will never be automated to get
                          the value from any focus object like User.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks</div>
<div>Anand</div>
<div><br>
</div>
<div><br>
</div>
                        </div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Jan 22, 2015 at
                          7:56 PM, Ivan Noris <span dir="ltr">&lt;<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi
Anand,<br>
<br>
can you please be more precise about "value
entered by user"?<br>
Do you mean that the host and/or(?)
description attributes are expected to be
managed by the user who is editing the user
in midPoint, on the right side of User
details in Accounts part? Are these expected
to be set always explicitly by the user? No
automation from midpoint user attributes?<br>
<br>
Thanks,<br>
I.
<div>
<div><br>
<br>
<div>On 01/22/2015 02:03 PM, Anand
Kothekar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan,
<div><br>
</div>
<div>Thanks for your inputs.</div>
<div><br>
</div>
<div>I tried it by adding this
constraint in inducement itself
and it worked but I want to do
this at resource level.</div>
<div><br>
</div>
                                    <div>I tried adding the same in
                                      resource but the thing is I do not
                                      have any outbound mapping defined
                                      for these attributes (as I use the
                                      value entered by user). Now if I
                                      add only the strength property in
                                      outbound, it gives me an error.</div>
<div><br>
</div>
<div>Can you help me with pointing
to the right kind of mapping I
need to do.</div>
<div><br>
</div>
<div>Here is the host attribute
snippet from my resource: </div>
<div>
                                      <div>&lt;attribute&gt;</div>
                                      <div>&nbsp;&nbsp;&lt;ref xmlns:ri="<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>"&gt;ri:host&lt;/ref&gt;</div>
                                      <div>&nbsp;&nbsp;&lt;matchingRule xmlns:mr="<a href="http://prism.evolveum.com/xml/ns/public/matching-rule-3" target="_blank">http://prism.evolveum.com/xml/ns/public/matching-rule-3</a>"&gt;mr:stringIgnoreCase&lt;/matchingRule&gt;</div>
                                      <div>&nbsp;&nbsp;&lt;outbound&gt;</div>
                                      <div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;strength&gt;strong&lt;/strength&gt;</div>
                                      <div>&nbsp;&nbsp;&lt;/outbound&gt;</div>
                                      <div>&lt;/attribute&gt;</div>
</div>
<div><br>
</div>
<div>I need to know how I can map
value entered by user.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,<br>
</div>
<div>Anand Kothekar</div>
<div><br>
</div>
                                    </div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Jan
                                      22, 2015 at 5:52 PM, Ivan Noris <span dir="ltr">&lt;<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi Anand,<br>
<br>
can you please define the
mappings for description and
host attributes as strong?<br>
<br>
Something like:<br>
<br>
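                                          &lt;attribute&gt;<br>
                                          &nbsp;&nbsp;&lt;ref&gt;ri:description&lt;/ref&gt;<br>
                                          &nbsp;&nbsp;&lt;outbound&gt;<br>
                                          &nbsp;&nbsp;&nbsp;&nbsp;<b>&lt;strength&gt;strong&lt;/strength&gt;</b><br>
                                          &nbsp;&nbsp;&nbsp;&nbsp;. . .<br>
                                          &nbsp;&nbsp;&lt;/outbound&gt;<br>
                                          &lt;/attribute&gt;<br>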
Then run the reconciliation
again please.<br>
<br>
If you already have this
configured and it does not
work, please share the
attribute mappings here.<br>
<br>
Regards,<br>
I.
<div>
<div><br>
<br>
<div>On 01/20/2015 11:15
AM, Anand Kothekar
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi,
<div><br>
</div>
<div>I have been
playing around with
role inducements and
found some issue,
need some quick help
as inducements are
quite important for
our solution.</div>
<div><br>
</div>
<div><u>Issue:</u>
Inducement updates
are not propagated
properly to User
after
reconciliation.</div>
<div><br>
</div>
                                                <div><u>Details:</u>
                                                  When a user is assigned
                                                  a role having a resource
                                                  inducement, User gets
                                                  appropriate accounts and
                                                  induced group memberships.
                                                  Now, changes to some
                                                  attributes in role
                                                  inducements are not
                                                  propagated after
                                                  reconciling User.</div>
<div><br>
</div>
<div><u>Steps
Followed:</u></div>
                                                <div>- I added an
                                                  LDAP resource
                                                  inducement in a
                                                  new Role. I
                                                  provided some
                                                  attributes
                                                  like LdapGroups,
                                                  Host, and
                                                  description.<br>
</div>
<div>- User is
assigned to this
Role. User gets the
ldap account,
appropriate group
memberships and
other attributes
specified in
                                                  inducement (i.e.
                                                  description, host
                                                  (multivalued
                                                  attribute from an
                                                  Auxiliary object
                                                  class)). So all good
                                                  till now.</div>
                                                <div>- Now I updated
                                                  the
                                                  Resource inducement,
                                                  for example changed
                                                  the description,
                                                  added a few groups,
                                                  added a few hosts.</div>
<div>- After
inducement
modification I
reconciled the User,
and following are
the results:</div>
<div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div>- Group
membership is
updated
appropriately.</div>
</blockquote>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div>- Description
is not updated</div>
</blockquote>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div>- host
attribute is not
updated</div>
</blockquote>
</div>
<div><br>
</div>
<div>Can you guys
please check and let
me know if I am
doing something
wrong or is it a
problem somewhere in
my resource or some
other issue with
midpoint system.</div>
<div><br>
</div>
<div>Regards</div>
<div>Anand Kothekar</div>
                                              </div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
midPoint-dev mailing list
<a href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><span><font color="#888888">
</font></span></pre>
<span><font color="#888888">
</font></span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
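<div>The thread discusses two places where a strong mapping for ri:host can be defined: in the inducement of every role that sets the attribute, or once in the resource schema handling, fed from an extended user attribute. The configuration below is an added illustration of both, not the attached role XML and not Evolveum's own sample; the OIDs, object names, host values and the ext namespace and property are placeholders, and the resource shows only its schemaHandling part.</div>

```xml
<!-- Added illustration: OIDs, names, host values and the ext namespace are placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
         xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3"
         xmlns:ext="http://example.com/xml/ns/midpoint/extension">
    <!-- Placement 1: the value lives in the role, so the strength goes on the
         inducement's own mapping, in every role that sets ri:host. -->
    <role oid="00000000-0000-0000-0000-000000000001">
        <name>Example LDAP host access</name>
        <inducement>
            <construction>
                <resourceRef oid="00000000-0000-0000-0000-000000000002" type="ResourceType"/>
                <kind>account</kind>
                <attribute>
                    <ref>ri:host</ref>
                    <outbound>
                        <strength>strong</strength>
                        <expression>
                            <value>host-a.example.com</value>
                            <value>host-b.example.com</value>
                        </expression>
                    </outbound>
                </attribute>
            </construction>
        </inducement>
    </role>

    <!-- Placement 2: the value lives in a user extension property (assumed name
         ext:host), so one resource-level mapping has a source to derive from.
         Connector reference, configuration, schema and objectClass are omitted. -->
    <resource oid="00000000-0000-0000-0000-000000000002">
        <name>Example LDAP</name>
        <schemaHandling>
            <objectType>
                <kind>account</kind>
                <attribute>
                    <ref>ri:host</ref>
                    <matchingRule>mr:stringIgnoreCase</matchingRule>
                    <outbound>
                        <strength>strong</strength>
                        <source>
                            <path>$user/extension/ext:host</path>
                        </source>
                    </outbound>
                </attribute>
            </objectType>
        </schemaHandling>
    </resource>
</objects>
```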