<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Anand,<br>
<br>
I have experimented a little with a similar setup.<br>
<br>
First, I took one of my customer roles, which works. I added two
attribute mappings to the role construction for the OpenDJ resource,
such as:<br>
<br>
<attribute><br>
<ref>ri:preferredLanguage</ref><br>
<outbound><br>
<b><strength>strong</strength></b><br>
<expression><br>
<value>sk</value><br>
</expression><br>
</outbound><br>
</attribute><br>
<br>
<attribute><br>
<ref>ri:carLicense</ref><br>
<outbound><br>
<b><strength>strong</strength></b><br>
<expression><br>
<value>XXX</value><br>
</expression><br>
</outbound><br>
</attribute><br>
<br>
I already had a user with this role assigned, so after I
reimported the role definition (because I've changed the XML file
with my role), I edited the user, checked the "reconcile"
checkbox, and saved. After saving, the user surely had both attributes
(preferredLanguage and carLicense) set to the predefined values. Before
the save, the values were not defined for that OpenDJ account, as
they were never part of that role before.<br>
<br>
Next I edited the role again through Configure - Repository objects
and changed the values (e.g. preferredLanguage to "en" and
carLicense to "YYY"). Then I edited the same user, checked the
"reconcile" checkbox and saved. After saving, the preferredLanguage
was set to "en" and carLicense had two values (both the original and
the new "YYY" because it's a multivalue field).<br>
<br>
Later I just made another change in the attribute value and it still
worked.<br>
<br>
So it seems to be working as it should. <b>But</b>, while testing,
I discovered <a class="moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-2194">https://jira.evolveum.com/browse/MID-2194</a>. The symptom
is as follows: whenever you edit a role through the GUI, the strength for
attributes is lost. It's enough just to edit+save a role using the Role
editor. Configure - Repository objects (XML editor) is fine.<br>
<br>
When I look at your role export, there is <b>no strength</b> for
any of the attributes in outbound mappings. I believe it might be
caused by the bug I've just reported. So please, either edit the
role using Repository objects XML editor until we fix it; or please
create the roles as XML files and import them to midPoint. It should
be ok if you export your existing roles and fix them in XML files
and then reimport.<br>
<br>
Best regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 02/02/2015 04:24 PM, Anand Kothekar
wrote:<br>
</div>
<blockquote
cite="mid:CAHUT-CQHJ6ch+XouKrgmnTs8f2rgVq_Ma71C0Xnb0g79pJfT0A@mail.gmail.com"
type="cite">
<div dir="ltr">Hi,
<div><br>
<div>As per our discussion I tried to give the <strength>
tag in the role but it didn't work for me.</div>
</div>
<div><br>
</div>
<div>Basically we had two host attribute values in inducement
and member user also had the same host membership, then after
modifying the inducement I reconciled the user but no change
in host attribute of user's ldap account.</div>
<div><br>
</div>
<div>I have attached the sample role xml, please have a look and
let me know if I am doing anything wrong.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Anand Kothekar</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Jan 23, 2015 at 3:15 PM, Ivan
Noris <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Anand,<br>
<br>
please see inline:<span class=""><br>
<br>
<div>On 01/23/2015 06:17 AM, Anand Kothekar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>First of all, the LDAP connector supports Auxiliary
object classes. I have tested it and it works for
me.</div>
<div><br>
</div>
<div>Secondly, the host attribute is defined in
resource schema and I have added it in Schema
Handling but I do not have any outbound mapping
right now (quite usual for our requirement, most
of the resources have such attributes that cannot
be mapped to any focal object in midpoint).</div>
<div><br>
</div>
<div>Is it possible that I can map whatever user has
entered (instead of mapping the host or any other
attribute to midpoint's focal object) to target
resource attribute in outbound mapping?</div>
</div>
</blockquote>
<br>
</span> If user enters the value in the form, you don't
need mappings.<br>
Mappings are used to set the target attribute value
according to some other attribute value or expression.<br>
<br>
Some example:<br>
If you need to copy user/givenName attribute value to
LDAP's sn attribute, you need outbound mapping in resource
schema handling.<br>
If you need to generate LDAP's sn attribute value by
taking user/givenName attribute value and (for example)
lowercase all attributes and remove diacritics, you need
outbound mapping in resource schema handling.<br>
If you want the user to set the LDAP's host attribute to
user-defined-value, i.e. in the GUI form, manually, you
don't need any mapping for this attribute. If user enters
the value manually, provisioning will store the value to
the resource. It is NOT remembered in midPoint. There is
no expression how to derive the value, thus no mapping.
And midPoint has no way of forcing the attribute value to
contain the user defined value during the reconciliation,
because the user defined value is stored only on LDAP, not
in midPoint. When outbound mappings are used, the target
attribute value can be derived from some source
attribute(s)/expressions, so midPoint can enforce these
values.<br>
<br>
Maybe there is another way how to achieve what you need if
I understand it correctly. Define an extended attribute in
User (by extending schema) and let the user set/modify
this extended attribute. Then you can have schema handling
mapping in resource, and you can thus use strong mapping
strength.<br>
<br>
Best regards,<br>
Ivan
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>My concern is that there is no way in the UI to
set the strength, and doing it at policy level is
quite unmanageable (resource is one but
inducement will be thousands). </div>
<div><br>
</div>
<div>So just to summarize </div>
<div>- we want this to be done at resource level.</div>
<div>
<blockquote style="margin:0 0 0
40px;border:none;padding:0px">
<div>- i think it is achievable if we can
define outbound mapping so that user
entered value is mapped to target attribute.</div>
<div><br>
</div>
<div><br>
</div>
</blockquote>
Thanks</div>
<div>Anand</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Jan 22, 2015 at
8:36 PM, Ivan Noris <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
<br>
as you have the mapping in role, not in
resource, you should have the mapping set as
strong for "host" attribute in <b>all</b>
applicable roles (that are setting this
attribute).<br>
<br>
There will be no configuration in resource,
because there is no mapping for that
attribute at the resource level. The
strength always applies to the mapping
definition.<br>
<br>
You mentioned that this is auxiliary object
class. Not sure if the LDAP connector
supports such classes...<br>
<br>
Regards,<br>
I.
<div>
<div><br>
<br>
<div>On 01/22/2015 03:49 PM, Anand
Kothekar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>Yes, the host attribute will be
entered by the user who is
managing the midpoint or it will
be populated in inducement of a
role by our custom code . It will
never be automated to get the
value from any focus object like
User.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks</div>
<div>Anand</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Jan
22, 2015 at 7:56 PM, Ivan Noris <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF"> Hi Anand,<br>
<br>
can you please be more precise
about "value entered by user"?<br>
Do you mean that the host
and/or(?) description
attributes are expected to be
managed by the user who is
editing the user in midPoint,
on the right side of User
details in Accounts part? Are
these expected to be set
always explicitly by the user?
No automation from midpoint
user attributes?<br>
<br>
Thanks,<br>
I.
<div>
<div><br>
<br>
<div>On 01/22/2015 02:03
PM, Anand Kothekar
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan,
<div><br>
</div>
<div>Thanks for your
inputs.</div>
<div><br>
</div>
<div>I tried it by
adding this
constraint in
inducement itself
and it worked but I
want to do this at
resource level.</div>
<div><br>
</div>
<div>I tried adding
the same in resource
but the thing is I
do not have any
outbound mapping
defined for these
attributes (as I use
the value entered by
user ) now if I add
only strength
property in outbound
it gives me Error.</div>
<div><br>
</div>
<div>Can you help me
with pointing to the
right kind of
mapping I need to
do.</div>
<div><br>
</div>
<div>Here is the host
attribute snippet
from my resource: </div>
<div>
<div>
<attribute></div>
<div>
<ref xmlns:ri="<a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>">ri:host</ref></div>
<div>
<matchingRule
xmlns:mr="<a
moz-do-not-send="true"
href="http://prism.evolveum.com/xml/ns/public/matching-rule-3"
target="_blank">http://prism.evolveum.com/xml/ns/public/matching-rule-3</a>">mr:stringIgnoreCase</matchingRule></div>
<div>
<outbound></div>
<div>
<strength>strong</strength></div>
<div>
</outbound></div>
<div>
</attribute></div>
</div>
<div><br>
</div>
<div>I need to know
how I can map value
entered by user.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,<br>
</div>
<div>Anand Kothekar</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div
class="gmail_quote">On
Thu, Jan 22, 2015 at
5:52 PM, Ivan Noris
<span dir="ltr"><<a
moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0
0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div
text="#000000"
bgcolor="#FFFFFF">
Hi Anand,<br>
<br>
can you please
define the
mappings for
description and
host attributes
as strong?<br>
<br>
Something like:<br>
<br>
<attribute><br>
<ref>ri:description</ref><br>
<outbound><br>
<b>
<strength>strong</strength></b><b><br>
</b>. . .<br>
</outbound><br>
</attribute><br>
Then run the
reconciliation
again please.<br>
<br>
If you already
have this
configured and
it does not
work, please
share the
attribute
mappings here.<br>
<br>
Regards,<br>
I.
<div>
<div><br>
<br>
<div>On
01/20/2015
11:15 AM,
Anand Kothekar
wrote:<br>
</div>
</div>
</div>
<blockquote
type="cite">
<div>
<div>
<div dir="ltr">Hi,
<div><br>
</div>
<div>I have
been playing
around with
role
inducements
and found some
issue, need
some quick
help as
inducements
are quite
important for
our solution.</div>
<div><br>
</div>
<div><u>Issue:</u>
Inducement
updates are
not propagated
properly to
User after
reconciliation.</div>
<div><br>
</div>
<div><u>Details:</u>
When a user is assigned a role having a resource inducement,
the user gets appropriate accounts and induced group memberships.
Now, changes to some attributes in role inducements are not
propagated after reconciling the user.</div>
<div><br>
</div>
<div><u>Steps
Followed:</u></div>
<div>- I added an ldap resource inducement in a new Role.
I provided some attributes like LdapGroups, Host, and description.<br>
</div>
<div>- User is assigned to this Role. User gets the ldap account,
appropriate group memberships and other attributes specified in
inducement (i.e. description, host (multivalued attribute from
an Auxiliary object class)). So all good till now.</div>
<div>- Now I updated the Resource inducement, for example
changed the description, added a few groups, added a few hosts.</div>
<div>- After
inducement
modification I
reconciled the
User, and
following are
the results:</div>
<div>
<blockquote
style="margin:0
0 0
40px;border:none;padding:0px">
<div>- Group
membership is
updated
appropriately.</div>
</blockquote>
<blockquote
style="margin:0
0 0
40px;border:none;padding:0px">
<div>-
Description is
not updated</div>
</blockquote>
<blockquote
style="margin:0
0 0
40px;border:none;padding:0px">
<div>- host
attribute is
not updated</div>
</blockquote>
</div>
<div><br>
</div>
<div>Can you
guys please
check and let
me know if I
am doing
something
wrong or is it
a problem
somewhere in
my resource or
some other
issue with
midpoint
system.</div>
<div><br>
</div>
<div>Regards</div>
<div>Anand
Kothekar</div>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
midPoint-dev mailing list
<a moz-do-not-send="true" href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><span><font color="#888888">
</font></span></pre>
<span><font
color="#888888">
</font></span></blockquote>
<span><font
color="#888888">
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
evolveum.com evolveum.com/blog/
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</body>
</html>