<div dir="ltr"><div><div>Hi,</div><div><br></div><div>Using <strength>strong</strength> tag helped me with adding attribute. And let me also tell you that it's working only after you reconcile the user from administrator.</div><div><br></div><div>I was testing the scenario and <strength> tag was never lost in my case.</div><div><br></div><div>Adding new attributes is working fine but when you try to delete any of the attributes, it's not getting reflected in LDAP.</div><div><br></div><div><br></div><div><b><u>Scenario 1</u></b> :-</div><div><br></div><div> 1. Role1 was having OpenLDAP account as an Inducement. Induced Account was also having attributes host1,host2,host3.</div><div><br></div><div><span style="white-space:pre"> </span>2. Now Role1 was assigned to a User and user got the OpenLDAP Account as well as the host1,host2,host3 as expected. Entry added in LDAP also. </div><div><br></div><div> 3. <attribute></div><div> <ref xmlns:qn546="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn546:host</ref></div><div> <outbound></div><div> <strength>strong</strength></div><div> <expression></div><div> <value>host1</value></div><div> <value>host2</value></div><div> <value>host3</value></div><div> </expression></div><div> </outbound></div><div> </attribute></div><div><br></div><div><br></div><div> 4. host3 attribute deleted from Role1 XML and User reconciled. <strength> tag was still present.</div><div><br></div><div> 5. host3 attribute not removed from the LDAP.</div><div><br></div><div> 6. host3 attribute is not getting deleted from OpenLDAP account (midpoint) which user got due to inducement. If we try to remove the attribute from OpenLDAP account, attribute is getting deleted from LDAP as well.</div><div><br></div><div><br></div><div><br></div><div><b><u>Scenario 2</u></b> :-</div><div><br></div><div> 1. Role1 has LDAP account with attributes host1,host2,host3 as inducement.</div><div><br></div><div> 2. And Role2 has Role1 as an inducement.</div><div><br></div><div> 3. Role2 is then assigned to User.</div><div><br></div><div> 4. User gets all the host attributes as well as OpenLDAP A/c with attributes host1,host2,host3.</div><div><br></div><div> 5. Now when you unassign Role1 from Role2 and reconcile User, LDAP a/c (midpoint) is not getting removed and attributes host1,host2,host3 are still present for User. </div><div><br></div><div> </div><div> Please assist me with the proper solution.</div><div> </div><div><br></div><div><br></div><div>Regards</div><div>Anand Kothekar</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 3, 2015 at 1:57 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
.. I have just checked your sample once again. You DO have
strength=strong for inducement mapping, I was looking a few lines
above to the assignments part.<br>
<br>
Can you please check anyway, if the strength is still there (using
Configuration - Repository objects) and if your testing scenario is
somehow different from mine?<br>
<br>
Thanks,<br>
Ivan<div><div><br>
<br>
<div>On 02/03/2015 09:23 AM, Ivan Noris
wrote:<br>
</div>
<blockquote type="cite">
Hi Anand,<br>
<br>
I have experimented a little with similar setup.<br>
<br>
First, I took one of my customer roles, which work. I added two
attribute mappings to the role construction for OpenDJ resource,
such as:<br>
<br>
<attribute><br>
<ref>ri:preferredLanguage</ref><br>
<outbound><br>
<b><strength>strong</strength></b><br>
<expression><br>
<value>sk</value><br>
</expression><br>
</outbound><br>
</attribute><br>
<br>
<attribute><br>
<ref>ri:carLicense</ref><br>
<outbound><br>
<b><strength>strong</strength></b><br>
<expression><br>
<value>XXX</value><br>
</expression><br>
</outbound><br>
</attribute><br>
<br>
I've already had a user with this role assigned, so after I
reimported the role definition (because I've changed the XML file
with my role), I've edited the user and checked "reconcile"
checkbox, and saved. After saving, user surely had both attributes
(preferredLanguage and carLicense) set to predefined values.
Before the save, the values were not defined for that OpenDJ
account, as they were never part of that role before.<br>
<br>
Next I edited the role again through Configure - Repository
objects and changed the values (e.g. preferredLanguage to "en" and
carLicense to "YYY"). Then I edited the same user and checked
"reconcile" checkbox and saved. After saving, the
preferredLanguage was set to "en" and carLicense had two values
(both the original and the new "YYY" because it's multivalue
field).<br>
<br>
Later I just made another change in the attribute value and it
still worked.<br>
<br>
So it seems to be working as it should. <b>But</b>, while
testing, I discovered <a href="https://jira.evolveum.com/browse/MID-2194" target="_blank">https://jira.evolveum.com/browse/MID-2194</a>.
The symptom is as follows: whenever you edit role through GUI, the
strength for attributes is lost. It's enough just to edit+save
role using Role editor. Configure - Repository objects (XML
editor) is fine.<br>
<br>
When I look at your role export, there is <b>no strength</b> for
any of the attributes in outbound mappings. I believe it might be
caused by the bug I've just reported. So please, either edit the
role using Repository objects XML editor until we fix it; or
please create the roles as XML files and import them to midPoint.
It should be ok if you export your existing roles and fix them in
XML files and then reimport.<br>
<br>
Best regards,<br>
Ivan<br>
<br>
<div>On 02/02/2015 04:24 PM, Anand
Kothekar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
<div>As per our discussion I tried to give <strength>
tag in role but it didn't work for me.</div>
</div>
<div><br>
</div>
<div>Basically we had two host attribute values in inducement
and member user also had the same host membership, then
after modifying the inducement I reconciled the user but no
change in host attribute of user's ldap account.</div>
<div><br>
</div>
<div>I have attached the sample role xml, please have a look
and let me know if I am doing anything wrong.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Anand Kothekar</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Jan 23, 2015 at 3:15 PM, Ivan
Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Anand,<br>
<br>
please see inline:<span><br>
<br>
<div>On 01/23/2015 06:17 AM, Anand Kothekar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>First of all Ldap connector supports
Auxiliary object classes. I have tested it and
it works for me.</div>
<div><br>
</div>
<div>Secondly, the host attribute is defined in
resource schema and I have added it in Schema
Handling but I do not have any outbound mapping
right now (quite usual for our requirement, most
of the resources have such attributes that
cannot be mapped to any focal object in
midpoint).</div>
<div><br>
</div>
<div>Is it possible that I can map whatever user
has entered (instead of mapping the host or any
other attribute to midpoint's focal object) to
target resource attribute in outbound mapping.</div>
</div>
</blockquote>
<br>
</span> If user enters the value in the form, you don't
need mappings.<br>
Mappings are used to set the target attribute value
according to some other attribute value or expression.<br>
<br>
Some example:<br>
If you need to copy user/givenName attribute value to
LDAP's sn attribute, you need outbound mapping in
resource schema handling.<br>
If you need to generate LDAP's sn attribute value by
taking user/givenName attribute value and (for example)
lowercase all attributes and remove diacritics, you need
outbound mapping in resource schema handling.<br>
If you want the user to set the LDAP's host attribute to
user-defined-value, i.e. in the GUI form, manually, you
don't need any mapping for this attribute. If user
enters the value manually, provisioning will store the
value to the resource. It is NOT remembered in midPoint.
There is no expression how to derive the value, thus no
mapping. And midPoint has no way of forcing the
attribute value to contain the user defined value during
the reconciliation, because the user defined value is
stored only on LDAP, not in midPoint. When outbound
mappings are used, the target attribute value can be
derived from some source attribute(s)/expressions, so
midPoint can enforce these values.<br>
<br>
Maybe there is another way how to achieve what you need
if I understand it correctly. Define an extended
attribute in User (by extending schema) and let the user
set/modify this extended attribute. Then you can have
schema handling mapping in resource, and you can thus
use strong mapping strength.<br>
<br>
Best regards,<br>
Ivan
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>What my concern is there is no way in UI to
set the strength and doing it at policy level
is quite unmanageable(resource is one but
inducement will be thousands). </div>
<div><br>
</div>
<div>So just to summarize </div>
<div>- we want this to be done at resource
level.</div>
<div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>- I think it is achievable if we can
define outbound mapping so that user
entered value is mapped to target
attribute.</div>
<div><br>
</div>
<div><br>
</div>
</blockquote>
Thanks</div>
<div>Anand</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Jan 22, 2015 at
8:36 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
<br>
as you have the mapping in role, not in
resource, you should have the mapping set
as strong for "host" attribute in <b>all</b>
applicable roles (that are setting this
attribute).<br>
<br>
There will be no configuration in
resource, because there is no mapping for
that attribute at the resource level. The
strength always applies to the mapping
definition.<br>
<br>
You mentioned that this is auxiliary
object class. Not sure if the LDAP
connector supports such classes...<br>
<br>
Regards,<br>
I.
<div>
<div><br>
<br>
<div>On 01/22/2015 03:49 PM, Anand
Kothekar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>Yes, the host attribute will
be entered by the user who is
managing the midpoint or it will
be populated in inducement of a
role by our custom code. It
will never be automated to get
the value from any focus object
like User.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks</div>
<div>Anand</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu,
Jan 22, 2015 at 7:56 PM, Ivan
Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi Anand,<br>
<br>
can you please be more
precise about "value entered
by user"?<br>
Do you mean that the host
and/or(?) description
attributes are expected to
be managed by the user who
is editing the user in
midPoint, on the right side
of User details in Accounts
part? Are these expected to
be set always explicitly by
the user? No automation from
midpoint user attributes?<br>
<br>
Thanks,<br>
I.
<div>
<div><br>
<br>
<div>On 01/22/2015 02:03
PM, Anand Kothekar
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi
Ivan,
<div><br>
</div>
<div>Thanks for your
inputs.</div>
<div><br>
</div>
<div>I tried it by
adding this
constraint in
inducement itself
and it worked but
I want to do this
at resource level.</div>
<div><br>
</div>
<div>I tried adding
the same in
resource but the
thing is I do not
have any outbound
mapping defined
for these
attributes (as I
use the value
entered by user )
now if I add only
strength property
in outbound it
gives me Error.</div>
<div><br>
</div>
<div>Can you help me
with pointing to
the right kind of
mapping I need to
do.</div>
<div><br>
</div>
<div>Here is the
host attribute
snippet from my
resource: </div>
<div>
<div>
<attribute></div>
<div>
<ref
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:host</ref></div>
<div>
<matchingRule
xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule></div>
<div>
<outbound></div>
<div>
<strength>strong</strength></div>
<div>
</outbound></div>
<div>
</attribute></div>
</div>
<div><br>
</div>
<div>I need to know
how I can map
value entered by
user.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,<br>
</div>
<div>Anand Kothekar</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Thu, Jan 22, 2015
at 5:52 PM, Ivan
Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi Anand,<br>
<br>
can you please
define the
mappings for
description
and host
attributes as
strong?<br>
<br>
Something
like:<br>
<br>
<attribute><br>
<ref>ri:description</ref><br>
<outbound><br>
<b>
<strength>strong</strength></b><b><br>
</b>. . .<br>
</outbound><br>
</attribute><br>
Then run the
reconciliation
again please.<br>
<br>
If you already
have this
configured and
it does not
work, please
share the
attribute
mappings here.<br>
<br>
Regards,<br>
I.
<div>
<div><br>
<br>
<div>On
01/20/2015
11:15 AM,
Anand Kothekar
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi,
<div><br>
</div>
<div>I have
been playing
around with
role
inducements
and found some
issue, need
some quick
help as
inducements
are quite
important for
our solution.</div>
<div><br>
</div>
<div><u>Issue:</u>
Inducement
updates are
not propagated
properly to
User after
reconciliation.</div>
<div><br>
</div>
<div><u>Details:</u>
When user is
assigned a
role having a
resource
inducement,
User gets
appropriate
accounts and
induced group
memberships.
Now changing
some
attributes in
role
inducements
are not
propagated
after
reconciling
User.</div>
<div><br>
</div>
<div><u>Steps
Followed:</u></div>
<div>- I added
an ldap
resource
inducement in
a new Role<b>.
</b>I provided
some
attributes
like LdapGroups,
Host, and
description.<br>
</div>
<div>- User is
assigned
to this Role.
User gets the
ldap account,
appropriate
group
memberships and
other
attributes
specified in
inducement
(i.e.
description
,host(multivalued
attribute from
an Auxiliary
object
class)). So
all good till
now.</div>
<div>- Now
I updated the
Resource inducement
for example
changed the
description,
added few
groups, added
few host.</div>
<div>- After
inducement
modification I
reconciled the
User, and
following are
the results:</div>
<div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>- Group
membership is
updated
appropriately.</div>
</blockquote>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>-
Description is
not updated</div>
</blockquote>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>- host
attribute is
not updated</div>
</blockquote>
</div>
<div><br>
</div>
<div>Can you
guys please
check and let
me know if I
am doing
something
wrong or is it
a problem
somewhere in
my resource or
some other
issue with
midpoint
system.</div>
<div><br>
</div>
<div>Regards</div>
<div>Anand
Kothekar</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
midPoint-dev mailing list
<a href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><span><font color="#888888">
</font></span></pre>
<span><font color="#888888">
</font></span></blockquote>
<span><font color="#888888">
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br></div></div>
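<div>The thread turns on whether each outbound mapping in a role inducement still carries <strength>strong</strength> after an edit (see MID-2194 above). The following is an added example, not part of the original messages and not midPoint code: a small audit of an exported role XML that lists every inducement attribute mapping with its strength and static values. The sample role is constructed, its element layout follows the snippets quoted in the thread, and the function names are hypothetical.</div>

```python
import xml.etree.ElementTree as ET

# Constructed sample role export (assumption: not the attachment from the thread).
SAMPLE_ROLE = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>Role1</name>
  <inducement>
    <construction>
      <attribute>
        <ref>ri:host</ref>
        <outbound>
          <strength>strong</strength>
          <expression><value>host1</value><value>host2</value></expression>
        </outbound>
      </attribute>
      <attribute>
        <ref>ri:description</ref>
        <outbound><expression><value>demo</value></expression></outbound>
      </attribute>
    </construction>
  </inducement>
</role>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def child(elem, name):
    """First direct child with the given local name, or None."""
    return next((c for c in elem if local(c.tag) == name), None)


def audit_role(xml_text):
    """Return one dict per outbound attribute mapping found in inducements."""
    root = ET.fromstring(xml_text)
    findings = []
    for ind in (e for e in root.iter() if local(e.tag) == "inducement"):
        for attr in (e for e in ind.iter() if local(e.tag) == "attribute"):
            outbound = child(attr, "outbound")
            if outbound is None:
                continue  # no outbound mapping, so nothing for midPoint to enforce
            ref = child(attr, "ref")
            strength = child(outbound, "strength")
            values = [v.text for v in outbound.iter() if local(v.tag) == "value"]
            findings.append({
                "ref": (ref.text or "").strip() if ref is not None else "",
                "strength": strength.text.strip() if strength is not None and strength.text else None,
                "values": values,
            })
    return findings


def missing_strong(xml_text):
    """Attribute refs whose outbound mapping is not explicitly strong."""
    return [f["ref"] for f in audit_role(xml_text) if f["strength"] != "strong"]
```

<div>Running missing_strong() on a role export before and after an edit in the GUI Role editor shows whether the strength element was dropped by that edit.</div>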