<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Anand,<br>
<br>
for Scenario 1, please try this:<br>
<br>
<pre><attribute>
    <ref xmlns:qn546="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn546:host</ref>
    <b><tolerant>false</tolerant></b>
    <outbound>
        <strength>strong</strength>
        <expression>
            <value>host1</value>
            <value>host2</value>
            <!-- <value>host3</value> -->
        </expression>
    </outbound>
</attribute></pre>
<br>
This will tell midPoint that when reconciling, all values not
provisioned by midPoint should be removed.<br>
The default is tolerant=true, so midPoint can add/remove values when
changes are processed.<br>
<br>
I'm thinking about Scenario 2 and will let you know.<br>
<br>
Regards,<br>
Ivan<br>
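<br>
The following is an added example, not part of this thread and not midPoint's own code: a simplified Python model of the rules described above (strong mappings enforce their values on reconciliation, tolerant=false removes values that no mapping produced, tolerant=true leaves them), run over constructed snippets of Role1's host mapping before and after host3 is dropped. Names such as reconcile and parse_attribute are the example's own.<br>

```python
"""Simplified model of how mapping strength and the tolerant flag decide what
a reconciliation does to one multivalued resource attribute (the LDAP "host"
attribute from this thread). Teaching model written for this thread, not
midPoint's own code. Rules encoded, as described in the thread:
  * strong mappings enforce their values on every reconciliation;
    weak/normal mappings are not enforced here (simplification);
  * tolerant=true (midPoint's default) keeps values on the resource that no
    mapping produced; tolerant=false removes them.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Mapping:
    values: frozenset          # values listed under <expression>
    strength: str = "normal"   # "weak" | "normal" | "strong"

@dataclass
class Delta:
    add: set = field(default_factory=set)
    delete: set = field(default_factory=set)

def parse_attribute(xml_text):
    """Read <tolerant> and the outbound mapping from an <attribute> snippet
    shaped like those in the thread (constructed; no default namespace)."""
    root = ET.fromstring(xml_text)
    tolerant = root.findtext("tolerant", "true").strip().lower() == "true"
    out = root.find("outbound")
    strength = out.findtext("strength", "normal").strip()
    values = frozenset(v.text.strip() for v in out.findall("expression/value"))
    return tolerant, Mapping(values, strength)

def reconcile(current, mappings, tolerant=True):
    """Delta a reconciliation applies. `mappings` holds every outbound mapping
    for the attribute from all applicable roles (strength is set per mapping,
    as Ivan notes, not once per resource)."""
    current = set(current)
    produced = set().union(*(m.values for m in mappings))
    enforced = set().union(*(m.values for m in mappings if m.strength == "strong"))
    delta = Delta(add=enforced - current)
    if not tolerant:
        delta.delete = current - produced   # values midPoint did not provision
    return delta

def apply_delta(current, delta):
    return (set(current) | delta.add) - delta.delete

# Constructed snippets: Role1's host mapping before and after host3 is dropped.
ROLE1_V1 = """<attribute><ref>qn546:host</ref><outbound><strength>strong</strength>
<expression><value>host1</value><value>host2</value><value>host3</value></expression>
</outbound></attribute>"""
ROLE1_V2 = """<attribute><ref>qn546:host</ref>{tol}<outbound><strength>strong</strength>
<expression><value>host1</value><value>host2</value></expression></outbound></attribute>"""

def scenario_1(tolerant_element=""):
    """Provision from ROLE1_V1, then reconcile against ROLE1_V2, optionally
    carrying a <tolerant> element. Returns (ldap before, delta, ldap after)."""
    tol, m = parse_attribute(ROLE1_V1)
    ldap = apply_delta(set(), reconcile(set(), [m], tol))
    tol, m = parse_attribute(ROLE1_V2.format(tol=tolerant_element))
    delta = reconcile(ldap, [m], tol)
    return ldap, delta, apply_delta(ldap, delta)

if __name__ == "__main__":
    for tol in ("", "<tolerant>false</tolerant>"):
        before, delta, after = scenario_1(tol)
        print(f"{tol or 'default tolerant':<27} {sorted(before)} -> "
              f"delete {sorted(delta.delete)} -> {sorted(after)}")
```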
<br>
<br>
<br>
<blockquote
cite="mid:CAHUT-CTXPY44-NqibSX_HgBon+oMkH6=PioMYtY7dVR9618jRg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
<div>Adding new attributes is working fine, but when you try to delete any of the attributes it's not getting reflected in LDAP.</div>
<div><br>
</div>
<div><br>
</div>
<div><b><u>Scenario 1</u></b> :-</div>
<div><br>
</div>
<div> 1. Role1 had an OpenLDAP account as an inducement. The induced account also had the attributes host1, host2, host3.</div>
<div><br>
</div>
<div> 2. Now Role1 was assigned to a user and the user got the OpenLDAP account as well as host1, host2, host3 as expected. The entry was added in LDAP also. </div>
<div><br>
</div>
<div> 3. <pre><attribute>
    <ref xmlns:qn546="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn546:host</ref>
    <outbound>
        <strength>strong</strength>
        <expression>
            <value>host1</value>
            <value>host2</value>
            <value>host3</value>
        </expression>
    </outbound>
</attribute></pre></div>
<div><br>
</div>
<div><br>
</div>
<div> 4. The host3 attribute was deleted from the Role1 XML and the user reconciled. The <strength> tag was still present.</div>
<div><br>
</div>
<div> 5. The host3 attribute was not removed from LDAP.</div>
<div><br>
</div>
<div> 6. The host3 attribute is not getting deleted from the OpenLDAP account (midPoint) which the user got due to the inducement. If we try to remove the attribute from the OpenLDAP account, the attribute is getting deleted from LDAP as well.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><b><u>Scenario 2</u></b> :-</div>
<div><br>
</div>
<div> 1. Role1 has an LDAP account with attributes host1, host2, host3 as an inducement.</div>
<div><br>
</div>
<div> 2. And Role2 has Role1 as an inducement.</div>
<div><br>
</div>
<div> 3. Role2 is then assigned to the user.</div>
<div><br>
</div>
<div> 4. The user gets all the host attributes as well as the OpenLDAP account with attributes host1, host2, host3.</div>
<div><br>
</div>
<div> 5. Now when you unassign Role1 from Role2 and reconcile the user, the LDAP account (midPoint) is not getting removed and the attributes host1, host2, host3 are still present for the user.
</div>
<div><br>
</div>
<div> </div>
<div> Please assist me with the proper solution.</div>
<div> </div>
<div><br>
</div>
<div><br>
</div>
<div>Regards</div>
<div>Anand Kothekar</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Feb 3, 2015 at 1:57 PM, Ivan
Noris <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> .. I have just checked your sample once again. You DO have strength=strong for the inducement mapping; I was looking a few lines above, at the assignments part.<br>
<br>
Can you please check anyway whether the strength is still there (using Configuration - Repository objects) and whether your testing scenario is somehow different from mine?<br>
<br>
Thanks,<br>
Ivan
<div>
<div><br>
<br>
<div>On 02/03/2015 09:23 AM, Ivan Noris wrote:<br>
</div>
<blockquote type="cite"> Hi Anand,<br>
<br>
I have experimented a little with a similar setup.<br>
<br>
First, I took one of my customer roles, which works. I added two attribute mappings to the role construction for the OpenDJ resource, such as:<br>
<br>
<pre><attribute>
    <ref>ri:preferredLanguage</ref>
    <outbound>
        <b><strength>strong</strength></b>
        <expression>
            <value>sk</value>
        </expression>
    </outbound>
</attribute>

<attribute>
    <ref>ri:carLicense</ref>
    <outbound>
        <b><strength>strong</strength></b>
        <expression>
            <value>XXX</value>
        </expression>
    </outbound>
</attribute></pre>
I already had a user with this role assigned, so after I reimported the role definition (because I had changed the XML file with my role), I edited the user, checked the "reconcile" checkbox, and saved. After saving, the user surely had both attributes (preferredLanguage and carLicense) set to the predefined values. Before the save, the values were not defined for that OpenDJ account, as they were never part of that role before.<br>
<br>
Next I edited the role again through Configure - Repository objects and changed the values (e.g. preferredLanguage to "en" and carLicense to "YYY"). Then I edited the same user, checked the "reconcile" checkbox and saved. After saving, preferredLanguage was set to "en" and carLicense had two values (both the original and the new "YYY", because it's a multivalue field).<br>
<br>
Later I just made another change in the attribute value and it still worked.<br>
<br>
So it seems to be working as it should. <b>But</b>, while testing, I discovered <a moz-do-not-send="true" href="https://jira.evolveum.com/browse/MID-2194" target="_blank">https://jira.evolveum.com/browse/MID-2194</a>. The symptom is as follows: whenever you edit a role through the GUI, the strength for attributes is lost. It's enough just to edit and save the role using the Role editor. Configure - Repository objects (XML editor) is fine.<br>
<br>
When I look at your role export, there is <b>no strength</b> for any of the attributes in the outbound mappings. I believe it might be caused by the bug I've just reported. So please either edit the role using the Repository objects XML editor until we fix it, or create the roles as XML files and import them into midPoint. It should be OK if you export your existing roles, fix them in XML files and then reimport.<br>
<br>
Best regards,<br>
Ivan<br>
<br>
<div>On 02/02/2015 04:24 PM, Anand Kothekar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
<div>As per our discussion I tried to give the <strength> tag in the role but it didn't work for me.</div>
</div>
<div><br>
</div>
<div>Basically we had two host attribute values in the inducement and the member user also had the same host membership; then after modifying the inducement I reconciled the user, but there was no change in the host attribute of the user's LDAP account.</div>
<div><br>
</div>
<div>I have attached the sample role XML, please have a look and let me know if I am doing anything wrong.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Anand Kothekar</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Jan 23, 2015
at 3:15 PM, Ivan Noris <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi
Anand,<br>
<br>
please see inline:<span><br>
<br>
<div>On 01/23/2015 06:17 AM, Anand
Kothekar wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan
<div><br>
</div>
<div>First of all, the LDAP connector supports auxiliary object classes. I have tested it and it works for me.</div>
<div><br>
</div>
<div>Secondly, the host attribute is defined in the resource schema and I have added it in schema handling, but I do not have any outbound mapping right now (quite usual for our requirement; most of the resources have such attributes that cannot be mapped to any focal object in midPoint).</div>
<div><br>
</div>
<div>Is it possible that I can map whatever the user has entered (instead of mapping the host or any other attribute to midPoint's focal object) to the target resource attribute in an outbound mapping?</div>
</div>
</blockquote>
<br>
</span> If the user enters the value in the form, you don't need mappings.<br>
Mappings are used to set the target attribute value according to some other attribute value or expression.<br>
<br>
Some examples:<br>
If you need to copy the user/givenName attribute value to LDAP's sn attribute, you need an outbound mapping in the resource schema handling.<br>
If you need to generate LDAP's sn attribute value by taking the user/givenName attribute value and (for example) lowercase all attributes and remove diacritics, you need an outbound mapping in the resource schema handling.<br>
If you want the user to set LDAP's host attribute to a user-defined value, i.e. in the GUI form, manually, you don't need any mapping for this attribute. If the user enters the value manually, provisioning will store the value to the resource. It is NOT remembered in midPoint. There is no expression for how to derive the value, thus no mapping. And midPoint has no way of forcing the attribute value to contain the user-defined value during reconciliation, because the user-defined value is stored only in LDAP, not in midPoint. When outbound mappings are used, the target attribute value can be derived from some source attribute(s)/expressions, so midPoint can enforce these values.<br>
<br>
Maybe there is another way to achieve what you need, if I understand it correctly. Define an extended attribute in User (by extending the schema) and let the user set/modify this extended attribute. Then you can have a schema handling mapping in the resource, and you can thus use strong mapping strength.<br>
<br>
Best regards,<br>
Ivan
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>My concern is that there is no way in the UI to set the strength, and doing it at policy level is quite unmanageable (the resource is one but the inducements will be thousands). </div>
<div><br>
</div>
<div>So just to summarize: </div>
<div>- we want this to be done at the resource level.</div>
<div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>- I think it is achievable if we can define an outbound mapping so that the user-entered value is mapped to the target attribute.</div>
<div><br>
</div>
<div><br>
</div>
</blockquote>
Thanks</div>
<div>Anand</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu,
Jan 22, 2015 at 8:36 PM, Ivan
Noris <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
<br>
as you have the mapping in the role, not in the resource, you should have the mapping set as strong for the "host" attribute in <b>all</b> applicable roles (that are setting this attribute).<br>
<br>
There will be no configuration in the resource, because there is no mapping for that attribute at the resource level. The strength always applies to the mapping definition.<br>
<br>
You mentioned that this is an auxiliary object class. Not sure if the LDAP connector supports such classes...<br>
<br>
Regards,<br>
I.
<div>
<div><br>
<br>
<div>On 01/22/2015
03:49 PM, Anand
Kothekar wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>Yes, the host attribute will be entered by the user who is managing midPoint, or it will be populated in the inducement of a role by our custom code. It will never be automated to get the value from any focus object like User.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks</div>
<div>Anand</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Thu, Jan 22,
2015 at 7:56 PM,
Ivan Noris <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi Anand,<br>
<br>
can you please be more precise about "value entered by user"?<br>
Do you mean that the host and/or(?) description attributes are expected to be managed by the user who is editing the user in midPoint, on the right side of User details, in the Accounts part? Are these expected to always be set explicitly by the user? No automation from midPoint user attributes?<br>
<br>
Thanks,<br>
I.
<div>
<div><br>
<br>
<div>On
01/22/2015
02:03 PM,
Anand Kothekar
wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">Hi Ivan,
<div><br>
</div>
<div>Thanks for your inputs.</div>
<div><br>
</div>
<div>I tried it by adding this constraint in the inducement itself and it worked, but I want to do this at the resource level.</div>
<div><br>
</div>
<div>I tried adding the same in the resource, but the thing is I do not have any outbound mapping defined for these attributes (as I use the value entered by the user); now if I add only the strength property in outbound it gives me an error.</div>
<div><br>
</div>
<div>Can you help me by pointing to the right kind of mapping I need to do?</div>
<div><br>
</div>
<div>Here is the host attribute snippet from my resource: </div>
<div>
<pre><attribute>
    <ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:host</ref>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
    <outbound>
        <strength>strong</strength>
    </outbound>
</attribute></pre>
</div>
<div><br>
</div>
<div>I need to know how I can map the value entered by the user.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,<br>
</div>
<div>Anand Kothekar</div>
<div><br>
</div>
</div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Thu, Jan 22,
2015 at 5:52
PM, Ivan Noris
<span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com"
target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi Anand,<br>
<br>
can you please define the mappings for the description and host attributes as strong?<br>
<br>
Something like:<br>
<br>
<pre><attribute>
    <ref>ri:description</ref>
    <outbound>
        <b><strength>strong</strength></b>
        . . .
    </outbound>
</attribute></pre>
Then run the reconciliation again please.<br>
<br>
If you already have this configured and it does not work, please share the attribute mappings here.<br>
<br>
Regards,<br>
I.
<div>
<div><br>
<br>
<div>On
01/20/2015
11:15 AM,
Anand Kothekar
wrote:<br>
</div>
</div>
</div>
<blockquote
type="cite">
<div>
<div>
<div dir="ltr">Hi,
<div><br>
</div>
<div>I have been playing around with role inducements and found an issue; I need some quick help, as inducements are quite important for our solution.</div>
<div><br>
</div>
<div><u>Issue:</u> Inducement updates are not propagated properly to the user after reconciliation.</div>
<div><br>
</div>
<div><u>Details:</u> When a user is assigned a role having a resource inducement, the user gets the appropriate accounts and induced group memberships. Now changes to some attributes in role inducements are not propagated after reconciling the user.</div>
<div><br>
</div>
<div><u>Steps Followed:</u></div>
<div>- I added an LDAP resource inducement in a new role. I provided some attributes like LdapGroups, Host, and description.<br>
</div>
<div>- The user is assigned to this role. The user gets the LDAP account, appropriate group memberships and other attributes specified in the inducement (i.e. description, host (a multivalued attribute from an auxiliary object class)). So all good till now.</div>
<div>- Now I updated the resource inducement, for example changed the description, added a few groups, added a few hosts.</div>
<div>- After the inducement modification I reconciled the user, and the following are the results:</div>
<div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>- Group membership is updated appropriately.</div>
</blockquote>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>- Description is not updated</div>
</blockquote>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>- host attribute is not updated</div>
</blockquote>
</div>
<div><br>
</div>
<div>Can you guys please check and let me know if I am doing something wrong, or whether it is a problem somewhere in my resource or some other issue with the midPoint system.</div>
<div><br>
</div>
<div>Regards</div>
<div>Anand Kothekar</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
midPoint-dev mailing list
<a moz-do-not-send="true" href="mailto:midPoint-dev@lists.evolveum.com" target="_blank">midPoint-dev@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint-dev" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint-dev</a><span><font color="#888888">
</font></span></pre>
<span><font
color="#888888">
</font></span></blockquote>
<span><font
color="#888888">
<br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
evolveum.com evolveum.com/blog/
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</body>
</html>