<div dir="ltr">So I have put together ours in a similar way, using the assigned orgs to build the distinguishedName and place them in the correct ou/containers, I attached some samples, cleaned up to remove our info,<div><br></div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 26, 2015 at 12:41 PM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hello Anton,<br>
<br>
one of options is to get a list of all the user assignments, and
act on it. In a similar way that I wrote Roman today morning, i.e.<br>
<br>
<tt> <outbound></tt><tt><br>
</tt><tt> <strength>strong</strength></tt><tt><br>
</tt><tt> <source></tt><tt><br>
</tt><tt> <c:path>assignment</c:path></tt><tt><br>
</tt><tt> </source><br>
<source> ....... any other sources, e.g. name, ...
</source><br>
</tt><tt> </tt><tt> <expression></tt><tt><br>
</tt><tt> <script><br>
</tt><tt><tt>
<relativityMode>absolute</relativityMode></tt><tt><br>
</tt> <code><br>
isStaff = false<br>
isAdmin = false<br>
...<br>
</tt><tt><tt> <a href="http://log.info" target="_blank">log.info</a>('assignment = {}',
assignment) // assignment is a PrismContainer</tt><tt><br>
</tt><tt> for (assignmentValue in
assignment.getValues()) {</tt><tt><br>
</tt><tt> <a href="http://log.info" target="_blank">log.info</a>('checking {}',
assignmentValue)</tt><tt><br>
</tt><tt> targetRef =
assignmentValue.asContainerable().getTargetRef()</tt><tt><br>
</tt><tt> if (targetRef?.getOid()?.equals("<font color="#cc0000">....staff role OID.....</font>")) {</tt><tt><br>
isStaff = true<br>
</tt><tt> }</tt><tt> </tt></tt><tt><tt><tt><tt>else
if (targetRef?.getOid()?.equals("<font color="#cc0000">....admin
role OID.....</font>")) {</tt><tt><br>
isAdmin = true<br>
</tt><tt> }<br>
...<br>
}<br>
<br>
... and now construct the DN based on
isStaff, isAdmin etc.<br>
</tt><tt> </tt></tt> </tt><tt> </tt><tt><br>
</tt> </code><br>
</script><br>
</tt><tt> </tt><tt> </expression></tt><br>
<tt> </outbound></tt><tt><br>
</tt><br>
I haven't actually tried it; but it could work.<br>
<br>
Another, and perhaps more elegant, way is to induce some user
properties in the roles. E.g. admin role could put value of
"Admin" to "employeeType" property. It would look like this:<br>
<br>
<tt><role></tt><tt><br>
</tt><tt> <name>admin</name></tt><tt><br>
</tt><tt> <displayName>admin</displayName></tt><tt><br>
</tt><tt> <inducement></tt><tt><br>
</tt><tt> <focusMappings></tt><tt><br>
</tt><tt> <mapping></tt><tt><br>
</tt><tt> <expression></tt><tt><br>
</tt><tt> <value>Admin</value></tt><tt><br>
</tt><tt> </expression></tt><tt><br>
</tt><tt> <target></tt><tt><br>
</tt><tt> <path>employeeType</path></tt><tt><br>
</tt><tt> </target></tt><tt><br>
</tt><tt> </mapping></tt><tt><br>
</tt><tt> </focusMappings></tt><tt><br>
</tt><tt> </inducement></tt><tt><br>
</tt><tt></role></tt><tt><br>
</tt><br>
And then you can use employeeType as just another source when
constructing the user DN. Beware of situations when there would be
more than one employeeType value (e.g. user would be both admin
and let's say manager). Naive implementation of the mapping would
yield to two DN's for the user.<br>
<br>
Maybe someone with more experiences in midPoint deployment (Ivan?)
would improve these options a bit.<br>
<br>
Best regards,<br>
Pavol<div><div class="h5"><br>
<br>
On 26. 6. 2015 19:08, <a href="mailto:midpoint@mybtinternet.com" target="_blank">midpoint@mybtinternet.com</a> wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">Hi,<br>
<br>
I have a role defined with an inducement for an Active Directory
account and am able to successfully<br>
provision a basic account. However, I need the target container
to be variable based on the user's<br>
role; e.g. staff goes to ou=staff,<directory-suffix> and
admin users to ou=admin,<directory-suffix>.<br>
<br>
I was hoping to use ad_container in the role's inducement of the
Active Directory account. The<br>
attempted provisioning fails with "Cannot represent container
value without a parent as containerable".<br>
<br>
Also tried to find, unsuccessfully, references on how to
programatically get the the user's role/s or<br>
assignments and then construct the DN based on values.<br>
<br>
Any suggestions?<br>
<br>
Thx,<br>
Anton<br>
<br>
<br>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>
<br>
<font size="2"><br><br>CONFIDENTIALITY NOTICE:<br>This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </font><br>