<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello Anton,<br>
<br>
now I perhaps understand your situation a little bit better.
What I was used to seeing was that people extended the
"basic" AD user object with custom attributes, without introducing
separate objectClasses. Neither did I; and although I've seen that
you had mentioned using auxiliary object classes, I have no
experience with them in Active Directory.<br>
<br>
<blockquote type="cite">I was hoping it is possible to override
the objectClasses in the schema handling, but<br>
can't find an example. </blockquote>
If you mean adding auxiliary object classes, then a sample is e.g.
in <a
href="https://github.com/Evolveum/midpoint/blob/master/testing/story/src/test/resources/unix/resource-opendj.xml">testing\story\src\test\resources\unix\resource-opendj.xml</a>
file. However, unfortunately, this is a feature of new LDAP
connector. The ActiveDirectory connector does not support
auxiliary object classes yet.<br>
<br>
<blockquote type="cite">The other option, I guess, would be to use
the custom<br>
schema feature of ObjectClassesExtensionFile, but I have a few
questions on this:<br>
1) Is the objectClass type always Tenant?<br>
</blockquote>
No. The new object class can be anything. "Tenant" was an object
class that was used in a particular customer's setting. <br>
<br>
<blockquote type="cite">
2) Does this add an objectClass in addition of the user class or
instead of the user class?<br>
</blockquote>
In addition to the user class. The existing AccountObjectClass
will be left intact. The new object class will be seen in midPoint as
Custom<b>someName</b>ObjectClass, if the object class is
defined as "someName" in the connector.<br>
<br>
Unfortunately, the connector will not recognize such a class to be
an extension of the AccountObjectClass and will not apply the
standard functionality (written in C#) to manage objects of this
class. <br>
<br>
So, if you would like to use it to manage your users, you would
need either<br>
1) to implement everything in PowerShell, which is quite a lot of
work (given that you would have to implement e.g. exception
handling, and so on),<br>
2) or to do some hacking with custom scripts, like calling
original AD connector to do its part of the work and then manage
specific attributes using PowerShell.<br>
<br>
Neither of these seems to me a "clean solution".<br>
<br>
Overall, we plan to enhance the Active Directory connector with some
of the new features Radovan has recently implemented for the LDAP one.
Auxiliary object class support is among them. But I cannot say
when that will be done. Maybe you could contact Igor Farinic for
options there.<br>
<br>
<blockquote type="cite">
3) How / when are the custom scripts called?<br>
</blockquote>
The custom scripts feature is currently only available in the Exchange
connector, which is a superset of the AD connector, useful mainly if
you also want to manage Exchange objects. (But I think nothing
precludes the use of it in AD-only settings; I hope it no longer
depends on the existence of specific Exchange runtime libraries.)
These scripts are called before, after and/or instead of the "main" C#
code. They can be configured with regard to object class and
operation. E.g. you can define a "Before" script for each "Create"
operation for the "AddressBookList" object class. Or, if you have a
custom object class, you have to define all the operations as
PowerShell custom scripts.<br>
<br>
This is an example of a definition of a custom script:<br>
<pre wrap="">&lt;?xml version="1.0"?&gt;
&lt;ScriptingInfo&gt;

  &lt;OperationInfo&gt;
    &lt;Type&gt;Create&lt;/Type&gt;
    &lt;AfterMain&gt;
      &lt;ObjectType&gt;OfflineAddressBook&lt;/ObjectType&gt;
      &lt;File&gt;after-create-OAB.ps1&lt;/File&gt;
    &lt;/AfterMain&gt;
  &lt;/OperationInfo&gt;

&lt;/ScriptingInfo&gt;
</pre>
<br>
It says that after executing the main C# routine for the Create operation
on an OfflineAddressBook object, the after-create-OAB.ps1 file
(stored in the ConnectorServer directory) will be executed.<br>
Such a script can expect one parameter, called "ctx" (context),
pointing to the following data structure:<br>
<br>
<pre wrap="">public class Context {
    public Connector Connector { get; set; }
    public ActiveDirectoryConfiguration ConnectorConfiguration { get; set; }
    public string OperationName { get; set; }
    public Scripting.Position Position { get; set; }
    public ObjectClass ObjectClass { get; set; }
}
</pre>
<br>
(There are specific contexts for individual operations; see <a
href="https://github.com/Evolveum/openicf/blob/master/connectors/dotnet/ActiveDirectoryConnector/Scripting.cs">https://github.com/Evolveum/openicf/blob/master/connectors/dotnet/ActiveDirectoryConnector/Scripting.cs</a>.)<br>
<blockquote type="cite">
4) Are there examples of how to use the custom schema feature?</blockquote>
Well, the documentation of these new features is still in its
beginnings. I'm afraid the wiki article I mentioned is the only
piece available :(<br>
Maybe someone on this list could provide some examples...<br>
<br>
Overall, the cleanest way (as I currently see it) is to add
support for auxiliary object classes to the standard AD/Exchange
connector.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
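As an added example (not code from this mail or from the connector project), the following Python parses a ScriptingInfo file of the shape shown above and checks that every referenced script is a plain file name, so that it can only resolve inside the ConnectorServer directory the scripts are loaded from. It assumes that any child of OperationInfo other than Type is a script position (the mail shows only AfterMain); the sample XML is constructed, with the mail's entry plus one entry whose File points outside that directory.<br>

```python
# Added example (not connector code): parse a ScriptingInfo file of the
# midPoint AD/Exchange connector and audit what it would execute.  Any
# child of OperationInfo other than Type is treated as a script position.
# SAMPLE_XML is constructed: the entry from the mail, plus one whose File
# would escape the ConnectorServer directory.
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

SAMPLE_XML = """<?xml version="1.0"?>
<ScriptingInfo>
  <OperationInfo>
    <Type>Create</Type>
    <AfterMain>
      <ObjectType>OfflineAddressBook</ObjectType>
      <File>after-create-OAB.ps1</File>
    </AfterMain>
  </OperationInfo>
  <OperationInfo><Type>Update</Type><AfterMain>
    <ObjectType>OfflineAddressBook</ObjectType><File>..\\..\\update-OAB.ps1</File>
  </AfterMain></OperationInfo>
</ScriptingInfo>
"""

def parse_scripting_info(xml_text):
    """Return (operation, position, object_type, file) for each hook."""
    hooks = []
    for op in ET.fromstring(xml_text).findall("OperationInfo"):
        op_type = (op.findtext("Type") or "").strip()
        for pos in op:  # AfterMain in the mail; other positions likewise
            if pos.tag != "Type":
                hooks.append((op_type, pos.tag,
                              (pos.findtext("ObjectType") or "").strip(),
                              (pos.findtext("File") or "").strip()))
    return hooks

def audit_hooks(hooks):
    """Flag incomplete hooks and File values that are not a plain name."""
    findings = []
    for op_type, position, object_type, file_name in hooks:
        path = PureWindowsPath(file_name)
        if not (op_type and object_type and file_name):
            problem = "incomplete hook"
        elif path.is_absolute() or len(path.parts) != 1:
            # a drive, a directory or '..' would leave ConnectorServer
            problem = "File leaves ConnectorServer dir: " + file_name
        else:
            continue
        findings.append((op_type, position, object_type, problem))
    return findings
```
<br>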
<br>
On 6. 7. 2015 14:51, ANTON OPPERMAN wrote:<br>
</div>
<blockquote
cite="mid:16967792.34375.1436187109339.JavaMail.defaultUser@defaultHost"
type="cite">Thx Pavol! That is getting me very close ... <br>
<br>
Took a while to figure out just how to do it; the documentation
can be clearer; e.g. where<br>
the value of ObjectClassesExtensionFile is set and which system it
should be stored on. I<br>
saw a ref in the UI that seemed to allow for this, but this didn't
work for me.<br>
<br>
I have defined my custom schema entries in the AccountObjectClass
section and can<br>
retrieve and set values if my auxiliary objectClass is present on
the user. Obviously<br>
creating an account with schema extension fails as newly created
users will not have<br>
the auxiliary objectClass (yet).<br>
<br>
I was hoping it is possible to override the objectClasses in the
schema handling, but<br>
can't find an example. The other option, I guess, would be to use
the custom<br>
schema feature of ObjectClassesExtensionFile, but I have a few
questions on this:<br>
1) Is the objectClass type always Tenant?<br>
2) Does this add an objectClass in addition of the user class or
instead of the user class?<br>
3) How / when are the custom scripts called?<br>
4) Are there examples of how to use the custom schema feature?<br>
<br>
Thx!<br>
<br>
Regards,<br>
Anton<br>
<br>
<br>
<blockquote style="margin-right: 0px; margin-left:15px;">----Original
message----<br>
From : <a class="moz-txt-link-abbreviated" href="mailto:mederly@evolveum.com">mederly@evolveum.com</a><br>
Date : 02/07/2015 - 15:17 (BST)<br>
To : <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
Subject : Re: [midPoint] Active Directory and custom attributes
& auxiliary objectclass<br>
<br>
<div class="moz-cite-prefix">Hello Anton,<br>
<br>
the AD connector schema can now be extended via configuration.
Please see <a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Extending+AD+and+Exchange+Connector+Schema+HOWTO">https://wiki.evolveum.com/display/midPoint/Extending+AD+and+Exchange+Connector+Schema+HOWTO</a>
for a simple HOWTO.<br>
<br>
However, contrary to what's written there, I would recommend
using the latest versions of AD/Exchange connector and ConnId:<br>
- Exchange Connector: 1.4.1.20283 (<a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Exchange+Connector">https://wiki.evolveum.com/display/midPoint/Exchange+Connector</a>)<br>
- Connector Server: 1.4.0.84 (<a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/.NET+Connector+Server">https://wiki.evolveum.com/display/midPoint/.NET+Connector+Server</a>)<br>
<br>
Also please note that auxiliary object classes are not
supported for AD. What you need to do is to extend the basic
AccountObjectClass (or object class for group/OU) with your
custom attributes.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
On 2. 7. 2015 16:10, <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:midpoint@mybtinternet.com">midpoint@mybtinternet.com</a>
wrote:<br>
</div>
<blockquote
cite="mid:25085999.40778.1435846210242.JavaMail.defaultUser@defaultHost"
type="cite">Hi,<br>
<br>
We intend to manage a number of different directories with
similar data but for populations of users that<br>
must be stored separately. We also have a fairly extensive
number of custom attributes grouped in an<br>
auxiliary objectClass.<br>
<br>
For OpenDJ, I was able to set up the resources and am able to
manage all the custom attributes; e.g.<br>
the connector allows definition of which classes to use.<br>
<br>
Now trying to replicate with AD and have basic AD
provisioning working; however, I don't see similar<br>
options for defining additional objectClasses to use. Have
looked in Jira; all references suggest modifying<br>
objectClasses.xml and building a custom instance of the
connector. I don't see how the custom<br>
objectClass is referenced. Have I missed something?<br>
<br>
As for building a custom instance of the connector; I would
prefer not to do that as:<br>
1) we could run into issues that are related
to our attempt of implementing<br>
2) each time there is a new fix, we would need to go and
retro-fit and rebuild<br>
3) each time we extend the schema, we need to go and
amend and rebuild<br>
<br>
While I may be able to build a custom instance, once this is
handed-over to business-as-usual, they<br>
most certainly will not have the skills to support this.<br>
<br>
Is this still the process to follow at this time, or has
this changed? If not changed, is there a plan to<br>
make the AD adapter configurable in terms of custom schema (like
OpenDJ)? Time-frame?<br>
<br>
Thx<br>
<br>
Regards,<br>
Anton<br>
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
</body>
</html>