<div dir="ltr">Thanks for the info and explanation!<div><br></div><div><br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr">JASON</div></div></div>
<br><div class="gmail_quote">On Tue, May 3, 2016 at 10:48 AM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi Jason,<br>
<br>
The DatabaseTable is one of the original Sun connectors and it is
ripe for a rewrite. E.g., it obviously originated for use with Sun
IDM (Waveset), where the schema was a secondary thing and account was the
only object class. Now midPoint really relies on a good schema and
we support many object classes. The connector code is difficult to
salvage. In addition to that, the code is CDDL-licensed, which is
quite a big cultural, philosophical and psychological obstacle for
us :-) So we do not have any plans for any substantial development
of the DatabaseTable connector. We would like to rewrite it
completely. Actually, I have even started the rewrite some time ago
(<a href="https://github.com/Evolveum/connector-dbtable" target="_blank">https://github.com/Evolveum/connector-dbtable</a>). But then the plans
for the project for which it was intended changed, which means that
our priorities also changed ...<br>
<br>
Although the representation of multi-value attributes in the relational
data model is not always straightforward, I think we can figure out
something when it eventually comes to the connector rewrite. In the
meantime the scripted DB connector is probably your best option.<br>
<br>
<pre cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre><div><div class="h5">
<br>
<br>
<div>On 05/03/2016 04:39 PM, Jason Everling
wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">"<span style="font-size:12.8px">I hope that the
connector supports the multivalue attributes."</span>
<div><br>
</div>
<div>I could not get multi-value attributes to work in one of
our database table resources. I checked ConnID and OpenICF for
related settings and did not find any. We do, though, use
database views; one of them is actually read/write, so updates
are pushed back to the view.</div>
<div><br>
</div>
<div>If someone does know how to use multi-value attributes in a
database resource, please let me know! If not, eventually I
will need to migrate it to a scripted DB resource.<br>
<div><br>
</div>
<div>JASON</div>
<div class="gmail_extra">
<div>
<div>
<div dir="ltr"><br>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Tue, May 3, 2016 at 2:34 AM,
Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi,<span><br>
<br>
<div>On 05/03/2016 09:13 AM, Harits Elfahmi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Ivan,
<div><br>
</div>
<div>From what I read, groups and users are saved in the same
resource in LDAP, so associating them would be as you said. But I'm
using DatabaseTableConnector, and my roles and users data are in
separate tables in my database. To connect them to midPoint, I
create two resources, one that connects to the users table and
another that connects to the roles table. Is it possible to
associate them in midPoint, or is this a limitation of the
DatabaseTableConnector? </div>
<div><br>
</div>
</div>
</blockquote>
<br>
</span> The DBTable connector is currently limited to
supporting only one table (that's also why its
configuration is so simple). The other limitations
that I know of:<br>
- it supports only accounts (AccountObjectClass) - if
you use "accounts" as projection of roles, it works<br>
- it supports only simple primary keys (not complex
ones)<br>
- it does not support entitlements/associations<br>
<br>
I think you have several possibilities:<br>
<br>
1) keep using the DB Table connector, and on the DB side
construct a view which will contain the user
attributes as well as group membership. As DB Table
does not really support anything other than accounts
(everything is "accounts"), you may skip using the
association and just use some multivalue attribute of
the account (in the DB view) to provision to the
groups. I don't remember if I tried this recently and
I hope that the connector supports multivalue
attributes. If this works, it will be the simplest
(but not prettiest) solution.<br>
<br>
You may still need two resources, one for managing
accounts (including group membership using view
attribute) and one for managing roles as you
originally wanted for synchronizing with midPoint
roles.<br>
<br>
2) try the ScriptedSQL connector. You can twist and bend
it to support any database, any table combination. So
it can be configured to support entitlements and
associations as well. This will require you to script
the behaviour of the Create/Update/Read/Delete/Search/Schema
etc. operations (Groovy or JavaScript). One resource
will be enough.<br>
Some samples:
<a href="https://github.com/Evolveum/midpoint/tree/master/samples/resources/scriptedsql" target="_blank">https://github.com/Evolveum/midpoint/tree/master/samples/resources/scriptedsql</a><br>
<br>
3) create a custom DB connector. That's almost the same
as ScriptedSQL, but compiled (Java) and not
interpreted, so it should be faster.<br>
<a href="https://wiki.evolveum.com/display/midPoint/Connector+Development+HOWTO" target="_blank">https://wiki.evolveum.com/display/midPoint/Connector+Development+HOWTO</a><br>
<br>
[last but not least, 4) the DB Table connector can be
enhanced for multiple-table / entitlement /
association support, by contributing or sponsoring
such a feature as documented in <a href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature" target="_blank">https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a>]<br>
<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>Thanks</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-05-03 13:50
GMT+07:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
<br>
not sure if I understand how the entitlement
and account could be on different
resources. But the answer is:
associations work only if the
entitlements and accounts are on the
SAME resource.<br>
<br>
If you think of entitlements as "groups"
(the most common entitlement on resources),
the association configuration is just
information for midPoint about "how to
get all the account's groups" or "how to
provision the account's groups". That's what
direction, associationAttribute and
valueAttribute are for.<br>
<br>
For example in OpenLDAP:<br>
<br>
<pre><association>
  <ref>ri:group</ref>
  <displayName>LDAP Group Membership</displayName>
  <kind>entitlement</kind>
  <intent>ldapGroup</intent>
  <direction>objectToSubject</direction>
  <associationAttribute>ri:member</associationAttribute>
  <valueAttribute>ri:dn</valueAttribute>
</association></pre>
<br>
This means:<br>
1) midPoint will use the "virtual" attribute
"ri:group" that you can use in mappings
(e.g. in roles) to provision to OpenLDAP
groups<br>
2) direction=objectToSubject: midPoint
will put accounts into groups (because
group membership works this way in LDAP
servers and also most other systems)<br>
3) midPoint will use the group's attribute
"ri:member" ....<br>
4) ... and will put the corresponding
account's DN ("ri:dn") attribute value
there<br>
<br>
<br>
What are you trying to achieve?<br>
<br>
Regards,<br>
Ivan
<div>
<div><br>
<br>
<div>On 05/03/2016 07:50 AM, Harits
Elfahmi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello Ivan,
<div><br>
</div>
<div>Thanks for your suggestion,
it works now. But now I want
to associate the entitlement
with the account. I use the
association example from the
midPoint GitHub:</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><pre><association>
  <ref>ri:role_id</ref>
  <displayName>My Role</displayName>
  <kind>entitlement</kind>
  <intent>default</intent>
  <direction>objectToSubject</direction>
  <associationAttribute>icfs:uid</associationAttribute>
  <valueAttribute>ri:role_name</valueAttribute>
</association></pre></blockquote>
<div> </div>
<div>But it causes an error, and
my guess is that it's because the
entitlements and accounts are
in different resources. Is it
possible to do the association
with another resource? </div>
<div><br>
</div>
<div>Thanks</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-05-02
14:02 GMT+07:00 Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi
Harits,<span><br>
<br>
<div>On 05/02/2016
08:17 AM, Harits
Elfahmi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello
all,
<div><br>
</div>
<div>I'm trying to sync my role data from a database table to
midPoint using the GUI. From the docs I get the impression that
the entitlements and accounts originate from a single resource,
but since DatabaseTableConnector connects to a certain table, I
think I need to make another resource to store entitlement
data. What I don't get is:</div>
<div><br>
</div>
<div>- In Schema Handling, what's the attribute I use in <b>target</b>?
Is it <b>$role/name</b>? I can't find the reference in the docs</div>
</div>
</blockquote>
<br>
</span> Instead of $user you would use $focus.
(It would work for users as well.)<span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>- In Synchronization, what's the appropriate reaction?
I can't find the <b>add role</b> reaction in the dropdown list</div>
</div>
</blockquote>
<br>
</span> No, that's connected to the bug you
discovered earlier. The proper action is addFocus.<br>
<handlerUri><a href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</a></handlerUri><br>
<br>
In order to synchronize resource objects to anything
other than users, the following must be added to the
synchronization settings (I don't know if the wizard
supports it):<br>
<br>
<pre>...
<objectSynchronization>
  <name>role sync</name>
  <objectClass>ri:AccountObjectClass</objectClass><!-- DB Table connector supports only accounts -->
  <kind>account</kind>
  <intent>default</intent>
  <focusType><b>c:RoleType</b></focusType>
  <enabled>true</enabled>
  <correlation>
    ...
  </correlation>
...</pre>
<br>
This means that the object will be correlated
with Roles, not Users (which is the default). In the
correlation expression you will search for
Roles and not Users. If the correlation
expression returns zero results, the unmatched
situation will occur and the action (e.g. addFocus)
will be executed. Everything is the same
as for users. Just use $focus instead of $user
in the inbound mappings.<br>
<br>
See some of our Generic Synchronization samples
such as <a href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-resource-genericsync.xml" target="_blank">https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-resource-genericsync.xml</a>
(it's OpenDJ, not DB Table, but you will see the things I mentioned).<br>
<br>
Also see <a href="https://wiki.evolveum.com/display/midPoint/Generic+Synchronization" target="_blank">https://wiki.evolveum.com/display/midPoint/Generic+Synchronization</a><br>
<br>
Regards,<br>
Ivan<br>
<br>
<blockquote type="cite"><span>
<div dir="ltr">
<div><br>
</div>
<div>Is it possible to do this? Or do I need to manually
add roles to midPoint? Please help.</div>
<div><br>
</div>
<div>Thanks</div>
<div>
<div><br>
</div>
-- <br>
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>Cheers,</div>
<div><b><br>
</b></div>
<div><b>Harits</b> Elfahmi</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</span>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span><font color="#888888">
</font></span></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper ID(e)M Vix."
</pre>
</font></span></div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
</div></div><font size="2"><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is proprietary and
confidential; intended for only the recipient(s) named above and
may contain information that is privileged. You should not
retain, copy or use this e-mail or any attachments for any
purpose, or disclose all or any part of the contents to any
person. Any views or opinions expressed in this e-mail are those
of the author and do not represent those of the Baptist School
of Health Professions. If you have received this e-mail in
error, or are not the named recipient(s), you are hereby
notified that any review, dissemination, distribution or copying
of this communication is prohibited by the sender and to do so
might constitute a violation of the Electronic Communications
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
notify the sender and delete this e-mail and any attachments
from your computer. </font><br><span class="">
<br>
</span></blockquote>
<br>
</div>
<br></blockquote></div><br></div></div>
<br>