<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi,<br>
    <br>
    <div class="moz-cite-prefix">On 05/03/2016 09:13 AM, Harits Elfahmi
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAG_KPw3TBgJGGboNn8Dpg4CtwS374wCwunO6dkG9JwAyUYhwzg@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi Ivan,
        <div><br>
        </div>
        <div>From what I read, groups and users are saved in the same
          resource in LDAP, so associating them would be as you said. But
          I'm using DatabaseTableConnector, and my roles and users data
          are in separate tables in my database. To connect them to
          midPoint, I created two resources, one that connects to the users
          table, and another that connects to the roles table. Is it
          possible to associate them in midPoint, or is this a
          limitation of the DatabaseTableConnector? </div>
        <div><br>
        </div>
      </div>
    </blockquote>
    <br>
    DBTable connector is currently limited to supporting only one table
    (that's also why its configuration is so simple). The other
    limitations that I know of:<br>
    - it supports only accounts (AccountObjectClass) - if you use
    "accounts" as projection of roles, it works<br>
    - it supports only simple primary keys (not complex ones)<br>
    - it does not support entitlements/associations<br>
    <br>
    I think you have several possibilities:<br>
    <br>
    1) keep using DB Table connector, and on the DB side construct a
    view which will contain the user attributes as well as group
    membership. As DB Table does not really support anything else than
    accounts (everything is "accounts") you may skip using the
    association and just use some multivalue attribute of the account
    (in the DB View) to provision to the groups. I don't remember if I
    tried this recently, and I hope that the connector supports
    multivalue attributes. If this works, it will be the simplest (but
    not prettiest) solution.<br>
    <br>
    You may still need two resources, one for managing accounts
    (including group membership using view attribute) and one for
    managing roles as you originally wanted for synchronizing with
    midPoint roles.<br>
    <br>
    2) try ScriptedSQL connector. You can twist and bend it to support
    any database, any table combination. So it can be configured to
    support entitlements and associations as well. This will require you
    to script the behaviour of the Create/Update/Read/Delete/Search/Schema
    etc. operations (Groovy or JavaScript). One resource will be enough.<br>
    Some samples:
<a class="moz-txt-link-freetext" href="https://github.com/Evolveum/midpoint/tree/master/samples/resources/scriptedsql">https://github.com/Evolveum/midpoint/tree/master/samples/resources/scriptedsql</a><br>
    <br>
    3) create custom DB connector. That's almost the same as
    ScriptedSQL, but compiled (java) and not interpreted, so it should
    be faster.<br>
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Connector+Development+HOWTO">https://wiki.evolveum.com/display/midPoint/Connector+Development+HOWTO</a><br>
    <br>
    [last but not least 4) the DB Table connector can be enhanced for
    multiple-table / entitlement / association support, by contributing
    or sponsoring such feature as documented in
    <a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature">https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a>]<br>
    <br>
    Regards,<br>
    Ivan<br>
    <br>
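    As an added example (not part of any message in this thread), here are
    the schema-handling and synchronization fragments for the separate roles
    resource that option 1 still needs, pulling together the points Ivan made
    earlier in the thread: focusType set to c:RoleType, addFocus as the
    reaction to the unmatched situation, and $focus instead of $user in the
    inbound mapping. Assumed (not from the thread): midPoint 3.x resource
    schema, a roles table exposed through the DB Table connector whose name
    column appears as ri:role_name, and correlation on the role's name.<br>

```xml
<!-- Added example (not from the thread): fragments of the *roles* resource
     for option 1, a second DB Table resource over the roles table.
     Assumes midPoint 3.x schema and a ri:role_name attribute (the roles
     table's name column, as in Harits's association snippet). -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>HR Roles Table (example)</name>
  <!-- connectorRef and connectorConfiguration (JDBC URL, table, key column)
       omitted: they are the usual DB Table connector settings -->

  <schemaHandling>
    <objectType>
      <kind>account</kind>             <!-- DB Table knows only accounts ... -->
      <intent>default</intent>
      <default>true</default>
      <objectClass>ri:AccountObjectClass</objectClass>
      <attribute>
        <ref>ri:role_name</ref>
        <inbound>
          <target>
            <!-- $focus, not $user: the focus of this sync is a RoleType -->
            <path>$focus/name</path>
          </target>
        </inbound>
      </attribute>
    </objectType>
  </schemaHandling>

  <synchronization>
    <objectSynchronization>
      <name>role sync</name>
      <objectClass>ri:AccountObjectClass</objectClass>
      <kind>account</kind>
      <intent>default</intent>
      <!-- ... but the focus they are correlated with is a midPoint role -->
      <focusType>c:RoleType</focusType>
      <enabled>true</enabled>
      <correlation>
        <!-- search RoleType objects whose name equals the row's role_name -->
        <q:equal>
          <q:path>c:name</q:path>
          <expression>
            <path>$account/attributes/ri:role_name</path>
          </expression>
        </q:equal>
      </correlation>
      <reaction>
        <situation>linked</situation>
        <synchronize>true</synchronize>
      </reaction>
      <reaction>
        <!-- a matching role exists but is not linked to this shadow yet -->
        <situation>unlinked</situation>
        <synchronize>true</synchronize>
        <action>
          <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
        </action>
      </reaction>
      <reaction>
        <!-- correlation found no role: create one (addFocus, not "add role") -->
        <situation>unmatched</situation>
        <synchronize>true</synchronize>
        <action>
          <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
        </action>
      </reaction>
    </objectSynchronization>
  </synchronization>
</resource>
```
    <br>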
    <blockquote
cite="mid:CAG_KPw3TBgJGGboNn8Dpg4CtwS374wCwunO6dkG9JwAyUYhwzg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>Thanks</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2016-05-03 13:50 GMT+07:00 Ivan Noris <span
            dir="ltr"><<a moz-do-not-send="true"
              href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Hi,<br>
              <br>
              not sure if I understand how entitlement and account could
              be on different resources. But the answer is -
              associations work only if the entitlements and accounts
              are on the SAME resource.<br>
              <br>
              If you think of entitlements as "groups" (most common
              entitlement on resources), association configuration is
              just an information for midPoint about "how to get all
              account's groups" or "how to provision account's groups".
              That's what direction, associationAttribute and
              valueAttribute are for.<br>
              <br>
              For example in OpenLDAP:<br>
              <pre>
<association>
    <ref>ri:group</ref>
    <displayName>LDAP Group Membership</displayName>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
</association>
</pre>
              <br>
              This means:<br>
              1) midPoint will use "virtual" attribute "ri:group" that
              you can use in mappings (e.g. in roles) to provision to
              OpenLDAP groups<br>
              2) direction=objectToSubject: midPoint will put accounts
              to groups (because group membership works this way in LDAP
              servers and also most other systems)<br>
              3) midPoint will use group's attribute "ri:member" ....<br>
              4) ... and will put the corresponding account's DN ("ri:dn")
              attribute value there<br>
              <br>
              <br>
              What are you trying to achieve?<br>
              <br>
              Regards,<br>
              Ivan
              <div>
                <div class="h5"><br>
                  <br>
                  <div>On 05/03/2016 07:50 AM, Harits Elfahmi wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">Hello Ivan,
                      <div><br>
                      </div>
                      <div>Thanks for your suggestion, it works now. But
                        now I want to associate the entitlement to the
                        account. I use the association example from
                        midpoint GitHub:</div>
                      <div><br>
                      </div>
                      <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><pre>
<association>
    <ref>ri:role_id</ref>
    <displayName>My Role</displayName>
    <kind>entitlement</kind>
    <intent>default</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>icfs:uid</associationAttribute>
    <valueAttribute>ri:role_name</valueAttribute>
</association>
</pre></blockquote>
                      <div> </div>
                      <div>But it causes an error, and my guess is
                        that it's because the entitlements and accounts are in
                        different resources. Is it possible to do the
                        association with another resource? </div>
                      <div><br>
                      </div>
                      <div>Thanks</div>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">2016-05-02 14:02
                          GMT+07:00 Ivan Noris <span dir="ltr"><<a
                              moz-do-not-send="true"
                              href="mailto:ivan.noris@evolveum.com"
                              target="_blank">ivan.noris@evolveum.com</a>></span>:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex">
                            <div text="#000000" bgcolor="#FFFFFF"> Hi
                              Harits,<span><br>
                                <br>
                                <div>On 05/02/2016 08:17 AM, Harits
                                  Elfahmi wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">Hello all,
                                    <div><br>
                                    </div>
                                    <div>I'm trying to sync my role data
                                      from a database table to midPoint
                                      using the GUI. From the docs I get
                                      the impression that the
                                      entitlements and accounts
                                      originate from a single resource,
                                      but since DatabaseTableConnector
                                      connects to a certain table, I
                                      think I need to make another
                                      resource to store entitlement
                                      data. What I don't get is:</div>
                                    <div><br>
                                    </div>
                                    <div>- In Schema Handling what's the
                                      attribute I use in <b>target</b>?
                                      Is it <b>$role/name</b>? I can't
                                      find the reference in the docs</div>
                                  </div>
                                </blockquote>
                                <br>
                              </span> Instead of $user you would use
                              $focus. (It would work for users as well.)<span><br>
                                <br>
                                <blockquote type="cite">
                                  <div dir="ltr">
                                    <div>- In Synchronization, what's
                                      the appropriate reaction? I can't
                                      find <b>add role</b> reaction in
                                      the dropdown list</div>
                                  </div>
                                </blockquote>
                                <br>
                              </span> No, that's connected to the bug
                              you discovered earlier. The proper action
                              is addFocus.<br>
                              <handlerUri><a moz-do-not-send="true"
                                href="http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus"
                                target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</a></handlerUri><br>
                              <br>
                              In order to synchronize resource objects
                              to anything else than users, the following
                              must be added to synchronization settings
                              (I don't know if the wizard supports it):<br>
                              <br>
                              <pre>
...
<objectSynchronization>
    <name>role sync</name>
    <objectClass>ri:AccountObjectClass</objectClass>   <!-- DB Table connector supports only accounts -->
    <kind>account</kind>
    <intent>default</intent>
    <focusType><b>c:RoleType</b></focusType>
    <enabled>true</enabled>
    <correlation>
    ...
    </correlation>
...
</pre>
                              <br>
                              This means that the object will be
                              correlated with Roles, not Users (which is
                              the default). In the correlation expression you
                              will search for Roles and not Users. If
                              the correlation expression returns zero
                              results, the unmatched situation will occur
                              and the action (e.g. addFocus) will be
                              executed. Everything is the same as for
                              users. Just use $focus instead of $user in
                              the inbound mappings.<br>
                              <br>
                              See some of our Generic Synchronization
                              samples such as <a moz-do-not-send="true"
href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-resource-genericsync.xml"
                                target="_blank">https://github.com/Evolveum/midpoint/blob/master/samples/resources/opendj/opendj-resource-genericsync.xml</a>
                              (it's OpenDJ, not DB Table, but you will
                              see the things I mentioned).<br>
                              <br>
                              Also see <a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Generic+Synchronization"
                                target="_blank">https://wiki.evolveum.com/display/midPoint/Generic+Synchronization</a><br>
                              <br>
                              Regards,<br>
                              Ivan<br>
                              <br>
                              <blockquote type="cite"><span>
                                  <div dir="ltr">
                                    <div><br>
                                    </div>
                                    <div>Is it possible to do this? Or
                                      do I need to manually add roles to
                                      midpoint? Please help.</div>
                                    <div><br>
                                    </div>
                                    <div>Thanks</div>
                                    <div>
                                      <div><br>
                                      </div>
                                      -- <br>
                                      <div>
                                        <div dir="ltr">
                                          <div>
                                            <div dir="ltr">
                                              <div>Cheers,</div>
                                              <div><b><br>
                                                </b></div>
                                              <div><b>Harits</b> Elfahmi</div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                  <br>
                                  <fieldset></fieldset>
                                  <br>
                                </span>
                                <pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span><font color="#888888">
</font></span></pre>
                                <span><font color="#888888"> </font></span></blockquote>
                              <span><font color="#888888"> <br>
                                  <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  <a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>                     <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  ___________________________________________________
  "Semper ID(e)M Vix."
</pre>
                                </font></span></div>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
  </body>
</html>