<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi Martin,<br>
    <br>
    AFAIK the (old) .NET AD connector has a special account attribute
    icfs:groups, which is a list of the groups the account is a member
    of.<br>
    <br>
    So I can imagine something like this (not tried):<br>
    <br>
    1) First you need to import the groups from AD and create midPoint
    roles from them.<br>
    <br>
    2) Then you need an AD resource mapping for storing the
    user-account-groups relation:<br>
    ...<br>
    <attribute><br>
      <ref>icfs:groups</ref><br>
      <displayName>Groups</displayName><br>
      <inbound><br>
        <!-- FIXME expression here if needed to filter the groups --><br>
        <target><br>
          <b><path>$user/extension/adGroups</path></b><br>
        </target><br>
      </inbound><br>
    </attribute><br>
    ...<br>
    The extension attribute adGroups must be defined for UserType as
    multivalue; it will store the list of groups from AD when you run an
    import from that resource.<br>
    <br>
    3) Then you need an object template for UserType which will
    automatically assign the roles (created in step 1) based on the value
    of the extension/adGroups attribute.<br>
    <br>
    <br>
    A very similar (and working) example for an SAP system is here:
<a class="moz-txt-link-freetext" href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/sap/assignment/object-template-user.xml">https://github.com/Evolveum/midpoint/blob/master/samples/resources/sap/assignment/object-template-user.xml</a><br>
    <br>
    The task for importing roles is
    <a class="moz-txt-link-freetext" href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/sap/assignment/task-import-roles.xml">https://github.com/Evolveum/midpoint/blob/master/samples/resources/sap/assignment/task-import-roles.xml</a>,
    using kind:entitlement, intent:roles schema handling expressions
    from the SAP resource.<br>
    <br>
    The SAP resource
    <a class="moz-txt-link-freetext" href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/sap/assignment/sap-advanced.xml">https://github.com/Evolveum/midpoint/blob/master/samples/resources/sap/assignment/sap-advanced.xml</a>
    is used for organization creation (from SAP activity groups) as well
    as for user provisioning and synchronization.<br>
    <br>
    The SAP account attribute with the group list is
    &lt;c:ref&gt;ri:ACTIVITYGROUPS.AGR_NAME&lt;/c:ref&gt;.<br>
    <br>
    The User extension attribute is extension/sapRoles.<br>
    <br>
    The object template for users is
    <a class="moz-txt-link-freetext" href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/sap/assignment/object-template-user.xml">https://github.com/Evolveum/midpoint/blob/master/samples/resources/sap/assignment/object-template-user.xml</a>,
    mapping "User - SAP Role mapping". The SAP groups are represented by
    midPoint organizations and assigned using this template.<br>
    <br>
    Best regards<br>
    Ivan<br>
    <br>
    <div class="moz-cite-prefix">On 05/23/2016 04:54 PM, Martin Herbert
      wrote:<br>
    </div>
    <blockquote
      cite="mid:647E2A18-16E0-4F0F-85D2-180BF7B8A8A6@tahzoo.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <meta name="Title" content="">
      <meta name="Keywords" content="">
      <meta name="Generator" content="Microsoft Word 15 (filtered
        medium)">
      <style><!--
/* Font Definitions */
@font-face
        {font-family:"Courier New";
        panose-1:2 7 3 9 2 2 5 2 4 4;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:Calibri;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Courier;}
span.EmailStyle19
        {mso-style-type:personal;
        font-family:Calibri;
        color:windowtext;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:Calibri;
        color:windowtext;}
span.msoIns
        {mso-style-type:export-only;
        mso-style-name:"";
        text-decoration:underline;
        color:teal;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
      <div class="WordSection1">
        <p class="MsoNormal"><span style="font-size:11.0pt">Hi Radovan,<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">Appreciate
            this is not currently supported but do you happen to have
            any examples or documentation on how we can get this to
            work?  From what I can see, it should just be a case of
            adding a script expression to populate the group membership
            within Midpoint but have as of yet not found any examples of
            that.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">What we’re
            trying to achieve is migrating all of our existing user base
            from an older AD environment to a new one, and wanted to do
            that via Midpoint itself instead of manually creating all
            the users with group assignments.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">Please do
            note though this is using the AD .Net connector, not the
            newer LDAP connector.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <div>
          <div>
            <div>
              <div>
                <p class="MsoNormal"><span
                    style="font-size:10.5pt;color:black">Thanks<o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal"><span
                    style="font-size:10.5pt;color:black">Martin<o:p></o:p></span></p>
              </div>
            </div>
          </div>
        </div>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <div style="border:none;border-top:solid #B5C4DF
          1.0pt;padding:3.0pt 0in 0in 0in">
          <p class="MsoNormal"><b><span style="color:black">From: </span></b><span
              style="color:black">midPoint
              <a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a> on behalf of
              Radovan Semancik <a class="moz-txt-link-rfc2396E" href="mailto:radovan.semancik@evolveum.com"><radovan.semancik@evolveum.com></a><br>
              <b>Reply-To: </b>midPoint General Discussion
              <a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com"><midpoint@lists.evolveum.com></a><br>
              <b>Date: </b>Thursday, 19 May 2016 at 11:16<br>
              <b>To: </b><a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com">"midpoint@lists.evolveum.com"</a>
              <a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com"><midpoint@lists.evolveum.com></a><br>
              <b>Subject: </b>Re: [midPoint] Import AD group membership<o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-family:"Times New
              Roman""><o:p> </o:p></span></p>
        </div>
        <div>
          <div>
            <div>
              <p class="MsoNormal">Hi,<br>
                <br>
                MidPoint has a strong and quite convenient way to
                manage group membership in the outbound direction, which
                means that midPoint is the source of the membership
                information (e.g. defined by roles or orgs) and that
                information is propagated to the resources.<br>
                <br>
                The inbound direction is also possible. But currently it
                is not very convenient and you have to use a lot of
                tricks. The reason that this is not so convenient is
                simple: the existing use-cases of midPoint subscribers
                and sponsors focused on the outbound direction. None of
                the midPoint subscribers or sponsors indicated the
                inbound direction as a priority. Maybe my colleagues can
                provide some hints on how to work around this. But it might
                be a bit scary.<br>
                <br>
                Implementing a convenient way also for the inbound
                direction is something that I would really love to do.
                Currently this is one of the missing pieces in the
                puzzle. But, as usual, this is a question of funding.
                And, as usual, see here:
                <a moz-do-not-send="true"
                  href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature">https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a><br>
                <br>
                However, if I remember correctly, I have seen this
                question several times during the last couple of months. So
                maybe if there are several people willing to donate a
                small sum to have this feature implemented then together
                it can be enough to fund the development of this
                feature? Are there any midPoint subscribers that would
                like to endorse this feature as a priority? Or any
                non-subscribers willing to partially sponsor this
                feature?<br>
                <br>
                <br>
                <o:p></o:p></p>
              <pre>-- <o:p></o:p></pre>
              <pre>Radovan Semancik<o:p></o:p></pre>
              <pre>Software Architect<o:p></o:p></pre>
              <pre>evolveum.com<o:p></o:p></pre>
              <p class="MsoNormal"><br>
                <br>
                On 05/19/2016 11:33 AM, Dick Muller wrote:<o:p></o:p></p>
            </div>
            <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
              <p class="MsoNormal"><span style="font-size:11.0pt">Hi,</span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt">I
                  already saw some mails about importing AD group
                  membership with Aivo Kuhlberg, but I still have
                  problems getting this running.</span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt">Users
                  and Groups created in Midpoint are successfully synced
                  to the AD domain, including group membership.</span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt">But I
                  have a resource domain with a lot of groups and users
                  that I want to import including the group membership.
                  That is working, with the exception of the group
                  membership.</span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt">That
                  is not configured during import.</span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt">If I
                  understand correctly I need to change the User
                  Template. That is what I did, I modified the User
                  template that has a reference with the AD resource and
                  added a mapping for Group membership. I used the
                  object-template in the SAP story as example.</span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt">But
                  still I have no group membership.</span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt">Is
                  there somebody that can help me on this?</span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt">Kind
                  regards,</span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-size:11.0pt">Dick</span><o:p></o:p></p>
              <p class="MsoNormal"><span style="font-family:"Times
                  New Roman""><br>
                  <br>
                  <br>
                  <o:p></o:p></span></p>
              <pre>_______________________________________________<o:p></o:p></pre>
              <pre>midPoint mailing list<o:p></o:p></pre>
              <pre><a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><o:p></o:p></pre>
              <pre><a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></pre>
            </blockquote>
            <p class="MsoNormal" style="margin-bottom:12.0pt"><span
                style="font-family:"Times New Roman""><o:p> </o:p></span></p>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."
</pre>
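    <p>The three steps Ivan sketches above (extension attribute, inbound
    mapping, object template), written out as one configuration example.
    This is an added illustration, not code from the mail thread or from
    the midPoint samples. Assumptions: the extension namespace, the
    <code>MP-</code> group-name prefix used as the filter, the
    <code>roleType</code> value <code>ad-group</code> (which the role
    import task from step 1 would have to set on the roles it creates),
    and that <code>icfs:groups</code> returns plain group names rather
    than DNs; fetch one account shadow from the resource and check the
    attribute values before relying on that last assumption.</p>

```xml
<!-- (1) Extension schema for UserType: declares adGroups as multivalue.
     The target namespace is an assumption for this example. -->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
            targetNamespace="http://example.com/xml/ns/ad-extension"
            elementFormDefault="qualified">
  <xsd:complexType name="UserExtensionType">
    <xsd:annotation>
      <xsd:appinfo>
        <a:extension ref="c:UserType"/>
      </xsd:appinfo>
    </xsd:annotation>
    <xsd:sequence>
      <!-- one value per AD group the account belongs to -->
      <xsd:element name="adGroups" type="xsd:string"
                   minOccurs="0" maxOccurs="unbounded"/>
    </xsd:sequence>
  </xsd:complexType>
</xsd:schema>

<!-- (2) AD resource, schemaHandling/objectType for accounts: inbound
     mapping from icfs:groups to the extension attribute. The script is
     evaluated once per group value ('input'); returning null drops the
     value, so only groups with the assumed "MP-" prefix reach midPoint. -->
<attribute>
  <ref>icfs:groups</ref>
  <displayName>Groups</displayName>
  <inbound>
    <strength>strong</strength>
    <expression>
      <script>
        <code>
          if (input == null) return null
          return input.startsWith('MP-') ? input : null
        </code>
      </script>
    </expression>
    <target>
      <path>$user/extension/adGroups</path>
    </target>
  </inbound>
</attribute>

<!-- (3) UserType object template: turn each adGroups value into an
     assignment of the role created from that group in step 1. The search
     is restricted to roles with roleType "ad-group" (assumed to be set by
     the role import task) so that an AD group whose name happens to match
     a built-in or business role cannot bind to it. -->
<mapping xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <name>User - AD group to role mapping</name>
  <authoritative>true</authoritative>
  <strength>strong</strength>
  <source>
    <path>extension/adGroups</path>
  </source>
  <expression>
    <assignmentTargetSearch>
      <targetType>c:RoleType</targetType>
      <filter>
        <q:and>
          <q:equal>
            <q:path>roleType</q:path>
            <q:value>ad-group</q:value>
          </q:equal>
          <q:equal>
            <q:path>name</q:path>
            <expression>
              <script>
                <code>return adGroups</code>
              </script>
            </expression>
          </q:equal>
        </q:and>
      </filter>
    </assignmentTargetSearch>
  </expression>
  <target>
    <path>assignment</path>
  </target>
</mapping>
```

    <p>Two points worth checking before running this against a real
    domain. With <code>authoritative</code> and <code>strong</code> set,
    removing a user from an AD group removes the corresponding midPoint
    assignment on the next import or reconciliation, which is what you
    want for a migration but also means AD becomes the source of truth for
    those roles. And because <code>assignmentTargetSearch</code> assigns
    whatever matches the filter, keep the <code>roleType</code> (or a
    similar marker) restriction in place: without it, anyone who can create
    or rename groups in the source domain could pick which midPoint role a
    user receives.</p>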
  </body>
</html>