<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Pertti,<br>
</p>
<br>
<div class="moz-cite-prefix">On 11/23/2016 11:57 AM, Pertti
Kellomäki wrote:<br>
</div>
<blockquote cite="mid:1479898629678.53696@datactica.fi" type="cite">
<p>Hi,</p>
<p>Sorry in advance for the amount of inline xml below.<br>
</p>
<p>I am trying to create a setup where midPoint roles create LDAP
groups in a tree of OUs. I am able to create the hierarchy and the
groups, but I am unable to actually make users members of
those groups.<br>
<br>
Studying the unix-ldap story leads me to think that group name
calculation is best performed in the resource configuration XML
file, so that it is easily usable in the membership inducement.
Currently I do the name calculation in a role as follows:<br>
<br>
</p>
</blockquote>
<br>
In 99% of cases we also generate icfs:name (or other naming
attributes) in the resource, so that it works with all roles
defined now and in the future. But the $assignment variable is not
accessible in the resource. (Imagine your user has 10 roles assigned;
from which assignment should the $assignment variable take its data?)<br>
<br>
At least I don't know of any way to access $assignment and
related variables in a resource... :(<br>
<br>
But thinking of group membership: did you configure the resource and
role(s) for associations? Or what have you tried, if the membership
didn't work?<br>
<br>
Ivan<br>
<br>
<blockquote cite="mid:1479898629678.53696@datactica.fi" type="cite">
<pre wrap="">&lt;inducement&gt;
  &lt;construction&gt;
    &lt;resourceRef oid="..." type="c:ResourceType"/&gt;
    &lt;kind&gt;entitlement&lt;/kind&gt;
    &lt;intent&gt;OrgServiceRoleLdapGroup&lt;/intent&gt;
    &lt;attribute&gt;
      &lt;ref&gt;ri:dn&lt;/ref&gt;
      &lt;matchingRule&gt;mr:stringIgnoreCase&lt;/matchingRule&gt;
      &lt;outbound&gt;
        &lt;!-- sources become the script variables "orgRef" and "name" --&gt;
        &lt;source&gt;
          &lt;path&gt;$assignment/orgRef&lt;/path&gt;
        &lt;/source&gt;
        &lt;source&gt;
          &lt;path&gt;$immediateRole/name&lt;/path&gt;
        &lt;/source&gt;
        &lt;expression&gt;
          &lt;script&gt;
            &lt;code&gt;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
import javax.naming.ldap.Rdn;
import javax.naming.ldap.LdapName;

// resolve the org the assignment points to
org = midpoint.getObject(OrgType.class, orgRef.getOid());
// build ou=&lt;org&gt;,ou=&lt;first word of role name&gt;,cn=viewer under the base
dn = new LdapName('ou=Roles,dc=kapa,dc=local');
dn.add(new Rdn('ou', org.getName().getOrig()));
dn.add(new Rdn('ou', name.toString().split(' ')[0]));
dn.add(new Rdn('cn', 'viewer'));
return dn.toString();
            &lt;/code&gt;
          &lt;/script&gt;
        &lt;/expression&gt;
      &lt;/outbound&gt;
    &lt;/attribute&gt;
  &lt;/construction&gt;
&lt;/inducement&gt;
</pre>
<p>The corresponding (kind, intent) pair in the resource
configuration is</p>
<pre wrap="">&lt;objectType&gt;
  &lt;kind&gt;entitlement&lt;/kind&gt;
  &lt;intent&gt;OrgServiceRoleLdapGroup&lt;/intent&gt;
  &lt;displayName&gt;LDAP Group&lt;/displayName&gt;
  &lt;objectClass&gt;ri:groupOfNames&lt;/objectClass&gt;

  &lt;attribute&gt;
    &lt;ref&gt;ri:member&lt;/ref&gt;
    &lt;matchingRule&gt;mr:distinguishedName&lt;/matchingRule&gt;
    &lt;fetchStrategy&gt;minimal&lt;/fetchStrategy&gt;
    &lt;outbound&gt;
      &lt;strength&gt;strong&lt;/strength&gt;
      &lt;!-- Workaround - groupOfNames MUST have at least one
           member. Even non-existent DN. --&gt;
      &lt;expression&gt;
        &lt;value&gt;cn=dummy,o=whatever&lt;/value&gt;
      &lt;/expression&gt;
    &lt;/outbound&gt;
  &lt;/attribute&gt;
  &lt;attribute&gt;
    &lt;ref&gt;ri:description&lt;/ref&gt;
    &lt;outbound&gt;
      &lt;source&gt;
        &lt;path&gt;description&lt;/path&gt;
      &lt;/source&gt;
    &lt;/outbound&gt;
  &lt;/attribute&gt;
  &lt;configuredCapabilities&gt;
    &lt;cap:pagedSearch&gt;
      &lt;cap:defaultSortField&gt;ri:uid&lt;/cap:defaultSortField&gt;
    &lt;/cap:pagedSearch&gt;
  &lt;/configuredCapabilities&gt;
  &lt;dependency&gt;
    &lt;kind&gt;generic&lt;/kind&gt;
    &lt;intent&gt;serviceOu&lt;/intent&gt;
    &lt;strictness&gt;relaxed&lt;/strictness&gt;
  &lt;/dependency&gt;
&lt;/objectType&gt;
</pre>
<p>If I naively cut the ri:dn attribute from the inducement in the
role and paste it as an attribute in the above objectType, I get
an error message complaining:<br>
<br>
"No variable with name assignment in source definition in
mapping in outbound mapping for {.../resource/instance-3}dn in
<a class="moz-txt-link-freetext" href="resource:46515c38-7fd3-41ec-bbef-42756fa19845(LDAP)">resource:46515c38-7fd3-41ec-bbef-42756fa19845(LDAP)</a>"<br>
<br>
My question is: can I somehow access the assignment from an
outbound mapping in the resource configuration? Or do I perhaps
need some kind of mediating mapping in the role?</p>
<br>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
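<p>The association-based setup Ivan asks about, as an added example that is not code from this thread or from Evolveum. It keeps the resource generic (the account DN is computed from the user, with no $assignment) and moves the group lookup into the role, where $assignment and $immediateRole are available; the group-creating entitlement inducement from the post stays in the role unchanged. Assumed, not taken from the post: the resource OID placeholder, the account intent <code>default</code>, the association name <code>ri:group</code>, the account object class and people OU, and the <code>q:</code> query namespace declared on the root elements.</p>

```xml
<!-- Added example (not from the thread or from Evolveum). Fragment (1) is the
     account objectType for the resource's schemaHandling; fragment (2) is a role
     inducement that grants membership through the association. -->

<!-- (1) resource: schemaHandling/objectType for accounts -->
<objectType xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <kind>account</kind>
  <intent>default</intent>                                  <!-- assumed intent -->
  <objectClass>ri:inetOrgPerson</objectClass>               <!-- assumed class -->
  <!-- Naming attribute generated in the resource from the user alone, so every
       role works with it and no assignment data is needed here. -->
  <attribute>
    <ref>ri:dn</ref>
    <outbound>
      <source>
        <path>$user/name</path>
      </source>
      <expression>
        <script>
          <code>'uid=' + basic.norm(name) + ',ou=People,dc=kapa,dc=local'</code>
        </script>
      </expression>
    </outbound>
  </attribute>
  <!-- Membership as an association: midPoint writes the account's ri:dn into
       ri:member of the chosen group object (direction objectToSubject). -->
  <association>
    <ref>ri:group</ref>                                     <!-- assumed name -->
    <kind>entitlement</kind>
    <intent>OrgServiceRoleLdapGroup</intent>                <!-- from the post -->
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
    <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
  </association>
</objectType>

<!-- (2) role: membership inducement; $assignment and $immediateRole exist here -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>Org service viewer</name>
  <inducement>
    <construction>
      <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <association>
        <ref>ri:group</ref>
        <outbound>
          <source>
            <path>$assignment/orgRef</path>
          </source>
          <source>
            <path>$immediateRole/name</path>
          </source>
          <expression>
            <associationTargetSearch>
              <filter>
                <q:equal>
                  <q:path>attributes/ri:dn</q:path>
                  <expression>
                    <script>
                      <code>
// Same DN the post builds when creating the group, reused to find it
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType
import javax.naming.ldap.LdapName
import javax.naming.ldap.Rdn

org = midpoint.getObject(OrgType.class, orgRef.getOid())
dn = new LdapName('ou=Roles,dc=kapa,dc=local')
dn.add(new Rdn('ou', org.getName().getOrig()))
dn.add(new Rdn('ou', name.toString().split(' ')[0]))
dn.add(new Rdn('cn', 'viewer'))
return dn.toString()
                      </code>
                    </script>
                  </expression>
                </q:equal>
              </filter>
              <!-- search the resource when the group is not in the repository yet -->
              <searchStrategy>onResourceIfNeeded</searchStrategy>
            </associationTargetSearch>
          </expression>
        </outbound>
      </association>
    </construction>
  </inducement>
</role>
```

<p>The split answers the "10 roles" point directly: the resource never needs to know which assignment it is serving, because each role computes its own group DN and hands midPoint the group to link, and midPoint then maintains <code>ri:member</code> on that group itself rather than a role writing the attribute. Because the account object type is what carries the association, membership is also visible in midPoint's shadow data, which is what an access review or a drift check over group membership should read, instead of the raw group attribute.</p>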
</body>
</html>