<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head><body text="#000000" bgcolor="#FFFFFF">Hi Keith,<br>
<br>
This is a quick and probably too short answer, but maybe this will point
you in the right direction.<br>
<br>
I've set up the LDAP Group MetaRole to take care of this automatically.
This MetaRole is ASSIGNED to the Role and should create the actual
role/group in LDAP. I have found that after I import a Role into
midPoint, AND BEFORE adding anyone to that Role, I should Reconcile the
Role. This creates the group in LDAP and populates it with a dummy
placeholder since some LDAP servers don't like groups with zero members.<br>
<br>
Please see these pages for more info:<br>
<a class="moz-txt-link-freetext" href="https://evolveum.com/simplifying-ldap-group-management-using-midpoint/">https://evolveum.com/simplifying-ldap-group-management-using-midpoint/</a><br>
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Roles,+Metaroles+and+Generic+Synchronization">https://wiki.evolveum.com/display/midPoint/Roles,+Metaroles+and+Generic+Synchronization</a><br>
<br>
Also be sure that you've set up your LDAP Resource with the
&lt;objectType&gt;-&lt;kind&gt;ENTITLEMENT, and the &lt;association&gt;
section. These must be configured correctly for group creation and
membership to function correctly.<br>
<br>
(Side note: I'm not sure which LDAP server you're using, but if it's
OpenLDAP, you'll need/want to have the memberOf overlay added into
OpenLDAP.)<br>
<br>
I hope this helps.<br>
Brad <br>
<br>
<br>
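[Editor's added example, not part of Brad's or Keith's message and not Evolveum's own sample: one way the two pieces Brad describes fit together in midPoint 3.x/4.x-era XML. The resource OID, the metarole OID, the <code>dc=example,dc=com</code> suffix, the intent names <code>default</code>/<code>ldapGroup</code>, the use of <code>groupOfNames</code>, and the placeholder member DN are all assumptions; connector configuration is omitted. The entitlement <code>objectType</code> and the account-side <code>association</code> live in the resource; the metarole's first inducement creates the group, and its order-2 inducement gives every holder of a business role an account that is a member of that group. The <code>shortcut*</code> attributes only work when the server maintains <code>memberOf</code>, which is the OpenLDAP overlay Brad mentions.]<br>

```xml
<!-- Added illustration, not code from the mailing-list thread or from Evolveum.
     Assumed: resource OID ...0003, metarole OID ...0010, suffix dc=example,dc=com,
     intents "default" (accounts) and "ldapGroup" (groups), groupOfNames groups. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

  <!-- 1. Resource: schemaHandling fragment only; connectorConfiguration omitted. -->
  <resource oid="10000000-0000-0000-0000-000000000003">
    <name>LDAP (example)</name>
    <schemaHandling>

      <!-- Account side. The association names the entitlement type below and the
           LDAP attributes that carry membership (member on the group entry). -->
      <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <objectClass>ri:inetOrgPerson</objectClass>
        <attribute>
          <ref>ri:dn</ref>
          <outbound>
            <source><path>$focus/name</path></source>
            <expression>
              <script><code>basic.composeDnWithSuffix('uid', name, 'ou=people,dc=example,dc=com')</code></script>
            </expression>
          </outbound>
        </attribute>
        <association>
          <ref>ri:group</ref>
          <kind>entitlement</kind>
          <intent>ldapGroup</intent>
          <!-- objectToSubject: the group (object) entry lists its members (subjects) -->
          <direction>objectToSubject</direction>
          <associationAttribute>ri:member</associationAttribute>
          <valueAttribute>ri:dn</valueAttribute>
          <!-- Shortcut: read memberships from the account's memberOf instead of
               searching groups. Requires memberOf to exist (OpenLDAP memberOf overlay). -->
          <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
          <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
          <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
        </association>
      </objectType>

      <!-- Entitlement side: one LDAP group per midPoint role. -->
      <objectType>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
        <objectClass>ri:groupOfNames</objectClass>
        <attribute>
          <ref>ri:dn</ref>
          <outbound>
            <source><path>$focus/name</path></source>
            <expression>
              <script><code>basic.composeDnWithSuffix('cn', name, 'ou=groups,dc=example,dc=com')</code></script>
            </expression>
          </outbound>
        </attribute>
        <!-- Assumed placeholder handling: a weak mapping seeds one member so the
             groupOfNames entry can be created before anyone holds the role.
             Real members are managed through the association above. -->
        <attribute>
          <ref>ri:member</ref>
          <outbound>
            <strength>weak</strength>
            <expression><value>cn=placeholder,ou=groups,dc=example,dc=com</value></expression>
          </outbound>
        </attribute>
      </objectType>
    </schemaHandling>
  </resource>

  <!-- 2. Metarole, ASSIGNED to each business role (e.g. "Avenger").
       Order 1: the role itself gets a group projection on the resource.
       Order 2: every user holding the role gets an account whose ri:group
       association points at that group (associationFromLink). -->
  <role oid="10000000-0000-0000-0000-000000000010">
    <name>LDAP Group Metarole</name>
    <inducement>
      <construction>
        <resourceRef oid="10000000-0000-0000-0000-000000000003" type="ResourceType"/>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
      </construction>
    </inducement>
    <inducement>
      <construction>
        <resourceRef oid="10000000-0000-0000-0000-000000000003" type="ResourceType"/>
        <kind>account</kind>
        <intent>default</intent>
        <association>
          <ref>ri:group</ref>
          <outbound>
            <expression>
              <associationFromLink>
                <projectionDiscriminator>
                  <kind>entitlement</kind>
                  <intent>ldapGroup</intent>
                </projectionDiscriminator>
              </associationFromLink>
            </expression>
          </outbound>
        </association>
      </construction>
      <order>2</order>
    </inducement>
  </role>
</objects>
```

With this layout the "source attribute for member" Keith asks about does not exist as a single role property: membership is derived from the users' assignments, so the account-side association (not an outbound mapping on <code>ri:member</code>) is what populates the group. Reconciling the role after import, as Brad describes, is what pushes the order-1 group projection out before any user is evaluated.<br>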
<span>Keith LeValley wrote on 7/29/19 11:44 AM:</span><br>
<blockquote type="cite"
cite="mid:CAAkzTLwL0Z8FmOLManp+BoP6YDLkkAWv_z94oLgiNZdygkDcHQ@mail.gmail.com">
<div dir="ltr">I am creating a demo to show off Midpoint to some other
IT members and I really would like to show how roles map to LDAP
groups. I am not sure if I'm taking the right approach (if not please
let me know).<div><br></div><div>I started by copying much of the live
demo site, where it has a CSV file that is used to import users into
Midpoint and then an ldap server that does a live sync with users. This
works well, but I really want to also live sync groups.</div><div><br></div><div>So
I created an org chart with some basic orgs and gave those orgs
inducements to roles. This allows me to group several roles into an
org, for instance (yes I am a big nerd) my user cbarton ("Hawkeye") has
both roles "shield agent" and "Avenger". This is working well, but the
last piece that I cannot seem to get to work is how to map those roles
to ldap groups.</div><div><br></div><div>So I have created a schema
handling that scripts the dn of the group, but I do not know what
attribute to use for the source when mapping the member field in ldap
(what attribute in Midpoint defines the members in a role). I apologize
if this is a really long email asking for a very simple answer, but I
wanted to explain my approach in case this is not how I should be doing
this.<br clear="all"><div><br></div>-- <br><div dir="ltr"
class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div
dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Keith LeValley<br><div><font
face="arial, helvetica, sans-serif">Identity Services Architect</font>,
Davenport University</div><div><a
href="mailto:klevalley2@davenport.edu" target="_blank"
moz-do-not-send="true">klevalley2@davenport.edu<br></a></div></div></div></div></div></div></div></div></div>
<br>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body></html>