<div dir="ltr"><div>Not sure if this is what you're looking for, but the name of the group in LDAP should be handled in the schema handling section of the connector. I assume you have two entitlements, one for groups and one for users.</div><div><br></div><div>Below is the code I use to map the name of my groups (I found it online and sorry I do not remember where from). The mapping is from dn to name.</div><div><br></div><div><pre><code>&lt;script xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"&gt;
    &lt;code&gt;
    import javax.naming.ldap.Rdn
    import javax.naming.ldap.LdapName

    // Container under which the groups live; 'name' is the midPoint role name (a PolyString)
    dn = new LdapName('ou=Groups,dc=example,dc=com')
    // add() appends the most specific RDN, so the result is cn=ROLE_NAME,ou=Groups,dc=example,dc=com;
    // Rdn escapes DN special characters in the value when the name is rendered
    dn.add(new Rdn('cn', name.toString()))
    return dn.toString()
    &lt;/code&gt;
&lt;/script&gt;</code></pre></div><div><br></div><div>This should take the name of the role in midPoint and use it when forming the dn of the group in LDAP.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jan 15, 2020 at 10:20 AM <<a href="mailto:midpoint-request@lists.evolveum.com">midpoint-request@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send midPoint mailing list submissions to<br>
<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
Message: 1<br>
Date: Wed, 15 Jan 2020 16:19:46 +0100<br>
From: Jan Lievens <<a href="mailto:jan.lievens@biggerfish.be" target="_blank">jan.lievens@biggerfish.be</a>><br>
To: <a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
Subject: [midPoint] LDAP role/group inducement<br>
<br>
Hi,<br>
<br>
I have a question related to inducement construction on a role toward an<br>
LDAP resource.<br>
I have the following situation in midPoint (see the attachment for all the<br>
xml files)<br>
- Accounts and Entitlements (intent: privileges) are imported from a<br>
ScriptedSQL connector.<br>
- These imported entitlements have multiple privileges which are created as<br>
roles with an "assignmentTargetSearch"<br>
(post-initial-objects/210-entitlement-object-template.xml)<br>
- I also have these privilege/roles defined with an assignment to<br>
(multiple) fixed technical roles (kind:entitlement/intent:group).<br>
- Lastly I would like for these technical roles (groups) and the associated<br>
accounts to get synced to LDAP in an objectToSubject fashion. I do this<br>
with inducements and construction tags in<br>
post-initial-objects/100-profiles-webidm.xml.<br>
- The result I get in LDAP is that accounts are synced correctly but the<br>
group names are not what I expect (I expect technical role names<br>
eg. JiraUser) but get the names of the Entitlements (intent:privileges)<br>
defined in the DB.<br>
- Additionally the associations are not synced (no uniqueMember refs are<br>
synced on the LDAP groups).<br>
<br>
Surely I am missing something here. I think this use case is quite standard<br>
(a hierarchy of roles and only the leaves get synced to LDAP).<br>
I have experimented with the order of the inducements but these came out<br>
even more negative (no accounts or groups were created).<br>
I also have experimented with the tolerant setting on the association<br>
(since I find a lot of answers in this mailing list suggesting this) but to<br>
no avail.<br>
It is quite frustrating to be so close to having this use-case implemented<br>
DB->mP->LDAP but failing in the sync to LDAP.<br>
<br>
Kind regards,<br>
-- <br>
Jan Lievens<br>
IT Consultant<br>
Attachment: midpoint-home.zip (application/zip, 25085 bytes)<br>
URL: <<a href="http://lists.evolveum.com/pipermail/midpoint/attachments/20200115/6cf601c2/attachment.zip" rel="noreferrer" target="_blank">http://lists.evolveum.com/pipermail/midpoint/attachments/20200115/6cf601c2/attachment.zip</a>><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr">Keith LeValley<br><div><font face="arial, helvetica, sans-serif">Identity Services Architect</font>, Davenport University</div><div>phone: (616) 732-1102</div><div><a href="mailto:klevalley2@davenport.edu" target="_blank">klevalley2@davenport.edu<br></a></div></div></div></div></div></div></div></div></div>
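The Groovy mapping in the reply above relies on javax.naming.ldap.Rdn to escape the role name before it becomes the leaf of the group DN. The following Python is an added example, not code from the reply or from midPoint: it rebuilds the same cn=ROLE_NAME,ou=Groups,dc=example,dc=com mapping with explicit RFC 4514 escaping and splits the result back into RDNs, which shows what the escaping protects against (a role name containing a comma would otherwise place the group in a different subtree). The base DN is the one assumed in the reply.

```python
# Added example (not from the mailing-list reply): build a group DN from a
# midPoint role name the way the Groovy mapping does, with explicit escaping.

GROUPS_BASE = "ou=Groups,dc=example,dc=com"   # assumed base DN, as in the reply

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    if not value:
        raise ValueError("empty RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")          # leading/trailing space must be escaped
        elif ch == "#" and i == 0:
            out.append("\\#")          # a leading '#' would mean a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)


def group_dn(role_name: str, base: str = GROUPS_BASE) -> str:
    """Equivalent of dn.add(new Rdn('cn', name)) followed by dn.toString()."""
    return "cn=" + escape_rdn_value(role_name) + "," + base


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings, honouring backslash escapes."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escaped pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts
```

Comparing split_dn on an escaped and an unescaped DN for a role name such as "Admins,ou=People" makes the difference visible: the escaped form stays a single cn component under ou=Groups, the unescaped one gains an extra RDN.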