<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI Emoji";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Ubuntu;
panose-1:2 11 5 4 3 6 2 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.DefaultFontHxMailStyle
{mso-style-name:"Default Font HxMail Style";
font-family:"Ubuntu",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span class=DefaultFontHxMailStyle>What do you have set for Assignment Policy?<o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle>Go to left menu System > Global account synchronization . Change ' Assignment policy enforcement’ to Full<o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><a href="https://wiki.evolveum.com/display/midPoint/Projection+Policy">https://wiki.evolveum.com/display/midPoint/Projection+Policy</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span class=DefaultFontHxMailStyle>Within the resource, make sure you also have <tolerant>false</tolerant> for the association attribute. Looking at the unix story test it is not set. I believe the default is ‘true’ if not set.<o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle>So from the example files, ‘resource-opendj.xml’ lines 170-194 add </span><span class=DefaultFontHxMailStyle><b><tolerant>false</tolerant> </b>so that it becomes<o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><association><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <ref>ri:ldapGroup</ref><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <displayName>LDAP Group Membership</displayName><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> </span><span class=DefaultFontHxMailStyle><b><tolerant>false</tolerant><o:p></o:p></b></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <kind>entitlement</kind><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <intent>ldapGroup</intent><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <direction>objectToSubject</direction><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <associationAttribute>ri:uniqueMember</associationAttribute><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <valueAttribute>ri:dn</valueAttribute><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <shortcutAssociationAttribute>ri:isMemberOf</shortcutAssociationAttribute><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <shortcutValueAttribute>ri:dn</shortcutValueAttribute><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <explicitReferentialIntegrity>true</explicitReferentialIntegrity><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle></association><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><association><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <ref>ri:unixGroup</ref><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <displayName>UNIX Group Membership</displayName><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> </span><span class=DefaultFontHxMailStyle><b><tolerant>false</tolerant><o:p></o:p></b></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <auxiliaryObjectClass>posixAccount</auxiliaryObjectClass><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <kind>entitlement</kind><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <intent>unixGroup</intent><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <direction>objectToSubject</direction><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <associationAttribute>ri:memberUid</associationAttribute><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <valueAttribute>ri:uid</valueAttribute><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <!-- <valueAttribute>ri:uidNumber</valueAttribute> --><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <explicitReferentialIntegrity>true</explicitReferentialIntegrity><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle></association><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle>You can also set resource specific Projection Policy here instead of using the global, which in our case, we use Positive for Global and resources override accordingly.<o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle>After the </consistency> block, around line 368, you can add<o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><projection><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle> <assignmentPolicyEnforcement>full</assignmentPolicyEnforcement><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle></projection><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='border:none;padding:0in'><b>From: </b><a href="mailto:jan.lievens@biggerfish.be">Jan Lievens</a><br><b>Sent: </b>Tuesday, January 21, 2020 8:50 AM<br><b>To: </b><a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br><b>Subject: </b>Re: [midPoint] LDAP role/group inducement</p></div><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><div><p class=MsoNormal>Hi,</p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>May I also add that I tried this setup with midPoint versions 4.0.1, 4.0 and 3.9 all with the same result (lingering uniqueMember attributes in LDAP).</p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Op di 21 jan. 2020 om 14:47 schreef Jan Lievens <<a href="mailto:jan.lievens@biggerfish.be">jan.lievens@biggerfish.be</a>>:</p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:4.8pt'>Hi all,</p><div><p class=MsoNormal style='margin-left:4.8pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:4.8pt'>I have reduced the complexity of my use case and made it easy to reproduce. Starting from the unix story (<a href="https://wiki.evolveum.com/display/midPoint/Unix+Story+Test" target="_blank">https://wiki.evolveum.com/display/midPoint/Unix+Story+Test</a>)</p></div><div><p class=MsoNormal style='margin-left:4.8pt'>Now I have the following situation:</p></div><div><p class=MsoNormal style='margin-left:4.8pt'> - Sync accounts from CSV to OpenDJ (works great)</p></div><div><p class=MsoNormal style='margin-left:4.8pt'> - I have one meta-role that is assigned to a test role which results in an LDAP group (works great)</p></div><div><p class=MsoNormal style='margin-left:4.8pt'> - Then I assign this test role to a user which results in a uniqueMember attribute on the LDAP group (nice)</p></div><div><p class=MsoNormal style='margin-left:4.8pt'> - Then I unassign the test role from said user and the uniqueMember attribute on the LDAP group is not getting removed (<span style='font-family:"Segoe UI Emoji",sans-serif'>😭</span>)</p></div><div><p class=MsoNormal style='margin-left:4.8pt'> - The uniqueMember attribute cannot be removed even after running reconcile/recompute on accounts and entitlements</p></div><div><p class=MsoNormal style='margin-left:4.8pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:4.8pt'>More succinct description to reproduce:</p></div><div><p class=MsoNormal style='margin-left:4.8pt'>- git checkout <a href="https://github.com/jalieven/midpoint-docker" target="_blank">https://github.com/jalieven/midpoint-docker</a><br>- cd midpoint-docker<br>- git checkout simple-ldap-group<br>- 'make restart' (starts docker with postgres/opendj/midpoint)<br>- go to admin GUI <a href="http://localhost:8080/midpoint" target="_blank">http://localhost:8080/midpoint</a> <br>- login 'administrator' pwd '5ecr3t'<br>- create a new role 'TestGroup' with an assignment to role 'LDAP Group Metarole'<br>[- in OpenDJ: be.didm.group.TestGroup is created] => OK (checking can be done with 'make check_ldap' in root project) <br>- in admin GUI: add 'TestGroup' to 'user01' assignments<br>[- in OpenDJ: the be.didm.group.TestGroup gets the attribute uniqueMember set to 'uid=user01,ou=people,dc=didm,dc=be'] => OK<br>- in admin GUI: remove 'TestGroup' from 'user01' assignments (minus button and SAVE)<br>[- in OpenDJ: nothing happens: uniqueMember is not removed from be.didm.group.TestGroup] => Not OK!</p></div><div><p class=MsoNormal style='margin-left:4.8pt'>- to verify this stale uniqueMember attribute: in root of project do 'make check_ldap'<br><br>Config files can be found in demo/simple/midpoint_server/container_files/mp-home/post-initial-objects</p></div><div><p class=MsoNormal style='margin-left:4.8pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:4.8pt'>As you can see reproducing this bug/miss-config takes 5min of work. If this is a miss-configuration you might want to check because the same is happening in the unix story test. If this is a bug in midPoint all the more so to look at it. It is hard for me as a novice to say which one it is. </p></div><div><p class=MsoNormal style='margin-left:4.8pt'><o:p> </o:p></p></div><div><div><p class=MsoNormal style='margin-left:4.8pt'>It seems to me that this is a common use-case. I have come across this issue a few times in this mailing list, none of which provide a sufficient solution:</p></div><div><p class=MsoNormal style='margin-left:4.8pt'><a href="http://lists.evolveum.com/pipermail/midpoint/2016-April/001720.html" target="_blank">http://lists.evolveum.com/pipermail/midpoint/2016-April/001720.html</a> (the 'it-works-on-my-machine'-stance is kind of lame in this case and it doesn't help that the referred zip files does not resolve)</p></div><div><p class=MsoNormal style='margin-left:4.8pt'><a href="http://lists.evolveum.com/pipermail/midpoint/2016-November/002807.html" target="_blank">http://lists.evolveum.com/pipermail/midpoint/2016-November/002807.html</a> (a lot of tolerant/strength stuff here)</p></div><div><p class=MsoNormal style='margin-left:4.8pt'><a href="http://lists.evolveum.com/pipermail/midpoint/2016-November/002843.html" target="_blank">http://lists.evolveum.com/pipermail/midpoint/2016-November/002843.html</a> (suggests association shortcuts and multivalued schema fix in scripted sql connector, the latter of which does not apply in my described use-case)</p></div></div><div><p class=MsoNormal style='margin-left:4.8pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:4.8pt'>The midPoint Confluence suggests also to set various packages to trace log level to debug what is going on but I must say that in so much logging I have no idea what to look for.</p></div><div><p class=MsoNormal style='margin-left:4.8pt'>When I set the projector/clockwork to debug all I see is that the remove of the association is not happening. More specifically this package on trace org.identityconnectors.framework.spi.operations points to the fact that the delete is not happening in the connector.</p></div><div><p class=MsoNormal style='margin-left:4.8pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:4.8pt'>May I also add that the page <a href="https://wiki.evolveum.com/display/midPoint/Initial+Logging+Setup+HOWTO" target="_blank">https://wiki.evolveum.com/display/midPoint/Initial+Logging+Setup+HOWTO</a> is not up to date. Setting the skipRepositoryLoggingSettings does not work. So there is currently no way to add specific loggers at start up through the logback(-extra).xml. It always gets overwritten by what is inside the repository.</p></div><div><p class=MsoNormal style='margin-left:4.8pt'>It appears that the skipRepositoryLoggingSettings was removed from the code some time ago. </p></div><div><p class=MsoNormal style='margin-left:4.8pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:4.8pt'>Kind Regards,</p></div><div><p class=MsoNormal style='margin-left:4.8pt'>Jan Lievens</p></div></div><p class=MsoNormal style='margin-left:4.8pt'><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-left:4.8pt'>Op wo 15 jan. 2020 om 16:19 schreef Jan Lievens <<a href="mailto:jan.lievens@biggerfish.be" target="_blank">jan.lievens@biggerfish.be</a>>:</p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:9.6pt'>Hi,</p><div><p class=MsoNormal style='margin-left:9.6pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:9.6pt'>I have a question related to inducement construction on a role toward an LDAP resource.</p></div><div><p class=MsoNormal style='margin-left:9.6pt'>I have the following situation in midPoint (see the attachment for all the xml files)</p></div><div><p class=MsoNormal style='margin-left:9.6pt'>- Accounts and Entitlements (intent: privileges) are imported from a ScriptedSQL connector.</p></div><div><p class=MsoNormal style='margin-left:9.6pt'>- These imported entitlements have multiple privileges which are created as roles with an "assignmentTargetSearch" (post-initial-objects/210-entitlement-object-template.xml)</p></div><div><p class=MsoNormal style='margin-left:9.6pt'>- I also have these privilege/roles defined with an assignment to (multiple) fixed technical roles (kind:entitlement/intent:group).</p></div><div><p class=MsoNormal style='margin-left:9.6pt'>- Lastly I would like for these technical roles (groups) and the associated accounts to get synced to LDAP in an objectToSubject fashion. I do this with inducements and construction tags in post-initial-objects/100-profiles-webidm.xml.</p></div><div><p class=MsoNormal style='margin-left:9.6pt'>- The result I get in LDAP is that accounts are synced correctly but the group names are not what I expect (I expect technical role names eg. JiraUser) but get the names of the Entitlements (intent:privileges) defined in the DB.</p></div><div><p class=MsoNormal style='margin-left:9.6pt'>- Additionally the associations are not synced (no uniqueMember refs are synced on the LDAP groups).</p></div><div><p class=MsoNormal style='margin-left:9.6pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:9.6pt'>Surely I am missing something here. I think this use case is quiet standard (a hierarchy of roles and only the leafs get synced to LDAP).</p></div><div><p class=MsoNormal style='margin-left:9.6pt'>I have experimented with the order of the inducement but these came out even more negative (no accounts or groups were created).</p></div><div><p class=MsoNormal style='margin-left:9.6pt'>I also have experimented with the tolerant setting on the association (since I find a lot of answers in this mailing list suggesting this) but to no avail.</p></div><div><p class=MsoNormal style='margin-left:9.6pt'>It is quiet frustrating to be so close to having this use-case implemented DB->mP->LDAP but failing in the sync to LDAP.</p></div><div><p class=MsoNormal style='margin-left:9.6pt'><br clear=all></p><div><p class=MsoNormal style='margin-left:9.6pt'>Kind regards,</p></div><p class=MsoNormal style='margin-left:9.6pt'>-- </p><div><div><div><div><div><div><p class=MsoNormal style='margin-left:9.6pt'>Jan Lievens</p><div><div><div><div><p class=MsoNormal style='margin-left:9.6pt'><span style='font-size:9.5pt;letter-spacing:.15pt'>IT Consultant<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:9.6pt'><span style='letter-spacing:.15pt'><o:p> </o:p></span></p></div></div></div></div></div></div></div></div></div></div></div></div></blockquote></div><p class=MsoNormal style='margin-left:4.8pt'><br clear=all></p><div><p class=MsoNormal style='margin-left:4.8pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:4.8pt'>-- </p><div><div><div><div><div><div><div><div><div><div><div><p class=MsoNormal style='margin-left:4.8pt'>Jan Lievens</p><div><div><div><div><div><div><div><p class=MsoNormal style='margin-left:4.8pt'><span style='font-size:9.5pt;letter-spacing:.15pt'>IT Consultant<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:4.8pt'><span style='font-size:7.5pt;letter-spacing:.15pt'>Bigger Fish</span><span style='letter-spacing:.15pt'><o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:4.8pt'><span style='font-size:7.5pt;letter-spacing:.15pt'>Hoogstraat 35</span><span style='letter-spacing:.15pt'><o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:4.8pt'><span style='font-size:7.5pt;letter-spacing:.15pt'>9450 Haaltert</span><span style='letter-spacing:.15pt'><o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:4.8pt'><span style='font-size:7.5pt;letter-spacing:.15pt'>Belgium</span><span style='letter-spacing:.15pt'><o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:4.8pt'><span style='font-size:7.5pt;letter-spacing:.15pt'>VAT: BE 0734.993.447</span><span style='letter-spacing:.15pt'><o:p></o:p></span></p></div><div><div><p class=MsoNormal style='margin-left:4.8pt'><span style='font-size:7.5pt;letter-spacing:.15pt'>Mob: +32 494 84 66 97</span><span style='font-size:9.5pt;letter-spacing:.15pt'><o:p></o:p></span></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></blockquote></div><p class=MsoNormal><br clear=all></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- </p><div><div><div><div><div><div><div><div><div><div><div><p class=MsoNormal>Jan Lievens</p><div><div><div><div><div><div><div><p class=MsoNormal><span style='font-size:9.5pt;letter-spacing:.15pt'>IT Consultant<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:7.5pt;letter-spacing:.15pt'>Bigger Fish</span><span style='letter-spacing:.15pt'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:7.5pt;letter-spacing:.15pt'>Hoogstraat 35</span><span style='letter-spacing:.15pt'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:7.5pt;letter-spacing:.15pt'>9450 Haaltert</span><span style='letter-spacing:.15pt'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:7.5pt;letter-spacing:.15pt'>Belgium</span><span style='letter-spacing:.15pt'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:7.5pt;letter-spacing:.15pt'>VAT: BE 0734.993.447</span><span style='letter-spacing:.15pt'><o:p></o:p></span></p></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><p class=MsoNormal><span style='font-size:7.5pt;letter-spacing:.15pt'>Mob: +32 494 84 66 97</span><span style='font-size:9.5pt;letter-spacing:.15pt'><o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p></div></body></html>