<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Ubuntu;
panose-1:2 11 5 4 3 6 2 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.DefaultFontHxMailStyle
{mso-style-name:"Default Font HxMail Style";
font-family:"Ubuntu",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span class=DefaultFontHxMailStyle>From what I can see so far, pretty sure you need to use ‘ri:dn’ for ‘shortcutValueAttribute’ and ‘valueAttribute’ <o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='border:none;padding:0in'><b>From: </b><a href="mailto:midpoint@lists.evolveum.com">Al Lilianstrom via midPoint</a><br><b>Sent: </b>Thursday, January 7, 2021 1:20 PM<br><b>To: </b><a href="mailto:chris@cmwoods.com">chris@cmwoods.com</a>; <a href="mailto:midpoint@lists.evolveum.com">midPoint General Discussion</a><br><b>Cc: </b><a href="mailto:lilstrom@fnal.gov">Al Lilianstrom</a><br><b>Subject: </b>Re: [midPoint] Importing AD groups as roles</p></div><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal>Hi Chris,</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks for the response.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I have the inbound mapping and association defined.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><association></p><p class=MsoNormal> <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group</c:ref></p><p class=MsoNormal> <displayName>AD Group Membership</displayName></p><p class=MsoNormal> <kind>entitlement</kind></p><p class=MsoNormal> <intent>group</intent></p><p class=MsoNormal> <direction>objectToSubject</direction></p><p class=MsoNormal> <associationAttribute>ri:member</associationAttribute></p><p class=MsoNormal> <valueAttribute>ri:name</valueAttribute></p><p class=MsoNormal> <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute></p><p class=MsoNormal> <shortcutValueAttribute>ri:name</shortcutValueAttribute></p><p class=MsoNormal> <explicitReferentialIntegrity>false</explicitReferentialIntegrity></p><p class=MsoNormal></association></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><objectType></p><p class=MsoNormal> <kind>entitlement</kind></p><p class=MsoNormal> <intent>group</intent></p><p class=MsoNormal> <displayName>AD Group</displayName></p><p class=MsoNormal> <default>true</default></p><p class=MsoNormal> <objectClass>ri:group</objectClass></p><p class=MsoNormal> <attribute></p><p class=MsoNormal> <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</c:ref></p><p class=MsoNormal> <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule></p><p class=MsoNormal> <inbound></p><p class=MsoNormal> <target></p><p class=MsoNormal> <c:path>$focus/name</c:path></p><p class=MsoNormal> </target></p><p class=MsoNormal> </inbound></p><p class=MsoNormal> </attribute></p><p class=MsoNormal>...</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I'd really appreciate an example. Please send it when you have a chance on Monday.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> al</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>--</p><p class=MsoNormal>Al Lilianstrom</p><p class=MsoNormal>Authentication Services</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Fermi National Accelerator Laboratory</p><p class=MsoNormal>www.fnal.gov</p><p class=MsoNormal>lilstrom@fnal.gov</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>________________________________________</p><p class=MsoNormal>From: chris@cmwoods.com <chris@cmwoods.com></p><p class=MsoNormal>Sent: Thursday, January 7, 2021 11:44 AM</p><p class=MsoNormal>To: midPoint General Discussion</p><p class=MsoNormal>Cc: Al Lilianstrom</p><p class=MsoNormal>Subject: Re: [midPoint] Importing AD groups as roles</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hi Al,</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>the importing as a role is not defined in the task. You have to define that in an inbound mapping in an association in your resource schema handling. For AD it also gets more complicated due to nested groups - if you want roles as members of roles in midpoint.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I am back at work on Monday and can send you an example if you like.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Regards,</p><p class=MsoNormal>Chris</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint" <midpoint@lists.evolveum.com> wrote:</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> Still struggling with this. Given up on importing the existing groups as roles for now. Using</p><p class=MsoNormal>> https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.evolveum.com_display_midPoint_Active-2BDirectory-2BGroup-2BSynchronization-2BHOWTO&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=qzlO4VhAsDjofkMBBzEIVXfh548pEhTobTb4-k4Iw8A&e= as a guide</p><p class=MsoNormal>> I verified that my configuration for the AD resource matched the guide. I then created the task for</p><p class=MsoNormal>> syncing groups</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> <task xmlns="https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_common-2D3&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=A-QjjPWUuFgmB5_adbMwnoSDeMofyb4hVVFNEdFgPSQ&e= "</p><p class=MsoNormal>> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"</p><p class=MsoNormal>> xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</p><p class=MsoNormal>> xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"</p><p class=MsoNormal>> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"</p><p class=MsoNormal>> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</p><p class=MsoNormal>> xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"></p><p class=MsoNormal>> <name>Synchronization: Active Directory Groups</name></p><p class=MsoNormal>> <extension></p><p class=MsoNormal>> <mext:kind</p><p class=MsoNormal>> xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">entitlement</mext:kind></p><p class=MsoNormal>> </extension></p><p class=MsoNormal>> <executionStatus>runnable</executionStatus></p><p class=MsoNormal>> <handlerUri>https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_model_synchronization_task_live-2Dsync_handler-2D&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=Pq5GOOAao17jRFm3GE-ojdVS-MYluBMNYXFDy_DHQvk&e=</p><p class=MsoNormal>> </handlerUri></p><p class=MsoNormal>> <objectRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" type="c:ResourceType"/></p><p class=MsoNormal>> <recurrence>recurring</recurrence></p><p class=MsoNormal>> <binding>tight</binding></p><p class=MsoNormal>> <schedule></p><p class=MsoNormal>> <interval>5</interval></p><p class=MsoNormal>> </schedule></p><p class=MsoNormal>> </task></p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> Task runs without errors.</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> I then created a group. The task picked up the group and added it as a shadow.</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> From this line in the document "When new group is created, it appears in midPoint as a new</p><p class=MsoNormal>> entitlement shadow and a role." I expected a role to be created.</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> Am I misunderstanding the document or missing something in the task?</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> --</p><p class=MsoNormal>> Al Lilianstrom</p><p class=MsoNormal>> Authentication Services</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> Fermi National Accelerator Laboratory</p><p class=MsoNormal>> http://www.fnal.gov</p><p class=MsoNormal>> lilstrom@fnal.gov</p><p class=MsoNormal>><o:p> </o:p></p><p class=MsoNormal>> _______________________________________________</p><p class=MsoNormal>> midPoint mailing list</p><p class=MsoNormal>> midPoint@lists.evolveum.com</p><p class=MsoNormal>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=Ccoy53oEM8wW3-vUAuZFE1kez-3vbV9LOfLVoaEsm3A&m=rA0e1fhQRZUWOFzxH4J3jXfGT2pTU-1BoDRZcAH_I4E&s=ZJ5Xkl5mnRIijyiycMv8NSCIutNVsI7Ms85zGDzPAGk&e=</p><p class=MsoNormal>_______________________________________________</p><p class=MsoNormal>midPoint mailing list</p><p class=MsoNormal>midPoint@lists.evolveum.com</p><p class=MsoNormal>https://lists.evolveum.com/mailman/listinfo/midpoint</p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p></div></body></html>