<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<body>
<div dir="auto">
<div dir="auto">Hi Al, </div><div dir="auto"><br></div><div dir="auto">You don't have a reaction defined for "unmatched". This should be "add focus" if you want the role to be created. </div><div dir="auto"><br></div><div dir="auto">Regards, </div><div dir="auto">Chris </div><div dir="auto"><br></div>
<div id="aqm-original" style="color: black;">
<div dir="auto">On 8 January 2021 at 19:51:19, Al Lilianstrom via midPoint <midpoint@lists.evolveum.com> wrote:</div>
<div><br></div>
<blockquote type="cite" class="gmail_quote" style="margin: 0 0 0 0.75ex; border-left: 1px solid #808080; padding-left: 0.75ex;">
<div dir="auto">Hi Jason,</div>
<div dir="auto"><br></div>
<div dir="auto">It looks like this</div>
<div dir="auto"><br></div>
<div dir="auto"><objectSynchronization></div>
<div dir="auto">        <name>Group sync</name></div>
<div dir="auto">        <objectClass>ri:group</objectClass></div>
<div dir="auto">        <kind>entitlement</kind></div>
<div dir="auto">        <intent>group</intent></div>
<div dir="auto">        <focusType>RoleType</focusType></div>
<div dir="auto">        <enabled>true</enabled></div>
<div dir="auto">        <correlation></div>
<div dir="auto">                <q:equal></div>
<div dir="auto">                        <q:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:dn</q:path></div>
<div dir="auto">                        <expression></div>
<div dir="auto">                                <path>$shadow/attributes/cn</path></div>
<div dir="auto">                        </expression></div>
<div dir="auto">                </q:equal></div>
<div dir="auto">        </correlation></div>
<div dir="auto">        <reaction></div>
<div dir="auto">                <situation>linked</situation></div>
<div dir="auto">                <synchronize>true</synchronize></div>
<div dir="auto">        </reaction></div>
<div dir="auto">        <reaction></div>
<div dir="auto">                <situation>deleted</situation></div>
<div dir="auto">                <action></div>
<div dir="auto">                        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri></div>
<div dir="auto">                </action></div>
<div dir="auto">        </reaction></div>
<div dir="auto">        <reaction></div>
<div dir="auto">                <situation>unlinked</situation></div>
<div dir="auto">                <action></div>
<div dir="auto">                        <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri></div>
<div dir="auto">                </action></div>
<div dir="auto">        </reaction></div>
<div dir="auto">        <reaction></div>
<div dir="auto">                <situation>unmatched</situation></div>
<div dir="auto">        </reaction></div>
<div dir="auto"></objectSynchronization></div>
<div dir="auto"><br></div>
<div dir="auto"><br></div>
<div dir="auto">--</div>
<div dir="auto">Al Lilianstrom</div>
<div dir="auto">Authentication Services</div>
<div dir="auto"><br></div>
<div dir="auto">Fermi National Accelerator Laboratory</div>
<div dir="auto">www.fnal.gov</div>
<div dir="auto">lilstrom@fnal.gov</div>
<div dir="auto"><br></div>
<div dir="auto"><br></div>
<div dir="auto">________________________________________</div>
<div dir="auto">From: Jason Everling <jeverling@bshp.edu></div>
<div dir="auto">Sent: Friday, January 8, 2021 10:41 AM</div>
<div dir="auto">To: midPoint General Discussion</div>
<div dir="auto">Cc: Al Lilianstrom</div>
<div dir="auto">Subject: RE: [midPoint] Importing AD groups as roles</div>
<div dir="auto"><br></div>
<div dir="auto">So “name” is a midPoint attribute; the association section needs attributes that exist in AD, so “ri:name” is for sure not valid and should be “ri:dn”. What is your object synchronization section for actions?</div>
<div dir="auto"><br></div>
<div dir="auto">From: Al Lilianstrom via midPoint <midpoint@lists.evolveum.com></div>
<div dir="auto">Sent: Friday, January 8, 2021 10:27 AM</div>
<div dir="auto">To: midPoint General Discussion <midpoint@lists.evolveum.com></div>
<div dir="auto">Cc: Al Lilianstrom <lilstrom@fnal.gov></div>
<div dir="auto">Subject: Re: [midPoint] Importing AD groups as roles</div>
<div dir="auto"><br></div>
<div dir="auto">Hi Jason,</div>
<div dir="auto"><br></div>
<div dir="auto">I've tried a couple of different attributes there. Name as it's in the doc I referenced below and dn as it's in the same from your org in github. Same results. Shadow created but no role. No error that I've been able to find.</div>
<div dir="auto"><br></div>
<div dir="auto">This is what the shadow object looks like. Any clues there as to what I might be missing?</div>
<div dir="auto"><br></div>
<div dir="auto"><shadow xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="ae7c73f6-82cf-4776-89a2-9cb099bbcabb" version="1"></div>
<div dir="auto">    <name>CN=TestSync1,OU=midPoint,DC=fermistart,DC=fnal,DC=local</name></div>
<div dir="auto">    <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" relation="org:default" type="c:ResourceType"></div>
<div dir="auto">        <!-- FermiStart Active Directory --></div>
<div dir="auto">    </resourceRef></div>
<div dir="auto">    <synchronizationTimestamp>2021-01-08T09:48:37.057-06:00</synchronizationTimestamp></div>
<div dir="auto">    <fullSynchronizationTimestamp>2021-01-08T09:48:37.057-06:00</fullSynchronizationTimestamp></div>
<div dir="auto">    <objectClass>ri:group</objectClass></div>
<div dir="auto">    <primaryIdentifierValue>4d011362-4f8e-4b77-ad8f-257bd2f9338e</primaryIdentifierValue></div>
<div dir="auto">    <kind>entitlement</kind></div>
<div dir="auto">    <exists>true</exists></div>
<div dir="auto">    <attributes></div>
<div dir="auto">        <ri:dn>cn=testsync1,ou=midpoint,dc=fermistart,dc=fnal,dc=local</ri:dn></div>
<div dir="auto">        <ri:objectGUID>4d011362-4f8e-4b77-ad8f-257bd2f9338e</ri:objectGUID></div>
<div dir="auto">    </attributes></div>
<div dir="auto"></shadow></div>
<div dir="auto"><br></div>
<div dir="auto"><br></div>
<div dir="auto">  al</div>
<div dir="auto"><br></div>
<div dir="auto"><br></div>
<div dir="auto">--</div>
<div dir="auto">Al Lilianstrom</div>
<div dir="auto">Authentication Services</div>
<div dir="auto"><br></div>
<div dir="auto">Fermi National Accelerator Laboratory</div>
<div dir="auto">http://www.fnal.gov</div>
<div dir="auto">lilstrom@fnal.gov</div>
<div dir="auto"><br></div>
<div dir="auto"><br></div>
<div dir="auto">________________________________________</div>
<div dir="auto">From: Jason Everling <jeverling@bshp.edu></div>
<div dir="auto">Sent: Thursday, January 7, 2021 1:49 PM</div>
<div dir="auto">To: midPoint General Discussion; chris@cmwoods.com</div>
<div dir="auto">Cc: Al Lilianstrom</div>
<div dir="auto">Subject: RE: [midPoint] Importing AD groups as roles</div>
<div dir="auto"><br></div>
<div dir="auto">From what I can see so far, pretty sure you need to use ‘ri:dn’ for ‘shortcutValueAttribute’ and ‘valueAttribute’</div>
<div dir="auto"><br></div>
<div dir="auto">From: Al Lilianstrom via midPoint <midpoint@lists.evolveum.com></div>
<div dir="auto">Sent: Thursday, January 7, 2021 1:20 PM</div>
<div dir="auto">To: chris@cmwoods.com; midPoint General Discussion <midpoint@lists.evolveum.com></div>
<div dir="auto">Cc: Al Lilianstrom <lilstrom@fnal.gov></div>
<div dir="auto">Subject: Re: [midPoint] Importing AD groups as roles</div>
<div dir="auto"><br></div>
<div dir="auto">Hi Chris,</div>
<div dir="auto"><br></div>
<div dir="auto">Thanks for the response.</div>
<div dir="auto"><br></div>
<div dir="auto">I have the inbound mapping and association defined.</div>
<div dir="auto"><br></div>
<div dir="auto"><association></div>
<div dir="auto">        <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:group</c:ref></div>
<div dir="auto">        <displayName>AD Group Membership</displayName></div>
<div dir="auto">        <kind>entitlement</kind></div>
<div dir="auto">        <intent>group</intent></div>
<div dir="auto">        <direction>objectToSubject</direction></div>
<div dir="auto">        <associationAttribute>ri:member</associationAttribute></div>
<div dir="auto">        <valueAttribute>ri:name</valueAttribute></div>
<div dir="auto">        <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute></div>
<div dir="auto">        <shortcutValueAttribute>ri:name</shortcutValueAttribute></div>
<div dir="auto">        <explicitReferentialIntegrity>false</explicitReferentialIntegrity></div>
<div dir="auto"></association></div>
<div dir="auto"><br></div>
<div dir="auto"><objectType></div>
<div dir="auto">        <kind>entitlement</kind></div>
<div dir="auto">        <intent>group</intent></div>
<div dir="auto">        <displayName>AD Group</displayName></div>
<div dir="auto">        <default>true</default></div>
<div dir="auto">        <objectClass>ri:group</objectClass></div>
<div dir="auto">        <attribute></div>
<div dir="auto">                <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:cn</c:ref></div>
<div dir="auto">                <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule></div>
<div dir="auto">                <inbound></div>
<div dir="auto">                        <target></div>
<div dir="auto">                                <c:path>$focus/name</c:path></div>
<div dir="auto">                        </target></div>
<div dir="auto">                </inbound></div>
<div dir="auto">        </attribute></div>
<div dir="auto">...</div>
<div dir="auto"><br></div>
<div dir="auto">I'd really appreciate an example. Please send it when you have a chance on Monday.</div>
<div dir="auto"><br></div>
<div dir="auto">  al</div>
<div dir="auto"><br></div>
<div dir="auto"><br></div>
<div dir="auto">--</div>
<div dir="auto">Al Lilianstrom</div>
<div dir="auto">Authentication Services</div>
<div dir="auto"><br></div>
<div dir="auto">Fermi National Accelerator Laboratory</div>
<div dir="auto">http://www.fnal.gov</div>
<div dir="auto">lilstrom@fnal.gov</div>
<div dir="auto"><br></div>
<div dir="auto"><br></div>
<div dir="auto">________________________________________</div>
<div dir="auto">From: chris@cmwoods.com <chris@cmwoods.com></div>
<div dir="auto">Sent: Thursday, January 7, 2021 11:44 AM</div>
<div dir="auto">To: midPoint General Discussion</div>
<div dir="auto">Cc: Al Lilianstrom</div>
<div dir="auto">Subject: Re: [midPoint] Importing AD groups as roles</div>
<div dir="auto"><br></div>
<div dir="auto">Hi Al,</div>
<div dir="auto"><br></div>
<div dir="auto">The importing as a role is not defined in the task. You have to define that in an inbound mapping in an association in your resource schema handling. For AD it also gets more complicated due to nested groups, if you want roles as members of roles in midPoint.</div>
<div dir="auto"><br></div>
<div dir="auto">I am back at work on Monday and can send you an example if you like.</div>
<div dir="auto"><br></div>
<div dir="auto">Regards,</div>
<div dir="auto">Chris</div>
<div dir="auto"><br></div>
<div dir="auto">January 7, 2021 6:29 PM, "Al Lilianstrom via midPoint" <midpoint@lists.evolveum.com> wrote:</div>
<div dir="auto"><br></div>
<blockquote type="cite" class="gmail_quote" style="margin: 0 0 0 0.75ex; border-left: 1px solid #0099CC; padding-left: 0.75ex;">
<div dir="auto">Still struggling with this. Given up on importing the existing groups as roles for now. Using https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO as a guide, I verified that my configuration for the AD resource matched the guide. I then created the task for syncing groups:</div>
<div dir="auto"><br></div>
<div dir="auto"><task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"</div>
<div dir="auto">xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"</div>
<div dir="auto">xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"</div>
<div dir="auto">xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"</div>
<div dir="auto">xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"</div>
<div dir="auto">xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"</div>
<div dir="auto">xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"></div>
<div dir="auto"><name>Synchronization: Active Directory Groups</name></div>
<div dir="auto"><extension></div>
<div dir="auto"><mext:kind</div>
<div dir="auto">xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3">entitlement</mext:kind></div>
<div dir="auto"></extension></div>
<div dir="auto"><executionStatus>runnable</executionStatus></div>
<div dir="auto"><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/live-sync/handler-</div>
<div dir="auto"></handlerUri></div>
<div dir="auto"><objectRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" type="c:ResourceType"/></div>
<div dir="auto"><recurrence>recurring</recurrence></div>
<div dir="auto"><binding>tight</binding></div>
<div dir="auto"><schedule></div>
<div dir="auto"><interval>5</interval></div>
<div dir="auto"></schedule></div>
<div dir="auto"></task></div>
<div dir="auto"><br></div>
<div dir="auto">Task runs without errors.</div>
<div dir="auto"><br></div>
<div dir="auto">I then created a group. The task picked up the group and added it as a shadow.</div>
<div dir="auto"><br></div>
<div dir="auto">From this line in the document: "When new group is created, it appears in midPoint as a new entitlement shadow and a role." I expected a role to be created.</div>
<div dir="auto"><br></div>
<div dir="auto">Am I misunderstanding the document or missing something in the task?</div>
<div dir="auto"><br></div>
<div dir="auto">--</div>
<div dir="auto">Al Lilianstrom</div>
<div dir="auto">Authentication Services</div>
<div dir="auto"><br></div>
<div dir="auto">Fermi National Accelerator Laboratory</div>
<div dir="auto">http://www.fnal.gov</div>
<div dir="auto">lilstrom@fnal.gov</div>
<div dir="auto"><br></div>
<div dir="auto">_______________________________________________</div>
<div dir="auto">midPoint mailing list</div>
<div dir="auto">midPoint@lists.evolveum.com</div>
<div dir="auto">https://lists.evolveum.com/mailman/listinfo/midpoint</div>
</blockquote>
</blockquote>
</div><div dir="auto"><br></div>
</div></body>
</html>