<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">In my experience, no. I have LDAP users who are in dozens of groups. The service referencing LDAP (for example, a Nextcloud server using LDAP for Authentication) has filters that look for the user's name in the proper LDAP group. If the name is in the group, it looks for the account with credentials. Then it authenticates. <div class=""><br class=""></div><div class="">The number of groups in LDAP and the number of groups a user is part of don’t impact OpenLDAP server performance.</div><div class=""><br class=""></div><div class="">Josh<br class=""><div class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Oct 11, 2021, at 9:32 AM, Keith LeValley via midPoint <<a href="mailto:midpoint@lists.evolveum.com" class="">midpoint@lists.evolveum.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta charset="UTF-8" class=""><div dir="ltr" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">Thank you for the response, and this works so I am starting to figure out what's going on a little bit. My concern is that every group inside openldap would then have to entitle the user to openldap. I was initially thinking of controlling account creation in openldap through 3 roles (depending on placement). I can condense this into one role using account naming standards (our vendor accounts always start with v_ etc). 
I am not really concerned with a user having an openldap account anytime they get placed in a group that is entitled to openldap.<div class=""><br class=""></div><div class="">My concern, though (and this is probably just a lack of understanding of midPoint), is this: if the user is placed in, say, 15 different openldap groups, and each of those groups is granting an entitlement to the user, does this cause any type of performance or scaling issue with the user having those 15 openldap entitlements?</div></div><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><div class="gmail_quote" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div dir="ltr" class="gmail_attr">On Mon, Oct 11, 2021 at 10:35 AM Joshua Williams <<a href="mailto:jwilliams%2Blist@globalnaz.org" class="">jwilliams+list@globalnaz.org</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div style="overflow-wrap: break-word;" class="">Hi Keith,<div class="">I am fairly new to midPoint, so I may be a little off base. However, I have a Role that is similar to yours. 
</div><div class=""><br class=""></div><div class="">To make the Metarole assign the account to the LDAP Posix Group, I have to use <assignment> for the Metarole and <inducement> for writing the LDAP account and attributes.</div><div class=""><br class=""></div><div class=""><div class=""> <span class="Apple-converted-space"> </span><assignment></div><div class=""> <span class="Apple-converted-space"> </span><!-- This assigns the LDAP Group Metarole --></div><div class=""> <targetRef oid="10000000-0000-0000-0000-000000000003</div><span class=""><span class=""></span></span><div class=""> <span class="Apple-converted-space"> </span></assignment></div><div class=""> </div><div class=""> <inducement></div><div class=""> <!-- Sends the job to the appropriate resource --></div><div class=""> <span class="Apple-converted-space"> </span><construction></div><div class=""> <resourceRef oid="10000000-0000-0000-0000-000000000004"</div><div class=""> <span class="Apple-converted-space"> </span>relation="org:default"</div><div class=""> <span class="Apple-converted-space"> </span>type="c:ResourceType"></resourceRef> </div><div class=""> <span class="Apple-converted-space"> </span><attribute></div><div class=""> <span class="Apple-converted-space"> </span><c:ref>ri:authServices</c:ref></div><div class=""> <span class="Apple-converted-space"> </span><outbound></div><div class=""> <strength>strong</strength></div><div class=""> <expression></div><div class=""> <span class="Apple-converted-space"> </span><value xmlns:xsd="<a href="http://www.w3.org/2001/XMLSchema" target="_blank" class="">http://www.w3.org/2001/XMLSchema</a>"</div><div class=""> xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank" class="">http://www.w3.org/2001/XMLSchema-instance</a>"</div><div class=""> xsi:type="xsd:string”>attribute</value></div><div class=""> </expression></div><div class=""> <span class="Apple-converted-space"> </span></outbound></div><div class=""> </attribute> 
</div><div class=""> <span class="Apple-converted-space"> </span></construction> </div><div class=""><br class=""></div><div class=""> </inducement></div><div class=""><br class=""></div><div class="">The Metarole I assign is basically this one: <a href="https://github.com/Evolveum/midpoint/blob/master/testing/story/src/test/resources/unix/role-meta-unix-group.xml" target="_blank" class="">https://github.com/Evolveum/midpoint/blob/master/testing/story/src/test/resources/unix/role-meta-unix-group.xml</a></div><div class=""><br class=""></div><div class="">Josh</div><div class=""><br class=""><blockquote type="cite" class=""><div class="">On Oct 11, 2021, at 7:45 AM, Keith LeValley via midPoint <<a href="mailto:midpoint@lists.evolveum.com" target="_blank" class="">midpoint@lists.evolveum.com</a>> wrote:</div><br class=""><div class=""><div dir="ltr" class=""><div class="">I was hoping someone might be able to explain the interaction with inducements using associations.</div><div class=""><br class=""></div><div class="">I am using the example from the demo site, the meta role used to grant group entitlements to openldap. 
Below is the xml of that inducements</div><div class=""><br class=""></div><div class=""><inducement id="2"><br class=""> <span class="Apple-converted-space"> </span><construction><br class=""> <span class="Apple-converted-space"> </span><resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31" relation="org:default" type="c:ResourceType"><br class=""> <span class="Apple-converted-space"> </span><!-- openldap --><br class=""> <span class="Apple-converted-space"> </span></resourceRef><br class=""> <span class="Apple-converted-space"> </span><kind>entitlement</kind><br class=""> <span class="Apple-converted-space"> </span><intent>group</intent><br class=""> <span class="Apple-converted-space"> </span></construction><br class=""> <span class="Apple-converted-space"> </span></inducement><br class=""> <span class="Apple-converted-space"> </span><inducement id="3"><br class=""> <span class="Apple-converted-space"> </span><construction><br class=""> <span class="Apple-converted-space"> </span><resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31" relation="org:default" type="c:ResourceType"><br class=""> <span class="Apple-converted-space"> </span><!-- openldap --><br class=""> <span class="Apple-converted-space"> </span></resourceRef><br class=""> <span class="Apple-converted-space"> </span><kind>account</kind><br class=""> <span class="Apple-converted-space"> </span><intent>default</intent><br class=""> <span class="Apple-converted-space"> </span><association id="3"><br class=""> <span class="Apple-converted-space"> </span><ref>ri:group</ref><br class=""> <span class="Apple-converted-space"> </span><outbound><br class=""> <span class="Apple-converted-space"> </span><expression><br class=""> <span class="Apple-converted-space"> </span><associationFromLink xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank" class="">http://www.w3.org/2001/XMLSchema-instance</a>" xsi:type="c:AssociationFromLinkExpressionEvaluatorType"><br class=""> <span 
class="Apple-converted-space"> </span><projectionDiscriminator xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank" class="">http://www.w3.org/2001/XMLSchema-instance</a>" xsi:type="c:ShadowDiscriminatorType"><br class=""> <span class="Apple-converted-space"> </span><kind>entitlement</kind><br class=""> <span class="Apple-converted-space"> </span><intent>group</intent><br class=""> <span class="Apple-converted-space"> </span></projectionDiscriminator><br class=""> <span class="Apple-converted-space"> </span></associationFromLink><br class=""> <span class="Apple-converted-space"> </span></expression><br class=""> <span class="Apple-converted-space"> </span></outbound><br class=""> <span class="Apple-converted-space"> </span></association><br class=""> <span class="Apple-converted-space"> </span></construction><br class=""> <span class="Apple-converted-space"> </span><order>2</order><br class=""> <span class="Apple-converted-space"> </span></inducement><br class=""></div><div class=""><br class=""></div><div class="">This works, when I assign a user to a group, assign that group to the meta role the user gets the openldap inducement and will be added to the group in openldap also.</div><div class=""><br class=""></div><div class="">Unfortunately this won't work for my setup, I need to split the inducement to openldap and to the group. The group and the user still get created but the association doesn't seem to work, the user is not assigned to the group. 
Below is the inducement to the group that entitles the user with the association</div><div class=""><br class=""></div><div class=""><inducement id="2"><br class=""> <span class="Apple-converted-space"> </span><construction><br class=""> <span class="Apple-converted-space"> </span><resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31" relation="org:default" type="c:ResourceType"><br class=""> <span class="Apple-converted-space"> </span><!-- openldap --><br class=""> <span class="Apple-converted-space"> </span></resourceRef><br class=""> <span class="Apple-converted-space"> </span><kind>account</kind><br class=""> <span class="Apple-converted-space"> </span><intent>default</intent><br class=""> <span class="Apple-converted-space"> </span><association id="9"><br class=""> <span class="Apple-converted-space"> </span><ref>ri:group</ref><br class=""> <span class="Apple-converted-space"> </span><outbound><br class=""> <span class="Apple-converted-space"> </span><expression><br class=""> <span class="Apple-converted-space"> </span><associationFromLink xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank" class="">http://www.w3.org/2001/XMLSchema-instance</a>" xsi:type="c:AssociationFromLinkExpressionEvaluatorType"><br class=""> <span class="Apple-converted-space"> </span><projectionDiscriminator xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank" class="">http://www.w3.org/2001/XMLSchema-instance</a>" xsi:type="c:ShadowDiscriminatorType"><br class=""> <span class="Apple-converted-space"> </span><kind>entitlement</kind><br class=""> <span class="Apple-converted-space"> </span><intent>group</intent><br class=""> <span class="Apple-converted-space"> </span></projectionDiscriminator><br class=""> <span class="Apple-converted-space"> </span></associationFromLink><br class=""> <span class="Apple-converted-space"> </span></expression><br class=""> <span class="Apple-converted-space"> </span></outbound><br class=""> <span 
class="Apple-converted-space"> </span></association><br class=""> <span class="Apple-converted-space"> </span></construction><br class=""> <span class="Apple-converted-space"> </span></inducement><br class=""></div><div class=""><br class=""></div><div class="">Below is the inducement used to entitle the group</div><div class=""><br class=""></div><div class=""><inducement id="2"><br class=""> <span class="Apple-converted-space"> </span><construction><br class=""> <span class="Apple-converted-space"> </span><resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31" relation="org:default" type="c:ResourceType"><br class=""> <span class="Apple-converted-space"> </span><!-- openldap --><br class=""> <span class="Apple-converted-space"> </span></resourceRef><br class=""> <span class="Apple-converted-space"> </span><kind>entitlement</kind><br class=""> <span class="Apple-converted-space"> </span><intent>group</intent><br class=""> <span class="Apple-converted-space"> </span></construction><br class=""> <span class="Apple-converted-space"> </span></inducement></div><div class=""><br class=""></div><div class="">This to me looks like it should work? 
The user still has the same inducements; it's just spread between two different roles instead of on a single meta role.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div>--<span class="Apple-converted-space"> </span><br class=""><div dir="ltr" class=""><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class="">Keith LeValley<br class=""><div class=""><font face="arial, helvetica, sans-serif" class="">Identity Services Architect</font>, Davenport University</div><div class="">phone: (616) 732-1102</div><div class=""><a href="mailto:klevalley2@davenport.edu" target="_blank" class="">klevalley2@davenport.edu<br class=""></a></div></div></div></div></div></div></div></div></div></div>_______________________________________________<br class="">midPoint mailing list<br class=""><a href="mailto:midPoint@lists.evolveum.com" target="_blank" class="">midPoint@lists.evolveum.com</a><br class=""><a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" class="">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br class=""></div></blockquote></div><br class=""></div></div></blockquote></div><br clear="all" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br class=""></div><span style="caret-color: 
rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">--<span class="Apple-converted-space"> </span></span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><div dir="ltr" class="gmail_signature" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class="">Keith LeValley<br class=""><div class=""><font face="arial, helvetica, sans-serif" class="">Identity Services Architect</font>, Davenport University</div><div class="">phone: (616) 732-1102</div><div class=""><a href="mailto:klevalley2@davenport.edu" target="_blank" class="">klevalley2@davenport.edu<br class=""></a></div></div></div></div></div></div></div></div></div><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" 
class="">_______________________________________________</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">midPoint mailing list</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><a href="mailto:midPoint@lists.evolveum.com" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">midPoint@lists.evolveum.com</a><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><a href="https://lists.evolveum.com/mailman/listinfo/midpoint" style="font-family: Helvetica; font-size: 
12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">https://lists.evolveum.com/mailman/listinfo/midpoint</a></div></blockquote></div><br class=""></div></div></body></html>