<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<p>Hello,</p>
<p><br>
</p>
<p>Thanks Arnošt for your help.<br>
</p>
<p><br>
</p>
<p>Actually, I am not sure the metarole is what I want, and did not
find any tip in the documentation. (I have been searching for
associations, inducements, assignments,...)<br>
</p>
<p><br>
</p>
<p>The documentation states that group membership defined by an
association like:</p>
<p><br>
</p>
<pre>&lt;association&gt;
    &lt;ref&gt;ri:ldapGroup&lt;/ref&gt;
    &lt;displayName&gt;Appartenance aux groupes&lt;/displayName&gt;
    &lt;kind&gt;entitlement&lt;/kind&gt;
    &lt;intent&gt;ldapGroup&lt;/intent&gt;
    &lt;direction&gt;objectToSubject&lt;/direction&gt;
    &lt;associationAttribute&gt;ri:member&lt;/associationAttribute&gt;
    &lt;valueAttribute&gt;ri:dn&lt;/valueAttribute&gt;
&lt;/association&gt;</pre>
<p><br>
</p>
<p><br>
</p>
<p>is only visible in projections.</p>
<p>It is not very convenient to view these groups in the midpoint
interface. And anyway it doesn't seem possible to manage group
membership there.</p>
<p><br>
</p>
<p>My use case is quite simple: I'd like to have objects in the
midpoint interface that represent my LDAP groups, and to be able
to manage them (including their membership).</p>
<p><br>
</p>
<pre>LDAP user 1  &lt;-&gt; midpoint shadow account &lt;-&gt; midpoint user
     ^                                           ^
     |                                           |
     v                                           v
LDAP group 1 &lt;-&gt; midpoint shadow group   &lt;-&gt; midpoint object (role?)</pre>
<p><br>
</p>
<p><br>
</p>
<p>Does anyone have an idea how to achieve this? Maybe role is not
the correct object?<br>
</p>
<p><br>
</p>
<p>Regards,</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 29/08/2023 at 13:47, Arnošt Starosta
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:AS8P194MB13509AA8DE62DB41CF0F71F78EE7A@AS8P194MB1350.EURP194.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);" class="elementToProof">
Hi David,</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted1">
regarding ldap group membership - you may be missing the
necessary association configuration typically found in a
metarole, please check the docs or even better some examples in
the sources like this one</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0">
<a
href="https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31"
id="LPlnk911040" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31</a><br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size:
12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0">
arnost<br>
</div>
<div class="elementToProof">
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255, 255);">
<span style="font-size: 10pt; font-family: Arial;
font-weight: 700; color: rgb(0, 0, 0);">Arnošt Starosta</span><span
style="font-size: 10pt; font-family: Arial; color:
rgb(0, 0, 0);"><br>
</span><span style="font-size: 8.5pt; font-family: Arial;
color: rgb(128, 128, 128); background-color: rgb(255,
255, 255);">solution architect<br>
</span></p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255, 255);">
</p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255, 255);">
<span style="font-size: 8.5pt; font-family: Arial; color:
rgb(0, 0, 0);">gsm: [+420]
</span><span style="font-size: 8.5pt; font-family: Arial;
color: rgb(0, 0, 0); background-color: rgb(255, 255,
255);">603 794 932</span><span style="font-size: 8.5pt;
font-family: Arial; color: rgb(0, 0, 0);"><br>
</span><span style="font-size: 8.5pt; font-family: Arial;
color: rgb(0, 0, 0);">e-mail:
</span><a href="mailto:arnost.starosta@ami.cz"
title="mailto:arnost.starosta@ami.cz"
moz-do-not-send="true"><span style="font-size: 8.5pt;
font-family: Arial; text-decoration: underline;
text-decoration-skip-ink: none; color: rgb(182, 10,
37); background-color: rgb(255, 255, 255);">arnost.starosta@ami.cz</span></a></p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255, 255);">
<span style="font-size: 8.5pt; font-family: Arial; color:
rgb(0, 0, 0);"><br>
</span><span style="font-size: 8.5pt; font-family: Arial;
font-weight: 700; color: rgb(0, 0, 0);">AMI Praha a.s.</span><span
style="font-size: 8.5pt; font-family: Arial; color:
rgb(0, 0, 0);"><br>
</span><span style="font-size: 8.5pt; font-family: Arial;
color: rgb(0, 0, 0);">Pernerova 697/35, 186 00 Praha 8 </span></p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255, 255);">
</p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255, 255);">
<span style="font-size: 8.5pt; font-family: Arial; color:
rgb(0, 0, 0); background-color: rgb(255, 255, 255);">recepce:
[+420] 604 444 848 | web: </span><a
href="https://www.ami.cz/" moz-do-not-send="true"><span
style="font-size: 8.5pt; font-family: Arial;
text-decoration: underline; text-decoration-skip-ink:
none; color: rgb(182, 10, 37); background-color:
rgb(255, 255, 255);">www.ami.cz</span></a><span
style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(0, 0, 0);"> </span></p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255, 255);">
</p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255, 255);">
<span style="font-size: 10pt; font-family: Arial; color:
rgb(0, 0, 0);"><span
style="border:none;display:inline-block;overflow:hidden;width:104px;height:40px"><img
style="margin-top:0px"
src="https://lh6.googleusercontent.com/7g_5fgbXMZ1ZrwCuYbH2_TsgaiZgnYwQ5dn6yNvHftbIvoJ9ZSUgStI4w_rsNz5aS6A3xSylReE54KqqzOIUFIntFF83Mp9Bled966ePlyJM7PSW37Fme_Ml5rCID2aP_OSx601ueEYa93nD_4ELU8QKiyGfXcHpY9yu83b-NTqZZl8cOiW86cY4lH09sG_-RjHudg"
moz-do-not-send="true" width="104" height="40"></span></span><span
style="font-size: 7.5pt; font-family: Verdana; color:
rgb(0, 0, 0);"> </span></p>
<span style="font-size: 8.5pt; font-family: Arial; color:
rgb(170, 170, 170);">By the text of this e-mail the signatory neither
promises to conclude nor concludes any contract on behalf of AMI Praha
a.s. Any contract, if concluded, must be exclusively in written form.<br>
<br>
This e-mail is intended solely for its addressee(s) and may contain
confidential or personal information. If you are not the intended
recipient, any disclosure, forwarding or other use of this information
is prohibited. If you have received this e-mail in error, please notify
the sender and immediately delete all copies of this e-mail including
all its attachments. By handling improperly obtained information you
expose yourself to the risk of legal action.</span><br>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
midPoint <a class="moz-txt-link-rfc2396E" href="mailto:midpoint-bounces@lists.evolveum.com"><midpoint-bounces@lists.evolveum.com></a> on behalf
of David Coutadeur via midPoint
<a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com"><midpoint@lists.evolveum.com></a><br>
<b>Sent:</b> Monday, August 28, 2023 4:13 PM<br>
<b>To:</b> midPoint General Discussion
<a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com"><midpoint@lists.evolveum.com></a><br>
<b>Cc:</b> David Coutadeur <a class="moz-txt-link-rfc2396E" href="mailto:david.coutadeur@gmail.com"><david.coutadeur@gmail.com></a><br>
<b>Subject:</b> [midPoint] Question about group membership
management in midpoint</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span
style="font-size:11pt;">
<div class="PlainText"><br>
Hello,<br>
<br>
I am working on an Openldap integration with midpoint.<br>
<br>
It starts working, but I have two questions:<br>
<br>
<br>
1/ I have imported OpenLDAP groups into midpoint roles.
But I can't <br>
figure out how to manage role membership. I'd like to be
able to <br>
read/write role members in midpoint so that they keep
synchronized in LDAP.<br>
<br>
You can see my openldap-resource definition attached.<br>
<br>
Please notice that LDAP group membership is already
visible in midpoint <br>
users. If I look at account shadows, I can observe shadow
group <br>
membership. But I can't manage the membership from here.<br>
<br>
Does anyone know how to do this? Is there a better
approach for managing <br>
group membership in midpoint?<br>
<br>
<br>
<br>
2/ Some LDAP users are not imported in midpoint when their
names are too <br>
close to existing users. For example, when their names
contain a dash.<br>
<br>
I have understood that this is due to the comparison rule
based on <br>
PolyString type. I have tried multiple rules:<br>
<br>
&lt;q:path&gt;name&lt;/q:path&gt;<br>
&lt;q:matching&gt;polyStringOrig&lt;/q:matching&gt;<br>
<br>
but I can't find any that compares the strings directly,
without <br>
normalization. Do you know what I have missed?<br>
<br>
<br>
Also, the openldap-resource I am working on is more
complete than those <br>
in the docs. Would you be interested in including it? Do
you accept <br>
contributions?<br>
<br>
<br>
Thanks in advance for your help!<br>
<br>
Regards,<br>
<br>
-- <br>
David Coutadeur | IAM integrator<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:david.coutadeur@worteks.com">david.coutadeur@worteks.com</a><br>
+33 7 88 46 85 34<br>
16 avenue Hoche, Paris 75008<br>
<br>
Worteks | <a href="https://www.worteks.com"
moz-do-not-send="true" class="moz-txt-link-freetext">https://www.worteks.com</a><br>
</div>
</span></font></div>
</blockquote>
<pre class="moz-signature" cols="72">--
David Coutadeur | IAM integrator
<a class="moz-txt-link-abbreviated" href="mailto:david.coutadeur@worteks.com">david.coutadeur@worteks.com</a>
+33 7 88 46 85 34
16 avenue Hoche, Paris 75008
Worteks | <a class="moz-txt-link-freetext" href="https://www.worteks.com">https://www.worteks.com</a></pre>
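<p>Added example (not from this thread, nor the file Arnošt links): a sketch of the metarole pattern he points to, wired to the <code>ri:ldapGroup</code> association from the resource definition above. It assumes the group's naming attribute is <code>ri:cn</code>, that user accounts use intent <code>default</code>, and a placeholder resource OID; the element names follow the midPoint metarole approach as I recall it, so check them against the linked role-meta-ldapgroup.xml.</p>

```xml
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>metarole-ldap-group</name>
    <!-- Order 1: applies to the role itself. Every role that has this
         metarole assigned gets an LDAP group entitlement shadow whose
         cn is taken from the role's name (ri:cn is an assumption). -->
    <inducement>
        <construction>
            <!-- placeholder: put the OID of your openldap-resource here -->
            <resourceRef oid="PLACEHOLDER-OPENLDAP-RESOURCE-OID" type="ResourceType"/>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <attribute>
                <ref>ri:cn</ref>
                <outbound>
                    <source>
                        <path>$focus/name</path>
                    </source>
                </outbound>
            </attribute>
        </construction>
    </inducement>
    <!-- Order 2: applies to users assigned a role carrying this metarole.
         Their account (intent default assumed) is associated via ri:ldapGroup
         with the group shadow linked to the role, so assigning or unassigning
         the role in midPoint adds or removes the ri:member value in LDAP. -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-OPENLDAP-RESOURCE-OID" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:ldapGroup</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>ldapGroup</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>
```

<p>Each role that represents an LDAP group (imported or created in midPoint) gets this metarole assigned; role members are then the group's members, and group membership is managed by assigning the role rather than by editing the projection.</p>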
</body>
</html>