<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello David,</p>
<p><br>
</p>
<p>groups in a LDAP directory usually are projections of midPoint
roles.<br>
For a more detailed explaination of the finer points see this blog
post: <br>
<a class="moz-txt-link-freetext" href="https://evolveum.com/simplifying-ldap-group-management-using-midpoint/">https://evolveum.com/simplifying-ldap-group-management-using-midpoint/</a></p>
<p><br>
</p>
<p>Usually you have some meta-role(s) that define the nature of the
desired projections; then you can manage membership of those
groups via role membership in midPoint. The metarole is assigned
to all roles that should be present in your directory and defines
the properties of the assignment to the resource.<br>
</p>
<p><br>
</p>
<p>I noticed that you have a directory with the gosa schema; as I am
currently in the process of migrating from gosa to a midPoint-based
system, here is another hint:<br>
To preserve the delegated administration provided by gosa, I used
orgs to model subtrees and some RBAC configuration with roles to
allow delegated administration. This is achieved by using the
subjectRelation mechanism in the object definition of an
authorization for a role.<br>
</p>
<p><br>
</p>
<p>I hope this pointer helps.</p>
<p><br>
</p>
<p>Kind regards,</p>
<p>Sven</p>
<p><br>
</p>
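<p>As an added example (not Sven's own configuration), the subjectRelation mechanism mentioned above expressed as an authorization inside a role: a user who holds the org with the org:manager relation may read and modify only users in that org and its descendants. The relation, the restricted action set and the item list are assumptions chosen to keep the delegation narrow.</p>

```xml
<!-- Constructed example of delegated administration via orgRelation/subjectRelation
     (not Sven's configuration). Assumed: the delegated admin is assigned the org
     subtree root with the org:manager relation. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      oid="ROLE-OID-PLACEHOLDER">
    <name>Subtree administrator</name>
    <authorization>
        <!-- Read and modify only; no delete, no assignment changes. -->
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <object>
            <type>UserType</type>
            <!-- A user is in scope only if it belongs to an org the subject
                 manages (subjectRelation) or to any org below it. -->
            <orgRelation>
                <subjectRelation>org:manager</subjectRelation>
                <scope>allDescendants</scope>
                <includeReferenceOrg>true</includeReferenceOrg>
            </orgRelation>
        </object>
        <!-- Limit the modify action to a few profile items (least privilege). -->
        <item>givenName</item>
        <item>familyName</item>
        <item>emailAddress</item>
    </authorization>
</role>
```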
<div class="moz-cite-prefix">On 01.09.23 at 17:45, David
Coutadeur via midPoint wrote:<br>
</div>
<blockquote type="cite"
cite="mid:4a914d90-6891-373e-86ac-8f208725ebc3@gmail.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p><br>
</p>
<p>Hello,</p>
<p><br>
</p>
<p>Thanks Arnošt for your help.<br>
</p>
<p><br>
</p>
<p>Actually, I am not sure the metarole is what I want, and I did
not find any tip in the documentation. (I have been searching
for associations, inducements, assignments, ...)<br>
</p>
<p><br>
</p>
<p>The documentation states that group membership defined by an
association like:</p>
<p><br>
</p>
<pre>
<association>
    <ref>ri:ldapGroup</ref>
    <displayName>Appartenance aux groupes</displayName>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
</association>
</pre>
<p><br>
</p>
<p><br>
</p>
<p>is only visible in projections.</p>
<p>It is not very convenient to view these groups in the midPoint
interface, and anyway it doesn't seem possible to manage group
membership there.</p>
<p><br>
</p>
<p>My use case is quite simple: I'd like to have objects in the
midPoint interface that represent my LDAP groups, and to be
able to manage them (including their membership).</p>
<p><br>
</p>
<pre>
LDAP user 1  <->  midpoint shadow account  <->  midpoint user
     ^                                               ^
     |                                               |
     v                                               v
LDAP group 1 <->  midpoint shadow group    <->  midpoint object (role?)
</pre>
<p><br>
</p>
<p><br>
</p>
<p>Does anyone have an idea how to achieve this? Maybe a role is not
the correct object?<br>
</p>
<p><br>
</p>
<p>Regards,</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 29/08/2023 at 13:47, Arnošt
Starosta wrote:<br>
</div>
<blockquote type="cite"
cite="mid:AS8P194MB13509AA8DE62DB41CF0F71F78EE7A@AS8P194MB1350.EURP194.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Hi David,</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted1"> Regarding LDAP group membership: you may be
missing the necessary association configuration typically
found in a metarole. Please check the docs, or even better some
examples in the sources, like this one:</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0"> <a
href="https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31"
id="LPlnk911040" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31</a><br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0"> <br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0"> arnost<br>
</div>
<div class="elementToProof">
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <br>
</div>
<div id="Signature">
<div>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> <span style="font-size: 10pt; font-family:
Arial; font-weight: 700; color: rgb(0, 0, 0);">Arnošt
Starosta</span><span style="font-size: 10pt;
font-family: Arial; color: rgb(0, 0, 0);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; color: rgb(128, 128, 128); background-color:
rgb(255, 255, 255);">solution architect<br>
</span></p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> </p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> <span style="font-size: 8.5pt; font-family:
Arial; color: rgb(0, 0, 0);">gsm: [+420] </span><span
style="font-size: 8.5pt; font-family: Arial; color:
rgb(0, 0, 0); background-color: rgb(255, 255, 255);">603
794 932</span><span style="font-size: 8.5pt;
font-family: Arial; color: rgb(0, 0, 0);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; color: rgb(0, 0, 0);">e-mail: </span><a
href="mailto:arnost.starosta@ami.cz"
title="mailto:arnost.starosta@ami.cz"
moz-do-not-send="true"><span style="font-size: 8.5pt;
font-family: Arial; text-decoration: underline;
text-decoration-skip-ink: none; color: rgb(182, 10,
37); background-color: rgb(255, 255, 255);">arnost.starosta@ami.cz</span></a></p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> <span style="font-size: 8.5pt; font-family:
Arial; color: rgb(0, 0, 0);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; font-weight: 700; color: rgb(0, 0, 0);">AMI
Praha a.s.</span><span style="font-size: 8.5pt;
font-family: Arial; color: rgb(0, 0, 0);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; color: rgb(0, 0, 0);">Pernerova 697/35, 186 00
Praha 8 </span></p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> </p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> <span style="font-size: 8.5pt; font-family:
Arial; color: rgb(0, 0, 0); background-color: rgb(255,
recepce:">
255, 255);">reception: [+420] 604 444 848 | web: </span><a
href="https://www.ami.cz/" moz-do-not-send="true"><span
style="font-size: 8.5pt; font-family: Arial;
text-decoration: underline;
text-decoration-skip-ink: none; color: rgb(182, 10,
37); background-color: rgb(255, 255, 255);">www.ami.cz</span></a><span
style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(0, 0, 0);"> </span></p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> </p>
<span style="font-size: 8.5pt; font-family: Arial; color:
rgb(170, 170, 170);">By the text of this e-mail the signatory
neither promises to conclude nor concludes any contract on behalf
of AMI Praha a.s. Any contract, if concluded, must be exclusively
in written form.<br>
<br>
This e-mail is intended solely for its addressee(s) and may contain
confidential or personal information. If you are not the intended
recipient, any disclosure, forwarding or other use of this
information is prohibited. If you have received this e-mail without
authorisation, please inform the sender and immediately delete all
copies of this e-mail including all its attachments. By handling
information obtained without authorisation you expose yourself to
the risk of legal action.</span><br>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
midPoint <a class="moz-txt-link-rfc2396E"
href="mailto:midpoint-bounces@lists.evolveum.com"
moz-do-not-send="true"><midpoint-bounces@lists.evolveum.com></a>
on behalf of David Coutadeur via midPoint <a
class="moz-txt-link-rfc2396E"
href="mailto:midpoint@lists.evolveum.com"
moz-do-not-send="true"><midpoint@lists.evolveum.com></a><br>
<b>Sent:</b> Monday, August 28, 2023 4:13 PM<br>
<b>To:</b> midPoint General Discussion <a
class="moz-txt-link-rfc2396E"
href="mailto:midpoint@lists.evolveum.com"
moz-do-not-send="true"><midpoint@lists.evolveum.com></a><br>
<b>Cc:</b> David Coutadeur <a class="moz-txt-link-rfc2396E"
href="mailto:david.coutadeur@gmail.com"
moz-do-not-send="true"><david.coutadeur@gmail.com></a><br>
<b>Subject:</b> [midPoint] Question about group membership
management in midpoint</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span
style="font-size:11pt;">
<div class="PlainText"><br>
Hello,<br>
<br>
I am working on an OpenLDAP integration with midPoint.<br>
<br>
It starts working, but I have two questions:<br>
<br>
<br>
1/ I have imported OpenLDAP groups into midPoint roles, but I
can't figure out how to manage role membership. I'd like to be
able to read/write role members in midPoint so that they are kept
synchronized in LDAP.<br>
<br>
You can see my openldap-resource definition attached.<br>
<br>
Please notice that LDAP group membership is already visible in
midPoint users. If I look at account shadows, I can observe shadow
group membership. But I can't manage the membership from there.<br>
<br>
Does anyone know how to do this? Is there a better approach for
managing group membership in midPoint?<br>
<br>
<br>
<br>
2/ Some LDAP users are not imported into midPoint when their names
are too close to those of existing users, for example when their
name contains a dash.<br>
<br>
I have understood that this is due to the comparison rule based on
the PolyString type. I have tried multiple rules:<br>
<br>
<q:path>name</q:path><br>
<q:matching>polyStringOrig</q:matching><br>
<br>
but I can't find any that compares the strings directly, without
normalization. Do you know what I have missed?<br>
<br>
<br>
Also, the openldap-resource I am working on is more complete than
those in the docs. Would you be interested in including it? Do you
accept contributions?<br>
<br>
<br>
Thanks in advance for your help!<br>
<br>
Regards,<br>
<br>
-- <br>
David Coutadeur | IAM integrator<br>
<br>
<a class="moz-txt-link-abbreviated
moz-txt-link-freetext"
href="mailto:david.coutadeur@worteks.com"
moz-do-not-send="true">david.coutadeur@worteks.com</a><br>
+33 7 88 46 85 34<br>
16 avenue Hoche, Paris 75008<br>
<br>
Worteks | <a href="https://www.worteks.com"
moz-do-not-send="true" class="moz-txt-link-freetext">https://www.worteks.com</a><br>
</div>
</span></font></div>
</blockquote>
<pre class="moz-signature" cols="72">--
David Coutadeur | IAM integrator
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:david.coutadeur@worteks.com" moz-do-not-send="true">david.coutadeur@worteks.com</a>
+33 7 88 46 85 34
16 avenue Hoche, Paris 75008
Worteks | <a class="moz-txt-link-freetext" href="https://www.worteks.com" moz-do-not-send="true">https://www.worteks.com</a></pre>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Sven Feyerabend
IT Support Officer
stuvus – Studierendenvertretung Universität Stuttgart
Pfaffenwaldring 5c
70569 Stuttgart</pre>
</body>
</html>