<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<p>Hello,</p>
<p><br>
</p>
<p>Thanks again for your help. With your pointers, I have
successfully managed my members and roles from midpoint.<br>
</p>
<p><br>
</p>
<p>For information, I had to do this:<br>
</p>
<p><br>
</p>
<p>- import the metarole here:
<a class="moz-txt-link-freetext" href="https://github.com/Evolveum/midpoint-samples/blob/master/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml">https://github.com/Evolveum/midpoint-samples/blob/master/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml</a></p>
<p><br>
</p>
<p>- import the following object template:</p>
<p><br>
</p>
<pre><objectTemplate oid="10000000-0000-0000-0000-000000000241"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
        xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">

    <name>Role template</name>

    <mapping>
        <name>metarole automatic assignment</name>
        <authoritative>true</authoritative>
        <strength>strong</strength>
        <!--<source>
            <path>subType</path>
        </source>-->
        <expression>
            <value>
                <targetRef oid="1568ec1e-36cc-11e6-a052-3c970e44b9e2" type="RoleType"/>
            </value>
        </expression>
        <target>
            <path>assignment</path>
        </target>
        <!--<condition>
            <script>
                <code>subType == 'subtype'</code>
            </script>
        </condition>-->
    </mapping>
</objectTemplate></pre>
<p><br>
</p>
<p><br>
</p>
<p>- reference the object template in the global system
configuration:<br>
</p>
<p><br>
</p>
<pre><defaultObjectPolicyConfiguration>
    <objectTemplateRef oid="10000000-0000-0000-0000-000000000241" type="c:ObjectTemplateType">
    </objectTemplateRef>
    <type>c:RoleType</type>
</defaultObjectPolicyConfiguration></pre>
<p><br>
</p>
<p><br>
</p>
<p>There is still a major problem: when synchronizing from OpenLDAP
to midpoint, the members are neither created nor updated in the
roles.<br>
</p>
<p><br>
</p>
<p>Do you have an idea why this is not synchronized?</p>
<p>Thanks in advance.<br>
</p>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Regards,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">David</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Le 01/09/2023 à 18:28, Sven Feyerabend
via midPoint a écrit :<br>
</div>
<blockquote type="cite"
cite="mid:acc69642-54bf-4b52-8d7b-a467268b6b65@stuvus.uni-stuttgart.de">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Hello David,</p>
<p><br>
</p>
<p>Groups in an LDAP directory are usually projections of midPoint
roles.<br>
For a more detailed explanation of the finer points see this
blog post: <br>
<a class="moz-txt-link-freetext"
href="https://evolveum.com/simplifying-ldap-group-management-using-midpoint/"
moz-do-not-send="true">https://evolveum.com/simplifying-ldap-group-management-using-midpoint/</a></p>
<p><br>
</p>
<p>Usually you have some meta-role(s) that define the nature of
the desired projections, then you can manage membership to those
groups via role membership in midPoint. The metarole is assigned
to all roles that should be present in your directory and
defines the properties of the assignment to the resource.<br>
</p>
<p><br>
</p>
<p>I noticed that you have a directory with the gosa schema. As I
am currently in the process of migrating from gosa to a midPoint
based system, here is another hint:<br>
To preserve the delegated administration provided by gosa, I
used orgs to model subtrees and some RBAC configuration with
roles to allow delegated administration. This is achieved by
using the subjectRelation mechanism in the object definition of
an authorization for a role.<br>
</p>
<p><br>
</p>
<p>I hope this pointer helps.</p>
<p><br>
</p>
<p>Kind regards,</p>
<p>Sven</p>
<p><br>
</p>
<div class="moz-cite-prefix">Am 01.09.23 um 17:45 schrieb David
Coutadeur via midPoint:<br>
</div>
<blockquote type="cite"
cite="mid:4a914d90-6891-373e-86ac-8f208725ebc3@gmail.com">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<p><br>
</p>
<p>Hello,</p>
<p><br>
</p>
<p>Thanks Arnošt for your help.<br>
</p>
<p><br>
</p>
<p>Actually, I am not sure the metarole is what I want, and did
not find any tip in the documentation. (I have been searching
for associations, inducements, assignments,...)<br>
</p>
<p><br>
</p>
<p>The documentation states that group membership defined by an
association like:</p>
<p><br>
</p>
<pre><association>
    <ref>ri:ldapGroup</ref>
    <displayName>Appartenance aux groupes</displayName>
    <kind>entitlement</kind>
    <intent>ldapGroup</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
</association></pre>
<p><br>
</p>
<p><br>
</p>
<p>is only visible in projections.</p>
<p>It is not very convenient to view these groups in the
midpoint interface. And anyway it doesn't seem possible to
manage group membership there.</p>
<p><br>
</p>
<p>My use case is quite simple: I'd like to have objects in the
midpoint interface that represent my LDAP groups, and to be
able to manage them (including their membership).</p>
<p><br>
</p>
<pre>LDAP user 1  <->  midpoint shadow account  <->  midpoint user
    ^                                               ^
    |                                               |
    v                                               v
LDAP group 1 <->  midpoint shadow group    <->  midpoint object (role?)</pre>
<p><br>
</p>
<p><br>
</p>
<p>Does anyone have an idea how to achieve this? Maybe role is
not the correct object?<br>
</p>
<p><br>
</p>
<p>Regards,</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">Le 29/08/2023 à 13:47, Arnošt
Starosta a écrit :<br>
</div>
<blockquote type="cite"
cite="mid:AS8P194MB13509AA8DE62DB41CF0F71F78EE7A@AS8P194MB1350.EURP194.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"
class="elementToProof"> Hi David,</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"
class="elementToProof"> <br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted1"> regarding ldap group membership - you may
be missing the necessary association configuration typically
found in a metarole, please check the docs or even better
some examples in the sources like this one</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"
class="elementToProof"> <br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0"> <a
href="https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31"
id="LPlnk911040" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/Evolveum/midpoint-samples/blob/dde679a9757e2f74e3761fa0feaf82ac11f1310e/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml#L31</a><br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0"> <br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof
ContentPasted0"> arnost<br>
</div>
<div class="elementToProof">
<div style="font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);"> <br>
</div>
<div id="Signature">
<div>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> <span style="font-size: 10pt; font-family:
Arial; font-weight: 700; color: rgb(0, 0, 0);">Arnošt
Starosta</span><span style="font-size: 10pt;
font-family: Arial; color: rgb(0, 0, 0);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; color: rgb(128, 128, 128); background-color:
rgb(255, 255, 255);">solution architect<br>
</span></p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> </p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> <span style="font-size: 8.5pt; font-family:
Arial; color: rgb(0, 0, 0);">gsm: [+420] </span><span
style="font-size: 8.5pt; font-family: Arial; color:
rgb(0, 0, 0); background-color: rgb(255, 255, 255);">603
794 932</span><span style="font-size: 8.5pt;
font-family: Arial; color: rgb(0, 0, 0);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; color: rgb(0, 0, 0);">e-mail: </span><a
href="mailto:arnost.starosta@ami.cz"
title="mailto:arnost.starosta@ami.cz"
moz-do-not-send="true"><span style="font-size:
8.5pt; font-family: Arial; text-decoration:
underline; text-decoration-skip-ink: none; color:
rgb(182, 10, 37); background-color: rgb(255, 255,
255);">arnost.starosta@ami.cz</span></a></p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> <span style="font-size: 8.5pt; font-family:
Arial; color: rgb(0, 0, 0);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; font-weight: 700; color: rgb(0, 0, 0);">AMI
Praha a.s.</span><span style="font-size: 8.5pt;
font-family: Arial; color: rgb(0, 0, 0);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; color: rgb(0, 0, 0);">Pernerova 697/35, 186
00 Praha 8 </span></p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> </p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> <span style="font-size: 8.5pt; font-family:
Arial; color: rgb(0, 0, 0); background-color:
rgb(255, 255, 255);">recepce: [+420] 604 444 848 |
web: </span><a href="https://www.ami.cz/"
moz-do-not-send="true"><span style="font-size:
8.5pt; font-family: Arial; text-decoration:
underline; text-decoration-skip-ink: none; color:
rgb(182, 10, 37); background-color: rgb(255, 255,
255);">www.ami.cz</span></a><span
style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(0, 0, 0);"> </span></p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> </p>
<p dir="ltr" style="line-height: 1.2; margin-top: 0pt;
margin-bottom: 0pt; background-color: rgb(255, 255,
255);"> <span style="font-size: 10pt; font-family:
Arial; color: rgb(0, 0, 0);"><span
style="border:none;display:inline-block;overflow:hidden;width:104px;height:40px"><img
style="margin-top:0px"
src="https://lh6.googleusercontent.com/7g_5fgbXMZ1ZrwCuYbH2_TsgaiZgnYwQ5dn6yNvHftbIvoJ9ZSUgStI4w_rsNz5aS6A3xSylReE54KqqzOIUFIntFF83Mp9Bled966ePlyJM7PSW37Fme_Ml5rCID2aP_OSx601ueEYa93nD_4ELU8QKiyGfXcHpY9yu83b-NTqZZl8cOiW86cY4lH09sG_-RjHudg"
moz-do-not-send="true" width="104" height="40"></span></span><span
style="font-size: 7.5pt; font-family: Verdana;
color: rgb(0, 0, 0);"> </span></p>
<span style="font-size: 8.5pt; font-family: Arial;
color: rgb(170, 170, 170);">Textem tohoto e-mailu
podepisující neslibuje uzavřít ani neuzavírá
za společnost AMI Praha a.s.</span><span
style="font-size: 8.5pt; font-family: Arial; color:
rgb(170, 170, 170);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; color: rgb(170, 170, 170);">jakoukoliv smlouvu.
Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.</span><span style="font-size: 8.5pt;
font-family: Arial; color: rgb(170, 170, 170);"><br>
</span><span style="font-size: 4.5pt; font-family:
Arial; color: rgb(170, 170, 170);"> </span><span
style="font-size: 8.5pt; font-family: Arial; color:
rgb(170, 170, 170);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; color: rgb(170, 170, 170);">Tento e-mail
je určen výhradně pro potřeby jeho adresáta/ů a může
obsahovat důvěrné nebo osobní</span><span
style="font-size: 8.5pt; font-family: Arial; color:
rgb(170, 170, 170);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; color: rgb(170, 170, 170);">informace.
Nejste-li zamýšleným příjemcem, je zakázáno jakékoliv
zveřejňování, zprostředkování</span><span
style="font-size: 8.5pt; font-family: Arial; color:
rgb(170, 170, 170);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; color: rgb(170, 170, 170);">nebo jiné použití
těchto informací. Pokud jste obdrželi e-mail
neoprávněně, informujte o tom prosím</span><span
style="font-size: 8.5pt; font-family: Arial; color:
rgb(170, 170, 170);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; color: rgb(170, 170, 170);">odesílatele
a vymažte neprodleně všechny kopie tohoto e-mailu
včetně všech jeho příloh. Nakládáním</span><span
style="font-size: 8.5pt; font-family: Arial; color:
rgb(170, 170, 170);"><br>
</span><span style="font-size: 8.5pt; font-family:
Arial; color: rgb(170, 170, 170);">s neoprávněně
získanými informacemi se vystavujete riziku právního
postihu.</span><br>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
midPoint <a class="moz-txt-link-rfc2396E"
href="mailto:midpoint-bounces@lists.evolveum.com"
moz-do-not-send="true"><midpoint-bounces@lists.evolveum.com></a>
on behalf of David Coutadeur via midPoint <a
class="moz-txt-link-rfc2396E"
href="mailto:midpoint@lists.evolveum.com"
moz-do-not-send="true"><midpoint@lists.evolveum.com></a><br>
<b>Sent:</b> Monday, August 28, 2023 4:13 PM<br>
<b>To:</b> midPoint General Discussion <a
class="moz-txt-link-rfc2396E"
href="mailto:midpoint@lists.evolveum.com"
moz-do-not-send="true"><midpoint@lists.evolveum.com></a><br>
<b>Cc:</b> David Coutadeur <a
class="moz-txt-link-rfc2396E"
href="mailto:david.coutadeur@gmail.com"
moz-do-not-send="true"><david.coutadeur@gmail.com></a><br>
<b>Subject:</b> [midPoint] Question about group membership
management in midpoint</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span
style="font-size:11pt;">
<div class="PlainText"><br>
Hello,<br>
<br>
I am working on an Openldap integration with midpoint.<br>
<br>
It starts working, but I have two questions:<br>
<br>
<br>
1/ I have imported OpenLDAP groups into midpoint
roles. But I can't <br>
figure out how to manage role membership. I'd like to
be able to <br>
read/write role members in midpoint so that they keep
synchronized in LDAP.<br>
<br>
You can see my openldap-resource definition attached.<br>
<br>
Please notice that LDAP group membership is already
visible in midpoint <br>
users. If I look at account shadows, I can observe
shadow group <br>
membership. But I can't manage the membership from
here.<br>
<br>
Does anyone know how to do this? Is there a better
approach for managing <br>
group membership in midpoint?<br>
<br>
<br>
<br>
2/ some LDAP users are not imported in midpoint when
their names are too <br>
close to existing users. For example when their names
contain a dash.<br>
<br>
I have understood that this is due to the comparison
rule based on <br>
PolyString type. I have tried multiple rules:<br>
<br>
<q:path>name</q:path><br>
<q:matching>polyStringOrig</q:matching><br>
<br>
but I can't find any one that compares directly the
strings, without <br>
normalization. Do you know what I have missed?<br>
<br>
<br>
Also, the openldap-resource I am working on is more
complete than those <br>
in the docs. Would you be interested in including it?
Do you accept <br>
contributions?<br>
<br>
<br>
Thanks in advance for your help!<br>
<br>
Regards,<br>
<br>
-- <br>
David Coutadeur | IAM integrator<br>
<br>
<a class="moz-txt-link-abbreviated
moz-txt-link-freetext"
href="mailto:david.coutadeur@worteks.com"
moz-do-not-send="true">david.coutadeur@worteks.com</a><br>
+33 7 88 46 85 34<br>
16 avenue Hoche, Paris 75008<br>
<br>
Worteks | <a href="https://www.worteks.com"
moz-do-not-send="true" class="moz-txt-link-freetext">https://www.worteks.com</a><br>
</div>
</span></font></div>
</blockquote>
<pre class="moz-signature" cols="72">--
David Coutadeur | IAM integrator
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:david.coutadeur@worteks.com" moz-do-not-send="true">david.coutadeur@worteks.com</a>
+33 7 88 46 85 34
16 avenue Hoche, Paris 75008
Worteks | <a class="moz-txt-link-freetext" href="https://www.worteks.com" moz-do-not-send="true">https://www.worteks.com</a></pre>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:midPoint@lists.evolveum.com" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint" moz-do-not-send="true">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Sven Feyerabend
IT Support Officer
stuvus – Studierendenvertretung Universität Stuttgart
Pfaffenwaldring 5c
70569 Stuttgart</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
David Coutadeur | IAM integrator
<a class="moz-txt-link-abbreviated" href="mailto:david.coutadeur@worteks.com">david.coutadeur@worteks.com</a>
+33 7 88 46 85 34
16 avenue Hoche, Paris 75008
Worteks | <a class="moz-txt-link-freetext" href="https://www.worteks.com">https://www.worteks.com</a></pre>
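<p>The second question in David's original message (LDAP users whose names contain a dash are not imported because they are "too close" to an existing user) is a normalization collision: two distinct directory entries map to one normalized name, and the import treats the second as a duplicate of the first. Beyond being an import nuisance, an identity manager that silently merges two directory identities into one user is a correlation error worth catching before the import runs. The script below is an added example, not midPoint code or part of this thread. Its normalize() function is an approximation (an assumption, not midPoint's actual implementation) of a default alphanumeric PolyString normalization: decompose, drop diacritics, drop every character that is not a letter, digit or space, collapse whitespace, lowercase. The uid values are constructed.</p>

```python
"""Pre-import collision check for names that differ only by punctuation or
accents.  Added example, not midPoint code.  normalize() approximates
(assumption) a default alphanumeric PolyString normalization; midPoint's
own normalizer may differ in details such as whitespace handling."""
import re
import unicodedata
from collections import defaultdict


def normalize(name):
    """Approximate midPoint's default PolyString norm (assumption, see above)."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    alnum = re.sub(r"[^A-Za-z0-9\s]", "", no_marks)  # a dash or dot simply vanishes
    return re.sub(r"\s+", " ", alnum).strip().lower()


def find_collisions(names):
    """Group distinct original names that share one normalized form.

    Returns {norm: [original names...]} for every norm hit by two or more
    distinct inputs; an empty dict means the import is collision-free under
    this normalizer.
    """
    groups = defaultdict(list)
    for name in names:
        norm = normalize(name)
        if name not in groups[norm]:
            groups[norm].append(name)
    return {norm: originals for norm, originals in groups.items() if len(originals) > 1}


# Constructed sample of LDAP uid values; the dash and accent variants are the
# kind of entries the message reports as not being imported.
SAMPLE_UIDS = ["jdupont", "j-dupont", "J.Dupont", "jose.garcia", "josé-garcía", "mkowalski"]

if __name__ == "__main__":
    for norm, originals in find_collisions(SAMPLE_UIDS).items():
        print(f"{norm!r} <- {originals}")
```

<p>On the constructed sample the check reports two collision groups, "jdupont" (three spellings) and "josegarcia" (two). The list is the input for the decision David was facing: either make correlation compare the original string (the polyStringOrig matching he tried) or pick a normalization that keeps the distinguishing characters, but in both cases the colliding entries should be reviewed by hand, because an exact-match rule only prevents the merge; it does not tell you which of the entries is the legitimate account.</p>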
</body>
</html>