<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello,</p>
<p>I was in the exact same situation some weeks ago.</p>
<p><br>
</p>
<p>Here is the explanation I have received:<br>
</p>
<p>Groups in an LDAP directory are usually projections of midPoint
roles.<br>
For a more detailed explanation of the finer points, see this blog
post: <br>
<a class="moz-txt-link-freetext"
href="https://evolveum.com/simplifying-ldap-group-management-using-midpoint/">https://evolveum.com/simplifying-ldap-group-management-using-midpoint/</a><br>
</p>
<p>Usually you have some meta-role(s) that define the nature of the
desired projections; you can then manage membership of those
groups via role membership in midPoint. The metarole is assigned
to all roles that should be present in your directory and defines
the properties of the assignment to the resource.<br>
</p>
<p>And here is what I have done:</p>
<p><br>
</p>
<p>- import the metarole here:
<a class="moz-txt-link-freetext"
href="https://github.com/Evolveum/midpoint-samples/blob/master/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml">https://github.com/Evolveum/midpoint-samples/blob/master/samples/stories/unix-ldap/roles/role-meta-ldapgroup.xml</a></p>
<p><br>
</p>
<p>- import the following object template:</p>
<p><br>
</p>
<pre>&lt;objectTemplate oid="10000000-0000-0000-0000-000000000241"
    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
    xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
    xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
    xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
    xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext"&gt;

  &lt;name&gt;Role template&lt;/name&gt;

  &lt;mapping&gt;
    &lt;name&gt;metarole automatic assignment&lt;/name&gt;
    &lt;authoritative&gt;true&lt;/authoritative&gt;
    &lt;strength&gt;strong&lt;/strength&gt;
    &lt;!--&lt;source&gt;
      &lt;path&gt;subType&lt;/path&gt;
    &lt;/source&gt;--&gt;
    &lt;expression&gt;
      &lt;value&gt;
        &lt;targetRef oid="1568ec1e-36cc-11e6-a052-3c970e44b9e2" type="RoleType"/&gt;
      &lt;/value&gt;
    &lt;/expression&gt;
    &lt;target&gt;
      &lt;path&gt;assignment&lt;/path&gt;
    &lt;/target&gt;
    &lt;!--&lt;condition&gt;
      &lt;script&gt;
        &lt;code&gt;subType == 'subtype'&lt;/code&gt;
      &lt;/script&gt;
    &lt;/condition&gt;--&gt;
  &lt;/mapping&gt;
&lt;/objectTemplate&gt;</pre>
<p><br>
</p>
<p><br>
</p>
<p>- reference the object template in the global system
configuration:<br>
</p>
<p><br>
</p>
<pre>&lt;defaultObjectPolicyConfiguration&gt;
  &lt;objectTemplateRef oid="10000000-0000-0000-0000-000000000241" type="c:ObjectTemplateType"&gt;
  &lt;/objectTemplateRef&gt;
  &lt;type&gt;c:RoleType&lt;/type&gt;
&lt;/defaultObjectPolicyConfiguration&gt;</pre>
<p>Regards,</p>
<p><br>
</p>
<div class="moz-cite-prefix">Le 11/09/2023 à 09:46, Markus Calmius
via midPoint a écrit :<br>
</div>
<blockquote type="cite"
cite="mid:z0Mhk3vCKenclHdcKc9rKRVRs58ZtVPm7J9bbx9bK7U2aEORimvJYcVpfvzbmKXtWsxvcOV4FfdQB2d_M9E88M0UVxCvctmgFEyvejCn_X0=@proton.ch">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div style="font-family: Arial, sans-serif; font-size: 14px;">Hi,</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">I'm
trying to figure out how to best integrate an existing LDAP
server that contains users and groups. The users are not a
difficult problem to solve, but the groups, and mainly the
group membership, eat up quite some time for me.</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">To
be fair, I am quite new to midPoint (although I have taken the
fundamentals training), and I am still wrapping my head around
everything.</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">What
I want to achieve, in the long run, is for midPoint to be the
authoritative source for the LDAP directory, but before getting
there, I need to import everything.</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">Using
various pages from the mailing list and docs.evolveum.com I have
managed to import all groups as roles, which is the first step I
guess, but since the midPoint Role doesn't contain "members" I
got a bit stuck. The problem with searching things online is
that there isn't a "best before" note on the information you
find, so sometimes the information is old and dated.</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">So,
I basically have two questions:</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">
<ol>
<li><span>is there a better way to do this?</span></li>
<li><span>if not, how do I also get the midPoint roles to
include the LDAP group membership?</span></li>
</ol>
<div><span><br>
</span></div>
<div><span>If you can point me in the right direction I will
much appreciate it.</span></div>
</div>
<div style="font-family: Arial, sans-serif; font-size: 14px;"> </div>
<div style="font-family: Arial, sans-serif; font-size: 14px;">Thanks
in advance!</div>
<div class="protonmail_signature_block" style="font-family: Arial,
sans-serif; font-size: 14px;">
<div class="protonmail_signature_block-user"> Markus Calmius<br>
<br>
</div>
<div class="protonmail_signature_block-proton
protonmail_signature_block-empty"> </div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
David Coutadeur | IAM integrator
<a class="moz-txt-link-abbreviated" href="mailto:david.coutadeur@worteks.com">david.coutadeur@worteks.com</a>
+33 7 88 46 85 34
16 avenue Hoche, Paris 75008
Worteks | <a class="moz-txt-link-freetext" href="https://www.worteks.com">https://www.worteks.com</a></pre>
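<p>The three steps in the reply above (import the metarole, import the object template, point the RoleType default policy at that template) only work when the references line up: the policy entry must carry the template's OID, and the template's mapping must target <code>assignment</code> with a <code>targetRef</code> to the metarole. The script below is an added example, not code from the thread or from midPoint; it parses constructed copies of the two XML fragments from the reply (same OIDs, auto-links stripped, the policy entry wrapped in the <code>systemConfiguration</code> root it lives under) and checks that wiring before import. It also reports assignment mappings that have no <code>&lt;condition&gt;</code>: with the <code>subType</code> condition commented out as in the reply, the mapping assigns the metarole to every role, so every role gets projected as an LDAP group. Element names and OIDs are the page's; the check logic is this example's own.</p>

```python
"""Pre-import sanity check for the midPoint object-template wiring shown above.

Example code, not part of the mailing-list thread or of midPoint. The two
XML strings are constructed here from the snippets in the reply.
"""
import re
import xml.etree.ElementTree as ET

C_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": C_NS}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed copy of the object template from the reply (XML comments dropped).
TEMPLATE_XML = """<objectTemplate oid="10000000-0000-0000-0000-000000000241"
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Role template</name>
  <mapping>
    <name>metarole automatic assignment</name>
    <authoritative>true</authoritative>
    <strength>strong</strength>
    <expression>
      <value>
        <targetRef oid="1568ec1e-36cc-11e6-a052-3c970e44b9e2" type="RoleType"/>
      </value>
    </expression>
    <target><path>assignment</path></target>
  </mapping>
</objectTemplate>"""

# Constructed: the policy entry from the reply, wrapped in its systemConfiguration root.
POLICY_XML = """<systemConfiguration
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <defaultObjectPolicyConfiguration>
    <objectTemplateRef oid="10000000-0000-0000-0000-000000000241" type="c:ObjectTemplateType"/>
    <type>c:RoleType</type>
  </defaultObjectPolicyConfiguration>
</systemConfiguration>"""


def _local(qname):
    """Strip a 'c:' style prefix from a QName given as element text or attribute."""
    return (qname or "").strip().split(":")[-1]


def assignment_mappings(template_root):
    """Mappings whose target path is 'assignment', i.e. the ones that grant roles."""
    result = []
    for mapping in template_root.findall("c:mapping", NS):
        path = mapping.find("c:target/c:path", NS)
        if path is not None and (path.text or "").strip() == "assignment":
            result.append(mapping)
    return result


def check_wiring(template_xml, policy_xml):
    """Return a list of problems; an empty list means the wiring is consistent."""
    errors = []
    template = ET.fromstring(template_xml)
    policy = ET.fromstring(policy_xml)

    template_oid = template.get("oid", "")
    if not UUID_RE.match(template_oid):
        errors.append(f"template oid {template_oid!r} is not a UUID")

    # Roles only pick up the mapping if this template is the default one for RoleType.
    role_entries = [
        e for e in policy.findall("c:defaultObjectPolicyConfiguration", NS)
        if _local(e.findtext("c:type", default="", namespaces=NS)) == "RoleType"
    ]
    if not role_entries:
        errors.append("no defaultObjectPolicyConfiguration entry for RoleType")
    for entry in role_entries:
        ref = entry.find("c:objectTemplateRef", NS)
        if ref is None or ref.get("oid") != template_oid:
            errors.append("RoleType policy does not reference the template oid")
        elif _local(ref.get("type")) != "ObjectTemplateType":
            errors.append("objectTemplateRef type is not ObjectTemplateType")

    mappings = assignment_mappings(template)
    if not mappings:
        errors.append("template has no mapping targeting 'assignment'")
    for mapping in mappings:
        target_ref = mapping.find("c:expression/c:value/c:targetRef", NS)
        if target_ref is None:
            errors.append("assignment mapping carries no targetRef value")
            continue
        if _local(target_ref.get("type")) != "RoleType":
            errors.append("assignment targetRef does not point at a RoleType (metarole)")
        if not UUID_RE.match(target_ref.get("oid", "")):
            errors.append(f"metarole oid {target_ref.get('oid')!r} is not a UUID")
    return errors


def unconditional_assignments(template_xml):
    """Names of assignment mappings without a <condition>: these fire for every role."""
    template = ET.fromstring(template_xml)
    return [
        m.findtext("c:name", default="", namespaces=NS)
        for m in assignment_mappings(template)
        if m.find("c:condition", NS) is None
    ]


if __name__ == "__main__":
    problems = check_wiring(TEMPLATE_XML, POLICY_XML)
    print("wiring OK" if not problems else "\n".join(problems))
    for name in unconditional_assignments(TEMPLATE_XML):
        print(f"note: mapping '{name}' has no condition, so every role gets the metarole")
```

<p>Run it against the exported objects before importing them; a non-empty result from <code>check_wiring</code> means roles will silently not receive the metarole, while a name listed by <code>unconditional_assignments</code> means the metarole is applied to all roles, which is the behaviour of the template as posted and is worth a deliberate decision in a directory that also holds privileged roles.</p>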
</body>
</html>