<div dir="ltr">Dear Alcides,<div><br></div>
<div>If you haven't solved the issue yet, here is a hint that may solve the problem (works for Midpoint 4.1; I could not reproduce it in Midpoint 4.8 yet):</div>
<div><br></div><div><br></div>
<div><i> <association id="400"><br>
  <c:ref xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">ri:ldapGroups</c:ref><br>
  <displayName>LDAP Group Membership</displayName><br>
  <tolerant>true</tolerant><br>
  <exclusiveStrong>true</exclusiveStrong><br>
  <inbound id="401"><br>
    <authoritative>true</authoritative><br>
    <exclusive>false</exclusive><br>
    <strength>strong</strength><br>
    <expression><br>
      <assignmentTargetSearch xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xsi:type="c:AssignmentTargetSearchExpressionEvaluatorType"><br>
        <targetType>RoleType</targetType><br>
        <filter><br>
          <q:equal><br>
            <q:path>name</q:path><br>
            <expression><br>
              <script><br>
                <code><br>
                  return basic.getAttributeValue(entitlement, 'cn')<br>
                </code><br>
              </script><br>
            </expression><br>
          </q:equal><br>
        </filter><br>
        <createOnDemand>true</createOnDemand><br>
        <populateObject><br>
          <populateItem><br>
            <expression><br>
              <script xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType"><br>
                <code><br>
                  return basic.getAttributeValue(entitlement, 'cn')<br><br>
                </code><br>
              </script><br>
            </expression><br>
            <target><br>
              <c:path>name</c:path><br>
            </target><br>
          </populateItem><br>
          <populateItem><br>
            <expression><br>
              <script xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType"><br>
                <code><br>
                  return 'Grupo do AD'<br><br>
                </code><br>
              </script><br>
            </expression><br>
            <target><br>
              <c:path>subtype</c:path><br>
            </target><br>
          </populateItem><br>
          <populateItem><br>
            <expression><br>
              <assignmentTargetSearch xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:AssignmentTargetSearchExpressionEvaluatorType"><br>
                <targetType>c:RoleType</targetType><br>
                <filter><br>
                  <q:equal><br>
                    <q:path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:name</q:path><br>
                    <expression><br>
                      <value>AD - grupos (metarole)</value><br>
                    </expression><br>
                  </q:equal><br>
                </filter><br>
              </assignmentTargetSearch><br>
            </expression><br>
            <target><br>
              <c:path>assignment</c:path><br>
            </target><br>
          </populateItem><br>
        </populateObject><br>
        <assignmentProperties xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:AssignmentPropertiesSpecificationType"/><br>
      </assignmentTargetSearch><br>
    </expression><br>
    <target><br>
      <c:path>assignment</c:path><br>
    </target><br>
  </inbound><br>
  <kind>entitlement</kind><br>
  <intent>GrupoAD</intent><br>
  <direction>objectToSubject</direction><br>
  <associationAttribute>ri:member</associationAttribute><br>
  <valueAttribute>ri:dn</valueAttribute><br>
  <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute><br>
  <shortcutValueAttribute>ri:dn</shortcutValueAttribute><br>
  <explicitReferentialIntegrity>true</explicitReferentialIntegrity><br>
 </association></i><br></div></div><br>
<div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 6, 2023 at 19:22, Alcides Moraes via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> wrote:<br></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;">Following up on this, I'm still not able to createOnDemand with associationTargetSearch.<div><br></div>
<div>So I decided to replace this with an assignmentTargetSearch with createOnDemand role in midPoint that maps to the group in AD.</div>
<div>But doing this, I faced another problem.</div>
<div><br></div>
<div>This assignment is created in an inbound mapping from another resource, so it’s a secondary change.</div>
<div>Doing this, the association to the AD group is not done until I recompute the user again.</div>
<div>This wouldn’t be such a problem if the assignment removal worked, however it does not.</div>
<div>If the inbound mapping removes this assignment, the group association is not removed, even after recomputing.</div>
<div><br></div>
<div>If the assignment is created and removed manually directly in midpoint, it works fine.</div>
<div><br></div>
<div>Here’s what I’m trying to achieve:</div>
<div><br></div>
<div>Inbound mapping from Resource A creates user assignment to a role, with some context value on it</div>
<div><br></div>
<div>User —context:999—> Role R</div>
<div><br></div>
<div>I want this to map to an AD group R_999</div>
<div><br></div>
<div>so first I tried with associationTargetSearch and createOnDemand , could not make it work.</div>
<div>(context values are not fixed, I need to create on demand)</div>
<div><br></div>
<div>So I tried 
this</div>
<div><br></div>
<div>User —context:999 —> Role R —> focusMapping assignmentTargetSearch createOnDemand —> Role R_999 —> AD group R_999</div>
<div><div><br></div>
<div>This does not ‘finish’, it stops at Role R_999 creation and assignment, but the association is not made. I guess it’s too long a chain of events for midpoint.</div>
<div>Since the context is dynamic, I cannot create the groups beforehand. </div>
<div>Is there a better way to achieve this?</div>
<div><br></div><div><br></div>
<div>Thanks in advance for any help on this</div>
<div><br><blockquote type="cite"><div>On Feb 27, 2023, at 20:43, Alcides Moraes <<a href="mailto:alcides.neto@gmail.com" target="_blank">alcides.neto@gmail.com</a>> wrote:</div><br>
<div><div style="overflow-wrap: break-word;">Hello list,<div><br></div>
<div>I’m attempting to use createOnDemand with associationTargetSearch with Active Directory groups, is this possible?</div>
<div>I have not seen any example or documentation on this.</div>
<div><br></div>
<div>The associationTargetSearch works if the group exists, but I cannot seem to create a group with createOnDemand.</div>
<div>I’ve created roles with createOnDemand with no problem, but since this is a resource object, is this supported? According to the schema, it should.</div>
<div><br></div>
<div>I’m getting this error, there is a single populateItem trying to write to the DN attribute:</div>
<div><br></div>
<div><b>Error evaluating mapping for association {.../resource/instance-3}group
in construction for
(resource:xxxx(AD)/ACCOUNT/default/null)
in role:xxx(Metarole): No target item that would conform to the path
attributes/dn in expression in mapping in outbound mapping for
association</b></div><div><b><br></b></div><div>I have tried “dn”, “ri:dn”, “attributes/ri:dn” on the <path> element, none of them worked.</div><div><br></div><div>My code:</div><div><associationTargetSearch><br> <filter><br> <q:equal><br> <q:path>attributes/ri:dn</q:path><br> <expression><br> <script><br> <code><br> // my logic here<br> </code><br> </script><br> </expression><br> </q:equal><br> </filter><br> <searchStrategy>onResourceIfNeeded</searchStrategy><br> <createOnDemand>true</createOnDemand><br> <populateObject><br> <populateItem><br> <expression><br> <script><br> <code><br> // my logic here<br> </code><br> </script><br> </expression><br> <target><br> <path>attributes/dn</path><br> </target><br> </populateItem><br> </populateObject><br></associationTargetSearch></div><div><br></div><div><br></div></div></div></blockquote></div><br></div></div>_______________________________________________<br>
</blockquote></div>