<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Hi Carlos,</div><div><br data-mce-bogus="1"></div><div> <!--StartFragment-->We recommend turning off explicitReferentialIntegrity for associations with groups. Please see related documentation <a href="https://docs.evolveum.com/connectors/resources/active-directory/group-synchronization-howto/">https://docs.evolveum.com/connectors/resources/active-directory/group-synchronization-howto/</a> and <a href="https://docs.evolveum.com/connectors/resources/active-directory/active-directory-ldap/">https://docs.evolveum.com/connectors/resources/active-directory/active-directory-ldap/</a> .<!--EndFragment--></div><div><br data-mce-bogus="1"></div><div data-marker="__SIG_PRE__"><div>Best regards</div><div><br></div><div>Lubomir Marton</div><div><br></div></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"midPoint General Discussion" <midpoint@lists.evolveum.com><br><b>To: </b>"midPoint General Discussion" <midpoint@lists.evolveum.com><br><b>Cc: </b>"Carlos Ferreira" <carlos18619@gmail.com><br><b>Sent: </b>Thursday, April 25, 2024 6:33:11 PM<br><b>Subject: </b>[midPoint] Active Directory + associations - different behavior between Midpoint 4.8 and Midpoint 4.1<br></div><br><div data-marker="__QUOTED_TEXT__"><div dir="ltr">Hi everyone,<br><br><br>Here is a snippet of a resource that connects with Active Directory and deals with associations:<br><br>            <association id="2800"><br>                <ref>ldapGroups</ref><br>                <displayName>Group Membership</displayName><br>                <inbound id="2809"><br>                    <strength>strong</strength><br>                    <expression><br>                        <assignmentTargetSearch><br>                            <targetType>RoleType</targetType><br>                       
     <filter><br>                                <q:equal><br>                                    <q:path>name</q:path><br>                                    <expression><br>                                        <script><br>                                            <code><br>                                               basic.getAttributeValue(entitlement, 'cn')<br>                                            </code><br>                                        </script><br>                                    </expression><br>                                </q:equal><br>                            </filter><br><br>                        </assignmentTargetSearch><br>                    </expression><br>                    <target><br>                        <path>assignment</path><br>                    </target><br>                </inbound><br>                <kind>entitlement</kind><br>                <intent>ListaAD</intent><br>                <intent>GrupoAD</intent><br>                <direction>objectToSubject</direction><br>                <associationAttribute>ri:member</associationAttribute><br>                <valueAttribute>dn</valueAttribute><br>                <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute><br>                <shortcutValueAttribute>ri:dn</shortcutValueAttribute><br>                <explicitReferentialIntegrity>true</explicitReferentialIntegrity><br>            </association><br><br>And here is the specific configuration in a metarole that sums up with the previous one to populate groups in Active Directory:<br><br>    <inducement id="2"><br>        <construction><br>            <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e3" relation="org:default" type="c:ResourceType"><br>                <!-- Active Directory 10.x.x.x -  --><br>            </resourceRef><br>            <kind>account</kind><br>            <intent>default</intent><br>            <association id="3"><br>                
<ref>ri:ldapGroups</ref><br>                <outbound><br>                    <strength>strong</strength><br>                    <expression><br>                        <associationFromLink><br>                            <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType"><br>                                <kind>entitlement</kind><br>                                <intent>GrupoAD</intent><br>                            </projectionDiscriminator><br>                        </associationFromLink><br>                    </expression><br>                </outbound><br>            </association><br>        </construction><br>        <order>2</order><br>        <focusType>c:UserType</focusType><br>    </inducement><br><br>Scenarios (for a specific user): <br><br>a) Assignment of a role<br>  1. Select the user;<br>  2. Click "assignment" -> "role" -> "Just a test role";<br>  3. Click the "save" button;<br><br>   -> result: <br>         Midpoint 4.1: the role is assigned to the user and the association is correctly created on AD. <br>         Midpoint 4.8: the role is assigned to the user and the association is correctly created on AD. <br><br>b) Unassignment of a role<br>  1. Select the user;  <br>  2. Click "assignment" -> "role" -> "Just a test role";<br>  3. Click on the "-" icon;<br>  4. Click the "save" button;<br><br>   -> result: <br>         Midpoint 4.1: the role is unassigned from the user and the association is correctly removed from AD.        <- expected behavior<br>         Midpoint 4.8: the role is <b>NOT</b> unassigned from the user <b>BUT</b> the association is correctly removed from AD.    <- unexpected behavior<br><br>Is there any configuration (in Midpoint 4.8) missing on the resource or metarole?<br><br><div>Thks.</div></div>
<br>_______________________________________________<br>midPoint mailing list<br>midPoint@lists.evolveum.com<br>https://lists.evolveum.com/mailman/listinfo/midpoint</div></div><div><br></div></div></body></html>