<div dir="ltr">Hi Lubomir,<div><br></div><div>I did as you mentioned (explicitReferentialIntegrity=false), but the behavior is still the same.</div><div><br></div><div>And, as I said before, in Midpoint 4.1 the same scenarios worked perfectly.</div><div><br></div><div>Thks</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 29, 2024 at 06:00, Lubomir Marton <<a href="mailto:lmarton@evolveum.com">lmarton@evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:arial,helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><div style="font-family:arial,helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><div>Hi Carlos,</div><div><br></div><div> We recommend turning off explicitReferentialIntegrity for associations with groups. Please see related documentation <a href="https://docs.evolveum.com/connectors/resources/active-directory/group-synchronization-howto/" target="_blank">https://docs.evolveum.com/connectors/resources/active-directory/group-synchronization-howto/</a> and <a href="https://docs.evolveum.com/connectors/resources/active-directory/active-directory-ldap/" target="_blank">https://docs.evolveum.com/connectors/resources/active-directory/active-directory-ldap/</a>.</div><div><br></div><div><div>Best regards</div><div><br></div><div>Lubomir Marton</div><div><br></div></div><hr id="m_6940747213627659671zwchr"><div><b>From: </b>"midPoint General Discussion" <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br><b>To: </b>"midPoint General Discussion" <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br><b>Cc: </b>"Carlos Ferreira" <<a href="mailto:carlos18619@gmail.com" target="_blank">carlos18619@gmail.com</a>><br><b>Sent: </b>Thursday, April 25, 2024 6:33:11 PM<br><b>Subject: </b>[midPoint] Active 
Directory + associations - different behavior between Midpoint 4.8 and Midpoint 4.1<br></div><br><div><div dir="ltr">Hi everyone,<br><br><br>Here is a snippet of a resource that connects with Active Directory and deals with associations:<br><br> <association id="2800"><br> <ref>ldapGroups</ref><br> <displayName>Group Membership</displayName><br> <inbound id="2809"><br> <strength>strong</strength><br> <expression><br> <assignmentTargetSearch><br> <targetType>RoleType</targetType><br> <filter><br> <q:equal><br> <q:path>name</q:path><br> <expression><br> <script><br> <code><br> basic.getAttributeValue(entitlement, 'cn')<br> </code><br> </script><br> </expression><br> </q:equal><br> </filter><br><br> </assignmentTargetSearch><br> </expression><br> <target><br> <path>assignment</path><br> </target><br> </inbound><br> <kind>entitlement</kind><br> <intent>ListaAD</intent><br> <intent>GrupoAD</intent><br> <direction>objectToSubject</direction><br> <associationAttribute>ri:member</associationAttribute><br> <valueAttribute>dn</valueAttribute><br> <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute><br> <shortcutValueAttribute>ri:dn</shortcutValueAttribute><br> <explicitReferentialIntegrity>true</explicitReferentialIntegrity><br> </association><br><br>And here is the specific configuration in a metarole that sums up with the previous one to populate groups in Active Directory:<br><br> <inducement id="2"><br> <construction><br> <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e3" relation="org:default" type="c:ResourceType"><br> <!-- Active Directory 10.x.x.x - --><br> </resourceRef><br> <kind>account</kind><br> <intent>default</intent><br> <association id="3"><br> <ref>ri:ldapGroups</ref><br> <outbound><br> <strength>strong</strength><br> <expression><br> <associationFromLink><br> <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType"><br> <kind>entitlement</kind><br> <intent>GrupoAD</intent><br> </projectionDiscriminator><br> 
 </associationFromLink><br> </expression><br> </outbound><br> </association><br> </construction><br> <order>2</order><br> <focusType>c:UserType</focusType><br> </inducement><br><br>Scenarios (for a specific user): <br><br>a) Assignment of a role<br> 1. Select the user;<br> 2. Click "assignment->role->"Just a test role";<br> 3. Click the "save" button;<br><br> -> result: <br> Midpoint 4.1: the role is assigned to the user and the association is correctly created on AD. <br> Midpoint 4.8: the role is assigned to the user and the association is correctly created on AD. <br><br>b) Unassignment of a role<br> 1. Select the user; <br> 2. Click "assignment->role->"Just a test role";<br> 3. Click on the "-" icon;<br> 4. Click the "save" button;<br><br> -> result: <br> Midpoint 4.1: the role is unassigned from the user and the association is correctly removed from AD. <- expected behavior<br> Midpoint 4.8: the role is <b>NOT</b> unassigned from the user <b>BUT</b> the association is correctly removed from AD. <- unexpected behavior<br><br>Is there any configuration (in Midpoint 4.8) missing on the resource or metarole?<br><br><div>Thks.</div></div>
</div></div><div><br></div></div></div></blockquote></div>
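A check for the setting recommended in the reply above, as an added example that is not part of the thread or of midPoint's own tooling: it parses resource XML and reports the explicitReferentialIntegrity value of each entitlement association definition. The sample XML is constructed (trimmed from the posted association and wrapped so it parses); the `otherGroups` association and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first association is trimmed from the one posted in
# the thread; the second (otherGroups) is hypothetical, added for contrast.
SAMPLE = """<schemaHandling xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <objectType>
    <association>
      <ref>ldapGroups</ref>
      <kind>entitlement</kind>
      <intent>ListaAD</intent>
      <intent>GrupoAD</intent>
      <associationAttribute>ri:member</associationAttribute>
      <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
      <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
    </association>
    <association>
      <ref>otherGroups</ref>
      <kind>entitlement</kind>
      <intent>OtherGroup</intent>
      <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
    </association>
  </objectType>
</schemaHandling>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def child_texts(elem, name):
    return [(c.text or "").strip() for c in elem if local(c.tag) == name]

def audit_associations(xml_text):
    """List (ref, intents, setting) per entitlement association definition."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Associations inside a role's <construction> carry no <kind> child: skipped.
        if local(elem.tag) != "association" or "entitlement" not in child_texts(elem, "kind"):
            continue
        flag = child_texts(elem, "explicitReferentialIntegrity")
        ref = (child_texts(elem, "ref") or ["?"])[0]
        setting = flag[0].lower() if flag else "unset"  # no element in the XML
        findings.append((ref, child_texts(elem, "intent"), setting))
    return findings

def not_following_recommendation(findings):
    """Refs whose flag is anything other than an explicit 'false'."""
    return [ref for ref, _, setting in findings if setting != "false"]

if __name__ == "__main__":
    print(not_following_recommendation(audit_associations(SAMPLE)))
```

Running it over an exported resource before and after a change confirms which association definitions actually carry the flag, independent of what the GUI shows.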