<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div> <!--StartFragment--><span style="color: #000000; font-family: arial, helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;" data-mce-style="color: #000000; font-family: arial, helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">Hi Carlos,</span><!--EndFragment--><div style="clear: both;" data-mce-style="clear: both;"><br data-mce-bogus="1"></div><div style="clear: both;" data-mce-style="clear: both;">In this case, as you described, the group couldn't be unassigned from the user in midPoint due to the strong inbound mapping in the association. To resolve it, use a function to omit unassigned groups from processing in the AD resource mapping. Please see the published advanced example of the LDAP resource on GitHub. 
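<br><br>As an added illustration of the effect described above (not part of this message, and not midPoint's own code), here is a simplified Python model of the two scenarios from the thread. The role names and the evaluation order inside the model are assumptions chosen to reproduce the reported result.

```python
"""Simplified model of the two scenarios from the thread (an added illustration, not
midPoint's own code).  It models the strong inbound association mapping
(assignmentTargetSearch on the group's cn -> assignment) being evaluated against the
group membership that was read from AD before the change, so it re-asserts the role that
is being removed.  Omitting the groups being unassigned from the inbound source, as
suggested above, restores the expected result.  The evaluation order is a modelling
assumption chosen to reproduce the reported midPoint 4.8 outcome, not midPoint internals."""

# Roles are matched by name == group cn, like basic.getAttributeValue(entitlement, 'cn').
ROLES = {"Just a test role", "AD Admins"}  # constructed sample data


def inbound_assignment_target_search(groups, assignments):
    """Strong inbound ldapGroups -> assignment: every group that resolves to a role is
    enforced as an assignment on the focus, even one the user has just removed."""
    return set(assignments) | {cn for cn in groups if cn in ROLES}


def outbound_association_from_link(assignments):
    """Strong outbound associationFromLink: AD membership is exactly the assigned roles
    that have a matching group."""
    return {a for a in assignments if a in ROLES}


def reconcile(assignments, ad_groups, add=None, remove=None, omit_unassigned=False):
    """One run after the user adds or removes a role in the GUI.
    Returns (assignments, ad_groups) as they end up in midPoint and in AD."""
    snapshot = set(ad_groups)            # association values as read from AD before the run
    assignments = set(assignments)
    if add:
        assignments.add(add)             # primary delta: scenario a)
    if remove:
        assignments.discard(remove)      # primary delta: scenario b)
    ad_groups = outbound_association_from_link(assignments)   # membership delta sent to AD
    if omit_unassigned and remove:
        snapshot.discard(remove)         # the fix: skip groups whose role is being unassigned
    assignments = inbound_assignment_target_search(snapshot, assignments)
    return assignments, ad_groups


def demo():
    """Scenario a), then scenario b) without and with the fix."""
    after_assign = reconcile(set(), set(), add="Just a test role")
    broken = reconcile(*after_assign, remove="Just a test role")
    fixed = reconcile(*after_assign, remove="Just a test role", omit_unassigned=True)
    return after_assign, broken, fixed


if __name__ == "__main__":
    for label, (roles, groups) in zip(("assign", "unassign", "unassign+fix"), demo()):
        print(f"{label:13} assignments={sorted(roles)} ad_groups={sorted(groups)}")
```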
</div><div style="clear: both;" data-mce-style="clear: both;">Function:<br> <!--StartFragment--><a href="https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/AD%20advanced/functionLibraries/ad-library.xml" data-mce-href="https://github.com/Evolveum/midpoint-samples/blob/master/samples/resources/ad-ldap/AD%20advanced/functionLibraries/ad-library.xml">midpoint-samples/samples/resources/ad-ldap/AD advanced/functionLibraries/ad-library.xml at master · Evolveum/midpoint-samples · GitHub</a><!--EndFragment--> <br></div><div style="clear: both;" data-mce-style="clear: both;">Association in resource mapping:</div><div style="clear: both;" data-mce-style="clear: both;"><a href="https://github.com/Evolveum/midpoint-samples/blob/30bc721a387a765444d9c2155ea33654aff78de0/samples/resources/ad-ldap/AD%20advanced/resources/ADfirststep.xml#L746C1-L790C27">https://github.com/Evolveum/midpoint-samples/blob/30bc721a387a765444d9c2155ea33654aff78de0/samples/resources/ad-ldap/AD%20advanced/resources/ADfirststep.xml#L746C1-L790C27</a><br data-mce-bogus="1"></div><div style="clear: both;" data-mce-style="clear: both;"><br data-mce-bogus="1"></div><div style="clear: both;" data-mce-style="clear: both;">Best regards</div><div style="clear: both;" data-mce-style="clear: both;"><br data-mce-bogus="1"></div><div style="clear: both;" data-mce-style="clear: both;">Lubomir Marton</div></div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"Carlos Ferreira" &lt;carlos18619@gmail.com&gt;<br><b>To: </b>"Lubomir Marton" &lt;lmarton@evolveum.com&gt;<br><b>Cc: </b>"midPoint General Discussion" &lt;midpoint@lists.evolveum.com&gt;<br><b>Sent: </b>Monday, April 29, 2024 3:59:53 PM<br><b>Subject: </b>Re: [midPoint] Active Directory + associations - different behavior between Midpoint 4.8 and Midpoint 4.1<br></div><br><div data-marker="__QUOTED_TEXT__"><div dir="ltr">Hi Lubomir,<br><div>I did as you mentioned (explicitReferentialIntegrity=false), but the behavior is still the same.</div><br><div>And, as I said before, in midPoint 4.1 the same scenarios worked perfectly.</div><br><div>Thks</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 29 Apr 2024 at 06:00, Lubomir Marton &lt;<a href="mailto:lmarton@evolveum.com" target="_blank" rel="nofollow noopener noreferrer">lmarton@evolveum.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb( 204 , 204 , 204 );padding-left:1ex"><div><div style="font-family:'arial' , 'helvetica' , sans-serif;font-size:12pt;color:rgb( 0 , 0 , 0 )"><div style="font-family:'arial' , 'helvetica' , sans-serif;font-size:12pt;color:rgb( 0 , 0 , 0 )"><div>Hi Carlos,</div><br><div> We recommend turning off explicitReferentialIntegrity for associations with groups. Please see the related documentation <a href="https://docs.evolveum.com/connectors/resources/active-directory/group-synchronization-howto/" target="_blank" rel="nofollow noopener noreferrer">https://docs.evolveum.com/connectors/resources/active-directory/group-synchronization-howto/</a> and <a href="https://docs.evolveum.com/connectors/resources/active-directory/active-directory-ldap/" target="_blank" rel="nofollow noopener noreferrer">https://docs.evolveum.com/connectors/resources/active-directory/active-directory-ldap/</a>.</div><br><div><div>Best regards</div><br><div>Lubomir Marton</div><br></div><hr id="m_6940747213627659671zwchr"><div><b>From: </b>"midPoint General Discussion" &lt;<a href="mailto:midpoint@lists.evolveum.com" target="_blank" rel="nofollow noopener noreferrer">midpoint@lists.evolveum.com</a>&gt;<br><b>To: </b>"midPoint General Discussion" &lt;<a href="mailto:midpoint@lists.evolveum.com" target="_blank" rel="nofollow noopener noreferrer">midpoint@lists.evolveum.com</a>&gt;<br><b>Cc: </b>"Carlos Ferreira" &lt;<a href="mailto:carlos18619@gmail.com" target="_blank" rel="nofollow noopener noreferrer">carlos18619@gmail.com</a>&gt;<br><b>Sent: </b>Thursday, April 25, 2024 6:33:11 PM<br><b>Subject: </b>[midPoint] Active Directory + associations - different behavior between Midpoint 4.8 and Midpoint 4.1<br></div><br><div><div dir="ltr">Hi everyone,<br><br>Here is a snippet of a resource that connects with Active Directory and deals with associations:<br><br><pre>&lt;association id="2800"&gt;
  &lt;ref&gt;ldapGroups&lt;/ref&gt;
  &lt;displayName&gt;Group Membership&lt;/displayName&gt;
  &lt;inbound id="2809"&gt;
    &lt;strength&gt;strong&lt;/strength&gt;
    &lt;expression&gt;
      &lt;assignmentTargetSearch&gt;
        &lt;targetType&gt;RoleType&lt;/targetType&gt;
        &lt;filter&gt;
          &lt;q:equal&gt;
            &lt;q:path&gt;name&lt;/q:path&gt;
            &lt;expression&gt;
              &lt;script&gt;
                &lt;code&gt;
                  basic.getAttributeValue(entitlement, 'cn')
                &lt;/code&gt;
              &lt;/script&gt;
            &lt;/expression&gt;
          &lt;/q:equal&gt;
        &lt;/filter&gt;
      &lt;/assignmentTargetSearch&gt;
    &lt;/expression&gt;
    &lt;target&gt;
      &lt;path&gt;assignment&lt;/path&gt;
    &lt;/target&gt;
  &lt;/inbound&gt;
  &lt;kind&gt;entitlement&lt;/kind&gt;
  &lt;intent&gt;ListaAD&lt;/intent&gt;
  &lt;intent&gt;GrupoAD&lt;/intent&gt;
  &lt;direction&gt;objectToSubject&lt;/direction&gt;
  &lt;associationAttribute&gt;ri:member&lt;/associationAttribute&gt;
  &lt;valueAttribute&gt;dn&lt;/valueAttribute&gt;
  &lt;shortcutAssociationAttribute&gt;ri:memberOf&lt;/shortcutAssociationAttribute&gt;
  &lt;shortcutValueAttribute&gt;ri:dn&lt;/shortcutValueAttribute&gt;
  &lt;explicitReferentialIntegrity&gt;true&lt;/explicitReferentialIntegrity&gt;
&lt;/association&gt;
</pre>And here is the specific configuration in a metarole that combines with the previous one to populate groups in Active Directory:<br><br><pre>&lt;inducement id="2"&gt;
  &lt;construction&gt;
    &lt;resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e3" relation="org:default" type="c:ResourceType"&gt;
      &lt;!-- Active Directory 10.x.x.x - --&gt;
    &lt;/resourceRef&gt;
    &lt;kind&gt;account&lt;/kind&gt;
    &lt;intent&gt;default&lt;/intent&gt;
    &lt;association id="3"&gt;
      &lt;ref&gt;ri:ldapGroups&lt;/ref&gt;
      &lt;outbound&gt;
        &lt;strength&gt;strong&lt;/strength&gt;
        &lt;expression&gt;
          &lt;associationFromLink&gt;
            &lt;projectionDiscriminator xsi:type="c:ShadowDiscriminatorType"&gt;
              &lt;kind&gt;entitlement&lt;/kind&gt;
              &lt;intent&gt;GrupoAD&lt;/intent&gt;
            &lt;/projectionDiscriminator&gt;
          &lt;/associationFromLink&gt;
        &lt;/expression&gt;
      &lt;/outbound&gt;
    &lt;/association&gt;
  &lt;/construction&gt;
  &lt;order&gt;2&lt;/order&gt;
  &lt;focusType&gt;c:UserType&lt;/focusType&gt;
&lt;/inducement&gt;
</pre>Scenarios (for a specific user):<br><br>a) Assignment of a role<br> 1. Select the user;<br> 2. Click "assignment" -&gt; "role" -&gt; "Just a test role";<br> 3. Click the "save" button;<br><br> -&gt; result:<br> midPoint 4.1: the role is assigned to the user and the association is correctly created on AD.<br> midPoint 4.8: the role is assigned to the user and the association is correctly created on AD.<br><br>b) Unassignment of a role<br> 1. Select the user;<br> 2. Click "assignment" -&gt; "role" -&gt; "Just a test role";<br> 3. Click on the "-" icon;<br> 4. Click the "save" button;<br><br> -&gt; result:<br> midPoint 4.1: the role is unassigned from the user and the association is correctly removed from AD. &lt;- expected behavior<br> midPoint 4.8: the role is <b>NOT</b> unassigned from the user <b>BUT</b> the association is correctly removed from AD. &lt;- unexpected behavior<br><br>Is there any configuration (in midPoint 4.8) missing on the resource or metarole?<br><br><div>Thks.</div></div>
<br>_______________________________________________<br>midPoint mailing list<br><a href="mailto:midPoint@lists.evolveum.com" target="_blank" rel="nofollow noopener noreferrer">midPoint@lists.evolveum.com</a><br><a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" rel="nofollow noopener noreferrer">https://lists.evolveum.com/mailman/listinfo/midpoint</a></div></div></div></div></blockquote></div><br></div></div></body></html>