<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-compose;
font-family:"Verdana",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:11.0pt;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="en-BE" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="en-BE" style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Hi Yakov,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Following configuration works for me (validated on
</span><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">AdLdapConnector v3.8 and upwards):<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">In the AD config options define correct object classes and use the managed association pairs:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><connectorConfiguration><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <icfc:configurationProperties><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> [...]<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><cfc:managedAssociationPairs>"user"+memberOf -# "group"+member</cfc:managedAssociationPairs><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <cfc:managedAssociationPairs>"group"+memberOf -# "group"+member</cfc:managedAssociationPairs><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <cfc:attributesNotReturnedByDefault>member</cfc:attributesNotReturnedByDefault><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <cfc:userObjectClass>user</cfc:userObjectClass><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <cfc:groupObjectClass>group</cfc:groupObjectClass><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <cfc:groupObjectMemberAttribute>member</cfc:groupObjectMemberAttribute><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> </icfc:configurationProperties><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"></connectorConfiguration><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Define object type(s) you need. The association type handles the rest. Sample below handles user/group relation. You can define similar association
between other kind/intent objects in a similar way.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><associationType id="273"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <name>Account-Group</name><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <subject><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <objectType id="274"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <kind>account</kind><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <intent>Account</intent><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> </objectType><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <association><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <ref>ri:group</ref><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <sourceAttributeRef>ri:group</sourceAttributeRef><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <outbound id="289"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <name>account-mapping</name><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <strength>strong</strength><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <expression><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <associationConstruction xsi:type="c:AssociationConstructionExpressionEvaluatorType"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <objectRef id="291"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <ref>ri:group</ref><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <mapping id="292"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <name>membership</name><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <strength>strong</strength><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <expression><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <associationFromLink/><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> </expression><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> </mapping><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> </objectRef><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> </associationConstruction><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> </expression><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> </outbound><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> </association><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> </subject><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <object id="284"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <objectType id="285"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <kind>entitlement</kind><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> <intent>Group</intent><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> </objectType><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"> </object><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"></associationType><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Hope this helps!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US">Kind regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:3.75pt;margin-right:0cm;margin-bottom:3.75pt;margin-left:0cm">
<b><span lang="en-BE" style="font-size:11.0pt;font-family:"Courier New";color:#15227B">Wim Beck |
</span></b><span lang="en-BE" style="font-size:11.0pt;font-family:"Courier New";color:#777777">Identity Expert @
</span><b><span lang="en-BE" style="font-size:11.0pt;font-family:"Courier New";color:#15227B">IS4U</span></b><span lang="en-BE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-BE" style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> midPoint <midpoint-bounces@lists.evolveum.com>
<b>On Behalf Of </b>Yakov Revyakin via midPoint<br>
<b>Sent:</b> Friday, 29 August 2025 10:24<br>
<b>To:</b> midPoint General Discussion <midpoint@lists.evolveum.com><br>
<b>Cc:</b> Yakov Revyakin <yrevyakin@gmail.com><br>
<b>Subject:</b> Re: [midPoint] direct outbound group association on resource level<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">My associationType<br>
<associationType><br>
<name>computer-app</name><br>
<subject><br>
<objectType><br>
<kind>account</kind><br>
<intent>computer</intent><br>
</objectType><br>
<association><br>
<ref>ri:computer-app</ref><br>
<sourceAttributeRef>ri:group</sourceAttributeRef><br>
<tolerant>false</tolerant><br>
</association><br>
</subject><br>
<object><br>
<objectType><br>
<kind>entitlement</kind><br>
<intent>computer-app</intent><br>
</objectType><br>
</object><br>
</associationType><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Fri, 29 Aug 2025 at 11:20, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com">yrevyakin@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<p class="MsoNormal">Hi everyone,<br>
I'm trying to migrate my AD resource using 4.9 associationType concept.<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">For now I can't understand how to migrate the following part:<br>
An account objectType includes static group association which looks like:<o:p></o:p></p>
</div>
<p class="MsoNormal"><association><br>
<ref>ri:group</ref><br>
<tolerant>false</tolerant><br>
<kind>entitlement</kind><br>
<intent>computer-app</intent><br>
<outbound><br>
<expression><br>
<associationTargetSearch><br>
<filter><br>
<q:equal><br>
<q:path>attributes/ri:cn</q:path><br>
<q:value>all_computers</q:value><br>
</q:equal><br>
</filter><br>
<searchStrategy>onResourceIfNeeded</searchStrategy><br>
</associationTargetSearch><br>
</expression><br>
</outbound><br>
....<br>
</association><o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">This association results in association of this specific group with an AD account if it's appearing under user's projections. There are no roles, assignments, inducements to get this kind of association. This account can be imported and
linked only. Create capability for it is denied.<br>
<br>
It is not clear how to make this kind of association with the new 4.9 association types. I defined appropriate associationType but I can't see how to create this association not involving assignment/inducement approach. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If someone has an idea or experience please help.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Yakov<br>
<br>
<br>
<br>
<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
</div>
</body>
</html>