MidPoint / MID-1839

Association for group does not work when the group is not created by midpoint


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.0 (Newton)
    • Fix Version/s: 3.0 (Newton)
    • Component/s: None
    • Labels: None
    • Environment: git-v2.3devel-1346-g039c088

    Description

      The configuration is as follows:

      • when an organization of a certain type is created in midPoint, an object template assigns a role to that organization, and the role creates an OU and a group in AD
      • this works

      When a user is created in midPoint, assigned to a certain organization and assigned a role, midPoint creates an account in AD (there are multiple account types, i.e. intents) and should associate two groups: the first group is the group created previously by midPoint; the second group is a group that already exists in Active Directory.

      The second group is not associated, and its shadow is not created.

      The role definition for the role that assigns the group previously created by midPoint (this works):

      <role oid="00000000-dc00-dc00-0004-000000000014"
            xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-2a"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-2a"
            xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-2"
            xmlns:q="http://prism.evolveum.com/xml/ns/public/query-2"
            xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-2">
          <name>AD Linux Administrator (TODO: no groups so far)</name>
          <description>
              This role assigns AD (Exchange) resource in OU=Vendor
          </description>
          <inducement>
              <construction>
                  <!-- The c: prefix in type must be there due to a JAXB bug -->
                  <resourceRef oid="00000000-dc00-dc00-0001-000000000002" type="c:ResourceType"/>

                  <kind>account</kind>
                  <intent>linux-admin</intent>

                  <association>
                      <ref>ri:adGroups</ref>
                      <outbound>
                          <expression>
                              <associationTargetSearch>
                                  <query>
                                      <q:equal>
                                          <q:path>attributes/icfs:name</q:path>
                                          <expression>
                                              <script>
                                                  <code>
      // Build the DN of the AD group that midPoint created for the user's organization.
      tmpOrgList = midpoint.getOrgUnits(user)
      if (tmpOrgList.size() &gt;= 1) {
              // Take the OID of the first organization and resolve it to the org object.
              tmpOrgIterator = tmpOrgList.iterator().next()
              tmpOrgObject = midpoint.getOrgByOid(tmpOrgIterator)
              tmpOrganization = basic.stringify(basic.getPropertyValue(tmpOrgObject, 'name'))
              log.info('XXXXXXXXXXXXXX: {}', 'CN=' + tmpOrganization + ',OU=Groups,OU=EXAMPLEDEV,DC=EXAMPLEDEV,DC=INTRA')
              return 'CN=' + tmpOrganization + ',OU=Groups,OU=EXAMPLEDEV,DC=EXAMPLEDEV,DC=INTRA'
      }
      // No organization: nothing is returned (null), so no association target is searched for.
                                                  </code>
                                              </script>
                                          </expression>
                                      </q:equal>
                                  </query>
                              </associationTargetSearch>
                          </expression>
                      </outbound>
                  </association>

              </construction>
          </inducement>
      </role>


      The role assigning the other group, which was not created by midPoint (this does not associate):

      <role oid="00000000-dc00-dc00-0004-000000000011"
            xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-2a"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-2a"
            xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-2"
            xmlns:q="http://prism.evolveum.com/xml/ns/public/query-2"
            xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-2">
          <name>AD TestGroup1 (via Entitlements)</name>
          <description>
              This role assigns AD (Exchange) resource and adds user to "TestGroup1" group.
          </description>
          <inducement>
              <construction>
                  <!-- The c: prefix in type must be there due to a JAXB bug -->
                  <resourceRef oid="00000000-dc00-dc00-0001-000000000002" type="c:ResourceType"/>

                  <kind>account</kind>
                  <intent>linux-admin</intent>
                  <association>
                      <ref>ri:adGroups</ref>
                      <outbound>
                          <expression>
                              <associationTargetSearch>
                                  <query>
                                      <q:equal>
                                          <q:path>attributes/icfs:name</q:path>
                                          <q:value>CN=TestGroup1,OU=EXAMPLEDEV,DC=EXAMPLEDEV,DC=INTRA</q:value>
                                      </q:equal>
                                  </query>
                              </associationTargetSearch>
                          </expression>
                      </outbound>
                  </association>

              </construction>
          </inducement>
      </role>


      People

        Assignee: Ivan Noris
        Reporter: Ivan Noris