Simplifying LDAP Group Management Using MidPoint

Many applications connected to LDAP use LDAP groups for authorization. With some Identity Management solutions you can put users into these groups, but you still need to manage the groups themselves with native LDAP tools. This is not the case with midPoint! MidPoint allows you to create not only LDAP accounts but also the groups, so it can become the ultimate tool for IT administrators, or even for users with limited IT skills, really simplifying LDAP group management.

In this post I will show you how a midPoint configuration of so-called “metaroles” can be used to create LDAP groups (groupOfNames) as projections of midPoint roles, and how to create LDAP accounts (inetOrgPerson) that are members of those groups. In a later blog post we will use the same knowledge to create Unix groups (posixGroup) as well. For everything we will use just Resource Schema Handling and Generic Synchronization.

You can think of metaroles as “role templates”. They are not assigned to midPoint users but to other roles, and they cause the appropriate resource objects (such as LDAP groups) to be created and managed. They are also responsible for managing group membership.

The complete scenario setup and technical description is here. So we assume that the configuration in midPoint is already uploaded, including the two metaroles.

We start by creating a new role for wiki access in midPoint. To start with something simple, we want a common group (groupOfNames) created as a projection of the new role. The scenario is configured to use the “identifier” attribute of the role as the “cn” attribute of the new group. So go to Roles – New role and fill in the following attributes on the “Basic” tab:

  1. Name: LDAP Group Wiki Users
  2. Identifier: wiki-users

Creating LDAP group, step 1

No other attributes are necessary on this tab. Then switch to the “Assignments” tab and assign the role named “LDAP Group Metarole”. This is the first of the two metaroles created to support this scenario. Then save the form.

Creating LDAP group, step 2

The metarole assigned to the “LDAP Group Wiki Users” role causes the creation of a new group in LDAP with DN “cn=wiki-users,ou=groups,dc=example,dc=com”. Note that the “identifier” attribute was used both in the DN and for the “cn” attribute, that the group has objectClass “groupOfNames”, and that it is placed in “ou=groups,dc=example,dc=com”.

Created LDAP group

As a little bonus, you may have noticed that the “description” attribute of the group has been generated with the text “LDAP Group named: wiki-users”. The same value was automatically stored in the role’s “description” attribute in midPoint, so you can quickly see which group name was created for the role just by looking at the role description. But this is only a small addition to the fact that you now have LDAP group management as part of your midPoint configuration.

Now that we have created the new role with the LDAP group projection, let’s create a new midPoint user and assign that role to him/her. Go to Users – New user and create the user. Fill in at least the following attributes on the “Basic” tab:

  1. Name: jsmith
  2. Given Name: John
  3. Family Name: Smith
  4. Full Name: John Smith
  5. Password: secret123

Then switch to the “Assignments” tab and assign this user the role “LDAP Group Wiki Users” created previously. We are NOT assigning the metarole! Now save the form.

Creating LDAP account, step 1

A special configuration in the metaroles, called Higher-Order Inducements, is used not only for LDAP group management when the metaroles are assigned to roles, but also to create the accounts when those roles are in turn assigned to users in midPoint.

If you edit the same user in midPoint and switch to the “Projections” tab, you will see that the LDAP account has been created with DN “uid=smith,ou=people,dc=example,dc=com”, and you will also see the “Associations” containing the DN of the group: “cn=wiki-users,ou=groups,dc=example,dc=com”. This means that midPoint has successfully put the account into that group.

Created LDAP account, result in midPoint

You can also check that the account has been really created in LDAP:

Created LDAP account, result in LDAP

And you can also check in LDAP that the account is a member of the group “cn=wiki-users,ou=groups,dc=example,dc=com”:

Standard LDAP group populated by membership
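The membership check above is worth automating, because an entitlement group like this is an authorization boundary and any member that midPoint did not put there is drift. The script below is an added example, not part of the original post or of midPoint: it parses a constructed LDIF dump of the group and account described above (the uid of the account is assumed to match the midPoint user name) and reports members that are missing, unexpected, or dangling relative to the set midPoint's role assignments imply.

```python
"""Added example: verify a midPoint-managed groupOfNames from an LDIF export.
Runs offline on a constructed sample; a real run would feed it ldapsearch -LLL output."""
from collections import defaultdict

# Constructed sample in the shape the post describes; "uid=stale" is a
# deliberately planted member that no midPoint role assignment explains.
SAMPLE_LDIF = """\
dn: cn=wiki-users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: wiki-users
description: LDAP Group named: wiki-users
member: uid=jsmith,ou=people,dc=example,dc=com
member: uid=stale,ou=people,dc=example,dc=com

dn: uid=jsmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jsmith
cn: John Smith
sn: Smith
"""

def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}. Unfolds continuation
    lines (leading space) and keeps multi-valued attributes such as member."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line belongs to previous one
        else:
            lines.append(raw)
    entries, current, dn = {}, None, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries[dn] = current
            current, dn = None, None
            continue
        attr, _, value = line.partition(": ")   # first ": " only; values may contain ": "
        if attr.lower() == "dn":
            dn, current = value, defaultdict(list)
        else:
            current[attr.lower()].append(value)
    return entries

def check_group(entries, group_dn, expected_members):
    """Compare the group's member attribute with the DNs midPoint should have
    added; members whose entry is absent from the dump are reported as orphans."""
    group = entries.get(group_dn, {})
    actual, expected = set(group.get("member", [])), set(expected_members)
    return {
        "is_group_of_names": "groupOfNames" in group.get("objectclass", []),
        "missing_members": sorted(expected - actual),      # assigned in midPoint, absent in LDAP
        "unexpected_members": sorted(actual - expected),   # in LDAP, no midPoint assignment
        "orphan_members": sorted(m for m in actual if m not in entries),
    }
```

Any non-empty "unexpected_members" list is the finding to act on: it means someone changed the group outside midPoint, which a reconciliation run against the resource would also surface.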

As you can see, it was really easy to create the midPoint role, and you got complete LDAP group management included. You can create a number of such roles in a very short time without creating them directly in the LDAP server, and you can just as easily assign the roles to your users.

More info and complete scenario documentation can be found here. Please refer to Roles, Metaroles and Generic Synchronization to get more information about the concepts of metaroles.
