[midPoint] AD group filter on reconcile
Nicolas Rossi
nrossi at identicum.com
Fri Jan 13 23:41:10 CET 2017
Hi guys, I have a working AD LDAP resource. The group association has the
tolerant flag set to false. So when I reconcile the user, it removes the user's
group memberships found in AD and not in midPoint. I'd like to apply a
filter there because midPoint only sees groups under a specific
organizational unit. So when the user has groups outside this OU they are
also removed.
I tried with a baseContext definition under the schemaHandling and a
protected definition, but nothing worked.
Here are some examples of protected configurations I have tried:
<protected>
    <filter>
        <not>
            <q:substring>
                <q:matching>stringIgnoreCase</q:matching>
                <q:path>
                    declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
                    attributes/icfs:name
                </q:path>
                <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
                <q:anchorEnd>true</q:anchorEnd>
            </q:substring>
        </not>
    </filter>
</protected>
The above example tries to match any groups not ending with the managed OU.
<protected>
    <filter>
        <q:equal>
            <path>ri:dn</path>
            <value>CN=Domain Admins,DC=uninorte,DC=local</value>
        </q:equal>
    </filter>
</protected>
This tries to match a specific group.
Do you have any suggestions?
Best regards,
Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
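
The outcome asked for above, as an added Python illustration that is not part of the original post and is not midPoint code or configuration: a non-tolerant reconcile that removes only memberships under the managed OU, comparing DNs RDN by RDN and ignoring case. The function names and all sample groups except the two DNs quoted in the post are constructed assumptions.

```python
# Added illustration, not midPoint code: models the reconcile outcome the post asks for.
MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"  # from the post

# Constructed sample data (only the Domain Admins DN appears in the post).
AD_GROUPS = [
    "CN=Domain Admins,DC=uninorte,DC=local",
    "CN=Sales,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "cn=Legacy,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",
    # Escaped comma inside the CN: this entry sits under OU=Uninorte, not the managed OU.
    "CN=x\\,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
]
MIDPOINT_GROUPS = ["cn=sales,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"]


def split_rdns(dn):
    """Split a DN into lower-cased RDNs on unescaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip().lower() for p in parts]


def is_under(dn, base_dn):
    """True if dn lies strictly below base_dn (RDN-wise, case-insensitive)."""
    rdns, base = split_rdns(dn), split_rdns(base_dn)
    return len(rdns) > len(base) and rdns[-len(base):] == base


def memberships_to_remove(ad_groups, midpoint_groups, managed_base):
    """Non-tolerant behaviour, limited to groups under managed_base."""
    wanted = {tuple(split_rdns(g)) for g in midpoint_groups}
    return [g for g in ad_groups
            if is_under(g, managed_base) and tuple(split_rdns(g)) not in wanted]


if __name__ == "__main__":
    print(memberships_to_remove(AD_GROUPS, MIDPOINT_GROUPS, MANAGED_OU))
```

With the sample data only the unmanaged membership inside the OU is selected for removal; the Domain Admins membership outside the OU is left alone.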