[midPoint] AD group filter on reconcile

Martin Besozzi mbesozzi at identicum.com
Sat Jan 14 00:59:05 CET 2017


Hi, All.
Also we changed the "baseContext" definition in order to avoid the
groups outside the "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".


<baseContext>
    <objectClass>ri:organizationalUnit</objectClass>
    <filter>
        <q:equal>
            <q:path>attributes/dn</q:path>
            <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
        </q:equal>
    </filter>
</baseContext>

But the user shows the group association
"cn=Identicum,cn=Users,dc=uninorte,dc=local" which is outside the base
context.


Do you have any suggestions?

Best regards


Ing Martin Besozzi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi <nrossi at identicum.com> wrote:

> Hi guys, I have a working AD LDAP resource. The group association has
> tolerant flag in false. So when I reconcile the user, it removes the user's
> group memberships found in AD and not in midPoint. I'd like to apply a
> filter there because midPoint only sees groups under a specific
> organization unit. So when the user has groups outside this OU they are
> also removed.
>
> I tried with a baseContext definition under the schemaHandling and
> protected definition but nothing worked.
>
> Here are some examples of protected configurations I have tried:
>
> <protected>
>   <filter>
>     <not>
>       <q:substring>
>         <q:matching>stringIgnoreCase</q:matching>
>         <q:path>
>           declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>           attributes/icfs:name
>         </q:path>
>         <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>         <q:anchorEnd>true</q:anchorEnd>
>       </q:substring>
>     </not>
>   </filter>
> </protected>
>
> The above example tries to match any groups not ending with the managed OU.
>
> <protected>
>   <filter>
>     <q:equal>
>       <!-- path and value belong to the q: namespace; a shadow attribute is addressed under attributes/ -->
>       <q:path>attributes/dn</q:path>
>       <q:value>CN=Domain Admins,DC=uninorte,DC=local</q:value>
>     </q:equal>
>   </filter>
> </protected>
>
> This tries to match a specific group.
>
> Do you have any suggestions?
>
> Best regards,
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
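Both messages above describe the same failure mode: an association with tolerant=false makes reconcile remove every AD group membership midPoint does not know about, including memberships outside the OU midPoint is supposed to manage. The Python below is an added example, not midPoint code and not from the thread, that models what a scope filter on those association values has to do: compare DNs RDN by RDN and case-insensitively, so that a membership such as cn=Identicum,cn=Users,dc=uninorte,dc=local is recognised as outside OU=Grupos_Seguridad,... and left alone, while only surplus memberships inside that OU are scheduled for removal. All function names (normalize_dn, is_under, raw_suffix_match, plan_reconcile) are mine, and the group lists are constructed sample data built from DNs in the thread.

```python
"""Added example: models the reconcile decision for AD group memberships when
midPoint should only manage groups under one OU. Not midPoint code; the DNs
are constructed sample data based on the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# The managed scope from the thread; only groups below this OU are midPoint's.
MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"

# Split a DN on commas that are not escaped with a backslash (RFC 4514).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> tuple[str, ...]:
    """Canonical form of a DN: one 'type=value' entry per RDN, attribute type
    and value lowercased (stringIgnoreCase semantics) and surrounding
    whitespace dropped, so 'CN=Users' and 'cn = users' compare equal."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(rdns)


def is_under(dn: str, base: str) -> bool:
    """True when dn is an entry below base: base's RDNs are a proper suffix of
    dn's RDNs. The OU object itself does not count as being under itself."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def raw_suffix_match(dn: str, base: str) -> bool:
    """Case-sensitive string suffix test, kept for contrast: it misses DNs that
    AD returns in a different case than the configured base."""
    return dn.endswith(base)


@dataclass(frozen=True)
class ReconcilePlan:
    remove: tuple[str, ...]             # in scope, unknown to midPoint
    keep_managed: tuple[str, ...]       # in scope and wanted by midPoint
    keep_out_of_scope: tuple[str, ...]  # outside the OU; never touched


def plan_reconcile(ad_groups, midpoint_groups, base=MANAGED_OU) -> ReconcilePlan:
    """Decide what an intolerant (tolerant=false) association should do with
    each membership AD reports, once the scope filter is applied."""
    wanted = {normalize_dn(g) for g in midpoint_groups}
    remove, keep_managed, keep_out = [], [], []
    for g in ad_groups:
        if not is_under(g, base):
            keep_out.append(g)          # filtered out: midPoint does not own it
        elif normalize_dn(g) in wanted:
            keep_managed.append(g)
        else:
            remove.append(g)            # surplus value inside the managed scope
    return ReconcilePlan(tuple(remove), tuple(keep_managed), tuple(keep_out))


# Constructed sample: what AD reports for one user and what midPoint assigns.
AD_MEMBERSHIPS = [
    "CN=VPN_Users,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "cn=wifi_users,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",
    "CN=Domain Admins,DC=uninorte,DC=local",
]
MIDPOINT_MEMBERSHIPS = [
    "CN=VPN_Users,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
]

if __name__ == "__main__":
    plan = plan_reconcile(AD_MEMBERSHIPS, MIDPOINT_MEMBERSHIPS)
    print("remove:           ", plan.remove)
    print("keep (managed):   ", plan.keep_managed)
    print("keep (out of OU): ", plan.keep_out_of_scope)
```

Run as a script it prints the three buckets for the sample user: the lowercase wifi_users membership is the only removal, VPN_Users stays because midPoint assigns it, and the two memberships outside the OU are untouched. The same lowercase DN fails raw_suffix_match, which is the kind of mismatch a substring/anchorEnd filter without stringIgnoreCase matching would produce.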