[midPoint] AD group filter on reconcile

Pavol Mederly mederly at evolveum.com
Sat Jan 14 11:22:14 CET 2017


Nicolas, Martin,

for attributes, there is tolerantValuePattern/intolerantValuePattern 
property pair that could help. Unfortunately, similar mechanism for 
associations is not implemented yet. I'm afraid that neither baseContext 
nor protected accounts are relevant means to help in your case.

Maybe Radovan or someone with more experience in this area could help you.

Pavol Mederly
Software developer
evolveum.com
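As an added illustration of the attribute-level mechanism Pavol refers to (this fragment is not from the thread or the midPoint project): a schemaHandling attribute definition that tolerates values found on the resource but not in midPoint, except values under the managed OU, which reconcile still removes. The attribute name ri:memberOf is an assumption; the OU DN is the one from the thread.

```xml
<!-- Added example, not from the thread or the midPoint project.
     Assumes a multi-valued attribute ri:memberOf holding group DNs. -->
<attribute>
    <ref>ri:memberOf</ref>
    <!-- tolerant=true: values present in AD but absent in midPoint are kept
         on reconcile, so memberships outside the managed OU are not touched. -->
    <tolerant>true</tolerant>
    <!-- Exception: values matching this regex are NOT tolerated and are removed
         when midPoint does not know them. (?i) because AD may return DNs with
         differing case (the thread shows "cn=...,dc=uninorte,dc=local"). -->
    <intolerantValuePattern>(?i).*,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</intolerantValuePattern>
</attribute>
```

The same pair can be used the other way round (tolerant=false plus a tolerantValuePattern for the DNs to leave alone); as Pavol notes, neither form is available for associations.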

On 14.01.2017 0:59, Martin Besozzi wrote:
> Hi, All.
> Also we changed the "baseContext" definition in order to avoid the 
> groups outside the "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".
>
> <baseContext>
>   <objectClass>ri:organizationalUnit</objectClass>
>   <filter>
>     <q:equal>
>       <q:path>attributes/dn</q:path>
>       <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>     </q:equal>
>   </filter>
> </baseContext>
>
> But the user shows the group association 
> "cn=Identicum,cn=Users,dc=uninorte,dc=local" which is outside the 
> base context.
>
> Do you have any suggestion ?
>
> Best regards
>
>
> Ing Martin Besozzi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com <http://www.identicum.com>
>
> On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi <nrossi at identicum.com> wrote:
>
>     Hi guys, I have a working AD LDAP resource. The group association
>     has the tolerant flag set to false. So when I reconcile the user, it
>     removes the user's group memberships found in AD and not in
>     midPoint. I'd like to apply a filter there because midPoint only
>     sees groups under a specific organizational unit. So when the user
>     has groups outside this OU they are also removed.
>
>     I tried with a baseContext definition under the schemaHandling and
>     protected definition but nothing worked.
>
>     Here are some examples of protected configurations I have tried:
>
>     <protected>
>       <filter>
>         <not>
>           <q:substring>
>             <q:matching>stringIgnoreCase</q:matching>
>             <q:path>
>               declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>               attributes/icfs:name
>             </q:path>
>             <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>             <q:anchorEnd>true</q:anchorEnd>
>           </q:substring>
>         </not>
>       </filter>
>     </protected>
>
>     The above example tries to match any groups not ending with the
>     managed OU.
>
>     <protected>
>       <filter>
>         <q:equal>
>           <path>ri:dn</path>
>           <value>CN=Domain Admins,DC=uninorte,DC=local</value>
>         </q:equal>
>       </filter>
>     </protected>
>
>     This tries to match a specific group.
>
>     Do you have any suggestion ?
>
>     Best regards,
>
>
>     Ing Nicolás Rossi
>     Identicum S.A.
>     Jorge Newbery 3226
>     Tel: +54 (11) 4552-3050
>     www.identicum.com <http://www.identicum.com>
>
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
