[midPoint] AD group filter on reconcile

Nicolas Rossi nrossi at identicum.com
Sat Jan 14 11:59:03 CET 2017


Hi Pavol, I tried with that setting but It didn't work. Here is my
configuration:

<association>
    <c:ref>ri:group</c:ref>
    <displayName>AD Group Membership</displayName>
    <tolerant>false</tolerant>
    <tolerantValuePattern>.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</tolerantValuePattern>
    <exclusiveStrong>false</exclusiveStrong>
    <kind>entitlement</kind>
    <intent>group</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
    <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>

The regex matches strings not ending with
"OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local" (groups outside our
managed OU), expecting those values to be tolerated.

Does it work for associations the same way it does for attributes? Maybe
I should create the "memberOf" attribute and define the
tolerantValuePattern there.

Which log should I enable to get more information about the pattern
evaluation?

Best regards,





Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Sat, Jan 14, 2017 at 7:22 AM, Pavol Mederly <mederly at evolveum.com> wrote:

> Nicolas, Martin,
>
> for attributes, there is tolerantValuePattern/intolerantValuePattern
> property pair that could help. Unfortunately, similar mechanism for
> associations is not implemented yet. I'm afraid that neither baseContext
> nor protected accounts are relevant means to help in your case.
>
> Maybe Radovan or someone with more experiences in this area could help you.
>
> Pavol Mederly
> Software developer, evolveum.com
>
> On 14.01.2017 0:59, Martin Besozzi wrote:
>
> Hi, All.
> Also we changed the "baseContext" definition in order to avoid the
> groups outside the "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".
>
>
> <baseContext>
>     <objectClass>ri:organizationalUnit</objectClass>
>     <filter>
>         <q:equal>
>             <q:path>attributes/dn</q:path>
>             <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>         </q:equal>
>     </filter>
> </baseContext>
>
> But the user shows the group association
> "cn=Identicum,cn=Users,dc=uninorte,dc=local" which is outside the base
> context.
>
> [image: Inline image 1]
>
> Do you have any suggestion ?
>
> Best regards
>
>
> Ing Martin Besozzi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi <nrossi at identicum.com>
> wrote:
>
>> Hi guys, I have a working AD LDAP resource. The group association has
>> tolerant flag in false. So when I reconcile the user, it removes the user's
>> group memberships found in AD and not in midPoint. I'd like to apply a
>> filter there because midPoint only sees groups under a specific
>> organization unit. So when the user has groups outside this OU they are
>> also removed.
>>
>> I tried with a baseContext definition under the schemaHandling and
>> protected definition but nothing worked.
>>
>> Here are some examples of protected configurations I have tried:
>>
>> <protected>
>>   <filter>
>>     <not>
>>       <q:substring>
>>         <q:matching>stringIgnoreCase</q:matching>
>>         <q:path>
>>           declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>           attributes/icfs:name
>>         </q:path>
>>         <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>         <q:anchorEnd>true</q:anchorEnd>
>>       </q:substring>
>>     </not>
>>   </filter>
>> </protected>
>>
>> The above example tries to match any groups not ending with the managed
>> OU.
>>
>> <protected>
>>   <filter>
>>     <q:equal>
>>       <path>ri:dn</path>
>>       <value>CN=Domain Admins,DC=uninorte,DC=local</value>
>>     </q:equal>
>>   </filter>
>> </protected>
>>
>> This tries to match a specific group.
>>
>> Do you have any suggestion?
>>
>> Best regards,
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
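The thread above turns on how a tolerantValuePattern regex would classify the DNs that AD returns in memberOf. The following is an added example, not code from the original posts or from midPoint: it takes the pattern Nicolas posted verbatim and runs it over a few constructed group DNs, showing which memberships a non-tolerant association would drop on reconcile and which the pattern would spare. It assumes full-match semantics for the pattern (as Java's String.matches gives) and that DN case can vary between values, as the lowercase "cn=Identicum,cn=Users,dc=uninorte,dc=local" in Martin's message suggests; the sample DNs and the is_tolerated/plan_reconcile helpers are the example's own. Note that Pavol states the mechanism is not implemented for associations at the time of the thread, so this checks only what the regex itself would do.

```python
import re

# The tolerantValuePattern from the association definition in the thread, verbatim.
TOLERANT_PATTERN = r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"

# Constructed sample data: group DNs as AD might return them in memberOf.
# The lowercase and mixed-case entries mirror the DN casing seen in the thread.
AD_MEMBER_OF = [
    "CN=VPN_Users,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "CN=Legacy_App,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",            # outside the managed OU
    "CN=Domain Admins,CN=Users,DC=uninorte,DC=local",         # outside the managed OU
    "CN=Shadow,OU=grupos_seguridad,OU=Uninorte,DC=uninorte,DC=local",  # managed OU, different case
]

# Constructed sample data: memberships midPoint knows about (it only sees the managed OU).
MIDPOINT_MEMBER_OF = {
    "CN=VPN_Users,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
}


def is_tolerated(dn, pattern=TOLERANT_PATTERN, ignore_case=False):
    """True if the whole DN matches the tolerant pattern (assumed full-match semantics).

    The negative lookbehind succeeds for DNs that do NOT end with the managed OU,
    so those values are tolerated and left alone on reconcile.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(pattern, dn, flags) is not None


def plan_reconcile(ad_values, midpoint_values, ignore_case=False):
    """Split AD memberships into (keep, remove) for a non-tolerant association.

    A value survives if midPoint already knows it or if the tolerant pattern
    matches it; everything else is what a reconcile would remove from AD.
    """
    keep, remove = [], []
    for dn in ad_values:
        if dn in midpoint_values or is_tolerated(dn, ignore_case=ignore_case):
            keep.append(dn)
        else:
            remove.append(dn)
    return keep, remove


if __name__ == "__main__":
    for ignore_case in (False, True):
        keep, remove = plan_reconcile(AD_MEMBER_OF, MIDPOINT_MEMBER_OF, ignore_case)
        print(f"ignore_case={ignore_case}")
        print("  keep:  ", keep)
        print("  remove:", remove)
```

With the pattern applied case-sensitively, the "CN=Shadow,OU=grupos_seguridad,..." entry is treated as outside the managed OU and tolerated, because the lookbehind text does not match the lowercase OU; with case-insensitive matching it is recognised as managed and removed like any other unknown membership in that OU. Since the substring filter in the thread already uses stringIgnoreCase, the same consideration applies to whichever regex is eventually used.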