[midPoint] AD group filter on reconcile

Pavol Mederly mederly at evolveum.com
Sat Jan 14 12:15:06 CET 2017


Hello Nicolas,

yes, unfortunately - as I said - it is not currently supported. (You
can look at ReconciliationProcessor.decideIfTolerate vs
decideIfTolerateAssociation.)

More details (but maybe not much, anyway) can be seen by enabling TRACE 
logging for 
com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor. 
But that wouldn't help with associations, anyway. Only with attributes.

Using the memberOf attribute might probably help. But you would need to
forget about managing that attribute using associations, and return to
managing its values explicitly. (A step back into the times of midPoint
2.x.) That would probably mean a lot of complications, and I strongly
do not recommend it.

Maybe the best way would be to wait for Radovan. He'll certainly be able
to tell what to do.

Pavol Mederly
Software developer
evolveum.com

On 14.01.2017 11:59, Nicolas Rossi wrote:
> Hi Pavol, I tried with that setting but it didn't work. Here is my
> configuration:
>
> <association>
>     <c:ref>ri:group</c:ref>
>     <displayName>AD Group Membership</displayName>
>     <tolerant>false</tolerant>
>     <tolerantValuePattern>.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</tolerantValuePattern>
>     <exclusiveStrong>false</exclusiveStrong>
>     <kind>entitlement</kind>
>     <intent>group</intent>
>     <direction>objectToSubject</direction>
>     <associationAttribute>ri:member</associationAttribute>
>     <valueAttribute>ri:dn</valueAttribute>
>     <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
> </association>
>
> The regex matches strings not ending with
> "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local" (groups outside
> our managed OU), expecting it to be tolerant with those values.
>
> Does it work for associations the same way it does for attributes?
> Maybe I should create the "memberOf" attribute and define the
> tolerantValuePattern there.
>
> Which log should I enable to get more information about the pattern
> evaluation?
>
> Best regards,
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Sat, Jan 14, 2017 at 7:22 AM, Pavol Mederly <mederly at evolveum.com> wrote:
>
>     Nicolas, Martin,
>
>     for attributes, there is
>     tolerantValuePattern/intolerantValuePattern property pair that
>     could help. Unfortunately, similar mechanism for associations is
>     not implemented yet. I'm afraid that neither baseContext nor
>     protected accounts are relevant means to help in your case.
>
>     Maybe Radovan or someone with more experience in this area could
>     help you.
>
>     Pavol Mederly
>     Software developer
>     evolveum.com
>
>     On 14.01.2017 0:59, Martin Besozzi wrote:
>>     Hi, All.
>>     Also we changed the "baseContext" definition in order to avoid
>>     the groups outside the
>>     "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".
>>
>>     <baseContext>
>>       <objectClass>ri:organizationalUnit</objectClass>
>>       <filter>
>>         <q:equal>
>>           <q:path>attributes/dn</q:path>
>>           <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>         </q:equal>
>>       </filter>
>>     </baseContext>
>>
>>     But the user shows the group association
>>     "cn=Identicum,cn=Users,dc=uninorte,dc=local" which is outside
>>     the base context.
>>
>>     Inline image 1
>>
>>     Do you have any suggestion?
>>
>>     Best regards
>>
>>
>>     Ing Martin Besozzi
>>     Identicum S.A.
>>     Jorge Newbery 3226
>>     Tel: +54 (11) 4552-3050
>>     www.identicum.com
>>
>>     On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi
>>     <nrossi at identicum.com> wrote:
>>
>>         Hi guys, I have a working AD LDAP resource. The group
>>         association has the tolerant flag set to false. So when I reconcile
>>         the user, it removes the user's group memberships found in AD
>>         and not in midPoint. I'd like to apply a filter there because
>>         midPoint only sees groups under a specific organization unit.
>>         So when the user has groups outside this OU they are also
>>         removed.
>>
>>         I tried with a baseContext definition under the
>>         schemaHandling and protected definition but nothing worked.
>>
>>         Here are some examples of protected configurations I have tried:
>>
>>         <protected>
>>           <filter>
>>             <not>
>>               <q:substring>
>>                 <q:matching>stringIgnoreCase</q:matching>
>>                 <q:path>
>>                   declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>                   attributes/icfs:name
>>                 </q:path>
>>                 <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>                 <q:anchorEnd>true</q:anchorEnd>
>>               </q:substring>
>>             </not>
>>           </filter>
>>         </protected>
>>
>>         The above example tries to match any groups not ending with
>>         the managed OU.
>>
>>         <protected>
>>           <filter>
>>             <q:equal>
>>               <path>ri:dn</path>
>>               <value>CN=Domain Admins,DC=uninorte,DC=local</value>
>>             </q:equal>
>>           </filter>
>>         </protected>
>>
>>         This tries to match a specific group.
>>
>>         Do you have any suggestion?
>>
>>         Best regards,
>>
>>         Ing Nicolás Rossi
>>         Identicum S.A.
>>         Jorge Newbery 3226
>>         Tel: +54 (11) 4552-3050
>>         www.identicum.com
>>
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
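Pavol's point above is that tolerantValuePattern is evaluated only for attributes, not for associations. The Python script below is an added illustration, not code from the thread or from midPoint: it takes the regex quoted in Nicolas's configuration and shows which group DNs it would tolerate and which a tolerant=false reconcile would flag for removal. The group DNs and the set of memberships "assigned by midPoint" are constructed sample data, and the script assumes the pattern is matched against the whole value (the trailing `$` in the quoted pattern suggests anchored matching; midPoint's exact matching semantics are not shown in the thread). It also demonstrates a caveat a reviewer would want checked: the pattern is case-sensitive, while the directory can return DNs in a different case (the lowercase `cn=Identicum,cn=Users,dc=uninorte,dc=local` in Martin's message is one such value), so a lowercase DN inside the managed OU would be treated as tolerated unless the comparison ignores case.

```python
import re

# Added example (not from the thread or from midPoint): simulates how a
# tolerantValuePattern would classify group DNs on a non-tolerant reconcile.
# The managed-OU suffix and the regex are the ones quoted in the thread; the
# group DNs and the "known to midPoint" set are constructed sample data.

MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"

# Nicolas's pattern: a value is tolerated when it does NOT end with the managed OU.
TOLERANT_PATTERN = r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"

# Memberships midPoint itself assigned (constructed sample).
KNOWN_TO_MIDPOINT = {
    "CN=VPN_Users,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
}

# Memberships read back from the directory on reconcile (constructed sample).
READ_FROM_AD = [
    "CN=VPN_Users,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",  # assigned by midPoint
    "CN=Orphan,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",     # inside managed OU, not assigned
    "CN=Domain Admins,CN=Users,DC=uninorte,DC=local",                     # outside managed OU
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",                         # outside managed OU, lowercase DN
    "CN=Legacy,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",     # inside managed OU, lowercase DN
]


def is_tolerated(value, pattern=TOLERANT_PATTERN, ignore_case=False):
    """Return True when the whole value matches the tolerant pattern.

    Assumption: the pattern must match the entire value (anchored matching);
    the thread does not show midPoint's actual matching call.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(pattern, value, flags) is not None


def plan_reconcile(known, observed, pattern=TOLERANT_PATTERN, ignore_case=False):
    """Split observed values into (kept, removed) for a tolerant=false reconcile.

    A value is kept if midPoint assigned it or if the tolerant pattern matches
    it; every other value is flagged for removal.
    """
    kept, removed = [], []
    for value in observed:
        if value in known or is_tolerated(value, pattern, ignore_case):
            kept.append(value)
        else:
            removed.append(value)
    return kept, removed


if __name__ == "__main__":
    # Compare case-sensitive and case-insensitive evaluation of the same pattern.
    for ignore_case in (False, True):
        kept, removed = plan_reconcile(KNOWN_TO_MIDPOINT, READ_FROM_AD, ignore_case=ignore_case)
        print(f"ignore_case={ignore_case}")
        for dn in kept:
            print("  keep  ", dn)
        for dn in removed:
            print("  remove", dn)
```

With case-sensitive matching only the uppercase "CN=Orphan" entry inside the managed OU is flagged for removal; the lowercase "CN=Legacy" entry, although it sits in the same OU, is tolerated because the lookbehind never sees the uppercase suffix. With ignore_case=True both are flagged, while the two groups outside the managed OU stay tolerated in either mode. None of this simulates midPoint's association handling, which, per Pavol's reply, does not evaluate tolerantValuePattern at all in this version.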