[midPoint] AD group filter on reconcile

Jason Everling jeverling at bshp.edu
Sat Jan 14 21:20:45 CET 2017


We filter out unwanted groups; Pavol or Ivan helped with this a long time
ago. Would this not work under the sync settings? The below filters out any
groups with the AD attribute 'info' not set to mpgroup. When we create a
role in midPoint that should be an AD group we set the roleType to mpgroup
and it then gets pushed to AD, like the role below, which only assigns the
metarole with inducements if mpgroup is present.

   <objectClass>ri:CustomGroupObjectClass</objectClass>
   <kind>entitlement</kind>
   <intent>group</intent>
   <focusType>c:RoleType</focusType>
   <enabled>true</enabled>
   <condition>
      <script>
         <code>
            <!-- only groups whose AD 'info' attribute is 'mpgroup' are synchronized -->
            tmp = basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'info');
            return (tmp == 'mpgroup')
         </code>
      </script>
   </condition>
   <correlation>
      <q:equal>
         <q:path>c:name</q:path>
         <expression>
            <script>
               <!-- correlation script cut off in the original message -->
            </script>
         </expression>
      </q:equal>
   </correlation>

Role:

   <mapping>
      <name>Metarole Security Group Assignment</name>
      <authoritative>true</authoritative>
      <source>
         <c:path>roleType</c:path>
      </source>
      <expression>
         <assignmentTargetSearch>
            <targetType>c:RoleType</targetType>
            <oid>11111111-2222-3333-4444-200000000001</oid>
         </assignmentTargetSearch>
      </expression>
      <target>
         <c:path>assignment</c:path>
      </target>
      <condition>
         <script>
            <code>roleType == 'mpgroup'</code>
         </script>
      </condition>
   </mapping>

JASON

On Sat, Jan 14, 2017 at 5:15 AM, Pavol Mederly <mederly at evolveum.com> wrote:

> Hello Nicolas,
>
> yes, unfortunately - as I said - it is *not* currently supported. (You
> can look at ReconciliationProcessor.decideIfTolerate vs
> decideIfTolerateAssociation.)
>
> More details (but maybe not much, anyway) can be seen by enabling TRACE
> logging for com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor.
> But that wouldn't help with associations, anyway. Only with attributes.
>
> Using the memberOf attribute might *probably* help. But you would need to
> forget about managing that attribute using associations, and return to
> managing its values explicitly. (A step back into the times of midPoint 2.x.)
> That would probably mean a lot of complications, and I strongly do not
> recommend it.
>
> Maybe the best way would be to wait for Radovan. He'll certainly be able
> to tell what to do.
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 14.01.2017 11:59, Nicolas Rossi wrote:
>
> Hi Pavol, I tried with that setting but it didn't work. Here is my
> configuration:
>
> <association>
>     <c:ref>ri:group</c:ref>
>     <displayName>AD Group Membership</displayName>
>     <tolerant>false</tolerant>
>     <tolerantValuePattern>.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</tolerantValuePattern>
>     <exclusiveStrong>false</exclusiveStrong>
>     <kind>entitlement</kind>
>     <intent>group</intent>
>     <direction>objectToSubject</direction>
>     <associationAttribute>ri:member</associationAttribute>
>     <valueAttribute>ri:dn</valueAttribute>
>     <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
> </association>
>
> The regex matches strings not ending with "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
> (groups outside our managed OU), expecting it to be tolerant of those values.
>
> Does it work for associations the same way it does for attributes? Maybe
> I should create the "memberOf" attribute and define the
> tolerantValuePattern there.
>
> Which log should I enable to get more information about the pattern
> evaluation?
>
> Best regards,
>
>
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Sat, Jan 14, 2017 at 7:22 AM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
>> Nicolas, Martin,
>>
>> for attributes, there is the tolerantValuePattern/intolerantValuePattern
>> property pair that could help. Unfortunately, a similar mechanism for
>> associations is not implemented yet. I'm afraid that neither baseContext
>> nor protected accounts are relevant means to help in your case.
>>
>> Maybe Radovan or someone with more experience in this area could help
>> you.
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 14.01.2017 0:59, Martin Besozzi wrote:
>>
>> Hi, All.
>> We also changed the "baseContext" definition in order to avoid the
>> groups outside "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".
>>
>>
>> <baseContext>
>>     <objectClass>ri:organizationalUnit</objectClass>
>>     <filter>
>>         <q:equal>
>>             <q:path>attributes/dn</q:path>
>>             <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>         </q:equal>
>>     </filter>
>> </baseContext>
>>
>> But the user shows the group association
>> "cn=Identicum,cn=Users,dc=uninorte,dc=local", which is outside the base
>> context.
>>
>> [image: Inline image 1]
>>
>> Do you have any suggestion ?
>>
>> Best regards
>>
>>
>> Ing Martin Besozzi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi <nrossi at identicum.com>
>> wrote:
>>
>>> Hi guys, I have a working AD LDAP resource. The group association has the
>>> tolerant flag set to false, so when I reconcile the user it removes the user's
>>> group memberships found in AD and not in midPoint. I'd like to apply a
>>> filter there because midPoint only sees groups under a specific
>>> organizational unit, so when the user has groups outside this OU they are
>>> also removed.
>>>
>>> I tried with a baseContext definition under the schemaHandling and a
>>> protected definition, but nothing worked.
>>>
>>> Here are some examples of protected configurations I have tried:
>>>
>>> <protected>
>>>   <filter>
>>>     <!-- all filter elements in the q: query namespace, like the siblings -->
>>>     <q:not>
>>>       <q:substring>
>>>         <q:matching>stringIgnoreCase</q:matching>
>>>         <q:path>
>>>           declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>>           attributes/icfs:name
>>>         </q:path>
>>>         <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>>         <q:anchorEnd>true</q:anchorEnd>
>>>       </q:substring>
>>>     </q:not>
>>>   </filter>
>>> </protected>
>>>
>>> The above example tries to match any groups not ending with the managed
>>> OU.
>>>
>>> <protected>
>>>     <filter>
>>>        <q:equal>
>>>         <!-- shadow attributes live under attributes/, in the q: namespace -->
>>>         <q:path>attributes/ri:dn</q:path>
>>>         <q:value>CN=Domain Admins,DC=uninorte,DC=local</q:value>
>>>       </q:equal>
>>>    </filter>
>>> </protected>
>>>
>>> This tries to match a specific group.
>>>
>>> Do you have any suggestion?
>>>
>>> Best regards,
>>>
>>> Ing Nicolás Rossi
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050
>>> www.identicum.com
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>
>
>
>
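To make the behaviour discussed in the thread concrete, here is an added, constructed model of the reconciliation tolerance decision for one user's group-membership values. It is not midPoint code and was not posted by any participant; it assumes the evaluation order "a value matching tolerantValuePattern is kept, one matching intolerantValuePattern is removed, otherwise the tolerant flag decides", and, following Pavol's statement, that an association honours only the flag. The regex is the one from Nicolas's configuration; the DNs are constructed sample data, and the `Tolerance`, `decide_if_tolerate` and `reconcile` names are this example's own. It also shows a caveat the thread does not cover: the pattern is case-sensitive, while AD DNs are not, so a membership returned in a different case than the pattern would be tolerated even though it is inside the managed OU.

```python
"""Constructed model of midPoint's reconcile tolerance decision (not midPoint code)."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

# Regex from the thread: matches a DN that does NOT end with the managed OU.
OUTSIDE_MANAGED_OU = re.compile(
    r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$")
# Same pattern, case-insensitive. AD DNs are case-insensitive, the regex is
# not, so "ou=grupos_seguridad,..." would otherwise be treated as "outside".
OUTSIDE_MANAGED_OU_CI = re.compile(OUTSIDE_MANAGED_OU.pattern, re.IGNORECASE)


@dataclass
class Tolerance:
    """tolerant flag plus tolerant/intolerantValuePattern lists (assumed model)."""
    tolerant: bool = True
    tolerant_patterns: List[re.Pattern] = field(default_factory=list)
    intolerant_patterns: List[re.Pattern] = field(default_factory=list)


def decide_if_tolerate(value: str, tol: Tolerance) -> bool:
    """Assumed order: tolerant pattern wins, then intolerant pattern, then the flag."""
    if any(p.fullmatch(value) for p in tol.tolerant_patterns):
        return True
    if any(p.fullmatch(value) for p in tol.intolerant_patterns):
        return False
    return tol.tolerant


def reconcile(on_resource: Iterable[str], in_midpoint: Iterable[str],
              tol: Tolerance, patterns_honoured: bool = True
              ) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (kept, removed, to_add) for one user's membership values.

    patterns_honoured=False models an association (per the thread, only the
    tolerant flag applies there); True models a plain attribute like memberOf.
    """
    on_resource, in_midpoint = set(on_resource), set(in_midpoint)
    if not patterns_honoured:
        tol = Tolerance(tolerant=tol.tolerant)
    extra = on_resource - in_midpoint          # present in AD, not assigned in midPoint
    removed = {v for v in extra if not decide_if_tolerate(v, tol)}
    return on_resource - removed, removed, in_midpoint - on_resource


# Constructed sample data: what AD returns in memberOf vs. what midPoint assigned.
AD_MEMBER_OF = [
    "CN=VPN-Users,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "CN=Backup-Operators,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",
    "CN=Domain Admins,CN=Users,DC=uninorte,DC=local",
    "CN=Legacy,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",
]
MIDPOINT_GROUPS = [
    "CN=VPN-Users,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "CN=Wifi,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
]


def scenario_association():
    """Nicolas's setup: tolerant=false on the association, pattern not honoured."""
    return reconcile(AD_MEMBER_OF, MIDPOINT_GROUPS,
                     Tolerance(tolerant=False), patterns_honoured=False)


def scenario_attribute(case_insensitive: bool):
    """Pavol's alternative: memberOf as an attribute with tolerantValuePattern."""
    pat = OUTSIDE_MANAGED_OU_CI if case_insensitive else OUTSIDE_MANAGED_OU
    return reconcile(AD_MEMBER_OF, MIDPOINT_GROUPS,
                     Tolerance(tolerant=False, tolerant_patterns=[pat]))


if __name__ == "__main__":
    for name, result in [("association", scenario_association()),
                         ("attribute, case-sensitive", scenario_attribute(False)),
                         ("attribute, case-insensitive", scenario_attribute(True))]:
        kept, removed, to_add = result
        print(f"{name}: removed={sorted(removed)} to_add={sorted(to_add)}")
```

The association scenario reproduces what Nicolas reports: every membership midPoint did not assign is removed, including the ones outside the managed OU. The attribute scenario keeps the out-of-OU memberships and removes only the unassigned one inside the OU, but with the case-sensitive pattern the lower-case `ou=grupos_seguridad` membership slips through as "outside" and is left in place; compiling the pattern case-insensitively (in a Java regex, a leading `(?i)`) closes that gap. Whether midPoint applies the pattern with a full match or a search does not matter for this particular regex, since `.*` and `$` anchor it to the whole value either way.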