[midPoint] AD group filter on reconcile
Nicolas Rossi
nrossi at identicum.com
Sat Jan 14 22:47:48 CET 2017
Hi Jason, thank you for your feedback. I'll try it. Do you know if it works
with associations? Because we trigger a user modification, not a group
modification. The user has an association to the group through the memberOf
attribute and it looks like this modification does not filter the group
definition (i.e. protected, baseContext...).
Regards,
Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
On Sat, Jan 14, 2017 at 5:20 PM, Jason Everling <jeverling at bshp.edu> wrote:
> We filter out unwanted groups, Pavol or Ivan helped with this a long time
> ago, would this not work under the sync settings? The below filters out any
> groups with the AD attribute 'info' not set to mpgroup. When we create a
> role in midPoint that should be an AD group we set the roleType to mpgroup
> and it then gets pushed to AD, like the role below only assigns the
> metarole with inducements if mpgroup present.
>
> <objectClass>ri:CustomGroupObjectClass</objectClass>
> <kind>entitlement</kind>
> <intent>group</intent>
> <focusType>c:RoleType</focusType>
> <enabled>true</enabled>
> <condition>
>   <script>
>     <code>
>       tmp = basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'info');
>       return (tmp == 'mpgroup')
>     </code>
>   </script>
> </condition>
> <correlation>
> <q:equal>
> <q:path>c:name</q:path>
> <expression>
> <script>
>
> Role:
>
> <mapping>
> <name>Metarole Security Group Assignment</name>
> <authoritative>true</authoritative>
> <source>
> <c:path>roleType</c:path>
> </source>
> <expression>
> <assignmentTargetSearch>
> <targetType>c:RoleType</targetType>
> <oid>11111111-2222-3333-4444-200000000001</oid>
> </assignmentTargetSearch>
> </expression>
> <target>
> <c:path>assignment</c:path>
> </target>
> <condition>
> <script>
> <code>roleType == 'mpgroup'</code>
> </script>
> </condition>
> </mapping>
>
> JASON
>
> On Sat, Jan 14, 2017 at 5:15 AM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
>> Hello Nicolas,
>>
>> yes, unfortunately - as I said - it is *not* currently supported. (You
>> can look at ReconciliationProcessor.decideIfTolerate vs
>> decideIfTolerateAssociation.)
>>
>> More details (but maybe not much, anyway) can be seen by enabling TRACE
>> logging for com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor.
>> But that wouldn't help with associations, anyway. Only with attributes.
>>
>> Using memberOf attribute might *probably* help. But you would need to
>> forget about managing that attribute using associations, and return to
>> managing its values explicitly. (A step back into times of midPoint 2.x.)
>> That would mean probably a lot of complications, and I strongly do not
>> recommend it.
>>
>> Maybe the best way would be to wait for Radovan. He'll be certainly able
>> to tell what to do.
>>
>> Pavol Mederly
>> Software developer, evolveum.com
>>
>> On 14.01.2017 11:59, Nicolas Rossi wrote:
>>
>> Hi Pavol, I tried with that setting but it didn't work. Here is my
>> configuration:
>>
>> <association>
>>   <c:ref>ri:group</c:ref>
>>   <displayName>AD Group Membership</displayName>
>>   <tolerant>false</tolerant>
>>   <tolerantValuePattern>.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</tolerantValuePattern>
>>   <exclusiveStrong>false</exclusiveStrong>
>>   <kind>entitlement</kind>
>>   <intent>group</intent>
>>   <direction>objectToSubject</direction>
>>   <associationAttribute>ri:member</associationAttribute>
>>   <valueAttribute>ri:dn</valueAttribute>
>>   <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>   <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>>   <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>> </association>
>>
>> The regex matches strings not ending with "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
>> (groups outside our managed OU), expecting to be tolerant with those values.
>>
>> Does it work in associations the same way it does for attributes?
>> Maybe I should create the "memberOf" attribute and define the
>> tolerantValuePattern there.
>>
>> Which log should I enable to get more information about the pattern
>> evaluation?
>>
>> Best regards,
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Sat, Jan 14, 2017 at 7:22 AM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>
>>> Nicolas, Martin,
>>>
>>> for attributes, there is tolerantValuePattern/intolerantValuePattern
>>> property pair that could help. Unfortunately, similar mechanism for
>>> associations is not implemented yet. I'm afraid that neither baseContext
>>> nor protected accounts are relevant means to help in your case.
>>>
>>> Maybe Radovan or someone with more experiences in this area could help
>>> you.
>>>
>>> Pavol Mederly
>>> Software developer, evolveum.com
>>>
>>> On 14.01.2017 0:59, Martin Besozzi wrote:
>>>
>>> Hi, All.
>>> Also we changed the "baseContext" definition in order to avoid the
>>> groups outside the "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".
>>>
>>>
>>> <baseContext>
>>>   <objectClass>ri:organizationalUnit</objectClass>
>>>   <filter>
>>>     <q:equal>
>>>       <q:path>attributes/dn</q:path>
>>>       <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>>     </q:equal>
>>>   </filter>
>>> </baseContext>
>>>
>>> But the user shows the group association
>>> "cn=Identicum,cn=Users,dc=uninorte,dc=local", which is outside the base
>>> context.
>>>
>>>
>>> Do you have any suggestion?
>>>
>>> Best regards
>>>
>>>
>>> Ing Martin Besozzi
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050
>>> www.identicum.com
>>>
>>> On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi <nrossi at identicum.com>
>>> wrote:
>>>
>>>> Hi guys, I have a working AD LDAP resource. The group association has the
>>>> tolerant flag set to false. So when I reconcile the user, it removes the user's
>>>> group memberships found in AD and not in midPoint. I'd like to apply a
>>>> filter there because midPoint only sees groups under a specific
>>>> organizational unit. So when the user has groups outside this OU they are
>>>> also removed.
>>>>
>>>> I tried with a baseContext definition under the schemaHandling and
>>>> protected definition but nothing worked.
>>>>
>>>> Here are some examples of protected configurations I have tried:
>>>>
>>>> <protected>
>>>>   <filter>
>>>>     <not>
>>>>       <q:substring>
>>>>         <q:matching>stringIgnoreCase</q:matching>
>>>>         <q:path>
>>>>           declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>>>           attributes/icfs:name
>>>>         </q:path>
>>>>         <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>>>         <q:anchorEnd>true</q:anchorEnd>
>>>>       </q:substring>
>>>>     </not>
>>>>   </filter>
>>>> </protected>
>>>>
>>>> The above example tries to match any groups not ending with the managed
>>>> OU.
>>>>
>>>> <protected>
>>>>   <filter>
>>>>     <q:equal>
>>>>       <path>ri:dn</path>
>>>>       <value>CN=Domain Admins,DC=uninorte,DC=local</value>
>>>>     </q:equal>
>>>>   </filter>
>>>> </protected>
>>>>
>>>> This tries to match a specific group.
>>>>
>>>> Do you have any suggestion?
>>>>
>>>> Best regards,
>>>>
>>>>
>>>>
>>>> Ing Nicolás Rossi
>>>> Identicum S.A.
>>>> Jorge Newbery 3226
>>>> Tel: +54 (11) 4552-3050
>>>> www.identicum.com
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
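The thread above turns on what a tolerantValuePattern such as `.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$` would do to the group DNs a reconcile finds on a user. The following Python script is an added example, not code from this thread and not midPoint's own implementation: it models the tolerance decision as documented for attributes (an intolerant pattern forces removal, a tolerant pattern forces keeping, otherwise the plain tolerant flag decides) and runs it over constructed sample DNs. Pavol notes that in the midPoint version discussed the patterns are not applied to associations at all, so this only shows the intended semantics. The class and function names, the assumption that patterns match the whole value (as Java's String.matches does), and the optional case folding are all this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample values based on the DNs quoted in the thread.
MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
# The tolerantValuePattern from the thread: matches any value that does NOT
# end with the managed OU (negative lookbehind anchored at end of string).
TOLERANT_PATTERN = r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"


@dataclass
class AssociationPolicy:
    """Hypothetical model of the tolerance settings on an association/attribute."""
    tolerant: bool = False
    tolerant_patterns: List[str] = field(default_factory=list)
    intolerant_patterns: List[str] = field(default_factory=list)
    ignore_case: bool = False  # assumption: whether DN comparison folds case

    def _matches(self, pattern: str, value: str) -> bool:
        flags = re.IGNORECASE if self.ignore_case else 0
        # Assumption: a pattern must match the whole value (String.matches
        # semantics); re.fullmatch reproduces that.
        return re.fullmatch(pattern, value, flags) is not None

    def is_tolerated(self, value: str) -> bool:
        """Decide whether a value found on the resource but absent from midPoint is kept.
        Order (modelled on the documented attribute semantics; an assumption here):
        an intolerant pattern forces removal, a tolerant pattern forces keeping,
        otherwise the plain tolerant flag decides."""
        if any(self._matches(p, value) for p in self.intolerant_patterns):
            return False
        if any(self._matches(p, value) for p in self.tolerant_patterns):
            return True
        return self.tolerant


def reconcile_memberships(found_on_resource: List[str], expected_in_midpoint: List[str],
                          policy: AssociationPolicy) -> Tuple[List[str], List[str]]:
    """Split the group DNs found on the resource into (kept, removed).
    Values midPoint itself expects are always kept; every other value goes
    through the tolerance decision."""
    norm = (lambda s: s.lower()) if policy.ignore_case else (lambda s: s)
    expected = {norm(v) for v in expected_in_midpoint}
    kept, removed = [], []
    for dn in found_on_resource:
        if norm(dn) in expected or policy.is_tolerated(dn):
            kept.append(dn)
        else:
            removed.append(dn)
    return kept, removed


# Constructed sample: what a reconcile of one user might see in AD.
FOUND_IN_AD = [
    "CN=App_Admins," + MANAGED_OU,                                    # managed, assigned in midPoint
    "CN=Legacy," + MANAGED_OU,                                        # managed, NOT assigned in midPoint
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",                     # outside the managed OU
    "CN=Mixed,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",  # managed OU, different case
]
EXPECTED_IN_MIDPOINT = ["CN=App_Admins," + MANAGED_OU]


def run_demo() -> dict:
    """Return the removal lists for a case-sensitive and a case-folding policy."""
    strict = AssociationPolicy(tolerant=False, tolerant_patterns=[TOLERANT_PATTERN])
    folded = AssociationPolicy(tolerant=False, tolerant_patterns=[TOLERANT_PATTERN],
                               ignore_case=True)
    return {
        "case_sensitive_removed": reconcile_memberships(FOUND_IN_AD, EXPECTED_IN_MIDPOINT, strict)[1],
        "case_insensitive_removed": reconcile_memberships(FOUND_IN_AD, EXPECTED_IN_MIDPOINT, folded)[1],
    }


if __name__ == "__main__":
    for name, removed in run_demo().items():
        print(name)
        for dn in removed:
            print("  would remove:", dn)
```

The case-sensitive run keeps `cn=Identicum,cn=Users,...` (outside the managed OU, as intended) but also keeps `CN=Mixed,ou=grupos_seguridad,...` because the negative lookbehind is a literal, case-sensitive comparison and AD DNs are not case-normalised; only the case-folding policy removes it. That is the check worth making before relying on a DN regex to decide which memberships a reconcile is allowed to strip.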