[midPoint] AD group filter on reconcile

Jason Everling jeverling at bshp.edu
Sun Jan 15 00:00:50 CET 2017


Not sure on that, still using the .NET AD connector, our users are still
members of groups that midpoint is not managing. It would NOT be good if it
removed groups that midpoint was not managing.

JASON

On Sat, Jan 14, 2017 at 3:47 PM, Nicolas Rossi <nrossi at identicum.com> wrote:

> Hi Jason, thank you for your feedback. I'll try it. Do you know if it
> works with associations ? Because we trigger a user modification, not group
> modification. The user has an association to the group through the memberOf
> attribute and it looks like this modification does not filter the group
> definition (i.e.: protected, baseContext..).
>
> Regards,
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Sat, Jan 14, 2017 at 5:20 PM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
>> We filter out unwanted groups. Pavol or Ivan helped with this a long time
>> ago; would this not work under the sync settings? The below filters out any
>> groups with the AD attribute 'info' not set to mpgroup. When we create a
>> role in midPoint that should be an AD group we set the roleType to mpgroup
>> and it then gets pushed to AD; the role below only assigns the
>> metarole with inducements if mpgroup is present.
>>
>>  <objectClass>ri:CustomGroupObjectClass</objectClass>
>>          <kind>entitlement</kind>
>>          <intent>group</intent>
>>          <focusType>c:RoleType</focusType>
>>          <enabled>true</enabled>
>>          <condition>
>>             <script>
>>                <code>
>>                   tmp = basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'info');
>>                   return (tmp == 'mpgroup')
>>                </code>
>>             </script>
>>          </condition>
>>          <correlation>
>>             <q:equal>
>>                <q:path>c:name</q:path>
>>                <expression>
>>                   <script>
>>
>> Role:
>>
>>    <mapping>
>>       <name>Metarole Security Group Assignment</name>
>>       <authoritative>true</authoritative>
>>       <source>
>>          <c:path>roleType</c:path>
>>       </source>
>>       <expression>
>>          <assignmentTargetSearch>
>>             <targetType>c:RoleType</targetType>
>>             <oid>11111111-2222-3333-4444-200000000001</oid>
>>          </assignmentTargetSearch>
>>       </expression>
>>       <target>
>>          <c:path>assignment</c:path>
>>       </target>
>>       <condition>
>>          <script>
>>             <code>roleType == 'mpgroup'</code>
>>          </script>
>>       </condition>
>>    </mapping>
>>
>> JASON
>>
>> On Sat, Jan 14, 2017 at 5:15 AM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>
>>> Hello Nicolas,
>>>
>>> yes, unfortunately - as I said - it is *not* currently supported. (You
>>> can look at ReconciliationProcessor.decideIfTolerate vs
>>> decideIfTolerateAssociation.)
>>>
>>> More details (but maybe not much, anyway) can be seen by enabling TRACE
>>> logging for com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor.
>>> But that wouldn't help with associations, anyway. Only
>>> with attributes.
>>>
>>> Using memberOf attribute might *probably* help. But you would need to
>>> forget about managing that attribute using associations, and return to
>>> managing its values explicitly. (A step back into times of midPoint 2.x.)
>>> That would mean probably a lot of complications, and I strongly do not
>>> recommend it.
>>>
>>> Maybe the best way would be to wait for Radovan. He'll be certainly able
>>> to tell what to do.
>>>
>>> Pavol Mederly
>>> Software developer, evolveum.com
>>>
>>> On 14.01.2017 11:59, Nicolas Rossi wrote:
>>>
>>> Hi Pavol, I tried with that setting but it didn't work. Here is my
>>> configuration:
>>>
>>> <association>
>>>     <c:ref>ri:group</c:ref>
>>>     <displayName>AD Group Membership</displayName>
>>>     <tolerant>false</tolerant>
>>>     <tolerantValuePattern>.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</tolerantValuePattern>
>>>     <exclusiveStrong>false</exclusiveStrong>
>>>     <kind>entitlement</kind>
>>>     <intent>group</intent>
>>>     <direction>objectToSubject</direction>
>>>     <associationAttribute>ri:member</associationAttribute>
>>>     <valueAttribute>ri:dn</valueAttribute>
>>>     <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>>>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>>> </association>
>>>
>>> The regex matches strings not ending with "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
>>> (groups outside our managed OU), expecting it to be tolerant of those values.
>>>
>>> Does it work in association as the same way it does for attributes ?
>>> Maybe I should create the "memberOf" attribute and define the
>>> tolerantValuePattern there.
>>>
>>> Which log should I enable to get more information about the pattern
>>> evaluation ?
>>>
>>> Best regards,
>>>
>>>
>>>
>>>
>>>
>>> Ing Nicolás Rossi
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050
>>> www.identicum.com
>>>
>>> On Sat, Jan 14, 2017 at 7:22 AM, Pavol Mederly <mederly at evolveum.com>
>>> wrote:
>>>
>>>> Nicolas, Martin,
>>>>
>>>> for attributes, there is tolerantValuePattern/intolerantValuePattern
>>>> property pair that could help. Unfortunately, similar mechanism for
>>>> associations is not implemented yet. I'm afraid that neither baseContext
>>>> nor protected accounts are relevant means to help in your case.
>>>>
>>>> Maybe Radovan or someone with more experiences in this area could help
>>>> you.
>>>>
>>>> Pavol Mederly
>>>> Software developer, evolveum.com
>>>>
>>>> On 14.01.2017 0:59, Martin Besozzi wrote:
>>>>
>>>> Hi, All.
>>>> Also we changed the "baseContext" definition in order to avoid the
>>>> groups outside the "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".
>>>>
>>>>
>>>> <baseContext>
>>>>     <objectClass>ri:organizationalUnit</objectClass>
>>>>     <filter>
>>>>         <q:equal>
>>>>             <q:path>attributes/dn</q:path>
>>>>             <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>>>         </q:equal>
>>>>     </filter>
>>>> </baseContext>
>>>>
>>>> But the user shows the group association
>>>> "cn=Identicum,cn=Users,dc=uninorte,dc=local", which is outside the
>>>> base context.
>>>>
>>>> [image: Inline image 1]
>>>>
>>>> Do you have any suggestion ?
>>>>
>>>> Best regards
>>>>
>>>>
>>>> Ing Martin Besozzi
>>>> Identicum S.A.
>>>> Jorge Newbery 3226
>>>> Tel: +54 (11) 4552-3050
>>>> www.identicum.com
>>>>
>>>> On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi <nrossi at identicum.com>
>>>> wrote:
>>>>
>>>>> Hi guys, I have a working AD LDAP resource. The group association has
>>>>> the tolerant flag set to false. So when I reconcile the user, it removes the user's
>>>>> group memberships found in AD and not in midPoint. I'd like to apply a
>>>>> filter there because midPoint only sees groups under a specific
>>>>> organizational unit. So when the user has groups outside this OU they are
>>>>> also removed.
>>>>>
>>>>> I tried with a baseContext definition under the schemaHandling and
>>>>> protected definition but nothing worked.
>>>>>
>>>>> Here are some examples of protected configurations I have tried:
>>>>>
>>>>> <protected>
>>>>>   <filter>
>>>>>     <not>
>>>>>       <q:substring>
>>>>>         <q:matching>stringIgnoreCase</q:matching>
>>>>>         <q:path>
>>>>>           declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>>>>           attributes/icfs:name
>>>>>         </q:path>
>>>>>         <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>>>>         <q:anchorEnd>true</q:anchorEnd>
>>>>>       </q:substring>
>>>>>     </not>
>>>>>   </filter>
>>>>> </protected>
>>>>>
>>>>> The above example tries to match any groups not ending with the
>>>>> managed OU.
>>>>>
>>>>> <protected>
>>>>>     <filter>
>>>>>        <q:equal>
>>>>>         <path>ri:dn</path>
>>>>>         <value>CN=Domain Admins,DC=uninorte,DC=local</value>
>>>>>       </q:equal>
>>>>>    </filter>
>>>>> </protected>
>>>>>
>>>>> This tries to match a specific group.
>>>>>
>>>>> Do you have any suggestion?
>>>>>
>>>>> Best regards,
>>>>>
>>>>>
>>>>> Ing Nicolás Rossi
>>>>> Identicum S.A.
>>>>> Jorge Newbery 3226
>>>>> Tel: +54 (11) 4552-3050
>>>>> www.identicum.com
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
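Added example, not code from the thread or from midPoint itself: a Python stand-in for the Groovy condition and pattern logic discussed above, so the two filtering approaches can be checked offline before touching a resource definition. It applies the tolerantValuePattern regex Nicolas posted to constructed sample DNs (assuming whole-value matching, as Java's String.matches would do; check your midPoint version for the exact semantics), compares it with a normalized DN-suffix check that is case-insensitive and anchored at an RDN boundary, and models Jason's marker-attribute condition (info == mpgroup). plan_reconcile then shows which memberships a tolerant=false reconcile restricted to the managed OU would drop and which it must leave alone. All DNs, group names and function names here are constructed for the example; it illustrates the decision, not a supported midPoint feature.

```python
import re

# Added example (not from the thread or from midPoint): Python stand-in for the
# Groovy logic discussed on the list. All DNs below are constructed sample data.

# The managed group OU from the thread; everything else in AD is "not ours" and
# must survive a reconcile even with tolerant=false.
MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"

# The tolerantValuePattern posted in the thread: match every DN that does NOT end
# with the managed OU. Assumption: applied to the whole value (String.matches).
THREAD_PATTERN = re.compile(
    r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"
)


def thread_regex_tolerates(dn: str) -> bool:
    """True when the thread's regex would mark this group DN as tolerated."""
    return THREAD_PATTERN.fullmatch(dn) is not None


def normalize_dn(dn: str) -> str:
    """Normalize a DN for comparison: trim whitespace around RDN separators and
    lowercase. AD compares DNs case-insensitively and may return a casing
    different from the one you typed, so a case-sensitive regex is a risk.
    Assumption: no escaped commas inside the group RDNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_managed_scope(dn: str, managed_ou: str = MANAGED_OU) -> bool:
    """True when the group is the managed OU or lives somewhere under it.
    Matching "," + suffix keeps "OU=XOU=Grupos_Seguridad,..." out of scope."""
    n, m = normalize_dn(dn), normalize_dn(managed_ou)
    return n == m or n.endswith("," + m)


def is_marked_group(shadow_attributes: dict) -> bool:
    """Jason's alternative: scope by a marker attribute instead of by DN.
    Location- and case-independent, but the marker has to be maintained."""
    return shadow_attributes.get("info") == "mpgroup"


def plan_reconcile(ad_memberships, midpoint_memberships, managed_ou=MANAGED_OU):
    """Simulate a tolerant=false reconcile restricted to the managed scope.
    Returns (remove, keep): memberships reconcile should drop because they are in
    scope but unknown to midPoint, and memberships it must leave alone (out of
    scope, or in scope and already known)."""
    known = {normalize_dn(d) for d in midpoint_memberships}
    remove, keep = [], []
    for dn in ad_memberships:
        if in_managed_scope(dn, managed_ou) and normalize_dn(dn) not in known:
            remove.append(dn)
        else:
            keep.append(dn)
    return remove, keep


# Constructed sample data modelled on the DNs quoted in the thread.
AD_MEMBERSHIPS = [
    "CN=Identicum,CN=Users,DC=uninorte,DC=local",                               # out of scope
    "CN=App_Users,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",        # in scope, known
    "CN=Stale_Group,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",      # in scope, stale
    "cn=Lowercase_Group,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",  # in scope, odd casing
]
MIDPOINT_MEMBERSHIPS = [
    "CN=App_Users,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "CN=Lowercase_Group,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
]


if __name__ == "__main__":
    for dn in AD_MEMBERSHIPS:
        print(f"{dn}\n  regex tolerates: {thread_regex_tolerates(dn)}"
              f"  in managed scope: {in_managed_scope(dn)}")
    remove, keep = plan_reconcile(AD_MEMBERSHIPS, MIDPOINT_MEMBERSHIPS)
    print("would remove:", remove)
    print("would keep:  ", keep)
```

The lowercase DN is the caveat worth running: the thread's regex is case-sensitive, so a managed group whose DN comes back from AD in different casing is silently tolerated and the stale membership survives, while the normalized suffix check still puts it in scope. The regex also has no RDN-boundary anchoring, so a DN ending in "XOU=Grupos_Seguridad,..." would be treated as managed. Normalizing the DN before the suffix comparison, or scoping by a marker attribute the way Jason does, avoids both problems; neither, of course, changes the fact that midPoint at the time of the thread did not evaluate tolerantValuePattern for associations.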