[midPoint] AD group filter on reconcile

Nicolas Rossi nrossi at identicum.com
Sun Jan 15 00:28:09 CET 2017


Do you have the tolerance=false configuration on the association definition?



On Sat, 14 Jan 2017 at 20:03, Jason Everling <jeverling at bshp.edu> wrote:

> Not sure on that, still using the .NET AD connector, our users are still
> members of groups that midpoint is not managing. It would NOT be good if it
> removed groups that midpoint was not managing.
>
> JASON
>
>
>
> On Sat, Jan 14, 2017 at 3:47 PM, Nicolas Rossi <nrossi at identicum.com>
> wrote:
>
> Hi Jason, thank you for your feedback. I'll try it. Do you know if it
> works with associations? Because we trigger a user modification, not a group
> modification. The user has an association to the group through the memberOf
> attribute and it looks like this modification does not filter the group
> definition (i.e. protected, baseContext, ...).
>
> Regards,
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
>
>
> On Sat, Jan 14, 2017 at 5:20 PM, Jason Everling <jeverling at bshp.edu>
> wrote:
>
> We filter out unwanted groups, Pavol or Ivan helped with this a long time
> ago, would this not work under the sync settings? The below filters out any
> groups with the AD attribute 'info' not set to mpgroup. When we create a
> role in midPoint that should be an AD group we set the roleType to mpgroup
> and it then gets pushed to AD, like the role below only assigns the
> metarole with inducements if mpgroup is present.
>
>    <objectClass>ri:CustomGroupObjectClass</objectClass>
>    <kind>entitlement</kind>
>    <intent>group</intent>
>    <focusType>c:RoleType</focusType>
>    <enabled>true</enabled>
>    <condition>
>       <script>
>          <code>
>             tmp = basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'info');
>             return (tmp == 'mpgroup')
>          </code>
>       </script>
>    </condition>
>    <correlation>
>       <q:equal>
>          <q:path>c:name</q:path>
>          <expression>
>             <script>
>
> Role:
>
>    <mapping>
>       <name>Metarole Security Group Assignment</name>
>       <authoritative>true</authoritative>
>       <source>
>          <c:path>roleType</c:path>
>       </source>
>       <expression>
>          <assignmentTargetSearch>
>             <targetType>c:RoleType</targetType>
>             <oid>11111111-2222-3333-4444-200000000001</oid>
>          </assignmentTargetSearch>
>       </expression>
>       <target>
>          <c:path>assignment</c:path>
>       </target>
>       <condition>
>          <script>
>             <code>roleType == 'mpgroup'</code>
>          </script>
>       </condition>
>    </mapping>
>
> JASON
>
>
>
> On Sat, Jan 14, 2017 at 5:15 AM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
> Hello Nicolas,
>
> yes, unfortunately - as I said - it is *not* currently supported. (You
> can look at ReconciliationProcessor.decideIfTolerate vs
> decideIfTolerateAssociation.)
>
> More details (but maybe not much, anyway) can be seen by enabling TRACE
> logging for
> com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor.
> But that wouldn't help with associations, anyway. Only with attributes.
>
> Using memberOf attribute might *probably* help. But you would need to
> forget about managing that attribute using associations, and return to
> managing its values explicitly. (A step back into times of midPoint 2.x.)
> That would mean probably a lot of complications, and I strongly do not
> recommend it.
>
> Maybe the best way would be to wait for Radovan. He'll be certainly able
> to tell what to do.
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 14.01.2017 11:59, Nicolas Rossi wrote:
>
> Hi Pavol, I tried with that setting but it didn't work. Here is my
> configuration:
>
> <association>
>     <c:ref>ri:group</c:ref>
>     <displayName>AD Group Membership</displayName>
>     <tolerant>false</tolerant>
>     <tolerantValuePattern>.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</tolerantValuePattern>
>     <exclusiveStrong>false</exclusiveStrong>
>     <kind>entitlement</kind>
>     <intent>group</intent>
>     <direction>objectToSubject</direction>
>     <associationAttribute>ri:member</associationAttribute>
>     <valueAttribute>ri:dn</valueAttribute>
>     <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
> </association>
>
> The regex matches strings not ending with
> "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local" (groups outside
> our managed OU), expecting to be tolerant with those values.
>
> Does it work for associations the same way it does for attributes? Maybe
> I should create the "memberOf" attribute and define the
> tolerantValuePattern there.
>
> Which log should I enable to get more information about the pattern
> evaluation?
>
> Best regards,
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Sat, Jan 14, 2017 at 7:22 AM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
> Nicolas, Martin,
>
> for attributes, there is tolerantValuePattern/intolerantValuePattern
> property pair that could help. Unfortunately, similar mechanism for
> associations is not implemented yet. I'm afraid that neither baseContext
> nor protected accounts are relevant means to help in your case.
>
> Maybe Radovan or someone with more experience in this area could help
> you.
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 14.01.2017 0:59, Martin Besozzi wrote:
>
> Hi All.
>
> Also we changed the "baseContext" definition in order to avoid the groups
> outside the "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".
>
> <baseContext>
>     <objectClass>ri:organizationalUnit</objectClass>
>     <filter>
>         <q:equal>
>             <q:path>attributes/dn</q:path>
>             <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>         </q:equal>
>     </filter>
> </baseContext>
>
> But the user shows the group association
> "cn=Identicum,cn=Users,dc=uninorte,dc=local" which is outside the base
> context.
>
> [image: Inline image 1]
>
> Do you have any suggestion?
>
> Best regards
>
> Ing Martin Besozzi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi <nrossi at identicum.com>
> wrote:
>
> Hi guys, I have a working AD LDAP resource. The group association has the
> tolerant flag set to false. So when I reconcile the user, it removes the
> user's group memberships found in AD and not in midPoint. I'd like to
> apply a filter there because midPoint only sees groups under a specific
> organizational unit. So when the user has groups outside this OU they are
> also removed.
>
> I tried with a baseContext definition under the schemaHandling and a
> protected definition but nothing worked.
>
> Here are some examples of protected configurations I have tried:
>
> <protected>
>   <filter>
>     <not>
>       <q:substring>
>         <q:matching>stringIgnoreCase</q:matching>
>         <q:path>
>           declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>           attributes/icfs:name
>         </q:path>
>         <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>         <q:anchorEnd>true</q:anchorEnd>
>       </q:substring>
>     </not>
>   </filter>
> </protected>
>
> The above example tries to match any groups not ending with the managed
> OU.
>
> <protected>
>   <filter>
>     <q:equal>
>       <q:path>ri:dn</q:path>
>       <q:value>CN=Domain Admins,DC=uninorte,DC=local</q:value>
>     </q:equal>
>   </filter>
> </protected>
>
> This tries to match a specific group.
>
> Do you have any suggestion?
>
> Best regards,
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
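The per-value decision the thread is arguing about, as an added example that is not midPoint code and not from any of the posters: a Python dry run of the attribute-level rule Pavol describes (a value found on the resource but absent from midPoint is removed when tolerant=false unless it matches tolerantValuePattern), applied to constructed sample memberOf values with the regex and managed OU exactly as posted. It models attributes only; per Pavol's reply, midPoint did not apply tolerantValuePattern to associations at the time. The run also surfaces a check worth making before relying on the posted regex: it is case-sensitive, while AD DNs are not, so a managed-OU group whose DN comes back in different case would be tolerated (left in place) instead of reconciled. Every DN other than the managed OU is constructed for this example.

```python
import re

# Managed OU and the tolerantValuePattern exactly as posted in the thread.
MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
POSTED_PATTERN = r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"

# Constructed sample data (not from the thread): what midPoint believes the
# user should have, and what AD actually returns in memberOf.
MIDPOINT_MEMBERSHIPS = [
    "CN=App-Admins,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
]
AD_MEMBEROF = [
    "CN=App-Admins,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",   # managed, expected
    "CN=Stale-Group,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",  # managed, not in midPoint
    "CN=Identicum,CN=Users,DC=uninorte,DC=local",                            # outside the managed OU
    "CN=Legacy,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",        # managed OU, different case
]


def reconcile_values(resource_values, expected_values, tolerant=False,
                     tolerant_pattern=None, ignore_case=False):
    """Model of the attribute-level decision described in the thread.

    A value found on the resource but absent from midPoint is kept only if
    tolerant=true or it matches tolerant_pattern; otherwise it is removed.
    Returns (kept, removed) in resource order. ignore_case is a hypothetical
    knob added here to show the effect of case-insensitive matching.
    """
    flags = re.IGNORECASE if ignore_case else 0
    pattern = re.compile(tolerant_pattern, flags) if tolerant_pattern else None
    norm = (lambda s: s.lower()) if ignore_case else (lambda s: s)
    expected = {norm(v) for v in expected_values}
    kept, removed = [], []
    for value in resource_values:
        if norm(value) in expected or tolerant:
            kept.append(value)                 # known to midPoint, or tolerant mode
        elif pattern is not None and pattern.fullmatch(value):
            kept.append(value)                 # tolerated by the pattern, left untouched
        else:
            removed.append(value)              # reconciliation would delete this membership
    return kept, removed


def simulate():
    """Run the configurations discussed in the thread against the sample data."""
    return {
        "intolerant_no_pattern": reconcile_values(AD_MEMBEROF, MIDPOINT_MEMBERSHIPS),
        "posted_pattern": reconcile_values(AD_MEMBEROF, MIDPOINT_MEMBERSHIPS,
                                           tolerant_pattern=POSTED_PATTERN),
        "posted_pattern_ignore_case": reconcile_values(AD_MEMBEROF, MIDPOINT_MEMBERSHIPS,
                                                       tolerant_pattern=POSTED_PATTERN,
                                                       ignore_case=True),
    }


if __name__ == "__main__":
    for name, (kept, removed) in simulate().items():
        print(f"{name}:")
        for v in kept:
            print(f"  keep   {v}")
        for v in removed:
            print(f"  REMOVE {v}")
```

Run as a script it prints a keep/REMOVE line per membership for each configuration; the REMOVE list is what an intolerant reconcile would take away from the user. With no pattern, everything midPoint does not know about is removed, including the group outside the managed OU, which is the behaviour reported in the thread. With the posted pattern the outside group survives, but so does the mixed-case managed-OU group; only the case-insensitive run treats it as stale.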