[midPoint] AD group filter on reconcile
Jason Everling
jeverling at bshp.edu
Sun Jan 15 16:16:19 CET 2017
I don't have it set, unless the default with no value present is 'true'.
<association>
    <c:ref>ri:group</c:ref>
    <displayName>Security Groups</displayName>
    <kind>entitlement</kind>
    <intent>group</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>icfs:name</valueAttribute>
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
<association>
    <c:ref>ri:crsgroups</c:ref>
JASON
On Sat, Jan 14, 2017 at 5:28 PM, Nicolas Rossi <nrossi at identicum.com> wrote:
> Do you have the tolerance=false configuration on the association
> definition?
>
> On Sat, Jan 14, 2017 at 20:03, Jason Everling <jeverling at bshp.edu> wrote:
>
>> Not sure on that, still using the .NET AD connector, our users are still
>> members of groups that midPoint is not managing. It would NOT be good if it
>> removed groups that midPoint was not managing.
>>
>> JASON
>>
>> On Sat, Jan 14, 2017 at 3:47 PM, Nicolas Rossi <nrossi at identicum.com>
>> wrote:
>>
>> Hi Jason, thank you for your feedback. I'll try it. Do you know if it
>> works with associations? Because we trigger a user modification, not a group
>> modification. The user has an association to the group through the memberOf
>> attribute and it looks like this modification does not filter the group
>> definition (i.e. protected, baseContext...).
>>
>> Regards,
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Sat, Jan 14, 2017 at 5:20 PM, Jason Everling <jeverling at bshp.edu>
>> wrote:
>>
>> We filter out unwanted groups, Pavol or Ivan helped with this a long time
>> ago, would this not work under the sync settings? The below filters out any
>> groups with the AD attribute 'info' not set to mpgroup. When we create a
>> role in midPoint that should be an AD group we set the roleType to mpgroup
>> and it then gets pushed to AD, like the role below only assigns the
>> metarole with inducements if mpgroup is present.
>>
>> <objectClass>ri:CustomGroupObjectClass</objectClass>
>> <kind>entitlement</kind>
>> <intent>group</intent>
>> <focusType>c:RoleType</focusType>
>> <enabled>true</enabled>
>> <condition>
>>     <script>
>>         <code>
>>             tmp = basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'info');
>>             return (tmp == 'mpgroup')
>>         </code>
>>     </script>
>> </condition>
>> <correlation>
>>     <q:equal>
>>         <q:path>c:name</q:path>
>>         <expression>
>>             <script>
>>
>> Role:
>>
>> <mapping>
>>     <name>Metarole Security Group Assignment</name>
>>     <authoritative>true</authoritative>
>>     <source>
>>         <c:path>roleType</c:path>
>>     </source>
>>     <expression>
>>         <assignmentTargetSearch>
>>             <targetType>c:RoleType</targetType>
>>             <oid>11111111-2222-3333-4444-200000000001</oid>
>>         </assignmentTargetSearch>
>>     </expression>
>>     <target>
>>         <c:path>assignment</c:path>
>>     </target>
>>     <condition>
>>         <script>
>>             <code>roleType == 'mpgroup'</code>
>>         </script>
>>     </condition>
>> </mapping>
>>
>> JASON
>>
>> On Sat, Jan 14, 2017 at 5:15 AM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>
>> Hello Nicolas,
>>
>> yes, unfortunately - as I said - it is *not* currently
>> supported. (You can look at ReconciliationProcessor.decideIfTolerate
>> vs decideIfTolerateAssociation.)
>>
>> More details (but maybe not much, anyway) can be seen by enabling
>> TRACE logging for com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor.
>> But that wouldn't help with associations, anyway. Only with
>> attributes.
>>
>> Using the memberOf attribute might *probably* help. But you
>> would need to forget about managing that attribute using
>> associations, and return to managing its values explicitly. (A
>> step back into the times of midPoint 2.x.) That would probably mean a
>> lot of complications, and I strongly do not recommend it.
>>
>> Maybe the best way would be to wait for Radovan. He'll
>> certainly be able to tell what to do.
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 14.01.2017 11:59, Nicolas Rossi wrote:
>>
>> Hi Pavol, I tried with that setting but it didn't work. Here is
>> my configuration:
>>
>> <association>
>>     <c:ref>ri:group</c:ref>
>>     <displayName>AD Group Membership</displayName>
>>     <tolerant>false</tolerant>
>>     <tolerantValuePattern>.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</tolerantValuePattern>
>>     <exclusiveStrong>false</exclusiveStrong>
>>     <kind>entitlement</kind>
>>     <intent>group</intent>
>>     <direction>objectToSubject</direction>
>>     <associationAttribute>ri:member</associationAttribute>
>>     <valueAttribute>ri:dn</valueAttribute>
>>     <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>> </association>
>>
>> The regex matches strings not ending
>> with "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
>> (groups outside our managed OU), expecting to be tolerant
>> with those values.
>>
>> Does it work for associations the same way it does for attributes?
>> Maybe I should create the "memberOf" attribute and define the
>> tolerantValuePattern there.
>>
>> Which log should I enable to get more information about the
>> pattern evaluation?
>>
>> Best regards,
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Sat, Jan 14, 2017 at 7:22 AM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>
>> Nicolas, Martin,
>>
>> for attributes, there is the tolerantValuePattern/intolerantValuePattern
>> property pair that could help. Unfortunately, a similar
>> mechanism for associations is not implemented yet. I'm
>> afraid that neither baseContext nor protected accounts
>> are relevant means to help in your case.
>>
>> Maybe Radovan or someone with more experience in this
>> area could help you.
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 14.01.2017 0:59, Martin Besozzi wrote:
>>
>> Hi All.
>>
>> Also we changed the "baseContext" definition
>> in order to avoid the groups outside the
>> "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".
>>
>> <baseContext>
>>     <objectClass>ri:organizationalUnit</objectClass>
>>     <filter>
>>         <q:equal>
>>             <q:path>attributes/dn</q:path>
>>             <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>         </q:equal>
>>     </filter>
>> </baseContext>
>>
>> But the user shows the group association
>> "cn=Identicum,cn=Users,dc=uninorte,dc=local"
>> which is outside the base context.
>>
>> [image: Inline image 1]
>>
>> Do you have any suggestion?
>>
>> Best regards
>>
>> Ing Martin Besozzi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi <nrossi at identicum.com>
>> wrote:
>>
>> Hi guys, I have a working AD LDAP resource.
>> The group association has the tolerant flag set to false.
>> So when I reconcile the user, it removes the user's group
>> memberships found in AD and not in midPoint. I'd like to
>> apply a filter there because midPoint only sees groups under
>> a specific organizational unit. So when the user has groups
>> outside this OU they are also removed.
>>
>> I tried with a baseContext definition under the schemaHandling
>> and a protected definition but nothing worked.
>>
>> Here are some examples of protected configurations I have tried:
>>
>> <protected>
>>     <filter>
>>         <not>
>>             <q:substring>
>>                 <q:matching>stringIgnoreCase</q:matching>
>>                 <q:path>
>>                     declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>                     attributes/icfs:name
>>                 </q:path>
>>                 <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>                 <q:anchorEnd>true</q:anchorEnd>
>>             </q:substring>
>>         </not>
>>     </filter>
>> </protected>
>>
>> The above example tries to match any groups not ending
>> with the managed OU.
>>
>> <protected>
>>     <filter>
>>         <q:equal>
>>             <path>ri:dn</path>
>>             <value>CN=Domain Admins,DC=uninorte,DC=local</value>
>>         </q:equal>
>>     </filter>
>> </protected>
>>
>> This tries to match a specific group.
>>
>> Do you have any suggestion?
>>
>> Best regards,
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
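An added example, not from the thread and not midPoint's own code: a small Python model of the attribute-level tolerance rule Pavol describes (the tolerant flag plus tolerantValuePattern/intolerantValuePattern), run over the DN pattern Nicolas posted and a constructed set of group memberships. The function names, the precedence between tolerant and intolerant patterns, and the sample groups are assumptions; at the time of the thread midPoint applied this rule to attributes only, so the model shows which memberships the pattern would protect once such a rule applies to the association.

```python
import re

# The page's tolerantValuePattern: matches DNs that do NOT end with the managed OU.
MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
TOLERANT_VALUE_PATTERN = r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"


def decide_if_tolerate(value, tolerant, tolerant_patterns=(), intolerant_patterns=()):
    """Hypothetical model (not midPoint's ReconciliationProcessor.decideIfTolerate)
    of the attribute-level rule: a resource value midPoint does not expect is kept
    if it matches a tolerant pattern, dropped if it matches an intolerant one,
    otherwise `tolerant` decides. Matching is whole-value and case-sensitive."""
    if any(re.fullmatch(p, value) for p in tolerant_patterns):
        return True
    if any(re.fullmatch(p, value) for p in intolerant_patterns):
        return False
    return tolerant


def reconcile(expected, found_on_resource, tolerant, tolerant_patterns=(), intolerant_patterns=()):
    """Values reconciliation would delete; expected (assigned) values are always kept."""
    return [
        v for v in found_on_resource
        if v not in expected
        and not decide_if_tolerate(v, tolerant, tolerant_patterns, intolerant_patterns)
    ]


# Constructed sample, not from the thread: one managed group assigned in midPoint,
# one managed group that is not, and two groups outside the managed OU.
EXPECTED = {"CN=App_Finance," + MANAGED_OU}
FOUND_IN_AD = [
    "CN=App_Finance," + MANAGED_OU,                # managed and assigned: keep
    "CN=App_Legacy," + MANAGED_OU,                 # managed, not assigned: remove
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",  # outside the managed OU: keep
    "CN=Domain Admins,DC=uninorte,DC=local",       # outside the managed OU: keep
]


def removed_without_pattern():
    """tolerant=false alone: every unassigned membership is removed, managed or not."""
    return reconcile(EXPECTED, FOUND_IN_AD, tolerant=False)


def removed_with_pattern():
    """tolerant=false plus the page's pattern: only the stray managed-OU group goes."""
    return reconcile(EXPECTED, FOUND_IN_AD, tolerant=False, tolerant_patterns=(TOLERANT_VALUE_PATTERN,))
```

Because the pattern is case-sensitive, a managed-OU DN returned in lower case would be tolerated as well; an inline `(?i)` flag at the start of the pattern closes that gap.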