[midPoint] AD group filter on reconcile

Nicolas Rossi nrossi at identicum.com
Mon Jan 16 12:19:14 CET 2017


That could be the reason it's working for you. We need the tolerant setting
set to false, because we are working with role inheritance, and if we modify
some role definition (add or remove inducements) we need to apply these
changes to the user on the resource. So when the resource reads a user group
that was not assigned by midPoint (out of scope), it is removed.

Regards,



Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Sun, Jan 15, 2017 at 12:16 PM, Jason Everling <jeverling at bshp.edu> wrote:

> I don't have it set, unless the default with no value present is 'true'.
>
>          <association>
>             <c:ref>ri:group</c:ref>
>             <displayName>Security Groups</displayName>
>             <kind>entitlement</kind>
>             <intent>group</intent>
>             <direction>objectToSubject</direction>
>             <associationAttribute>ri:member</associationAttribute>
>             <valueAttribute>icfs:name</valueAttribute>
>             <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>          </association>
>          <association>
>             <c:ref>ri:crsgroups</c:ref>
>
>
> JASON
>
> On Sat, Jan 14, 2017 at 5:28 PM, Nicolas Rossi <nrossi at identicum.com>
> wrote:
>
>> Do you have the tolerance=false configuration on the association
>> definition?
>>
>>
>>
>> On Sat, Jan 14, 2017 at 20:03, Jason Everling <
>> jeverling at bshp.edu> wrote:
>>
>>> Not sure on that, still using the .NET AD connector, our users are still
>>> members of groups that midpoint is not managing. It would NOT be good if it
>>> removed groups that midpoint was not managing.
>>>
>>> JASON
>>>
>>>
>>>
>>> On Sat, Jan 14, 2017 at 3:47 PM, Nicolas Rossi <nrossi at identicum.com>
>>> wrote:
>>>
>>> Hi Jason, thank you for your feedback. I'll try it. Do you know if it
>>> works with associations? Because we trigger a user modification, not a group
>>> modification. The user has an association to the group through the memberOf
>>> attribute and it looks like this modification does not filter the group
>>> definition (i.e. protected, baseContext...).
>>>
>>> Regards,
>>>
>>>
>>>
>>> Ing Nicolás Rossi
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050
>>> www.identicum.com
>>>
>>>
>>>
>>> On Sat, Jan 14, 2017 at 5:20 PM, Jason Everling <jeverling at bshp.edu>
>>> wrote:
>>>
>>> We filter out unwanted groups; Pavol or Ivan helped with this a long
>>> time ago. Would this not work under the sync settings? The below filters
>>> out any groups with the AD attribute 'info' not set to mpgroup. When we
>>> create a role in midPoint that should be an AD group we set the roleType to
>>> mpgroup and it then gets pushed to AD; the role below only assigns the
>>> metarole with inducements if mpgroup is present.
>>>
>>>          <objectClass>ri:CustomGroupObjectClass</objectClass>
>>>          <kind>entitlement</kind>
>>>          <intent>group</intent>
>>>          <focusType>c:RoleType</focusType>
>>>          <enabled>true</enabled>
>>>          <condition>
>>>             <script>
>>>                <code>
>>>                   tmp = basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'info');
>>>                   return (tmp == 'mpgroup')
>>>                </code>
>>>             </script>
>>>          </condition>
>>>          <correlation>
>>>             <q:equal>
>>>                <q:path>c:name</q:path>
>>>                <expression>
>>>                   <script>
>>>
>>> Role:
>>>
>>>    <mapping>
>>>       <name>Metarole Security Group Assignment</name>
>>>       <authoritative>true</authoritative>
>>>       <source>
>>>          <c:path>roleType</c:path>
>>>       </source>
>>>       <expression>
>>>          <assignmentTargetSearch>
>>>             <targetType>c:RoleType</targetType>
>>>             <oid>11111111-2222-3333-4444-200000000001</oid>
>>>          </assignmentTargetSearch>
>>>       </expression>
>>>       <target>
>>>          <c:path>assignment</c:path>
>>>       </target>
>>>       <condition>
>>>          <script>
>>>             <code>roleType == 'mpgroup'</code>
>>>          </script>
>>>       </condition>
>>>    </mapping>
>>>
>>> JASON
>>>
>>>
>>>
>>> On Sat, Jan 14, 2017 at 5:15 AM, Pavol Mederly <mederly at evolveum.com>
>>> wrote:
>>>
>>> Hello Nicolas,
>>>
>>> yes, unfortunately - as I said - it is *not* currently
>>> supported. (You can look at ReconciliationProcessor.decideIfTolerate
>>> vs decideIfTolerateAssociation.)
>>>
>>> More details (but maybe not much, anyway) can be seen by enabling
>>> TRACE logging for com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor.
>>> But that wouldn't help with associations, anyway. Only with
>>> attributes.
>>>
>>> Using the memberOf attribute might *probably* help. But you
>>> would need to forget about managing that attribute using
>>> associations, and return to managing its values explicitly. (A
>>> step back into the times of midPoint 2.x.) That would probably mean a
>>> lot of complications, and I strongly do not recommend it.
>>>
>>> Maybe the best way would be to wait for Radovan. He'll
>>> certainly be able to tell what to do.
>>>
>>> Pavol Mederly
>>> Software developer
>>> evolveum.com
>>>
>>> On 14.01.2017 11:59, Nicolas Rossi wrote:
>>>
>>> Hi Pavol, I tried with that setting but it didn't work. Here is
>>> my configuration:
>>>
>>>
>>> <association>
>>>     <c:ref>ri:group</c:ref>
>>>     <displayName>AD Group Membership</displayName>
>>>     <tolerant>false</tolerant>
>>>     <tolerantValuePattern>.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</tolerantValuePattern>
>>>     <exclusiveStrong>false</exclusiveStrong>
>>>     <kind>entitlement</kind>
>>>     <intent>group</intent>
>>>     <direction>objectToSubject</direction>
>>>     <associationAttribute>ri:member</associationAttribute>
>>>     <valueAttribute>ri:dn</valueAttribute>
>>>     <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>>>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>>> </association>
>>>
>>> The regex matches strings not ending
>>> with "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
>>> (groups outside our managed OU), expecting to be tolerant
>>> with those values.
>>>
>>> Does it work in associations the
>>> same way it does for attributes? Maybe I should create the
>>> "memberOf" attribute and define the tolerantValuePattern
>>> there.
>>>
>>> Which log should I enable to get
>>> more information about the pattern evaluation?
>>>
>>> Best regards,
>>>
>>> Ing Nicolás Rossi
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050
>>> www.identicum.com
>>>
>>> On Sat, Jan 14, 2017 at 7:22 AM, Pavol Mederly <mederly at evolveum.com>
>>> wrote:
>>>
>>> Nicolas, Martin,
>>>
>>> for attributes, there is the tolerantValuePattern/intolerantValuePattern
>>> property pair that could help. Unfortunately, a similar
>>> mechanism for associations is not implemented yet. I'm
>>> afraid that neither baseContext nor protected accounts
>>> are relevant means to help in your case.
>>>
>>> Maybe Radovan or someone with more experience in this
>>> area could help you.
>>>
>>> Pavol Mederly
>>> Software developer
>>> evolveum.com
>>>
>>> On 14.01.2017 0:59, Martin Besozzi wrote:
>>>
>>> Hi All,
>>>
>>> We also changed the "baseContext" definition
>>> in order to avoid the groups outside
>>> "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".
>>>
>>> <baseContext>
>>>     <objectClass>ri:organizationalUnit</objectClass>
>>>     <filter>
>>>         <q:equal>
>>>             <q:path>attributes/dn</q:path>
>>>             <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>>         </q:equal>
>>>     </filter>
>>> </baseContext>
>>>
>>> But the user shows the group association
>>> "cn=Identicum,cn=Users,dc=uninorte,dc=local",
>>> which is outside the base context.
>>>
>>> [image: Inline image 1]
>>>
>>> Do you have any suggestion?
>>>
>>> Best regards
>>>
>>> Ing Martin Besozzi
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050
>>> www.identicum.com
>>>
>>> On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi <nrossi at identicum.com>
>>> wrote:
>>>
>>> Hi guys, I have a working AD LDAP resource.
>>> The group association has the tolerant flag set to
>>> false. So when I reconcile the user, it
>>> removes the user's group memberships found
>>> in AD and not in midPoint. I'd like to
>>> apply a filter there because midPoint only
>>> sees groups under a specific organizational
>>> unit. So when the user has groups outside
>>> this OU they are also removed.
>>>
>>> I tried with a baseContext definition under
>>> the schemaHandling and a protected
>>> definition but nothing worked.
>>>
>>> Here are some examples of protected
>>> configurations I have tried:
>>>
>>> <protected>
>>>   <filter>
>>>     <not>
>>>       <q:substring>
>>>         <q:matching>stringIgnoreCase</q:matching>
>>>         <q:path>
>>>           declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>>           attributes/icfs:name
>>>         </q:path>
>>>         <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>>         <q:anchorEnd>true</q:anchorEnd>
>>>       </q:substring>
>>>     </not>
>>>   </filter>
>>> </protected>
>>>
>>> The above example tries to match any groups not ending
>>> with the managed OU.
>>>
>>> <protected>
>>>     <filter>
>>>        <q:equal>
>>>           <path>ri:dn</path>
>>>           <value>CN=Domain Admins,DC=uninorte,DC=local</value>
>>>        </q:equal>
>>>     </filter>
>>> </protected>
>>>
>>> This tries to match a specific group.
>>>
>>> Do you have any suggestion?
>>>
>>> Best regards,
>>>
>>> Ing Nicolás Rossi
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050
>>> www.identicum.com
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
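Added example (the editor's, not code from this thread or from midPoint): the script below replays a tolerant / tolerantValuePattern / intolerantValuePattern decision over a constructed set of group DNs, using the pattern exactly as posted earlier in the thread, so the effect of tolerant=false can be checked before it is deployed against a real resource. The decision rules in decide(), the full-match regex semantics, the sample DNs and every function name are assumptions of this example; midPoint's real ReconciliationProcessor is not consulted, and, as Pavol notes above, midPoint did not apply these patterns to associations at the time, only to attributes. The example also goes one step beyond the thread: the association value in Martin's message comes back in lower case ("cn=Identicum,cn=Users,dc=uninorte,dc=local"), and the posted pattern is case-sensitive, so a lower-case managed-OU group would survive the cleanup it was meant to perform.

```python
"""Added example; not code from the thread or from midPoint itself.

Replays a tolerant / tolerantValuePattern / intolerantValuePattern decision
over a sample account's group DNs.  The rules in decide() are this example's
reading of midPoint's attribute tolerance semantics and are an assumption:
values produced by midPoint are always kept; an intolerantValuePattern match
removes any other value; tolerant=true keeps the rest; tolerant=false removes
the rest unless a tolerantValuePattern matches.  Patterns are applied with
full-match semantics (assumption; the posted pattern is anchored anyway).
"""
import re
from typing import Dict, Iterable, List, Sequence

# The pattern exactly as posted in the thread: matches DNs that do NOT end
# with the managed OU, i.e. tolerates (never removes) groups outside it.
POSTED_PATTERN = r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"
# Same intent, case-insensitive: AD returns DNs in mixed case (the thread's
# own example value is "cn=Identicum,cn=Users,dc=uninorte,dc=local").
CASE_INSENSITIVE_PATTERN = "(?i)" + POSTED_PATTERN

# Constructed sample data.  The first two DNs live in the managed OU, the
# third is the out-of-scope group from the thread, the fourth is the Domain
# Admins DN from the thread, the fifth is a managed-OU group as AD might
# return it in lower case.  Only "Developers" is assigned in midPoint.
ACCOUNT_MEMBER_OF = [
    "CN=Developers,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "CN=Old_Project,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",
    "CN=Domain Admins,DC=uninorte,DC=local",
    "cn=stale,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",
]
ASSIGNED_BY_MIDPOINT = [
    "CN=Developers,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
]


def _matches_any(patterns: Sequence[str], value: str) -> bool:
    """True if any pattern matches the whole value (assumed midPoint semantics)."""
    return any(re.fullmatch(p, value) is not None for p in patterns)


def decide(current: Iterable[str], assigned: Iterable[str], tolerant: bool,
           tolerant_patterns: Sequence[str] = (),
           intolerant_patterns: Sequence[str] = ()) -> Dict[str, str]:
    """Return {value: 'keep' | 'remove'} for each value found on the account."""
    assigned_set = set(assigned)
    result: Dict[str, str] = {}
    for value in current:
        if value in assigned_set:
            result[value] = "keep"    # produced by midPoint: never touched
        elif _matches_any(intolerant_patterns, value):
            result[value] = "remove"  # explicitly not tolerated
        elif tolerant or _matches_any(tolerant_patterns, value):
            result[value] = "keep"    # tolerated: left as found on the resource
        else:
            result[value] = "remove"  # intolerant attribute, unassigned value
    return result


def removed(decisions: Dict[str, str]) -> List[str]:
    """Sorted list of the values reconciliation would strip from the account."""
    return sorted(v for v, d in decisions.items() if d == "remove")


def scenario_intolerant_no_pattern() -> Dict[str, str]:
    """tolerant=false and no pattern: every unassigned group goes, including
    groups midPoint never managed (the behaviour the thread complains about)."""
    return decide(ACCOUNT_MEMBER_OF, ASSIGNED_BY_MIDPOINT, tolerant=False)


def scenario_posted_pattern() -> Dict[str, str]:
    """The posted pattern keeps out-of-scope groups but, being case-sensitive,
    also keeps the lower-case managed-OU group it was meant to clean up."""
    return decide(ACCOUNT_MEMBER_OF, ASSIGNED_BY_MIDPOINT, tolerant=False,
                  tolerant_patterns=[POSTED_PATTERN])


def scenario_case_insensitive_pattern() -> Dict[str, str]:
    """With (?i) only the two unassigned managed-OU groups are removed."""
    return decide(ACCOUNT_MEMBER_OF, ASSIGNED_BY_MIDPOINT, tolerant=False,
                  tolerant_patterns=[CASE_INSENSITIVE_PATTERN])


if __name__ == "__main__":
    for name, fn in [("no pattern", scenario_intolerant_no_pattern),
                     ("posted pattern", scenario_posted_pattern),
                     ("case-insensitive pattern", scenario_case_insensitive_pattern)]:
        print(f"{name}: would remove {removed(fn())}")
```

Run it with python3. The first scenario strips four memberships, among them Domain Admins and the out-of-scope Identicum group; the posted pattern narrows that to Old_Project but lets the lower-case managed-OU group through; the (?i) variant removes exactly the two unassigned managed-OU groups. The practical check this suggests is to compare DNs case-insensitively and to test any tolerance pattern against DNs in the form the connector actually returns them, not in the form they were typed in the console.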
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170116/a42c540a/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 26154 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170116/a42c540a/attachment.png>

