[midPoint] AD group filter on reconcile

Pavol Mederly mederly at evolveum.com
Wed Mar 1 14:40:37 CET 2017


Hello Nicolas,

it is implemented now (in master as well as in support-3.5).

You can try.

The tolerantValuePattern and intolerantValuePattern are matched against
the naming attribute of the associated object (i.e. usually the group).

Pavol Mederly
Software developer
evolveum.com

On 18.01.2017 14:10, Nicolas Rossi wrote:
> Hi Pavol, have you talked with Radovan about this issue?
>
> Regards,
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Sat, Jan 14, 2017 at 8:15 AM, Pavol Mederly <mederly at evolveum.com> wrote:
>
>     Hello Nicolas,
>
>     yes, unfortunately - as I said - it is not currently supported.
>     (You can look at ReconciliationProcessor.decideIfTolerate vs
>     decideIfTolerateAssociation.)
>
>     More details (but maybe not much, anyway) can be seen by enabling
>     TRACE logging for
>     com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor.
>     But that wouldn't help with associations, anyway. Only with
>     attributes.
>
>     Using memberOf attribute might probably help. But you would need
>     to forget about managing that attribute using associations, and
>     return to managing its values explicitly. (A step back into times
>     of midPoint 2.x.) That would mean probably a lot of complications,
>     and I strongly do not recommend it.
>
>     Maybe the best way would be to wait for Radovan. He'll be
>     certainly able to tell what to do.
>
>     Pavol Mederly
>     Software developer
>     evolveum.com
>
>     On 14.01.2017 11:59, Nicolas Rossi wrote:
>>     Hi Pavol, I tried with that setting but it didn't work. Here is
>>     my configuration:
>>
>>     <association>
>>         <c:ref>ri:group</c:ref>
>>         <displayName>AD Group Membership</displayName>
>>         <tolerant>false</tolerant>
>>         <tolerantValuePattern>.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</tolerantValuePattern>
>>         <exclusiveStrong>false</exclusiveStrong>
>>         <kind>entitlement</kind>
>>         <intent>group</intent>
>>         <direction>objectToSubject</direction>
>>         <associationAttribute>ri:member</associationAttribute>
>>         <valueAttribute>ri:dn</valueAttribute>
>>         <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>         <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>>         <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>>     </association>
>>
>>     The regex matches strings not ending with
>>     "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local" (groups
>>     outside our managed OU), expecting to be tolerant with those values.
>>
>>     Does it work for associations the same way it does for
>>     attributes? Maybe I should create the "memberOf" attribute and
>>     define the tolerantValuePattern there.
>>
>>     Which log should I enable to get more information about the
>>     pattern evaluation?
>>
>>     Best regards,
>>
>>
>>
>>
>>
>>     Ing Nicolás Rossi
>>     Identicum S.A.
>>     Jorge Newbery 3226
>>     Tel: +54 (11) 4552-3050
>>     www.identicum.com
>>
>>     On Sat, Jan 14, 2017 at 7:22 AM, Pavol Mederly <mederly at evolveum.com> wrote:
>>
>>         Nicolas, Martin,
>>
>>         for attributes, there is
>>         tolerantValuePattern/intolerantValuePattern property pair
>>         that could help. Unfortunately, similar mechanism for
>>         associations is not implemented yet. I'm afraid that neither
>>         baseContext nor protected accounts are relevant means to help
>>         in your case.
>>
>>         Maybe Radovan or someone with more experience in this area
>>         could help you.
>>
>>         Pavol Mederly
>>         Software developer
>>         evolveum.com
>>
>>         On 14.01.2017 0:59, Martin Besozzi wrote:
>>>         Hi, All.
>>>         Also we changed the "baseContext" definition in order to
>>>         avoid the groups outside the
>>>         "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".
>>>
>>>         <baseContext>
>>>             <objectClass>ri:organizationalUnit</objectClass>
>>>             <filter>
>>>                 <q:equal>
>>>                     <q:path>attributes/dn</q:path>
>>>                     <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>>                 </q:equal>
>>>             </filter>
>>>         </baseContext>
>>>
>>>         But the user shows the group association
>>>         "cn=Identicum,cn=Users,dc=uninorte,dc=local" which is
>>>         outside the base context.
>>>
>>>
>>>         Do you have any suggestion?
>>>
>>>         Best regards
>>>
>>>
>>>         Ing Martin Besozzi
>>>         Identicum S.A.
>>>         Jorge Newbery 3226
>>>         Tel: +54 (11) 4552-3050
>>>         www.identicum.com
>>>
>>>         On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi <nrossi at identicum.com> wrote:
>>>
>>>             Hi guys, I have a working AD LDAP resource. The group
>>>             association has the tolerant flag set to false. So when I
>>>             reconcile the user, it removes the user's group
>>>             memberships found in AD and not in midPoint. I'd like to
>>>             apply a filter there because midPoint only sees groups
>>>             under a specific organization unit. So when the user has
>>>             groups outside this OU they are also removed.
>>>
>>>             I tried with a baseContext definition under the
>>>             schemaHandling and protected definition but nothing worked.
>>>
>>>             Here are some examples of protected configurations I
>>>             have tried:
>>>
>>>             <protected>
>>>                 <filter>
>>>                     <not>
>>>                         <q:substring>
>>>                             <q:matching>stringIgnoreCase</q:matching>
>>>                             <q:path>
>>>                                 declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>>                                 attributes/icfs:name
>>>                             </q:path>
>>>                             <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>>                             <q:anchorEnd>true</q:anchorEnd>
>>>                         </q:substring>
>>>                     </not>
>>>                 </filter>
>>>             </protected>
>>>
>>>             The above example tries to match any groups not ending
>>>             with the managed OU.
>>>
>>>             <protected>
>>>                 <filter>
>>>                     <q:equal>
>>>                         <path>ri:dn</path>
>>>                         <value>CN=Domain Admins,DC=uninorte,DC=local</value>
>>>                     </q:equal>
>>>                 </filter>
>>>             </protected>
>>>
>>>             This tries to match a specific group.
>>>
>>>             Do you have any suggestion?
>>>
>>>             Best regards,
>>>
>>>             Ing Nicolás Rossi
>>>             Identicum S.A.
>>>             Jorge Newbery 3226
>>>             Tel: +54 (11) 4552-3050
>>>             www.identicum.com
>>>
>>>             _______________________________________________
>>>             midPoint mailing list
>>>             midPoint at lists.evolveum.com
>>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>>
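To make concrete what Pavol's answer means for Nicolas's configuration (the tolerantValuePattern is matched against the group's naming attribute, i.e. its DN), here is an added Python model of the reconcile decision. It is not midPoint's code: it assumes the simplified rule "a value matching a tolerant pattern is kept, otherwise the association's tolerant flag decides", uses whole-value matching like Java's Matcher.matches(), and all DNs are constructed. It also shows the caveat that AD DNs are case-insensitive while the pattern as written is not.

```python
import re

# The managed OU and the tolerantValuePattern from the thread: a negative
# lookbehind that matches any value NOT ending with the managed OU.
MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
TOLERANT_PATTERNS = [r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"]

# Constructed sample: group DNs as AD reports them for one user (memberOf).
AD_MEMBERSHIPS = [
    "CN=VPN-Users,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "CN=Stale,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "CN=Identicum,CN=Users,DC=uninorte,DC=local",
    "CN=Domain Admins,CN=Users,DC=uninorte,DC=local",
    "cn=legacy,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",
]
# Constructed sample: the memberships midPoint believes the user should have.
MIDPOINT_MEMBERSHIPS = {
    "CN=VPN-Users,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
}


def is_tolerated(value, tolerant, tolerant_patterns, ignore_case=False):
    """Assumed model of the tolerance decision (not midPoint's own code):
    a value matching any tolerant pattern is kept; otherwise the
    association's tolerant flag decides. fullmatch() mirrors Java's
    Matcher.matches(), which requires the whole value to match."""
    flags = re.IGNORECASE if ignore_case else 0
    for pattern in tolerant_patterns:
        if re.fullmatch(pattern, value, flags):
            return True
    return tolerant


def reconcile_memberships(ad_values, midpoint_values, tolerant,
                          tolerant_patterns, ignore_case=False):
    """Return (kept, removed): a value present in AD but absent in midPoint
    is removed on reconcile unless it is tolerated."""
    kept, removed = [], []
    for dn in ad_values:
        if dn in midpoint_values or is_tolerated(dn, tolerant,
                                                 tolerant_patterns, ignore_case):
            kept.append(dn)
        else:
            removed.append(dn)
    return kept, removed


if __name__ == "__main__":
    kept, removed = reconcile_memberships(AD_MEMBERSHIPS, MIDPOINT_MEMBERSHIPS,
                                          False, TOLERANT_PATTERNS)
    print("kept:", kept)
    print("removed:", removed)
```

With case-sensitive matching the lowercase "ou=grupos_seguridad" group slips through as tolerated; passing ignore_case=True (or writing the pattern with (?i)) treats it as a managed-OU group and removes it like the other stale membership.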