[midPoint] Old but still relevant - AD group filter on reconcile

Jason Everling jeverling at bshp.edu
Sat Mar 30 23:57:41 CET 2019


For some reason at the time I didn't notice it, but I ran into the same
behaviour after switching to midPoint as the only source for group
management.

Just remove the shortcut attributes below and it will no longer show groups
that are not defined in the baseObjectClass:

<shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
<shortcutValueAttribute>ri:dn</shortcutValueAttribute>




On Wed, Mar 1, 2017 at 8:37 AM Nicolas Rossi <nrossi at identicum.com> wrote:

> Hi Pavol, thank you for the update !
>
> We have removed this feature on our customer and now we are handling all
> groups in MP. I will try it on a custom lab for future implementations.
>
> Kind regards,
>
>
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Wed, Mar 1, 2017 at 10:40 AM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
>> Hello Nicolas,
>>
>> it is implemented now (in master as well as in support-3.5).
>>
>> You can try.
>>
>> The tolerantValuePattern and intolerantValuePattern are matched against
>> naming attribute of the associated object (i.e. usually group).
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 18.01.2017 14:10, Nicolas Rossi wrote:
>>
>> Hi Pavol, have you talked with Radovan about this issue ?
>>
>> Regards,
>>
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Sat, Jan 14, 2017 at 8:15 AM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>
>>> Hello Nicolas,
>>>
>>> yes, unfortunately - as I said - it is *not* currently supported. (You
>>> can look at ReconciliationProcessor.decideIfTolerate vs
>>> decideIfTolerateAssociation.)
>>>
>>> More details (but maybe not much, anyway) can be seen by enabling TRACE
>>> logging for com.evolveum.midpoint.model.impl.lens.projector.
>>> ReconciliationProcessor. But that wouldn't help with associations,
>>> anyway. Only with attributes.
>>>
>>> Using the memberOf attribute might *probably* help. But you would need to
>>> forget about managing that attribute using associations, and return to
>>> managing its values explicitly. (A step back into the times of midPoint 2.x.)
>>> That would probably mean a lot of complications, and I strongly do not
>>> recommend it.
>>>
>>> Maybe the best way would be to wait for Radovan. He'll be certainly able
>>> to tell what to do.
>>>
>>> Pavol Mederly
>>> Software developer
>>> evolveum.com
>>>
>>> On 14.01.2017 11:59, Nicolas Rossi wrote:
>>>
>>> Hi Pavol, I tried with that setting but it didn't work. Here is my
>>> configuration:
>>>
>>> <association>
>>>     <c:ref>ri:group</c:ref>
>>>     <displayName>AD Group Membership</displayName>
>>>     <tolerant>false</tolerant>
>>>     <tolerantValuePattern>.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</tolerantValuePattern>
>>>     <exclusiveStrong>false</exclusiveStrong>
>>>     <kind>entitlement</kind>
>>>     <intent>group</intent>
>>>     <direction>objectToSubject</direction>
>>>     <associationAttribute>ri:member</associationAttribute>
>>>     <valueAttribute>ri:dn</valueAttribute>
>>>     <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
>>>     <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
>>>     <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>>> </association>
>>>
>>> The regex matches strings not ending with
>>> "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local" (groups outside our
>>> managed OU), expecting those values to be tolerated.
>>>
>>> Does it work for associations the same way it does for attributes?
>>> Maybe I should create the "memberOf" attribute and define the
>>> tolerantValuePattern there.
>>>
>>> Which log should I enable to get more information about the pattern
>>> evaluation ?
>>>
>>> Best regards,
>>>
>>>
>>>
>>>
>>>
>>> Ing Nicolás Rossi
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050
>>> www.identicum.com
>>>
>>> On Sat, Jan 14, 2017 at 7:22 AM, Pavol Mederly <mederly at evolveum.com>
>>> wrote:
>>>
>>>> Nicolas, Martin,
>>>>
>>>> for attributes, there is the tolerantValuePattern/intolerantValuePattern
>>>> property pair that could help. Unfortunately, a similar mechanism for
>>>> associations is not implemented yet. I'm afraid that neither baseContext
>>>> nor protected accounts are relevant means to help in your case.
>>>>
>>>> Maybe Radovan or someone with more experience in this area could help
>>>> you.
>>>>
>>>> Pavol Mederly
>>>> Software developer
>>>> evolveum.com
>>>>
>>>> On 14.01.2017 0:59, Martin Besozzi wrote:
>>>>
>>>> Hi, All.
>>>> Also we changed the "baseContext" definition in order to avoid the
>>>> groups outside the "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".
>>>>
>>>> <baseContext>
>>>>     <objectClass>ri:organizationalUnit</objectClass>
>>>>     <filter>
>>>>         <q:equal>
>>>>             <q:path>attributes/dn</q:path>
>>>>             <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>>>         </q:equal>
>>>>     </filter>
>>>> </baseContext>
>>>>
>>>> But the user shows the group association
>>>> "cn=Identicum,cn=Users,dc=uninorte,dc=local", which is outside the
>>>> base context.
>>>>
>>>> [image: Inline image 1]
>>>>
>>>> Do you have any suggestion ?
>>>>
>>>> Best regards
>>>>
>>>>
>>>> Ing Martin Besozzi
>>>> Identicum S.A.
>>>> Jorge Newbery 3226
>>>> Tel: +54 (11) 4552-3050
>>>> www.identicum.com
>>>>
>>>> On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi <nrossi at identicum.com>
>>>> wrote:
>>>>
>>>>> Hi guys, I have a working AD LDAP resource. The group association has
>>>>> the tolerant flag set to false. So when I reconcile the user, it removes the
>>>>> user's group memberships found in AD and not in midPoint. I'd like to apply
>>>>> a filter there because midPoint only sees groups under a specific
>>>>> organizational unit. So when the user has groups outside this OU, they are
>>>>> also removed.
>>>>>
>>>>> I tried with a baseContext definition under the schemaHandling and
>>>>> protected definition but nothing worked.
>>>>>
>>>>> Here are some examples of protected configurations I have tried:
>>>>>
>>>>> <protected>
>>>>>   <filter>
>>>>>     <not>
>>>>>       <q:substring>
>>>>>         <q:matching>stringIgnoreCase</q:matching>
>>>>>         <q:path>
>>>>>           declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
>>>>>           attributes/icfs:name
>>>>>         </q:path>
>>>>>         <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
>>>>>         <q:anchorEnd>true</q:anchorEnd>
>>>>>       </q:substring>
>>>>>     </not>
>>>>>   </filter>
>>>>> </protected>
>>>>>
>>>>> The above example tries to match any groups not ending with the
>>>>> managed OU.
>>>>>
>>>>> <protected>
>>>>>   <filter>
>>>>>     <q:equal>
>>>>>       <path>ri:dn</path>
>>>>>       <value>CN=Domain Admins,DC=uninorte,DC=local</value>
>>>>>     </q:equal>
>>>>>   </filter>
>>>>> </protected>
>>>>>
>>>>> This tries to match a specific group.
>>>>>
>>>>> Do you have any suggestion ?
>>>>>
>>>>> Best regards,
>>>>>
>>>>>
>>>>> Ing Nicolás Rossi
>>>>> Identicum S.A.
>>>>> Jorge Newbery 3226
>>>>> Tel: +54 (11) 4552-3050
>>>>> www.identicum.com
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
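The thread turns on one question: which group DNs does the tolerantValuePattern regex from the association above actually tolerate on reconcile? The script below is an added example, not code from the thread or from midPoint. It takes the pattern as posted and classifies a user's memberOf values into "kept" and "would be removed" (tolerant=false). It assumes that midPoint evaluates the pattern as a full match on the group's naming attribute, as Pavol describes; for this particular pattern (leading `.*`, trailing `$`) Java's and Python's regex engines agree. It also goes one step beyond the thread: LDAP DNs are case-insensitive, but the posted regex is not, so a managed-OU DN returned in different case would be tolerated and an unauthorized membership in a managed group would survive reconcile. The `ignore_case` switch shows the difference. The sample DNs other than the two taken from the thread are constructed.

```python
import re

# Pattern exactly as posted in the association definition above.
MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
TOLERANT_PATTERN = r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"


def is_tolerated(group_dn, pattern=TOLERANT_PATTERN, ignore_case=False):
    """True when the group DN matches the tolerant pattern, i.e. the
    membership is left alone on reconcile. False means midPoint, with
    tolerant=false, would treat the membership as unauthorized and remove it
    unless midPoint itself assigned it.

    Assumption: midPoint applies the pattern as a full match (Java
    Matcher.matches()); re.fullmatch mirrors that."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(pattern, group_dn, flags) is not None


def classify(member_of, pattern=TOLERANT_PATTERN, ignore_case=False):
    """Split a user's memberOf values into (kept, removed_on_reconcile)."""
    kept, removed = [], []
    for dn in member_of:
        if is_tolerated(dn, pattern, ignore_case):
            kept.append(dn)
        else:
            removed.append(dn)
    return kept, removed


# Constructed sample memberOf values for one user. The first two DNs are the
# ones mentioned in the thread; the last two are made up for illustration,
# and the final one is a managed-OU group with the domain part upper-cased.
SAMPLE_MEMBER_OF = [
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",
    "CN=Domain Admins,DC=uninorte,DC=local",
    "CN=Finance,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "CN=HR,OU=Grupos_Seguridad,OU=Uninorte,DC=UNINORTE,DC=LOCAL",
]


if __name__ == "__main__":
    for ignore_case in (False, True):
        kept, removed = classify(SAMPLE_MEMBER_OF, ignore_case=ignore_case)
        print(f"ignore_case={ignore_case}")
        for dn in kept:
            print("  tolerated (kept):   ", dn)
        for dn in removed:
            print("  not tolerated (cut):", dn)
```

With the pattern as posted, the two groups outside the managed OU are tolerated and the Finance group is subject to reconcile, which is the intended outcome. The HR group, however, is tolerated only because its DC components differ in case from the pattern; with `ignore_case=True` it is correctly treated as managed. If you keep a pattern like this, prefix it with `(?i)` so that DN case cannot turn a managed group into a tolerated one.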