[midPoint] <protected> not working for non-Identifier attributes
Javier Martinez
jmartinez at identicum.com
Wed Feb 5 21:46:21 CET 2020
Hello,
We have an AD resource configured to protect an Organizational Unit from
being modified with the following code:
> <protected>
> <filter>
> <q:substring>
> <q:matching>stringIgnoreCase</q:matching>
> <q:path>declare namespace icfs='
> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3';
> attributes/ri:dn</q:path>
>
> <q:value>OU=VIPs,OU=Groups&Users,OU=-SMG-,DC=qaswm,DC=com,DC=ar</q:value>
> <q:anchorEnd>true</q:anchorEnd>
> </q:substring>
> </filter>
> </protected>
>
We recently ran into the need to apply this logic only to enabled accounts
within that organizational unit, so we modified the <protected> node to
look like this:
> <protected>
> <filter>
> <q:and>
> <q:substring>
> <q:matching>stringIgnoreCase</q:matching>
> <q:path>declare namespace icfs='
> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3';
> attributes/ri:dn</q:path>
>
> <q:value>OU=VIPs,OU=Groups&Users,OU=-SMG-,DC=qaswm,DC=com,DC=ar</q:value>
> <q:anchorEnd>true</q:anchorEnd>
> </q:substring>
> <q:equal>
> <q:matching>polyStringNorm</q:matching>
> <q:path>declare namespace icfs='
> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3';
> attributes/ri:userAccountControl</q:path>
> <q:value>512</q:value>
> </q:equal>
> </q:and>
> </filter>
> </protected>
>
After adding that condition, the filter is not working and it is not
preventing modifications.
Is this a bug? Or can you only use that filter for shadow identifiers?
Thanks in advance.
Regards,
--
Javier Martínez
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com