<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Hi, All.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Also we changed the "<i>baseContext</i>" definition in order to avoid the groups outside the "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i><baseContext><br></i></div><div class="gmail_default"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> <objectClass>ri:organizationalUnit</objectClass></i></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> <filter></i></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> <q:equal></i></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> <q:path>attributes/dn</q:path></i></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value></i></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> </q:equal></i></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> </filter></i></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i></baseContext></i></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">But the user shows the group association "<i>cn=Identicum,cn=Users,dc=uninorte,dc=local</i>" which is outside the base context.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><img src="cid:ii_1599a428a35b07f6" alt="Inline image 1" width="472" height="113"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default"><div class="gmail_default"><font face="arial, helvetica, sans-serif">Do you have any suggestion ?</font></div><div class="gmail_default"><font face="arial, helvetica, sans-serif"><br></font></div><div class="gmail_default"><font face="arial, helvetica, sans-serif">Best regards</font></div></div></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><font face="arial, helvetica, sans-serif">Ing Martin Besozzi</font></div><font face="arial, helvetica, sans-serif">Identicum S.A.<br></font><div dir="ltr"><font face="arial, helvetica, sans-serif">Jorge Newbery 3226</font></div><div dir="ltr"><font face="arial, helvetica, sans-serif">Tel: +54 (11) 4552-3050</font></div><a href="http://www.identicum.com" target="_blank"><font face="arial, helvetica, sans-serif">www.identicum.com</font></a><br></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, Jan 13, 2017 at 7:41 PM, Nicolas Rossi <span dir="ltr"><<a href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi guys, I have a working AD LDAP resource. The group association has tolerant flag in false. So when I reconcile the user, it removes the user's group memberships found in AD and not in midPoint. I'd like to apply a filter there because midPoint only sees groups under a specific organization unit. So when the user has groups outside this OU they are also removed.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I tried with a baseContext definition under the schemaHandling and protected definition but nothing worked.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Here are some examples of protected configurations I have tried:</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default"><div class="gmail_default"><font color="#444444" face="monospace, monospace"><protected></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> <filter></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> <not></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> <q:substring></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> <q:matching>stringIgnoreCase</<wbr>q:matching></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> <q:path></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> declare namespace icfs="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">http://midpoint.<wbr>evolveum.com/xml/ns/public/<wbr>connector/icf-1/resource-<wbr>schema-3</a>";</font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> attributes/icfs:name</font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> </q:path></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> <q:value>OU=Grupos_Seguridad,<wbr>OU=Uninorte,DC=uninorte,DC=<wbr>local</q:value></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> <q:anchorEnd>true</q:<wbr>anchorEnd></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> </q:substring></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> </not></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> </filter></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"></protected></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"><br></font></div><div class="gmail_default"><font color="#444444" face="arial, helvetica, sans-serif">The above example tries to match any groups not ending with the managed OU.</font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"><br></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"><protected></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> <filter></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> <q:equal></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> <path>ri:dn</path></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> <value>CN=Domain Admins,DC=uninorte,DC=local</<wbr>value></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> </q:equal></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"> </filter></font></div><div class="gmail_default"><font color="#444444" face="monospace, monospace"></protected></font></div></div><div><div class="m_924213204947202457gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br></font></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">This tries to match specific group.</div></font></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline"><br></div></font></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">Do you have any suggestion ?</div></font></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><font color="#444444"><br></font></font></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><font color="#444444"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">Best regards,</div></font></font></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><font color="#444444"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline"></div><br></font><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
<br>______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>