<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi Pavol, I tried with that setting but it didn't work. Here is my configuration:</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><div class="gmail_default"><div class="gmail_default"><association></div><div class="gmail_default">    <c:ref>ri:group</c:ref></div><div class="gmail_default">    <displayName>AD Group Membership</displayName></div><div class="gmail_default">    <tolerant>false</tolerant></div><div class="gmail_default">    <<b>tolerantValuePattern</b>>.*(?&lt;!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</<b>tolerantValuePattern</b>></div><div class="gmail_default">    <exclusiveStrong>false</exclusiveStrong></div><div class="gmail_default">    <kind>entitlement</kind></div><div class="gmail_default">    <intent>group</intent></div><div class="gmail_default">    <direction>objectToSubject</direction></div><div class="gmail_default">    <associationAttribute>ri:member</associationAttribute></div><div class="gmail_default">    <valueAttribute>ri:dn</valueAttribute></div><div class="gmail_default">    <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute></div><div class="gmail_default">    <shortcutValueAttribute>ri:dn</shortcutValueAttribute></div><div class="gmail_default">    <explicitReferentialIntegrity>false</explicitReferentialIntegrity></div><div class="gmail_default"></association></div></div><div class="gmail_default"><br></div><div class="gmail_default">The regex matches strings not ending with "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local" (groups outside our managed OU), expecting to be tolerant with those values.</div><div class="gmail_default"><br></div><div class="gmail_default">Does it work in
associations the same way it does for attributes? Maybe I should create the "memberOf" attribute and define the tolerantValuePattern there.</div><div class="gmail_default"><br></div><div class="gmail_default">Which log should I enable to get more information about the pattern evaluation?</div><div class="gmail_default"><br></div><div class="gmail_default">Best regards,</div></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Sat, Jan 14, 2017 at 7:22 AM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p>Nicolas, Martin,</p>
    <p>for attributes, there is a
      tolerantValuePattern/<wbr>intolerantValuePattern property pair that
      could help. Unfortunately, a similar mechanism for associations is
      not implemented yet. I'm afraid that neither baseContext nor
      protected accounts are relevant means to help in your case.</p>
    <p>Maybe Radovan or someone with more experience in this area could
      help you.<span class="HOEnZb"><font color="#888888"><br>
    </font></span></p><span class="HOEnZb"><font color="#888888">
    <pre class="m_7460053561329814870moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre></font></span><div><div class="h5">
    <div class="m_7460053561329814870moz-cite-prefix">On 14.01.2017 0:59, Martin Besozzi
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Hi, All.</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Also we changed
          the "<i>baseContext</i>" definition in order to avoid the
          groups outside the
          "OU=Grupos_Seguridad,OU=<wbr>Uninorte,DC=uninorte,DC=local".</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i><baseContext><br>
          </i></div>
        <div class="gmail_default">
          <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i>   
               <objectClass>ri:<wbr>organizationalUnit</<wbr>objectClass></i></div>
          <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i>       
              <filter></i></div>
          <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i>       
               <q:equal></i></div>
          <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i>         
                  <q:path>attributes/dn</q:path></i></div>
          <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i>         
                 
<q:value>OU=Grupos_Seguridad,<wbr>OU=Uninorte,DC=uninorte,DC=<wbr>local</q:value></i></div>
          <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i>       
               </q:equal></i></div>
          <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i>     
               </filter></i></div>
          <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i></baseContext></i></div>
          <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
          </div>
          <div class="gmail_default" style="font-family:arial,helvetica,sans-serif">But the user
            shows the group association "<i>cn=Identicum,cn=Users,dc=<wbr>uninorte,dc=local</i>"
            which is outside the base context.</div>
          <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
          </div>
          <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
          </div>
          <div class="gmail_default">
            <div class="gmail_default"><font face="arial, helvetica,
                sans-serif">Do you have any suggestion ?</font></div>
            <div class="gmail_default"><font face="arial, helvetica,
                sans-serif"><br>
              </font></div>
            <div class="gmail_default"><font face="arial, helvetica,
                sans-serif">Best regards</font></div>
          </div>
        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
        </div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div class="m_7460053561329814870gmail_signature" data-smartmail="gmail_signature">
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div>
                    <div dir="ltr">
                      <div>
                        <div dir="ltr">
                          <div><font face="arial, helvetica, sans-serif">Ing
                              Martin Besozzi</font></div>
                          <font face="arial, helvetica, sans-serif">Identicum
                            S.A.<br>
                          </font>
                          <div dir="ltr"><font face="arial, helvetica,
                              sans-serif">Jorge Newbery 3226</font></div>
                          <div dir="ltr"><font face="arial, helvetica,
                              sans-serif">Tel: +54 (11) 4552-3050</font></div>
                          <a href="http://www.identicum.com" target="_blank"><font face="arial,
                              helvetica, sans-serif">www.identicum.com</font></a><br>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">On Fri, Jan 13, 2017 at 7:41 PM,
          Nicolas Rossi <span dir="ltr"><<a href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
                guys, I have a working AD LDAP resource. The group
                association has the tolerant flag set to false. So when I
                reconcile the user, it removes the user's group
                memberships found in AD and not in midPoint. I'd like to
                apply a filter there because midPoint only sees groups
                under a specific organizational unit. So when the user has
                groups outside this OU they are also removed.</div>
              <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
              </div>
              <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
                tried with a baseContext definition under the
                schemaHandling and protected definition but nothing
                worked.</div>
              <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
              </div>
              <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Here
                are some examples of protected configurations I have
                tried:</div>
              <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
              </div>
              <div class="gmail_default">
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444"><protected></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">  <filter></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">    <not></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">      <q:substring></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">       
                    <q:matching>stringIgnoreCase</<wbr>q:matching></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">        <q:path></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">          declare
                    namespace icfs="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">http://midpoint.evolveum<wbr>.com/xml/ns/public/connector/<wbr>icf-1/resource-schema-3</a>";</font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">         
                    attributes/icfs:name</font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">        </q:path></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">       
                    <q:value>OU=Grupos_Seguridad,O<wbr>U=Uninorte,DC=uninorte,DC=loca<wbr>l</q:value></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">       
                    <q:anchorEnd>true</q:anchorEnd<wbr>></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">     
                    </q:substring></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">    </not></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">  </filter></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444"></protected></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444"><br>
                  </font></div>
                <div class="gmail_default"><font face="arial, helvetica,
                    sans-serif" color="#444444">The above example tries
                    to match any groups not ending with the managed OU.</font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444"><br>
                  </font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444"><protected></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">    <filter></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">       <q:equal></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">       
                    <path>ri:dn</path></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">       
                    <value>CN=Domain
                    Admins,DC=uninorte,DC=local</v<wbr>alue></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">      </q:equal></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444">   </filter></font></div>
                <div class="gmail_default"><font face="monospace,
                    monospace" color="#444444"></protected></font></div>
              </div>
              <div>
                <div class="m_7460053561329814870m_924213204947202457gmail_signature">
                  <div dir="ltr">
                    <div>
                      <div dir="ltr">
                        <div>
                          <div dir="ltr">
                            <div>
                              <div dir="ltr">
                                <div>
                                  <div dir="ltr">
                                    <div>
                                      <div dir="ltr">
                                        <div>
                                          <div dir="ltr">
                                            <div>
                                              <div dir="ltr"><font face="arial,
                                                  helvetica, sans-serif"><br>
                                                </font></div>
                                              <div dir="ltr"><font face="arial,
                                                  helvetica, sans-serif">
                                                  <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">This
                                                    tries to match
                                                    a specific group.</div>
                                                </font></div>
                                              <div dir="ltr"><font face="arial,
                                                  helvetica, sans-serif">
                                                  <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline"><br>
                                                  </div>
                                                </font></div>
                                              <div dir="ltr"><font face="arial,
                                                  helvetica, sans-serif">
                                                  <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">Do
                                                    you have any
                                                    suggestion?</div>
                                                </font></div>
                                              <div dir="ltr"><font face="arial,
                                                  helvetica, sans-serif"><font color="#444444"><br>
                                                  </font></font></div>
                                              <div dir="ltr"><font face="arial,
                                                  helvetica, sans-serif"><font color="#444444">
                                                    <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">Best
                                                      regards,</div>
                                                  </font></font></div>
                                              <div dir="ltr"><font face="arial,
                                                  helvetica, sans-serif"><font color="#444444">
                                                    <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">​</div>
                                                    <br>
                                                  </font><br>
                                                  <font color="#444444">Ing
                                                    Nicolás Rossi</font><br>
                                                  <font color="#999999">Identicum
                                                    S.A.</font><br>
                                                  <font color="#999999">Jorge
                                                    Newbery 3226</font><br>
                                                  <font color="#999999">Tel:
                                                    +54 (11) 4552-3050</font><br>
                                                  <font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
            <br>
            ______________________________<wbr>_________________<br>
            midPoint mailing list<br>
            <a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
            <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div>
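<p>The tolerant pattern posted at the top of this thread can be checked offline against sample DNs before it goes into a resource definition. This is an added example, not code from the thread or from midPoint: it uses Python's <code>re</code> in place of Java regex (the lookbehind behaves the same for this pattern), models the intended "remove unless assigned or tolerated" reconciliation as a plain filter (an assumption, and per the quoted reply not something midPoint applied to associations at the time), and mixes DNs quoted in the thread with constructed ones.</p>

```python
import re

# Pattern exactly as posted in the <tolerantValuePattern> element.
POSTED = re.compile(
    r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"
)
# Assumed variant: same lookbehind, compared case-insensitively, because
# Active Directory treats DNs as case-insensitive and may return either case.
CASE_INSENSITIVE = re.compile(POSTED.pattern, re.IGNORECASE)


def is_tolerated(dn, pattern=POSTED):
    """True when the whole DN matches the tolerant pattern,
    i.e. the value is treated as lying outside the managed OU."""
    return pattern.fullmatch(dn) is not None


def values_to_remove(on_resource, in_midpoint, pattern=POSTED):
    """Model of the intended non-tolerant reconciliation (an assumption,
    not midPoint's implementation): a membership found on the resource is
    removed unless midPoint assigns it or the tolerant pattern matches it."""
    wanted = {dn.lower() for dn in in_midpoint}
    return [
        dn for dn in on_resource
        if dn.lower() not in wanted and not is_tolerated(dn, pattern)
    ]


# Group memberships as read from the directory for one user.
ON_RESOURCE = [
    # constructed: managed OU, assigned in midPoint
    "CN=Finanzas,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    # constructed: managed OU, not assigned, should be removed
    "CN=Ventas,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    # constructed: managed OU returned in lowercase, not assigned
    "cn=soporte,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",
    # quoted in the thread: outside the managed OU, must be left alone
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",
    "CN=Domain Admins,DC=uninorte,DC=local",
]
# constructed: the only group midPoint assigns to this user
IN_MIDPOINT = [
    "CN=Finanzas,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
]

if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("case-insensitive", CASE_INSENSITIVE)):
        print(name)
        for dn in values_to_remove(ON_RESOURCE, IN_MIDPOINT, pattern):
            print("  remove:", dn)
```

<p>With the pattern as posted, the lowercase DN inside the managed OU counts as tolerated and an unassigned membership stays in place; the case-insensitive variant removes it while still leaving the two groups outside the OU untouched.</p>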