<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Nicolas, Martin,</p>
<p>for attributes, there is a
tolerantValuePattern/intolerantValuePattern property pair that
could help. Unfortunately, a similar mechanism for associations is
not implemented yet. I'm afraid that neither baseContext nor
protected accounts are relevant means to help in your case.</p>
<p>Maybe Radovan or someone with more experience in this area could
help you.<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 14.01.2017 0:59, Martin Besozzi
wrote:<br>
</div>
<blockquote
cite="mid:CAPV0GKSwnQyUToX3=+yS5eGY8_aBzY=prvJ6VOHZ_weBOkLmEg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">Hi, All.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">Also we changed
the "<i>baseContext</i>" definition in order to avoid the
groups outside the
"OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>&lt;baseContext&gt;<br>
</i></div>
<div class="gmail_default">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>
&lt;objectClass&gt;ri:organizationalUnit&lt;/objectClass&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>
&lt;filter&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>
&lt;q:equal&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>
&lt;q:path&gt;attributes/dn&lt;/q:path&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>
&lt;q:value&gt;OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local&lt;/q:value&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>
&lt;/q:equal&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>
&lt;/filter&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>&lt;/baseContext&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">But the user
shows the group association "<i>cn=Identicum,cn=Users,dc=uninorte,dc=local</i>"
which is outside the base context.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><img
src="cid:part1.8235FE91.E126A3A4@evolveum.com" alt="Inline
image 1" height="113" width="472"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default">
<div class="gmail_default"><font face="arial, helvetica,
sans-serif">Do you have any suggestions?</font></div>
<div class="gmail_default"><font face="arial, helvetica,
sans-serif"><br>
</font></div>
<div class="gmail_default"><font face="arial, helvetica,
sans-serif">Best regards</font></div>
</div>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><font face="arial, helvetica, sans-serif">Ing
Martin Besozzi</font></div>
<font face="arial, helvetica, sans-serif">Identicum
S.A.<br>
</font>
<div dir="ltr"><font face="arial, helvetica,
sans-serif">Jorge Newbery 3226</font></div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif">Tel: +54 (11) 4552-3050</font></div>
<a moz-do-not-send="true"
href="http://www.identicum.com"
target="_blank"><font face="arial,
helvetica, sans-serif">www.identicum.com</font></a><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Fri, Jan 13, 2017 at 7:41 PM,
Nicolas Rossi <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, I have a working AD LDAP resource. The group
association has the tolerant flag set to false. So when I
reconcile the user, it removes the user's group
memberships found in AD and not in midPoint. I'd like to
apply a filter there because midPoint only sees groups
under a specific organizational unit. So when the user has
groups outside this OU they are also removed.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
tried with a baseContext definition under the
schemaHandling and protected definition but nothing
worked.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Here
are some examples of protected configurations I have
tried:</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default">
<div class="gmail_default"><font face="monospace,
monospace" color="#444444">&lt;protected&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"> &lt;filter&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"> &lt;not&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"> &lt;q:substring&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444">
&lt;q:matching&gt;stringIgnoreCase&lt;/q:matching&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"> &lt;q:path&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"> declare
namespace icfs="<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
target="_blank">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>";</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444">
attributes/icfs:name</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"> &lt;/q:path&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444">
&lt;q:value&gt;OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local&lt;/q:value&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444">
&lt;q:anchorEnd&gt;true&lt;/q:anchorEnd&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444">
&lt;/q:substring&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"> &lt;/not&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"> &lt;/filter&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444">&lt;/protected&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"><br>
</font></div>
<div class="gmail_default"><font face="arial, helvetica,
sans-serif" color="#444444">The above example tries
to match any groups not ending with the managed OU.</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"><br>
</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444">&lt;protected&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"> &lt;filter&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"> &lt;q:equal&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444">
&lt;path&gt;ri:dn&lt;/path&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444">
&lt;value&gt;CN=Domain
Admins,DC=uninorte,DC=local&lt;/value&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"> &lt;/q:equal&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444"> &lt;/filter&gt;</font></div>
<div class="gmail_default"><font face="monospace,
monospace" color="#444444">&lt;/protected&gt;</font></div>
</div>
<div>
<div class="m_924213204947202457gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font
face="arial,
helvetica, sans-serif"><br>
</font></div>
<div dir="ltr"><font
face="arial,
helvetica, sans-serif">
<div
class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">This
tries to match a
specific group.</div>
</font></div>
<div dir="ltr"><font
face="arial,
helvetica, sans-serif">
<div
class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline"><br>
</div>
</font></div>
<div dir="ltr"><font
face="arial,
helvetica, sans-serif">
<div
class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">Do
you have any
suggestions?</div>
</font></div>
<div dir="ltr"><font
face="arial,
helvetica, sans-serif"><font
color="#444444"><br>
</font></font></div>
<div dir="ltr"><font
face="arial,
helvetica, sans-serif"><font
color="#444444">
<div
class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">Best
regards,</div>
</font></font></div>
<div dir="ltr"><font
face="arial,
helvetica, sans-serif"><font
color="#444444">
<div
class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline"></div>
<br>
</font><br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54 (11) 4552-3050</font><br>
<font color="#999999"><a
moz-do-not-send="true" href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
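<p>Added example, not part of the original thread and not midPoint code: a small Python model of the attribute-level tolerance mentioned in the reply, showing a pattern that keeps memberships outside the managed OU while unmanaged groups inside it are still removed. The function names, the VPN and legacy groups, and the full-match semantics are assumptions made for illustration; only the tolerantValuePattern side of the pair is modelled.</p>

```python
import re

# Managed subtree named in the thread; midPoint only sees groups under it.
MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"


def outside_ou_pattern(ou_dn):
    """Regex that fully matches every DN that does NOT end in ',' + ou_dn.

    (?i) makes the comparison case-insensitive, because both 'OU=...,DC=...'
    and 'cn=...,dc=...' spellings of DNs occur in the thread.
    """
    return r"(?i)^(?!.*," + re.escape(ou_dn) + r"$).*$"


def values_to_remove(on_resource, in_midpoint, tolerant, tolerant_pattern=None):
    """Model of attribute tolerance: which resource values a reconcile deletes.

    Assumption (hypothetical model, not midPoint code): with tolerant=false,
    every value unknown to midPoint is removed unless it fully matches
    tolerant_pattern.
    """
    wanted = {dn.lower() for dn in in_midpoint}
    extra = [dn for dn in on_resource if dn.lower() not in wanted]
    if tolerant:
        return []
    if tolerant_pattern is None:
        return extra
    rx = re.compile(tolerant_pattern)
    return [dn for dn in extra if not rx.fullmatch(dn)]


# Constructed sample data; only the Identicum DN is taken from the thread.
IN_MIDPOINT = ["CN=VPN," + MANAGED_OU]
ON_AD = [
    "CN=VPN," + MANAGED_OU,
    "cn=legacy,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",
]

if __name__ == "__main__":
    pattern = outside_ou_pattern(MANAGED_OU)
    print("pattern:", pattern)
    print("tolerant=false:", values_to_remove(ON_AD, IN_MIDPOINT, False))
    print("with pattern:  ", values_to_remove(ON_AD, IN_MIDPOINT, False, pattern))
```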
</body>
</html>