<div>Do you have the tolerance=false configuration on the association definition?</div><div><br></div><div><br></div><div><br><div class="gmail_quote"><div>On Sat, Jan 14, 2017 at 20:03, Jason Everling <<a href="mailto:jeverling@bshp.edu">jeverling@bshp.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg">Not sure on that, still using the .NET AD connector, our users are still members of groups that midpoint is not managing. It would NOT be good if it removed groups that midpoint was not managing.</div><div class="gmail_extra gmail_msg"></div><div class="gmail_extra gmail_msg"><br clear="all" class="gmail_msg"><div class="gmail_msg"><div class="m_-7290083841959172986gmail_signature gmail_msg" data-smartmail="gmail_signature"><div class="gmail_msg">JASON</div></div></div></div><div class="gmail_extra gmail_msg"><br><br><br class="gmail_msg"><div class="gmail_quote gmail_msg">On Sat, Jan 14, 2017 at 3:47 PM, Nicolas Rossi <span class="gmail_msg"><<a href="mailto:nrossi@identicum.com" class="gmail_msg" target="_blank">nrossi@identicum.com</a>></span> wrote:<br class="gmail_msg"><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg"><div class="gmail_default gmail_msg" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi Jason, thank you for your feedback. I'll try it. Do you know if it works with associations? Because we trigger a user modification, not group modification. 
The user has an association to the group through the memberOf attribute and it looks like this modification does not filter the group definition (i.e.: protected, baseContext..).</div><div class="gmail_default gmail_msg" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br class="gmail_msg"></div><div class="gmail_default gmail_msg" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regards,</div><div class="gmail_extra gmail_msg"><span class="gmail_msg"><br clear="all" class="gmail_msg"><div class="gmail_msg"><div class="m_-7290083841959172986m_5778989534080482134gmail_signature gmail_msg" data-smartmail="gmail_signature"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><div class="gmail_msg"><font face="arial, helvetica, sans-serif" class="gmail_msg"><br class="gmail_msg"><br class="gmail_msg"><font color="#444444" class="gmail_msg">Ing Nicolás Rossi</font><br class="gmail_msg"><font color="#999999" class="gmail_msg">Identicum S.A.</font><br class="gmail_msg"><font color="#999999" class="gmail_msg">Jorge Newbery 3226</font><br class="gmail_msg"><font color="#999999" class="gmail_msg">Tel: <a href="tel:+54%2011%204552-3050" value="+541145523050" class="gmail_msg" target="_blank">+54 (11) 4552-3050</a></font><br class="gmail_msg"><font color="#999999" class="gmail_msg"><a href="http://www.identicum.com" class="gmail_msg" target="_blank">www.identicum.com</a></font></font><br class="gmail_msg"></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br><br><br class="gmail_msg"></span><div class="gmail_msg"><div class="m_-7290083841959172986h5 gmail_msg"><div class="gmail_quote gmail_msg">On Sat, Jan 
14, 2017 at 5:20 PM, Jason Everling <span class="gmail_msg"><<a href="mailto:jeverling@bshp.edu" class="gmail_msg" target="_blank">jeverling@bshp.edu</a>></span> wrote:<br class="gmail_msg"><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg">We filter out unwanted groups, Pavol or Ivan helped with this a long time ago, would this not work under the sync settings? The below filters out any groups with the ad attribute 'info' not set to mpgroup. When we create a role in midpoint that should be an AD group we set the roleType to mpgroup and it then gets pushed to AD, like the role below only assigns the metarole with inducements if mpgroup present.<div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg"><div class="gmail_msg"> <objectClass>ri:CustomGroupObjectClass</objectClass></div><span class="gmail_msg"><div class="gmail_msg">         <kind>entitlement</kind></div><div class="gmail_msg">         <intent>group</intent></div></span><div class="gmail_msg">         <focusType>c:RoleType</focusType></div><div class="gmail_msg">         <enabled>true</enabled></div><div class="gmail_msg"><span style="background-color:rgb(255,255,255)" class="gmail_msg"><font color="#ff9900" class="gmail_msg">         <condition></font></span></div><div class="gmail_msg"><span style="background-color:rgb(255,255,255)" class="gmail_msg"><font color="#ff9900" class="gmail_msg">            <script></font></span></div><div class="gmail_msg"><span style="background-color:rgb(255,255,255)" class="gmail_msg"><font color="#ff9900" class="gmail_msg">               <code></font></span></div><div class="gmail_msg"><span style="background-color:rgb(255,255,255)" class="gmail_msg"><font color="#ff9900" class="gmail_msg">                            tmp = basic.getAttributeValue(shadow, '<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" class="gmail_msg" 
target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>', 'info');</font></span></div><div class="gmail_msg"><span style="background-color:rgb(255,255,255)" class="gmail_msg"><font color="#ff9900" class="gmail_msg">                            return (tmp == 'mpgroup')</font></span></div><div class="gmail_msg"><span style="background-color:rgb(255,255,255)" class="gmail_msg"><font color="#ff9900" class="gmail_msg">                        </code></font></span></div><div class="gmail_msg"><span style="background-color:rgb(255,255,255)" class="gmail_msg"><font color="#ff9900" class="gmail_msg">            </script></font></span></div><div class="gmail_msg"><span style="background-color:rgb(255,255,255)" class="gmail_msg"><font color="#ff9900" class="gmail_msg">         </condition></font></span></div><div class="gmail_msg">         <correlation></div><div class="gmail_msg">            <q:equal></div><div class="gmail_msg">               <q:path>c:name</q:path></div><div class="gmail_msg">               <expression></div><div class="gmail_msg">                  <script></div></div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">Role:</div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg"><div class="gmail_msg">   <mapping></div><div class="gmail_msg">      <name>Metarole Security Group Assignment</name></div><div class="gmail_msg">      <authoritative>true</authoritative></div><div class="gmail_msg">      <source></div><div class="gmail_msg">         <c:path>roleType</c:path></div><div class="gmail_msg">      </source></div><div class="gmail_msg">      <expression></div><div class="gmail_msg">         <assignmentTargetSearch></div><div class="gmail_msg">            <targetType>c:RoleType</targetType></div><div class="gmail_msg">            <oid>11111111-2222-3333-4444-200000000001</oid></div><div class="gmail_msg">         </assignmentTargetSearch></div><div class="gmail_msg">      
</expression></div><div class="gmail_msg">      <target></div><div class="gmail_msg">         <c:path>assignment</c:path></div><div class="gmail_msg">      </target></div><div class="gmail_msg">      <condition></div><div class="gmail_msg">         <script></div><div class="gmail_msg">            <code>roleType == 'mpgroup'</code></div><div class="gmail_msg">         </script></div><div class="gmail_msg">      </condition></div><div class="gmail_msg">   </mapping></div></div></div><div class="gmail_extra gmail_msg"><span class="m_-7290083841959172986m_5778989534080482134HOEnZb gmail_msg"><font color="#888888" class="gmail_msg"><br clear="all" class="gmail_msg"><div class="gmail_msg"><div class="m_-7290083841959172986m_5778989534080482134m_2494040908606533194gmail_signature gmail_msg" data-smartmail="gmail_signature"><div class="gmail_msg">JASON</div></div></div></font></span><div class="gmail_msg"><div class="m_-7290083841959172986m_5778989534080482134h5 gmail_msg"><br><br><br class="gmail_msg"><div class="gmail_quote gmail_msg">On Sat, Jan 14, 2017 at 5:15 AM, Pavol Mederly <span class="gmail_msg"><<a href="mailto:mederly@evolveum.com" class="gmail_msg" target="_blank">mederly@evolveum.com</a>></span> wrote:<br class="gmail_msg"><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br><br>  <br><br>    <br><br>  <br><br>  <div bgcolor="#FFFFFF" text="#000000" class="gmail_msg"><br><br>    <p class="gmail_msg">Hello Nicolas,</p><br><br>    <p class="gmail_msg">yes, unfortunately - as I said - it is <i class="gmail_msg">not</i> currently<br><br>      supported. 
(You can look at <tt class="gmail_msg">ReconciliationProcessor.decideIfTolerate</tt><br><br>      vs <tt class="gmail_msg">decideIfTolerateAssociation</tt>.)</p><br><br>    <p class="gmail_msg">More details (but maybe not much, anyway) can be seen by enabling<br><br>      TRACE logging for <tt class="gmail_msg">com.evolveum.midpoint.model.impl.lens.projector.</tt><tt class="gmail_msg">ReconciliationProcessor</tt>.<br><br>      But that wouldn't help with associations, anyway. Only with<br><br>      attributes.<br class="gmail_msg"><br><br>    </p><br><br>    <p class="gmail_msg">Using memberOf attribute might <i class="gmail_msg">probably</i> help. But you<br><br>      would need to forget about managing that attribute using<br><br>      associations, and return to managing its values explicitly. (A<br><br>      step back into times of midPoint 2.x.) That would mean probably a<br><br>      lot of complications, and I strongly do not recommend it.</p><br><br>    <p class="gmail_msg">Maybe the best way would be to wait for Radovan. 
He'll be<br><br>      certainly able to tell what to do.<br class="gmail_msg"><br><br>      <br><br>    </p><span class="gmail_msg"><br><br>    <pre class="m_-7290083841959172986m_5778989534080482134m_2494040908606533194m_-8828315575111521266moz-signature gmail_msg" cols="72">Pavol Mederly<br><br>Software developer<br><br><a href="http://evolveum.com" class="gmail_msg" target="_blank">evolveum.com</a><br><br></pre><br><br>    </span><div class="gmail_msg"><div class="m_-7290083841959172986m_5778989534080482134m_2494040908606533194h5 gmail_msg"><div class="m_-7290083841959172986m_5778989534080482134m_2494040908606533194m_-8828315575111521266moz-cite-prefix gmail_msg">On 14.01.2017 11:59, Nicolas Rossi<br><br>      wrote:<br class="gmail_msg"><br><br>    </div><br><br>    <blockquote type="cite" class="gmail_msg"><br><br>      <div class="gmail_msg"><br><br>        <div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)" class="gmail_msg">Hi<br><br>          Pavol, I tried with that setting but It didn't work. 
Here is<br><br>          my configuration:</div><br><br>        <div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)" class="gmail_msg"><br class="gmail_msg"><br><br>        </div><br><br>        <div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)" class="gmail_msg"><br><br>          <div class="gmail_msg"><br><br>            <div class="gmail_msg"><association></div><br><br>            <div class="gmail_msg">   <br><br>              <c:ref>ri:group</c:ref></div><br><br>            <div class="gmail_msg">    <displayName>AD Group<br><br>              Membership</displayName></div><br><br>            <div class="gmail_msg">   <br><br>              <tolerant>false</tolerant></div><br><br>            <div class="gmail_msg">    <<b class="gmail_msg">tolerantValuePattern</b>>.*(?&lt;!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</<b class="gmail_msg">tolerantValuePattern</b>></div><br><br>            <div class="gmail_msg">   <br><br>              <exclusiveStrong>false</exclusiveStrong></div><br><br>            <div class="gmail_msg">   <br><br>              <kind>entitlement</kind></div><br><br>            <div class="gmail_msg">   <br><br>              <intent>group</intent></div><br><br>            <div class="gmail_msg">   <br><br>              <direction>objectToSubject</direction></div><br><br>            <div class="gmail_msg">   <br><br>              <associationAttribute>ri:member</associationAttribute></div><br><br>            <div class="gmail_msg">   <br><br>              <valueAttribute>ri:dn</valueAttribute></div><br><br>            <div class="gmail_msg">   <br><br><shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute></div><br><br>            <div class="gmail_msg">   <br><br>              <shortcutValueAttribute>ri:dn</shortcutValueAttribute></div><br><br>            <div class="gmail_msg">   
<br><br><explicitReferentialIntegrity>false</explicitReferentialIntegrity></div><br><br>            <div class="gmail_msg"></association></div><br><br>          </div><br><br>          <div class="gmail_msg"><br class="gmail_msg"><br><br>          </div><br><br>          <div class="gmail_msg">The regex matches strings not ended<br><br>            with "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"<br><br>            (groups outside our managed OU) expecting to be tolerant<br><br>            with that values.</div><br><br>          <div class="gmail_msg"><br class="gmail_msg"><br><br>          </div><br><br>          <div class="gmail_msg">Does it work in association as the<br><br>            same way it does for attributes ? Maybe I should create the<br><br>            "memberOf" attribute and define the tolerantValuePattern<br><br>            there.</div><br><br>          <div class="gmail_msg"><br class="gmail_msg"><br><br>          </div><br><br>          <div class="gmail_msg">Which log should I enable to get<br><br>            more information about the pattern evaluation ?</div><br><br>          <div class="gmail_msg"><br class="gmail_msg"><br><br>          </div><br><br>          <div class="gmail_msg">Best regards, </div><br><br>        </div><br><br>        <div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)" class="gmail_msg"><br class="gmail_msg"><br><br>        </div><br><br>        <div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)" class="gmail_msg"><br class="gmail_msg"><br><br>        </div><br><br>      </div><br><br>      <div class="gmail_extra gmail_msg"><br clear="all" class="gmail_msg"><br><br>        <div class="gmail_msg"><br><br>          <div class="m_-7290083841959172986m_5778989534080482134m_2494040908606533194m_-8828315575111521266gmail_signature gmail_msg" data-smartmail="gmail_signature"><br><br>            <div class="gmail_msg"><br><br>              <div 
class="gmail_msg"><br><br>                <div class="gmail_msg"><br><br>                  <div class="gmail_msg"><br><br>                    <div class="gmail_msg"><br><br>                      <div class="gmail_msg"><br><br>                        <div class="gmail_msg"><br><br>                          <div class="gmail_msg"><br><br>                            <div class="gmail_msg"><br><br>                              <div class="gmail_msg"><br><br>                                <div class="gmail_msg"><br><br>                                  <div class="gmail_msg"><br><br>                                    <div class="gmail_msg"><br><br>                                      <div class="gmail_msg"><br><br>                                        <div class="gmail_msg"><font face="arial, helvetica,<br><br>                                            sans-serif" class="gmail_msg"><br class="gmail_msg"><br><br>                                            <br class="gmail_msg"><br><br>                                            <font color="#444444" class="gmail_msg">Ing<br><br>                                              Nicolás Rossi</font><br class="gmail_msg"><br><br>                                            <font color="#999999" class="gmail_msg">Identicum<br><br>                                              S.A.</font><br class="gmail_msg"><br><br>                                            <font color="#999999" class="gmail_msg">Jorge<br><br>                                              Newbery 3226</font><br class="gmail_msg"><br><br>                                            <font color="#999999" class="gmail_msg">Tel:<br><br>                                              <a href="tel:+54%2011%204552-3050" value="+541145523050" class="gmail_msg" target="_blank">+54 (11) 4552-3050</a></font><br class="gmail_msg"><br><br>                                            <font color="#999999" class="gmail_msg"><a href="http://www.identicum.com" class="gmail_msg" 
target="_blank">www.identicum.com</a></font></font><br class="gmail_msg"><br><br>                                        </div><br><br>                                      </div><br><br>                                    </div><br><br>                                  </div><br><br>                                </div><br><br>                              </div><br><br>                            </div><br><br>                          </div><br><br>                        </div><br><br>                      </div><br><br>                    </div><br><br>                  </div><br><br>                </div><br><br>              </div><br><br>            </div><br><br>          </div><br><br>        </div><br><br>        <br class="gmail_msg"><br><br>        <div class="gmail_quote gmail_msg">On Sat, Jan 14, 2017 at 7:22 AM, Pavol<br><br>          Mederly <span class="gmail_msg"><<a href="mailto:mederly@evolveum.com" class="gmail_msg" target="_blank">mederly@evolveum.com</a>></span><br><br>          wrote:<br class="gmail_msg"><br><br>          <blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br><br>            <div bgcolor="#FFFFFF" text="#000000" class="gmail_msg"><br><br>              <p class="gmail_msg">Nicolas, Martin,</p><br><br>              <p class="gmail_msg">for attributes, there is tolerantValuePattern/intolerantValuePattern<br><br>                property pair that could help. Unfortunately, similar<br><br>                mechanism for associations is not implemented yet. 
I'm<br><br>                afraid that neither baseContext nor protected accounts<br><br>                are relevant means to help in your case.</p><br><br>              <p class="gmail_msg">Maybe Radovan or someone with more experiences in this<br><br>                area could help you.<span class="m_-7290083841959172986m_5778989534080482134m_2494040908606533194m_-8828315575111521266HOEnZb gmail_msg"><font color="#888888" class="gmail_msg"><br class="gmail_msg"><br><br>                  </font></span></p><br><br>              <span class="m_-7290083841959172986m_5778989534080482134m_2494040908606533194m_-8828315575111521266HOEnZb gmail_msg"><font color="#888888" class="gmail_msg"><br><br>                  <pre class="m_-7290083841959172986m_5778989534080482134m_2494040908606533194m_-8828315575111521266m_7460053561329814870moz-signature gmail_msg" cols="72">Pavol Mederly<br><br>Software developer<br><br><a href="http://evolveum.com" class="gmail_msg" target="_blank">evolveum.com</a><br><br></pre><br><br>                </font></span><br><br>              <div class="gmail_msg"><br><br>                <div class="m_-7290083841959172986m_5778989534080482134m_2494040908606533194m_-8828315575111521266h5 gmail_msg"><br><br>                  <div class="m_-7290083841959172986m_5778989534080482134m_2494040908606533194m_-8828315575111521266m_7460053561329814870moz-cite-prefix gmail_msg">On<br><br>                    14.01.2017 0:59, Martin Besozzi wrote:<br class="gmail_msg"><br><br>                  </div><br><br>                  <blockquote type="cite" class="gmail_msg"><br><br>                    <div class="gmail_msg"><br><br>                      <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg">Hi,<br><br>                        All.​</div><br><br>                      <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg">Also<br><br>                        we changed the ​"<i class="gmail_msg">baseContext</i>" 
definition<br><br>                        in order to avoid the groups outside the<br><br>                        "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".</div><br><br>                      <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><br class="gmail_msg"><br><br>                      </div><br><br>                      <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><i class="gmail_msg"><baseContext><br class="gmail_msg"><br><br>                        </i></div><br><br>                      <div class="gmail_msg"><br><br>                        <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><i class="gmail_msg"> <br><br>                               <objectClass>ri:organizationalUnit</objectClass></i></div><br><br>                        <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><i class="gmail_msg"> <br><br>                                  <filter></i></div><br><br>                        <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><i class="gmail_msg"> <br><br>                                   <q:equal></i></div><br><br>                        <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><i class="gmail_msg"> <br><br>                                       <br><br>                            <q:path>attributes/dn</q:path></i></div><br><br>                        <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><i class="gmail_msg"> <br><br>                                       <br><br>                            <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value></i></div><br><br>                        <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><i class="gmail_msg"> <br><br>                                   </q:equal></i></div><br><br>                        <div style="font-family:arial,helvetica,sans-serif" 
class="gmail_msg"><i class="gmail_msg"> <br><br>                                 </filter></i></div><br><br>                        <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><i class="gmail_msg"></baseContext></i></div><br><br>                        <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><br class="gmail_msg"><br><br>                        </div><br><br>                        <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg">But<br><br>                          the user shows the group association "<i class="gmail_msg">cn=Identicum,cn=Users,dc=uninorte,dc=local</i>"<br><br>                          which is outside the base context.</div><br><br>                        <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><br class="gmail_msg"><br><br>                        </div><br><br>                        <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><img src="cid:92289c161e32e96c_0.0.1.1" alt="Inline image 1" class="gmail_msg" style="width:667px;max-width:100%"><br class="gmail_msg"><br><br>                        </div><br><br>                        <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><br class="gmail_msg"><br><br>                        </div><br><br>                        <div class="gmail_msg"><br><br>                          <div class="gmail_msg"><font face="arial,<br><br>                              helvetica, sans-serif" class="gmail_msg">Do you have any<br><br>                              suggestion ?</font></div><br><br>                          <div class="gmail_msg"><font face="arial,<br><br>                              helvetica, sans-serif" class="gmail_msg"><br class="gmail_msg"><br><br>                            </font></div><br><br>                          <div class="gmail_msg"><font face="arial,<br><br>                              helvetica, sans-serif" class="gmail_msg">​Best 
regards</font></div><br><br>                        </div><br><br>                      </div><br><br>                      <div style="font-family:arial,helvetica,sans-serif" class="gmail_msg"><br class="gmail_msg"><br><br>                      </div><br><br>                    </div><br><br>                    <div class="gmail_extra gmail_msg"><br clear="all" class="gmail_msg"><br><br>                      <div class="gmail_msg"><br><br>                        <div class="m_-7290083841959172986m_5778989534080482134m_2494040908606533194m_-8828315575111521266m_7460053561329814870gmail_signature gmail_msg" data-smartmail="gmail_signature"><br><br>                          <div class="gmail_msg"><br><br>                            <div class="gmail_msg"><br><br>                              <div class="gmail_msg"><br><br>                                <div class="gmail_msg"><br><br>                                  <div class="gmail_msg"><br><br>                                    <div class="gmail_msg"><br><br>                                      <div class="gmail_msg"><br><br>                                        <div class="gmail_msg"><font face="arial,<br><br>                                            helvetica, sans-serif" class="gmail_msg">Ing<br><br>                                            Martin Besozzi</font></div><br><br>                                        <font face="arial, helvetica,<br><br>                                          sans-serif" class="gmail_msg">Identicum S.A.<br class="gmail_msg"><br><br>                                        </font><br><br>                                        <div class="gmail_msg"><font face="arial, helvetica,<br><br>                                            sans-serif" class="gmail_msg">Jorge Newbery<br><br>                                            3226</font></div><br><br>                                        <div class="gmail_msg"><font face="arial, helvetica,<br><br>                            
                sans-serif" class="gmail_msg">Tel: +54 (11)<br><br>                                            4552-3050</font></div><br><br>                                        <a href="http://www.identicum.com" class="gmail_msg" target="_blank"><font face="arial, helvetica,<br><br>                                            sans-serif" class="gmail_msg">www.identicum.com</font></a><br class="gmail_msg"><br><br>                                      </div><br><br>                                    </div><br><br>                                  </div><br><br>                                </div><br><br>                              </div><br><br>                            </div><br><br>                          </div><br><br>                        </div><br><br>                      </div><br><br>                      <br class="gmail_msg"><br><br>                      <div class="gmail_quote gmail_msg">On Fri, Jan 13, 2017 at<br><br>                        7:41 PM, Nicolas Rossi <span class="gmail_msg"><<a href="mailto:nrossi@identicum.com" class="gmail_msg" target="_blank">nrossi@identicum.com</a>></span><br><br>                        wrote:<br class="gmail_msg"><br><br>                        <blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br><br>                          <div class="gmail_msg"><br><br>                            <div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)" class="gmail_msg">Hi<br><br>                              guys, I have a working AD LDAP resource.<br><br>                              The group association has tolerant flag in<br><br>                              false. So when I reconcile the user, it<br><br>                              removes the user's group memberships found<br><br>                              in AD and not in midPoint. 
I'd like to apply a filter there because midPoint only sees groups under a specific organization unit. So when the user has groups outside this OU they are also removed.</div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)" class="gmail_msg"><br class="gmail_msg"></div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)" class="gmail_msg">I tried with a baseContext definition under the schemaHandling and protected definition but nothing worked.</div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)" class="gmail_msg"><br class="gmail_msg"></div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)" class="gmail_msg">Here are some examples of protected configurations I have tried:</div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)" class="gmail_msg"><br class="gmail_msg"></div>
<div class="gmail_msg">
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg"><protected></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">  <filter></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">    <not></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">      <q:substring></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">        <q:matching>stringIgnoreCase</q:matching></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">        <q:path></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">          declare namespace icfs="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" class="gmail_msg" target="_blank">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>";</font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">          attributes/icfs:name</font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">        </q:path></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">        <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">        <q:anchorEnd>true</q:anchorEnd></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">      </q:substring></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">    </not></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">  </filter></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg"></protected></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg"><br class="gmail_msg"></font></div>
<div class="gmail_msg"><font face="arial, helvetica, sans-serif" color="#444444" class="gmail_msg">The above example tries to match any groups not ending with the managed OU.</font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg"><br class="gmail_msg"></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg"><protected></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">  <filter></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">    <q:equal></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">      <path>ri:dn</path></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">      <value>CN=Domain Admins,DC=uninorte,DC=local</value></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">    </q:equal></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg">  </filter></font></div>
<div class="gmail_msg"><font face="monospace, monospace" color="#444444" class="gmail_msg"></protected></font></div>
</div>
<div class="gmail_msg">
<div class="m_-7290083841959172986m_5778989534080482134m_2494040908606533194m_-8828315575111521266m_7460053561329814870m_924213204947202457gmail_signature gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg">
<div class="gmail_msg"><font face="arial, helvetica, sans-serif" class="gmail_msg"><br class="gmail_msg"></font></div>
<div class="gmail_msg"><font face="arial, helvetica, sans-serif" class="gmail_msg"><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline" class="gmail_msg">This tries to match a specific group.</div></font></div>
<div class="gmail_msg"><font face="arial, helvetica, sans-serif" class="gmail_msg"><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline" class="gmail_msg"><br class="gmail_msg"></div></font></div>
<div class="gmail_msg"><font face="arial, helvetica, sans-serif" class="gmail_msg"><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline" class="gmail_msg">Do you have any suggestions?</div></font></div>
<div class="gmail_msg"><font face="arial, helvetica, sans-serif" class="gmail_msg"><font color="#444444" class="gmail_msg"><br class="gmail_msg"></font></font></div>
<div class="gmail_msg"><font face="arial, helvetica, sans-serif" class="gmail_msg"><font color="#444444" class="gmail_msg"><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline" class="gmail_msg">Best regards,</div></font></font></div>
<div class="gmail_msg"><font face="arial, helvetica, sans-serif" class="gmail_msg"><font color="#444444" class="gmail_msg"><br class="gmail_msg"></font><br class="gmail_msg"><font color="#444444" class="gmail_msg">Ing Nicolás Rossi</font><br class="gmail_msg"><font color="#999999" class="gmail_msg">Identicum S.A.</font><br class="gmail_msg"><font color="#999999" class="gmail_msg">Jorge Newbery 3226</font><br class="gmail_msg"><font color="#999999" class="gmail_msg">Tel: +54 (11) 4552-3050</font><br class="gmail_msg"><font color="#999999" class="gmail_msg"><a href="http://www.identicum.com" class="gmail_msg" target="_blank">www.identicum.com</a></font></font><br class="gmail_msg"></div>
</div>
</div>
</div>
</div></div></div></div></div></div></div>
</div></div></div></div></div></div></div>
<br class="gmail_msg">
_______________________________________________<br class="gmail_msg">
midPoint mailing list<br class="gmail_msg">
<a href="mailto:midPoint@lists.evolveum.com" class="gmail_msg" target="_blank">midPoint@lists.evolveum.com</a><br class="gmail_msg">
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" class="gmail_msg" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br class="gmail_msg">
<br class="gmail_msg">
</blockquote>
</div>
<br class="gmail_msg">
</div>
<br class="gmail_msg">
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div><br class="gmail_msg"></div></div></div>
</blockquote></div><br class="gmail_msg"></div></div></div></div>
</blockquote></div><br class="gmail_msg"></div>
</blockquote></div></div>