<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi Jason, thank you for your feedback. I'll try it. Do you know if it works with associations? Because we trigger a user modification, not a group modification. The user has an association to the group through the memberOf attribute and it looks like this modification does not filter the group definition (i.e. protected, baseContext...).</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regards,</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Sat, Jan 14, 2017 at 5:20 PM, Jason Everling <span dir="ltr"><<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">We filter out unwanted groups; Pavol or Ivan helped with this a long time ago. Would this not work under the sync settings? The below filters out any groups with the AD attribute 'info' not set to mpgroup. When we create a role in midPoint that should be an AD group, we set the roleType to mpgroup and it then gets pushed to AD, like the role below, which only assigns the metarole with inducements if mpgroup is present.<div><br></div><pre>
<objectClass>ri:CustomGroupObjectClass</objectClass>
<kind>entitlement</kind>
<intent>group</intent>
<focusType>c:RoleType</focusType>
<enabled>true</enabled>
<font color="#ff9900"><condition>
    <script>
        <code>
            tmp = basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'info');
            return (tmp == 'mpgroup')
        </code>
    </script>
</condition></font>
<correlation>
    <q:equal>
        <q:path>c:name</q:path>
        <expression>
            <script>
</pre><div>Role:</div><pre>
<mapping>
    <name>Metarole Security Group Assignment</name>
    <authoritative>true</authoritative>
    <source>
        <c:path>roleType</c:path>
    </source>
    <expression>
        <assignmentTargetSearch>
            <targetType>c:RoleType</targetType>
            <oid>11111111-2222-3333-4444-200000000001</oid>
        </assignmentTargetSearch>
    </expression>
    <target>
        <c:path>assignment</c:path>
    </target>
    <condition>
        <script>
            <code>roleType == 'mpgroup'</code>
        </script>
    </condition>
</mapping>
</pre></div><div class="gmail_extra"><span class="HOEnZb"><font color="#888888"><br clear="all"><div><div class="m_2494040908606533194gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">JASON</div></div></div></font></span><div><div class="h5">
<br><div class="gmail_quote">On Sat, Jan 14, 2017 at 5:15 AM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hello Nicolas,</p>
<p>yes, unfortunately - as I said - it is <i>not</i> currently
supported. (You can look at <tt>ReconciliationProcessor.decideIfTolerate</tt>
vs <tt>decideIfTolerateAssociation</tt>.)</p>
<p>More details (but maybe not much, anyway) can be seen by enabling
TRACE logging for <tt>com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor</tt>.
But that wouldn't help with associations, anyway. Only with
attributes.<br>
</p>
<p>Using the memberOf attribute might <i>probably</i> help. But you
would need to forget about managing that attribute using
associations, and return to managing its values explicitly. (A
step back into the times of midPoint 2.x.) That would probably mean a
lot of complications, and I strongly do not recommend it.</p>
<p>Maybe the best way would be to wait for Radovan. He'll be
certainly able to tell what to do.<br>
</p><span>
<pre class="m_2494040908606533194m_-8828315575111521266moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span><div><div class="m_2494040908606533194h5"><div class="m_2494040908606533194m_-8828315575111521266moz-cite-prefix">On 14.01.2017 11:59, Nicolas Rossi
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
Pavol, I tried with that setting but it didn't work. Here is
my configuration:</div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">
<div><pre><association>
    <c:ref>ri:group</c:ref>
    <displayName>AD Group Membership</displayName>
    <tolerant>false</tolerant>
    <<b>tolerantValuePattern</b>>.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</<b>tolerantValuePattern</b>>
    <exclusiveStrong>false</exclusiveStrong>
    <kind>entitlement</kind>
    <intent>group</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>ri:dn</valueAttribute>
    <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
    <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association></pre></div>
<div><br>
</div>
<div>The regex matches strings not ending
with "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
(groups outside our managed OU), expecting to be tolerant
with those values.</div>
<div><br>
</div>
<div>Does it work for associations the
same way it does for attributes? Maybe I should create the
"memberOf" attribute and define the tolerantValuePattern
there.</div>
<div><br>
</div>
<div>Which log should I enable to get
more information about the pattern evaluation?</div>
<div><br>
</div>
<div>Best regards, </div>
</div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_2494040908606533194m_-8828315575111521266gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
<a href="tel:+54%2011%204552-3050" value="+541145523050" target="_blank">+54 (11) 4552-3050</a></font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Sat, Jan 14, 2017 at 7:22 AM, Pavol
Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Nicolas, Martin,</p>
<p>for attributes, there is the tolerantValuePattern/intolerantValuePattern
property pair that could help. Unfortunately, a similar
mechanism for associations is not implemented yet. I'm
afraid that neither baseContext nor protected accounts
are relevant means to help in your case.</p>
<p>Maybe Radovan or someone with more experience in this
area could help you.<span class="m_2494040908606533194m_-8828315575111521266HOEnZb"><font color="#888888"><br>
</font></span></p>
<span class="m_2494040908606533194m_-8828315575111521266HOEnZb"><font color="#888888">
<pre class="m_2494040908606533194m_-8828315575111521266m_7460053561329814870moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span>
<div>
<div class="m_2494040908606533194m_-8828315575111521266h5">
<div class="m_2494040908606533194m_-8828315575111521266m_7460053561329814870moz-cite-prefix">On
14.01.2017 0:59, Martin Besozzi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div style="font-family:arial,helvetica,sans-serif">Hi,
All.</div>
<div style="font-family:arial,helvetica,sans-serif">Also
we changed the "<i>baseContext</i>" definition
in order to avoid the groups outside
"OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".</div>
<div style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div style="font-family:arial,helvetica,sans-serif"><pre><baseContext>
    <objectClass>ri:organizationalUnit</objectClass>
    <filter>
        <q:equal>
            <q:path>attributes/dn</q:path>
            <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
        </q:equal>
    </filter>
</baseContext></pre></div>
<div>
<div style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div style="font-family:arial,helvetica,sans-serif">But
the user shows the group association "<i>cn=Identicum,cn=Users,dc=uninorte,dc=local</i>"
which is outside the base context.</div>
<div style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div style="font-family:arial,helvetica,sans-serif"><img src="cid:part4.614BB8A7.5D51757E@evolveum.com" alt="Inline image 1" height="113" width="472"><br>
</div>
<div style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div>
<div><font face="arial,
helvetica, sans-serif">Do you have any
suggestions?</font></div>
<div><font face="arial,
helvetica, sans-serif"><br>
</font></div>
<div><font face="arial,
helvetica, sans-serif">Best regards</font></div>
</div>
</div>
<div style="font-family:arial,helvetica,sans-serif"><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_2494040908606533194m_-8828315575111521266m_7460053561329814870gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><font face="arial,
helvetica, sans-serif">Ing
Martin Besozzi</font></div>
<font face="arial, helvetica,
sans-serif">Identicum S.A.<br>
</font>
<div dir="ltr"><font face="arial, helvetica,
sans-serif">Jorge Newbery
3226</font></div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif">Tel: +54 (11)
4552-3050</font></div>
<a href="http://www.identicum.com" target="_blank"><font face="arial, helvetica,
sans-serif">www.identicum.com</font></a><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Fri, Jan 13, 2017 at
7:41 PM, Nicolas Rossi <span dir="ltr"><<a href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, I have a working AD LDAP resource.
The group association has the tolerant flag set to
false. So when I reconcile the user, it
removes the user's group memberships found
in AD and not in midPoint. I'd like to
apply a filter there because midPoint only
sees groups under a specific organizational
unit. So when the user has groups outside
this OU, they are also removed.</div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
tried with a baseContext definition under
schemaHandling and a protected
definition, but nothing worked.</div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Here
are some examples of protected
configurations I have tried:</div>
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div>
<pre><protected>
    <filter>
        <not>
            <q:substring>
                <q:matching>stringIgnoreCase</q:matching>
                <q:path>
                    declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
                    attributes/icfs:name
                </q:path>
                <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value>
                <q:anchorEnd>true</q:anchorEnd>
            </q:substring>
        </not>
    </filter>
</protected></pre>
<div><font face="arial, helvetica, sans-serif" color="#444444">The above example
tries to match any groups not ending
with the managed OU.</font></div>
<pre><protected>
    <filter>
        <q:equal>
            <path>ri:dn</path>
            <value>CN=Domain Admins,DC=uninorte,DC=local</value>
        </q:equal>
    </filter>
</protected></pre>
</div>
<div>
<div class="m_2494040908606533194m_-8828315575111521266m_7460053561329814870m_924213204947202457gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif">
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">This
tries to match a
specific
group.</div>
</font></div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif">
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline"><br>
</div>
</font></div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif">
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">Do
you have any
suggestions?</div>
</font></div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><font color="#444444"><br>
</font></font></div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><font color="#444444">
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">Best
regards,</div>
</font></font></div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><font color="#444444">
<div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline"></div>
<br>
</font><br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54
(11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
<br></blockquote></div><br></div></div></div>
<br></blockquote></div><br></div></div>
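<p>To make the <tt>tolerantValuePattern</tt> regex quoted in this thread concrete, here is an added Python model (not midPoint code and not from any participant) of the per-value decision midPoint documents for attributes: a value matching the pattern is tolerated, otherwise the <tt>tolerant</tt> flag decides. As Pavol notes, the pattern was not evaluated for associations in that midPoint version, so this covers the attribute case only, and it shows one caveat the lower-case <tt>cn=Identicum,cn=Users,dc=uninorte,dc=local</tt> DN hints at: the regex is case-sensitive while LDAP DNs are not. The whole-value match and the sample group DNs are assumptions.</p>

```python
import re

# Constructed sample data; only the managed OU and the cn=Identicum DN are quoted from the thread.
MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"

# tolerantValuePattern exactly as in Nicolas's association definition: a DN matches
# (is meant to be tolerated) only if it does NOT end in the managed OU.
TOLERANT_PATTERN = r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"

# Suggested variant (hypothetical, not from the thread): LDAP DNs compare case-insensitively,
# a regex does not, so the inline (?i) flag stops a differently-cased DN from slipping past.
TOLERANT_PATTERN_CI = "(?i)" + TOLERANT_PATTERN


def is_tolerated(value, tolerant, tolerant_patterns=()):
    """Model of the per-value decision midPoint documents for attributes:
    a value matching any tolerantValuePattern is tolerated, otherwise the
    'tolerant' flag decides.  Assumption: the whole value must match."""
    return any(re.fullmatch(p, value) for p in tolerant_patterns) or tolerant


def reconcile(resource_values, midpoint_values, tolerant, tolerant_patterns=()):
    """Classify the memberships found on the resource.  Returns (kept, removed):
    values midPoint owns are kept, foreign values are kept only if tolerated,
    everything else is what a reconciliation with tolerant=false deletes."""
    kept, removed = [], []
    for value in resource_values:
        if value in midpoint_values or is_tolerated(value, tolerant, tolerant_patterns):
            kept.append(value)
        else:
            removed.append(value)
    return kept, removed


# Constructed group DNs for one user.
AD_GROUPS = [
    "CN=App-Admins," + MANAGED_OU,                  # managed OU, known to midPoint
    "CN=Legacy-Group," + MANAGED_OU,                # managed OU, unknown to midPoint
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",   # outside the OU (quoted in the thread)
    "CN=Old-Group,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",  # managed OU, other case
]
MIDPOINT_GROUPS = {"CN=App-Admins," + MANAGED_OU}


def demo():
    """Three runs: no pattern (the problem in the thread), the quoted pattern, the (?i) variant."""
    no_pattern = reconcile(AD_GROUPS, MIDPOINT_GROUPS, tolerant=False)
    quoted = reconcile(AD_GROUPS, MIDPOINT_GROUPS, False, [TOLERANT_PATTERN])
    case_insensitive = reconcile(AD_GROUPS, MIDPOINT_GROUPS, False, [TOLERANT_PATTERN_CI])
    return no_pattern, quoted, case_insensitive


if __name__ == "__main__":
    for label, (kept, removed) in zip(("no pattern", "quoted pattern", "(?i) pattern"), demo()):
        print(f"{label}: kept={kept} removed={removed}")
```

With the quoted pattern the lower-cased managed-OU group is wrongly tolerated and survives reconciliation; the (?i) variant removes it like any other unmanaged value in the OU.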