<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello Nicolas,</p>
<p>yes, unfortunately - as I said - it is <i>not</i> currently
supported. (You can look at <tt>ReconciliationProcessor.decideIfTolerate</tt>
vs <tt>decideIfTolerateAssociation</tt>.)</p>
<p>More details (but maybe not much, anyway) can be seen by enabling
TRACE logging for <tt>com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor</tt>.
But that wouldn't help with associations, anyway. Only with
attributes.<br>
</p>
<p>Using the memberOf attribute might <i>probably</i> help. But you
would need to forget about managing that attribute using
associations, and return to managing its values explicitly. (A
step back into the times of midPoint 2.x.) That would probably mean
a lot of complications, and I strongly do not recommend it.</p>
<p>Maybe the best way would be to wait for Radovan. He'll be
certainly able to tell what to do.<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 14.01.2017 11:59, Nicolas Rossi
wrote:<br>
</div>
<blockquote
cite="mid:CAAxX8ciV71K63-H=JOObfD+Ng5Xk-7VUMEXg5q6jCVG-QSgoFA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
Pavol, I tried with that setting but it didn't work. Here is
my configuration:</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">
<div class="gmail_default">
<pre>&lt;association&gt;
    &lt;c:ref&gt;ri:group&lt;/c:ref&gt;
    &lt;displayName&gt;AD Group Membership&lt;/displayName&gt;
    &lt;tolerant&gt;false&lt;/tolerant&gt;
    &lt;<b>tolerantValuePattern</b>&gt;.*(?&lt;!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$&lt;/<b>tolerantValuePattern</b>&gt;
    &lt;exclusiveStrong&gt;false&lt;/exclusiveStrong&gt;
    &lt;kind&gt;entitlement&lt;/kind&gt;
    &lt;intent&gt;group&lt;/intent&gt;
    &lt;direction&gt;objectToSubject&lt;/direction&gt;
    &lt;associationAttribute&gt;ri:member&lt;/associationAttribute&gt;
    &lt;valueAttribute&gt;ri:dn&lt;/valueAttribute&gt;
    &lt;shortcutAssociationAttribute&gt;ri:memberOf&lt;/shortcutAssociationAttribute&gt;
    &lt;shortcutValueAttribute&gt;ri:dn&lt;/shortcutValueAttribute&gt;
    &lt;explicitReferentialIntegrity&gt;false&lt;/explicitReferentialIntegrity&gt;
&lt;/association&gt;</pre>
</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">The regex matches strings not ending
with "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
(groups outside our managed OU), expecting it to be tolerant
of those values.</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">Does it work for associations the
same way it does for attributes? Maybe I should create the
"memberOf" attribute and define the tolerantValuePattern
there.</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">Which log should I enable to get
more information about the pattern evaluation?</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">Best regards, </div>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr"><font face="arial, helvetica, sans-serif"><br>
<br>
<font color="#444444">Ing Nicolás Rossi</font><br>
<font color="#999999">Identicum S.A.</font><br>
<font color="#999999">Jorge Newbery 3226</font><br>
<font color="#999999">Tel: +54 (11) 4552-3050</font><br>
<font color="#999999"><a moz-do-not-send="true" href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Sat, Jan 14, 2017 at 7:22 AM, Pavol
Mederly <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Nicolas, Martin,</p>
<p>for attributes, there is the tolerantValuePattern/intolerantValuePattern
property pair that could help. Unfortunately, a similar
mechanism for associations is not implemented yet. I'm
afraid that neither baseContext nor protected accounts
are relevant means to help in your case.</p>
<p>Maybe Radovan or someone with more experience in this
area could help you.<span class="HOEnZb"><font
color="#888888"><br>
</font></span></p>
<span class="HOEnZb"><font color="#888888">
<pre class="m_7460053561329814870moz-signature" cols="72">Pavol Mederly
Software developer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span>
<div>
<div class="h5">
<div class="m_7460053561329814870moz-cite-prefix">On
14.01.2017 0:59, Martin Besozzi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">Hi,
All.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">We also
changed the "<i>baseContext</i>" definition
in order to avoid the groups outside
"OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default">
<pre>&lt;baseContext&gt;
    &lt;objectClass&gt;ri:organizationalUnit&lt;/objectClass&gt;
    &lt;filter&gt;
        &lt;q:equal&gt;
            &lt;q:path&gt;attributes/dn&lt;/q:path&gt;
            &lt;q:value&gt;OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local&lt;/q:value&gt;
        &lt;/q:equal&gt;
    &lt;/filter&gt;
&lt;/baseContext&gt;</pre>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">But
the user shows the group association "<i>cn=Identicum,cn=Users,dc=uninorte,dc=local</i>",
which is outside the base context.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">[Inline image 1]<br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default">
<div class="gmail_default"><font face="arial,
helvetica, sans-serif">Do you have any
suggestion?</font></div>
<div class="gmail_default"><font face="arial,
helvetica, sans-serif"><br>
</font></div>
<div class="gmail_default"><font face="arial,
helvetica, sans-serif">Best regards</font></div>
</div>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_7460053561329814870gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr"><font face="arial, helvetica, sans-serif">Ing Martin Besozzi<br>
Identicum S.A.<br>
Jorge Newbery 3226<br>
Tel: +54 (11) 4552-3050<br>
<a moz-do-not-send="true" href="http://www.identicum.com" target="_blank">www.identicum.com</a></font><br>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Fri, Jan 13, 2017 at
7:41 PM, Nicolas Rossi <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:nrossi@identicum.com"
target="_blank">nrossi@identicum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, I have a working AD LDAP resource.
The group association has the tolerant flag set to
false. So when I reconcile the user, it
removes the user's group memberships found
in AD and not in midPoint. I'd like to
apply a filter there because midPoint only
sees groups under a specific organizational
unit. So when the user has groups outside
this OU they are also removed.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
tried with a baseContext definition under
the schemaHandling and a protected
definition, but nothing worked.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Here
are some examples of protected
configurations I have tried:</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default">
<pre>&lt;protected&gt;
    &lt;filter&gt;
        &lt;not&gt;
            &lt;q:substring&gt;
                &lt;q:matching&gt;stringIgnoreCase&lt;/q:matching&gt;
                &lt;q:path&gt;
                    declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
                    attributes/icfs:name
                &lt;/q:path&gt;
                &lt;q:value&gt;OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local&lt;/q:value&gt;
                &lt;q:anchorEnd&gt;true&lt;/q:anchorEnd&gt;
            &lt;/q:substring&gt;
        &lt;/not&gt;
    &lt;/filter&gt;
&lt;/protected&gt;</pre>
<div class="gmail_default"><font face="arial, helvetica, sans-serif" color="#444444">The above example tries to match any groups not ending with the managed OU.</font></div>
<pre>&lt;protected&gt;
    &lt;filter&gt;
        &lt;q:equal&gt;
            &lt;path&gt;ri:dn&lt;/path&gt;
            &lt;value&gt;CN=Domain Admins,DC=uninorte,DC=local&lt;/value&gt;
        &lt;/q:equal&gt;
    &lt;/filter&gt;
&lt;/protected&gt;</pre>
</div>
<div>
<div class="m_7460053561329814870m_924213204947202457gmail_signature">
<div dir="ltr"><font face="arial, helvetica, sans-serif"><br>
</font></div>
<div dir="ltr" class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">This tries to match a specific group.</div>
<div dir="ltr"><br></div>
<div dir="ltr" class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Do you have any suggestion?</div>
<div dir="ltr"><br></div>
<div dir="ltr" class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Best regards,</div>
<div dir="ltr"><font face="arial, helvetica, sans-serif"><br>
<font color="#444444">Ing Nicolás Rossi</font><br>
<font color="#999999">Identicum S.A.</font><br>
<font color="#999999">Jorge Newbery 3226</font><br>
<font color="#999999">Tel: +54 (11) 4552-3050</font><br>
<font color="#999999"><a moz-do-not-send="true" href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com"
target="_blank">midPoint@lists.evolveum.com</a><br>
<a moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
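<p>An added illustration, written for this page and not taken from the thread or from midPoint, of the attribute-level tolerant/intolerant pattern rule that Pavol says is not available for associations, and of why <tt>tolerant=false</tt> with no pattern is destructive here: reconciliation deletes every membership midPoint did not assign, including groups outside the managed OU such as the Domain Admins group Nicolas tried to protect. The decision logic is an approximation assumed for the example (a matching <tt>intolerantValuePattern</tt> wins, then a matching <tt>tolerantValuePattern</tt>, otherwise the <tt>tolerant</tt> flag decides; patterns must match the whole value, as with Java's <tt>Pattern.matches</tt>), and the group names App_Users, App_Admins and Helpdesk are hypothetical. Instead of the posted negative-lookbehind regex it uses the positive form <tt>.*,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</tt> as an <tt>intolerantValuePattern</tt> together with <tt>tolerant=true</tt>, which expresses the same rule. The lower-case DN in Martin's screenshot motivates the second scenario: Active Directory compares DNs case-insensitively, a regex does not unless prefixed with <tt>(?i)</tt>, so a case-sensitive pattern leaves a stale membership in the managed OU untouched when AD happens to return it in different case. Note that, as Pavol points out, applying any of this in midPoint would mean managing <tt>memberOf</tt> as a plain attribute rather than through the association.</p>

```python
import re

# Constructed sample data modelled on the DNs in the thread. The group names
# App_Users, App_Admins and Helpdesk are hypothetical; the lower-cased DNs
# mirror the one visible in Martin's screenshot.
MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"

RESOURCE_MEMBER_OF = [
    "CN=App_Users," + MANAGED_OU,        # managed OU, assigned in midPoint
    "CN=App_Admins," + MANAGED_OU,       # managed OU, stale (not assigned in midPoint)
    "CN=Domain Admins,CN=Users,DC=uninorte,DC=local",   # outside the managed OU
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",       # outside, lower-case DN
    "CN=Helpdesk,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",  # managed OU, lower-case, stale
]
MIDPOINT_MEMBER_OF = ["CN=App_Users," + MANAGED_OU]

# "Value ends with the managed OU", the positive form of the posted regex.
# MANAGED_OU contains no regex metacharacters, so it can be concatenated as-is.
MANAGED_OU_PATTERN = r".*," + MANAGED_OU
# AD treats DNs case-insensitively; a regex does not unless told to.
MANAGED_OU_PATTERN_CI = "(?i)" + MANAGED_OU_PATTERN
# Allow-list variant: only memberships in the Users container may stay.
USERS_CONTAINER_PATTERN_CI = r"(?i).*,CN=Users,DC=uninorte,DC=local"


def is_tolerated(value, tolerant, tolerant_patterns=(), intolerant_patterns=()):
    """Per-value decision. This approximates midPoint's attribute-level rule and
    is an assumption of this example, not the project's code: a matching
    intolerantValuePattern wins, then a matching tolerantValuePattern, otherwise
    the tolerant flag decides. Patterns must match the whole value, as with
    Java's Pattern.matches()."""
    if any(re.fullmatch(p, value) for p in intolerant_patterns):
        return False
    if any(re.fullmatch(p, value) for p in tolerant_patterns):
        return True
    return tolerant


def reconcile(resource_values, midpoint_values, tolerant,
              tolerant_patterns=(), intolerant_patterns=()):
    """Split the values found on the resource into the ones reconciliation
    leaves alone and the ones it deletes. A value midPoint itself assigns is
    always kept; everything else goes through is_tolerated()."""
    kept, removed = [], []
    for value in resource_values:
        if value in midpoint_values or is_tolerated(
                value, tolerant, tolerant_patterns, intolerant_patterns):
            kept.append(value)
        else:
            removed.append(value)
    return kept, removed


def scenarios():
    """Memberships each configuration would delete from the sample account."""
    return {
        # the thread's starting point: tolerant=false and no pattern at all
        "tolerant_false": reconcile(RESOURCE_MEMBER_OF, MIDPOINT_MEMBER_OF, False)[1],
        # tolerant=true plus a case-sensitive intolerantValuePattern for the managed OU
        "intolerant_managed_ou": reconcile(
            RESOURCE_MEMBER_OF, MIDPOINT_MEMBER_OF, True,
            intolerant_patterns=[MANAGED_OU_PATTERN])[1],
        # the same pattern made case-insensitive
        "intolerant_managed_ou_ci": reconcile(
            RESOURCE_MEMBER_OF, MIDPOINT_MEMBER_OF, True,
            intolerant_patterns=[MANAGED_OU_PATTERN_CI])[1],
        # tolerant=false plus a tolerantValuePattern allow-list
        "allow_users_container": reconcile(
            RESOURCE_MEMBER_OF, MIDPOINT_MEMBER_OF, False,
            tolerant_patterns=[USERS_CONTAINER_PATTERN_CI])[1],
    }


if __name__ == "__main__":
    for name, removed in scenarios().items():
        print(name)
        for dn in removed:
            print("  would delete:", dn)
```

<p>Run it with <tt>python3</tt>; <tt>scenarios()</tt> returns, per configuration, the DNs reconciliation would strip from the account. The first scenario deletes four memberships, three of them outside the OU midPoint is supposed to manage; the case-sensitive intolerant pattern keeps the outside groups but also keeps the stale lower-case managed-OU membership; the <tt>(?i)</tt> variant and the allow-list both remove exactly the two stale managed-OU memberships. Of the two, the allow-list form (<tt>tolerant=false</tt> plus patterns for what may stay) fails closed: a group in a container nobody anticipated is removed rather than silently kept.</p>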
</body></html>