<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi Pavol, have you talked with Radovan about this issue?</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regards,</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Sat, Jan 14, 2017 at 8:15 AM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hello Nicolas,</p>
<p>yes, unfortunately - as I said - it is <i>not</i> currently
supported. (You can look at <tt>ReconciliationProcessor.decideIfTolerate</tt>
vs <tt>decideIfTolerateAssociation</tt>.)</p>
<p>More details (but maybe not much, anyway) can be seen by enabling
TRACE logging for <tt>com.evolveum.midpoint.model.impl.lens.projector.ReconciliationProcessor</tt>.
But that wouldn't help with associations, anyway. Only with
attributes.<br>
</p>
<p>Using the memberOf attribute might <i>probably</i> help. But you
would need to forget about managing that attribute using
associations, and return to managing its values explicitly. (A
step back into the times of midPoint 2.x.) That would probably mean a
lot of complications, and I strongly do not recommend it.</p>
<p>Maybe the best way would be to wait for Radovan. He'll be
certainly able to tell what to do.<br>
</p><span class="">
<pre class="m_-2735851189275682983moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span><div><div class="h5"><div class="m_-2735851189275682983moz-cite-prefix">On 14.01.2017 11:59, Nicolas Rossi
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
Pavol, I tried with that setting but it didn't work. Here is
my configuration:</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">
<div class="gmail_default">
<div class="gmail_default"><association></div>
<div class="gmail_default"> <c:ref>ri:group</c:ref></div>
<div class="gmail_default"> <displayName>AD Group Membership</displayName></div>
<div class="gmail_default"> <tolerant>false</tolerant></div>
<div class="gmail_default"> <<b>tolerantValuePattern</b>>.*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$</<b>tolerantValuePattern</b>></div>
<div class="gmail_default"> <exclusiveStrong>false</exclusiveStrong></div>
<div class="gmail_default"> <kind>entitlement</kind></div>
<div class="gmail_default"> <intent>group</intent></div>
<div class="gmail_default"> <direction>objectToSubject</direction></div>
<div class="gmail_default"> <associationAttribute>ri:member</associationAttribute></div>
<div class="gmail_default"> <valueAttribute>ri:dn</valueAttribute></div>
<div class="gmail_default"> <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute></div>
<div class="gmail_default"> <shortcutValueAttribute>ri:dn</shortcutValueAttribute></div>
<div class="gmail_default"> <explicitReferentialIntegrity>false</explicitReferentialIntegrity></div>
<div class="gmail_default"></association></div>
</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">The regex matches strings not ending
with "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
(groups outside our managed OU), expecting it to be tolerant
with those values.</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">Does it work for associations the
same way it does for attributes? Maybe I should create the
"memberOf" attribute and define the tolerantValuePattern
there.</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">Which log should I enable to get
more information about the pattern evaluation?</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">Best regards, </div>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_-2735851189275682983gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54 (11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Sat, Jan 14, 2017 at 7:22 AM, Pavol
Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Nicolas, Martin,</p>
<p>for attributes, there is a tolerantValuePattern/intolerantValuePattern
property pair that could help. Unfortunately, a similar
mechanism for associations is not implemented yet. I'm
afraid that neither baseContext nor protected accounts
are relevant means to help in your case.</p>
<p>Maybe Radovan or someone with more experience in this
area could help you.<span class="m_-2735851189275682983HOEnZb"><font color="#888888"><br>
</font></span></p>
<span class="m_-2735851189275682983HOEnZb"><font color="#888888">
<pre class="m_-2735851189275682983m_7460053561329814870moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span>
<div>
<div class="m_-2735851189275682983h5">
<div class="m_-2735851189275682983m_7460053561329814870moz-cite-prefix">On
14.01.2017 0:59, Martin Besozzi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Hi
all.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif">We
also changed the "<i>baseContext</i>" definition
in order to avoid the groups outside
"OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local".</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i><baseContext></i></div>
<div class="gmail_default">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> <objectClass>ri:organizationalUnit</objectClass></i></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> <filter></i></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> <q:equal></i></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> <q:path>attributes/dn</q:path></i></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value></i></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> </q:equal></i></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i> </filter></i></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><i></baseContext></i></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif">But
the user shows the group association "<i>cn=Identicum,cn=Users,dc=uninorte,dc=local</i>"
which is outside the base context.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><img src="cid:part4.614BB8A7.5D51757E@evolveum.com" alt="Inline image 1" height="113" width="472"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default">
<div class="gmail_default"><font face="arial,
helvetica, sans-serif">Do you have any
suggestion?</font></div>
<div class="gmail_default"><font face="arial,
helvetica, sans-serif"><br>
</font></div>
<div class="gmail_default"><font face="arial,
helvetica, sans-serif">Best regards</font></div>
</div>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_-2735851189275682983m_7460053561329814870gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><font face="arial,
helvetica, sans-serif">Ing
Martin Besozzi</font></div>
<font face="arial, helvetica,
sans-serif">Identicum S.A.<br>
</font>
<div dir="ltr"><font face="arial, helvetica,
sans-serif">Jorge Newbery
3226</font></div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif">Tel: +54 (11)
4552-3050</font></div>
<a href="http://www.identicum.com" target="_blank"><font face="arial, helvetica,
sans-serif">www.identicum.com</font></a><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Fri, Jan 13, 2017 at
7:41 PM, Nicolas Rossi <span dir="ltr"><<a href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, I have a working AD LDAP resource.
The group association has the tolerant flag set to
false. So when I reconcile the user, it
removes the user's group memberships found
in AD and not in midPoint. I'd like to
apply a filter there because midPoint only
sees groups under a specific organizational
unit. So when the user has groups outside
this OU, they are also removed.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
tried with a baseContext definition under
schemaHandling and with a protected
definition, but nothing worked.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Here
are some examples of protected
configurations I have tried:</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default">
<div class="gmail_default"><font face="monospace, monospace" color="#444444"><protected></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> <filter></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> <not></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> <q:substring></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> <q:matching>stringIgnoreCase</q:matching></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> <q:path></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> declare namespace icfs="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>";</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> attributes/icfs:name</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> </q:path></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> <q:value>OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local</q:value></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> <q:anchorEnd>true</q:anchorEnd></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> </q:substring></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> </not></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> </filter></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"></protected></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"><br>
</font></div>
<div class="gmail_default"><font face="arial, helvetica, sans-serif" color="#444444">The above example
tries to match any groups not ending
with the managed OU.</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"><br>
</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"><protected></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> <filter></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> <q:equal></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> <path>ri:dn</path></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> <value>CN=Domain Admins,DC=uninorte,DC=local</value></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> </q:equal></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"> </filter></font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444"></protected></font></div>
</div>
<div>
<div class="m_-2735851189275682983m_7460053561329814870m_924213204947202457gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">This
tries to match a specific group.</div>
</font></div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline"><br>
</div>
</font></div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">Do
you have any suggestion?</div>
</font></div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><font color="#444444"><br>
</font></font></div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><font color="#444444">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">Best
regards,</div>
</font></font></div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><font color="#444444">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline"></div>
<br>
</font><br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54
(11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
<br></blockquote></div><br></div>
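As an added illustration (not code from the thread or from midPoint itself), here is a Python emulation of how an attribute-level tolerantValuePattern would sort the DNs discussed above during reconciliation, using the regex from Nicolas's association definition. It assumes the pattern is a Java-style regex that must match the whole value, and every group DN except the one quoted in the thread is constructed sample data.

```python
import re

# Pattern copied verbatim from the association definition in the thread.
# The negative lookbehind is a fixed-width literal, so Python's re treats
# it as java.util.regex does: a value matches only when it does NOT end
# with the managed OU.
TOLERANT_VALUE_PATTERN = r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"


def is_tolerated(dn, pattern=TOLERANT_VALUE_PATTERN, ignore_case=False):
    """True when the whole DN matches the tolerant pattern.

    Assumed semantics (not verified against the midPoint source): the
    pattern must match the entire attribute value, as String.matches() would.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(pattern, dn, flags) is not None


def reconcile_memberships(in_ad, in_midpoint, tolerant=False, ignore_case=False):
    """Emulate the reconciliation decision described in the thread.

    A membership present in AD but not in midPoint is removed when the
    attribute is intolerant, unless the value matches the tolerant pattern.
    Returns (kept, removed) in the order the AD values were given.
    """
    kept, removed = [], []
    for dn in in_ad:
        if dn in in_midpoint or tolerant or is_tolerated(dn, ignore_case=ignore_case):
            kept.append(dn)
        else:
            removed.append(dn)
    return kept, removed


# Constructed sample data: two hypothetical groups inside the managed OU,
# the DN quoted in the thread, and a lowercase-cased DN that is also inside
# the managed OU (AD does not guarantee the casing of DN attribute names).
AD_MEMBERSHIPS = [
    "CN=Helpdesk,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "CN=App-Admins,OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local",
    "cn=Identicum,cn=Users,dc=uninorte,dc=local",
    "cn=Legacy,ou=grupos_seguridad,ou=uninorte,dc=uninorte,dc=local",
]
MIDPOINT_MEMBERSHIPS = {AD_MEMBERSHIPS[0]}  # only Helpdesk is known to midPoint


def demo(ignore_case=False):
    """Run the emulation over the sample data and return (kept, removed)."""
    return reconcile_memberships(AD_MEMBERSHIPS, MIDPOINT_MEMBERSHIPS,
                                 tolerant=False, ignore_case=ignore_case)


if __name__ == "__main__":
    for mode in (False, True):
        kept, removed = demo(ignore_case=mode)
        print(f"ignore_case={mode}: kept={kept} removed={removed}")
```

With case-sensitive matching the lowercase DN inside the managed OU is wrongly tolerated and survives reconciliation; enabling case-insensitive matching (the `(?i)` flag in a Java regex) makes the pattern classify it as managed, so a pattern like this should be written to match the casing AD actually returns.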