<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello Nicolas,</p>
<p>it is implemented now (in master as well as in support-3.5).</p>
<p>You can try.</p>
<p>The tolerantValuePattern and intolerantValuePattern are matched
against the naming attribute of the associated object (i.e. usually
the group).<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
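<p>Added example, not part of the original message and not midPoint's own code: a simplified Python model of how a reconciliation with <tt>tolerant</tt> set to false treats group DNs when the tolerantValuePattern quoted further down this thread is matched against them. It assumes full-match regex semantics; the group names Ventas, Legacy and Temporal are constructed sample data.</p>

```python
import re

# Pattern exactly as posted in the thread: tolerate any DN that does NOT end
# with the managed OU (negative lookbehind anchored at the end of the string).
POSTED_PATTERN = r".*(?<!OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local)$"
# Variant with the inline (?i) flag (also accepted by Java's regex engine),
# because DNs compare case-insensitively in the directory.
CASE_INSENSITIVE_PATTERN = "(?i)" + POSTED_PATTERN

MANAGED_OU = "OU=Grupos_Seguridad,OU=Uninorte,DC=uninorte,DC=local"
# Constructed sample data. Ventas, Legacy and Temporal are made-up group names;
# the Identicum and Domain Admins DNs are the ones quoted in the thread.
VENTAS = "CN=Ventas," + MANAGED_OU
LEGACY = "CN=Legacy," + MANAGED_OU
TEMPORAL = "cn=Temporal," + MANAGED_OU.lower()  # same OU, returned in lower case
IDENTICUM = "cn=Identicum,cn=Users,dc=uninorte,dc=local"
DOMAIN_ADMINS = "CN=Domain Admins,DC=uninorte,DC=local"

RESOURCE_DNS = [VENTAS, LEGACY, TEMPORAL, IDENTICUM, DOMAIN_ADMINS]
MIDPOINT_DNS = [VENTAS]  # the only membership assigned in midPoint


def values_to_remove(resource_dns, midpoint_dns, tolerant, tolerant_value_pattern=None):
    """Return the memberships a reconciliation would delete (simplified model).

    Assumption: a value found only on the resource is kept when the association
    is tolerant or when the value fully matches tolerantValuePattern.
    """
    wanted = {dn.lower() for dn in midpoint_dns}
    removed = []
    for dn in resource_dns:
        if dn.lower() in wanted:
            continue  # membership is assigned in midPoint
        if tolerant:
            continue  # everything found on the resource is tolerated
        if tolerant_value_pattern and re.fullmatch(tolerant_value_pattern, dn):
            continue  # value matches the tolerant pattern
        removed.append(dn)
    return removed


def report():
    """Run the three configurations discussed in the thread on the sample data."""
    return {
        "no pattern": values_to_remove(RESOURCE_DNS, MIDPOINT_DNS, False),
        "posted pattern": values_to_remove(
            RESOURCE_DNS, MIDPOINT_DNS, False, POSTED_PATTERN),
        "case-insensitive": values_to_remove(
            RESOURCE_DNS, MIDPOINT_DNS, False, CASE_INSENSITIVE_PATTERN),
    }


if __name__ == "__main__":
    for label, removed in report().items():
        print(f"{label}:")
        for dn in removed or ["(nothing)"]:
            print("   ", dn)
```

<p>With the pattern as posted, the lower-case DN inside the managed OU is tolerated, so a membership midPoint never assigned survives reconciliation; the (?i) variant removes it along with Legacy while still leaving the groups outside the OU alone.</p>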
<div class="moz-cite-prefix">On 18.01.2017 14:10, Nicolas Rossi
wrote:<br>
</div>
<blockquote
cite="mid:CAAxX8ci8EYoOX76Onh5+MQ2x6OA=-Qo72-wvvzeMJNo6j0TeWg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
Pavol, have you talked with Radovan about this issue?</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regards,</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font
face="arial, helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54 (11) 4552-3050</font><br>
<font color="#999999"><a
moz-do-not-send="true"
href="http://www.identicum.com"
target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Sat, Jan 14, 2017 at 8:15 AM, Pavol
Mederly <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hello Nicolas,</p>
<p>yes, unfortunately - as I said - it is <i>not</i>
currently supported. (You can look at <tt>ReconciliationProcessor.<wbr>decideIfTolerate</tt>
vs <tt>decideIfTolerateAssociation</tt>.)</p>
<p>More details (but maybe not much, anyway) can be seen
by enabling TRACE logging for <tt>com.evolveum.midpoint.model.<wbr>impl.lens.projector.</tt><tt>Reconcilia<wbr>tionProcessor</tt>.
But that wouldn't help with associations, anyway. Only
with attributes.<br>
</p>
<p>Using the memberOf attribute might <i>probably</i> help.
But you would need to forget about managing that
attribute using associations, and return to managing its
values explicitly. (A step back into times of midPoint
2.x.) That would probably mean a lot of complications,
and I strongly do not recommend it.</p>
<p>Maybe the best way would be to wait for Radovan. He'll
be certainly able to tell what to do.<br>
</p>
<span class="">
<pre class="m_-2735851189275682983moz-signature" cols="72">Pavol Mederly
Software developer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span>
<div>
<div class="h5">
<div class="m_-2735851189275682983moz-cite-prefix">On
14.01.2017 11:59, Nicolas Rossi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
Pavol, I tried with that setting but it didn't
work. Here is my configuration:</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">
<div class="gmail_default">
<div class="gmail_default">&lt;association&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;c:ref&gt;ri:group&lt;/c:ref&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;displayName&gt;AD Group Membership&lt;/displayName&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;tolerant&gt;false&lt;/tolerant&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;<b>tolerantValuePattern</b>&gt;.*(?&lt;<wbr>!OU=Grupos_Seguridad,OU=<wbr>Uninorte,DC=uninorte,DC=local)<wbr>$&lt;/<b>tolerantValuePattern</b>&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;exclusiveStrong&gt;false&lt;/<wbr>exclusiveStrong&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;kind&gt;entitlement&lt;/kind&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;intent&gt;group&lt;/intent&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;direction&gt;objectToSubject&lt;/<wbr>direction&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;associationAttribute&gt;ri:<wbr>member&lt;/associationAttribute&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;valueAttribute&gt;ri:dn&lt;/<wbr>valueAttribute&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;shortcutAssociationAttribute&gt;<wbr>ri:memberOf&lt;/<wbr>shortcutAssociationAttribute&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;shortcutValueAttribute&gt;ri:dn&lt;<wbr>/shortcutValueAttribute&gt;</div>
<div class="gmail_default">&nbsp;&nbsp;&lt;explicitReferentialIntegrity&gt;<wbr>false&lt;/<wbr>explicitReferentialIntegrity&gt;</div>
<div class="gmail_default">&lt;/association&gt;</div>
</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">The regex matches
strings not ending with
"OU=Grupos_Seguridad,OU=<wbr>Uninorte,DC=uninorte,DC=local"
(groups outside our managed OU), expecting to
be tolerant with those values.</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">Does it work for
associations the same way it does for
attributes? Maybe I should create the
"memberOf" attribute and define the
tolerantValuePattern there.</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">Which log should I
enable to get more information about the
pattern evaluation?</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default">Best regards, </div>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div
class="m_-2735851189275682983gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font
face="arial,
helvetica,
sans-serif"><br>
<br>
<font
color="#444444">Ing
Nicolás Rossi</font><br>
<font
color="#999999">Identicum
S.A.</font><br>
<font
color="#999999">Jorge
Newbery 3226</font><br>
<font
color="#999999">Tel:
+54
(11) 4552-3050</font><br>
<font
color="#999999"><a
moz-do-not-send="true" href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Sat, Jan 14, 2017 at
7:22 AM, Pavol Mederly <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mederly@evolveum.com"
target="_blank">mederly@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Nicolas, Martin,</p>
<p>for attributes, there is the
tolerantValuePattern/intoleran<wbr>tValuePattern
property pair that could help.
Unfortunately, a similar mechanism for
associations is not implemented yet. I'm
afraid that neither baseContext nor
protected accounts are relevant means to
help in your case.</p>
<p>Maybe Radovan or someone with more
experience in this area could help you.<span
class="m_-2735851189275682983HOEnZb"><font
color="#888888"><br>
</font></span></p>
<span class="m_-2735851189275682983HOEnZb"><font
color="#888888">
<pre class="m_-2735851189275682983m_7460053561329814870moz-signature" cols="72">Pavol Mederly
Software developer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span>
<div>
<div class="m_-2735851189275682983h5">
<div
class="m_-2735851189275682983m_7460053561329814870moz-cite-prefix">On
14.01.2017 0:59, Martin Besozzi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">Hi,
All.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">Also
we changed the "<i>baseContext</i>"
definition in order to avoid the
groups outside the
"OU=Grupos_Seguridad,OU=Uninor<wbr>te,DC=uninorte,DC=local".</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>&lt;baseContext&gt;<br>
</i></div>
<div class="gmail_default">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>&nbsp;&nbsp;&lt;objectClass&gt;ri:organizationa<wbr>lUnit&lt;/objectClass&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>&nbsp;&nbsp;&lt;filter&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>&nbsp;&nbsp;&nbsp;&nbsp;&lt;q:equal&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;q:path&gt;attributes/dn&lt;/q:path&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;q:value&gt;OU=Grupos_Seguridad,O<wbr>U=Uninorte,DC=uninorte,DC=loca<wbr>l&lt;/q:value&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>&nbsp;&nbsp;&nbsp;&nbsp;&lt;/q:equal&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>&nbsp;&nbsp;&lt;/filter&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><i>&lt;/baseContext&gt;</i></div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif">But
the user shows the group
association "<i>cn=Identicum,cn=Users,dc=unin<wbr>orte,dc=local</i>"
which is outside the base
context.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
<div class="gmail_default">
<div class="gmail_default"><font
face="arial, helvetica,
sans-serif">Do you have any
suggestion?</font></div>
<div class="gmail_default"><font
face="arial, helvetica,
sans-serif"><br>
</font></div>
<div class="gmail_default"><font
face="arial, helvetica,
sans-serif">Best regards</font></div>
</div>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><br>
</div>
</div>
<div class="gmail_extra"><br
clear="all">
<div>
<div
class="m_-2735851189275682983m_7460053561329814870gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div><font
face="arial,
helvetica,
sans-serif">Ing
Martin Besozzi</font></div>
<font face="arial,
helvetica,
sans-serif">Identicum
S.A.<br>
</font>
<div dir="ltr"><font
face="arial,
helvetica,
sans-serif">Jorge
Newbery 3226</font></div>
<div dir="ltr"><font
face="arial,
helvetica,
sans-serif">Tel:
+54 (11)
4552-3050</font></div>
<a
moz-do-not-send="true"
href="http://www.identicum.com" target="_blank"><font face="arial,
helvetica,
sans-serif">www.identicum.com</font></a><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Fri, Jan
13, 2017 at 7:41 PM, Nicolas Rossi
<span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:nrossi@identicum.com"
target="_blank">nrossi@identicum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, I have a working AD
LDAP resource. The group
association has the tolerant
flag set to false. So when I
reconcile the user, it
removes the user's group
memberships found in AD and
not in midPoint. I'd like to
apply a filter there because
midPoint only sees groups
under a specific
organizational unit. So when
the user has groups outside
this OU they are also
removed.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
tried with a baseContext
definition under the
schemaHandling and protected
definition but nothing
worked.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Here
are some examples of
protected configurations I
have tried:</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default">
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&lt;protected&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&lt;filter&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&lt;not&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;q:substring&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;q:matching&gt;stringIgnoreCase&lt;/<wbr>q:matching&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;q:path&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;declare namespace icfs="<a moz-do-not-send="true" href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" target="_blank">http://midpoint.evolveum<wbr>.com/xml/ns/public/connector/i<wbr>cf-1/resource-schema-3</a>";</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;attributes/icfs:name</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/q:path&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;q:value&gt;OU=Grupos_Seguridad,O<wbr>U=Uninorte,DC=uninorte,DC=loca<wbr>l&lt;/q:value&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;q:anchorEnd&gt;true&lt;/q:anchorEnd<wbr>&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/q:substring&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&lt;/not&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&lt;/filter&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&lt;/protected&gt;</font></div>
<div class="gmail_default"><font
face="monospace,
monospace"
color="#444444"><br>
</font></div>
<div class="gmail_default"><font
face="arial, helvetica,
sans-serif"
color="#444444">The
above example tries to
match any groups not
ending with the managed
OU.</font></div>
<div class="gmail_default"><font
face="monospace,
monospace"
color="#444444"><br>
</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&lt;protected&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&lt;filter&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&lt;q:equal&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;path&gt;ri:dn&lt;/path&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;value&gt;CN=Domain Admins,DC=uninorte,DC=local&lt;/v<wbr>alue&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&nbsp;&nbsp;&lt;/q:equal&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&nbsp;&nbsp;&lt;/filter&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace" color="#444444">&lt;/protected&gt;</font></div>
</div>
<div>
<div
class="m_-2735851189275682983m_7460053561329814870m_924213204947202457gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div dir="ltr"><font
face="arial,
helvetica,
sans-serif">
<div
class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">This
tries to match a
specific
group.</div>
</font></div>
<div dir="ltr"><font
face="arial,
helvetica,
sans-serif">
<div
class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline"><br>
</div>
</font></div>
<div dir="ltr"><font
face="arial,
helvetica,
sans-serif">
<div
class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">Do
you have any
suggestion?</div>
</font></div>
<div dir="ltr"><font
face="arial,
helvetica,
sans-serif"><font
color="#444444"><br>
</font></font></div>
<div dir="ltr"><font
face="arial,
helvetica,
sans-serif"><font
color="#444444">
<div
class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline">Best
regards,</div>
</font></font></div>
<div dir="ltr"><font
face="arial,
helvetica,
sans-serif"><font
color="#444444">
<div
class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68);display:inline"></div>
<br>
</font><br>
<font
color="#444444">Ing
Nicolás Rossi</font><br>
<font
color="#999999">Identicum
S.A.</font><br>
<font
color="#999999">Jorge
Newbery 3226</font><br>
<font
color="#999999">Tel:
+54
(11) 4552-3050</font><br>
<font
color="#999999"><a
moz-do-not-send="true" href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com"
target="_blank">midPoint@lists.evolveum.com</a><br>
<a moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
rel="noreferrer"
target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</body></html>