grouper-users - Re: [grouper-users] Questions about LDAPPC-NG

List: Grouper Users - Open Discussion List (grouper-users)

  • From: Tom Zeller
  • To: Colin Hudler
  • Subject: Re: [grouper-users] Questions about LDAPPC-NG
  • Date: Wed, 30 Jun 2010 09:46:55 -0500

Please see responses inline.

> Greetings,
>
> Please help me understand a couple of things about ldappcng's intended
> operation.  I have it producing reasonable SPML output when I run -calc or
> -diff against either an -entityName "group" or "member", if I specify one
> subjectid or groupname on the command line.
>
> I want to specify a grouper queryFilter (group-attributes) which returns the
> groups selected for provisioning.  We do not provision all of our groups,
> and some groups go to different destinations (LDAP, AD).  Even the
> provisioning is delegated from the wheel admins to the more local admins'
> control (AD admin can assign provisioning attributes to a group, for
> example).
>
> Is there a way to make it work that way?  Alternatively, how could I run one
> instance of ldappcng for a select number of groups?  I also can appreciate
> if the answer is that I should change my way of thinking entirely.

The groups selected for provisioning are controlled by the GroupFilter
element of the GroupDataConnector in ldappc-resolver.xml. By default,
there is no filter so all groups are provisioned.

The syntax for <GroupFilter> mimics grouper-WS. There are some details
(scroll down to Group Filters) on

https://spaces.internet2.edu/display/GrouperWG/Grouper+and+Shibboleth+Integration

Currently, there are filters for ExactAttribute, StemName, and And,
Or, and Minus operations.

This is probably one of the biggest hacks in provisioning with the
attribute resolver: when you do any -bulk* operation, the
DataConnectors return all objects which match their GroupFilter.

> Three other minor questions:
> 1. Does the "diff" option operate the same as "sync", but without writing to
> the targets?

Yes.

> 2. What are the -return options returning (what does that mean)?

These match the SPMLv2 returnData types which define provisioned
object scope, in other words, they allow for partial object
provisioning.

Specifying -returnIdentifier ignores everything but object
identifiers, -returnData includes identifiers and attributes,
-returnEverything includes identifiers, attributes, and references to
identifiers of other objects. So, if you just want to provision a
group and its attributes with no members, use -returnData. The default
is -returnEverything. Make sense ?

From the SPMLv2 spec:

ReturnData. An <addRequest> MAY have a “returnData” attribute that
tells the provider which types of data to include in the provider’s
response.

  • A requestor that wants the provider to return nothing of the added
    object MUST specify “returnData=’nothing’”.
  • A requestor that wants the provider to return only the identifier of
    the added object MUST specify “returnData=’identifier’”.
  • A requestor that wants the provider to return the identifier of the
    added object plus the XML representation of the object (as defined in
    the schema of the target) MUST specify “returnData=’data’”.
  • A requestor that wants the provider to return the identifier of the
    added object plus the XML representation of the object (as defined in
    the schema of the target) plus any capability-specific data that is
    associated with the object MAY specify “returnData=’everything’” or
    MAY omit the “returnData” attribute (since “returnData=’everything’”
    is the default).

> 3. Is it by design that group and member objects are provisioned
> independently?  i.e. is it necessary to run one ldappcng instance
> per object?

Hmm, no. The -entityName is optional, and if not specified should
provision all objects, that is, unless I've made an error.

> The tool shows great promise and wasn't difficult to get started, so thanks
> for writing it.  I will probably have more questions, especially when I try
> to make it understand looking up and including users from an external AD
> forest.
>

Great, thanks for helping improve the documentation by asking for it :-)

TomZ
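The two mechanisms the reply describes, group selection through a GroupFilter (ExactAttribute, StemName, And, Or, Minus) and object scope through the SPMLv2 returnData levels, as an added executable model. This is example code written for this page, not ldappcng's or Grouper's own code: the group record layout, the attribute names, the `provisionTo` attribute, and the ONE/SUB stem-scope values are assumptions for illustration, and the sample groups are constructed.

```python
# Added example (not ldappcng's own code): a small executable model of the
# two mechanisms the reply describes.  Filters of the kinds named for
# <GroupFilter> (ExactAttribute, StemName, And, Or, Minus) are evaluated
# over constructed Grouper-style group records, and the SPMLv2 returnData
# levels (identifier / data / everything) are applied to a selected group
# so that 'data' yields the group with attributes but no members.
# Record layout, attribute names, and the ONE/SUB stem scope values are
# assumptions for illustration, not Grouper identifiers.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Group:
    name: str                                  # stem-qualified, e.g. "edu:app:foo"
    attributes: dict = field(default_factory=dict)
    members: frozenset = frozenset()


# --- group selection: each filter is a predicate Group -> bool --------------

def exact_attribute(attr, value):
    """Groups carrying attribute `attr` with exactly `value`."""
    return lambda g: g.attributes.get(attr) == value


def stem_name(stem, scope="SUB"):
    """Groups under `stem`: ONE = direct children only, SUB = any depth."""
    def match(g):
        if scope == "ONE":
            return g.name.rpartition(":")[0] == stem
        return g.name.startswith(stem + ":")
    return match


def and_(*filters):
    return lambda g: all(f(g) for f in filters)


def or_(*filters):
    return lambda g: any(f(g) for f in filters)


def minus(keep, drop):
    """Groups matching `keep` that do not also match `drop`."""
    return lambda g: keep(g) and not drop(g)


def select(groups, group_filter):
    """The -bulk* behaviour from the reply: every group matching the filter."""
    return sorted(g.name for g in groups if group_filter(g))


# --- object scope: SPMLv2 returnData applied to one provisioned group -------

def provision_view(group, return_data="everything"):
    """Return the part of `group` a provider would emit for this returnData."""
    if return_data == "nothing":
        return {}
    view = {"identifier": group.name}
    if return_data in ("data", "everything"):
        view["attributes"] = dict(group.attributes)
    if return_data == "everything":
        # capability-specific data: references to other objects' identifiers
        view["members"] = sorted(group.members)
    return view


# Constructed sample data (not from any real deployment).
GROUPS = [
    Group("edu:app:ldap-users", {"provisionTo": "ldap"}, frozenset({"alice", "bob"})),
    Group("edu:app:ad-admins", {"provisionTo": "ad"}, frozenset({"carol"})),
    Group("edu:app:deep:archive", {"provisionTo": "ldap"}),
    Group("edu:etc:sysadmin", {}, frozenset({"alice"})),
]


def ldap_only():
    """Everything under edu:app except groups the AD admin has claimed."""
    return select(GROUPS, minus(stem_name("edu:app"),
                                exact_attribute("provisionTo", "ad")))


if __name__ == "__main__":
    print(ldap_only())
    print(select(GROUPS, and_(stem_name("edu:app", "ONE"),
                              exact_attribute("provisionTo", "ldap"))))
    print(provision_view(GROUPS[0], "data"))
    print(provision_view(GROUPS[0]))
```

The Minus combination is the one that answers the delegation question in the thread: a wide StemName filter selects the candidate groups, and an ExactAttribute filter that local admins can set removes the ones destined for another target, so two ldappcng instances with complementary filters can cover LDAP and AD without either provisioning the whole group tree. The `provision_view` function shows why `-returnData` gives a group and its attributes with no members, while the default `-returnEverything` also carries the member references.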