grouper-users - Re: [grouper-users] Provision groups with different rules

Subject: Grouper Users - Open Discussion List

  • From: Tom Zeller <>
  • To: Francesco Malvezzi <>
  • Cc:
  • Subject: Re: [grouper-users] Provision groups with different rules
  • Date: Wed, 1 Dec 2010 21:54:41 -0600

Possible, but not elegant. Please let me know if you are successful or not.

In ldappc-resolver.xml, define GroupDataConnectors which filter by
stem. Each GroupDataConnector needs a unique "id", and the "name"
attribute of the <GroupFilter/> should be the name of the parent stem
:

<resolver:DataConnector id="PlainGroupDataConnector"
    xsi:type="grouper:GroupDataConnector">
  <grouper:GroupFilter xsi:type="grouper:StemName" name="PlainStem"
      scope="SUB" />
  <grouper:Attribute id="members" />
  <grouper:Attribute id="groups" />
</resolver:DataConnector>

<resolver:DataConnector id="PosixGroupDataConnector"
    xsi:type="grouper:GroupDataConnector">
  <grouper:GroupFilter xsi:type="grouper:StemName" name="PosixStem"
      scope="SUB" />
  <grouper:Attribute id="members" />
  <grouper:Attribute id="groups" />
</resolver:DataConnector>

Also in ldappcng-resolver.xml, define a dn attribute for each type of
group, dependent upon the appropriate GroupDataConnector :

<resolver:AttributeDefinition id="group-dn-posix"
    xsi:type="ldappc:LdapDnPSOIdentifier"
    structure="${DNstructure}" sourceAttributeID="name"
    rdnAttributeName="cn" base="ou=posixGroups,dc=unimore,dc=it">
  <resolver:Dependency ref="PosixGroupDataConnector" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="group-dn-plain"
    xsi:type="ldappc:LdapDnPSOIdentifier"
    structure="${DNstructure}" sourceAttributeID="name"
    rdnAttributeName="cn" base="ou=plainGroups,dc=unimore,dc=it">
  <resolver:Dependency ref="PlainGroupDataConnector" />
</resolver:AttributeDefinition>

In the above example, I provisioned each group type to a different ou,
but this is optional.

Again in ldappc-resolver.xml, the objectclass attribute for each type
of group should be defined uniquely :

<resolver:DataConnector id="StaticDataConnector" xsi:type="dc:Static">
  <dc:Attribute id="group-posix-objectclass">
    <dc:Value>top</dc:Value>
    <dc:Value>posixGroup</dc:Value>
    <dc:Value>eduMember</dc:Value>
  </dc:Attribute>
  <dc:Attribute id="group-plain-objectclass">
    <dc:Value>top</dc:Value>
    <dc:Value>groupOfNames</dc:Value>
    <dc:Value>eduMember</dc:Value>
  </dc:Attribute>
</resolver:DataConnector>

In the ldappcng configuration, ldappcng.xml, reference the appropriate
AttributeDefinitions (in ldappc-resolver.xml) in the <identifier/> of
each group type and in the "objectClass" <attribute/> :

<object id="posix_group" authoritative="true">
  <identifier ref="group-dn-posix" baseId="ou=posixGroups,dc=unimore,dc=it">
    <identifyingAttribute name="objectClass" value="posixGroup" />
  </identifier>
  <attribute name="objectClass" ref="group-posix-objectclass" />
  ...

<object id="plain_group" authoritative="true">
  <identifier ref="group-dn-plain" baseId="ou=plainGroups,dc=unimore,dc=it">
    <identifyingAttribute name="objectClass" value="groupOfNames" />
  </identifier>
  <attribute name="objectClass" ref="group-plain-objectclass" />
  ...

Note that each group <object/> has a different
<identifyingAttribute/>. The <identifyingAttribute/> maps an ldap entry
to an ldappcng <object/>, in this case, by the "posixGroup" or
"groupOfNames" value of the "objectClass" ldap attribute. It is
critical that only posix_groups have the posixGroup objectClass value,
and that only plain_groups have the groupOfNames objectClass value.


What did you do for gidNumber ? e.g.

<resolver:AttributeDefinition id="gidNumber" xsi:type="ad:Simple"
    sourceAttributeID="gidNumber?">
  <resolver:Dependency ref="GroupDataConnector" />
</resolver:AttributeDefinition>

Hope this helps,
TomZ

On Wed, Dec 1, 2010 at 2:54 AM, Francesco Malvezzi
<>
wrote:
> Hi all,
>
> I would like to provision differently groups to ldap according to their
> intended usage. Some groups are to be used as posixGroup, so they do
> need gidNumber attributes, other are plain group or administrative
> groups like etc:sysadmingroup.
>
> These groups can be held in different stems, and if this helps, also in
> different ou in ldap (while if it is possible I would avoid it).
>
> How I configure ldappcng to use different rules for different stems?
>
> It looks to me that ldappcng.xml defines just one type of group.
> Actually I could define more, but next come the question: how to
> instruct ldappcng to use
>
> <object id="posix_group" authoritative="true">
>      <identifier ref="group-dn" baseId="${groupsOU}">
>        <identifyingAttribute name="objectClass"
> value="${groupObjectClass}" />
>      </identifier>
>      <attribute name="objectClass" ref="group-objectclass-eduMember" />
>      <attribute name="cn" />
>      <attribute name="description" />
>      <attribute name="gidNumber" />
>      <attribute name="isMemberOf" ref="groupIsMemberOf" />
>      <attribute name="memberUid" ref="hasMember" />
>      <attribute name="hasMember" ref="hasMember" />
>      <references name="member" emptyValue="" >
>        <reference ref="members-jdbc" toObject="member" />
>        <reference ref="members-g:gsa" toObject="group" />
>      </references>
>    </object>
> or
>
> <object id="plain_group" authoritative="true">
>      <identifier ref="group-dn" baseId="${groupsOU}">
>        <identifyingAttribute name="objectClass"
> value="${groupObjectClass}" />
>      </identifier>
>      <attribute name="objectClass" ref="group-plain-objectclass" />
>      <attribute name="cn" />
>      <attribute name="description" />
>      <attribute name="isMemberOf" ref="groupIsMemberOf" />
>      <attribute name="memberUid" ref="hasMember" />
>      <attribute name="hasMember" ref="hasMember" />
>      <references name="member" emptyValue="" >
>        <reference ref="members-jdbc" toObject="member" />
>        <reference ref="members-g:gsa" toObject="group" />
>      </references>
>    </object>
>
> (objectClass and the presence of gidNumber is different)?
>
> What I'm missing? Thank you in advance,
>
> Francesco
>
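The reply hinges on two invariants: each ldappcng <object/> must carry a selector (baseId plus identifyingAttribute) that no other <object/> can also satisfy, and no LDAP group entry may carry both the posixGroup and the groupOfNames value. The following audit script is an added example, written for this archive page; it is not code from Tom Zeller, Francesco Malvezzi, or the Grouper/ldappcng distribution. It builds constructed ldappcng.xml fragments for the three layouts discussed in the thread (separate ou per group type, a shared ou with distinct objectClass selectors, and the original question's pattern of one shared selector value), checks them against each other, and then runs constructed LDAP entries through an assumed matching rule (an entry is claimed by an <object/> when its DN sits under the identifier's baseId and it carries every identifyingAttribute value). That rule is this example's model of ldappcng, not the project's source; the entries and DNs are invented sample data.

```python
"""Audit ldappcng <object/> selectors and the LDAP group entries they claim."""
import xml.etree.ElementTree as ET


def ldappcng_fragment(objects):
    """Constructed ldappcng.xml with only the <identifier/> part of each <object/>;
    objects are (object id, identifier baseId, objectClass selector value) triples."""
    parts = ["<ldappcng>"]
    for obj_id, base, oc in objects:
        parts.append(
            f'<object id="{obj_id}" authoritative="true">'
            f'<identifier ref="group-dn-{obj_id}" baseId="{base}">'
            f'<identifyingAttribute name="objectClass" value="{oc}" />'
            "</identifier></object>"
        )
    parts.append("</ldappcng>")
    return "\n".join(parts)


DOMAIN = "dc=unimore,dc=it"
# Layout from the reply: separate ou and distinct objectClass per group type.
SEPARATE_OU = ldappcng_fragment([
    ("posix_group", f"ou=posixGroups,{DOMAIN}", "posixGroup"),
    ("plain_group", f"ou=plainGroups,{DOMAIN}", "groupOfNames"),
])
# Shared ou (the questioner's preference), still distinct objectClass values.
SHARED_OU = ldappcng_fragment([
    ("posix_group", f"ou=groups,{DOMAIN}", "posixGroup"),
    ("plain_group", f"ou=groups,{DOMAIN}", "groupOfNames"),
])
# Pattern of the original question: both objects keyed on one shared value
# (assumed here to resolve to eduMember).
SAME_SELECTOR = ldappcng_fragment([
    ("posix_group", f"ou=groups,{DOMAIN}", "eduMember"),
    ("plain_group", f"ou=groups,{DOMAIN}", "eduMember"),
])


def parse_selectors(xml_text):
    """Map object id -> (baseId, frozenset of (attr, value)), all lower-cased."""
    selectors = {}
    for obj in ET.fromstring(xml_text).iter("object"):
        ident = obj.find("identifier")
        attrs = frozenset((ia.get("name").lower(), ia.get("value").lower())
                          for ia in ident.findall("identifyingAttribute"))
        selectors[obj.get("id")] = (ident.get("baseId", "").lower(), attrs)
    return selectors


def _nested(base_a, base_b):
    return base_a == base_b or base_a.endswith("," + base_b) or base_b.endswith("," + base_a)


def selector_conflicts(selectors):
    """Object id pairs the config alone cannot tell apart: one baseId lies under the
    other and one identifyingAttribute set is a subset of the other (assumed rule:
    an entry is claimed when its DN is under baseId and it carries every value)."""
    ids = sorted(selectors)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if _nested(selectors[a][0], selectors[b][0])
            and (selectors[a][1] <= selectors[b][1] or selectors[b][1] <= selectors[a][1])]


def _values(entry):
    return {k.lower(): {v.lower() for v in vals} for k, vals in entry.items() if k != "dn"}


def _carries(values, attrs):
    return all(v in values.get(n, set()) for n, v in attrs)


def classify_entry(entry, selectors):
    """Sorted object ids claiming an entry given as {"dn": ..., attr: [values]}."""
    dn, vals = entry["dn"].lower(), _values(entry)
    return sorted(oid for oid, (base, attrs) in selectors.items()
                  if dn.endswith("," + base) and _carries(vals, attrs))


def audit_entries(entries, selectors):
    """(ambiguous, unclaimed, overlapping) DNs: claimed by >1 object, by none, or
    carrying more than one object's identifying values wherever they sit. The last
    is the invariant the reply calls critical; separate ous hide it from the DN check."""
    ambiguous, unclaimed, overlapping = [], [], []
    for e in entries:
        n = len(classify_entry(e, selectors))
        if n > 1:
            ambiguous.append(e["dn"])
        elif n == 0:
            unclaimed.append(e["dn"])
        if sum(_carries(_values(e), attrs) for _, attrs in selectors.values()) > 1:
            overlapping.append(e["dn"])
    return ambiguous, unclaimed, overlapping


def sample_entries(posix_base, plain_base):
    """Constructed LDAP entries (not real directory data) as {"dn": ..., attr: [values]}."""
    return [
        {"dn": f"cn=wheel,{posix_base}", "gidNumber": ["1000"],
         "objectClass": ["top", "posixGroup", "eduMember"]},
        {"dn": f"cn=editors,{plain_base}", "objectClass": ["top", "groupOfNames", "eduMember"]},
        # Breaks the rule in the reply: carries both selector values.
        {"dn": f"cn=mixed,{posix_base}",
         "objectClass": ["top", "posixGroup", "groupOfNames", "eduMember"]},
    ]
```

Run `selector_conflicts(parse_selectors(...))` over a real ldappcng.xml (after resolving its `${...}` placeholders) to catch the original question's configuration, where both objects would be keyed on the same baseId and objectClass value; the shared-ou layout passes that check as long as the two objectClass values differ. Feed `audit_entries()` with entries exported from the directory (for instance parsed from an ldapsearch LDIF dump) to find groups that carry both posixGroup and groupOfNames: with a shared ou such an entry is claimed by both objects, and with separate ous it is claimed by one of them while still violating the invariant, which is why the overlap check runs independently of the DN.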


