
grouper-users - Re: [grouper-users] ldappcng : modify the format attribute

Subject: Grouper Users - Open Discussion List

  • From: Tom Zeller <>
  • To: Wallaert-Taquet Brigitte <>
  • Cc:
  • Subject: Re: [grouper-users] ldappcng : modify the format attribute
  • Date: Thu, 14 Jul 2011 15:40:23 -0500

The purpose of ldappcng.xml is to map target (ldap) attributes to
attribute definitions from a Shibboleth attribute resolver
configuration (ldappc-resolver.xml).

In ldappcng.xml, <ldappc:attribute name=X ref=Y /> returns an (ldap)
attribute with name X and values from <resolver:AttributeDefinition
id=Y /> in ldappc-resolver.xml.

So

ldappcng.xml :
<ldappc:attribute name="members" ref="member" />

ldappc-resolver.xml :
<resolver:AttributeDefinition id="member" xsi:type="ad:Simple"
sourceAttributeID="members:immediate">
<resolver:Dependency ref="GroupDataConnector" />
</resolver:AttributeDefinition>

produces

<dsml:attr name='members' ...>
<dsml:value>'jayet'/'person'/'lille1:ldap'</dsml:value>
<dsml:value>'verdier'/'person'/'lille1:ldap'</dsml:value>
</dsml:attr>

where 'jayet'/'person'/'lille1:ldap' is the string representation of a
subject who is a member (an immediate member of the default "members"
list) of the group being provisioned.

In ldappcng.xml, a <reference /> is similar to an <attribute /> in
that values are derived from an <AttributeDefinition /> in
ldappc-resolver.xml; however, the values are resolved into
identifiers.

So, you will want something like

ldappcng.xml :
<references name="member" emptyValue="" >
<reference ref="members-lille1:ldap" toObject="member" />
</references>

ldappc-resolver.xml :
<resolver:AttributeDefinition id="members-lille1:ldap"
xsi:type="grouper:Member" sourceAttributeID="members:immediate">
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="id" source="lille1:ldap" />
</resolver:AttributeDefinition>

which resolves members into identifiers. The <AttributeDefinition
id="members-lille1:ldap" /> returns the subject "id" attribute (your
ldap uid, e.g. 'jayet') of every immediate member from the
"lille1:ldap" source of the default "members" list.

You should have a "member" object in ldappcng.xml :

ldappcng.xml :
<object id="member">
<identifier ref="member-dn" baseId="ou=people,dc=univ-lille1,dc=fr">
<identifyingAttribute name="objectclass" value="person" />
</identifier>
</object>

which refers to a "member-dn" attribute definition in
ldappc-resolver.xml, which performs an ldap lookup via an
SPMLDataConnector :

ldappc-resolver.xml :
<resolver:AttributeDefinition id="member-dn" xsi:type="ad:Simple"
sourceAttributeID="psoID">
<resolver:Dependency ref="SpmlDataConnector" />
</resolver:AttributeDefinition>

<resolver:DataConnector id="SpmlDataConnector"
provider="ldap-provider" xsi:type="ldappc:SPMLDataConnector"
scope="subTree" base="ou=people,dc=univ-lille1,dc=fr"
returnData="identifier">
<resolver:Dependency ref="MemberDataConnector" />
<ldappc:FilterTemplate>(uid=${id.get(0)})</ldappc:FilterTemplate>
</resolver:DataConnector>

So, the <AttributeDefinition id="members-lille1:ldap" /> returns
'jayet', for which an ldap search is performed (with the filter
"uid=jayet"), and the resultant identifier
'uid=jayet,ou=people,dc=univ-lille1,dc=fr' is returned as the value of
<AttributeDefinition id="member-dn" />. This becomes the identifier of
<object id="member" />, which becomes a value of <references
name="members" />.

Now, let us look at

ldappcng.xml :
<attribute name="supannGroupeAdminDN" ref="admin" />

ldappc-resolver.xml :
<resolver:AttributeDefinition id="admin" xsi:type="ad:Simple"
sourceAttributeID="members:immediate:supannGroupeAdminDN">
<resolver:Dependency ref="GroupDataConnector" />
</resolver:AttributeDefinition>

I assume that you want an ldap attribute like

supannGroupeAdminDN: uid=jayet,ou=people,dc=univ-lille1,dc=fr

To do this, you will need something like

ldappcng.xml :
<references name="supannGroupeAdminDN" emptyValue="" >
<reference ref="admin" toObject="member" />
</references>

ldappc-resolver.xml :
<resolver:AttributeDefinition id="admin" xsi:type="grouper:Member"
sourceAttributeID="members:immediate:supannGroupeAdminDN">
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="id" source="lille1:ldap" />
</resolver:AttributeDefinition>

I hope this helps. There are other configurations that will work.

Let us know if you are successful, or not.

TomZ
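
The resolution chain described in this message (subject string, then id from one source, then the uid filter, then the entry DN), modelled as an added Python example that is not part of the original message and is not Grouper code. The in-memory DIRECTORY, the function names and the RFC 4515 escaping step are assumptions; the message does not say how ldappcng treats special characters in the substituted id.

```python
import re

BASE = "ou=people,dc=univ-lille1,dc=fr"
# Constructed stand-in for the LDAP server: uid -> DN (values from the message).
DIRECTORY = {"jayet": "uid=jayet," + BASE, "verdier": "uid=verdier," + BASE}
# Subject string as shown in the message: 'id'/'type'/'source'
# (reading the middle field as the subject type is an assumption).
SUBJECT_RE = re.compile(r"^'([^']*)'/'([^']*)'/'([^']*)'$")
# RFC 4515 characters that must be escaped inside a filter assertion value.
RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def member_ids(subjects, source):
    """Model of the grouper:Member definition: 'id' of members from one source."""
    ids = []
    for text in subjects:
        m = SUBJECT_RE.match(text)
        if m and m.group(3) == source:
            ids.append(m.group(1))
    return ids

def build_filter(subject_id):
    """Model of the FilterTemplate (uid=${id.get(0)}); escaping is an assumption."""
    return "(uid=%s)" % "".join(RFC4515.get(ch, ch) for ch in subject_id)

def search(ldap_filter):
    """Toy exact-match search on uid; a real server would evaluate the filter."""
    raw = ldap_filter[len("(uid="):-1]
    uid = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return DIRECTORY.get(uid)

def resolve_references(subjects, source):
    """Return (DNs for the references attribute, ids with no matching entry)."""
    dns, unresolved = [], []
    for subject_id in member_ids(subjects, source):
        dn = search(build_filter(subject_id))
        if dn:
            dns.append(dn)
        else:
            unresolved.append(subject_id)
    return dns, unresolved

if __name__ == "__main__":
    sample = ["'jayet'/'person'/'lille1:ldap'", "'verdier'/'person'/'lille1:ldap'"]
    print(resolve_references(sample, "lille1:ldap"))
```

Ids that resolve to no entry are returned separately so a provisioning run can report them instead of silently dropping a member.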

On Wed, Jul 13, 2011 at 2:52 AM, Wallaert-Taquet Brigitte wrote:
> Hello,
>
> Here is my sources.xml
>
> Yes, I use only ldap source for my group members.
>
> Thanks for your help.
>
> Regards
> On 12/07/2011 21:45, Tom Zeller wrote:
>>
>> Could you attach a copy of sources.xml (omitting any passwords) please ?
>>
>> I assume you are using an ldap source for group members, is that correct ?
>>
>> On Tue, Jul 12, 2011 at 12:12 PM, Wallaert-Taquet Brigitte wrote:
>>>
>>> Hello,
>>>
>>> I want to obtain this with my ldappcng but I don't find how :
>>>
>>>    my attributes are a simple attribute "ustlPresident" or "owner" for
>>> example or is the default list members and also a custom list
>>> "supannGroupeAdminDN". I would like that ldappcng do that :
>>> For example : in Grouper, members = jayet, verdier
>>>               in ldap : member = uid=jayet,ou=people,dc=univ-lille1,dc=fr
>>>                                  uid=verdier,ou=people,dc=univ-lille1,dc=fr
>>>
>>> At the moment, I obtain this :
>>> <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name='members'>
>>> <dsml:value>'jayet'/'person'/'lille1:ldap'</dsml:value>
>>> <dsml:value>'verdier'/'person'/'lille1:ldap'</dsml:value>
>>> </dsml:attr>
>>>
>>> Here is part of my ldappc-resolver.xml and ldappcng.xml :
>>> ------ ldappcng.xml ------------
>>> <object id="group" authoritative="false">
>>> <identifier ref="group-dn" baseId="${groupsOU}">
>>> <identifyingAttribute name="objectClass" value="${groupObjectClass}" />
>>> </identifier>
>>> <attribute name="objectClass" />
>>> <attribute name="cn" />
>>> <attribute name="description" />
>>> <attribute name="owner" />
>>> <attribute name="ustlPresident" />
>>> <attribute name="supannGroupeDateFin" />
>>> <attribute name="members" ref="member" />
>>> <attribute name="supannGroupeAdminDN" ref="admin" />
>>> </object>
>>>
>>> ----------- ldappc-resolver.xml --------------------
>>> <resolver:AttributeDefinition id="owner" xsi:type="ad:Simple"
>>> sourceAttributeID="owner">
>>> <resolver:Dependency ref="GroupDataConnector" />
>>> </resolver:AttributeDefinition>
>>>
>>> <resolver:AttributeDefinition id="ustlPresident" xsi:type="ad:Simple"
>>> sourceAttributeID="ustlPresident">
>>> <resolver:Dependency ref="GroupDataConnector" />
>>> </resolver:AttributeDefinition>
>>>
>>> <resolver:AttributeDefinition id="member" xsi:type="ad:Simple"
>>> sourceAttributeID="members:immediate">
>>> <resolver:Dependency ref="GroupDataConnector" />
>>> </resolver:AttributeDefinition>
>>>
>>> <resolver:AttributeDefinition id="admin" xsi:type="ad:Simple"
>>> sourceAttributeID="members:immediate:supannGroupeAdminDN">
>>> <resolver:Dependency ref="GroupDataConnector" />
>>> </resolver:AttributeDefinition>
>>>
>>> Anyone could help me ?
>>> Thank you.
>>>
>>> Note: Excuse me for my poor English...
>>>
>>> Regards
>>>
>>> --
>>> Brigitte Wallaert-Taquet
>>> Ingénieure d'études
>>> Chargée d'étude
>>> Espace collaboratif de Documents
>>> Université Lille1
>>> Sciences et Technologies
>>>
>>>
>>>
>>>
>>>
>
>
> --
> Brigitte Wallaert-Taquet
> Ingénieure d'études
> Chargée d'étude
> Espace collaboratif de Documents
> Université Lille1
> Sciences et Technologies
>
>


