Skip to Content.
Sympa Menu

grouper-users - [grouper-users] PSP Configuration - JDBC subject source

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] PSP Configuration - JDBC subject source


Chronological Thread 
  • From: Richard James <>
  • To: "" <>
  • Subject: [grouper-users] PSP Configuration - JDBC subject source
  • Date: Tue, 17 Dec 2013 15:24:52 +0000
  • Accept-language: en-GB, en-US

Hi,

I am in the process of setting up PSP version 2.1.5 for our Grouper install. As a proof of concept I have successfully set this up so that it provisions groups to our active directory using the active directory as our subject source in a development environment.  

Our production grouper uses JDBC as the subject source and therefore I need to configure PSP to use the jdbc source for retrieving members from groups and provisioning the memberships into the AD. Unfortunately I haven't managed to get this working successfully so far. 

I was not entirely sure how to achieve this and therefore have tried a few changes to the configuration. Up until now, we have been getting a memberDn source attribute could not be resolved.

 I presumed that this was due to it not being able to retrieve a dn/cn for the member. I therefore added the following in (based upon the configuration for openldap-multiple);

 <resolver:AttributeDefinition
    id="memberDn"
    xsi:type="psp:PSOIdentifier"
    sourceAttributeID="cn">
    <resolver:Dependency ref="LDAPMemberPersonLookup2" />
  </resolver:AttributeDefinition>

<resolver:DataConnector
    id="LDAPMemberPersonLookup2"
    xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://**.**.**.**:389"
    baseDN="${edu.internet2.middleware.psp.peopleBaseDn}"
    principal="${edu.vt.middleware.ldap.bindDn}"
    principalCredential="${edu.vt.middleware.ldap.bindCredential}"
    maxResultSize="1">
    <dc:FilterTemplate>
        <![CDATA[
            (&(uid=${requestContext.principalName})(objectclass=person))
        ]]>
    </dc:FilterTemplate>
  </resolver:DataConnector>


By adding this into the psp-resolver.xml file it is now able to resolve the source attribute for jdbc members. However when I come to run ./gsh.sh -psp -bulkSync the following error is displayed,

<psp:syncResponse status='failure' requestID='2013/12/17-14:57:55.416' error='customError'>
    <addResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='failure' requestID='2013/12/17-14:57:57.746' error='customError'>
      <errorMessage>[LDAP: error code 53 - 0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
_]</errorMessage>
    </addResponse>
    <errorMessage>[LDAP: error code 53 - 0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
_]</errorMessage>
    <psp:id ID='Applications:test:ISS_Auto_Dev_Baton_Rouge'/>
  </psp:syncResponse>
</psp:bulkSyncResponse>

Has anyone else set up PSP with JDBC as a source? Is this the correct way of going about it? If so, are we missing any further configuration.

Any help would be gratefully received. I've attached the psp.xml, psp-resolver.xml, sources.xml and the grouper_error.log for this Sync attempt.  

Many thanks,

Richard James
Infrastructure Systems Administrator
ISS Systems Architecture
Newcastle University
0191 2228638

m.ncl.ac.uk 
facebook.com/ITbytes
@NU_ITservice

Attachment: grouper_error.log
Description: grouper_error.log

<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
  xmlns="urn:mace:shibboleth:2.0:resolver"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
  xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
  xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
  xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
  xmlns:grouper="http://grouper.internet2.edu/shibboleth/2.0";
  xmlns:psp="http://grouper.internet2.edu/psp";
  xmlns:psp-grouper-ldap="http://grouper.internet2.edu/psp-grouper-ldap";
  xmlns:psp-grouper-changelog="http://grouper.internet2.edu/psp-grouper-changelog";
  xmlns:psp-grouper-source="http://grouper.internet2.edu/psp-grouper-source";
  xsi:schemaLocation="
   urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
   urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
   urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
   http://grouper.internet2.edu/shibboleth/2.0 classpath:/schema/shibboleth-2.0-grouper.xsd
   http://grouper.internet2.edu/psp classpath:/schema/psp.xsd
   http://grouper.internet2.edu/psp-grouper-ldap classpath:/schema/psp-grouper-ldap.xsd
   http://grouper.internet2.edu/psp-grouper-changelog classpath:/schema/psp-grouper-changelog.xsd
   http://grouper.internet2.edu/psp-grouper-source classpath:/schema/psp-grouper-source.xsd">

  <!-- Grouper data connectors. -->

  <!-- The GroupDataConnector returns attributes representing the group whose name is the principal name. The returned group 
    must be a child of the stem whose name is the edu.internet2.middleware.psp.baseStem property. Groups under the "etc" stem 
    are omitted. -->
  <resolver:DataConnector
    id="GroupDataConnector"
    xsi:type="grouper:GroupDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The GroupInStem filter matches groups which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="etc"
        scope="SUB" />
    </grouper:Filter>
    <!-- The "members" attribute values are equivalent to group.getMembers(). -->
    <grouper:Attribute id="members" />
    <!-- The "groups" attribute values are equivalent to group.getGroups(). -->
    <grouper:Attribute id="groups" />
  </resolver:DataConnector>

  <!-- The GroupWithoutMermbershipsDataConnector returns attributes representing the group whose name is the principal name. 
    The returned group must be a child of the stem whose name is the edu.internet2.middleware.psp.baseStem property. Groups under 
    the "etc" stem are omitted. No memberships (groups or members) should be returned by this data connector to improve performance 
    of identifier resolution. -->
  <resolver:DataConnector
    id="GroupWithoutMermbershipsDataConnector"
    xsi:type="grouper:GroupDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The GroupInStem filter matches groups which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="etc"
        scope="SUB" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The StemDataConnector returns attributes representing the stem whose name is the principal name. The returned stem 
    must be a child of the stem whose name is the edu.internet2.middleware.psp.baseStem property. The "etc" stem and all children 
    are omitted. -->
  <resolver:DataConnector
    id="StemDataConnector"
    xsi:type="grouper:StemDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The StemInStem filter matches stems which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:StemInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <!-- The OR filter matches stems which match either the first or second child filter. -->
      <grouper:Filter xsi:type="grouper:OR">
        <!-- The StemInStem filter matches stems which are children of the given stem. -->
        <grouper:Filter
          xsi:type="grouper:StemInStem"
          name="etc"
          scope="SUB" />
        <!-- The StemNameExact filter matches stems with the given name. -->
        <grouper:Filter
          xsi:type="grouper:StemNameExact"
          name="etc" />
      </grouper:Filter>
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The MemberDataConnector returns attributes representing the member whose subject id or identifier is the principal 
    name. -->
  <resolver:DataConnector
    id="MemberDataConnector"
    xsi:type="grouper:MemberDataConnector">
    <!-- Return members from the "ldap" source only. -->
    <grouper:Filter
      xsi:type="grouper:MemberSource"
      sourceId="jdbc"/>
    <!-- Return the "dn" attribute of members whose subject source id is "ldap". -->
    <!--grouper:Attribute
      id="dn"
      source="ldap" -->
<grouper:Attribute
      id="id"
      source="jdbc" />

  </resolver:DataConnector>




  <!-- Returns a single "groupNames" attribute whose values are the names of all groups matching the filter. The groups returned 
    are children of the stem whose name is the edu.internet2.middleware.psp.baseStem property. Groups under the "etc" stem are 
    omitted. -->
  <resolver:DataConnector
    id="AllGroupNamesConnector"
    xsi:type="psp-grouper-source:AllGroupNamesDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The GroupInStem filter matches groups which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="etc"
        scope="SUB" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The names of all groups matching the data connector filter. -->
  <resolver:AttributeDefinition
    id="groupNames"
    xsi:type="ad:Simple">
    <resolver:Dependency ref="AllGroupNamesConnector" />
  </resolver:AttributeDefinition>

  <!-- Returns a single "stemNames" attribute whose values are the names of all stems matching the filter. The stems returned 
    are children of the stem whose name is the edu.internet2.middleware.psp.baseStem property. The "etc" stem and all children 
    are omitted. -->
  <resolver:DataConnector
    id="AllStemNamesConnector"
    xsi:type="psp-grouper-source:AllStemNamesDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The StemInStem filter matches stems which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:StemInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <!-- The OR filter matches stems which match either the first or second child filter. -->
      <grouper:Filter xsi:type="grouper:OR">
        <!-- The StemInStem filter matches stems which are children of the given stem. -->
        <grouper:Filter
          xsi:type="grouper:StemInStem"
          name="etc"
          scope="SUB" />
        <!-- The StemNameExact filter matches stems with the given name. -->
        <grouper:Filter
          xsi:type="grouper:StemNameExact"
          name="etc" />
      </grouper:Filter>
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The names of all stems matching the data connector filter. -->
  <resolver:AttributeDefinition
    id="stemNames"
    xsi:type="ad:Simple">
    <resolver:Dependency ref="AllStemNamesConnector" />
  </resolver:AttributeDefinition>


  <!-- ChangeLogDataConnectors return attributes representing the change log entry whose sequence number is the principal 
    name. -->

  <!-- Returns change log attributes representing the deletion of a stem. -->
  <resolver:DataConnector
    id="DeleteStemChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter
      xsi:type="psp-grouper-changelog:ChangeLogEntry"
      category="stem"
      action="deleteStem" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the changing of a stem's name. -->
  <resolver:DataConnector
    id="UpdateStemChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogEntry"
        category="stem"
        action="updateStem" />
      <!-- The ChangeLogExactAttribute filter matches change log entries with the given attribute and value. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogExactAttribute"
        name="propertyChanged"
        value="name" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the deletion of a group. -->
  <resolver:DataConnector
    id="DeleteGroupChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter
      xsi:type="psp-grouper-changelog:ChangeLogEntry"
      category="group"
      action="deleteGroup" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the changing of a group's name. -->
  <resolver:DataConnector
    id="UpdateGroupChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogEntry"
        category="group"
        action="updateGroup" />
      <!-- The ChangeLogExactAttribute filter matches change log entries with the given attribute and value. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogExactAttribute"
        name="propertyChanged"
        value="name" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing a membership addition. -->
  <resolver:DataConnector
    id="AddMembershipChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter
      xsi:type="psp-grouper-changelog:ChangeLogEntry"
      category="membership"
      action="addMembership" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing a membership deletion. -->
  <resolver:DataConnector
    id="DeleteMembershipChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter
      xsi:type="psp-grouper-changelog:ChangeLogEntry"
      category="membership"
      action="deleteMembership" />
  </resolver:DataConnector>


  <!-- Static data connector. -->
  <resolver:DataConnector
    id="StaticDataConnector"
    xsi:type="dc:Static">
    <!-- Group LDAP objectclass. -->
    <dc:Attribute id="groupObjectclass">
      <dc:Value>top</dc:Value>
      <dc:Value>${edu.internet2.middleware.psp.groupObjectClass}</dc:Value>
    </dc:Attribute>
    <!-- Group LDAP eduMember objectclass. -->
    <dc:Attribute id="groupObjectclassEduMember">
      <dc:Value>top</dc:Value>
      <dc:Value>${edu.internet2.middleware.psp.groupObjectClass}</dc:Value>
      <dc:Value>member</dc:Value>
    </dc:Attribute>
    <!-- Stem LDAP objectclass. -->
    <dc:Attribute id="stemObjectclass">
      <dc:Value>top</dc:Value>
      <dc:Value>organizationalUnit</dc:Value>
    </dc:Attribute>
    <!-- The member LDAP eduMember objectclass. -->
    <dc:Attribute id="memberObjectclass">
      <dc:Value>member</dc:Value>
    </dc:Attribute>
  </resolver:DataConnector>


  <!-- Stem identifier and attributes. -->

  <!-- The LDAP DN of a stem. For example, "ou=stemExtension,ou=groups,dc=example,dc=edu". -->
  <resolver:AttributeDefinition
    id="stemDn"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="bushy"
    sourceAttributeID="name"
    rdnAttributeName="OU"
    stemRdnAttributeName="OU"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependencies which return a "name" attribute whose value is the stem name. -->
    <resolver:Dependency ref="StemDataConnector" />
    <resolver:Dependency ref="DeleteStemChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateStemChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The alternate LDAP DN of a stem via the change log. For example, the DN of a stem before it is renamed. -->
  <resolver:AttributeDefinition
    id="stemDnAlternateChangeLog"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="bushy"
    sourceAttributeID="propertyOldValue"
    rdnAttributeName="OU"
    stemRdnAttributeName="OU"    
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependency which returns a "propertyOldValue" attribute whose value is the old stem name. -->
    <resolver:Dependency ref="UpdateStemChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The stem objectclass attribute. -->
  <resolver:AttributeDefinition
    id="stemObjectclass"
    xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of stem "stemOu" attribute is the stem extension. -->
  <resolver:AttributeDefinition
    id="stemOu"
    xsi:type="ad:Simple"
    sourceAttributeID="extension">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of stem "stemDescription" attribute is the stem description. -->
  <resolver:AttributeDefinition
    id="stemDescription"
    xsi:type="ad:Simple"
    sourceAttributeID="description">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>


  <!-- Group identifier and attributes. -->

  <!-- The LDAP DN of a group. For example, "cn=groupExtension,ou=stem,ou=groups,dc=example,dc=edu". -->
  <resolver:AttributeDefinition
    id="groupDn"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="${edu.internet2.middleware.psp.structure}"
    sourceAttributeID="name"
    rdnAttributeName="CN"
    stemRdnAttributeName="OU"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependencies which return a "name" attribute whose value is the group name. -->
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
    <resolver:Dependency ref="DeleteGroupChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateGroupChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The alternate LDAP DN of a group. For example, the DN of a group before it is renamed. -->
  <resolver:AttributeDefinition
    id="groupDnAlternate"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="${edu.internet2.middleware.psp.structure}"
    sourceAttributeID="alternateName"
    rdnAttributeName="CN"
    stemRdnAttributeName="OU"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependency which returns an "alternateName" attribute whose value is the old group name. -->
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The alternate LDAP DN of a group via the change log. For example, the DN of a group before it is renamed. -->
  <resolver:AttributeDefinition
    id="groupDnAlternateChangeLog"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="${edu.internet2.middleware.psp.structure}"
    sourceAttributeID="propertyOldValue"
    rdnAttributeName="CN"
    stemRdnAttributeName="OU"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependency which returns a "propertyOldValue" attribute whose value is the old group name. -->
    <resolver:Dependency ref="UpdateGroupChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The group objectclass attribute. -->
  <resolver:AttributeDefinition
    id="groupObjectclass"
    xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The group objectclass attribute with eduMember. -->
  <resolver:AttributeDefinition
    id="groupObjectclassEduMember"
    xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of the group "cn" attribute is the group extension. -->
  <!-- If the group DN structure is "bushy" the sourceAttributeID should be "extension". -->
  <!-- If the group DN structure is "flat" the sourceAttributeID should be "name". -->
  <resolver:AttributeDefinition
    id="cn"
    xsi:type="ad:Simple"
    sourceAttributeID="${edu.internet2.middleware.psp.cnSourceAttributeID}">
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of the group "description" attribute is the group description. -->
  <resolver:AttributeDefinition
    id="description"
    xsi:type="ad:Simple">
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The values of the "membersLdap" attribute are the subject ids of group members from the "ldap" source. -->
  <resolver:AttributeDefinition
    id="membersLdap"
    xsi:type="grouper:Member"
    sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <!-- The values of the "id" attribute are the identifiers of subjects whose source id is "ldap". -->
    <!--grouper:Attribute
      id="id"
      source="ldap" -->
<grouper:Attribute
      id="id"
      source="jdbc" />

  </resolver:AttributeDefinition>




  <!-- The values of the "membersGsa" attribute are the names of group members which are grouper groups. -->
  <resolver:AttributeDefinition
    id="membersGsa"
    xsi:type="grouper:Member"
    sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <!-- The values of the "name" attribute are the names of groups whose source is "g:gsa". -->
    <grouper:Attribute
      id="name"
      source="g:gsa" />
  </resolver:AttributeDefinition>


  <!-- Member identifier. -->

  <!-- The LDAP DN of a member. The value of this attribute is the "dn" of subjects whose source id is "ldap". -->
 <resolver:AttributeDefinition
    id="memberDn"
    xsi:type="psp:PSOIdentifier"
    sourceAttributeID="cn">
    <resolver:Dependency ref="MemberDataConnector" />
  </resolver:AttributeDefinition>




  <!-- Change log group membership. -->

  <!-- The value of the "changeLogMembershipGroupDn" attribute is a pso identifier whose ID is the ldap DN of the group of 
    a membership change log entry. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipGroupDn"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="${edu.internet2.middleware.psp.structure}"
    sourceAttributeID="changeLogMembershipGroupName"
    rdnAttributeName="CN"
    stemRdnAttributeName="OU"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <resolver:Dependency ref="changeLogMembershipGroupName" />
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipGroupName" attribute is the name of the group of a membership change log entry. 
    The name of the group is returned only if the group is a child of the stem whose name is the edu.internet2.middleware.psp.baseStem 
    property. If the edu.internet2.middleware.psp.baseStem property is the root stem, groups under the "etc" stem are omitted. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipGroupName"
    xsi:type="ad:Script">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <ad:Script><![CDATA[
        // Import Shibboleth attribute provider.
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        
        // Create the attribute to be returned.
        changeLogMembershipGroupName = new BasicAttribute("changeLogMembershipGroupName")
        
        // Return the group name if it is a child of the base stem to be provisioned, omitting 'etc'.
        if (typeof groupName != "undefined" && groupName != null ) {
            // The name of the base stem to be provisioned.
            var scriptBaseStem = "${edu.internet2.middleware.psp.baseStem}";

            // If the base stem is the root stem, ignore groups under the 'etc' stem.
            if (scriptBaseStem.length == 0) {
                if (groupName.getValues().get(0).lastIndexOf("etc:", 0) === -1) {
                    changeLogMembershipGroupName.getValues().add(groupName.getValues().get(0));
                }
            // Return the group name if it starts with the base stem to be provisioned.
            } else {
                if (groupName.getValues().get(0).lastIndexOf(scriptBaseStem + ":", 0) != -1) {
                    changeLogMembershipGroupName.getValues().add(groupName.getValues().get(0));                
                }
            }
        }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipGroupSubjectName" attribute is the name of the group member of a membership change 
    log entry. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipGroupSubjectName"
    xsi:type="ad:Script">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <ad:Script><![CDATA[
        // Import Shibboleth attribute provider.
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        
        // Create the attribute to be returned.
        changeLogMembershipGroupSubjectName = new BasicAttribute("changeLogMembershipGroupSubjectName");
        
        // Return 'subjectName' attribute values if the 'sourceId' attribute is 'g:gsa'.
        if (typeof sourceId != "undefined" && sourceId != null ){            
            if (sourceId.getValues().contains("g:gsa")) {
                if (typeof subjectName != "undefined" && subjectName != null ){
                    changeLogMembershipGroupSubjectName.getValues().add(subjectName.getValues().get(0));
                }
            }          
        }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipLdapSubjectId" attribute is the subject identifier of the "ldap" source member 
    of a membership change log entry. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipLdapSubjectId"
    xsi:type="ad:Script">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <ad:Script><![CDATA[
        // Import Shibboleth attribute provider.
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        
        // Create the attribute to be returned.
        changeLogMembershipLdapSubjectId = new BasicAttribute("changeLogMembershipLdapSubjectId");
        
        // Return 'subjectId' attribute values if the 'sourceId' attribute is 'ldap'.
        if (typeof sourceId != "undefined" && sourceId != null ){            
            if (sourceId.getValues().contains("jdbc")) {
                if (typeof subjectId != "undefined" && subjectId != null ){
                    changeLogMembershipLdapSubjectId.getValues().add(subjectId.getValues().get(0));
                }
            }
        }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

</AttributeResolver>
<?xml version="1.0" encoding="utf-8"?>

<!--
Grouper's subject resolver configuration
$Id: sources.example.xml,v 1.8 2009-08-11 20:18:09 mchyzer Exp $
-->

<sources>


  <source adapterClass="edu.internet2.middleware.grouper.GrouperSourceAdapter">
    <id>g:gsa</id>
    <name>Grouper: Group Source Adapter</name>
    <type>group</type>

    <init-param>
      <param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>
      <param-value>${subject.getAttributeValue('name')},${subject.getAttributeValue('displayName')},${subject.getAttributeValue('alternateName')}</param-value>
    </init-param>
    <init-param>
      <param-name>sortAttribute0</param-name>
      <param-value>name</param-value>
    </init-param>
    <init-param>
      <param-name>searchAttribute0</param-name>
      <param-value>searchAttribute0</param-value>
    </init-param>
    <internal-attribute>searchAttribute0</internal-attribute>
  </source>
  <!-- Group Subject Resolver -->


  <!-- 
    NOTE: It is recommended that you **not** change the default
          values for this source adapter.
  -->
  <source adapterClass="edu.internet2.middleware.grouper.entity.EntitySourceAdapter">
    <id>grouperEntities</id>
    <name>Grouper: Entity Source Adapter</name>
    <type>application</type>

    <init-param>
      <param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>
      <!-- TODO add attribute for subject identifier -->
      <param-value>${subject.getAttributeValue('name')},${subject.getAttributeValue('displayName')},${subject.getAttributeValue('alternateName')}</param-value>
    </init-param>
    <init-param>
      <param-name>sortAttribute0</param-name>
      <param-value>name</param-value>
    </init-param>
    <init-param>
      <param-name>searchAttribute0</param-name>
      <param-value>searchAttribute0</param-value>
    </init-param>
    <internal-attribute>searchAttribute0</internal-attribute>
  </source>
  <!-- Entity Subject Resolver -->  

<source adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">
    <id>ldap</id>
    <name>LdapSourceAdapter</name>
    <type>person</type>

    <!-- Note that most of the ldap configuration is in the properties file.
         The filename can be a file in your classpath or an absolute pathname. -->

    <init-param>
      <param-name>ldapProperties_file</param-name>
      <param-value>ldap.properties</param-value>
    </init-param>

    <init-param>
      <param-name>Multiple_Results</param-name>
      <param-value>false</param-value>
    </init-param>

    <init-param>
      <param-name>sortAttribute0</param-name>
      <param-value>cn</param-value>
    </init-param>
    <init-param>
      <param-name>searchAttribute0</param-name>
      <param-value>cn</param-value>
    </init-param>

     <init-param>
      <param-name>SubjectID_AttributeType</param-name>
      <param-value>cn</param-value>
    </init-param>
    <init-param>
      <param-name>Name_AttributeType</param-name>
      <param-value>displayName</param-value>
    </init-param>
    <init-param>
      <param-name>Description_AttributeType</param-name>
      <param-value>displayName</param-value>
    </init-param>

    <search>
        <searchType>searchSubject</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp;(cn=%TERM%)(objectclass=person))
            </param-value>
        </param>
 <param>
            <param-name>scope</param-name>
            <param-value>SUBTREE_SCOPE</param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>ou=Campus Users,DC=campus,DC=ncl,DC=ac,DC=uk</param-value>
        </param>

    </search>
    <search>
        <searchType>searchSubjectByIdentifier</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp;(cn=%TERM%)(objectclass=person))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>SUBTREE_SCOPE</param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>ou=Campus Users,DC=campus,DC=ncl,DC=ac,DC=uk</param-value>
        </param>
    </search>

    <!-- use the firstlastfilter to allow: last, first lookup -->
    <search>
       <searchType>search</searchType>
         <param>
            <param-name>filter</param-name>
            <param-value>
                 (&amp;(cn=%TERM%)(objectclass=person))
            </param-value>
        </param>
         <param>
            <param-name>firstlastfilter</param-name>
            <param-value>
                (&amp;(sn=%TERM%)(objectclass=person)))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>SUBTREE_SCOPE</param-value>
        </param>
         <param>
            <param-name>base</param-name>
      <param-value>ou=Campus Users,DC=campus,DC=ncl,DC=ac,DC=uk</param-value>
        </param>
    </search>
    <init-param>
      <param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>
      <param-value>${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('sn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), 
"")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('mail'), "")}</param-value>
    </init-param>
    <init-param>
      <param-name>sortAttribute0</param-name>
      <param-value>cn</param-value>
    </init-param>
    <init-param>
      <param-name>searchAttribute0</param-name>
      <param-value>searchAttribute0</param-value>
    </init-param>
    <internal-attribute>searchAttribute0</internal-attribute>
    ///Attributes you would like to display when doing a search
    <attribute>cn</attribute>
    <attribute>displayName</attribute>

  </source>

<source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2">

<id>jdbc</id> 
    <name>NCL_Users</name> 
     <type>person</type> 
     <init-param> 
       <param-name>jdbcConnectionProvider</param-name> 
       <param-value>edu.internet2.middleware.grouper.subj.GrouperJdbcConnectionProvider</param-value> 
     </init-param> 
     

     

      <init-param> 
       <param-name>dbTableOrView</param-name> 
       <param-value>NCL_Users</param-value> 
     </init-param> 
      <init-param> 
       <param-name>subjectIdCol</param-name> 
       <param-value>loginname</param-value> 
     </init-param> 
     <init-param> 
       <param-name>nameCol</param-name> 
       <param-value>surname</param-value> 
     </init-param> 
     <init-param> 
       <param-name>name2Col</param-name> 
       <param-value>forenames</param-value> 
     </init-param> 
<init-param>
<param-name>descriptionCol</param-name>
<param-value>fullname</param-value>
</init-param>
  

     <init-param> 
       <!-- search col where general searches take place, lower case --> 
       <param-name>lowerSearchCol</param-name> 
       <param-value>searchvalues</param-value> 
     </init-param> 
     <init-param> 
       <!-- optional col if you want the search results sorted in the API (note, UI might override) --> 
       <param-name>defaultSortCol</param-name> 
       <param-value>known_as</param-value> 
     </init-param> 
     <init-param> 
       <!-- col which identifies the row, perhaps not subjectId --> 
       <param-name>subjectIdentifierCol0</param-name> 
       <param-value>loginname</param-value> 
     </init-param> 
     <init-param> 
       <param-name>subjectIdentifierCol1</param-name> 
       <param-value>SAMA</param-value> 
     </init-param> 
     <!-- now you can count up from 0 to N of attributes for various cols --> 
     <init-param> 
       <param-name>subjectAttributeCol0</param-name> 
       <param-value>SAMA</param-value> 
     </init-param> 
     <init-param> 
       <param-name>subjectAttributeName0</param-name> 
       <param-value>SAMA</param-value>
     </init-param> 
 <init-param>
       <param-name>subjectAttributeCol1</param-name>
       <param-value>searchvalues</param-value>
     </init-param>
     <init-param>
       <param-name>subjectAttributeName1</param-name>
       <param-value>emailaddress</param-value>
     </init-param>
 <init-param>
       <param-name>subjectAttributeCol2</param-name>
       <param-value>forenames</param-value>
     </init-param>
     <init-param>
       <param-name>subjectAttributeName2</param-name>
       <param-value>Forenames</param-value>
     </init-param>


	<init-param> 
       <param-name>sortAttribute0</param-name> 
       <param-value>SAMA</param-value>
     </init-param> 
<init-param>
       <param-name>sortAttribute1</param-name>
       <param-value>Forenames</param-value>
     </init-param>

<init-param> 
       <param-name>searchAttribute0</param-name> 
       <param-value>emailaddress</param-value>
     </init-param> 

<internal-attribute>emailaddress</internal-attribute>

   </source> 
</sources>

<?xml version="1.0" encoding="utf-8"?>

<!-- Provisioning Service Provider (PSP) configuration. -->

<!-- A <pso /> is a Provisioning Service Object. The authoritative and allSourceIdentifiersRef attributes control the provisioning 
  of all source and target objects. If authoritative is "true", orphan objects will be deleted. Orphan objects exist on a target 
  without a corresponding source object. The allSourceIdentifiersRef attribute refers to an attribute resolver definition whose 
  values are all source identifiers applicable to this provisioned object. -->
<!-- <pso id="entityName" authoritative="[true|false]" allSourceIdentifiersRef="attributeDefinitionID" /> -->

<!-- The pso identifier refers to an attribute resolver definition. The targetId must match the id of a provisioning service 
  target in psp-services.xml. The containerId is the string id of the pso identifier containing these objects. -->
<!-- <identifier ref="attributeDefinitionID" targetId="targetId" containerId="containerId"/> -->

<!-- The identifying attribute has two purposes : (1) to determine the schema entity of target objects returned from a lookup 
  or search request and (2) to be converted to a query to search a target for all identifiers. If the identifying attribute 
  is not present, the pso will be ignored during bulk requests. -->
<!-- <identifyingAttribute name="attributeName" value="attributeValue" /> -->

<!-- The alternate identifier refers to an attribute resolver definition, and is the previous (old) identifier of an object 
  after it has been renamed. -->
<!-- <alternateIdentifier ref="attributeDefinitionID" /> -->

<!-- A provisioned attribute refers to an attribute resolver definition. -->
<!-- <attribute name="attributeName" ref="attributeDefinitionID" /> -->

<!-- References to the identifiers of other objects. -->
<!-- <references name="attributeName"> <reference ... /> </references> -->

<!-- A reference to the identifier of an object refers to an attribute resolver definition. -->
<!-- <reference ref="attributeDefinitionID" toObject="psoId" /> -->

<psp
  xmlns="http://grouper.internet2.edu/psp";
  xmlns:psp="http://grouper.internet2.edu/psp";
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
  xsi:schemaLocation="http://grouper.internet2.edu/psp classpath:/schema/psp.xsd">

  <!-- Provision a grouper stem as an ldap organizational unit. -->
  <pso
    id="stem"
    authoritative="true"
    allSourceIdentifiersRef="stemNames">

    <!-- The ldap organizational unit DN. -->
    <identifier
      ref="stemDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />

    <!-- Identifies stem objects which exist on the target by objectclass attribute value. -->
    <identifyingAttribute
      name="objectclass"
      value="organizationalUnit" />

    <!-- The "old" ldap organizational unit DN calculated from stem update change log events. -->
    <alternateIdentifier ref="stemDnAlternateChangeLog" />


    <!-- The ldap organizational unit "objectClass" attribute. -->
    <attribute
      name="objectClass"
      ref="stemObjectclass" />

    <!-- The ldap organizational unit "ou" attribute. -->
    <attribute
      name="ou"
      ref="stemOu" />

    <!-- The ldap organizational unit "description" attribute. -->
    <attribute
      name="description"
      ref="stemDescription" />

  </pso>

  <!-- Provision a grouper group as an ldap group. -->
  <pso
    id="group"
    authoritative="true"
    allSourceIdentifiersRef="groupNames">

    <!-- The ldap group DN. -->
    <identifier
      ref="groupDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />

    <!-- Identifies ldap group objects which exist on the target by objectClass attribute value. -->
    <identifyingAttribute
      name="objectClass"
      value="${edu.internet2.middleware.psp.groupObjectClass}" />

    <!-- The "old" ldap group DN if a group has been renamed. -->
    <alternateIdentifier ref="groupDnAlternate" />

    <!-- The "old" ldap group DN calculated from group update change log events. -->
    <alternateIdentifier ref="groupDnAlternateChangeLog" />

    <!-- The ldap group "objectClass" attribute. -->
    <attribute
      name="objectClass"
      ref="groupObjectclass" />

    <!-- The ldap group "cn" attribute. -->
    <attribute name="cn" />

    <!-- The ldap group "description" attribute. -->
    <attribute
      name="description"
      ref="cn" />

    <!-- See http://ldapwiki.willeke.com/wiki/SamAccountName. -->
    <attribute
      name="sAMAccountName"
      ref="cn" />

    <!-- The ldap group "member" attribute. -->
    <references
      name="member"
      caseSensitive="false">

      <reference
        ref="membersLdap"
        toObject="member" />

      <reference
        ref="membersGsa"
        toObject="group" />

    </references>

  </pso>

  <!-- Do not provision grouper members, but enable lookup. -->
  <pso id="member">

    <!-- The ldap member DN. -->
    <identifier
      ref="memberDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.peopleBaseDn}" />

    <!-- Identifies member objects which exist on the target by objectclass attribute value. -->
    <identifyingAttribute
      name="objectclass"
      value="person" />

  </pso>





  <!-- Provision a group membership triggered by the grouper change log. -->
  <pso id="groupMembership">

    <!-- The ldap group DN calculated from membership change log events. -->
    <identifier
      ref="changeLogMembershipGroupDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />

    <!-- The ldap group "member" attribute. -->
    <references
      name="member"
      caseSensitive="false">

      <reference
        ref="changeLogMembershipLdapSubjectId"
        toObject="member" />


      <reference
        ref="changeLogMembershipGroupSubjectName"
        toObject="group" />

    </references>

  </pso>

</psp>
 





Archive powered by MHonArc 2.6.16.

Top of Page