grouper-users - [grouper-users] PSP Configuration - JDBC subject source
Subject: Grouper Users - Open Discussion List
List archive
- From: Richard James <>
- To: "" <>
- Subject: [grouper-users] PSP Configuration - JDBC subject source
- Date: Tue, 17 Dec 2013 15:24:52 +0000
- Accept-language: en-GB, en-US
Hi,
I am in the process of setting up PSP version 2.1.5 for our Grouper install. As a proof of concept I have successfully set this up so that it provisions groups to our active directory using the active directory as our subject source in a development environment.
Our production grouper uses JDBC as the subject source and therefore I need to configure PSP to use the jdbc source for retrieving members from groups and provisioning the memberships into the AD. Unfortunately I haven't managed to get this working successfully so far.
I was not entirely sure how to achieve this and therefore have tried a few changes to the configuration. Up until now, we have been getting a "memberDn source attribute could not be resolved" error.
I presumed that this was due to it not being able to retrieve a dn/cn for the member. I therefore added the following (based upon the configuration for openldap-multiple):
<resolver:AttributeDefinition
    id="memberDn"
    xsi:type="psp:PSOIdentifier"
    sourceAttributeID="cn">
  <resolver:Dependency ref="LDAPMemberPersonLookup2" />
</resolver:AttributeDefinition>

<resolver:DataConnector
    id="LDAPMemberPersonLookup2"
    xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://**.**.**.**:389"
    baseDN="${edu.internet2.middleware.psp.peopleBaseDn}"
    principal="${edu.vt.middleware.ldap.bindDn}"
    principalCredential="${edu.vt.middleware.ldap.bindCredential}"
    maxResultSize="1">
  <dc:FilterTemplate>
    <![CDATA[
      (&(uid=${requestContext.principalName})(objectclass=person))
    ]]>
  </dc:FilterTemplate>
</resolver:DataConnector>
By adding this into the psp-resolver.xml file it is now able to resolve the source attribute for jdbc members. However, when I come to run ./gsh.sh -psp -bulkSync the following error is displayed:
<psp:syncResponse status='failure' requestID='2013/12/17-14:57:55.416' error='customError'>
<addResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='failure' requestID='2013/12/17-14:57:57.746' error='customError'>
<errorMessage>[LDAP: error code 53 - 0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
_]</errorMessage>
</addResponse>
<errorMessage>[LDAP: error code 53 - 0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
_]</errorMessage>
<psp:id ID='Applications:test:ISS_Auto_Dev_Baton_Rouge'/>
</psp:syncResponse>
</psp:bulkSyncResponse>
Has anyone else set up PSP with JDBC as a source? Is this the correct way of going about it? If so, are we missing any further configuration?
Any help would be gratefully received. I've attached the psp.xml, psp-resolver.xml, sources.xml and the grouper_error.log for this Sync attempt.
Many thanks,
Richard James
Infrastructure Systems Administrator
ISS Systems Architecture
Newcastle University
0191 2228638
m.ncl.ac.uk
facebook.com/ITbytes @NU_ITservice
Attachment:
grouper_error.log
Description: grouper_error.log
Attachment:
psp-resolver.xml
Description: psp-resolver.xml
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
    xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:grouper="http://grouper.internet2.edu/shibboleth/2.0"
    xmlns:psp="http://grouper.internet2.edu/psp"
    xmlns:psp-grouper-ldap="http://grouper.internet2.edu/psp-grouper-ldap"
    xmlns:psp-grouper-changelog="http://grouper.internet2.edu/psp-grouper-changelog"
    xmlns:psp-grouper-source="http://grouper.internet2.edu/psp-grouper-source"
    xsi:schemaLocation="
        urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
        urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
        urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
        http://grouper.internet2.edu/shibboleth/2.0 classpath:/schema/shibboleth-2.0-grouper.xsd
        http://grouper.internet2.edu/psp classpath:/schema/psp.xsd
        http://grouper.internet2.edu/psp-grouper-ldap classpath:/schema/psp-grouper-ldap.xsd
        http://grouper.internet2.edu/psp-grouper-changelog classpath:/schema/psp-grouper-changelog.xsd
        http://grouper.internet2.edu/psp-grouper-source classpath:/schema/psp-grouper-source.xsd">

  <!-- Grouper data connectors. -->

  <!-- The GroupDataConnector returns attributes representing the group whose name is the principal name.
       The returned group must be a child of the stem whose name is the edu.internet2.middleware.psp.baseStem property.
       Groups under the "etc" stem are omitted. -->
  <resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The GroupInStem filter matches groups which are children of the given stem. -->
      <grouper:Filter xsi:type="grouper:GroupInStem" name="${edu.internet2.middleware.psp.baseStem}" scope="SUB" />
      <grouper:Filter xsi:type="grouper:GroupInStem" name="etc" scope="SUB" />
    </grouper:Filter>
    <!-- The "members" attribute values are equivalent to group.getMembers(). -->
    <grouper:Attribute id="members" />
    <!-- The "groups" attribute values are equivalent to group.getGroups(). -->
    <grouper:Attribute id="groups" />
  </resolver:DataConnector>

  <!-- The GroupWithoutMermbershipsDataConnector returns attributes representing the group whose name is the principal name.
       The returned group must be a child of the stem whose name is the edu.internet2.middleware.psp.baseStem property.
       Groups under the "etc" stem are omitted. No memberships (groups or members) should be returned by this data
       connector to improve performance of identifier resolution. -->
  <resolver:DataConnector id="GroupWithoutMermbershipsDataConnector" xsi:type="grouper:GroupDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The GroupInStem filter matches groups which are children of the given stem. -->
      <grouper:Filter xsi:type="grouper:GroupInStem" name="${edu.internet2.middleware.psp.baseStem}" scope="SUB" />
      <grouper:Filter xsi:type="grouper:GroupInStem" name="etc" scope="SUB" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The StemDataConnector returns attributes representing the stem whose name is the principal name.
       The returned stem must be a child of the stem whose name is the edu.internet2.middleware.psp.baseStem property.
       The "etc" stem and all children are omitted. -->
  <resolver:DataConnector id="StemDataConnector" xsi:type="grouper:StemDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The StemInStem filter matches stems which are children of the given stem. -->
      <grouper:Filter xsi:type="grouper:StemInStem" name="${edu.internet2.middleware.psp.baseStem}" scope="SUB" />
      <!-- The OR filter matches stems which match either the first or second child filter. -->
      <grouper:Filter xsi:type="grouper:OR">
        <!-- The StemInStem filter matches stems which are children of the given stem. -->
        <grouper:Filter xsi:type="grouper:StemInStem" name="etc" scope="SUB" />
        <!-- The StemNameExact filter matches stems with the given name. -->
        <grouper:Filter xsi:type="grouper:StemNameExact" name="etc" />
      </grouper:Filter>
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The MemberDataConnector returns attributes representing the member whose subject id or identifier is the principal name. -->
  <resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
    <!-- Return members from the "ldap" source only. -->
    <grouper:Filter xsi:type="grouper:MemberSource" sourceId="jdbc"/>
    <!-- Return the "dn" attribute of members whose subject source id is "ldap". -->
    <!--grouper:Attribute id="dn" source="ldap" -->
    <grouper:Attribute id="id" source="jdbc" />
  </resolver:DataConnector>

  <!-- Returns a single "groupNames" attribute whose values are the names of all groups matching the filter.
       The groups returned are children of the stem whose name is the edu.internet2.middleware.psp.baseStem property.
       Groups under the "etc" stem are omitted. -->
  <resolver:DataConnector id="AllGroupNamesConnector" xsi:type="psp-grouper-source:AllGroupNamesDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The GroupInStem filter matches groups which are children of the given stem. -->
      <grouper:Filter xsi:type="grouper:GroupInStem" name="${edu.internet2.middleware.psp.baseStem}" scope="SUB" />
      <grouper:Filter xsi:type="grouper:GroupInStem" name="etc" scope="SUB" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The names of all groups matching the data connector filter. -->
  <resolver:AttributeDefinition id="groupNames" xsi:type="ad:Simple">
    <resolver:Dependency ref="AllGroupNamesConnector" />
  </resolver:AttributeDefinition>

  <!-- Returns a single "stemNames" attribute whose values are the names of all stems matching the filter.
       The stems returned are children of the stem whose name is the edu.internet2.middleware.psp.baseStem property.
       The "etc" stem and all children are omitted. -->
  <resolver:DataConnector id="AllStemNamesConnector" xsi:type="psp-grouper-source:AllStemNamesDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The StemInStem filter matches stems which are children of the given stem. -->
      <grouper:Filter xsi:type="grouper:StemInStem" name="${edu.internet2.middleware.psp.baseStem}" scope="SUB" />
      <!-- The OR filter matches stems which match either the first or second child filter. -->
      <grouper:Filter xsi:type="grouper:OR">
        <!-- The StemInStem filter matches stems which are children of the given stem. -->
        <grouper:Filter xsi:type="grouper:StemInStem" name="etc" scope="SUB" />
        <!-- The StemNameExact filter matches stems with the given name. -->
        <grouper:Filter xsi:type="grouper:StemNameExact" name="etc" />
      </grouper:Filter>
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The names of all stems matching the data connector filter. -->
  <resolver:AttributeDefinition id="stemNames" xsi:type="ad:Simple">
    <resolver:Dependency ref="AllStemNamesConnector" />
  </resolver:AttributeDefinition>

  <!-- ChangeLogDataConnectors return attributes representing the change log entry whose sequence number is the principal name. -->

  <!-- Returns change log attributes representing the deletion of a stem. -->
  <resolver:DataConnector id="DeleteStemChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="stem" action="deleteStem" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the changing of a stem's name. -->
  <resolver:DataConnector id="UpdateStemChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
      <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="stem" action="updateStem" />
      <!-- The ChangeLogExactAttribute filter matches change log entries with the given attribute and value. -->
      <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogExactAttribute" name="propertyChanged" value="name" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the deletion of a group. -->
  <resolver:DataConnector id="DeleteGroupChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="group" action="deleteGroup" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the changing of a group's name. -->
  <resolver:DataConnector id="UpdateGroupChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
      <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="group" action="updateGroup" />
      <!-- The ChangeLogExactAttribute filter matches change log entries with the given attribute and value. -->
      <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogExactAttribute" name="propertyChanged" value="name" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing a membership addition. -->
  <resolver:DataConnector id="AddMembershipChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="membership" action="addMembership" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing a membership deletion. -->
  <resolver:DataConnector id="DeleteMembershipChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="membership" action="deleteMembership" />
  </resolver:DataConnector>

  <!-- Static data connector. -->
  <resolver:DataConnector id="StaticDataConnector" xsi:type="dc:Static">
    <!-- Group LDAP objectclass. -->
    <dc:Attribute id="groupObjectclass">
      <dc:Value>top</dc:Value>
      <dc:Value>${edu.internet2.middleware.psp.groupObjectClass}</dc:Value>
    </dc:Attribute>
    <!-- Group LDAP eduMember objectclass. -->
    <dc:Attribute id="groupObjectclassEduMember">
      <dc:Value>top</dc:Value>
      <dc:Value>${edu.internet2.middleware.psp.groupObjectClass}</dc:Value>
      <dc:Value>member</dc:Value>
    </dc:Attribute>
    <!-- Stem LDAP objectclass. -->
    <dc:Attribute id="stemObjectclass">
      <dc:Value>top</dc:Value>
      <dc:Value>organizationalUnit</dc:Value>
    </dc:Attribute>
    <!-- The member LDAP eduMember objectclass. -->
    <dc:Attribute id="memberObjectclass">
      <dc:Value>member</dc:Value>
    </dc:Attribute>
  </resolver:DataConnector>

  <!-- Stem identifier and attributes. -->

  <!-- The LDAP DN of a stem. For example, "ou=stemExtension,ou=groups,dc=example,dc=edu". -->
  <resolver:AttributeDefinition
      id="stemDn"
      xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
      structure="bushy"
      sourceAttributeID="name"
      rdnAttributeName="OU"
      stemRdnAttributeName="OU"
      baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
      baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependencies which return a "name" attribute whose value is the stem name. -->
    <resolver:Dependency ref="StemDataConnector" />
    <resolver:Dependency ref="DeleteStemChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateStemChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The alternate LDAP DN of a stem via the change log. For example, the DN of a stem before it is renamed. -->
  <resolver:AttributeDefinition
      id="stemDnAlternateChangeLog"
      xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
      structure="bushy"
      sourceAttributeID="propertyOldValue"
      rdnAttributeName="OU"
      stemRdnAttributeName="OU"
      baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
      baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependency which returns a "propertyOldValue" attribute whose value is the old stem name. -->
    <resolver:Dependency ref="UpdateStemChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The stem objectclass attribute. -->
  <resolver:AttributeDefinition id="stemObjectclass" xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of stem "stemOu" attribute is the stem extension. -->
  <resolver:AttributeDefinition id="stemOu" xsi:type="ad:Simple" sourceAttributeID="extension">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of stem "stemDescription" attribute is the stem description. -->
  <resolver:AttributeDefinition id="stemDescription" xsi:type="ad:Simple" sourceAttributeID="description">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>

  <!-- Group identifier and attributes. -->

  <!-- The LDAP DN of a group. For example, "cn=groupExtension,ou=stem,ou=groups,dc=example,dc=edu". -->
  <resolver:AttributeDefinition
      id="groupDn"
      xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
      structure="${edu.internet2.middleware.psp.structure}"
      sourceAttributeID="name"
      rdnAttributeName="CN"
      stemRdnAttributeName="OU"
      baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
      baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependencies which return a "name" attribute whose value is the group name. -->
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
    <resolver:Dependency ref="DeleteGroupChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateGroupChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The alternate LDAP DN of a group. For example, the DN of a group before it is renamed. -->
  <resolver:AttributeDefinition
      id="groupDnAlternate"
      xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
      structure="${edu.internet2.middleware.psp.structure}"
      sourceAttributeID="alternateName"
      rdnAttributeName="CN"
      stemRdnAttributeName="OU"
      baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
      baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependency which returns an "alternateName" attribute whose value is the old group name. -->
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The alternate LDAP DN of a group via the change log. For example, the DN of a group before it is renamed. -->
  <resolver:AttributeDefinition
      id="groupDnAlternateChangeLog"
      xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
      structure="${edu.internet2.middleware.psp.structure}"
      sourceAttributeID="propertyOldValue"
      rdnAttributeName="CN"
      stemRdnAttributeName="OU"
      baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
      baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependency which returns a "propertyOldValue" attribute whose value is the old group name. -->
    <resolver:Dependency ref="UpdateGroupChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The group objectclass attribute. -->
  <resolver:AttributeDefinition id="groupObjectclass" xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The group objectclass attribute with eduMember. -->
  <resolver:AttributeDefinition id="groupObjectclassEduMember" xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of the group "cn" attribute is the group extension. -->
  <!-- If the group DN structure is "bushy" the sourceAttributeID should be "extension". -->
  <!-- If the group DN structure is "flat" the sourceAttributeID should be "name". -->
  <resolver:AttributeDefinition id="cn" xsi:type="ad:Simple" sourceAttributeID="${edu.internet2.middleware.psp.cnSourceAttributeID}">
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of the group "description" attribute is the group description. -->
  <resolver:AttributeDefinition id="description" xsi:type="ad:Simple">
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The values of the "membersLdap" attribute are the subject ids of group members from the "ldap" source. -->
  <resolver:AttributeDefinition id="membersLdap" xsi:type="grouper:Member" sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <!-- The values of the "id" attribute are the identifiers of subjects whose source id is "ldap". -->
    <!--grouper:Attribute id="id" source="ldap" -->
    <grouper:Attribute id="id" source="jdbc" />
  </resolver:AttributeDefinition>

  <!-- The values of the "membersGsa" attribute are the names of group members which are grouper groups. -->
  <resolver:AttributeDefinition id="membersGsa" xsi:type="grouper:Member" sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <!-- The values of the "name" attribute are the names of groups whose source is "g:gsa". -->
    <grouper:Attribute id="name" source="g:gsa" />
  </resolver:AttributeDefinition>

  <!-- Member identifier. -->

  <!-- The LDAP DN of a member. The value of this attribute is the "dn" of subjects whose source id is "ldap". -->
  <resolver:AttributeDefinition id="memberDn" xsi:type="psp:PSOIdentifier" sourceAttributeID="cn">
    <resolver:Dependency ref="MemberDataConnector" />
  </resolver:AttributeDefinition>

  <!-- Change log group membership. -->

  <!-- The value of the "changeLogMembershipGroupDn" attribute is a pso identifier whose ID is the ldap DN of the group
       of a membership change log entry. -->
  <resolver:AttributeDefinition
      id="changeLogMembershipGroupDn"
      xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
      structure="${edu.internet2.middleware.psp.structure}"
      sourceAttributeID="changeLogMembershipGroupName"
      rdnAttributeName="CN"
      stemRdnAttributeName="OU"
      baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
      baseStem="${edu.internet2.middleware.psp.baseStem}">
    <resolver:Dependency ref="changeLogMembershipGroupName" />
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipGroupName" attribute is the name of the group of a membership change log entry.
       The name of the group is returned only if the group is a child of the stem whose name is the
       edu.internet2.middleware.psp.baseStem property. If the edu.internet2.middleware.psp.baseStem property is the
       root stem, groups under the "etc" stem are omitted. -->
  <resolver:AttributeDefinition id="changeLogMembershipGroupName" xsi:type="ad:Script">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <ad:Script><![CDATA[
      // Import Shibboleth attribute provider.
      importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

      // Create the attribute to be returned.
      changeLogMembershipGroupName = new BasicAttribute("changeLogMembershipGroupName");

      // Return the group name if it is a child of the base stem to be provisioned, omitting 'etc'.
      if (typeof groupName != "undefined" && groupName != null ) {
        // The name of the base stem to be provisioned.
        var scriptBaseStem = "${edu.internet2.middleware.psp.baseStem}";
        // If the base stem is the root stem, ignore groups under the 'etc' stem.
        if (scriptBaseStem.length == 0) {
          if (groupName.getValues().get(0).lastIndexOf("etc:", 0) === -1) {
            changeLogMembershipGroupName.getValues().add(groupName.getValues().get(0));
          }
        // Return the group name if it starts with the base stem to be provisioned.
        } else {
          if (groupName.getValues().get(0).lastIndexOf(scriptBaseStem + ":", 0) != -1) {
            changeLogMembershipGroupName.getValues().add(groupName.getValues().get(0));
          }
        }
      }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipGroupSubjectName" attribute is the name of the group member of a membership
       change log entry. -->
  <resolver:AttributeDefinition id="changeLogMembershipGroupSubjectName" xsi:type="ad:Script">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <ad:Script><![CDATA[
      // Import Shibboleth attribute provider.
      importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

      // Create the attribute to be returned.
      changeLogMembershipGroupSubjectName = new BasicAttribute("changeLogMembershipGroupSubjectName");

      // Return 'subjectName' attribute values if the 'sourceId' attribute is 'g:gsa'.
      if (typeof sourceId != "undefined" && sourceId != null ){
        if (sourceId.getValues().contains("g:gsa")) {
          if (typeof subjectName != "undefined" && subjectName != null ){
            changeLogMembershipGroupSubjectName.getValues().add(subjectName.getValues().get(0));
          }
        }
      }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipLdapSubjectId" attribute is the subject identifier of the "ldap" source member
       of a membership change log entry. -->
  <resolver:AttributeDefinition id="changeLogMembershipLdapSubjectId" xsi:type="ad:Script">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <ad:Script><![CDATA[
      // Import Shibboleth attribute provider.
      importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

      // Create the attribute to be returned.
      changeLogMembershipLdapSubjectId = new BasicAttribute("changeLogMembershipLdapSubjectId");

      // Return 'subjectId' attribute values if the 'sourceId' attribute is 'ldap'.
      if (typeof sourceId != "undefined" && sourceId != null ){
        if (sourceId.getValues().contains("jdbc")) {
          if (typeof subjectId != "undefined" && subjectId != null ){
            changeLogMembershipLdapSubjectId.getValues().add(subjectId.getValues().get(0));
          }
        }
      }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

</AttributeResolver>
Attachment:
sources.xml
Description: sources.xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Grouper's subject resolver configuration
     $Id: sources.example.xml,v 1.8 2009-08-11 20:18:09 mchyzer Exp $ -->
<sources>

  <source adapterClass="edu.internet2.middleware.grouper.GrouperSourceAdapter">
    <id>g:gsa</id>
    <name>Grouper: Group Source Adapter</name>
    <type>group</type>
    <init-param>
      <param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>
      <param-value>${subject.getAttributeValue('name')},${subject.getAttributeValue('displayName')},${subject.getAttributeValue('alternateName')}</param-value>
    </init-param>
    <init-param>
      <param-name>sortAttribute0</param-name>
      <param-value>name</param-value>
    </init-param>
    <init-param>
      <param-name>searchAttribute0</param-name>
      <param-value>searchAttribute0</param-value>
    </init-param>
    <internal-attribute>searchAttribute0</internal-attribute>
  </source>
  <!-- Group Subject Resolver -->

  <!-- NOTE: It is recommended that you **not** change the default values for this source adapter. -->
  <source adapterClass="edu.internet2.middleware.grouper.entity.EntitySourceAdapter">
    <id>grouperEntities</id>
    <name>Grouper: Entity Source Adapter</name>
    <type>application</type>
    <init-param>
      <param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>
      <!-- TODO add attribute for subject identifier -->
      <param-value>${subject.getAttributeValue('name')},${subject.getAttributeValue('displayName')},${subject.getAttributeValue('alternateName')}</param-value>
    </init-param>
    <init-param>
      <param-name>sortAttribute0</param-name>
      <param-value>name</param-value>
    </init-param>
    <init-param>
      <param-name>searchAttribute0</param-name>
      <param-value>searchAttribute0</param-value>
    </init-param>
    <internal-attribute>searchAttribute0</internal-attribute>
  </source>
  <!-- Entity Subject Resolver -->

  <source adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">
    <id>ldap</id>
    <name>LdapSourceAdapter</name>
    <type>person</type>
    <!-- Note that most of the ldap configuration is in the properties file.
         The filename can be a file in your classpath or an absolute pathname. -->
    <init-param>
      <param-name>ldapProperties_file</param-name>
      <param-value>ldap.properties</param-value>
    </init-param>
    <init-param>
      <param-name>Multiple_Results</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>sortAttribute0</param-name>
      <param-value>cn</param-value>
    </init-param>
    <init-param>
      <param-name>searchAttribute0</param-name>
      <param-value>cn</param-value>
    </init-param>
    <init-param>
      <param-name>SubjectID_AttributeType</param-name>
      <param-value>cn</param-value>
    </init-param>
    <init-param>
      <param-name>Name_AttributeType</param-name>
      <param-value>displayName</param-value>
    </init-param>
    <init-param>
      <param-name>Description_AttributeType</param-name>
      <param-value>displayName</param-value>
    </init-param>
    <search>
      <searchType>searchSubject</searchType>
      <param>
        <param-name>filter</param-name>
        <param-value>
          (&amp;(cn=%TERM%)(objectclass=person))
        </param-value>
      </param>
      <param>
        <param-name>scope</param-name>
        <param-value>SUBTREE_SCOPE</param-value>
      </param>
      <param>
        <param-name>base</param-name>
        <param-value>ou=Campus Users,DC=campus,DC=ncl,DC=ac,DC=uk</param-value>
      </param>
    </search>
    <search>
      <searchType>searchSubjectByIdentifier</searchType>
      <param>
        <param-name>filter</param-name>
        <param-value>
          (&amp;(cn=%TERM%)(objectclass=person))
        </param-value>
      </param>
      <param>
        <param-name>scope</param-name>
        <param-value>SUBTREE_SCOPE</param-value>
      </param>
      <param>
        <param-name>base</param-name>
        <param-value>ou=Campus Users,DC=campus,DC=ncl,DC=ac,DC=uk</param-value>
      </param>
    </search>
    <!-- use the firstlastfilter to allow: last, first lookup -->
    <search>
      <searchType>search</searchType>
      <param>
        <param-name>filter</param-name>
        <param-value>
          (&amp;(cn=%TERM%)(objectclass=person))
        </param-value>
      </param>
      <param>
        <param-name>firstlastfilter</param-name>
        <!-- the original had an unbalanced closing parenthesis here -->
        <param-value>
          (&amp;(sn=%TERM%)(objectclass=person))
        </param-value>
      </param>
      <param>
        <param-name>scope</param-name>
        <param-value>SUBTREE_SCOPE</param-value>
      </param>
      <param>
        <param-name>base</param-name>
        <param-value>ou=Campus Users,DC=campus,DC=ncl,DC=ac,DC=uk</param-value>
      </param>
    </search>
    <init-param>
      <param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>
      <param-value>${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('sn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('mail'), "")}</param-value>
    </init-param>
    <init-param>
      <param-name>sortAttribute0</param-name>
      <param-value>cn</param-value>
    </init-param>
    <init-param>
      <param-name>searchAttribute0</param-name>
      <param-value>searchAttribute0</param-value>
    </init-param>
    <internal-attribute>searchAttribute0</internal-attribute>
    <!-- Attributes you would like to display when doing a search -->
    <attribute>cn</attribute>
    <attribute>displayName</attribute>
  </source>

  <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2">
    <id>jdbc</id>
    <name>NCL_Users</name>
    <type>person</type>
    <init-param>
      <param-name>jdbcConnectionProvider</param-name>
      <param-value>edu.internet2.middleware.grouper.subj.GrouperJdbcConnectionProvider</param-value>
    </init-param>
    <init-param>
      <param-name>dbTableOrView</param-name>
      <param-value>NCL_Users</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdCol</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>nameCol</param-name>
      <param-value>surname</param-value>
    </init-param>
    <init-param>
      <param-name>name2Col</param-name>
      <param-value>forenames</param-value>
    </init-param>
    <init-param>
      <param-name>descriptionCol</param-name>
      <param-value>fullname</param-value>
    </init-param>
    <init-param>
      <!-- search col where general searches take place, lower case -->
      <param-name>lowerSearchCol</param-name>
      <param-value>searchvalues</param-value>
    </init-param>
    <init-param>
      <!-- optional col if you want the search results sorted in the API (note, UI might override) -->
      <param-name>defaultSortCol</param-name>
      <param-value>known_as</param-value>
    </init-param>
    <init-param>
      <!-- col which identifies the row, perhaps not subjectId -->
      <param-name>subjectIdentifierCol0</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdentifierCol1</param-name>
      <param-value>SAMA</param-value>
    </init-param>
    <!-- now you can count up from 0 to N of attributes for various cols -->
    <init-param>
      <param-name>subjectAttributeCol0</param-name>
      <param-value>SAMA</param-value>
    </init-param>
    <init-param>
      <param-name>subjectAttributeName0</param-name>
      <param-value>SAMA</param-value>
    </init-param>
    <init-param>
      <param-name>subjectAttributeCol1</param-name>
      <param-value>searchvalues</param-value>
    </init-param>
    <init-param>
      <param-name>subjectAttributeName1</param-name>
      <param-value>emailaddress</param-value>
    </init-param>
    <init-param>
      <param-name>subjectAttributeCol2</param-name>
      <param-value>forenames</param-value>
    </init-param>
    <init-param>
      <param-name>subjectAttributeName2</param-name>
      <param-value>Forenames</param-value>
    </init-param>
    <init-param>
      <param-name>sortAttribute0</param-name>
      <param-value>SAMA</param-value>
    </init-param>
    <init-param>
      <param-name>sortAttribute1</param-name>
      <param-value>Forenames</param-value>
    </init-param>
    <init-param>
      <param-name>searchAttribute0</param-name>
      <param-value>emailaddress</param-value>
    </init-param>
    <internal-attribute>emailaddress</internal-attribute>
  </source>

</sources>

<?xml version="1.0" encoding="utf-8"?>
<!-- Provisioning Service Provider (PSP) configuration. -->

<!--
  A <pso /> is a Provisioning Service Object. The authoritative and allSourceIdentifiersRef attributes
  control the provisioning of all source and target objects. If authoritative is "true", orphan objects
  will be deleted. Orphan objects exist on a target without a corresponding source object. The
  allSourceIdentifiersRef attribute refers to an attribute resolver definition whose values are all
  source identifiers applicable to this provisioned object.
-->
<!-- <pso id="entityName" authoritative="[true|false]" allSourceIdentifiersRef="attributeDefinitionID" /> -->

<!--
  The pso identifier refers to an attribute resolver definition. The targetId must match the id of a
  provisioning service target in psp-services.xml. The containerId is the string id of the pso
  identifier containing these objects.
-->
<!-- <identifier ref="attributeDefinitionID" targetId="targetId" containerId="containerId"/> -->

<!--
  The identifying attribute has two purposes: (1) to determine the schema entity of target objects
  returned from a lookup or search request and (2) to be converted to a query to search a target for
  all identifiers. If the identifying attribute is not present, the pso will be ignored during bulk requests.
-->
<!-- <identifyingAttribute name="attributeName" value="attributeValue" /> -->

<!--
  The alternate identifier refers to an attribute resolver definition, and is the previous (old)
  identifier of an object after it has been renamed.
-->
<!-- <alternateIdentifier ref="attributeDefinitionID" /> -->

<!-- A provisioned attribute refers to an attribute resolver definition. -->
<!-- <attribute name="attributeName" ref="attributeDefinitionID" /> -->

<!-- References to the identifiers of other objects. -->
<!-- <references name="attributeName"> <reference ... /> </references> -->

<!-- A reference to the identifier of an object refers to an attribute resolver definition. -->
<!-- <reference ref="attributeDefinitionID" toObject="psoId" /> -->

<psp
  xmlns="http://grouper.internet2.edu/psp"
  xmlns:psp="http://grouper.internet2.edu/psp"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://grouper.internet2.edu/psp classpath:/schema/psp.xsd">

  <!-- Provision a grouper stem as an ldap organizational unit. -->
  <pso id="stem" authoritative="true" allSourceIdentifiersRef="stemNames">
    <!-- The ldap organizational unit DN. -->
    <identifier ref="stemDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />
    <!-- Identifies stem objects which exist on the target by objectclass attribute value. -->
    <identifyingAttribute name="objectclass" value="organizationalUnit" />
    <!-- The "old" ldap organizational unit DN calculated from stem update change log events. -->
    <alternateIdentifier ref="stemDnAlternateChangeLog" />
    <!-- The ldap organizational unit "objectClass" attribute. -->
    <attribute name="objectClass" ref="stemObjectclass" />
    <!-- The ldap organizational unit "ou" attribute. -->
    <attribute name="ou" ref="stemOu" />
    <!-- The ldap organizational unit "description" attribute. -->
    <attribute name="description" ref="stemDescription" />
  </pso>

  <!-- Provision a grouper group as an ldap group. -->
  <pso id="group" authoritative="true" allSourceIdentifiersRef="groupNames">
    <!-- The ldap group DN. -->
    <identifier ref="groupDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />
    <!-- Identifies ldap group objects which exist on the target by objectClass attribute value. -->
    <identifyingAttribute name="objectClass" value="${edu.internet2.middleware.psp.groupObjectClass}" />
    <!-- The "old" ldap group DN if a group has been renamed. -->
    <alternateIdentifier ref="groupDnAlternate" />
    <!-- The "old" ldap group DN calculated from group update change log events. -->
    <alternateIdentifier ref="groupDnAlternateChangeLog" />
    <!-- The ldap group "objectClass" attribute. -->
    <attribute name="objectClass" ref="groupObjectclass" />
    <!-- The ldap group "cn" attribute. -->
    <attribute name="cn" />
    <!-- The ldap group "description" attribute. -->
    <attribute name="description" ref="cn" />
    <!-- See http://ldapwiki.willeke.com/wiki/SamAccountName. -->
    <attribute name="sAMAccountName" ref="cn" />
    <!-- The ldap group "member" attribute. -->
    <references name="member" caseSensitive="false">
      <reference ref="membersLdap" toObject="member" />
      <reference ref="membersGsa" toObject="group" />
    </references>
  </pso>

  <!-- Do not provision grouper members, but enable lookup. -->
  <pso id="member">
    <!-- The ldap member DN. -->
    <identifier ref="memberDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.peopleBaseDn}" />
    <!-- Identifies member objects which exist on the target by objectclass attribute value. -->
    <identifyingAttribute name="objectclass" value="person" />
  </pso>

  <!-- Provision a group membership triggered by the grouper change log. -->
  <pso id="groupMembership">
    <!-- The ldap group DN calculated from membership change log events. -->
    <identifier ref="changeLogMembershipGroupDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />
    <!-- The ldap group "member" attribute. -->
    <references name="member" caseSensitive="false">
      <reference ref="changeLogMembershipLdapSubjectId" toObject="member" />
      <reference ref="changeLogMembershipGroupSubjectName" toObject="group" />
    </references>
  </pso>
</psp>
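Two points in the psp.xml comments above matter before a bulkSync is run against a live directory: a pso with authoritative="true" deletes orphan objects in its container, and a pso with no identifyingAttribute is ignored during bulk requests. The lint script below is an added example, not part of the original post or of PSP; it parses a constructed psp.xml shaped like the one above (trimmed, with a literal "group" objectClass in place of the property placeholder) and reports those cases, authoritative psos that lack an allSourceIdentifiersRef, and toObject references to psos that are not defined.

```python
import xml.etree.ElementTree as ET

PSP_NS = "{http://grouper.internet2.edu/psp}"

# Constructed sample shaped like the psp.xml posted above (not the poster's file).
SAMPLE_PSP_XML = """<psp xmlns="http://grouper.internet2.edu/psp">
  <pso id="group" authoritative="true" allSourceIdentifiersRef="groupNames">
    <identifier ref="groupDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />
    <identifyingAttribute name="objectClass" value="group" />
    <references name="member" caseSensitive="false">
      <reference ref="membersLdap" toObject="member" />
    </references>
  </pso>
  <pso id="member">
    <identifier ref="memberDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.peopleBaseDn}" />
    <identifyingAttribute name="objectclass" value="person" />
  </pso>
  <pso id="groupMembership">
    <identifier ref="changeLogMembershipGroupDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />
    <references name="member">
      <reference ref="changeLogMembershipLdapSubjectId" toObject="member" />
    </references>
  </pso>
</psp>"""


def lint_psp(xml_text):
    """Return the findings a reviewer wants before running -bulkSync against a live target."""
    root = ET.fromstring(xml_text)
    psos = list(root.iter(PSP_NS + "pso"))
    known_ids = {p.get("id") for p in psos}
    report = {"deletes_orphans_in": [], "authoritative_without_source_list": [],
              "ignored_in_bulk": [], "dangling_to_object": []}
    for pso in psos:
        pid = pso.get("id")
        ident = pso.find(PSP_NS + "identifier")
        if pso.get("authoritative") == "true":
            # Orphans (target objects with no source object) in this container get deleted.
            if ident is not None:
                report["deletes_orphans_in"].append((pid, ident.get("targetId"), ident.get("containerId")))
            if not pso.get("allSourceIdentifiersRef"):
                report["authoritative_without_source_list"].append(pid)
        if pso.find(PSP_NS + "identifyingAttribute") is None:
            # No identifying attribute: the pso is skipped during bulk requests.
            report["ignored_in_bulk"].append(pid)
        for ref in pso.iter(PSP_NS + "reference"):
            if ref.get("toObject") not in known_ids:
                report["dangling_to_object"].append((pid, ref.get("toObject")))
    return report
```

Run it against the real psp.xml (read the file instead of SAMPLE_PSP_XML) and confirm the deletes_orphans_in containers are exactly the OUs the service account is meant to own.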