
grouper-users - Re: [grouper-users] PSP configuration- multiple named stems

Subject: Grouper Users - Open Discussion List

  • From: Mark Cairney <>
  • To:
  • Subject: Re: [grouper-users] PSP configuration- multiple named stems
  • Date: Fri, 05 Sep 2014 10:53:41 +0100

OK I'm trying to proceed with the simplest case i.e. no baseStem set.
The process is still on-going but I'm seeing a lot of errors being
generated which seem to fall into 2 types. So far it's been running for
about 13 hours with no changes yet being made to the LDAP server.

1.
2014-09-05 00:00:00,025: [main] ERROR Psp.execute(1187) - - Psp 'psp' -
Diff
DiffResponse[id=1C5998B7-EB74-4D38-8DB8-94E251A07174,status=failure,error=noSuchIdentifier,errorMessages={Unable
to calculate provisioned object.},requestID=2014/09/04-23:59:59.742]
2014-09-05 00:00:00,025: [main] ERROR Psp.execute(1189) - - Psp 'psp' -
Diff XML:
<psp:diffResponse xmlns:psp='http://grouper.internet2.edu/psp'
status='failure' requestID='2014/09/04-23:59:59.742'
error='noSuchIdentifier'>
<errorMessage>Unable to calculate provisioned object.</errorMessage>
<psp:id ID='1C5998B7-EB74-4D38-8DB8-94E251A07174'/>
</psp:diffResponse>

(this looks like it's just complaining about not being able to find a
match for that ID. Given the Dev LDAP server is simply a clone of one of
our Test ones this doesn't worry/surprise me too much as we haven't done
a full sync of the user accounts on both).


2.

2014-09-05 00:58:00,539: [main] ERROR Psp.doesIdentifierExist(445) - -
The lookup response is not a success
'LookupResponse[pso=<null>,status=failure,error=customError,errorMessages={Unable
to determine schema entity for
uid=******,ou=people,ou=central,dc=authorise-dev,dc=ed,dc=ac,dc=uk},requestID=2014/09/05-00:58:00.533]'


Should I be worrying about these errors? I'm also wondering if I've
chosen the wrong example set for my config as I run an OpenLDAP server
but looking at the config there's a whole bunch of attributes we don't
currently have like "isMemberOf, hasMember, seeAlso" etc. I've just
spotted an "eduMember.schema" file so I've added that to the server and
re-started the bulkSync. In the meantime my config files are attached in
case there's anywhere obvious I'm going wrong.



On 03/09/14 09:25, Mark Cairney wrote:
> OK that sounds equally as complicated- I'm even having trouble picturing
> what the config looks like in my head. Ultimately what I'd like to have
> is Grouper exporting only specified stems (e.g.
> affiliations,courses,org) to an individual target LDAP server.
>
> I've been pointed in the direction of some docs + powerpoints by Bryan,
> looking through this it looks like this could be do-able using Group
> Filters in the GroupDataConnector in psp-resolver.xml. This is likely to
> result in the group OU's changing but we may have to live with that as
> they are themselves a result of us provisioning each stem individually
> on Grouper 1.5 which was a workaround to do this.
>
> I'm probably trying to run before I can walk anyway so I'll proceed with
> a base config to provision all stems on Dev and once that's working look
> at this side of things.
>
> Kind regards,
>
> Mark
>
> On 02/09/14 16:10, David Langenberg wrote:
>> Hi Mark,
>>
>> Even in the multiple case, you'll still have one ldap.properties, but
>> you'll now also have the individual ldap connector configs. I don't think
>> there's going to be a sane way to break up the configs unfortunately.
>>
>> Dave
>>
>>
>> On Tue, Sep 2, 2014 at 3:47 AM, Mark Cairney
>> <>
>> wrote:
>>
>>> Hi,
>>>
>>> We're looking to upgrade from our existing 1.5 install to 2.2 and this
>>> means moving from LDAPPC to PSP.
>>>
>>> In our current setup which I'd like to replicate we have a subset of stems
>>> provisioned, each of which has its own separate ldappc.xml file.
>>>
>>> Looking at the examples there is a multiple openLDAP example so my
>>> current thinking is to have multiple "ldap.properties" files for each
>>> stem. Is this possible/ sensible?
>>>
>>> We use the "memberOf" overlay so we would only be looking to export the
>>> groups and their members.
>>>
>>> I'll admit that having not looked much at Grouper since we initially got
>>> it working the new approach seems to have a baffling amount of
>>> configuration options and files so a helping hand would be appreciated :-)
>>>
>>> Kind regards,
>>>
>>> Mark
>>>
>>> --
>>> /****************************
>>>
>>> Mark Cairney
>>> ITI UNIX Section
>>> Information Services
>>> University of Edinburgh
>>>
>>> Tel: 0131 650 6565
>>> Email:
>>>
>>> PGP: 0x435A9621
>>>
>>> *******************************/
>>>
>>> The University of Edinburgh is a charitable body, registered in
>>> Scotland, with registration number SC005336.
>>>
>>>
>>
>>
>

--
/****************************

Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email:

PGP: 0x435A9621

*******************************/

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
<?xml version="1.0" encoding="utf-8"?>

<!-- Provisioning Service Provider (PSP) configuration. -->

<!-- A <pso /> is a Provisioning Service Object. The authoritative and allSourceIdentifiersRef attributes control the provisioning 
  of all source and target objects. If authoritative is "true", orphan objects will be deleted. Orphan objects exist on a target 
  without a corresponding source object. The allSourceIdentifiersRef attribute refers to an attribute resolver definition whose 
  values are all source identifiers applicable to this provisioned object. -->
<!-- <pso id="entityName" authoritative="[true|false]" allSourceIdentifiersRef="attributeDefinitionID" /> -->

<!-- The pso identifier refers to an attribute resolver definition. The targetId must match the id of a provisioning service 
  target in psp-services.xml. The containerId is the string id of the pso identifier containing these objects. -->
<!-- <identifier ref="attributeDefinitionID" targetId="targetId" containerId="containerId"/> -->

<!-- The identifying attribute has two purposes : (1) to determine the schema entity of target objects returned from a lookup 
  or search request and (2) to be converted to a query to search a target for all identifiers. If the identifying attribute 
  is not present, the pso will be ignored during bulk requests. -->
<!-- <identifyingAttribute name="attributeName" value="attributeValue" /> -->

<!-- The alternate identifier refers to an attribute resolver definition, and is the previous (old) identifier of an object 
  after it has been renamed. -->
<!-- <alternateIdentifier ref="attributeDefinitionID" /> -->

<!-- A provisioned attribute refers to an attribute resolver definition. -->
<!-- <attribute name="attributeName" ref="attributeDefinitionID" /> -->

<!-- References to the identifiers of other objects. -->
<!-- <references name="attributeName"> <reference ... /> </references> -->

<!-- A reference to the identifier of an object refers to an attribute resolver definition. -->
<!-- <reference ref="attributeDefinitionID" toObject="psoId" /> -->

<psp
  xmlns="http://grouper.internet2.edu/psp"
  xmlns:psp="http://grouper.internet2.edu/psp"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://grouper.internet2.edu/psp classpath:/schema/psp.xsd">

  <!-- Provision a grouper stem as an ldap organizational unit. -->
  <pso
    id="stem"
    authoritative="true"
    allSourceIdentifiersRef="stemNames">

    <!-- The ldap organizational unit DN. -->
    <identifier
      ref="stemDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />

    <!-- Identifies stem objects which exist on the target by objectclass attribute value. -->
    <identifyingAttribute
      name="objectclass"
      value="organizationalUnit" />

    <!-- The "old" ldap organizational unit DN calculated from stem update change log events. -->
    <alternateIdentifier ref="stemDnAlternateChangeLog" />

    <!-- The ldap organizational unit "objectClass" attribute. -->
    <attribute
      name="objectClass"
      ref="stemObjectclass" />

    <!-- The ldap organizational unit "ou" attribute. -->
    <attribute
      name="ou"
      ref="stemOu" />

    <!-- The ldap organizational unit "description" attribute. -->
    <attribute
      name="description"
      ref="stemDescription" />

    <!-- The ldap gid attribute -->
    <attribute
      name="gidNumber"
      ref="gid" />

    <!-- The ldap organizational unit "seeAlso" attribute. -->
    <attribute
      name="seeAlso"
      ref="stemSeeAlso" />

  </pso>

  <!-- Provision a grouper group as an ldap group. -->
  <pso
    id="group"
    authoritative="true"
    allSourceIdentifiersRef="groupNames">

    <!-- The ldap group DN. -->
    <identifier
      ref="groupDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />

    <!-- Identifies ldap group objects which exist on the target by objectClass attribute value. -->
    <identifyingAttribute
      name="objectClass"
      value="${edu.internet2.middleware.psp.groupObjectClass}" />

    <!-- The "old" ldap group DN if a group has been renamed. -->
    <alternateIdentifier ref="groupDnAlternate" />

    <!-- The "old" ldap group DN calculated from group update change log events. -->
    <alternateIdentifier ref="groupDnAlternateChangeLog" />

    <!-- The ldap group "objectClass" attribute. No existing values will be deleted since retainAll is true. -->
    <attribute
      name="objectClass"
      ref="groupObjectclass"
      retainAll="true" />

    <!-- The ldap group "cn" attribute. -->
    <attribute name="cn" />

    <!-- The ldap group "description" attribute. -->
    <attribute
      name="description"
      ref="displayExtension" />

    <!-- The ldap group "hasMember" attribute includes the names of the groups that are members of the group. -->
    <!-- The ldap group "hasMember" attribute includes the ids of the subjects that are members of the group. -->
    <attribute
      name="hasMember"
      ref="hasMember" />

    <!-- The ldap group "isMemberOf" attribute consists of the names of the groups that the group is a member of. -->
    <attribute
      name="isMemberOf"
      ref="groupIsMemberOf" />

    <!-- The ldap group "mailLocalAddress" attribute. -->
    <!--<attribute name="mailLocalAddress" />-->

    <!-- The ldap group "member" attribute. -->
    <!-- The value of emptyValue is provisioned when the group has no members. -->
    <references
      name="member"
      emptyValue="">

      <reference
        ref="membersLdap"
        toObject="member" />

      <reference
        ref="membersGsa"
        toObject="group" />

    </references>

  </pso>

  <!-- Provision isMemberOf attribute for members which are ldap persons. -->
  <pso
    id="member"
    allSourceIdentifiersRef="memberSubjectIds">

    <!-- The ldap member DN. -->
    <identifier
      ref="memberDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.peopleBaseDn}" />

    <!-- Identifies member objects which exist on the target by objectclass attribute value. -->
    <identifyingAttribute
      name="objectclass"
      value="person" />

    <!-- The ldap member "objectClass" attribute. No existing values will be deleted since retainAll is true. -->
    <attribute
      name="objectClass"
      ref="memberObjectclass"
      retainAll="true" />

    <!-- The ldap member "isMemberOf" attribute consisting of the names of the groups that this member is a member of. -->
    <attribute
      name="isMemberOf"
      ref="memberIsMemberOf" />

  </pso>

  <!-- Provision a group membership triggered by the grouper change log. -->
  <pso id="groupMembership">

    <!-- The ldap group DN calculated from membership change log events. -->
    <identifier
      ref="changeLogMembershipGroupDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />

    <attribute
      name="hasMember"
      ref="changeLogMembershipSubjectName" />

    <!-- The ldap group "member" attribute. -->
    <references name="member">

      <reference
        ref="changeLogMembershipLdapSubjectId"
        toObject="member" />

      <reference
        ref="changeLogMembershipGroupSubjectName"
        toObject="group" />

    </references>

  </pso>

  <!-- Provision a member's membership triggered by the grouper change log. -->
  <pso id="memberMembership">

    <!-- The ldap member DN calculated from membership change log events. -->
    <identifier
      ref="changeLogMembershipMemberDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.peopleBaseDn}" />

    <!-- The ldap member "objectClass" attribute. No existing values will be deleted since retainAll is true. -->
    <attribute
      name="objectClass"
      ref="memberObjectclass"
      retainAll="true" />

    <!-- The ldap member "isMemberOf" attribute consisting of the names of the groups that this member is a member of. -->
    <attribute
      name="isMemberOf"
      ref="changeLogMembershipGroupName" />

  </pso>

  <!-- Provision a group's membership triggered by the grouper change log. -->
  <pso id="groupMemberMembership">

    <!-- The ldap group DN calculated from membership change log events. -->
    <identifier
      ref="changeLogMembershipGroupMemberDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />

    <!-- The ldap member "objectClass" attribute. No existing values will be deleted since retainAll is true. -->
    <attribute
      name="objectClass"
      ref="memberObjectclass"
      retainAll="true" />

    <!-- The ldap member "isMemberOf" attribute consisting of the names of the groups that this member is a member of. -->
    <attribute
      name="isMemberOf"
      ref="changeLogMembershipGroupName" />

  </pso>

</psp>
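
The psp.xml comments above say the identifying attribute is what determines the schema entity of a target object returned from a lookup. The following is an added example, not part of the original post and not Grouper's code: a simplified model of that matching, run over a trimmed, constructed copy of the pso definitions. The property value `groupOfNames` and the sample LDAP entries are assumptions.

```python
import re
import xml.etree.ElementTree as ET

PSP_NS = {"psp": "http://grouper.internet2.edu/psp"}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed: the pso ids and identifyingAttribute elements from the psp.xml
# above, with everything else trimmed away.
PSP_XML = """<psp xmlns="http://grouper.internet2.edu/psp">
  <pso id="stem" authoritative="true" allSourceIdentifiersRef="stemNames">
    <identifyingAttribute name="objectclass" value="organizationalUnit" />
  </pso>
  <pso id="group" authoritative="true" allSourceIdentifiersRef="groupNames">
    <identifyingAttribute name="objectClass"
      value="${edu.internet2.middleware.psp.groupObjectClass}" />
  </pso>
  <pso id="member" allSourceIdentifiersRef="memberSubjectIds">
    <identifyingAttribute name="objectclass" value="person" />
  </pso>
  <pso id="groupMembership" />
</psp>
"""

# Assumed property value; the real one lives in the site's properties file.
PROPS = {"edu.internet2.middleware.psp.groupObjectClass": "groupOfNames"}

# Constructed LDAP entries: attribute name -> list of values.
PERSON_ENTRY = {"objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"]}
ACCOUNT_ENTRY = {"objectClass": ["top", "account", "posixAccount"]}
GROUP_ENTRY = {"objectClass": ["top", "groupOfNames"]}


def resolve(value, props):
    """Substitute ${name} placeholders; raise KeyError if a property is undefined."""
    def sub(match):
        key = match.group(1)
        if key not in props:
            raise KeyError(f"unresolved property: {key}")
        return props[key]
    return PLACEHOLDER.sub(sub, value)


def identifying_attributes(psp_xml, props):
    """Return {pso id: (attribute name, value)}.

    A pso without an identifyingAttribute is skipped, mirroring the comment
    that such a pso is ignored during bulk requests.
    """
    rules = {}
    for pso in ET.fromstring(psp_xml).findall("psp:pso", PSP_NS):
        ident = pso.find("psp:identifyingAttribute", PSP_NS)
        if ident is None:
            continue
        # LDAP attribute names are case-insensitive, so normalise them.
        rules[pso.get("id")] = (ident.get("name").lower(),
                                resolve(ident.get("value"), props))
    return rules


def schema_entities(entry, rules):
    """Return the pso ids whose identifying attribute value is present on the entry."""
    attrs = {name.lower(): {v.lower() for v in values}
             for name, values in entry.items()}
    return sorted(pso_id for pso_id, (name, value) in rules.items()
                  if value.lower() in attrs.get(name, set()))


if __name__ == "__main__":
    rules = identifying_attributes(PSP_XML, PROPS)
    for label, entry in [("person", PERSON_ENTRY),
                         ("account", ACCOUNT_ENTRY),
                         ("group", GROUP_ENTRY)]:
        matched = schema_entities(entry, rules)
        # An empty list is this model's analogue of a lookup that cannot
        # decide which pso the target object belongs to.
        print(f"{label:8s} -> {matched or 'no schema entity'}")
```

Feeding it the objectClass values of a real target entry (for example from an `ldapsearch` of the DN in the log) shows whether any pso definition would claim that entry.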
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
  xmlns="urn:mace:shibboleth:2.0:resolver"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
  xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
  xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
  xmlns:grouper="http://grouper.internet2.edu/shibboleth/2.0"
  xmlns:psp="http://grouper.internet2.edu/psp"
  xmlns:psp-grouper-ldap="http://grouper.internet2.edu/psp-grouper-ldap"
  xmlns:psp-grouper-changelog="http://grouper.internet2.edu/psp-grouper-changelog"
  xmlns:psp-grouper-source="http://grouper.internet2.edu/psp-grouper-source"
  xsi:schemaLocation="
   urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
   urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
   urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
   http://grouper.internet2.edu/shibboleth/2.0 classpath:/schema/shibboleth-2.0-grouper.xsd
   http://grouper.internet2.edu/psp classpath:/schema/psp.xsd
   http://grouper.internet2.edu/psp-grouper-ldap classpath:/schema/psp-grouper-ldap.xsd
   http://grouper.internet2.edu/psp-grouper-changelog classpath:/schema/psp-grouper-changelog.xsd
   http://grouper.internet2.edu/psp-grouper-source classpath:/schema/psp-grouper-source.xsd">

  <!-- Grouper data connectors. -->

  <!-- The GroupDataConnector returns attributes representing the group whose name is the principal name. The returned group 
    must be a child of the stem whose name is the edu.internet2.middleware.psp.baseStem property. Groups under the "etc" stem 
    are omitted. -->
  <resolver:DataConnector
    id="GroupDataConnector"
    xsi:type="grouper:GroupDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The GroupInStem filter matches groups which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="etc"
        scope="SUB" />
    </grouper:Filter>
    <!-- The "members" attribute values are equivalent to group.getMembers(). -->
    <grouper:Attribute id="members" />
    <!-- The "groups" attribute values are equivalent to group.getGroups(). -->
    <grouper:Attribute id="groups" />
    <!-- The "etc:attribute:mailLocalAddress" attribute framework definition. -->
    <!-- <grouper:Attribute id="etc:attribute:mailLocalAddress" /> -->
  </resolver:DataConnector>

  <!-- The GroupWithoutMermbershipsDataConnector returns attributes representing the group whose name is the principal name. 
    The returned group must be a child of the stem whose name is the edu.internet2.middleware.psp.baseStem property. Groups under 
    the "etc" stem are omitted. No memberships (groups or members) should be returned by this data connector to improve performance 
    of identifier resolution. -->
  <resolver:DataConnector
    id="GroupWithoutMermbershipsDataConnector"
    xsi:type="grouper:GroupDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The GroupInStem filter matches groups which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="etc"
        scope="SUB" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The StemDataConnector returns attributes representing the stem whose name is the principal name. The returned stem 
    must be a child of the stem whose name is the edu.internet2.middleware.psp.baseStem property. The "etc" stem and all children 
    are omitted. -->
  <resolver:DataConnector
    id="StemDataConnector"
    xsi:type="grouper:StemDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The StemInStem filter matches stems which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:StemInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <!-- The OR filter matches stems which match either the first or second child filter. -->
      <grouper:Filter xsi:type="grouper:OR">
        <!-- The StemInStem filter matches stems which are children of the given stem. -->
        <grouper:Filter
          xsi:type="grouper:StemInStem"
          name="etc"
          scope="SUB" />
        <!-- The StemNameExact filter matches stems with the given name. -->
        <grouper:Filter
          xsi:type="grouper:StemNameExact"
          name="etc" />
      </grouper:Filter>
    </grouper:Filter>
    <!-- The "etc:attribute:seeAlso" attribute framework definition. -->
    <!--<grouper:Attribute id="etc:attribute:seeAlso" />-->
  </resolver:DataConnector>

  <!-- The MemberDataConnector returns attributes representing the member whose subject id or identifier is the principal 
    name. -->
  <resolver:DataConnector
    id="MemberDataConnector"
    xsi:type="grouper:MemberDataConnector">
    <!-- Return members from the "ldap" source only. -->
    <grouper:Filter
      xsi:type="grouper:MemberSource"
      sourceId="sourceId" />
    <!-- Return the "dn" attribute of members whose subject source id is "ldap". -->
    <grouper:Attribute
      id="dn"
      source="sourceId" />
    <!-- The "groups" attribute values are equivalent to member.getGroups(). -->
    <grouper:Attribute id="groups" />
  </resolver:DataConnector>


  <!-- Returns a single "groupNames" attribute whose values are the names of all groups matching the filter. The groups returned 
    are children of the stem whose name is the edu.internet2.middleware.psp.baseStem property. Groups under the "etc" stem are 
    omitted. -->
  <resolver:DataConnector
    id="AllGroupNamesConnector"
    xsi:type="psp-grouper-source:AllGroupNamesDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The GroupInStem filter matches groups which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <grouper:Filter
        xsi:type="grouper:GroupInStem"
        name="etc"
        scope="SUB" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The names of all groups matching the data connector filter. -->
  <resolver:AttributeDefinition
    id="groupNames"
    xsi:type="ad:Simple">
    <resolver:Dependency ref="AllGroupNamesConnector" />
  </resolver:AttributeDefinition>

  <!-- Returns a single "stemNames" attribute whose values are the names of all stems matching the filter. The stems returned 
    are children of the stem whose name is the edu.internet2.middleware.psp.baseStem property. The "etc" stem and all children 
    are omitted. -->
  <resolver:DataConnector
    id="AllStemNamesConnector"
    xsi:type="psp-grouper-source:AllStemNamesDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The StemInStem filter matches stems which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:StemInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <!-- The OR filter matches stems which match either the first or second child filter. -->
      <grouper:Filter xsi:type="grouper:OR">
        <!-- The StemInStem filter matches stems which are children of the given stem. -->
        <grouper:Filter
          xsi:type="grouper:StemInStem"
          name="etc"
          scope="SUB" />
        <!-- The StemNameExact filter matches stems with the given name. -->
        <grouper:Filter
          xsi:type="grouper:StemNameExact"
          name="etc" />
      </grouper:Filter>
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The names of all stems matching the data connector filter. -->
  <resolver:AttributeDefinition
    id="stemNames"
    xsi:type="ad:Simple">
    <resolver:Dependency ref="AllStemNamesConnector" />
  </resolver:AttributeDefinition>

  <!-- Returns a single "memberSubjectIds" attribute whose values are the subject ids of all members matching the filter. -->
  <resolver:DataConnector
    id="AllMemberSubjectIdsConnector"
    xsi:type="psp-grouper-source:AllMemberSubjectIdsDataConnector">
    <grouper:Filter
      xsi:type="grouper:MemberSource"
      sourceId="sourceId" />
  </resolver:DataConnector>

  <!-- The subject ids of all members matching the data connector filter. -->
  <resolver:AttributeDefinition
    id="memberSubjectIds"
    xsi:type="ad:Simple">
    <resolver:Dependency ref="AllMemberSubjectIdsConnector" />
  </resolver:AttributeDefinition>


  <!-- ChangeLogDataConnectors return attributes representing the change log entry whose sequence number is the principal 
    name. -->

  <!-- Returns change log attributes representing the deletion of a stem. -->
  <resolver:DataConnector
    id="DeleteStemChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter
      xsi:type="psp-grouper-changelog:ChangeLogEntry"
      category="stem"
      action="deleteStem" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the changing of a stem's name. -->
  <resolver:DataConnector
    id="UpdateStemNameChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogEntry"
        category="stem"
        action="updateStem" />
      <!-- The ChangeLogExactAttribute filter matches change log entries with the given attribute and value. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogExactAttribute"
        name="propertyChanged"
        value="name" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the changing of a stem's description. -->
  <resolver:DataConnector
    id="UpdateStemDescriptionChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogEntry"
        category="stem"
        action="updateStem" />
      <!-- The ChangeLogExactAttribute filter matches change log entries with the given attribute and value. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogExactAttribute"
        name="propertyChanged"
        value="description" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the deletion of a group. -->
  <resolver:DataConnector
    id="DeleteGroupChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter
      xsi:type="psp-grouper-changelog:ChangeLogEntry"
      category="group"
      action="deleteGroup" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the changing of a group's name. -->
  <resolver:DataConnector
    id="UpdateGroupNameChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogEntry"
        category="group"
        action="updateGroup" />
      <!-- The ChangeLogExactAttribute filter matches change log entries with the given attribute and value. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogExactAttribute"
        name="propertyChanged"
        value="name" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the changing of a group's description. -->
  <resolver:DataConnector
    id="UpdateGroupDescriptionChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogEntry"
        category="group"
        action="updateGroup" />
      <!-- The ChangeLogExactAttribute filter matches change log entries with the given attribute and value. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogExactAttribute"
        name="propertyChanged"
        value="description" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing a membership addition. -->
  <resolver:DataConnector
    id="AddMembershipChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter
      xsi:type="psp-grouper-changelog:ChangeLogEntry"
      category="membership"
      action="addMembership" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing a membership deletion. -->
  <resolver:DataConnector
    id="DeleteMembershipChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter
      xsi:type="psp-grouper-changelog:ChangeLogEntry"
      category="membership"
      action="deleteMembership" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing attribute value assignment to a group. -->
  <resolver:DataConnector
    id="GroupAttributeAssignValueChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogEntry"
        category="attributeAssignValue" />
      <!-- The ChangeLogAttributeAssignType filter matches change log entries with the given attribute assign type. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogAttributeAssignType"
        attributeAssignType="group" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing attribute value assignment to a stem. -->
  <resolver:DataConnector
    id="StemAttributeAssignValueChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogEntry"
        category="attributeAssignValue" />
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogAttributeAssignType"
        attributeAssignType="stem" />
    </grouper:Filter>
  </resolver:DataConnector>


  <!-- Static data connector. -->
  <resolver:DataConnector
    id="StaticDataConnector"
    xsi:type="dc:Static">
    <!-- Group LDAP objectclass. -->
    <dc:Attribute id="staticGroupObjectclass">
      <dc:Value>top</dc:Value>
      <dc:Value>${edu.internet2.middleware.psp.groupObjectClass}</dc:Value>
      <dc:Value>eduMember</dc:Value>
    </dc:Attribute>
    <!-- Stem LDAP objectclass. -->
    <dc:Attribute id="staticStemObjectclass">
      <dc:Value>top</dc:Value>
      <dc:Value>organizationalUnit</dc:Value>
    </dc:Attribute>
    <!-- The member LDAP eduMember objectclass. -->
    <dc:Attribute id="memberObjectclass">
      <dc:Value>eduMember</dc:Value>
    </dc:Attribute>
  </resolver:DataConnector>


  <!-- Stem identifier and attributes. -->

  <!-- The LDAP DN of a stem. For example, "ou=stemExtension,ou=groups,dc=example,dc=edu". -->
  <resolver:AttributeDefinition
    id="stemDn"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="bushy"
    sourceAttributeID="stemNameInStem"
    rdnAttributeName="ou"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependencies which return a "stemNameInStem" attribute whose value is the stem name. -->
    <resolver:Dependency ref="stemNameInStem" />
  </resolver:AttributeDefinition>

  <!-- The value of the "stemNameInStem" attribute is the name of the stem of a change log entry. The name of the stem is 
    returned only if the stem is a child of the stem whose name is the edu.internet2.middleware.psp.baseStem property. If the 
    edu.internet2.middleware.psp.baseStem property is the root stem, stems under the "etc" stem are omitted. -->
  <resolver:AttributeDefinition
    id="stemNameInStem"
    xsi:type="grouper:FilteredName"
    sourceAttributeID="name">
    <!-- Dependencies which return a "name" attribute whose value is the stem name. -->
    <resolver:Dependency ref="StemDataConnector" />
    <resolver:Dependency ref="DeleteStemChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateStemNameChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateStemDescriptionChangeLogDataConnector" />
    <resolver:Dependency ref="StemAttributeAssignValueChangeLogDataConnector" />
    <!-- The MINUS filter matches names which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The NameInStem filter matches names which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:NameInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <!-- The OR filter matches names which match either the first or second child filter. -->
      <grouper:Filter xsi:type="grouper:OR">
        <!-- The NameInStem filter matches names which are children of the given stem. -->
        <grouper:Filter
          xsi:type="grouper:NameInStem"
          name="etc"
          scope="SUB" />
        <!-- The NameExact filter matches names with the given name. -->
        <grouper:Filter
          xsi:type="grouper:NameExact"
          name="etc" />
      </grouper:Filter>
    </grouper:Filter>
  </resolver:AttributeDefinition>

  <!-- The alternate LDAP DN of a stem via the change log. For example, the DN of a stem before it is renamed. -->
  <resolver:AttributeDefinition
    id="stemDnAlternateChangeLog"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="bushy"
    sourceAttributeID="propertyOldValue"
    rdnAttributeName="ou"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependency which returns a "propertyOldValue" attribute whose value is the old stem name. -->
    <resolver:Dependency ref="UpdateStemNameChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The stem objectclass attribute. If a change log entry is resolved, do not return dependencies from the static data 
    connector. -->
  <resolver:AttributeDefinition
    id="stemObjectclass"
    xsi:type="ad:Script">
    <resolver:Dependency ref="StaticDataConnector" />
    <resolver:Dependency ref="UpdateStemNameChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateStemDescriptionChangeLogDataConnector" />
    <!-- <resolver:Dependency ref="StemAttributeAssignValueChangeLogDataConnector" /> -->
    <ad:Script><![CDATA[
        // Import Shibboleth attribute provider.
        load("nashorn:mozilla_compat.js");
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        
        // Create the attribute to be returned.
        stemObjectclass = new BasicAttribute("stemObjectclass");
        
        // Include values from 'staticStemObjectclass' if a change log entry is not being processed.
        if (typeof changeLogCategory != "undefined" && changeLogCategory != null) {
            // return nothing        
        } else {
            stemObjectclass.getValues().addAll(staticStemObjectclass.getValues());
        }                       
    ]]></ad:Script>
  </resolver:AttributeDefinition>

  <!-- The value of stem "stemOu" attribute is the stem extension. -->
  <resolver:AttributeDefinition
    id="stemOu"
    xsi:type="ad:Simple"
    sourceAttributeID="extension">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of the stem "description" attribute is the stem description. -->
  <resolver:AttributeDefinition
    id="stemDescription"
    xsi:type="ad:Simple"
    sourceAttributeID="description">
    <resolver:Dependency ref="StemDataConnector" />
    <resolver:Dependency ref="UpdateStemDescriptionChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The stem "seeAlso" attribute. -->
  <resolver:AttributeDefinition
    id="stemSeeAlso"
    xsi:type="ad:Simple"
    sourceAttributeID="etc:attribute:seeAlso">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>


  <!-- Group identifier and attributes. -->

  <!-- The LDAP DN of a group. For example, "cn=groupExtension,ou=stem,ou=groups,dc=example,dc=edu". -->
  <resolver:AttributeDefinition
    id="groupDn"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="${edu.internet2.middleware.psp.structure}"
    sourceAttributeID="groupNameInStem"
    rdnAttributeName="cn"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependencies which return a "groupNameInStem" attribute whose value is the group name. -->
    <resolver:Dependency ref="groupNameInStem" />
  </resolver:AttributeDefinition>

  <!-- The value of the "groupNameInStem" attribute is the name of the group of a change log entry. The name of the group 
    is returned only if the group is a child of the stem whose name is the edu.internet2.middleware.psp.baseStem property. If 
    the edu.internet2.middleware.psp.baseStem property is the root stem, groups under the "etc" stem are omitted. -->
  <resolver:AttributeDefinition
    id="groupNameInStem"
    xsi:type="grouper:FilteredName"
    sourceAttributeID="name">
    <!-- Dependencies which return a "name" attribute whose value is the group name. -->
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
    <resolver:Dependency ref="DeleteGroupChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateGroupNameChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateGroupDescriptionChangeLogDataConnector" />
    <resolver:Dependency ref="GroupAttributeAssignValueChangeLogDataConnector" />
    <!-- The MINUS filter matches names which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The NameInStem filter matches names which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:NameInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <grouper:Filter
        xsi:type="grouper:NameInStem"
        name="etc"
        scope="SUB" />
    </grouper:Filter>
  </resolver:AttributeDefinition>

  <!-- The alternate LDAP DN of a group. For example, the DN of a group before it is renamed. -->
  <resolver:AttributeDefinition
    id="groupDnAlternate"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="${edu.internet2.middleware.psp.structure}"
    sourceAttributeID="alternateName"
    rdnAttributeName="cn"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependency which returns an "alternateName" attribute whose value is the old group name. -->
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The alternate LDAP DN of a group via the change log. For example, the DN of a group before it is renamed. -->
  <resolver:AttributeDefinition
    id="groupDnAlternateChangeLog"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="${edu.internet2.middleware.psp.structure}"
    sourceAttributeID="propertyOldValue"
    rdnAttributeName="cn"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependency which returns a "propertyOldValue" attribute whose value is the old group name. -->
    <resolver:Dependency ref="UpdateGroupNameChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The group objectclass attribute. If an attribute assign value change log entry is being processed, do not return dependencies 
    from the static data connector. -->
  <resolver:AttributeDefinition
    id="groupObjectclass"
    xsi:type="ad:Script">
    <resolver:Dependency ref="StaticDataConnector" />
    <!--<resolver:Dependency ref="inetLocalMailRecipientObjectclass" />-->
    <resolver:Dependency ref="GroupAttributeAssignValueChangeLogDataConnector" />
    <ad:Script><![CDATA[
        // Import Shibboleth attribute provider.
        load("nashorn:mozilla_compat.js");
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        
        // Create the attribute to be returned.
        groupObjectclass = new BasicAttribute("groupObjectclass");
        
        // Include values from 'staticGroupObjectClass' if the change log category is not 'attributeAssignValue'.
        if (typeof changeLogCategory != "undefined" && changeLogCategory != null) {
            if (!changeLogCategory.getValues().contains("attributeAssignValue")) {
                groupObjectclass.getValues().addAll(staticGroupObjectclass.getValues());
            }
        // Include values from 'staticGroupObjectClass' if a change log entry is not being processed.
        } else {
            groupObjectclass.getValues().addAll(staticGroupObjectclass.getValues());
        }
        
        // Include values from 'inetLocalMailRecipientObjectclass' attribute.
        //if (typeof inetLocalMailRecipientObjectclass != "undefined" && inetLocalMailRecipientObjectclass != null) {
        //    if (!inetLocalMailRecipientObjectclass.getValues().isEmpty()) {
        //        groupObjectclass.getValues().addAll(inetLocalMailRecipientObjectclass.getValues());
        //    }   
        //}                
    ]]></ad:Script>
  </resolver:AttributeDefinition>

  <!-- The value of the "inetLocalMailRecipientObjectclass" attribute is "inetLocalMailRecipient" if the "mailLocalAddress" 
    attribute is not empty. 
  <resolver:AttributeDefinition
    id="inetLocalMailRecipientObjectclass"
    sourceAttributeID="mailLocalAddress"
    xsi:type="ad:Script">
    <resolver:Dependency ref="mailLocalAddress" />
    <ad:Script><![CDATA[
        // Import Shibboleth attribute provider.
        load("nashorn:mozilla_compat.js");
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        
        // Create the attribute to be returned.
        inetLocalMailRecipientObjectclass = new BasicAttribute("inetLocalMailRecipientObjectclass");
        
        // Return value 'inetLocalMailRecipient' if 'mailLocalAddress' is not empty. 
        if (typeof mailLocalAddress != "undefined" && mailLocalAddress != null) {
            if (!mailLocalAddress.getValues().isEmpty()) {
                inetLocalMailRecipientObjectclass.getValues().add("inetLocalMailRecipient");
            }                
        }
    ]]></ad:Script>
  </resolver:AttributeDefinition>-->

  <!-- The value of the group "cn" attribute is the group extension. -->
  <!-- If the group DN structure is "bushy" the sourceAttributeID should be "extension". -->
  <!-- If the group DN structure is "flat" the sourceAttributeID should be "name". -->
  <resolver:AttributeDefinition
    id="cn"
    xsi:type="ad:Simple"
    sourceAttributeID="${edu.internet2.middleware.psp.cnSourceAttributeID}">
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of the group "description" attribute is the group description. -->
  <resolver:AttributeDefinition
    id="groupDescription"
    xsi:type="ad:Simple"
    sourceAttributeID="description">
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
    <resolver:Dependency ref="UpdateGroupDescriptionChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The values of the group "hasMember" attribute include the names of the groups which are members of the group. -->
  <!-- The values of the group "hasMember" attribute include the ids of the subjects which are members of the group. -->
  <resolver:AttributeDefinition
    id="hasMember"
    xsi:type="grouper:Member"
    sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <grouper:Attribute
      id="name"
      source="ldap" />
    <grouper:Attribute
      id="name"
      source="g:gsa" />
  </resolver:AttributeDefinition>

  <!-- The values of the group "groupIsMemberOf" attribute are the names of the groups that the group is a member of. -->
  <resolver:AttributeDefinition
    id="groupIsMemberOf"
    xsi:type="grouper:Group"
    sourceAttributeID="groups">
    <resolver:Dependency ref="GroupDataConnector" />
    <grouper:Attribute id="name" />
  </resolver:AttributeDefinition>

  <!-- The value of the group "mailLocalAddress" attribute is the group mailLocalAddress. 
  <resolver:AttributeDefinition
    id="mailLocalAddress"
    xsi:type="ad:Simple"
    sourceAttributeID="etc:attribute:mailLocalAddress">
    <resolver:Dependency ref="GroupDataConnector" />
    <resolver:Dependency ref="GroupAttributeAssignValueChangeLogDataConnector" />
  </resolver:AttributeDefinition>-->

  <!-- The values of the "membersLdap" attribute are the subject ids of group members from the "ldap" source. -->
  <resolver:AttributeDefinition
    id="membersLdap"
    xsi:type="grouper:Member"
    sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <!-- The values of the "id" attribute are the identifiers of subjects whose source id is "ldap". -->
    <grouper:Attribute
      id="id"
      source="ldap" />
  </resolver:AttributeDefinition>

  <!-- The values of the "membersGsa" attribute are the names of group members which are grouper groups. -->
  <resolver:AttributeDefinition
    id="membersGsa"
    xsi:type="grouper:Member"
    sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <!-- The values of the "name" attribute are the names of groups whose source is "g:gsa". -->
    <grouper:Attribute
      id="name"
      source="g:gsa" />
  </resolver:AttributeDefinition>


  <!-- Member identifier. -->

  <!-- Returns a member of an ldap group which is a person. -->
  <resolver:DataConnector
    id="LDAPMemberPersonLookup"
    xsi:type="dc:LDAPDirectory"
    ldapURL="${edu.vt.middleware.ldap.ldapUrl}"
    baseDN="${edu.internet2.middleware.psp.peopleBaseDn}"
    principal="${edu.vt.middleware.ldap.bindDn}"
    principalCredential="${edu.vt.middleware.ldap.bindCredential}"
    maxResultSize="1">
    <dc:FilterTemplate>
        <![CDATA[
            (&(eduniIdmsId=${requestContext.principalName})(objectclass=person))
        ]]>
    </dc:FilterTemplate>
  </resolver:DataConnector>

  <!-- The LDAP DN of a member. The value of this attribute is the "dn" of subjects whose source id is "ldap". -->
  <resolver:AttributeDefinition
    id="memberDn"
    xsi:type="psp:PSOIdentifier"
    sourceAttributeID="entryDN">
    <resolver:Dependency ref="LDAPMemberPersonLookup" />
  </resolver:AttributeDefinition>

  <!-- The member objectclass attribute. -->
  <resolver:AttributeDefinition
    id="memberObjectclass"
    xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The values of the member "memberIsMemberOf" attribute are the names of the groups that the member is a member of. -->
  <resolver:AttributeDefinition
    id="memberIsMemberOf"
    xsi:type="grouper:Group"
    sourceAttributeID="groups">
    <resolver:Dependency ref="MemberDataConnector" />
    <grouper:Attribute id="name" />
  </resolver:AttributeDefinition>


  <!-- Change log group membership. -->

  <!-- The value of the "changeLogMembershipGroupDn" attribute is a pso identifier whose ID is the ldap DN of the group of 
    a membership change log entry. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipGroupDn"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="${edu.internet2.middleware.psp.structure}"
    sourceAttributeID="changeLogMembershipGroupName"
    rdnAttributeName="cn"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <resolver:Dependency ref="changeLogMembershipGroupName" />
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipGroupName" attribute is the name of the group of a membership change log entry. 
    The name of the group is returned only if the group is a child of the stem whose name is the edu.internet2.middleware.psp.baseStem 
    property. If the edu.internet2.middleware.psp.baseStem property is the root stem, groups under the "etc" stem are omitted. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipGroupName"
    xsi:type="grouper:FilteredName"
    sourceAttributeID="groupName">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <!-- The MINUS filter matches names which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The NameInStem filter matches names which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:NameInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <grouper:Filter
        xsi:type="grouper:NameInStem"
        name="etc"
        scope="SUB" />
    </grouper:Filter>
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipGroupSubjectName" attribute is the name of the group member of a membership change 
    log entry. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipGroupSubjectName"
    xsi:type="ad:Script">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <ad:Script><![CDATA[
        // Import Shibboleth attribute provider.
        load("nashorn:mozilla_compat.js");
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        
        // Create the attribute to be returned.
        changeLogMembershipGroupSubjectName = new BasicAttribute("changeLogMembershipGroupSubjectName");
        
        // Return 'subjectName' attribute values if the 'sourceId' attribute is 'g:gsa'.
        if (typeof sourceId != "undefined" && sourceId != null ){            
            if (sourceId.getValues().contains("g:gsa")) {
                if (typeof subjectName != "undefined" && subjectName != null ){
                    changeLogMembershipGroupSubjectName.getValues().add(subjectName.getValues().get(0));
                }
            }          
        }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipLdapSubjectId" attribute is the subject identifier of the "ldap" source member 
    of a membership change log entry. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipLdapSubjectId"
    xsi:type="ad:Script">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <ad:Script><![CDATA[
        // Import Shibboleth attribute provider.
        load("nashorn:mozilla_compat.js");
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        
        // Create the attribute to be returned.
        changeLogMembershipLdapSubjectId = new BasicAttribute("changeLogMembershipLdapSubjectId");
        
        // Return 'subjectId' attribute values if the 'sourceId' attribute is 'ldap'.
        if (typeof sourceId != "undefined" && sourceId != null ){            
            if (sourceId.getValues().contains("ldap")) {
                if (typeof subjectId != "undefined" && subjectId != null ){
                    changeLogMembershipLdapSubjectId.getValues().add(subjectId.getValues().get(0));
                }
            }
        }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipSubjectName" attribute is the subject name of a membership change log entry. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipSubjectName"
    xsi:type="ad:Simple"
    sourceAttributeID="subjectName">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- Change log group member membership. -->

  <!-- The value of the "changeLogMembershipGroupMemberDn" attribute is a pso identifier whose ID is the ldap dn of the group 
    member of a membership change log entry. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipGroupMemberDn"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="${edu.internet2.middleware.psp.structure}"
    sourceAttributeID="changeLogMembershipGroupSubjectNameInStem"
    rdnAttributeName="cn"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <resolver:Dependency ref="changeLogMembershipGroupSubjectNameInStem" />
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipGroupSubjectNameInStem" attribute is the name of the group member of a membership 
    change log entry. The name of the group is returned only if the group is a child of the stem whose name is the edu.internet2.middleware.psp.baseStem 
    property. If the edu.internet2.middleware.psp.baseStem property is the root stem, groups under the "etc" stem are omitted. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipGroupSubjectNameInStem"
    xsi:type="grouper:FilteredName"
    sourceAttributeID="changeLogMembershipGroupSubjectName">
    <resolver:Dependency ref="changeLogMembershipGroupSubjectName" />
    <!-- The MINUS filter matches names which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:MINUS">
      <!-- The NameInStem filter matches names which are children of the given stem. -->
      <grouper:Filter
        xsi:type="grouper:NameInStem"
        name="${edu.internet2.middleware.psp.baseStem}"
        scope="SUB" />
      <grouper:Filter
        xsi:type="grouper:NameInStem"
        name="etc"
        scope="SUB" />
    </grouper:Filter>
  </resolver:AttributeDefinition>

  <!-- Change log member membership. -->

  <!-- The LDAP DN of a member. The value of this attribute is the "dn" of subjects whose source id is "ldap". -->
  <resolver:AttributeDefinition
    id="changeLogMembershipMemberDn"
    xsi:type="psp:PSOIdentifier"
    sourceAttributeID="changeLogMembershipLdapSubjectDn">
    <resolver:Dependency ref="changeLogMembershipLdapSubjectDn" />
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipLdapSubjectDn" attribute is the value of the "subjectdn" attribute for subjects 
    from the "ldap" source. The "subjectdn" attribute value is the "dn" of subjects from the "ldap" source. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipLdapSubjectDn"
    xsi:type="ad:Script">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <ad:Script><![CDATA[
        load("nashorn:mozilla_compat.js");
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        changeLogMembershipLdapSubjectDn = new BasicAttribute("changeLogMembershipLdapSubjectDn");
        if (typeof sourceId != "undefined" && sourceId != null ){
            if (sourceId.getValues().contains("ldap")) {
                if (typeof subjectdn != "undefined" && subjectdn != null ){
                    changeLogMembershipLdapSubjectDn.getValues().add(subjectdn.getValues().get(0));
                }
            }      
        }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

</AttributeResolver>

Attachment: signature.asc
Description: OpenPGP digital signature
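
The scoping filters and DN mapping that the comments in the resolver configuration above describe, modelled as an added JavaScript example (not part of the original message and not Grouper's own code), so the set of names that would reach LDAP can be checked before a bulk sync. Assumptions: the root stem is the empty string, scope "SUB" means a descendant at any depth, names under baseStem are mapped relative to it, and RDN values are escaped per RFC 4514; the helper names and sample names are constructed.

```javascript
// Added model of the resolver's scoping filters and DN mapping.
// Assumptions (not taken from Grouper's source): the root stem is "",
// scope="SUB" means "descendant at any depth", and a name under baseStem
// is mapped relative to it. All sample names are constructed.
const SEP = ":"; // separator between stem levels in a Grouper name

// NameInStem with scope SUB; the root stem contains every name.
const nameInStem = (stem) => (name) =>
  stem === "" ? name.length > 0 : name.startsWith(stem + SEP);
const nameExact = (wanted) => (name) => name === wanted;
const or = (a, b) => (name) => a(name) || b(name);
const minus = (a, b) => (name) => a(name) && !b(name);

// stemNameInStem: under baseStem, minus (the "etc" subtree OR "etc" itself).
const stemInScope = (baseStem) =>
  minus(nameInStem(baseStem), or(nameInStem("etc"), nameExact("etc")));
// groupNameInStem: under baseStem, minus the "etc" subtree.
const groupInScope = (baseStem) =>
  minus(nameInStem(baseStem), nameInStem("etc"));

// RFC 4514 escaping, so an extension containing "," or "+" cannot add or
// split RDNs in the resulting DN.
function escapeRdnValue(value) {
  return Array.from(value).map((c, i, all) => {
    if (c === "\0") return "\\00";
    if ('\\,+"<>;'.includes(c)) return "\\" + c;
    if (i === 0 && (c === " " || c === "#")) return "\\" + c;
    if (i === all.length - 1 && c === " ") return "\\ ";
    return c;
  }).join("");
}

// "bushy": one ou per parent stem, leaf as the RDN. "flat": whole name as RDN.
function toDn(name, { structure, rdnAttributeName, baseDn, baseStem }) {
  const relative =
    baseStem === "" ? name : name.slice(baseStem.length + SEP.length);
  if (structure === "flat") {
    return `${rdnAttributeName}=${escapeRdnValue(relative)},${baseDn}`;
  }
  const parents = relative.split(SEP);
  const leaf = parents.pop();
  const rdns = [`${rdnAttributeName}=${escapeRdnValue(leaf)}`];
  for (const stem of parents.reverse()) rdns.push(`ou=${escapeRdnValue(stem)}`);
  return rdns.concat(baseDn).join(",");
}

// DNs that would be provisioned for a list of stem or group names.
// Stems are always "bushy" with rdn "ou", as in the stemDn definition.
function plan(kind, names, cfg) {
  const isStem = kind === "stem";
  const inScope = isStem ? stemInScope(cfg.baseStem) : groupInScope(cfg.baseStem);
  return names.filter(inScope).map((name) =>
    toDn(name, {
      structure: isStem ? "bushy" : cfg.structure,
      rdnAttributeName: isStem ? "ou" : "cn",
      baseDn: cfg.baseDn,
      baseStem: cfg.baseStem,
    })
  );
}

// Constructed configuration: no baseStem set (root stem), bushy groups.
const SAMPLE_CFG = {
  baseStem: "",
  baseDn: "ou=groups,dc=example,dc=edu",
  structure: "bushy",
};
```
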



