grouper-users - Re: [grouper-users] Grouper Filters not working as expected
Subject: Grouper Users - Open Discussion List
- From: Mark Cairney <>
- To:
- Subject: Re: [grouper-users] Grouper Filters not working as expected
- Date: Tue, 11 Nov 2014 13:09:00 +0000
Never mind, I think I've cracked it with some interesting (ab)use of
nested OR filters. I've attached my psp-resolver.xml config for
reference in case anyone can spot any glaring issues with what I've done.
On 11/11/14 10:57, Mark Cairney wrote:
> Hi,
>
> We're getting there with our PSP config however in order to tidy things
> up a bit I'm wanting to only export specified stems. Looking at the
> grouper wiki pages the grouper:Filter rules look to be the tool for the
> job so I've created config similar to:
>
> <resolver:DataConnector
>     id="GroupWithoutMermbershipsDataConnector"
>     xsi:type="grouper:GroupDataConnector">
>
>   <grouper:Filter xsi:type="grouper:OR">
>     <!-- The GroupInStem filter matches groups which are
>          children of the given stem. -->
>     <grouper:Filter
>         xsi:type="grouper:GroupInStem"
>         name="adhoc"
>         scope="SUB" />
>     <grouper:Filter
>         xsi:type="grouper:GroupInStem"
>         name="affiliations"
>         scope="SUB" />
>     <grouper:Filter
>         xsi:type="grouper:GroupInStem"
>         name="courses"
>         scope="SUB" />
>     <grouper:Filter
>         xsi:type="grouper:GroupInStem"
>         name="org"
>         scope="SUB" />
>     <grouper:Filter
>         xsi:type="grouper:GroupInStem"
>         name="pos"
>         scope="SUB" />
>   </grouper:Filter>
>
> </resolver:DataConnector>
>
>
> However when I run my bulkSync it errors out with:
>
> Caused by: org.xml.sax.SAXParseException; lineNumber: 45; columnNumber:
> 23; cvc-complex-type.2.4.d: Invalid content was found starting with
> element 'grouper:Filter'. No child element is expected at this point.
>
> Having re-checked the documentation it looks like Grouper filters are
> limited to 2 child elements.
>
> Removing the "grouper:OR" element and its corresponding
> </grouper:Filter> throws a different error:
>
> Caused by: org.xml.sax.SAXParseException; lineNumber: 39; columnNumber:
> 23; cvc-complex-type.2.4.a: Invalid content was found starting with
> element 'grouper:Filter'. One of
> '{"http://grouper.internet2.edu/shibboleth/2.0":Attribute}' is expected.
>
>
> Is it possible to have a filter match only specific named stems or will
> I have to construct some horrific nested "OR" filter to do what I want?
>
>
--
/****************************
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email:
PGP: 0x435A9621
*******************************/
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
    xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:grouper="http://grouper.internet2.edu/shibboleth/2.0"
    xmlns:psp="http://grouper.internet2.edu/psp"
    xmlns:psp-grouper-ldap="http://grouper.internet2.edu/psp-grouper-ldap"
    xmlns:psp-grouper-changelog="http://grouper.internet2.edu/psp-grouper-changelog"
    xmlns:psp-grouper-source="http://grouper.internet2.edu/psp-grouper-source"
    xsi:schemaLocation="
        urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
        urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
        urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
        http://grouper.internet2.edu/shibboleth/2.0 classpath:/schema/shibboleth-2.0-grouper.xsd
        http://grouper.internet2.edu/psp classpath:/schema/psp.xsd
        http://grouper.internet2.edu/psp-grouper-ldap classpath:/schema/psp-grouper-ldap.xsd
        http://grouper.internet2.edu/psp-grouper-changelog classpath:/schema/psp-grouper-changelog.xsd
        http://grouper.internet2.edu/psp-grouper-source classpath:/schema/psp-grouper-source.xsd">

  <!-- Grouper data connectors. -->

  <!-- The GroupDataConnector returns attributes representing the group whose name is the
       principal name. The returned group must be a child of the stem whose name is the
       edu.internet2.middleware.psp.baseStem property. Groups under the "etc" stem are omitted. -->
  <resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:OR">
      <grouper:Filter xsi:type="grouper:GroupInStem" name="adhoc" scope="SUB" />
      <grouper:Filter xsi:type="grouper:OR">
        <grouper:Filter xsi:type="grouper:GroupInStem" name="affiliations" scope="SUB" />
        <grouper:Filter xsi:type="grouper:OR">
          <grouper:Filter xsi:type="grouper:GroupInStem" name="courses" scope="SUB" />
          <grouper:Filter xsi:type="grouper:OR">
            <grouper:Filter xsi:type="grouper:GroupInStem" name="org" scope="SUB" />
            <grouper:Filter xsi:type="grouper:GroupInStem" name="pos" scope="SUB" />
          </grouper:Filter>
        </grouper:Filter>
      </grouper:Filter>
    </grouper:Filter>
    <!-- The "members" attribute values are equivalent to group.getMembers(). -->
    <grouper:Attribute id="members" />
    <!-- The "groups" attribute values are equivalent to group.getGroups(). -->
    <grouper:Attribute id="groups" />
  </resolver:DataConnector>

  <!-- The GroupWithoutMermbershipsDataConnector returns attributes representing the group whose
       name is the principal name. The returned group must be a child of the stem whose name is
       the edu.internet2.middleware.psp.baseStem property. Groups under the "etc" stem are
       omitted. No memberships (groups or members) should be returned by this data connector to
       improve performance of identifier resolution. -->
  <resolver:DataConnector id="GroupWithoutMermbershipsDataConnector" xsi:type="grouper:GroupDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:OR">
      <grouper:Filter xsi:type="grouper:GroupInStem" name="adhoc" scope="SUB" />
      <grouper:Filter xsi:type="grouper:OR">
        <grouper:Filter xsi:type="grouper:GroupInStem" name="affiliations" scope="SUB" />
        <grouper:Filter xsi:type="grouper:OR">
          <grouper:Filter xsi:type="grouper:GroupInStem" name="courses" scope="SUB" />
          <grouper:Filter xsi:type="grouper:OR">
            <grouper:Filter xsi:type="grouper:GroupInStem" name="org" scope="SUB" />
            <grouper:Filter xsi:type="grouper:GroupInStem" name="pos" scope="SUB" />
          </grouper:Filter>
        </grouper:Filter>
      </grouper:Filter>
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The StemDataConnector returns attributes representing the stem whose name is the principal
       name. The returned stem must be a child of the stem whose name is the
       edu.internet2.middleware.psp.baseStem property. The "etc" stem and all children are
       omitted. -->
  <resolver:DataConnector id="StemDataConnector" xsi:type="grouper:StemDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <!-- Comment out base stem
    <grouper:Filter xsi:type="grouper:StemInStem" name="${edu.internet2.middleware.psp.baseStem}" scope="SUB" />
    -->
    <!-- The StemNameExact filter matches stems with the given name. -->
    <grouper:Filter xsi:type="grouper:OR">
      <grouper:Filter xsi:type="grouper:StemNameExact" name="adhoc" />
      <grouper:Filter xsi:type="grouper:OR">
        <grouper:Filter xsi:type="grouper:StemNameExact" name="affiliations" />
        <grouper:Filter xsi:type="grouper:OR">
          <grouper:Filter xsi:type="grouper:StemNameExact" name="course" />
          <grouper:Filter xsi:type="grouper:OR">
            <grouper:Filter xsi:type="grouper:StemNameExact" name="org" />
            <grouper:Filter xsi:type="grouper:StemNameExact" name="pos" />
          </grouper:Filter>
        </grouper:Filter>
      </grouper:Filter>
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The MemberDataConnector returns attributes representing the member whose subject id or
       identifier is the principal name. -->
  <resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
    <grouper:Filter xsi:type="grouper:MemberSource" sourceId="sourceId" />
    <grouper:Attribute id="id" source="sourceId" />
  </resolver:DataConnector>

  <resolver:DataConnector
      id="LDAPMemberPersonLookup"
      xsi:type="dc:LDAPDirectory"
      ldapURL="${edu.vt.middleware.ldap.ldapUrl}"
      baseDN="${edu.internet2.middleware.psp.peopleBaseDn}"
      principal="${edu.vt.middleware.ldap.bindDn}"
      principalCredential="${edu.vt.middleware.ldap.bindCredential}"
      maxResultSize="1">
    <dc:FilterTemplate>
      <![CDATA[ (&(eduniIdmsID=${requestContext.principalName})(objectclass=person)) ]]>
    </dc:FilterTemplate>
  </resolver:DataConnector>

  <!--<resolver:DataConnector
      id="MemberDataConnector"
      xsi:type="dc:LDAPDirectory"
      ldapUrl="${edu.vt.middleware.ldap.ldapUrl}"
      baseDN="${edu.internet2.middleware.psp.peopleBaseDn}"
      principidal="${edu.vt.middleware.ldap.bindDn}"
      principalCredential="${edu.vt.middleware.ldap.bindCredential}"
      lowerCaseAttributeNames="true">
  </resolver:DataConnector>-->

  <!-- Returns a single "groupNames" attribute whose values are the names of all groups matching
       the filter. The groups returned are children of the stem whose name is the
       edu.internet2.middleware.psp.baseStem property. Groups under the "etc" stem are omitted. -->
  <resolver:DataConnector id="AllGroupNamesConnector" xsi:type="psp-grouper-source:AllGroupNamesDataConnector">
    <grouper:Filter xsi:type="grouper:OR">
      <grouper:Filter xsi:type="grouper:GroupInStem" name="adhoc" scope="SUB" />
      <grouper:Filter xsi:type="grouper:OR">
        <grouper:Filter xsi:type="grouper:GroupInStem" name="affiliations" scope="SUB" />
        <grouper:Filter xsi:type="grouper:OR">
          <grouper:Filter xsi:type="grouper:GroupInStem" name="courses" scope="SUB" />
          <grouper:Filter xsi:type="grouper:OR">
            <grouper:Filter xsi:type="grouper:GroupInStem" name="org" scope="SUB" />
            <grouper:Filter xsi:type="grouper:GroupInStem" name="pos" scope="SUB" />
          </grouper:Filter>
        </grouper:Filter>
      </grouper:Filter>
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The names of all groups matching the data connector filter. -->
  <resolver:AttributeDefinition id="groupNames" xsi:type="ad:Simple">
    <resolver:Dependency ref="AllGroupNamesConnector" />
  </resolver:AttributeDefinition>

  <!-- Returns a single "stemNames" attribute whose values are the names of all stems matching
       the filter. The stems returned are children of the stem whose name is the
       edu.internet2.middleware.psp.baseStem property. The "etc" stem and all children are
       omitted. -->
  <resolver:DataConnector id="AllStemNamesConnector" xsi:type="psp-grouper-source:AllStemNamesDataConnector">
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <!-- The StemInStem filter matches stems which are children of the given stem. -->
    <!-- Comment out base stem
    <grouper:Filter xsi:type="grouper:StemInStem" name="${edu.internet2.middleware.psp.baseStem}" scope="SUB" />
    -->
    <!-- The StemNameExact filter matches stems with the given name. -->
    <grouper:Filter xsi:type="grouper:OR">
      <grouper:Filter xsi:type="grouper:StemNameExact" name="adhoc" />
      <grouper:Filter xsi:type="grouper:OR">
        <grouper:Filter xsi:type="grouper:StemNameExact" name="affiliations" />
        <grouper:Filter xsi:type="grouper:OR">
          <grouper:Filter xsi:type="grouper:StemNameExact" name="course" />
          <grouper:Filter xsi:type="grouper:OR">
            <grouper:Filter xsi:type="grouper:StemNameExact" name="org" />
            <grouper:Filter xsi:type="grouper:StemNameExact" name="pos" />
          </grouper:Filter>
        </grouper:Filter>
      </grouper:Filter>
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- The names of all stems matching the data connector filter. -->
  <resolver:AttributeDefinition id="stemNames" xsi:type="ad:Simple">
    <resolver:Dependency ref="AllStemNamesConnector" />
  </resolver:AttributeDefinition>

  <!-- ChangeLogDataConnectors return attributes representing the change log entry whose
       sequence number is the principal name. -->

  <!-- Returns change log attributes representing the deletion of a stem. -->
  <resolver:DataConnector id="DeleteStemChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="stem" action="deleteStem" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the changing of a stem's name. -->
  <resolver:DataConnector id="UpdateStemNameChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
      <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="stem" action="updateStem" />
      <!-- The ChangeLogExactAttribute filter matches change log entries with the given attribute and value. -->
      <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogExactAttribute" name="propertyChanged" value="name" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the changing of a stem's description. -->
  <resolver:DataConnector id="UpdateStemDescriptionChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
      <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="stem" action="updateStem" />
      <!-- The ChangeLogExactAttribute filter matches change log entries with the given attribute and value. -->
      <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogExactAttribute" name="propertyChanged" value="description" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the deletion of a group. -->
  <resolver:DataConnector id="DeleteGroupChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="group" action="deleteGroup" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the changing of a group's name. -->
  <resolver:DataConnector id="UpdateGroupNameChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
      <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="group" action="updateGroup" />
      <!-- The ChangeLogExactAttribute filter matches change log entries with the given attribute and value. -->
      <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogExactAttribute" name="propertyChanged" value="name" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing the changing of a group's description. -->
  <resolver:DataConnector id="UpdateGroupDescriptionChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
      <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="group" action="updateGroup" />
      <!-- The ChangeLogExactAttribute filter matches change log entries with the given attribute and value. -->
      <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogExactAttribute" name="propertyChanged" value="description" />
    </grouper:Filter>
  </resolver:DataConnector>

  <!-- Returns change log attributes representing a membership addition. -->
  <resolver:DataConnector id="AddMembershipChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="membership" action="addMembership" />
  </resolver:DataConnector>

  <!-- Returns change log attributes representing a membership deletion. -->
  <resolver:DataConnector id="DeleteMembershipChangeLogDataConnector" xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="membership" action="deleteMembership" />
  </resolver:DataConnector>

  <!-- Static data connector. -->
  <resolver:DataConnector id="StaticDataConnector" xsi:type="dc:Static">
    <!-- Group LDAP objectclass. -->
    <dc:Attribute id="staticGroupObjectclass">
      <dc:Value>top</dc:Value>
      <dc:Value>${edu.internet2.middleware.psp.groupObjectClass}</dc:Value>
      <dc:Value>posixGroup</dc:Value>
      <!-- <dc:Value>eduMember</dc:Value> -->
    </dc:Attribute>
    <!-- Stem LDAP objectclass. -->
    <dc:Attribute id="staticStemObjectclass">
      <dc:Value>top</dc:Value>
      <dc:Value>organizationalUnit</dc:Value>
    </dc:Attribute>
    <!-- The member LDAP eduMember objectclass. -->
    <dc:Attribute id="memberObjectclass">
      <dc:Value>eduMember</dc:Value>
    </dc:Attribute>
  </resolver:DataConnector>

  <!-- Stem identifier and attributes. -->

  <!-- The LDAP DN of a stem. For example, "ou=stemExtension,ou=groups,dc=example,dc=edu". -->
  <resolver:AttributeDefinition
      id="stemDn"
      xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
      structure="bushy"
      sourceAttributeID="stemNameInStem"
      rdnAttributeName="ou"
      stemRdnAttributeName="ou"
      baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
      baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependencies which return a "stemNameInStem" attribute whose value is the stem name. -->
    <resolver:Dependency ref="stemNameInStem" />
  </resolver:AttributeDefinition>

  <!-- The value of the "stemNameInStem" attribute is the name of a stem. The name of the stem is
       returned only if the stem is a child of the stem whose name is the
       edu.internet2.middleware.psp.baseStem property. If the
       edu.internet2.middleware.psp.baseStem property is the root stem, stems under the "etc"
       stem are omitted. -->
  <resolver:AttributeDefinition id="stemNameInStem" xsi:type="grouper:FilteredName" sourceAttributeID="name">
    <!-- Dependencies which return a "name" attribute whose value is the stem name. -->
    <resolver:Dependency ref="StemDataConnector" />
    <resolver:Dependency ref="DeleteStemChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateStemNameChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateStemDescriptionChangeLogDataConnector" />
    <!-- The MINUS filter matches names which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:OR">
      <grouper:Filter xsi:type="grouper:OR">
        <grouper:Filter xsi:type="grouper:NameInStem" name="adhoc" scope="SUB" />
        <grouper:Filter xsi:type="grouper:OR">
          <grouper:Filter xsi:type="grouper:NameInStem" name="affiliations" scope="SUB" />
          <grouper:Filter xsi:type="grouper:OR">
            <grouper:Filter xsi:type="grouper:NameInStem" name="courses" scope="SUB" />
            <grouper:Filter xsi:type="grouper:OR">
              <grouper:Filter xsi:type="grouper:NameInStem" name="org" scope="SUB" />
              <grouper:Filter xsi:type="grouper:NameInStem" name="pos" scope="SUB" />
            </grouper:Filter>
          </grouper:Filter>
        </grouper:Filter>
      </grouper:Filter>
      <!-- The NameExact filter matches names with the given name. -->
      <grouper:Filter xsi:type="grouper:OR">
        <grouper:Filter xsi:type="grouper:NameExact" name="adhoc" />
        <grouper:Filter xsi:type="grouper:OR">
          <grouper:Filter xsi:type="grouper:NameExact" name="affiliations" />
          <grouper:Filter xsi:type="grouper:OR">
            <grouper:Filter xsi:type="grouper:NameExact" name="courses" />
            <grouper:Filter xsi:type="grouper:OR">
              <grouper:Filter xsi:type="grouper:NameExact" name="org" />
              <grouper:Filter xsi:type="grouper:NameExact" name="pos" />
            </grouper:Filter>
          </grouper:Filter>
        </grouper:Filter>
      </grouper:Filter>
    </grouper:Filter>
    <!-- StemName and StemExact OR filter terminated -->
  </resolver:AttributeDefinition>

  <!-- The alternate LDAP DN of a stem via the change log. For example, the DN of a stem before
       it is renamed. -->
  <resolver:AttributeDefinition
      id="stemDnAlternateChangeLog"
      xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
      structure="bushy"
      sourceAttributeID="propertyOldValue"
      rdnAttributeName="ou"
      stemRdnAttributeName="ou"
      baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
      baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependency which returns a "propertyOldValue" attribute whose value is the old stem name. -->
    <resolver:Dependency ref="UpdateStemNameChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The stem objectclass attribute. If a change log entry is resolved, do not return
       dependencies from the static data connector. -->
  <resolver:AttributeDefinition id="stemObjectclass" xsi:type="ad:Script" language="rhino-nonjdk">
    <resolver:Dependency ref="StaticDataConnector" />
    <resolver:Dependency ref="UpdateStemNameChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateStemDescriptionChangeLogDataConnector" />
    <!-- <resolver:Dependency ref="AttributeAssignValueChangeLogDataConnector" /> -->
    <ad:Script><![CDATA[
      // Import Shibboleth attribute provider.
      // load("nashorn:mozilla_compat.js");
      importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
      // BasicAttribute = Java.type("edu.internet2.middleware.shibboleth.common.attribute.provider");

      // Create the attribute to be returned.
      stemObjectclass = new BasicAttribute("stemObjectclass");

      // Include values from 'staticStemObjectclass' if a change log entry is not being processed.
      if (typeof changeLogCategory != "undefined" && changeLogCategory != null) {
          // return nothing
      } else {
          stemObjectclass.getValues().addAll(staticStemObjectclass.getValues());
      }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

  <!-- The value of stem "stemOu" attribute is the stem extension. -->
  <resolver:AttributeDefinition id="stemOu" xsi:type="ad:Simple" sourceAttributeID="extension">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of the stem "description" attribute is the stem description. -->
  <resolver:AttributeDefinition id="stemDescription" xsi:type="ad:Simple" sourceAttributeID="description">
    <resolver:Dependency ref="StemDataConnector" />
    <resolver:Dependency ref="UpdateStemDescriptionChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- Group identifier and attributes. -->

  <!-- The LDAP DN of a group. For example, "cn=groupExtension,ou=stem,ou=groups,dc=example,dc=edu". -->
  <resolver:AttributeDefinition
      id="groupDn"
      xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
      structure="${edu.internet2.middleware.psp.structure}"
      sourceAttributeID="groupNameInStem"
      rdnAttributeName="cn"
      stemRdnAttributeName="ou"
      baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
      baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependencies which return a "groupNameInStem" attribute whose value is the group name. -->
    <resolver:Dependency ref="groupNameInStem" />
  </resolver:AttributeDefinition>

  <!-- The value of the "groupNameInStem" attribute is the name of a group. The name of the group
       is returned only if the group is a child of the stem whose name is the
       edu.internet2.middleware.psp.baseStem property. If the
       edu.internet2.middleware.psp.baseStem property is the root stem, groups under the "etc"
       stem are omitted. -->
  <resolver:AttributeDefinition id="groupNameInStem" xsi:type="grouper:FilteredName" sourceAttributeID="name">
    <!-- Dependencies which return a "name" attribute whose value is the group name. -->
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
    <resolver:Dependency ref="DeleteGroupChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateGroupNameChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateGroupDescriptionChangeLogDataConnector" />
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:OR">
      <grouper:Filter xsi:type="grouper:NameInStem" name="adhoc" scope="SUB" />
      <grouper:Filter xsi:type="grouper:OR">
        <grouper:Filter xsi:type="grouper:NameInStem" name="affiliations" scope="SUB" />
        <grouper:Filter xsi:type="grouper:OR">
          <grouper:Filter xsi:type="grouper:NameInStem" name="courses" scope="SUB" />
          <grouper:Filter xsi:type="grouper:OR">
            <grouper:Filter xsi:type="grouper:NameInStem" name="org" scope="SUB" />
            <grouper:Filter xsi:type="grouper:NameInStem" name="pos" scope="SUB" />
          </grouper:Filter>
        </grouper:Filter>
      </grouper:Filter>
    </grouper:Filter>
  </resolver:AttributeDefinition>

  <!-- The alternate LDAP DN of a group. For example, the DN of a group before it is renamed. -->
  <resolver:AttributeDefinition
      id="groupDnAlternate"
      xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
      structure="${edu.internet2.middleware.psp.structure}"
      sourceAttributeID="alternateName"
      rdnAttributeName="cn"
      stemRdnAttributeName="ou"
      baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
      baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependency which returns an "alternateName" attribute whose value is the old group name. -->
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The alternate LDAP DN of a group via the change log. For example, the DN of a group before
       it is renamed. -->
  <resolver:AttributeDefinition
      id="groupDnAlternateChangeLog"
      xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
      structure="${edu.internet2.middleware.psp.structure}"
      sourceAttributeID="propertyOldValue"
      rdnAttributeName="cn"
      stemRdnAttributeName="ou"
      baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
      baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependency which returns a "propertyOldValue" attribute whose value is the old group name. -->
    <resolver:Dependency ref="UpdateGroupNameChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The group objectclass attribute. If a change log entry is resolved, do not return
       dependencies from the static data connector unless the change log entry is a membership
       change. -->
  <resolver:AttributeDefinition id="groupObjectclass" xsi:type="ad:Script" language="rhino-nonjdk">
    <resolver:Dependency ref="StaticDataConnector" />
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateGroupNameChangeLogDataConnector" />
    <resolver:Dependency ref="UpdateGroupDescriptionChangeLogDataConnector" />
    <!-- <resolver:Dependency ref="AttributeAssignValueChangeLogDataConnector" /> -->
    <ad:Script><![CDATA[
      // Import Shibboleth attribute provider.
      //load("nashorn:mozilla_compat.js");
      importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
      //BasicAttribute = Java.type("edu.internet2.middleware.shibboleth.common.attribute.provider");

      // Create the attribute to be returned.
      groupObjectclass = new BasicAttribute("groupObjectclass");

      // Include values from 'staticGroupObjectClass' if the change log category is 'membership'.
      if (typeof changeLogCategory != "undefined" && changeLogCategory != null) {
          if (changeLogCategory.getValues().contains("membership")) {
              groupObjectclass.getValues().addAll(staticGroupObjectclass.getValues());
          }
      // Include values from 'staticGroupObjectClass' if a change log entry is not being processed.
      } else {
          groupObjectclass.getValues().addAll(staticGroupObjectclass.getValues());
      }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

  <!-- The group objectclass attribute with eduMember. -->
  <resolver:AttributeDefinition id="groupObjectclassEduMember" xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of the group "cn" attribute is the group extension. -->
  <!-- If the group DN structure is "bushy" the sourceAttributeID should be "extension". -->
  <!-- If the group DN structure is "flat" the sourceAttributeID should be "name". -->
  <resolver:AttributeDefinition id="cn" xsi:type="ad:Simple" sourceAttributeID="${edu.internet2.middleware.psp.cnSourceAttributeID}">
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of the group "description" attribute is the group description. -->
  <resolver:AttributeDefinition id="groupDescription" xsi:type="ad:Simple" sourceAttributeID="description">
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
    <resolver:Dependency ref="UpdateGroupDescriptionChangeLogDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The value of the group "gidNumber" attribute is the group gid (UNIX gid). -->
  <resolver:AttributeDefinition id="groupgidNumber" xsi:type="ad:Simple" sourceAttributeID="gid">
    <resolver:Dependency ref="GroupWithoutMermbershipsDataConnector" />
  </resolver:AttributeDefinition>

  <!-- The values of the "membersLdap" attribute are the subject ids of group members from the
       "ldap" source. -->
  <resolver:AttributeDefinition id="membersLdap" xsi:type="grouper:Member" sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <!-- The values of the "id" attribute are the identifiers of subjects whose source id is "ldap". -->
    <grouper:Attribute id="id" source="sourceId" />
  </resolver:AttributeDefinition>

  <!-- The values of the "membersGsa" attribute are the names of group members which are grouper
       groups. -->
  <resolver:AttributeDefinition id="membersGsa" xsi:type="grouper:Member" sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <!-- The values of the "name" attribute are the names of groups whose source is "g:gsa". -->
    <grouper:Attribute id="name" source="g:gsa" />
  </resolver:AttributeDefinition>

  <!-- Member identifier. -->

  <!-- The LDAP DN of a member. The value of this attribute is the "dn" of subjects whose source
       id is "ldap".
  <resolver:AttributeDefinition id="memberDn" xsi:type="grouper:Member" sourceAttributeID="members">
    <resolver:Dependency ref="MemberDataConnector" />
    <grouper:Attribute id="id" source="sourceId"/>
  </resolver:AttributeDefinition>
  -->
  <resolver:AttributeDefinition id="memberDn" xsi:type="psp:PSOIdentifier" sourceAttributeID="entryDN">
    <resolver:Dependency ref="LDAPMemberPersonLookup" />
  </resolver:AttributeDefinition>

  <!-- Change log group membership. -->

  <!-- The value of the "changeLogMembershipGroupDn" attribute is a pso identifier whose ID is
       the ldap DN of the group of a membership change log entry. -->
  <resolver:AttributeDefinition
      id="changeLogMembershipGroupDn"
      xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
      structure="${edu.internet2.middleware.psp.structure}"
      sourceAttributeID="changeLogMembershipGroupName"
      rdnAttributeName="cn"
      stemRdnAttributeName="ou"
      baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
      baseStem="${edu.internet2.middleware.psp.baseStem}">
    <resolver:Dependency ref="changeLogMembershipGroupName" />
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipGroupName" attribute is the name of the group of a
       membership change log entry. The name of the group is returned only if the group is a
       child of the stem whose name is the edu.internet2.middleware.psp.baseStem property. If
       the edu.internet2.middleware.psp.baseStem property is the root stem, groups under the
       "etc" stem are omitted. -->
  <resolver:AttributeDefinition id="changeLogMembershipGroupName" xsi:type="grouper:FilteredName" sourceAttributeID="groupName">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->
    <grouper:Filter xsi:type="grouper:OR">
      <grouper:Filter xsi:type="grouper:NameInStem" name="adhoc" scope="SUB" />
      <grouper:Filter xsi:type="grouper:OR">
        <grouper:Filter xsi:type="grouper:NameInStem" name="affiliations" scope="SUB" />
        <grouper:Filter xsi:type="grouper:OR">
          <grouper:Filter xsi:type="grouper:NameInStem" name="courses" scope="SUB" />
          <grouper:Filter xsi:type="grouper:OR">
            <grouper:Filter xsi:type="grouper:NameInStem" name="org" scope="SUB" />
            <grouper:Filter xsi:type="grouper:NameInStem" name="pos" scope="SUB" />
          </grouper:Filter>
        </grouper:Filter>
      </grouper:Filter>
    </grouper:Filter>
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipGroupSubjectName" attribute is the name of the group
       member of a membership change log entry. -->
  <resolver:AttributeDefinition id="changeLogMembershipGroupSubjectName" xsi:type="ad:Script" language="rhino-nonjdk">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <ad:Script><![CDATA[
      // Import Shibboleth attribute provider.
      //load("nashorn:mozilla_compat.js");
      importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
      // BasicAttribute = Java.type("edu.internet2.middleware.shibboleth.common.attribute.provider");

      // Create the attribute to be returned.
      changeLogMembershipGroupSubjectName = new BasicAttribute("changeLogMembershipGroupSubjectName");

      // Return 'subjectName' attribute values if the 'sourceId' attribute is 'g:gsa'.
      if (typeof sourceId != "undefined" && sourceId != null ){
          if (sourceId.getValues().contains("g:gsa")) {
              if (typeof subjectName != "undefined" && subjectName != null ){
                  changeLogMembershipGroupSubjectName.getValues().add(subjectName.getValues().get(0));
              }
          }
      }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogMembershipLdapSubjectId" attribute is the subject identifier of
       the "ldap" source member of a membership change log entry. -->
  <resolver:AttributeDefinition id="changeLogMembershipLdapSubjectId" xsi:type="ad:Script" language="rhino-nonjdk">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <ad:Script><![CDATA[
      // Import Shibboleth attribute provider.
      // load("nashorn:mozilla_compat.js");
      importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
      // BasicAttribute = Java.type("edu.internet2.middleware.shibboleth.common.attribute.provider");

      // Create the attribute to be returned.
      changeLogMembershipLdapSubjectId = new BasicAttribute("changeLogMembershipLdapSubjectId");

      // Return 'subjectId' attribute values if the 'sourceId' attribute is 'ldap'.
      if (typeof sourceId != "undefined" && sourceId != null ){
          // if (sourceId.getValues().contains("ldap")) {
          // Our sourceId is "sourceId"
          if (sourceId.getValues().contains("sourceId")) {
              if (typeof subjectId != "undefined" && subjectId != null ){
                  changeLogMembershipLdapSubjectId.getValues().add(subjectId.getValues().get(0));
              }
          }
      }
    ]]></ad:Script>
  </resolver:AttributeDefinition>

</AttributeResolver>
Attachment:
signature.asc
Description: OpenPGP digital signature
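The two-child limit and the nested-OR workaround from this thread, as an added example that is not part of the original messages or of Grouper: a Python check that flags composite filters with more than two children, builds the right-nested OR from a list of stems, and reports connectors whose stem names differ from the intended export list (the attachment uses `course` in its StemNameExact filters and `courses` elsewhere). The two-child limit is taken from the thread; the sample XML, the ids `FlatConnector` and `StemConnector`, and all function names are constructed for illustration.

```python
# Added example, not from the thread or the Grouper project.
import xml.etree.ElementTree as ET

GROUPER_NS = "http://grouper.internet2.edu/shibboleth/2.0"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("grouper", GROUPER_NS)
ET.register_namespace("xsi", XSI_NS)
FILTER = f"{{{GROUPER_NS}}}Filter"
XSI_TYPE = f"{{{XSI_NS}}}type"

# Assumption taken from the thread: composite filters accept two child filters.
COMPOSITES = {"grouper:OR", "grouper:AND", "grouper:MINUS"}
MAX_CHILDREN = 2
# Leaf filter types that select stems by name (all appear in the attachment).
STEM_LEAVES = {"grouper:GroupInStem", "grouper:StemInStem", "grouper:NameInStem",
               "grouper:StemNameExact", "grouper:NameExact"}
STEMS = ["adhoc", "affiliations", "courses", "org", "pos"]  # intended export list

# Constructed sample: a flat five-child OR (the form the schema rejected) and a
# connector whose stem names have drifted from the intended list.
SAMPLE = """<AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:grouper="http://grouper.internet2.edu/shibboleth/2.0">
  <resolver:DataConnector id="FlatConnector" xsi:type="grouper:GroupDataConnector">
    <grouper:Filter xsi:type="grouper:OR">
      <grouper:Filter xsi:type="grouper:GroupInStem" name="adhoc" scope="SUB" />
      <grouper:Filter xsi:type="grouper:GroupInStem" name="affiliations" scope="SUB" />
      <grouper:Filter xsi:type="grouper:GroupInStem" name="courses" scope="SUB" />
      <grouper:Filter xsi:type="grouper:GroupInStem" name="org" scope="SUB" />
      <grouper:Filter xsi:type="grouper:GroupInStem" name="pos" scope="SUB" />
    </grouper:Filter>
  </resolver:DataConnector>
  <resolver:DataConnector id="StemConnector" xsi:type="grouper:StemDataConnector">
    <grouper:Filter xsi:type="grouper:OR">
      <grouper:Filter xsi:type="grouper:StemNameExact" name="org" />
      <grouper:Filter xsi:type="grouper:StemNameExact" name="course" />
    </grouper:Filter>
  </resolver:DataConnector>
</AttributeResolver>"""


def nested_or(leaf_type, names, scope=None):
    """Fold stem names into right-nested grouper:OR filters, two children each."""
    def leaf(name):
        el = ET.Element(FILTER, {XSI_TYPE: leaf_type, "name": name})
        if scope:
            el.set("scope", scope)
        return el
    if not names:
        raise ValueError("need at least one stem name")
    node = leaf(names[-1])
    for name in reversed(names[:-1]):
        parent = ET.Element(FILTER, {XSI_TYPE: "grouper:OR"})
        parent.extend([leaf(name), node])
        node = parent
    return node


def filters_by_owner(root):
    """Yield (owner id, every grouper:Filter nested under that owner)."""
    for owner in root.iter():
        if owner.get("id") and owner.tag != FILTER:
            found = [f for top in owner.findall(FILTER) for f in top.iter(FILTER)]
            if found:
                yield owner.get("id"), found


def oversized_composites(root):
    """Return (owner id, filter type, child count) for composites over the limit."""
    return [(oid, f.get(XSI_TYPE), len(f.findall(FILTER)))
            for oid, filters in filters_by_owner(root) for f in filters
            if f.get(XSI_TYPE) in COMPOSITES and len(f.findall(FILTER)) > MAX_CHILDREN]


def scope_drift(root, expected):
    """Return owners whose selected stems differ from the intended export list."""
    want, drift = set(expected), {}
    for oid, filters in filters_by_owner(root):
        got = {f.get("name") for f in filters if f.get(XSI_TYPE) in STEM_LEAVES}
        if got and got != want:
            drift[oid] = {"missing": sorted(want - got), "unexpected": sorted(got - want)}
    return drift


def lint(xml_text, expected):
    """Run both checks on a resolver document given as a string."""
    root = ET.fromstring(xml_text)
    return oversized_composites(root), scope_drift(root, expected)


if __name__ == "__main__":
    print(lint(SAMPLE, STEMS))
    print(ET.tostring(nested_or("grouper:GroupInStem", STEMS, "SUB"), encoding="unicode"))
```

Running a check like this before a bulkSync catches both the schema error quoted above and a connector that would silently provision a different set of stems than the others.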