
grouper-users - Re: [grouper-users] PSP update samAccountName

Subject: Grouper Users - Open Discussion List

  • From: David Langenberg <>
  • To: Andrew Morgan <>
  • Cc: Grouper Users <>
  • Subject: Re: [grouper-users] PSP update samAccountName
  • Date: Wed, 10 Jun 2015 09:11:20 -0600

Have you looked at:


For sAMAccountName config?  The PSO needs to reference both the DN and the ChangeLogDN resolvers (so that renames work off the changelog).  If you bulkSync, does the sAMAccountName change?  If so, then there's your problem (lack of the ChangeLogDN as an AlternateIdentifier on the PSO).

Dave

On Tue, Jun 9, 2015 at 7:30 PM, Andrew Morgan <> wrote:
I'm having trouble configuring the PSP to update the AD samAccountName attribute when a group's ID (name) is changed.  I'm building the samAccountName value on the fly using a script.  When I change a group's ID, the cn attribute is correctly updated.  However, the samAccountName is unchanged.

In psp.xml:

    <attribute
      name="samAccountName" />


In psp-resolver.xml:

  <resolver:AttributeDefinition
        id="samAccountName"
        xsi:type="ad:Script"
        sourceAttributeID="groupNameInStem">
        <resolver:Dependency ref="groupNameInStem" />
        <ad:Script><![CDATA[
                importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
                // Create the attribute to be returned.
                samAccountName = new BasicAttribute("samAccountName");
                tmp = new BasicAttribute("tmp");

                if(groupNameInStem.getValues().size() > 0){
                        // Strip the baseStem off the front
                        var regex = /^${edu.internet2.middleware.psp.baseStem}:/;
                        var tmp = new String(groupNameInStem.getValues().get(0));
                        var tmp2 = tmp.replace(regex, "");
                        samAccountName.getValues().add(tmp2.replace(/:/g,"_"));
                }
        ]]></ad:Script>
   </resolver:AttributeDefinition>


The log messages show no change in samAccountName being generated by the PSP.

I'm guessing I have something wrong with the resolver:Dependency refs, but I've been looking at these config files for so long.

Does anyone have a working config with the right dependencies?  The active directory example included with the PSP doesn't even have samAccountName in psp-resolver.xml!

I promise to document a working configuration when I'm done.  :)

Thanks,
        Andy



--
David Langenberg
Identity & Access Management Architect
The University of Chicago
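
The name mapping performed by the resolver script quoted above, as an added stand-alone JavaScript example (not code from either poster or from the Grouper project). It goes beyond the script by checking each result against the characters Active Directory rejects in sAMAccountName and by reporting distinct group names that collapse to the same value once ":" becomes "_". `BASE_STEM`, the function names and the sample group names are constructed for illustration.

```javascript
// Constructed sample values; a real deployment takes the base stem from
// the edu.internet2.middleware.psp.baseStem property used in the script.
const BASE_STEM = "app:ad";
const SAMPLE_GROUPS = [
  "app:ad:hr:payroll_admins",
  "app:ad:hr_payroll:admins", // different group, same mapped value
  "app:ad:it:ops",
  "app:ad:it:ops+oncall",     // "+" is not allowed in sAMAccountName
];

// Characters Active Directory does not accept in sAMAccountName.
const INVALID_SAM = /["\/\\\[\]:;|=,+*?<>]/;
const MAX_SAM_LENGTH = 256; // schema upper range of the attribute

// Strip "<baseStem>:" with a literal prefix test, so stem characters
// such as "." are never read as regex metacharacters, then replace the
// remaining ":" with "_" as the quoted script does.
function toSamAccountName(groupName, baseStem) {
  const prefix = baseStem + ":";
  const rest = groupName.startsWith(prefix)
    ? groupName.slice(prefix.length)
    : groupName;
  return rest.replace(/:/g, "_");
}

// Map every group and report (a) values AD would reject and (b) sets of
// distinct groups that end up with the same sAMAccountName.
function auditMapping(groupNames, baseStem) {
  const bySam = new Map();
  const invalid = [];
  for (const name of groupNames) {
    const sam = toSamAccountName(name, baseStem);
    if (sam.length === 0 || sam.length > MAX_SAM_LENGTH || INVALID_SAM.test(sam)) {
      invalid.push({ name, sam });
    }
    const key = sam.toLowerCase(); // AD matches the value case-insensitively
    if (!bySam.has(key)) bySam.set(key, []);
    bySam.get(key).push(name);
  }
  const collisions = [...bySam.values()].filter((names) => names.length > 1);
  return { invalid, collisions };
}
```

Running `auditMapping(SAMPLE_GROUPS, BASE_STEM)` before provisioning shows which groups would be rejected by AD or would compete for one account name.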


