grouper-users - Re: [grouper-users] PSP update samAccountName

  • From: Andrew Morgan <>
  • To: David Langenberg <>
  • Cc: Grouper Users <>
  • Subject: Re: [grouper-users] PSP update samAccountName
  • Date: Wed, 10 Jun 2015 16:38:32 -0700 (PDT)

On Wed, 10 Jun 2015, David Langenberg wrote:

> Have you looked at:
>
> https://github.com/Internet2/grouper-psp/blob/master/psp-example-grouper-to-active-directory/src/test/resources/psp.xml
>
> for sAMAccountName config? The PSO needs to reference both the DN and the
> ChangeLogDN resolvers (so that renames work off the changelog). If you
> bulkSync, does the sAMAccountName change? If so, then there's your problem
> (lack of the ChangeLogDN as an AlternateIdentifier on the PSO).

I do have both resolver references:

<!-- Provision a grouper group as an AD group. -->
<pso id="ADgroup"
     authoritative="true"
     allSourceIdentifiersRef="groupNames">

  <!-- The AD group DN. -->
  <identifier ref="ADgroupDn" targetId="activeDirectory"
              containerId="${edu.internet2.middleware.psp.ADgroupsBaseDn}" />

  <!-- Identifies AD group objects which exist on the target by objectClass attribute value. -->
  <identifyingAttribute name="objectClass"
                        value="${edu.internet2.middleware.psp.ADgroupObjectClass}" />

  <!-- The "old" AD group DN if a group has been renamed. -->
  <alternateIdentifier ref="ADgroupDnAlternate" />

  <!-- The "old" AD group DN calculated from group update change log events. -->
  <alternateIdentifier ref="ADgroupDnAlternateChangeLog" />

  <!-- The AD group "objectClass" attribute. -->
  <attribute name="objectClass" ref="ADgroupObjectClass" />

  <!-- The AD group "cn" attribute. -->
  <attribute name="cn" />

  <!-- The AD group "description" attribute. -->
  <attribute name="description" ref="groupDescription" />

  <!-- See http://ldapwiki.willeke.com/wiki/SamAccountName. -->
  <attribute name="samAccountName" ref="testsamAccountName" />

  <!-- The AD group "member" attribute. -->
  <references name="member" caseSensitive="false">
    <reference ref="membersLdap" toObject="ADmember" />
    <reference ref="membersGsa" toObject="group" />
  </references>
</pso>


The DN ("cn" attribute) is being correctly updated during bulksync and changelog operations.

The samAccountName is the complete group ID with path (for example "psp:osu:org:iam:folder1newid:andy10") with the colons replaced with underscores. The samAccountName is correctly updated during bulksync but not during changelog operations.

My "testsamAccountName" attribute definition:

<resolver:AttributeDefinition
    id="testsamAccountName"
    xsi:type="ad:Script"
    sourceAttributeID="name">
  <resolver:Dependency ref="GroupWithoutMembershipsDataConnector" />
  <resolver:Dependency ref="UpdateGroupNameChangeLogDataConnector" />
  <ad:Script><![CDATA[

importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

// Create the attribute to be returned.
testsamAccountName = new BasicAttribute("testsamAccountName");

if (name.getValues().size() > 0) {
  // Strip the baseStem (and its trailing colon) off the front of the group name.
  var regex = /^${edu.internet2.middleware.psp.baseStem}:/;
  var groupName = new String(name.getValues().get(0));
  var relativeName = groupName.replace(regex, "");

  // Replace the remaining stem separators with underscores; ":" is not allowed in a sAMAccountName.
  testsamAccountName.getValues().add(relativeName.replace(/:/g, "_"));
}
]]></ad:Script>
</resolver:AttributeDefinition>


Why are the DN and "cn" attribute updated, but the samAccountName attribute is not updated?

Andy
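The derivation in the script above (strip the baseStem, turn the remaining colons into underscores) is easy to get subtly wrong, so here is an added example, not code from the Grouper PSP project or from either poster, that models it in plain Node.js and adds the two checks a practitioner wants before a value like this is written to AD: the baseStem prefix is matched literally rather than as a regex pattern, and distinct group names that collapse to the same sAMAccountName are reported, since AD requires the value to be unique per domain. It also shows that a changelog rename has to yield both the old and the new value, one to locate the existing object and one to write. The baseStem, group names, rename event shape (propertyOldValue/propertyNewValue) and the list of characters AD rejects are assumptions for illustration.

```javascript
// Added example (not from the Grouper PSP project or the original post): a plain
// Node.js model of the samAccountName derivation performed by the Rhino script.
// BASE_STEM, the group names, the rename event shape and INVALID_SAM_CHARS below
// are constructed/assumed sample data, not values taken from the post.

const BASE_STEM = "psp:osu";

// Escape regex metacharacters so a stem such as "edu.example" is matched literally
// and cannot match "eduXexample" the way an unescaped "." would.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Characters assumed to be rejected by AD in a sAMAccountName: " / \ [ ] : ; | = , + * ? < >
const INVALID_SAM_CHARS = /["\/\\\[\]:;|=,+*?<>]/;

// Mirror of the script: strip "<baseStem>:" from the front, then turn ":" into "_",
// and refuse values AD would not accept instead of provisioning them.
function toSamAccountName(groupName, baseStem = BASE_STEM) {
  const prefix = new RegExp("^" + escapeRegex(baseStem) + ":");
  const sam = groupName.replace(prefix, "").replace(/:/g, "_");
  if (sam.length === 0 || sam.length > 256) {
    throw new Error(`sAMAccountName length out of range for ${groupName}`);
  }
  if (INVALID_SAM_CHARS.test(sam) || sam.endsWith(".")) {
    throw new Error(`invalid sAMAccountName characters in ${sam}`);
  }
  return sam;
}

// A rename carried by the change log needs both values: the old one to find the
// existing AD object, the new one to write to it.
function renameValues(event, baseStem = BASE_STEM) {
  return {
    oldSam: toSamAccountName(event.propertyOldValue, baseStem),
    newSam: toSamAccountName(event.propertyNewValue, baseStem),
  };
}

// Report group names that map to the same sAMAccountName, e.g. "a:b" and "a_b".
// Returns a list of [firstGroupName, collidingGroupName, sAMAccountName].
function findCollisions(groupNames, baseStem = BASE_STEM) {
  const seen = new Map();
  const collisions = [];
  for (const g of groupNames) {
    const sam = toSamAccountName(g, baseStem);
    if (seen.has(sam)) collisions.push([seen.get(sam), g, sam]);
    else seen.set(sam, g);
  }
  return collisions;
}

// Constructed rename event in the shape of a Grouper group-name change.
const sampleRename = {
  propertyOldValue: "psp:osu:org:iam:folder1:andy10",
  propertyNewValue: "psp:osu:org:iam:folder1newid:andy10",
};

console.log(toSamAccountName("psp:osu:org:iam:folder1newid:andy10"));
console.log(renameValues(sampleRename));
console.log(findCollisions(["psp:osu:a:b", "psp:osu:a_b", "psp:osu:c"]));
```

The collision check matters because the script's underscore substitution is not injective: once a colon and an underscore in the source name both become "_", two different Grouper groups can compete for one AD object, and the provisioner will silently overwrite or fail on whichever is processed second.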
