Grouper Users - Open Discussion List

[David Langenberg <>]

Yeah, that should work.  Try turning up the logging on edu.internet2.middleware.shibboleth and seeing if that script is firing during the update?

Dave

On Wed, Jun 10, 2015 at 5:38 PM, Andrew Morgan <> wrote:

On Wed, 10 Jun 2015, David Langenberg wrote:

Have you looked at:

https://github.com/Internet2/grouper-psp/blob/master/psp-example-grouper-to-active-directory/src/test/resources/psp.xml

For sAMAccountName config?  The PSO needs to reference both the DN and the
ChangeLogDN resolvers (so that renames work off the changelog).  If you
bulkSync does the sAMAccountName change?  If so, then there's your problem
(lack of the ChangeLogDN as an AlternateIdentifier on the PSO.

I do have both resolver references:

  <!-- Provision a grouper group as an AD group. -->
  <pso id="ADgroup"
    authoritative="true"
    allSourceIdentifiersRef="groupNames">

    <!-- The AD group DN. -->
    <identifier ref="ADgroupDn" targetId="activeDirectory"
      containerId="${edu.internet2.middleware.psp.ADgroupsBaseDn}" />

    <!-- Identifies AD group objects which exist on the target by objectClass attribute value. -->
    <identifyingAttribute name="objectClass"
      value="${edu.internet2.middleware.psp.ADgroupObjectClass}" />

    <!-- The "old" AD group DN if a group has been renamed. -->
    <alternateIdentifier ref="ADgroupDnAlternate" />

    <!-- The "old" AD group DN calculated from group update change log events. -->
    <alternateIdentifier ref="ADgroupDnAlternateChangeLog" />

    <!-- The AD group "objectClass" attribute. -->
    <attribute name="objectClass" ref="ADgroupObjectClass" />

    <!-- The AD group "cn" attribute. -->
    <attribute name="cn" />

    <!-- The AD group "description" attribute. -->
    <attribute name="description" ref="groupDescription" />

    <!-- See http://ldapwiki.willeke.com/wiki/SamAccountName. -->
    <attribute name="samAccountName" ref="testsamAccountName" />

    <!-- The AD group "member" attribute. -->
    <references name="member" caseSensitive="false">
      <reference ref="membersLdap" toObject="ADmember" />
      <reference ref="membersGsa" toObject="group" />
    </references>
  </pso>


The DN ("cn" attribute) is being correctly updated during bulksync and changelog operations.

The samAccountName is the complete group ID with path (for example "psp:osu:org:iam:folder1newid:andy10" with the colons replaced with underscores.  The samAccountName is correctly updated during bulksync but not during changelog operations.

My "testsamAccountName" attribute definition:

  <resolver:AttributeDefinition
    id="testsamAccountName"
    xsi:type="ad:Script"
    sourceAttributeID="name">
    <resolver:Dependency ref="GroupWithoutMembershipsDataConnector" />
    <resolver:Dependency ref="UpdateGroupNameChangeLogDataConnector" />
        <ad:Script><![CDATA[
                importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
                // Create the attribute to be returned.
                testsamAccountName = new BasicAttribute("testsamAccountName");
                tmp = new BasicAttribute("tmp");

                if (name.getValues().size() > 0) {
                        // Strip the baseStem off the front
                        var regex = /^${edu.internet2.middleware.psp.baseStem}:/;
                        var tmp = new String(name.getValues().get(0));
                        var tmp2 = tmp.replace(regex, "");
                        testsamAccountName.getValues().add(tmp2.replace(/:/g,"_"));
                }
        ]]></ad:Script>
  </resolver:AttributeDefinition>


Why are the DN and "cn" attribute updated, but the samAccountName attribute is not updated?

        Andy

--

David Langenberg

Identity & Access Management Architect

The University of Chicago