Skip to Content.
Sympa Menu

grouper-users - [grouper-users] Selective provisioning (via attribute) of group info into LDAP

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] Selective provisioning (via attribute) of group info into LDAP


Chronological Thread 
  • From: "Peter St. Onge" <>
  • To: "" <>
  • Subject: [grouper-users] Selective provisioning (via attribute) of group info into LDAP
  • Date: Tue, 17 Nov 2015 19:43:13 -0500

Hello,

I'm trying to tie an attribute to a group (let's call it UTLDAP) and have that attribute be used by the PSP to decide whether or not it should be provisioned to LDAP

I'm trying to follow the progression in this exchange:

https://lists.internet2.edu/sympa/arc/grouper-users/2013-06/msg00055.html

I can successfully run gsh to compute a bulkCalc of our (relatively small) set of groups, but there is a desire to ensure that we only provision the groups that we really need to expose to LDAP. It looks so far like both the 'UTLDAP' groups (groups that have the 'UTLDAP' set) provisioned and those that don't have it set are being provisioned.

Our attributes are defined in etc:attribute and in the New UI I have:

etc:attribute:UTLDAPAttributeDef (one big gear)
etc:attribute:UTLDAP (one big gear and two small ones)

From what I understand this doesn't seem to be that rare a use-case, but I suspect I'm searching using the wrong terminology.

Any pointers or suggestions appreciated.

Thanks! -- p

Here's the top part of [psp-resolver.xml]
<!-- The GroupDataConnector returns attributes representing the group whose name is the principal name. The returned group
must be a child of the stem whose name is the edu.internet2.middleware.psp.baseStem property. Groups under the "etc" stem
are omitted. -->
<resolver:DataConnector
id="GroupDataConnector"
xsi:type="grouper:GroupDataConnector">
<!-- The MINUS filter matches stems which match the first child filter and not the second. -->
<grouper:Filter xsi:type="grouper:MINUS">
<!-- The GroupInStem filter matches groups which are children of the given stem. -->
<grouper:Filter
xsi:type="grouper:GroupInStem"
name="${edu.internet2.middleware.psp.baseStem}"
scope="SUB" />
<!-- START 2015-11-NOV-17 17:31 - Filter on Attribute for Selective Provision to LDAP -->
<grouper:Filter xsi:type="grouper:OR">
<!-- END 2015-11-NOV-17 17:31 - Filter on Attribute for Selective Provision to UTLDAP -->
<grouper:Filter
xsi:type="grouper:GroupInStem"
name="etc"
scope="SUB" />
<!-- START 2015-11-NOV-17 17:31 - Filter on Attribute for Selective Provision to UTLDAP -->
<grouper:Filter
xsi:type="grouper:GroupExactAttribute"
name="UTLDAP"
value="yes" />
</grouper:Filter>
<!-- END 2015-11-NOV-17 17:31 - Filter on Attribute for Provision to UTLDAP -->
</grouper:Filter>
<!-- The "members" attribute values are equivalent to group.getMembers(). -->
<grouper:Attribute id="members" />
<!-- The "groups" attribute values are equivalent to group.getGroups(). -->
<grouper:Attribute id="groups" />
<!-- The "etc:attribute:mailLocalAddress" attribute framework definition. -->
<grouper:Attribute id="etc:attribute:mailLocalAddress" />
<!-- START 2015-11-NOV-17 17:31 - Filter on Attribute for Selective Provision to LDAP -->
<grouper:Attribute id="etc:attribute:UTLDAP" />
<!-- END 2015-11-NOV-17 17:31 - Filter on Attribute for Selective Provision to UTLDAP -->
</resolver:DataConnector>






--
Peter St. Onge




  • [grouper-users] Selective provisioning (via attribute) of group info into LDAP, Peter St. Onge, 11/18/2015

Archive powered by MHonArc 2.6.16.

Top of Page