...

The specific settings we enabled in this file for provisioning to AD set the group objectClass and allow the provisioner to handle groups with a large number of members. This is done with the following two settings.

Code Block

# Group objectClass for Active Directory
groupObjectClass=group

# handle Active Directory groups with a large (>1500) number of members
edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.ldappc.util.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler,edu.internet2.middleware.ldappc.util.RangeSearchResultHandler
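The reason the RangeSearchResultHandler is needed: AD returns at most 1500 values of the member attribute per search (its MaxValRange), handing them out as member;range=0-1499, member;range=1500-2999 and so on, so a client that asks for member once sees only the first chunk and would provision an incomplete group. The example below is added here and is not ldappc's code; it uses a constructed in-memory stand-in for the AD search (fake DNs under DC=example,DC=org) to show the continuation walk the handler performs.

```python
import re

MAX_VAL_RANGE = 1500  # AD's default MaxValRange: values returned per attribute per search
RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$", re.IGNORECASE)


def make_fake_ad(member_count):
    """Constructed stand-in for an AD search: one group whose 'member' attribute
    is handed out in ranged chunks, the way AD does for large groups."""
    members = [f"CN=user{i},OU=People,DC=example,DC=org" for i in range(member_count)]

    def search(group_dn, attrs):
        result = {}
        for attr in attrs:
            m = RANGE_RE.match(attr)
            if m is None and len(members) <= MAX_VAL_RANGE:
                result["member"] = list(members)  # small group: plain attribute
                continue
            lo = int(m.group(1)) if m else 0
            hi = min(lo + MAX_VAL_RANGE, len(members))
            # AD marks the final chunk with '*' as the upper bound
            upper = "*" if hi >= len(members) else str(hi - 1)
            result[f"member;range={lo}-{upper}"] = members[lo:hi]
        return result

    return search


def fetch_all_members(search, group_dn):
    """Collect every member DN by following 'member;range=N-*' continuations,
    which is what the RangeSearchResultHandler automates inside ldappc."""
    members = []
    attr = "member"
    while True:
        result = search(group_dn, [attr])
        if "member" in result:  # no ranging: the group fit in one response
            return result["member"]
        key = next(k for k in result if k.lower().startswith("member;range="))
        _lo, hi = RANGE_RE.match(key).groups()
        members.extend(result[key])
        if hi == "*":  # last chunk reached
            return members
        attr = f"member;range={int(hi) + 1}-*"  # ask for the next chunk


if __name__ == "__main__":
    search = make_fake_ad(3200)
    big = "CN=big,OU=Groups,DC=example,DC=org"
    print(len(search(big, ["member"])["member;range=0-1499"]))  # 1500: one plain search
    print(len(fetch_all_members(search, big)))  # 3200: ranges followed
```

The first print shows what a provisioner without the handler would see; the second is the full membership the handler reconstructs.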

...

To be able to identify a user by both the scoped and un-scoped user name, we created a custom subject identifier named SAMA in our sources.xml file.

Code Block

<init-param>
  <!-- col which identifies the row, perhaps not subjectId -->
  <param-name>subjectIdentifierCol0</param-name>
  <param-value>loginname</param-value>
</init-param>
<init-param>
  <param-name>subjectIdentifierCol1</param-name>
  <param-value>SAMA</param-value>
</init-param>
<init-param>
  <param-name>subjectAttributeCol0</param-name>
  <param-value>SAMA</param-value>
</init-param>
<init-param>
  <param-name>subjectAttributeName0</param-name>
  <param-value>SAMA</param-value>
</init-param>

...

For LDAPPCNG to provision subjects using the correct identifier, the MemberDataConnector and the SpmlDataConnector in the ldappc-resolver.xml file had to be amended as follows:

Code Block

<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
  <grouper:Attribute id="groups" />
  <grouper:Attribute id="SAMA" source="jdbc" />
</resolver:DataConnector>

<resolver:DataConnector id="SpmlDataConnector" provider="ldap-provider" xsi:type="ldappc:SPMLDataConnector"
    scope="subTree" base="${peopleOU}" returnData="identifier">
  <resolver:Dependency ref="MemberDataConnector" />
  <ldappc:FilterTemplate>(sAMAccountName=${SAMA.get(0)})</ldappc:FilterTemplate>
</resolver:DataConnector>

...

Which groups are provisioned is defined in the ldappc-resolver.xml file. In this example we only want groups located under "Applications:Filestores:ISS" to be provisioned into AD. To do this, define a GroupFilter in both the GroupDataConnector and the StemDataConnector.

Code Block

<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:GroupFilter xsi:type="grouper:StemName" name="Applications:Filestores:ISS" scope="SUB" />
  <grouper:Attribute id="members" />
  <grouper:Attribute id="groups" />
</resolver:DataConnector>

<resolver:DataConnector id="StemDataConnector" xsi:type="grouper:StemDataConnector">
  <grouper:GroupFilter xsi:type="grouper:StemName" name="Applications:Filestores:ISS" scope="SUB" />
</resolver:DataConnector>

More details on filtering groups are documented here.


See Also

Newcastle University Intro Page