...
The specific settings we enabled in this file for provisioning to AD were the group objectClass and the search result handlers that let the provisioner read AD groups with a large number of members. This is done with the following two settings:
```properties
# Group objectClass for Active Directory
groupObjectClass=group
# handle Active Directory groups with a large (>1500) number of members
edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.ldappc.util.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler,edu.internet2.middleware.ldappc.util.RangeSearchResultHandler
```
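The 1500 figure in the comment is Active Directory's MaxValRange policy: a search returns at most that many values of a multi-valued attribute such as member in one response, and names the attribute with a range suffix (member;range=0-1499) so the client can ask for the next slice; the last slice comes back with an asterisk as the upper bound. The RangeSearchResultHandler listed above exists to drive that retrieval; without it the provisioner would compare Grouper's membership against a truncated view of the AD group. The following is an added Python example, not ldappc-ng code, that shows the range exchange against a constructed stand-in for an AD entry (the fake server function and the member DNs are made up for the example):

```python
import re

# Pattern of a ranged attribute name as AD returns it, e.g. "member;range=0-1499".
# The upper bound is "*" on the final slice, e.g. "member;range=3000-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$",
                      re.IGNORECASE)


def parse_range(attr_name):
    """Return (base_attr, low, high) for a ranged attribute name, or None for a
    plain attribute. high is None when the server marked this as the last slice."""
    m = RANGE_RE.match(attr_name)
    if not m:
        return None
    high = None if m.group("high") == "*" else int(m.group("high"))
    return m.group("attr"), int(m.group("low")), high


def next_range_request(attr_name):
    """Attribute name to request the following slice with, or None when the
    returned name shows the attribute is complete."""
    parsed = parse_range(attr_name)
    if parsed is None:
        return None          # not ranged at all: the whole attribute was returned
    attr, _low, high = parsed
    if high is None:
        return None          # "...-*": the server says this was the last slice
    return f"{attr};range={high + 1}-*"


def make_fake_ad(all_members, max_val_range=1500):
    """Constructed stand-in for one AD group entry (not a real server).
    Returns search(requested_attr) -> {returned_attr_name: [values]} and slices
    'member' the way AD does under the MaxValRange policy."""
    total = len(all_members)

    def search(requested):
        parsed = parse_range(requested)
        if parsed is None and total <= max_val_range:
            return {"member": list(all_members)}   # small group: no range suffix
        low = 0 if parsed is None else parsed[1]
        high = min(low + max_val_range, total)     # exclusive upper index
        if high >= total:
            name = f"member;range={low}-*"         # final slice
        else:
            name = f"member;range={low}-{high - 1}"
        return {name: all_members[low:high]}

    return search


def collect_members(search):
    """Drive the range protocol to completion and return every member DN in order."""
    members = []
    requested = "member"
    while requested is not None:
        result = search(requested)
        (name, values), = result.items()           # one attribute per response
        members.extend(values)
        requested = next_range_request(name)
    return members


if __name__ == "__main__":
    # Constructed sample: 3200 member DNs, which AD would return in three slices.
    dns = [f"CN=user{i},OU=People,DC=example,DC=org" for i in range(3200)]
    print(len(collect_members(make_fake_ad(dns))))
```

The handler's job is the loop in collect_members: keep re-requesting member with a new lower bound until the returned name ends in an asterisk. A client that stops after the first response sees only the first MaxValRange values and has no indication, other than the range suffix, that anything is missing.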
...
To identify a user by both the scoped and un-scoped user name, we created a custom subject identifier named SAMA in our sources.xml file. The loginname column stays the primary identifier; subjectIdentifierCol1 makes the SAMA column usable for identifier lookups as well, and the subjectAttributeCol0/subjectAttributeName0 pair exposes the same column as a subject attribute called SAMA so that the resolver can read it.
```xml
<init-param>
  <!-- col which identifies the row, perhaps not subjectId -->
  <param-name>subjectIdentifierCol0</param-name>
  <param-value>loginname</param-value>
</init-param>
<init-param>
  <param-name>subjectIdentifierCol1</param-name>
  <param-value>SAMA</param-value>
</init-param>
<init-param>
  <param-name>subjectAttributeCol0</param-name>
  <param-value>SAMA</param-value>
</init-param>
<init-param>
  <param-name>subjectAttributeName0</param-name>
  <param-value>SAMA</param-value>
</init-param>
```
...
For LDAPPCNG to provision subjects using the correct identifier, the MemberDataConnector and the SpmlDataConnector in the ldappc-resolver.xml file were amended as follows. The MemberDataConnector pulls the SAMA attribute from the jdbc source, and the SpmlDataConnector uses its first value in an sAMAccountName filter to find each member's DN under the OU given by the ${peopleOU} property:
```xml
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
  <grouper:Attribute id="groups" />
  <grouper:Attribute id="SAMA" source="jdbc" />
</resolver:DataConnector>
<resolver:DataConnector id="SpmlDataConnector" provider="ldap-provider" xsi:type="ldappc:SPMLDataConnector"
    scope="subTree" base="${peopleOU}" returnData="identifier">
  <resolver:Dependency ref="MemberDataConnector" />
  <ldappc:FilterTemplate>(sAMAccountName=${SAMA.get(0)})</ldappc:FilterTemplate>
</resolver:DataConnector>
```
...
Which groups are provisioned is defined in the ldappc-resolver.xml file. In this example we only want groups located under "Applications:Filestores:ISS" to be provisioned into AD. To do this, define a GroupFilter on both the GroupDataConnector and the StemDataConnector; the StemName filter with scope="SUB" selects everything below that stem, at any depth.
```xml
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:GroupFilter xsi:type="grouper:StemName" name="Applications:Filestores:ISS" scope="SUB" />
  <grouper:Attribute id="members" />
  <grouper:Attribute id="groups" />
</resolver:DataConnector>
<resolver:DataConnector id="StemDataConnector" xsi:type="grouper:StemDataConnector">
  <grouper:GroupFilter xsi:type="grouper:StemName" name="Applications:Filestores:ISS" scope="SUB" />
</resolver:DataConnector>
```
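To make the scoping concrete, here is an added Python model of what the StemName filter above lets through; it is not Grouper or ldappc-ng code, just the name matching. Grouper names are colon-separated, so the match has to be on the stem name plus the separator: a sibling stem such as Applications:Filestores:ISS2 shares a prefix with the configured stem but must not be provisioned. The ONE scope, which Grouper also defines for stems, is included to show the difference from SUB; the group names below are constructed for the example:

```python
STEM_SEP = ":"   # Grouper separates stem and group components with ':'


def in_stem(group_name: str, stem_name: str, scope: str = "SUB") -> bool:
    """True if group_name is selected by a StemName filter on stem_name.
    SUB: the group is anywhere below the stem (the scope used on the page).
    ONE: the group is a direct child of the stem."""
    prefix = stem_name + STEM_SEP
    # Matching on the bare stem name would also accept 'Applications:Filestores:ISS2:...';
    # including the separator in the prefix rules that out.
    if not group_name.startswith(prefix):
        return False
    remainder = group_name[len(prefix):]
    if not remainder:
        return False                    # the stem itself is not a group
    scope = scope.upper()
    if scope == "SUB":
        return True
    if scope == "ONE":
        return STEM_SEP not in remainder   # no further stem component below
    raise ValueError(f"unknown scope {scope!r}; expected SUB or ONE")


def select_groups(group_names, stem_name: str, scope: str = "SUB"):
    """Return, in input order, the group names the filter would provision."""
    return [g for g in group_names if in_stem(g, stem_name, scope)]


# Constructed sample of Grouper group names (not taken from the page).
SAMPLE_GROUPS = [
    "Applications:Filestores:ISS:staff",
    "Applications:Filestores:ISS:projects:alpha",
    "Applications:Filestores:ISS2:staff",       # sibling stem sharing the prefix
    "Applications:Filestores:Library:staff",
    "Applications:Filestores:ISS",              # the stem itself, not a group
]

if __name__ == "__main__":
    for scope in ("SUB", "ONE"):
        print(scope, select_groups(SAMPLE_GROUPS, "Applications:Filestores:ISS", scope))
```

With SUB, both ISS:staff and the nested ISS:projects:alpha are provisioned; with ONE, only ISS:staff would be. Neither scope touches ISS2 or Library.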
More details on filtering groups are documented here.
See Also