...

$ git clone -b laboratory https://github.internet2.edu/TIER/midPoint_container.git
$ cd midPoint_container
$ ./build.sh

The project consists of several parts:

  • demo/complex demonstrates an approach that makes midPoint responsible for all the interfacing with source and target systems, and Grouper responsible for maintaining the group membership. This is the same approach as was used in demo/complex from the beginning.
  • demo/complex2 is an alternative design that makes Grouper responsible for getting membership information from source systems.
  • demo/complex2s is the same as complex2 but midPoint-Grouper interface is simplified (hence "2s").

Because these compositions use the same ports, only one of them can be running at the same time.

...

  1. Design option 1: All interfacing via midPoint
  2. Design option 2: SoR groups to Grouper
  3. Design option 2s: SoR groups to Grouper, simplified

Description of data processing

In this section we describe the overall processing of the data. It is common to all design options; the differences are dealt with later.

...

To summarize the data representation in SIS (what is represented, how it is stored, and an example):

  • person: a row in the SIS_PERSONS table. Example:
      # uid, surname, givenName, fullName, department, mail
      'bgasper', 'Gasper', 'Bill', 'Bill Gasper', 'Business', 'bgasper@example.edu'
  • person's department: the department column. Example: Business
  • person's affiliation: rows in the SIS_AFFILIATIONS table. Example:
      # uid, affiliation
      'bgasper', 'alum'
  • person's courses: rows in the SIS_COURSES table. Example:
      # uid, surname, givenName, courseId
      'bgasper', 'Gasper', 'Bill', 'CS251'
      'bgasper', 'Gasper', 'Bill', 'MATH100'

(Actually, specific SQL representation is quite irrelevant, because SIS tables serve here only as a simplified version of a real academic information system.)

...

In midPoint the data is represented like this:

  • person: user. Example: bgasper
  • person's department: user → org (of subtype department; under the Departments org). Example: bgasper → Business
  • person's refined affiliation: user → org (of subtype affiliation; under the Affiliations org). Example: bgasper → Affiliation: faculty
  • person's courses: user → org (of subtype course; under the Courses org). Example: bgasper → MATH100, CS251
  • person's mailing list membership: user → org (of subtype mailing-list; under the Mailing lists org). Example: bgasper → Mailing list: chess, Mailing list: idm-fans
  • person's other membership: user → org (of subtype generic-group; under the Generic groups org). Example: bgasper → test:volunteers, app:cs

An example:

  

Relation targets (departments, affiliations, courses, mailing lists, other groups) are modeled as midPoint organizations.

TODO some screenshots here

Data in Grouper

  • person: subject referencing an LDAP entry. Example: uid=bgasper,ou=People,dc=internet2,dc=edu
  • person's department: membership in a ref:dept:XXX group. Example: ref:dept:Business
  • person's affiliation (from SoR): membership in ref:affiliation:XXX_systemOfRecord groups. Example: ref:affiliation:alum_systemOfRecord
  • person's affiliation (refined): membership in ref:affiliation:XXX groups. Example: ref:affiliation:faculty
  • person's courses: membership in ref:course:XXX groups. Example: ref:course:MATH100, ref:course:CS251
  • mailing list membership: membership in app:mailinglist:XXX groups. Example: app:mailinglist:chess, app:mailinglist:idm-fans
  • computer science course enrollment: membership in the app:cs group
  • any other membership: membership in the respective groups. Example: test:volunteers

An example:

Target systems

...

Note

This resource is temporarily created as a CSV.

Data representation:

  • person's record: a database table row (temporarily a line in CSV). Example: bgasper,Bill,Gasper,Bill Gasper,bgasper@example.edu (temporarily in CSV)

Target 2: Computer science students portal

All computer science students (enrolled in CSxxx courses) should have a record in this system, providing the following information: identifier (i.e. uid), name (i.e. fullName), mail, computer science courses enrolled in.

Data representation:

  • person's record: a line in a CSV file. Example: dlangenberg61,Donna Langenberg,dlangenberg61@example.edu,CS251;CS252

Target 3: Generic mailing list application

...

Note

This resource is temporarily created as a CSV, represented as a set of (username,mail,list-of-mailing-lists) triples.

Data representation:

  • mailing list membership: a line in a CSV file (temporarily). Example: bgasper,bgasper@example.edu,chess;idm-fans

Of course, all the information required by targets 1-3 could be taken directly from LDAP. Here, however, we want to simulate resources that need some extra processing (e.g. Box, Office 365, and so on) and therefore require a specific connector.

...

In order to provide information to many other systems we need to maintain an LDAP directory where each user has an eduPerson record with (among others) the following attributes or relations set:

  • person: an eduPerson object with givenName, sn, cn and mail containing the corresponding information from the sis_persons table (i.e. givenName, surname, fullName and mail, respectively). Example: uid=bgasper,ou=People,dc=internet2,dc=edu
  • person's department: businessCategory attribute. Example: Business
  • person's affiliation (refined by inclusion/exclusion): group membership (in ou=Affiliations,ou=Groups,dc=internet2,dc=edu groups). Example: cn=faculty,ou=Affiliations,ou=Groups,dc=internet2,dc=edu
  • person's courses: group membership (in ou=Courses,ou=Groups,dc=internet2,dc=edu groups). Example:
      cn=MATH100,ou=Courses,ou=Groups,dc=internet2,dc=edu
      cn=CS251,ou=Courses,ou=Groups,dc=internet2,dc=edu
  • person's other Grouper groups: group membership (in ou=Generic,ou=Groups,dc=internet2,dc=edu groups). Example:
      cn=app:cs,ou=Generic,ou=Groups,dc=internet2,dc=edu
      cn=app:mailinglist:chess,ou=Generic,ou=Groups,dc=internet2,dc=edu
      cn=app:mailinglist:idm-fans,ou=Generic,ou=Groups,dc=internet2,dc=edu
      cn=test:volunteers,ou=Generic,ou=Groups,dc=internet2,dc=edu
  • person's midPoint-managed groups: group membership (in ou=midpoint,ou=Groups,dc=internet2,dc=edu groups). Example: cn=sysadmingroup,ou=midpoint,ou=Groups,dc=internet2,dc=edu
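As an added example (not code from the midPoint_container project), the following Python takes constructed SIS rows in the shape of the SIS_PERSONS and SIS_COURSES tables and derives from them the SIS-driven pieces of the Grouper, target-system and LDAP representations described above: the ref:course:XXX and app:cs groups, the matching LDAP group DNs, and the Target 1 and Target 2 CSV lines. The uid 'jdoe' and the department of dlangenberg61 are assumptions made up for the sample data.

```python
# Constructed sample rows in the shape of the SIS tables above; 'jdoe' is made up to show a
# person with no computer science course (and therefore no record in the CS students portal).
SIS_PERSONS = [
    # uid, surname, givenName, fullName, department, mail
    ("bgasper", "Gasper", "Bill", "Bill Gasper", "Business", "bgasper@example.edu"),
    ("dlangenberg61", "Langenberg", "Donna", "Donna Langenberg", "Science", "dlangenberg61@example.edu"),
    ("jdoe", "Doe", "Jane", "Jane Doe", "Mathematics", "jdoe@example.edu"),
]
SIS_COURSES = [
    # uid, surname, givenName, courseId
    ("bgasper", "Gasper", "Bill", "CS251"),
    ("bgasper", "Gasper", "Bill", "MATH100"),
    ("dlangenberg61", "Langenberg", "Donna", "CS252"),
    ("dlangenberg61", "Langenberg", "Donna", "CS251"),
    ("jdoe", "Doe", "Jane", "MATH100"),
]
LDAP_BASE = "dc=internet2,dc=edu"

def person(uid):
    return next(p for p in SIS_PERSONS if p[0] == uid)

def courses(uid):
    # Sorted so the derived group lists are deterministic.
    return sorted(c for u, _sn, _gn, c in SIS_COURSES if u == uid)

def is_cs_student(uid):
    # Computer science student = enrolled in at least one CSxxx course.
    return any(c.startswith("CS") for c in courses(uid))

def grouper_groups(uid):
    """Grouper groups derived from SIS: ref:course:XXX per course, plus app:cs for CS students."""
    groups = [f"ref:course:{c}" for c in courses(uid)]
    return groups + ["app:cs"] if is_cs_student(uid) else groups

def ldap_group_dns(uid):
    """LDAP group DNs mirroring those Grouper groups (courses under ou=Courses, app:cs under ou=Generic)."""
    dns = [f"cn={c},ou=Courses,ou=Groups,{LDAP_BASE}" for c in courses(uid)]
    return dns + [f"cn=app:cs,ou=Generic,ou=Groups,{LDAP_BASE}"] if is_cs_student(uid) else dns

def hr_line(uid):
    """Target 1 (HR) CSV line: uid,givenName,surname,fullName,mail."""
    _uid, sn, gn, full, _dept, mail = person(uid)
    return ",".join([uid, gn, sn, full, mail])

def cs_portal_line(uid):
    """Target 2 CSV line: uid,fullName,mail,CS courses joined by ';'; None for non-CS students."""
    if not is_cs_student(uid):
        return None
    _uid, _sn, _gn, full, _dept, mail = person(uid)
    return ",".join([uid, full, mail, ";".join(c for c in courses(uid) if c.startswith("CS"))])
```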

An example:

Design options

...

So in option 1 we have the following additional data items:

  • person's affiliation (from SoR): in midPoint, the user's rawAffiliation extension property (example: alum); in LDAP, the eduPersonAffiliation attribute (example: alum)

TODO

Note: Although option 1 resembles demo/complex on the master branch, it differs in some respects. For example, the raw affiliation (taken from the SoR) is not represented as midPoint role membership but only as the rawAffiliation extension attribute. Membership in generic groups taken from Grouper is represented by midPoint org membership and LDAP group membership, not just by setting an extension property value as in the original demo/complex scenario.