Config property | Value | Description |
---|---|---|
provisioner.pspng_oneprod.provisionerName | One prod LDAP flat | Friendly provisioner name for configId: pspng_oneprod. In this case it's the same |
provisioner.pspng_oneprod.class | edu.internet2.middleware.grouper.app.ldapProvisioning.LdapSync | Provisioner class. All LDAP provisioners have this value |
provisioner.pspng_oneprod.ldapExternalSystemConfigId | oneProdAd | Config ID of the LDAP external system to provision to |
provisioner.pspng_oneprod.ldapProvisioningType | groupMemberships | Can be groupMemberships (group objects with an attribute of users), or userAttributes (user objects with an attribute of groups) |
provisioner.pspng_oneprod.subjectSourcesToProvision | pennperson | Only provision subjects in this sourceId |
provisioner.pspng_oneprod.groupSearchBaseDn | OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu | When searching groups in LDAP use this baseDN |
provisioner.pspng_oneprod.userSearchBaseDn | DC=one,DC=upenn,DC=edu | When searching for users in LDAP use this baseDN |
provisioner.pspng_oneprod.common.entityLink.memberToId2 | ${targetEntity.retrieveAttributeValue('dn')} | Cache the user DN in database |
provisioner.pspng_oneprod.common.groupLink.groupToId2 | ${targetGroup.retrieveAttributeValue('dn')} | Cache the group DN in database |
provisioner.pspng_oneprod.grouperToTargetTranslationMembership.scriptCount | 1 | 1 membership translation |
provisioner.pspng_oneprod.grouperToTargetTranslationMembership.0.script | ${if (!grouperUtil.isBlank(gcGrouperSyncMember.getMemberToId2())) { grouperTargetGroup.addAttributeValueForMembership('member', gcGrouperSyncMember.getMemberToId2()); }} | If there is a user DN, then put that in the group "member" multivalued attribute |
provisioner.pspng_oneprod.grouperToTargetTranslationGroup.scriptCount | 2 | Two group translations |
provisioner.pspng_oneprod.grouperToTargetTranslationGroup.0.script | ${grouperTargetGroup.assignAttribute('gidNumber', grouperProvisioningGroup.getIdIndex()); } | First group script. Put the idIndex number into the gidNumber attribute of the group in LDAP |
provisioner.pspng_oneprod.grouperToTargetTranslationGroup.1.script | ${grouperTargetGroup.assignAttribute('dn', 'cn=' + grouperProvisioningGroup.getName() + ',OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu'); } | Second group script, assign the cached dn to the dn attribute |
provisioner.pspng_oneprod.targetGroupTargetIdAttribute | gidNumber | Linking groups (knowing which ones to compare) from target to grouper is done with the gidNumber attribute |
provisioner.pspng_oneprod.grouperToTargetTranslationGroupCreateOnly.scriptCount | 3 | Three translations to run when creating groups |
provisioner.pspng_oneprod.grouperToTargetTranslationGroupCreateOnly.0.script | ${grouperTargetGroup.assignAttributeValue('dn', 'cn=' + grouperProvisioningGroup.getName() + ',OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu'); } | Make a flat DN where all groups are in an OU and the cn is the group name fully qualified. Note in my grouper there is a rule to keep extensions alphanumeric |
provisioner.pspng_oneprod.grouperToTargetTranslationGroupCreateOnly.1.script | ${grouperTargetGroup.assignAttributeValue('cn', grouperProvisioningGroup.getName()); } | Set the CN to be the group name fully qualified |
provisioner.pspng_oneprod.grouperToTargetTranslationGroupCreateOnly.2.script | ${grouperTargetGroup.assignAttributeValue('objectClass', grouperUtil.toSet('group')); } | object class is group (multivalued with one value) |
provisioner.pspng_oneprod.groupSearchAllFilter | objectclass=group | when searching for all groups, use this filter |
provisioner.pspng_oneprod.userSearchAllFilter | employeeID=* | when searching for all users use this filter |
provisioner.pspng_oneprod.userSearchFilter | employeeID=${grouperProvisioningEntity.getSubjectId()} | when searching for one user, this is the filter |
provisioner.pspng_oneprod.groupSearchFilter | (&(objectclass=group) (gidNumber=${grouperProvisioningGroup.retrieveAttributeValue('gidNumber')})) | when searching for one group, this is the filter |
provisioner.pspng_oneprod.userSearchAttributes | dn | we don't need much when searching users, just dn |
provisioner.pspng_oneprod.groupSearchAttributes | dn,gidNumber | attributes for groups to retrieve |
provisioner.pspng_oneprod.createEntities | false | don't create users |
provisioner.pspng_oneprod.deleteEntities | false | don't delete users |
provisioner.pspng_oneprod.createGroups | true | yes create missing groups |
provisioner.pspng_oneprod.deleteGroups | true | yes delete groups which shouldn't be there |
provisioner.pspng_oneprod.groupAttributeNameForMemberships | member | attribute to put users in |
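
The create-only 'dn' translation concatenates the group name into a DN, and the two search filters substitute Grouper values into filter text. The following Python sketch is an added example, not from the original page or from Grouper; its function names and sample inputs are constructed. It shows the RFC 4514 and RFC 4515 escaping such values need when they contain special characters, which is the case the alphanumeric-extension rule mentioned above avoids.

```python
# Added example: RFC 4514 (DN) and RFC 4515 (filter) escaping for the strings
# the table's scripts assemble. Function names and sample inputs are constructed.

GROUP_BASE_DN = "OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu"  # from the table

FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def flat_group_dn(group_name: str) -> str:
    """Same shape as the create-only 'dn' translation: cn=<full name>,<base>."""
    return "cn=" + escape_rdn_value(group_name) + "," + GROUP_BASE_DN


def user_search_filter(subject_id: str) -> str:
    """Same shape as userSearchFilter: employeeID=<subjectId>."""
    return "employeeID=" + escape_filter_value(subject_id)


def group_search_filter(gid_number) -> str:
    """Same shape as groupSearchFilter, keyed on gidNumber (the idIndex)."""
    return "(&(objectclass=group)(gidNumber=" + escape_filter_value(str(gid_number)) + "))"


if __name__ == "__main__":
    # Constructed inputs: one ordinary value and one with special characters each.
    for name in ("penn:isc:apps:admins", "penn:isc:Payroll, Finance"):
        print(flat_group_dn(name))
    for sid in ("12345678", "1234*"):
        print(user_search_filter(sid))
    print(group_search_filter(10042))
```

Colons in a fully qualified group name pass through unchanged, so names that follow the alphanumeric-extension rule produce the same DN with or without escaping.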