| Config property | Value | Description |
|---|
| provisioner.pspng_oneprod.provisionerName | One prod LDAP flat | Friendly provisioner name for configId: pspng_oneprod In this case its the same |
| provisioner.pspng_oneprod.class | edu.internet2.middleware.grouper.app.ldapProvisioning.LdapSync | Provisioner class. All LDAP provisioners have this value |
| provisioner.pspng_oneprod.ldapExternalSystemConfigId | oneProdAd | Config ID of the LDAP external system to provision to |
| provisioner.pspng_oneprod.ldapProvisioningType | groupMemberships | Can be groupMemberships (group objects with an attribute of users), or userAttributes (user objects with an attribute of groups) |
| provisioner.pspng_oneprod.subjectSourcesToProvision | pennperson | Only provision subjects in this sourceId |
| provisioner.pspng_oneprod.groupSearchBaseDn | OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu | When searching groups in LDAP use this baseDN |
| provisioner.pspng_oneprod.userSearchBaseDn | DC=one,DC=upenn,DC=edu | When searching for users in LDAP use this baseDN |
| provisioner.pspng_oneprod.common.entityLink.memberToId2 | ${targetEntity.retrieveAttributeValue('dn')} | Cache the user DN in database |
| provisioner.pspng_oneprod.common.groupLink.groupToId2 | ${targetGroup.retrieveAttributeValue('dn')} | Cache the group DN in database |
| provisioner.pspng_oneprod.grouperToTargetTranslationMembership.scriptCount | 1 | 1 membership translation |
| provisioner.pspng_oneprod.grouperToTargetTranslationMembership.0.script |
| Code Block |
|---|
${if (!grouperUtil.isBlank(gcGrouperSyncMember.getMemberToId2())) {
grouperTargetGroup.addAttributeValueForMembership('member', gcGrouperSyncMember.getMemberToId2());
}
} |
| If there is a user DN, then put that in the group "member" multivalued attribute |
| provisioner.pspng_oneprod.grouperToTargetTranslationEntity.scriptCount | 2 |
|
| provisioner.pspng_oneprod.grouperToTargetTranslationEntity.0.script | ${grouperTargetEntity.assignAttributeValue('employeeID', grouperProvisioningEntity.getSubjectId())} |
|
| provisioner.pspng_oneprod.grouperToTargetTranslationEntity.1.script | ${grouperTargetEntity.assignAttributeValue('dn', gcGrouperSyncMember.getMemberToId2() )} |
|
| provisioner.pspng_oneprod.grouperToTargetTranslationGroup.scriptCount | 23 | Two group translations |
| provisioner.pspng_oneprod.grouperToTargetTranslationGroup.0.script |
| Code Block |
|---|
${grouperTargetGroup.assignAttributeValue('gidNumber', grouperProvisioningGroup.getIdIndex(); } |
| First group script. Put the idIndex number into the gidNumber attribute in the group in ldap |
| provisioner.pspng_oneprod.grouperToTargetTranslationGroup.1.script |
| Code Block |
|---|
${grouperTargetGroup.assignAttributeValue('dn', 'cn=' + grouperProvisioningGroup.getName() + ',OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu'); } |
| Second group script, assign the cached dn to the dn attribute |
| provisioner.pspng_oneprod.grouperToTargetTranslationGroup.2.script |
| Code Block |
|---|
${grouperTargetGroup.setId(grouperProvisioningGroup.getName()); } |
| This target DAO needs an ID set for groups, this is the primary key of the groups table |
| provisioner.pspng_oneprod.groupTargetIdAttribute | gidNumber | Linking groups (knowing which ones to compare) from target to grouper is done with the gidNumber attribute |
| provisioner.pspng_oneprod.entityTargetIdAttribute | employeeID | Link entities (knowing which ones to compare) from target to grouper, done with employeeID attribute |
| provisioner.pspng_oneprod.grouperToTargetTranslationGroupCreateOnly.scriptCount | 3 | Three translations to run when creating groups |
| provisioner.pspng_oneprod.grouperToTargetTranslationGroupCreateOnly.0.script |
| Code Block |
|---|
${grouperTargetGroup.assignAttributeValue('dn', 'cn=' + grouperProvisioningGroup.getName()
+ ',OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu'); } |
| Make a flat DN where all groups are in an OU and the cn is the group name fully qualified. Note in my grouper there is a rule to keep extensions alphanumeric |
| provisioner.pspng_oneprod.grouperToTargetTranslationGroupCreateOnly.1.script |
| Code Block |
|---|
${grouperTargetGroup.assignAttributeValue('cn', grouperProvisioningGroup.getName()); } |
| Set the CN to be the group name fully qualified |
| provisioner.pspng_oneprod.grouperToTargetTranslationGroupCreateOnly.2.script |
| Code Block |
|---|
${grouperTargetGroup.assignAttributeValue('objectClass', grouperUtil.toSet('group')); } |
| object class is group (multivalued with one value) |
provisioner.pspng_oneprod.groupSearchAllFilter
| objectclass=group | when searching for all groups, use this filter |
| provisioner.pspng_oneprod.userSearchAllFilter | employeeID=* | when searching for all users use this filter |
| provisioner.pspng_oneprod.userSearchFilter |
| Code Block |
|---|
employeeID=${targetEntity.retrieveAttributeValue('employeeID')} |
| when searching one user, this is filter |
| provisioner.pspng_oneprod.groupSearchFilter |
| Code Block |
|---|
(&(objectclass=group) (gidNumber=${targetGroup.retrieveAttributeValue('gidNumber')})) |
| when searching one group, this is filter |
| provisioner.pspng_oneprod.userSearchAttributes | dn | we dont need much when searching users, just dn |
| provisioner.pspng_oneprod.groupSearchAttributes | dn,gidNumber | attributes for groups to retrieve |
| provisioner.pspng_oneprod.createEntities | false | dont create users |
| provisioner.pspng_oneprod.deleteEntities | false | dont delete users |
| provisioner.pspng_oneprod.createGroups | true | yes create missing groups |
| provisioner.pspng_oneprod.deleteGroups | true | yes delete groups which shouldnt be there |
| provisioner.pspng_oneprod.groupAttributeNameForMemberships | member | attribute to put users in |