...
Note that if you want the incremental provisioner to pick up new entity attributes, LDAP needs to have the modifyTimestamp (not implemented yet), or you could run an LDAP to SQL job (e.g. every 30 minutes) and have a trigger maintain last_updated.
Global entity attribute resolvers list page
Global entity attribute resolvers add SQL resolver page
Configuration options
Configuration section: Do you have entity attributes not in the subject source? True/False (default false)
...
Config item | Value | Show if | Description |
---|---|---|---|
Show entity attribute resolver | true/false | Have a separate section just like Membership configuration and it shows up before Membership configuration section | |
Resolve attributes with SQL | true/false | showEntityAttributeResolver == 'true' | If true show the next section |
Use global SQL resolver | true/false | showEntityAttributeResolver == 'true' && resolveAttributesWithSql == 'true' | (default false), if true then use a global resolver |
Global SQL resolver | myPeopleResolver | showEntityAttributeResolver == 'true' && resolveAttributesWithSql == 'true' && useGlobalSqlResolver == 'true' | Drop down of global SQL resolvers |
SQL config id | warehouse | showEntityAttributeResolver == 'true' && resolveAttributesWithSql == 'true' && useGlobalSqlResolver == 'false' | Drop down with SQL config ids - Db external system config ids dropdown |
Table or view name | my_people | showEntityAttributeResolver == 'true' && resolveAttributesWithSql == 'true' && useGlobalSqlResolver == 'false' | Table of user data, must have a subject source (optional), and matching/search col (required), and columns with single valued attributes |
Attribute names | name,description | showEntityAttributeResolver == 'true' && resolveAttributesWithSql == 'true' && useGlobalSqlResolver == 'false' | Comma separated list of columns you want to fetch and send to target system as attributes. |
Subject source id column | subject_source_id | showEntityAttributeResolver == 'true' && resolveAttributesWithSql == 'true' && useGlobalSqlResolver == 'false' | The subject source id column (optional) |
Subject search / matching column | employee_id | showEntityAttributeResolver == 'true' && resolveAttributesWithSql == 'true' && useGlobalSqlResolver == 'false' | Column that searches and matches an entity |
SQL mapping type | entityAttribute / translation | showEntityAttributeResolver == 'true' && resolveAttributesWithSql == 'true' && useGlobalSqlResolver == 'false' | Drop down of the mapping type |
SQL mapping entity attribute | subjectId | showEntityAttributeResolver == 'true' | If this is an entity attribute mapping type, pick the entity attribute from a drop down |
SQL mapping expression | ${grouperProvisioningEntity.retrieveAttributeValueString('uid')} | showEntityAttributeResolver == 'true' && resolveAttributesWithSql == 'true' && useGlobalSqlResolver == 'false' && sqlMappingType == 'translation' | If this is a translation write the expression (unescaped) (useGlobalResolver='false') |
Last updated column | last_updated | showEntityAttributeResolver == 'true' && resolveAttributesWithSql == 'true' && useGlobalSqlResolver == 'false' | If this is provided then the incremental provisioner will process people that have been recently updated (useGlobalResolver='false') |
Last updated type | timestamp | showEntityAttributeResolver == 'true' && resolveAttributesWithSql == 'true' && useGlobalSqlResolver == 'false' | Could be timestamp, millisSince1970 (useGlobalResolver='false') |
Select all SQL on full | true/false | showEntityAttributeResolver == 'true' && resolveAttributesWithSql == 'true' | (Default true), if select * from the table should occur on full runs. Set to false if only a small subset of the total entities in the table are provisionable (show for local or global resolver) |
Resolve attributes with LDAP | true/false | showEntityAttributeResolver == 'true' | If true show the next section |
Use global LDAP resolver | true/false | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' | (default false), if true then use a global resolver |
Global LDAP resolver | myPeopleResolver | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'true' | Drop down of global LDAP resolvers |
LDAP | myAd | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'false' | Drop down with LDAP config ids |
Base DN | OU=users,DC=school,DC=edu | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'false' | Base DN for search |
Search scope | ONELEVEL_SCOPE, or SUBTREE_SCOPE (default) | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'false' | |
Filter part | (objectClass=person) | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'false' | If provided, this will be part of the full or individual filter |
Attributes | employeeID, name, org, extensionAttribute11, modifyTimestamp | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'false' | Attributes to retrieve (multi-valued attributes will be stored in appropriate structure) |
Multivalued ldap attributes | org,name | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'false' | Comma separated list of attributes that are multivalued |
LDAP matching / search attribute | employeeID | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'false' | LDAP attribute which is used to lookup and match an entity in Grouper |
LDAP mapping type | entityAttribute / translation | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'false' | Drop down of the mapping type |
LDAP mapping entity attribute | subjectId | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'false' | If this is an entity attribute mapping type, pick the entity attribute from a drop down |
LDAP matching expression | ${grouperProvisioningEntity.retrieveAttributeValueString('uid')} | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'false' | The value in Grouper that matches the LDAP data. This is not yet ldap escaped. In this case the filter to get one record would be generated as: (&(employeeID=${grouperUtil.ldapFilterEscape(grouperProvisioningEntity.retrieveAttributeValueString('uid'))})(objectClass=person)) |
Filter all LDAP on full | true/false | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' | (Default true), if full filter should occur on full runs. Set to false if only a small subset of the total entities in the table are provisionable. In the above example, if this is true, the full filter would be: (&(employeeID=*)(objectClass=person)) |
Last updated attribute | modifyTimestamp | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'false' | If provided, the incremental can poll for new records to process. E.g. the filter for OpenLDAP / eDirectory would be (&(employeeID=*)(objectClass=person)(modifyTimestamp>=20211119082103Z)) and for Active Directory (&(employeeID=*)(objectClass=person)(modifyTimestamp>=20211119163324.0Z)) |
LDAP last updated format | default / activeDirectory | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap == 'true' && useGlobalLdapResolver == 'false' | Optional. If not selected, it will use default (20211119082103Z) for a non-AD connection and activeDirectory (20211119163324.0Z) for an Active Directory connection (which is selected in the external system) |
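
The three LDAP filters described in the table (individual, full, incremental) can be reproduced as follows. This is an added example, not Grouper's own code: the function names are hypothetical, and the escaping follows RFC 4515, which is assumed to be what `grouperUtil.ldapFilterEscape` does.

```python
from datetime import datetime, timezone

# RFC 4515 section 3: these characters must be written as \XX in a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape one assertion value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def last_updated_value(when: datetime, fmt: str = "default") -> str:
    """Render a timezone-aware datetime in the 'default' or 'activeDirectory' format."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")
    if fmt == "default":
        return stamp + "Z"
    if fmt == "activeDirectory":
        return stamp + ".0Z"
    raise ValueError(f"unknown last updated format: {fmt}")


def individual_filter(match_attr: str, value: str, filter_part: str = "") -> str:
    """Filter for one entity; only the Grouper-side value is escaped."""
    return f"(&({match_attr}={ldap_filter_escape(value)}){filter_part})"


def full_filter(match_attr: str, filter_part: str = "") -> str:
    """Filter used on full runs when 'Filter all LDAP on full' is true."""
    return f"(&({match_attr}=*){filter_part})"


def incremental_filter(match_attr, filter_part, last_updated_attr, since, fmt="default"):
    """Full filter narrowed to records changed at or after `since`."""
    changed = f"({last_updated_attr}>={last_updated_value(since, fmt)})"
    return f"(&({match_attr}=*){filter_part}{changed})"


if __name__ == "__main__":
    part = "(objectClass=person)"
    since = datetime(2021, 11, 19, 8, 21, 3, tzinfo=timezone.utc)  # constructed sample
    print(individual_filter("employeeID", "a*(b)\\c", part))
    print(full_filter("employeeID", part))
    print(incremental_filter("employeeID", part, "modifyTimestamp", since))
```

The matching expression is escaped at the point where it enters the filter, while the configured filter part is inserted verbatim, so the filter part must only ever come from trusted configuration.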
Global entity attribute resolvers
If you have global attribute resolvers (which can be shared among provisioners or maybe other things too), configure them in grouper.properties
...