
The optional <identifyingAttribute/> of a provisioned object has two purposes: (1) to determine the schema entity of target objects returned from a lookup or search request and (2) to be converted to a query when searching a target for all identifiers. If <identifyingAttribute/> is not present, the provisioned object will be ignored during bulk requests.

psp.xml identifying attribute:
<!-- Identifies ldap group objects which exist on the target by objectClass attribute value. -->
<identifyingAttribute
   name="objectClass"
   value="groupOfNames" />

(1) The provisioning service provider needs to map provisioned object identifiers to provisioned objects (schema entities).

For example, given a lookup request for the id "edu", the psp needs to know if "edu" is a group or a stem. Given the following configuration, if the provisioned object with id "edu" has an "objectclass" attribute with value "organizationalUnit", then the schema entity is "stem". If the provisioned object with id "edu" has an "objectclass" attribute with value "groupOfNames", then the schema entity is "group".

The psp evaluates all <identifyingAttribute/> elements; only one should match, otherwise an exception is thrown.

psp.xml identifying attribute:

<pso id="stem">

  <!-- The ldap organizational unit DN. -->
  <identifier
    ref="stemDn"
    targetId="ldap"
    containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />

  <!-- Identifies stem objects which exist on the target by objectclass attribute value. -->
  <identifyingAttribute
    name="objectclass"
    value="organizationalUnit" />
</pso>

<pso id="group">
  <!-- The ldap group DN. -->
  <identifier
    ref="groupDn"
    targetId="ldap"
    containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />

  <!-- Identifies group objects which exist on the target by objectclass attribute value. -->
  <identifyingAttribute
    name="objectclass"
    value="groupOfNames" />
</pso>

(2) In order to synchronize all objects during bulkCalc requests, the psp needs to know the identifiers of all provisioned objects (schema entities) on a target for which the psp is authoritative. The psp uses <identifyingAttribute/> and <identifier containerId="..."/> elements to create SPMLv2 search requests.

For example, in the configuration example above, the psp will perform an ldap search with filter "(objectClass=organizationalUnit)" to retrieve the identifiers of all provisioned stems, as well as an ldap search with filter "(objectclass=groupOfNames)" to retrieve the identifiers of all provisioned groups. The base of each search will be the containerId of the <identifier/> element.
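
The two uses described above, sketched in Python as an added example (not the psp's own code): it derives the bulk search base and filter for each pso and maps a target object's attributes to a schema entity. The `<psp>` wrapper element, the base DNs, the "member" pso and all function names are assumptions made for illustration, as are the case-insensitive comparison, the RFC 4515 escaping of the filter value, and raising on zero matches as well as on multiple matches.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the configuration above. The <psp> wrapper, the base DNs
# and the "member" pso (which has no identifyingAttribute) are made up for this sketch.
PSP_XML = """
<psp>
  <pso id="stem">
    <identifier ref="stemDn" targetId="ldap" containerId="ou=groups,dc=example,dc=edu" />
    <identifyingAttribute name="objectclass" value="organizationalUnit" />
  </pso>
  <pso id="group">
    <identifier ref="groupDn" targetId="ldap" containerId="ou=groups,dc=example,dc=edu" />
    <identifyingAttribute name="objectclass" value="groupOfNames" />
  </pso>
  <pso id="member">
    <identifier ref="memberDn" targetId="ldap" containerId="ou=people,dc=example,dc=edu" />
  </pso>
</psp>
"""

def load_psos(xml_text):
    """Return {pso id: (containerId, attribute name, attribute value)}."""
    psos = {}
    for pso in ET.fromstring(xml_text).iter("pso"):
        ia = pso.find("identifyingAttribute")
        if ia is None:
            continue  # no identifyingAttribute: ignored during bulk requests
        base = pso.find("identifier").get("containerId")
        psos[pso.get("id")] = (base, ia.get("name"), ia.get("value"))
    return psos

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def bulk_searches(psos):
    """(2) One (search base, ldap filter) pair per pso."""
    return {pid: (base, "(%s=%s)" % (name, escape_filter_value(value)))
            for pid, (base, name, value) in psos.items()}

def schema_entity(psos, target_attrs):
    """(1) Map a target object's attributes to a pso id; exactly one pso must match."""
    matches = []
    for pid, (_, name, value) in psos.items():
        values = [v.lower() for k, vs in target_attrs.items()
                  if k.lower() == name.lower() for v in vs]
        if value.lower() in values:
            matches.append(pid)
    if len(matches) != 1:  # assumption: zero matches is treated as an error too
        raise ValueError("expected exactly one matching pso, got %r" % matches)
    return matches[0]
```

Because every target object that matches the filter under containerId is treated as a provisioned object of that type, the identifying value and the search base together define the set of entries for which the psp acts as authoritative.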

Configure PSP : Alternate Identifier

...