...
The optional <identifyingAttribute/> element of a provisioned object has two purposes: (1) to determine the schema entity of target objects returned from a lookup or search request, and (2) to be converted to a query when searching a target for all identifiers. If <identifyingAttribute/> is not present, the provisioned object is ignored during bulk requests.
```xml
<!-- Identifies ldap group objects which exist on the target by objectClass attribute value. -->
<identifyingAttribute name="objectClass" value="groupOfNames" />
```
(1) The provisioning service provider needs to map provisioned object identifiers to provisioned objects (schema entities).
For example, given a lookup request for the id "edu", the psp needs to know if "edu" is a group or a stem. Given the following configuration, if the provisioned object with id "edu" has an "objectclass" attribute with value "organizationalUnit", then the schema entity is "stem". If the provisioned object with id "edu" has an "objectclass" attribute with value "groupOfNames", then the schema entity is "group".
The psp evaluates all <identifyingAttribute/> elements; exactly one should match, otherwise an exception is thrown.
```xml
<pso id="stem">
  <!-- The ldap organizational unit DN. -->
  <identifier
    ref="stemDn"
    targetId="ldap"
    containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />
  <!-- Identifies stem objects which exist on the target by objectclass attribute value. -->
  <identifyingAttribute
    name="objectclass"
    value="organizationalUnit" />
</pso>
<pso id="group">
  <!-- The ldap group DN. -->
  <identifier
    ref="groupDn"
    targetId="ldap"
    containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />
  <!-- Identifies group objects which exist on the target by objectclass attribute value. -->
  <identifyingAttribute
    name="objectclass"
    value="groupOfNames" />
</pso>
```
(2) In order to synchronize all objects during bulkCalc requests, the psp needs to know the identifiers of all provisioned objects (schema entities) on a target for which the psp is authoritative. The psp uses the <identifyingAttribute/> and <identifier containerId="..."/> elements to create SPMLv2 search requests.
For example, with the configuration above, the psp will perform an ldap search with filter "(objectClass=organizationalUnit)" to retrieve the identifiers of all provisioned stems, as well as an ldap search with filter "(objectclass=groupOfNames)" to retrieve the identifiers of all provisioned groups. The base of each search is the containerId of the <identifier/> element.
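The two uses of <identifyingAttribute/> described above, as an added illustration that is not the PSP's own code: it parses the stem/group <pso> configuration from this page, resolves a looked-up object's objectclass values to exactly one schema entity (raising when zero or several match), and derives the base DN and filter of the bulk search for each pso. The base DN value substituted for the groupsBaseDn property, the hypothetical "unmanaged" pso, and the AND-combination of several identifying attributes within one pso are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed value for the ${...} property placeholder used in the page's configuration.
PROPERTIES = {"edu.internet2.middleware.psp.groupsBaseDn": "ou=groups,dc=example,dc=edu"}

# Constructed sample: the page's stem and group psos plus a hypothetical pso
# without an <identifyingAttribute/>, which bulk requests must ignore.
CONFIG_XML = """
<psp>
  <pso id="stem">
    <identifier ref="stemDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />
    <identifyingAttribute name="objectclass" value="organizationalUnit" />
  </pso>
  <pso id="group">
    <identifier ref="groupDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />
    <identifyingAttribute name="objectclass" value="groupOfNames" />
  </pso>
  <pso id="unmanaged">
    <identifier ref="otherDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />
  </pso>
</psp>
"""

def _resolve(value, props):
    # Substitute ${key} placeholders with property values.
    for key, val in props.items():
        value = value.replace("${" + key + "}", val)
    return value

def load_psos(xml_text, props):
    """Return {pso id: ([(name, value), ...], containerId)} for psos with an <identifyingAttribute/>."""
    psos = {}
    for pso in ET.fromstring(xml_text).findall("pso"):
        attrs = [(a.get("name"), a.get("value")) for a in pso.findall("identifyingAttribute")]
        if not attrs:
            continue  # no identifyingAttribute: ignored during bulk requests
        ident = pso.find("identifier")
        base = _resolve(ident.get("containerId", ""), props) if ident is not None else ""
        psos[pso.get("id")] = (attrs, base)
    return psos

def schema_entity(psos, target_attrs):
    """Map the attributes of a looked-up target object to exactly one pso id."""
    # LDAP attribute names and objectclass values compare case-insensitively.
    lowered = {k.lower(): [v.lower() for v in vs] for k, vs in target_attrs.items()}
    matches = [pid for pid, (attrs, _) in psos.items()
               if all(v.lower() in lowered.get(n.lower(), []) for n, v in attrs)]
    if len(matches) != 1:
        raise ValueError("expected exactly one identifyingAttribute match, got %r" % matches)
    return matches[0]

def bulk_searches(psos):
    """Return {pso id: (base DN, LDAP filter)} used to enumerate all provisioned identifiers."""
    result = {}
    for pid, (attrs, base) in psos.items():
        terms = "".join("(%s=%s)" % (n, v) for n, v in attrs)
        result[pid] = (base, terms if len(attrs) == 1 else "(&" + terms + ")")  # AND of several attrs is assumed
    return result
```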
Configure PSP : Alternate Identifier
...