...

The psp change log consumer is like any other grouper change log consumer in that it processes change log entries.

For each change log entry received, the psp change log consumer determines the change log category (for example "membership") and change log action (for example "addMembership") and either processes or ignores the change log entry. Supported change log categories and actions are coded in the psp change log consumer; see the EventType enum. To support a change log category and action that is not supported by the provided psp change log consumer, you will need to provide your own implementation, probably by extending the psp change log consumer class. For help, ask the grouper-dev@internet2.edu list.

Processing an "addMembership" change log entry results in a psp calc request, where the identifier (principal name) to be calculated is the change log sequence number:

...

The values of the "changeLogMembershipGroupDn" and "changeLogMembershipMemberDn" attributes are provisioned service object identifiers for the "groupMembership" and "memberMembership" provisioned service objects configured in psp.xml.

The "groupMembership" provisioned service object in psp.xml provisions the member attribute of a group calculated from an add or delete membership change log entry:

...

The "memberMembership" provisioned service object in psp.xml provisions the memberOf attribute of a member calculated from an add or delete membership change log entry:

...

The next step in processing by the psp after resolving attributes via the attribute authority is to resolve references. The values of the "changeLogMembershipLdapSubjectId" and "changeLogMembershipGroupName" attributes are converted to identifiers by executing psp calc requests.

In the following example, the psp change log consumer resolves provisioned service object identifiers for the principal with name 'edu:groupA' and returns an ldap dn 'cn=groupA,ou=edu,ou=groups,dc=example,dc=edu':

...

In the following example, the psp change log consumer resolves provisioned service object identifiers for the principal with name 'test.subject.1' and returns an ldap dn 'uid=test.subject.1,ou=people,dc=example,dc=edu':

<psp:calcRequest returnData='identifier'>
  <psp:id ID='test.subject.1'/>
  <psp:schemaEntity targetID='ldap' entityName='member'/>
</psp:calcRequest>

<psp:calcResponse >
  <psp:id ID='test.subject.1'/>
  <psp:pso entityName='member'>
    <psoID ID='uid=test.subject.1,ou=people,dc=example,dc=edu' targetID='ldap'/>
  </psp:pso>
</psp:calcResponse>

When provisioning ldap directories, the member dn is either retrieved via an ldap grouper subject lookup or via the grouper subject source cache.

After resolving reference identifiers, a calc response is finally returned by the psp for the calc request for the principal whose id is the change log sequence number. The calc response returned by the psp represents how an add or delete membership change log entry should be provisioned, for example:

<psp:calcRequest returnData='everything'>
  <psp:id ID='change_log_sequence_number:344'/>
</psp:calcRequest>

<psp:calcResponse >
  <psp:id ID='change_log_sequence_number:344'/>
  <psp:pso entityName='groupMembership'>
    <psoID ID='cn=groupA,ou=edu,ou=groups,dc=example,dc=edu' targetID='ldap'/>
    <capabilityData ... >
      <spmlref:reference typeOfReference='member' ...>
        <spmlref:toPsoID ID='uid=test.subject.1,ou=people,dc=example,dc=edu' targetID='ldap'/>
      </spmlref:reference>
    </capabilityData>
  </psp:pso>
  <psp:pso entityName='memberMembership'>
    <psoID ID='uid=test.subject.1,ou=people,dc=example,dc=edu' targetID='ldap'/>
    <capabilityData ... >
      <spmlref:reference typeOfReference='memberOf' ... >
        <spmlref:toPsoID ID='cn=groupA,ou=edu,ou=groups,dc=example,dc=edu' targetID='ldap'/>
      </spmlref:reference>
    </capabilityData>
  </psp:pso>
</psp:calcResponse>

The next step in change log entry processing by the psp change log consumer is to determine the difference between how each object should be provisioned (the calc response) and how each object is currently provisioned.

For example, for each reference that should or should not be provisioned for an add or delete membership change log entry, the psp change log consumer performs an spml 'hasReference' search. Of course, the spml 'hasReference' search must be supported by each provisioned target implementation.
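
The difference step described above, as an added Python example (not the psp's own code): it reads the references out of a calc response and keeps only those whose current state differs from the desired one. The namespace URIs, the function names and the has_reference callback, which stands in for the spml 'hasReference' search, are assumptions.

```python
import xml.etree.ElementTree as ET

GROUP_DN = "cn=groupA,ou=edu,ou=groups,dc=example,dc=edu"
MEMBER_DN = "uid=test.subject.1,ou=people,dc=example,dc=edu"

# Constructed sample: the page's calc response with the elided attributes
# dropped and placeholder namespace URIs declared so that it parses.
CALC_RESPONSE = f"""\
<psp:calcResponse xmlns:psp='urn:example:psp' xmlns:spmlref='urn:example:spmlref'>
  <psp:id ID='change_log_sequence_number:344'/>
  <psp:pso entityName='groupMembership'>
    <psoID ID='{GROUP_DN}' targetID='ldap'/>
    <capabilityData>
      <spmlref:reference typeOfReference='member'>
        <spmlref:toPsoID ID='{MEMBER_DN}' targetID='ldap'/>
      </spmlref:reference>
    </capabilityData>
  </psp:pso>
  <psp:pso entityName='memberMembership'>
    <psoID ID='{MEMBER_DN}' targetID='ldap'/>
    <capabilityData>
      <spmlref:reference typeOfReference='memberOf'>
        <spmlref:toPsoID ID='{GROUP_DN}' targetID='ldap'/>
      </spmlref:reference>
    </capabilityData>
  </psp:pso>
</psp:calcResponse>"""

def local(tag):
    """Element name without its '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]

def calculated_references(xml_text):
    """(psoID, typeOfReference, toPsoID) for each reference in a calc response."""
    refs = []
    for pso in ET.fromstring(xml_text).iter():
        if local(pso.tag) != "pso":
            continue
        pso_id = next(e.get("ID") for e in pso if local(e.tag) == "psoID")
        for ref in pso.iter():
            if local(ref.tag) == "reference":
                to_id = next(e.get("ID") for e in ref if local(e.tag) == "toPsoID")
                refs.append((pso_id, ref.get("typeOfReference"), to_id))
    return refs

def plan_changes(should_exist, refs, has_reference):
    """Keep only references whose current state differs from the desired one.
    should_exist is True for an add membership entry, False for a delete."""
    op = "add" if should_exist else "delete"
    return [(op, *r) for r in refs if has_reference(*r) != should_exist]
```

A target where only one side of the membership is already present yields a single change, so replaying a change log entry does not write a reference that already exists.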

...