Provisioning config
Config property | Value | Description |
---|---|---|
provisioner.pspng_oneprod.provisionerName | One prod LDAP flat | Friendly provisioner name for configId pspng_oneprod. In this case it is the same |
provisioner.pspng_oneprod.class | edu.internet2.middleware.grouper.app.ldapProvisioning.LdapSync | Provisioner class. All LDAP provisioners have this value |
provisioner.pspng_oneprod.ldapExternalSystemConfigId | oneProdAd | Config ID of the LDAP external system to provision to |
provisioner.pspng_oneprod.ldapProvisioningType | groupMemberships | Can be groupMemberships (group objects with an attribute of users), or userAttributes (user objects with an attribute of groups) |
provisioner.pspng_oneprod.subjectSourcesToProvision | pennperson | Only provision subjects in this sourceId |
provisioner.pspng_oneprod.groupSearchBaseDn | OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu | When searching groups in LDAP use this baseDN |
provisioner.pspng_oneprod.userSearchBaseDn | DC=one,DC=upenn,DC=edu | When searching for users in LDAP use this baseDN |
provisioner.pspng_oneprod.common.entityLink.memberToId2 | ${targetEntity.retrieveAttributeValue('dn')} | Cache the user DN in database |
provisioner.pspng_oneprod.common.groupLink.groupToId2 | ${targetGroup.retrieveAttributeValue('dn')} | Cache the group DN in database |
provisioner.pspng_oneprod.grouperToTargetTranslationMembership.scriptCount | 1 | 1 membership translation |
provisioner.pspng_oneprod.grouperToTargetTranslationMembership.0.script | ${if (!grouperUtil.isBlank(gcGrouperSyncMember.getMemberToId2())) { grouperTargetGroup.addAttributeValueForMembership('member', gcGrouperSyncMember.getMemberToId2()); } } | If there is a user DN, then put that in the group "member" multivalued attribute |
provisioner.pspng_oneprod.grouperToTargetTranslationEntity.scriptCount | 2 | Two entity translations |
provisioner.pspng_oneprod.grouperToTargetTranslationEntity.0.script | ${grouperTargetEntity.assignAttributeValue('employeeID', grouperProvisioningEntity.getSubjectId())} | First entity script. Put the subject ID into the employeeID attribute |
provisioner.pspng_oneprod.grouperToTargetTranslationEntity.1.script | ${grouperTargetEntity.assignAttributeValue('dn', gcGrouperSyncMember.getMemberToId2() )} | Second entity script. Assign the cached user DN (memberToId2) to the dn attribute |
provisioner.pspng_oneprod.grouperToTargetTranslationGroup.scriptCount | 2 | Two group translations |
provisioner.pspng_oneprod.grouperToTargetTranslationGroup.0.script | ${grouperTargetGroup.assignAttributeValue('gidNumber', grouperProvisioningGroup.getIdIndex()); } | First group script. Put the idIndex number into the gidNumber attribute of the group in LDAP |
provisioner.pspng_oneprod.grouperToTargetTranslationGroup.1.script | ${grouperTargetGroup.assignAttributeValue('dn', 'cn=' + grouperProvisioningGroup.getName() + ',OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu'); } | Second group script. Assign the group DN to the dn attribute |
provisioner.pspng_oneprod.groupTargetIdAttribute | gidNumber | Linking groups (knowing which ones to compare) from target to grouper is done with the gidNumber attribute |
provisioner.pspng_oneprod.entityTargetIdAttribute | employeeID | Linking entities (knowing which ones to compare) from target to Grouper is done with the employeeID attribute |
provisioner.pspng_oneprod.grouperToTargetTranslationGroupCreateOnly.scriptCount | 3 | Three translations to run when creating groups |
provisioner.pspng_oneprod.grouperToTargetTranslationGroupCreateOnly.0.script | ${grouperTargetGroup.assignAttributeValue('dn', 'cn=' + grouperProvisioningGroup.getName() + ',OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu'); } | Make a flat DN where all groups are in one OU and the cn is the fully qualified group name. Note: in my Grouper there is a rule to keep extensions alphanumeric |
provisioner.pspng_oneprod.grouperToTargetTranslationGroupCreateOnly.1.script | ${grouperTargetGroup.assignAttributeValue('cn', grouperProvisioningGroup.getName()); } | Set the CN to the fully qualified group name |
provisioner.pspng_oneprod.grouperToTargetTranslationGroupCreateOnly.2.script | ${grouperTargetGroup.assignAttributeValue('objectClass', grouperUtil.toSet('group')); } | Object class is group (multivalued attribute with one value) |
provisioner.pspng_oneprod.groupSearchAllFilter | objectclass=group | When searching for all groups, use this filter |
provisioner.pspng_oneprod.userSearchAllFilter | employeeID=* | When searching for all users, use this filter |
provisioner.pspng_oneprod.userSearchFilter | employeeID=${targetEntity.retrieveAttributeValue('employeeID')} | When searching for one user, this is the filter |
provisioner.pspng_oneprod.groupSearchFilter | (&(objectclass=group) (gidNumber=${targetGroup.retrieveAttributeValue('gidNumber')})) | When searching for one group, this is the filter |
provisioner.pspng_oneprod.userSearchAttributes | dn | We don't need much when searching users, just dn |
provisioner.pspng_oneprod.groupSearchAttributes | dn,gidNumber | Attributes to retrieve for groups |
provisioner.pspng_oneprod.createEntities | false | Don't create users |
provisioner.pspng_oneprod.deleteEntities | false | Don't delete users |
provisioner.pspng_oneprod.createGroups | true | Yes, create missing groups |
provisioner.pspng_oneprod.deleteGroups | true | Yes, delete groups which shouldn't be there |
provisioner.pspng_oneprod.groupAttributeNameForMemberships | member | Attribute to put users in |
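To make the table concrete, here is an added example (not Grouper's own code) that models what the pspng_oneprod translation scripts and linking settings above make the provisioner compute: the flat group DN, gidNumber from idIndex, member values only for users whose DN is cached, and the create/delete/membership diff keyed by gidNumber. All group names, subject ids and DNs are constructed sample data.

```python
# Added example, not Grouper's own code: a model of what the pspng_oneprod
# translation scripts and linking settings above make the provisioner compute,
# run over constructed sample data (names, ids and DNs are made up).
GROUP_OU = "OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu"

def expected_group(group, entity_dn_cache):
    """Apply the group, group-create-only and membership translation scripts.
    group: {"name", "idIndex", "members": [subjectId, ...]};
    entity_dn_cache: subjectId -> cached user DN (memberToId2)."""
    target = {
        "dn": f"cn={group['name']},{GROUP_OU}",  # flat DN, cn is the full group name
        "cn": group["name"],
        "objectClass": {"group"},
        "gidNumber": group["idIndex"],           # Grouper idIndex becomes gidNumber
        "member": set(),
    }
    for subject_id in group["members"]:
        dn = entity_dn_cache.get(subject_id)
        if dn:                                   # membership script: only when a DN is cached
            target["member"].add(dn)
    return target

def plan(grouper_groups, entity_dn_cache, ldap_groups, create_groups=True, delete_groups=True):
    """Diff Grouper against the target, linking groups by gidNumber (groupTargetIdAttribute).
    ldap_groups is what groupSearchAllFilter returns. Returns (creates, deletes, adds, removes)."""
    wanted = {g["idIndex"]: expected_group(g, entity_dn_cache) for g in grouper_groups}
    have = {g["gidNumber"]: g for g in ldap_groups}
    creates = [wanted[gid] for gid in wanted if gid not in have] if create_groups else []
    deletes = [have[gid]["dn"] for gid in have if gid not in wanted] if delete_groups else []
    adds, removes = {}, {}
    for gid in wanted.keys() & have.keys():
        dn, current = have[gid]["dn"], set(have[gid].get("member", []))
        adds[dn] = sorted(wanted[gid]["member"] - current)
        removes[dn] = sorted(current - wanted[gid]["member"])
    return creates, deletes, adds, removes

# Constructed sample: one user has a cached DN, one does not (createEntities is
# false, so an unknown user simply contributes no member value).
PEOPLE = "OU=People,DC=one,DC=upenn,DC=edu"
GROUPS = [
    {"name": "penn:apps:wiki:users", "idIndex": 10001, "members": ["11111111", "22222222"]},
    {"name": "penn:apps:wiki:admins", "idIndex": 10002, "members": ["11111111"]},
]
DN_CACHE = {"11111111": f"CN=alice,{PEOPLE}"}
LDAP_GROUPS = [
    {"dn": f"cn=penn:apps:wiki:users,{GROUP_OU}", "gidNumber": 10001, "member": [f"CN=bob,{PEOPLE}"]},
    {"dn": f"cn=stale:group,{GROUP_OU}", "gidNumber": 99999, "member": []},
]

def sample_plan():
    return plan(GROUPS, DN_CACHE, LDAP_GROUPS)
```

Calling sample_plan() shows the admins group being created, the stale group being deleted (deleteGroups=true), alice added to and bob removed from the users group's member attribute.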
PSPNG config (legacy)
changeLog.consumer.pspng_oneprod.groupSearchAttributes = cn,gidNumber,samAccountName,objectclass
changeLog.consumer.pspng_oneprod.userSearchFilter = employeeID=${subject.id}
changeLog.consumer.pspng_oneprod.allGroupsSearchFilter = objectclass=group
changeLog.consumer.pspng_oneprod.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: group||gidNumber: ${group.idIndex}
changeLog.consumer.pspng_oneprod.singleGroupSearchFilter = (&(objectclass=group)(gidNumber=${idIndex}))
changeLog.consumer.pspng_oneprod.groupSearchBaseDn = OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu
changeLog.consumer.pspng_oneprod.userSearchBaseDn = DC=one,DC=upenn,DC=edu
changeLog.consumer.pspng_oneprod.grouperIsAuthoritative = true
changeLog.consumer.pspng_oneprod.userSearchAttributes = dn,cn,uid,mail,samAccountName, uidNumber,objectclass,employeeID
changeLog.consumer.pspng_oneprod.ldapPoolName = oneProdAd
changeLog.consumer.pspng_oneprod.isActiveDirectory = true
changeLog.consumer.pspng_oneprod.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.pspng_oneprod.memberAttributeName = member
changeLog.consumer.pspng_oneprod.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner