<?xml version="1.0" encoding="UTF-8"?> | |
<!-- | |
~ Copyright (c) 2019 Evolveum and contributors | |
~ | |
~ This work is dual-licensed under the Apache License 2.0 | |
~ and European Union Public License. See LICENSE file for details. | |
--> | |
<!-- Resource OID. midPoint generates one at resource creation (import) time, but honors an oid that is already supplied, as it is here. -->
<resource oid="0a37121f-d515-4a23-9b6d-554c5ef61272" | |
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" | |
xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3' xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" | |
xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3" | |
xmlns:my="http://whatever.com/my" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" | |
xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3" | |
xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"> | |
<!-- Resource name as shown in the midPoint UI. --> <name>LDAP (directory)</name>
<connectorRef type="ConnectorType"> | |
<filter> | |
<q:equal> | |
<q:path>c:connectorType</q:path> | |
<q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value> | |
</q:equal> | |
</filter> | |
</connectorRef> | |
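<connectorConfiguration
        xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
    <!-- icfc: is already declared on the <resource> root; only the connector-specific icfcldap: prefix is declared here. -->
    <icfc:configurationProperties>
        <!-- Transport security. The connector performs a simple bind with bindDn/bindPassword (below) and
             midPoint pushes account passwords outbound (see <credentials> in the account objectType), so on
             a plain port-389 connection those secrets cross the wire in clear. Pick one of:
               LDAPS:    port 636 + connectionSecurity=ssl       (configured here)
               StartTLS: port 389 + connectionSecurity=starttls
             Leaving connectionSecurity unset on port 389 means no encryption at all. Microsoft has also
             announced LDAP channel binding requirements for AD, which likewise depend on TLS. -->
        <icfcldap:port>636</icfcldap:port>
        <icfcldap:connectionSecurity>ssl</icfcldap:connectionSecurity>
        <!-- LDAP server name. In a real deployment this must be the FQDN the server's TLS certificate
             was issued for. An IP address (e.g. 192.168.56.101) works in a lab but defeats hostname
             verification of the certificate, so it is not recommended. -->
        <icfcldap:host>directory</icfcldap:host>
        <icfcldap:baseContext>dc=internet2,dc=edu</icfcldap:baseContext>
        <!-- Bind identity. cn=Directory Manager is the 389DS super-user; for anything beyond a lab use a
             dedicated, least-privilege service account (e.g. cn=midpoint,ou=services,dc=internet2,dc=edu)
             whose ACIs are limited to the subtrees midPoint actually manages. -->
        <icfcldap:bindDn>cn=Directory Manager</icfcldap:bindDn>
        <icfcldap:bindPassword>
            <!-- midPoint encrypts clearValue on import, but this file itself is stored in clear:
                 replace the placeholder before use and never commit a real password in this element. -->
            <t:clearValue>password</t:clearValue>
        </icfcldap:bindPassword>
        <!-- Immutable, server-managed entry identifier. nsUniqueId is 389DS-specific; other servers use a
             different attribute (e.g. entryUUID on OpenLDAP). -->
        <icfcldap:uidAttribute>nsUniqueId</icfcldap:uidAttribute>
        <!-- Paging strategy. "spr" = Simple Paged Results control. Whether the server supports it, and how
             it performs compared with VLV, varies by server; check the server's supported controls. -->
        <icfcldap:pagingStrategy>spr</icfcldap:pagingStrategy>
        <!-- VLV sorting is only needed where the server requires it (AD global catalog, etc.):
        <icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute>
        -->
        <!-- Operational attributes to return on every read. Which ones exist depends on the server and on
             what the deployment needs: on OpenLDAP memberOf is maintained by the memberof overlay;
             nsAccountLock is the 389DS account-lock flag. -->
        <icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
        <icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
        <icfcldap:operationalAttributes>nsAccountLock</icfcldap:operationalAttributes>
        <!-- Server-specific options not used with 389DS (permissive modify is not supported there).
             passwordHashAlgorithm makes the connector hash passwords itself before sending them; it is
             left unset so the server applies its own password storage scheme.
        <icfcldap:usePermissiveModify>always</icfcldap:usePermissiveModify>
        <icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm>
        <icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute>
        <icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
        -->
    </icfc:configurationProperties>
    <icfc:resultsHandlerConfiguration>
        <!-- Keep all three ConnId result handlers disabled. With them enabled the resource's account view
             in the UI shows no attributes (per the original note on the normalizing handler). -->
        <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
        <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
        <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
    </icfc:resultsHandlerConfiguration>
</connectorConfiguration>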
<schema> | |
<generationConstraints> | |
<!-- Restricts which object classes midPoint generates into the resource schema. Only classes listed here are available to the objectType definitions in schemaHandling below; this list does not provision anything by itself. -->
<generateObjectClass>ri:inetOrgPerson</generateObjectClass>
<!-- eduPerson is used as an auxiliary object class on accounts. Membership attributes differ: memberOf holds a group DN, whereas isMemberOf is a Grouper-style friendly group name on the person entry. -->
<generateObjectClass>ri:eduPerson</generateObjectClass>
<!--x reference dn, x--><generateObjectClass>ri:groupOfUniqueNames</generateObjectClass> | |
<generateObjectClass>ri:groupOfNames</generateObjectClass> | |
<generateObjectClass>ri:organizationalUnit</generateObjectClass> | |
</generationConstraints> | |
</schema> | |
<schemaHandling> | |
<objectType> | |
<kind>account</kind> | |
<displayName>Normal Account</displayName> | |
<default>true</default> | |
<objectClass>ri:inetOrgPerson</objectClass> | |
<auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass> | |
<attribute> | |
<ref>ri:dn</ref> | |
<displayName>Distinguished Name</displayName> | |
<limitations> | |
<minOccurs>0</minOccurs> | |
</limitations> | |
<tolerant>false</tolerant> | |
<matchingRule>mr:distinguishedName</matchingRule> | |
<outbound> | |
<strength>strong</strength> | |
<source> | |
<path>name</path> | |
</source> | |
<expression> | |
<script> | |
<code> | |
'uid=' + name + ',ou=People,dc=internet2,dc=edu' | |
</code> | |
</script> | |
</expression> | |
</outbound> | |
</attribute> | |
<attribute> | |
<ref>ri:cn</ref> | |
<displayName>Common Name</displayName> | |
<limitations> | |
<minOccurs>0</minOccurs> | |
</limitations> | |
<tolerant>false</tolerant> | |
<outbound> | |
<strength>strong</strength> | |
<source> | |
<path>fullName</path> | |
</source> | |
</outbound> | |
</attribute> | |
<attribute> | |
<ref>ri:sn</ref> | |
<displayName>Surname</displayName> | |
<limitations> | |
<minOccurs>0</minOccurs> | |
</limitations> | |
<tolerant>false</tolerant> | |
<outbound> | |
<strength>strong</strength> | |
<source> | |
<path>familyName</path> | |
</source> | |
</outbound> | |
</attribute> | |
<attribute> | |
<ref>ri:givenName</ref> | |
<displayName>Given Name</displayName> | |
<limitations> | |
<minOccurs>0</minOccurs> | |
</limitations> | |
<tolerant>false</tolerant> | |
<outbound> | |
<strength>strong</strength> | |
<source> | |
<path>givenName</path> | |
</source> | |
</outbound> | |
</attribute> | |
<attribute> | |
<!--x x--> <ref>ri:uid</ref> | |
<displayName>Login Name</displayName> | |
<tolerant>false</tolerant> | |
<matchingRule>mr:stringIgnoreCase</matchingRule> | |
<outbound> | |
<strength>strong</strength> | |
<source> | |
<!--x x--> <path>name</path> | |
</source> | |
</outbound> | |
</attribute> | |
<attribute> | |
<ref>ri:mail</ref> | |
<displayName>Mail</displayName> | |
<matchingRule>mr:stringIgnoreCase</matchingRule> | |
<tolerant>false</tolerant> | |
<outbound> | |
<strength>strong</strength> | |
<source> | |
<path>emailAddress</path> | |
</source> | |
</outbound> | |
</attribute> | |
<attribute> | |
<ref>ri:employeeNumber</ref> | |
<tolerant>false</tolerant> | |
<outbound> | |
<strength>strong</strength> | |
<source> | |
<path>employeeNumber</path> | |
</source> | |
</outbound> | |
</attribute> | |
<attribute> | |
<ref>ri:businessCategory</ref> | |
<tolerant>false</tolerant> | |
</attribute> | |
<!-- <attribute> | |
<ref>ri:eduPersonAffiliation</ref> | |
<outbound> | |
<strength>strong</strength> | |
<source> | |
<path>extension/rawAffiliation</path> | |
</source> | |
</outbound> | |
<tolerant>false</tolerant> | |
</attribute> --> | |
<!-- Group membership association: membership is held on the group side (objectToSubject), in the group's uniqueMember attribute, as the account's dn. --> <association>
<tolerant>false</tolerant> | |
<ref>ri:group</ref> | |
<kind>entitlement</kind> | |
<intent>group</intent> | |
<direction>objectToSubject</direction> | |
<associationAttribute>ri:uniqueMember</associationAttribute> | |
<valueAttribute>ri:dn</valueAttribute> | |
</association> | |
<protected> | |
<filter> | |
<q:equal> | |
<q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#distinguishedName</q:matching> | |
<q:path>attributes/ri:dn</q:path> | |
<!-- Protected objects are never created, modified, deleted or synchronized by midPoint. List every administrative entry that lives under the base context here; if the connector's bind identity is moved to a service-account entry in the tree (e.g. cn=midpoint,ou=services,dc=internet2,dc=edu), add its DN as well so provisioning can never lock midPoint out. An equal filter matches exactly one DN; wrap several in q:or. --> <q:value>cn=root,dc=internet2,dc=edu</q:value>
</q:equal> | |
</filter> | |
</protected> | |
<credentials> | |
<password> | |
<outbound/> | |
</password> | |
</credentials> | |
</objectType> | |
<!-- midPoint may try to create a group with no members, but groupOfUniqueNames requires at least one uniqueMember and OpenLDAP rejects an empty group, so a placeholder member ("nobody") has to be kept in otherwise-empty groups. Known limitation; worth handling in this object type. -->
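<objectType>
    <kind>entitlement</kind>
    <intent>group</intent>
    <displayName>LDAP Group</displayName>
    <objectClass>ri:groupOfUniqueNames</objectClass>
    <!-- Membership attribute, defined once (the original listed it twice with identical settings).
         fetchStrategy=minimal: member lists can be large, so they are not fetched unless explicitly requested. -->
    <attribute>
        <ref>ri:uniqueMember</ref>
        <matchingRule>mr:distinguishedName</matchingRule>
        <fetchStrategy>minimal</fetchStrategy>
    </attribute>
    <!-- The group DN is taken verbatim from the org's extension/ldapDn. This must stay in step with the
         "group sync" correlation rule below, which matches incoming groups on the same property. -->
    <attribute>
        <ref>ri:dn</ref>
        <matchingRule>mr:distinguishedName</matchingRule>
        <outbound>
            <strength>strong</strength>
            <source>
                <path>extension/ldapDn</path>
            </source>
        </outbound>
    </attribute>
    <!-- cn defaults to the org identifier; the mapping is weak, so an existing cn on the LDAP side is kept. -->
    <attribute>
        <ref>ri:cn</ref>
        <matchingRule>mr:stringIgnoreCase</matchingRule>
        <outbound>
            <strength>weak</strength>
            <source>
                <path>identifier</path>
            </source>
        </outbound>
    </attribute>
</objectType>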
</schemaHandling> | |
<synchronization> | |
<objectSynchronization> | |
<enabled>true</enabled> | |
<correlation> | |
<q:equal> | |
<q:path>name</q:path> | |
<expression> | |
<path> | |
declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"; | |
$projection/attributes/ri:uid | |
</path> | |
</expression> | |
</q:equal> | |
</correlation> | |
<reaction> | |
<situation>linked</situation> | |
<synchronize>true</synchronize> | |
</reaction> | |
<reaction> | |
<situation>deleted</situation> | |
<synchronize>true</synchronize> | |
<action> | |
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri> | |
</action> | |
</reaction> | |
<reaction> | |
<situation>unlinked</situation> | |
<synchronize>true</synchronize> | |
<action> | |
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri> | |
</action> | |
</reaction> | |
<reaction> | |
<situation>unmatched</situation> | |
</reaction> | |
</objectSynchronization> | |
<objectSynchronization> | |
<name>group sync</name> | |
<objectClass>ri:groupOfUniqueNames</objectClass> | |
<kind>entitlement</kind> | |
<intent>group</intent> | |
<focusType>OrgType</focusType> | |
<enabled>true</enabled> | |
<condition> | |
<script> | |
<code> | |
import javax.naming.ldap.* | |
dn = new LdapName(basic.getAttributeValue(projection, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'dn')) | |
<!--x start x--> dn.startsWith(new | |
<!-- which OUs get synced --> LdapName('ou=Affiliations,ou=Groups,dc=internet2,dc=edu')) || | |
dn.startsWith(new LdapName('ou=Courses,ou=Groups,dc=internet2,dc=edu')) || | |
dn.startsWith(new LdapName('ou=generic,ou=Groups,dc=internet2,dc=edu')) || | |
dn.startsWith(new LdapName('ou=midpoint,ou=Groups,dc=internet2,dc=edu')) | |
<!--x end x--> | |
</code> | |
</script> | |
</condition> | |
<correlation> | |
<q:equal> | |
<q:path>extension/ldapDn</q:path> | |
<expression> | |
<path>$projection/attributes/ri:dn</path> | |
</expression> | |
</q:equal> | |
</correlation> | |
<reaction> | |
<situation>linked</situation> | |
<synchronize>true</synchronize> | |
</reaction> | |
<reaction> | |
<situation>deleted</situation> | |
<synchronize>true</synchronize> | |
<action> | |
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri> | |
</action> | |
</reaction> | |
<reaction> | |
<situation>unlinked</situation> | |
<synchronize>true</synchronize> | |
<action> | |
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri> | |
</action> | |
</reaction> | |
<reaction> | |
<situation>unmatched</situation> | |
</reaction> | |
</objectSynchronization> | |
</synchronization> | |
<consistency> | |
<avoidDuplicateValues>true</avoidDuplicateValues> | |
</consistency> | |
</resource> |