@khazelton
Last active March 6, 2020 15:37
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright (c) 2019 Evolveum and contributors
~
~ This work is dual-licensed under the Apache License 2.0
~ and European Union Public License. See LICENSE file for details.
-->
<!--x OID generated by mP at resource creation time (import resource connection); mP will honor one if it's already provided x-->
<resource oid="0a37121f-d515-4a23-9b6d-554c5ef61272"
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3' xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
xmlns:my="http://whatever.com/my" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3"
xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
<!--x what shows up in the UI --> <name>LDAP (directory)</name>
<connectorRef type="ConnectorType">
<filter>
<q:equal>
<q:path>c:connectorType</q:path>
<q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value>
</q:equal>
</filter>
</connectorRef>
<connectorConfiguration
xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
<icfc:configurationProperties
xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
<!--x 636 ldaps or TLS to 389: Lay out the options; Channel binding (TLS-based) will soon be required by Microsoft x--> <icfcldap:port>389</icfcldap:port>
<!--x LDAP server name: most likely an FQDN in real deployments.
Could use an IP address as below, but not recommended x--> <icfcldap:host>directory</icfcldap:host>
<!-- <icfcldap:host>192.168.56.101</icfcldap:host> -->
<!--x x--> <icfcldap:baseContext>dc=internet2,dc=edu</icfcldap:baseContext>
<!--x Ideally this should be a service account (cn=midpoint, ou=services...) for the mP service x--> <icfcldap:bindDn>cn=Directory Manager</icfcldap:bindDn>
<!--x x--> <icfcldap:bindPassword>
<!--x will get encrypted at import x--> <t:clearValue>password</t:clearValue>
</icfcldap:bindPassword>
<!--x 389ds: nsUniqueId; varies by server. UUID of the LDAP entries, the non-mutable identifier, server managed, depends on the particular LDAP server x--> <icfcldap:uidAttribute>nsUniqueId</icfcldap:uidAttribute>
<!--x does the server support it? performance issues with different strategies; spr? x--> <icfcldap:pagingStrategy>spr</icfcldap:pagingStrategy>
<!--x look at examples to see, AD global dir, etc. x--><!-- <icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute> -->
<!--x varies by server and what you're trying to do; attrs to bring back regardless x--> <icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
<!--x OpenLDAP memberOf is managed by an overlay x--> <icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
<icfcldap:operationalAttributes>nsAccountLock</icfcldap:operationalAttributes>
<!--x 389DS doesn't support usePermissiveModify; passwordHashAlgorithm: different strokes for different servers x-->
<!-- <icfcldap:usePermissiveModify>always</icfcldap:usePermissiveModify>
<icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm> -->
<!-- <icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute> <icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule> -->
</icfc:configurationProperties>
<icfc:resultsHandlerConfiguration>
<!--x make sure these are set to false; Inside resource, accounts, resource view doesn't show attrs if this is set to true x--> <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
<!--x x--> <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
<!--x x--> <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
</icfc:resultsHandlerConfiguration>
</connectorConfiguration>
<schema>
<generationConstraints>
<!--x constrains what OCs come back; what role, if any, does it play in provisioning? x--> <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
<!--x dn or group name? isMemberOf: friendly grouper-like name on the person; memberOf is a DN. Setting object classes x--> <generateObjectClass>ri:eduPerson</generateObjectClass>
<!--x reference dn, x--><generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
<generateObjectClass>ri:groupOfNames</generateObjectClass>
<generateObjectClass>ri:organizationalUnit</generateObjectClass>
</generationConstraints>
</schema>
<schemaHandling>
<objectType>
<kind>account</kind>
<displayName>Normal Account</displayName>
<default>true</default>
<objectClass>ri:inetOrgPerson</objectClass>
<auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass>
<attribute>
<ref>ri:dn</ref>
<displayName>Distinguished Name</displayName>
<limitations>
<minOccurs>0</minOccurs>
</limitations>
<tolerant>false</tolerant>
<matchingRule>mr:distinguishedName</matchingRule>
<outbound>
<strength>strong</strength>
<source>
<path>name</path>
</source>
<expression>
<script>
<code>
'uid=' + name + ',ou=People,dc=internet2,dc=edu'
</code>
</script>
</expression>
</outbound>
</attribute>
<attribute>
<ref>ri:cn</ref>
<displayName>Common Name</displayName>
<limitations>
<minOccurs>0</minOccurs>
</limitations>
<tolerant>false</tolerant>
<outbound>
<strength>strong</strength>
<source>
<path>fullName</path>
</source>
</outbound>
</attribute>
<attribute>
<ref>ri:sn</ref>
<displayName>Surname</displayName>
<limitations>
<minOccurs>0</minOccurs>
</limitations>
<tolerant>false</tolerant>
<outbound>
<strength>strong</strength>
<source>
<path>familyName</path>
</source>
</outbound>
</attribute>
<attribute>
<ref>ri:givenName</ref>
<displayName>Given Name</displayName>
<limitations>
<minOccurs>0</minOccurs>
</limitations>
<tolerant>false</tolerant>
<outbound>
<strength>strong</strength>
<source>
<path>givenName</path>
</source>
</outbound>
</attribute>
<attribute>
<!--x x--> <ref>ri:uid</ref>
<displayName>Login Name</displayName>
<tolerant>false</tolerant>
<matchingRule>mr:stringIgnoreCase</matchingRule>
<outbound>
<strength>strong</strength>
<source>
<!--x x--> <path>name</path>
</source>
</outbound>
</attribute>
<attribute>
<ref>ri:mail</ref>
<displayName>Mail</displayName>
<matchingRule>mr:stringIgnoreCase</matchingRule>
<tolerant>false</tolerant>
<outbound>
<strength>strong</strength>
<source>
<path>emailAddress</path>
</source>
</outbound>
</attribute>
<attribute>
<ref>ri:employeeNumber</ref>
<tolerant>false</tolerant>
<outbound>
<strength>strong</strength>
<source>
<path>employeeNumber</path>
</source>
</outbound>
</attribute>
<attribute>
<ref>ri:businessCategory</ref>
<tolerant>false</tolerant>
</attribute>
<!-- <attribute>
<ref>ri:eduPersonAffiliation</ref>
<outbound>
<strength>strong</strength>
<source>
<path>extension/rawAffiliation</path>
</source>
</outbound>
<tolerant>false</tolerant>
</attribute> -->
<!--x ? x--> <association>
<tolerant>false</tolerant>
<ref>ri:group</ref>
<kind>entitlement</kind>
<intent>group</intent>
<direction>objectToSubject</direction>
<associationAttribute>ri:uniqueMember</associationAttribute>
<valueAttribute>ri:dn</valueAttribute>
</association>
<protected>
<filter>
<q:equal>
<q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#distinguishedName</q:matching>
<q:path>attributes/ri:dn</q:path>
<!--x x--> <q:value>cn=root,dc=internet2,dc=edu</q:value>
</q:equal>
</filter>
</protected>
<credentials>
<password>
<outbound/>
</password>
</credentials>
</objectType>
<!-- mP tries to put empty groups out there, but OpenLDAP won't accept empty groups, so you have to put "nobody" in empty groups; enhance this? -->
<objectType>
<kind>entitlement</kind>
<intent>group</intent>
<displayName>LDAP Group</displayName>
<objectClass>ri:groupOfUniqueNames</objectClass>
<attribute>
<ref>ri:uniqueMember</ref>
<matchingRule>mr:distinguishedName</matchingRule>
<fetchStrategy>minimal</fetchStrategy>
</attribute>
<attribute>
<ref>ri:dn</ref>
<matchingRule>mr:distinguishedName</matchingRule>
<outbound>
<strength>strong</strength>
<source>
<path>extension/ldapDn</path>
</source>
</outbound>
</attribute>
<attribute>
<ref>ri:cn</ref>
<matchingRule>mr:stringIgnoreCase</matchingRule>
<outbound>
<strength>weak</strength>
<source>
<path>identifier</path>
</source>
</outbound>
</attribute>
<attribute>
<ref>ri:uniqueMember</ref>
<matchingRule>mr:distinguishedName</matchingRule>
<fetchStrategy>minimal</fetchStrategy>
</attribute>
</objectType>
</schemaHandling>
<synchronization>
<objectSynchronization>
<enabled>true</enabled>
<correlation>
<q:equal>
<q:path>name</q:path>
<expression>
<path>
declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
$projection/attributes/ri:uid
</path>
</expression>
</q:equal>
</correlation>
<reaction>
<situation>linked</situation>
<synchronize>true</synchronize>
</reaction>
<reaction>
<situation>deleted</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
</action>
</reaction>
<reaction>
<situation>unlinked</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
</action>
</reaction>
<reaction>
<situation>unmatched</situation>
</reaction>
</objectSynchronization>
<objectSynchronization>
<name>group sync</name>
<objectClass>ri:groupOfUniqueNames</objectClass>
<kind>entitlement</kind>
<intent>group</intent>
<focusType>OrgType</focusType>
<enabled>true</enabled>
<condition>
<script>
<code>
import javax.naming.ldap.*
dn = new LdapName(basic.getAttributeValue(projection, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'dn'))
<!--x start x--> dn.startsWith(new
<!-- which OUs get synced --> LdapName('ou=Affiliations,ou=Groups,dc=internet2,dc=edu')) ||
dn.startsWith(new LdapName('ou=Courses,ou=Groups,dc=internet2,dc=edu')) ||
dn.startsWith(new LdapName('ou=generic,ou=Groups,dc=internet2,dc=edu')) ||
dn.startsWith(new LdapName('ou=midpoint,ou=Groups,dc=internet2,dc=edu'))
<!--x end x-->
</code>
</script>
</condition>
<correlation>
<q:equal>
<q:path>extension/ldapDn</q:path>
<expression>
<path>$projection/attributes/ri:dn</path>
</expression>
</q:equal>
</correlation>
<reaction>
<situation>linked</situation>
<synchronize>true</synchronize>
</reaction>
<reaction>
<situation>deleted</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
</action>
</reaction>
<reaction>
<situation>unlinked</situation>
<synchronize>true</synchronize>
<action>
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
</action>
</reaction>
<reaction>
<situation>unmatched</situation>
</reaction>
</objectSynchronization>
</synchronization>
<consistency>
<avoidDuplicateValues>true</avoidDuplicateValues>
</consistency>
</resource>
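Two places in the resource above treat DNs as strings: the outbound ri:dn expression builds `'uid=' + name + ',ou=People,dc=internet2,dc=edu'` by plain concatenation, and the group sync `<condition>` uses `javax.naming.ldap.LdapName.startsWith` to decide which group OUs get synchronized. The Python below is an added example, not code from the gist or from midPoint, showing the two checks a practitioner would want around those: escaping the RDN value before concatenating it (a `name` containing `,` or `+` would otherwise change the structure of the DN), and matching DN suffixes component by component the way `LdapName.startsWith` does, rather than with a string `endswith`. The helper names (`escape_rdn_value`, `parse_dn`, `dn_starts_with`, `group_in_sync_scope`) and the sample DNs are this example's own; the base DNs are the ones the resource uses.

```python
# Added example (not from the gist or midPoint): RFC 4514-style DN handling in
# plain Python. Function names are this example's own; the base DNs below are
# copied from the resource's group sync condition.
from typing import List, Tuple

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;')

# Group OUs that the resource's sync condition accepts.
SYNCED_GROUP_OUS = [
    'ou=Affiliations,ou=Groups,dc=internet2,dc=edu',
    'ou=Courses,ou=Groups,dc=internet2,dc=edu',
    'ou=generic,ou=Groups,dc=internet2,dc=edu',
    'ou=midpoint,ou=Groups,dc=internet2,dc=edu',
]


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN.

    The outbound ri:dn expression concatenates `name` directly; escaping keeps
    a name with ',' '+' or a leading '#' from being read as extra RDNs.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def account_dn(name: str) -> str:
    """Hardened form of the resource's outbound expression for ri:dn."""
    return 'uid=' + escape_rdn_value(name) + ',ou=People,dc=internet2,dc=edu'


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring backslash escapes.

    Simplifications: multi-valued RDNs ('+') are not split, hex escapes are
    decoded one byte at a time, and type and value are lower-cased so that the
    comparison is case-insensitive like midPoint's mr:distinguishedName.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            if i + 1 < len(dn) and (dn[i + 1] in _SPECIAL or dn[i + 1] in ' #='):
                buf.append(dn[i + 1])
                i += 2
                continue
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in '0123456789abcdefABCDEF' for c in pair):
                buf.append(chr(int(pair, 16)))
                i += 3
                continue
            raise ValueError(f'bad escape at offset {i} in {dn!r}')
        if ch == ',':
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(''.join(buf))
    result = []
    for rdn in rdns:
        if '=' not in rdn:
            raise ValueError(f'RDN without "=" in {dn!r}')
        attr_type, attr_value = rdn.split('=', 1)
        result.append((attr_type.strip().lower(), attr_value.strip().lower()))
    return result


def dn_starts_with(dn: str, base: str) -> bool:
    """Component-wise equivalent of javax.naming.ldap.LdapName.startsWith(base).

    LdapName numbers RDNs from the root, so "starts with" means the DN's tail
    components equal `base`. A plain str.endswith would also accept an RDN type
    that merely ends in the same letters ('xou=' against 'ou=').
    """
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def group_in_sync_scope(dn: str) -> bool:
    """Same decision as the resource's group sync <condition>, for a DN string."""
    return any(dn_starts_with(dn, base) for base in SYNCED_GROUP_OUS)


if __name__ == '__main__':
    # Constructed sample values, not real directory data.
    print(account_dn('alice,ou=Admins'))
    print(group_in_sync_scope('cn=staff,ou=Affiliations,ou=Groups,dc=internet2,dc=edu'))
```

The escaping is what the Groovy expression in the resource would need if `name` can ever carry characters from the RFC 4514 special set; the component-wise match is what `LdapName` already gives the Groovy condition, and the example makes explicit why a string comparison is not a substitute for it.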