Sunday, May 18, 2014

Adding new attribute to Grouper psp provisioning

Use Case:

I want to update the LDAP attribute named affiliations using Grouper PSP provisioning.

The following tasks need to be performed to add a new attribute to Grouper PSP provisioning:

1. Create Attribute Definition

Create the new attribute definition as etc:attribute:affiliations.

1.1 Open the Grouper Command Prompt

Go to the apiBinary-2.1.5/bin directory and execute the gsh.sh file.

1.2 Restart the Grouper Session

grouperSession = GrouperSession.startRootSession();

1.3 Search the Grouper Folder

folder = StemFinder.findByName(grouperSession, "etc:attribute",true)

1.4 Create the Grouper Attribute Definition

attributeDef = folder.addChildAttributeDef("affiliations", AttributeDefType.attr);
// assigning to member object
attributeDef.setAssignToMember(true);
// this attribute is a multivalued attribute
attributeDef.setMultiValued(true);
// setting the data type
attributeDef.setValueType(AttributeDefValueType.string);
//Assign to multiple objects
attributeDef.setMultiAssignable(true);
attributeDef.store();

In the above example, the attribute definition name is affiliations. To use a different attribute definition name, replace affiliations with your own.


2. Adding Attribute Name

attrName = folder.addChildAttributeDefName(attributeDef,"affiliations","affiliations");

In the above example, the attribute name is affiliations. To use a different attribute name, replace affiliations with your own.

3. Adding psp affiliation attribute in psp.xml file

Go to the apiBinary-2.1.5/conf directory, edit the psp.xml file, and add the following.

<!-- Provision a member's affiliation triggered by the grouper change log. -->

  <pso id="affiliation">

    <!-- The ldap member DN calculated from the member  change log events. -->
    <identifier
      ref="changeLogAffiliationMemberDn"
      targetId="ldap"
      containerId="${edu.internet2.middleware.psp.peopleBaseDn}" />

    <!-- The ldap member "objectClass" attribute. No existing values will be deleted since retainAll is true. -->
    <attribute
      name="objectClass"
      ref="memberObjectclass"
      retainAll="true" />

    <!-- The ldap attribute "affiliations" to provision on the person object. -->
    <attribute
      name="affiliations"
      ref="affiliationchangeLogMember" />
  </pso>

The psp.xml entries above use ref attributes. These references are defined in the psp-resolver.xml file; see sections 4 (Defining the Data Connectors) and 5 (Defining Attribute Definitions).

4. Defining the Data Connectors 

Go to the apiBinary-2.1.5/conf directory, edit the psp-resolver.xml file, and add the following data connectors. These connectors retrieve data from the grouper_change_log_entry table. The filters use the variables category, attributeAssignType and action. These values are available in the grouper_change_log_type table, and you can change them according to the object you are assigning to (member, group, membership, etc.).

4.1 Retrieving the affiliations Data from the Change Log


<!-- Defining the DataConnector to retrieve the change log entry based on the category=attributeAssignValue and attributeAssignType="member" -->

<resolver:DataConnector
    id="MemberAttributeAssignValueChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The AND filter matches both child filters. -->
    <grouper:Filter xsi:type="grouper:AND">
      <!-- The ChangeLogEntry filter matches change log entries with the given category. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogEntry"
        category="attributeAssignValue" />
      <!-- The ChangeLogAttributeAssignType filter matches change log entries with the given attribute assign type. -->
      <grouper:Filter
        xsi:type="psp-grouper-changelog:ChangeLogAttributeAssignType"
        attributeAssignType="member" />
    </grouper:Filter>
</resolver:DataConnector>

4.2 Retrieving the affiliations Data Add Operation to build the Ldap DN

 <!-- Retrieving the Add attribute value from the change log entry-->
 <resolver:DataConnector
    id="AddAffiliationChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter
      xsi:type="psp-grouper-changelog:ChangeLogEntry"
      category="attributeAssignValue"
      action="addAttributeAssignValue" />
  </resolver:DataConnector>

4.3 Retrieving the affiliations Data Delete Operation to build the Ldap DN

<!-- Retrieving the Deleted Value from the Change Log Entry  -->
<resolver:DataConnector
    id="DeleteAffiliationChangeLogDataConnector"
    xsi:type="psp-grouper-changelog:ChangeLogDataConnector">
    <!-- The ChangeLogEntry filter matches change log entries with the given category and action. -->
    <grouper:Filter
      xsi:type="psp-grouper-changelog:ChangeLogEntry"
      category="attributeAssignValue"
      action="deleteAttributeAssignValue" />
  </resolver:DataConnector>

5. Defining Attribute Definitions

Go to the apiBinary-2.1.5/conf directory, edit the psp-resolver.xml file, and add the following attribute definitions. They retrieve data from the data connectors and also calculate the distinguished name (DN).

5.1  affiliationchangeLogMember attribute definition


<!-- Defining the affiliationTemp attribute to retrieve the etc:attribute:affiliations attribute -->
<resolver:AttributeDefinition id="affiliationTemp" sourceAttributeID="etc:attribute:affiliations" xsi:type="ad:Simple">
    <resolver:Dependency ref="MemberDataConnector"/>
    <resolver:Dependency ref="MemberAttributeAssignValueChangeLogDataConnector"/>
</resolver:AttributeDefinition>

<!-- Populating the affiliation attribute to affiliationchangeLogMember  -->

<resolver:AttributeDefinition id="affiliationchangeLogMember" xsi:type="ad:Script" sourceAttributeID="affiliationTemp">
    <resolver:Dependency ref="MemberDataConnector"/>
    <resolver:Dependency ref="affiliationTemp"/>
    <resolver:Dependency ref="MemberAttributeAssignValueChangeLogDataConnector"/>
    <ad:Script>
    <![CDATA[

        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        importPackage(Packages.java.lang);
        affiliationchangeLogMember = new BasicAttribute("affiliationchangeLogMember");

        // Copy the value only when affiliationTemp carries exactly one value
        if (affiliationTemp != null && affiliationTemp.getValues().size() == 1) {
            value = affiliationTemp.getValues().get(0);
            System.out.println("Invoking the Affiliation Package  " + value);
            if (value != null) {
                affiliationchangeLogMember.getValues().add(value);
            }
        }
    ]]>
    </ad:Script>
</resolver:AttributeDefinition>

<!-- Getting the etc:attribute:affiliation attribute data value End -->

5.2 changeLogAffiliationMemberDn attribute definition



<!-- Building the Ldap DN Based on the member and Subject ID Start -->

 <resolver:AttributeDefinition
    id="changeLogAffiliationMemberDn"
    xsi:type="psp:PSOIdentifier"
    sourceAttributeID="changeLogAffiliationMembershipLdapSubjectDn">
    <resolver:Dependency ref="changeLogAffiliationMembershipLdapSubjectDn" />
  </resolver:AttributeDefinition>

  <!-- The value of the "changeLogAffiliationMembershipLdapSubjectDn" attribute is the LDAP DN of the subject identified by memberSubjectId in the grouper change log entry -->
  <resolver:AttributeDefinition
    id="changeLogAffiliationMembershipLdapSubjectDn"
    xsi:type="ad:Script">
    <resolver:Dependency ref="AddAffiliationChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteAffiliationChangeLogDataConnector" />
    <ad:Script><![CDATA[

        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        importPackage(Packages.java.lang);
        importPackage(Packages.edu.internet2.middleware.grouper);
        // Defining the attribute definition
        changeLogAffiliationMembershipLdapSubjectDn = new BasicAttribute("changeLogAffiliationMembershipLdapSubjectDn");
        // Check that memberSubjectId and attributeAssignType are available in the change log entry
        if (typeof memberSubjectId != "undefined" && memberSubjectId != null) {
            if (typeof attributeAssignType != "undefined" && attributeAssignType != null) {
                if (attributeAssignType.getValues().size() > 0) {
                    // If the attributeAssignType is member, get the LDAP DN from the ldap source.
                    if (attributeAssignType.getValues().contains("member")) {
                        System.out.println("changeLogAffiliationMembershipLdapSubjectDn     " + memberSubjectId.getValues());
                        data = SubjectFinder.findByIdAndSource(memberSubjectId.getValues().get(0), "ldap", false);
                        if (data != null && data.getAttributes().isEmpty() == false) {
                            if (data.getAttributes().containsKey("dn")) {
                                ldapuserdn = data.getAttributes().get("dn").iterator().next();
                                System.out.println("Getting the Data from the Ldap Source " + ldapuserdn);
                                changeLogAffiliationMembershipLdapSubjectDn.getValues().add(ldapuserdn);
                            }
                        } else {
                            System.out.println("No Object Found " + memberSubjectId.getValues().get(0));
                        }
                    }
                }
            }
        } else {
            System.out.println("changeLogAffiliationMembershipLdapSubjectDn    subjectdn  " + changeLogAffiliationMembershipLdapSubjectDn);
        }

    ]]></ad:Script>
  </resolver:AttributeDefinition>

The scripts use the memberSubjectId and attributeAssignType variables, which are supplied by the data connectors. The following variables are available from the data connectors when a member attribute value is added or deleted in the change log:

ue,contextId=56dd5e5a2be84cfc8683a18f38829407] returning {id=id, attributeAssignId=attributeAssignId, attributeDefNameId=attributeDefNameId, attributeDefNameName=attributeDefNameName, value=value, valueType=valueType, actionName=actionName, changeLogCategory=changeLogCategory, sequenceNumber=sequenceNumber, createdOn=createdOn, etc:attribute:affiliations=etc:attribute:affiliations, attributeAssignType=attributeAssignType, memberSubjectId=memberSubjectId}

I have highlighted the variable names in bold.
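
The branches of the changeLogAffiliationMembershipLdapSubjectDn script in 5.2 can be exercised outside Grouper before the change log consumer is allowed to write to LDAP. The following is an added example, not part of the original post or of Grouper: Attr, SUBJECTS, CASES, resolveMemberDn and runAll are hypothetical stand-ins and the sample contexts are constructed. It shows which change log entries yield a DN and which produce an empty identifier, so nothing is provisioned.

```javascript
// Added example: offline model of the branches in the
// changeLogAffiliationMembershipLdapSubjectDn script. Attr and SUBJECTS are
// hypothetical stand-ins, not Grouper or Shibboleth classes.

// Stand-in for a resolver attribute: only holds a list of values.
function Attr(values) {
  this.values = values || [];
}

// Constructed subject table standing in for the "ldap" subject source.
const SUBJECTS = {
  test_member_uid9: { dn: ["uid=test_member_uid9,ou=people,dc=example,dc=edu"] },
  subject_without_dn: { cn: ["No DN"] },
};

// Returns the DN values the script would add, plus the branch that decided it.
function resolveMemberDn(ctx, subjects) {
  const sid = ctx.memberSubjectId;
  const type = ctx.attributeAssignType;
  // The page's script checks for undefined/null; the empty-list guard is added here.
  if (!sid || sid.values.length === 0) return { dn: [], reason: "no memberSubjectId" };
  if (!type || type.values.length === 0) return { dn: [], reason: "no attributeAssignType" };
  if (!type.values.includes("member")) return { dn: [], reason: "not a member assignment" };
  const subject = Object.prototype.hasOwnProperty.call(subjects, sid.values[0])
    ? subjects[sid.values[0]] : null;
  if (subject === null) return { dn: [], reason: "subject not found" };
  if (!subject.dn || subject.dn.length === 0) return { dn: [], reason: "subject has no dn" };
  return { dn: [subject.dn[0]], reason: "resolved" };
}

// Constructed change log contexts, one per branch.
const CASES = {
  memberAdd: { memberSubjectId: new Attr(["test_member_uid9"]), attributeAssignType: new Attr(["member"]) },
  groupAdd: { memberSubjectId: new Attr(["test_member_uid9"]), attributeAssignType: new Attr(["group"]) },
  unknownSubject: { memberSubjectId: new Attr(["ghost"]), attributeAssignType: new Attr(["member"]) },
  noDn: { memberSubjectId: new Attr(["subject_without_dn"]), attributeAssignType: new Attr(["member"]) },
  noSubjectId: { attributeAssignType: new Attr(["member"]) },
};

function runAll() {
  const out = {};
  for (const [name, ctx] of Object.entries(CASES)) out[name] = resolveMemberDn(ctx, SUBJECTS);
  return out;
}

console.log(runAll());
```

Only the memberAdd case resolves to a DN; every other case returns an empty list.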

6. Testing the psp-provisioning Add ldap attribute Value

Go to the apiBinary-2.1.5/bin directory and execute the gsh.sh file.

6.1 Restart the Grouper Session

grouperSession = GrouperSession.startRootSession();

6.2 Find the Member Object

subject = findSubject("test_member_uid9");
member = MemberFinder.findBySubject(grouperSession, subject);

6.3 Add the attribute affiliations value to the member object

 member.getAttributeValueDelegate().addValue("etc:attribute:affiliations","Student")

6.4 Executing the PSP Change Log

loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog")

loaderRunOneJob("CHANGE_LOG_consumer_psp")

After executing the above step, the LDAP attribute affiliations value is added to the person object uid=test_member_uid9,ou=people,dc=example,dc=edu

7. Testing the psp-provisioning Delete ldap attribute Value

Go to the apiBinary-2.1.5/bin directory and execute the gsh.sh file.

7.1 Restart the Grouper Session

grouperSession = GrouperSession.startRootSession();

7.2 Find the Member Object

subject = findSubject("test_member_uid9");
member = MemberFinder.findBySubject(grouperSession, subject);

7.3 Delete the attribute affiliations value from the member object

 member.getAttributeValueDelegate().deleteValue("etc:attribute:affiliations","Student")

7.4 Executing the PSP Change Log

loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog")

loaderRunOneJob("CHANGE_LOG_consumer_psp")

After executing the above step, the LDAP attribute affiliations value is deleted from the person object uid=test_member_uid9,ou=people,dc=example,dc=edu
