Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
canvas-demo-techex17/midpoint/ldap-resource-sync-advanced.xml
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
522 lines (477 sloc)
21.8 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="UTF-8"?> | |
<!-- | |
~ Copyright (c) 2010-2015 Evolveum | |
~ | |
~ Licensed under the Apache License, Version 2.0 (the "License"); | |
~ you may not use this file except in compliance with the License. | |
~ You may obtain a copy of the License at | |
~ | |
~ http://www.apache.org/licenses/LICENSE-2.0 | |
~ | |
~ Unless required by applicable law or agreed to in writing, software | |
~ distributed under the License is distributed on an "AS IS" BASIS, | |
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
~ See the License for the specific language governing permissions and | |
~ limitations under the License. | |
--> | |
<!-- | |
This file is an example of Resource definition. It defines an LDAP resource | |
using an Identity Connector Framework LDAP connector. It contains configuration | |
for use with stock OpenDJ and OpenDS servers. | |
This resource definition contains also definition to enable synchronization and | |
especially an expression that is using a lookup of value from an configuration | |
object. | |
--> | |
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" | |
xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" | |
xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" | |
xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3" | |
xmlns:my="http://whatever.com/my" | |
xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" | |
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" | |
xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3"> | |
<resource oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2"> | |
<!-- Resource name. It will be displayed in GUI. --> | |
<name>Localhost LDAP - Origin</name> | |
<description> | |
LDAP resource using an Identity Connector Framework LDAP connector. It contains configuration | |
for use with stock OpenDJ and OpenDS servers. | |
This resource definition contains also definition to enable synchronization and | |
especially an expression that is using a lookup of value from an configuration | |
object. | |
</description> | |
<connectorRef type="ConnectorType"> | |
<description> | |
Reference to the ICF LDAP connector. This is dynamic reference, it will be translated to | |
OID during import. | |
</description> | |
<filter> | |
<q:equal> | |
<q:path>c:connectorType</q:path> | |
<q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value> | |
</q:equal> | |
</filter> | |
</connectorRef> | |
<!-- Configuration section contains configuration of the connector, | |
such as hostnames and passwords --> | |
<connectorConfiguration> | |
<icfc:configurationProperties | |
xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector"> | |
<icfcldap:port>389</icfcldap:port> | |
<icfcldap:host>tier-demo-ldap</icfcldap:host> | |
<icfcldap:baseContext>dc=example,dc=edu</icfcldap:baseContext> | |
<icfcldap:bindDn>cn=admin,dc=example,dc=edu</icfcldap:bindDn> | |
<icfcldap:bindPassword> | |
<t:clearValue>password</t:clearValue> | |
</icfcldap:bindPassword> | |
<icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy> | |
<icfcldap:vlvSortAttribute>entryUUID</icfcldap:vlvSortAttribute> | |
<!-- <icfcldap:accountOperationalAttributes>ds-pwp-account-disabled</icfcldap:accountOperationalAttributes>--> | |
<icfcldap:operationalAttributes>ds-pwp-account-disabled</icfcldap:operationalAttributes> | |
<icfcldap:operationalAttributes>isMemberOf</icfcldap:operationalAttributes> | |
</icfc:configurationProperties> | |
<icfc:connectorPoolConfiguration> | |
<icfc:minEvictableIdleTimeMillis>120000</icfc:minEvictableIdleTimeMillis> | |
<icfc:minIdle>1</icfc:minIdle> | |
<icfc:maxIdle>10</icfc:maxIdle> | |
<icfc:maxObjects>10</icfc:maxObjects> | |
<icfc:maxWait>150000</icfc:maxWait> | |
</icfc:connectorPoolConfiguration> | |
<icfc:producerBufferSize>100</icfc:producerBufferSize> | |
<icfc:timeouts> | |
<icfc:create>-1</icfc:create> | |
<icfc:get>-1</icfc:get> | |
<icfc:update>-1</icfc:update> | |
<icfc:delete>-1</icfc:delete> | |
<icfc:test>-1</icfc:test> | |
<icfc:scriptOnConnector>-1</icfc:scriptOnConnector> | |
<icfc:scriptOnResource>-1</icfc:scriptOnResource> | |
<icfc:authentication>-1</icfc:authentication> | |
<icfc:search>-1</icfc:search> | |
<icfc:validate>-1</icfc:validate> | |
<icfc:sync>-1</icfc:sync> | |
<icfc:schema>-1</icfc:schema> | |
</icfc:timeouts> | |
<icfc:resultsHandlerConfiguration> | |
<icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler> | |
<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler> | |
<icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler> | |
</icfc:resultsHandlerConfiguration> | |
</connectorConfiguration> | |
<schema> | |
<!-- workaround to MID-2723 --> | |
<generationConstraints> | |
<generateObjectClass>ri:inetOrgPerson</generateObjectClass> | |
<generateObjectClass>ri:groupOfUniqueNames</generateObjectClass> | |
<generateObjectClass>ri:groupOfNames</generateObjectClass> | |
<generateObjectClass>ri:organizationalUnit</generateObjectClass> | |
</generationConstraints> | |
</schema> | |
<!-- Resource Schema Handling definition. | |
This part defines how the schema defined above will be used by | |
midPoint. It defines expressions and limitations for individual | |
schema attributes. | |
The expressions that describe both inbound and outbound flow of | |
the attributes are defined in this section. | |
This is the part where most of the customization takes place. | |
--> | |
<schemaHandling> | |
<objectType> | |
<displayName>Default Account</displayName> | |
<default>true</default> | |
<objectClass>ri:inetOrgPerson</objectClass> | |
<attribute> | |
<ref>ri:dn</ref> | |
<displayName>Distinguished Name</displayName> | |
<limitations> | |
<minOccurs>0</minOccurs> | |
<access> | |
<read>true</read> | |
<add>true</add> | |
<modify>false</modify> | |
</access> | |
</limitations> | |
<matchingRule>mr:stringIgnoreCase</matchingRule> | |
<outbound> | |
<strength>weak</strength> | |
<source> | |
<path>$user/name</path> | |
</source> | |
<expression> | |
<script> | |
<!-- No explicit script language was specified. It means that this is Groovy --> | |
<code> | |
'uid=' + name + iterationToken + ',ou=people,dc=example,dc=com' | |
</code> | |
</script> | |
</expression> | |
</outbound> | |
</attribute> | |
<attribute> | |
<ref>ri:entryUUID</ref> | |
<displayName>Entry UUID</displayName> | |
<limitations> | |
<access> | |
<read>true</read> | |
</access> | |
</limitations> | |
</attribute> | |
<attribute> | |
<ref>ri:cn</ref> | |
<displayName>Common Name</displayName> | |
<limitations> | |
<minOccurs>0</minOccurs> | |
<access> | |
<read>true</read> | |
<add>true</add> | |
<modify>true</modify> | |
</access> | |
</limitations> | |
<outbound> | |
<source> | |
<path>$user/fullName</path> | |
</source> | |
</outbound> | |
<inbound> | |
<target> | |
<path>$user/fullName</path> | |
</target> | |
</inbound> | |
</attribute> | |
<attribute> | |
<ref>ri:sn</ref> | |
<displayName>Surname</displayName> | |
<limitations> | |
<minOccurs>0</minOccurs> | |
</limitations> | |
<outbound> | |
<source> | |
<!-- The path can be shorteden like this. $user is a default source "context" in outbound --> | |
<path>familyName</path> | |
</source> | |
</outbound> | |
<inbound> | |
<target> | |
<!-- The path can be shorteden like this. $user is a default target "context" in inbound --> | |
<path>familyName</path> | |
</target> | |
</inbound> | |
</attribute> | |
<attribute> | |
<ref>ri:givenName</ref> | |
<displayName>Given Name</displayName> | |
<outbound> | |
<source> | |
<!-- Full namespace prefixes can be used in the path --> | |
<path>$c:user/c:givenName</path> | |
</source> | |
</outbound> | |
<inbound> | |
<target> | |
<path>$c:user/c:givenName</path> | |
</target> | |
</inbound> | |
</attribute> | |
<attribute> | |
<ref>ri:uid</ref> | |
<displayName>Login Name</displayName> | |
<limitations> | |
<access> | |
<read>true</read> | |
<add>true</add> | |
</access> | |
</limitations> | |
<matchingRule>mr:stringIgnoreCase</matchingRule> | |
<outbound> | |
<source> | |
<description>Source may have description</description> | |
<path>$user/name</path> | |
</source> | |
<!-- We need to put iterationToken here as well, otherwise effect described in MID-2139 occurs --> | |
<expression> | |
<script> | |
<code>name + iterationToken</code> | |
</script> | |
</expression> | |
</outbound> | |
<inbound> | |
<target> | |
<description>Targets may have description</description> | |
<path>$c:user/c:name</path> | |
</target> | |
</inbound> | |
</attribute> | |
<attribute> | |
<ref>ri:description</ref> | |
<outbound> | |
<strength>weak</strength> | |
<expression> | |
<description>Expression that assigns a fixed value</description> | |
<value>Created by IDM</value> | |
</expression> | |
</outbound> | |
<inbound> | |
<target> | |
<!-- Namespace prefixes can be also declared inside a path --> | |
<path> | |
declare namespace my="http://whatever.com/my"; | |
$c:user/c:extension/my:description | |
</path> | |
</target> | |
</inbound> | |
</attribute> | |
<attribute> | |
<ref>ri:l</ref> | |
<outbound> | |
<expression> | |
<variable xmlns:my="http://whatever.com/my"> | |
<name>my:defaultLocation</name> | |
<value>middle of nowhere</value> | |
</variable> | |
<script> | |
<description>XPath expression that is using a variable declared above</description> | |
<language>http://www.w3.org/TR/xpath/</language> | |
<returnType>scalar</returnType> | |
<code xmlns:my="http://whatever.com/my"> | |
$my:defaultLocation | |
</code> | |
</script> | |
</expression> | |
</outbound> | |
</attribute> | |
<iteration> | |
<maxIterations>5</maxIterations> | |
</iteration> | |
<protected> | |
<filter> | |
<q:equal> | |
<q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#distinguishedName</q:matching> | |
<q:path>attributes/ri:dn</q:path> | |
<q:value>uid=idm,ou=Administrators,dc=example,dc=com</q:value> | |
</q:equal> | |
</filter> | |
</protected> | |
<activation> | |
<administrativeStatus> | |
<outbound/> | |
<inbound> | |
<strength>weak</strength> | |
<expression> | |
<asIs/> | |
</expression> | |
</inbound> | |
</administrativeStatus> | |
</activation> | |
<credentials> | |
<password> | |
<outbound> | |
<expression> | |
<asIs/> | |
</expression> | |
</outbound> | |
<inbound> | |
<strength>weak</strength> | |
<expression> | |
<generate/> | |
</expression> | |
</inbound> | |
</password> | |
</credentials> | |
</objectType> | |
</schemaHandling> | |
<capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"> | |
<configured> | |
<cap:activation> | |
<cap:status> | |
<cap:attribute>ri:ds-pwp-account-disabled</cap:attribute> | |
<cap:enableValue/> | |
<cap:disableValue>true</cap:disableValue> | |
</cap:status> | |
</cap:activation> | |
</configured> | |
</capabilities> | |
<!-- | |
Synchronization section describes the synchronization policy, timing, | |
reactions and similar synchronization settings. | |
--> | |
<synchronization> | |
<objectSynchronization> | |
<!-- | |
The synchronization for this resource is enabled. | |
It means that the synchronization will react to changes detected by | |
the system (live sync task, discovery or reconciliation) --> | |
<enabled>true</enabled> | |
<correlation> | |
<q:description> | |
Correlation expression is a search query. | |
Following search query will look for users that have "name" | |
equal to the "uid" attribute of the account. Simply speaking, | |
it will look for match in usernames in the IDM and the resource. | |
The correlation rule always looks for users, so it will not match | |
any other object type. | |
</q:description> | |
<q:equal> | |
<q:path>c:name</q:path> | |
<expression> | |
<path> | |
declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"; | |
$account/attributes/ri:uid | |
</path> | |
</expression> | |
</q:equal> | |
</correlation> | |
<!-- Confirmation rule may be here, but as the search above will | |
always return at most one match, the confirmation rule is not needed. --> | |
<!-- Following section describes reactions to a situations. | |
The setting here assumes that this resource is authoritative, | |
therefore all accounts created on the resource should be | |
reflected as new users in IDM. | |
See http://wiki.evolveum.com/display/midPoint/Synchronization+Situations | |
--> | |
<reaction> | |
<situation>linked</situation> | |
<action> | |
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser</handlerUri> | |
</action> | |
</reaction> | |
<reaction> | |
<situation>deleted</situation> | |
<action> | |
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlinkAccount</handlerUri> | |
</action> | |
</reaction> | |
<reaction> | |
<situation>unlinked</situation> | |
<action> | |
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount</handlerUri> | |
</action> | |
</reaction> | |
<reaction> | |
<situation>unmatched</situation> | |
<action> | |
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri> | |
</action> | |
</reaction> | |
</objectSynchronization> | |
</synchronization> | |
</resource> | |
<objectTemplate oid="c0c010c0-d34d-b33f-f00d-777111111111"> | |
<name>Default User Template 1</name> | |
<description> | |
User Template Object. | |
This object is used when creating a new account, to set it up as needed. | |
</description> | |
<mapping> | |
<description> | |
Property mapping. | |
Defines how properties of user object are set up. | |
This specific definition sets a full name as a concatenation | |
of givenName and familyName. | |
</description> | |
<strength>weak</strength> | |
<source> | |
<path>$user/givenName</path> | |
</source> | |
<source> | |
<path>$user/familyName</path> | |
</source> | |
<expression> | |
<script> | |
<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language> | |
<code> | |
givenName + ' ' + familyName | |
</code> | |
</script> | |
</expression> | |
<target> | |
<path>fullName</path> | |
</target> | |
</mapping> | |
</objectTemplate> | |
<genericObject oid="c0c010c0-d34d-b33f-f00d-999111111111"> | |
<name>My Sample Config Object</name> | |
<description> | |
Sample custom configuration object. Object of the genericObject type are | |
in fact free-form objects. They can contain almost any XML data in the | |
extension part. They are supposed to hold data structures that parametrize | |
the IDM custom business logic or IDM expressions. | |
</description> | |
<extension> | |
<!-- This additional level of depth (the "locations" element) is needed now | |
because current repository does not support generic multi-valued | |
properties. This might be fixed in next releases. --> | |
<!-- <my:locations> | |
Lookup table. The "key" attribute is a key, the element content | |
is a value. However, the data structure may be structured differently, | |
it depends on a specific XPath that is used for lookup (see the | |
definition of outbound expression for "l" attribute in the resource | |
definition above). | |
<my:location key="home">Here</my:location> --> | |
<!-- <my:location key="work">There</my:location> --> | |
<!-- <my:location key="somewhere">There there over the corner</my:location> --> | |
<!-- </my:locations> --> | |
</extension> | |
<!-- This is generic object, it must have an "application level" type. | |
However, this is not used in the current business logic. Can be anything. --> | |
<objectType>http://myself.me/schemas/objects#SampleConfigType</objectType> | |
</genericObject> | |
<task oid="91919191-76e0-59e2-86d6-3d4f02d3ffff"> | |
<name>Synchronization: Grouper LDAP</name> | |
<description> | |
Definition of a live synchronization task. It will poll changelog and pull in changes | |
</description> | |
<taskIdentifier>91919191-76e0-59e2-86d6-3d4f02d3ffff</taskIdentifier> | |
<ownerRef oid="00000000-0000-0000-0000-000000000002"/> | |
<executionStatus>runnable</executionStatus> | |
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/live-sync/handler-3</handlerUri> | |
<objectRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2" type="ResourceType"/> | |
<recurrence>recurring</recurrence> | |
<binding>tight</binding> | |
<schedule> | |
<interval>5</interval> | |
</schedule> | |
</task> | |
</objects> |