<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright (c) 2010-2015 Evolveum
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<!--
This file is an example of a Resource definition. It defines an LDAP resource
using an Identity Connector Framework LDAP connector. It contains configuration
for use with stock OpenDJ and OpenDS servers.
This resource definition also contains a definition that enables synchronization and,
in particular, an expression that looks up a value from a configuration
object.
-->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
xmlns:my="http://whatever.com/my"
xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">
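<resource oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2">
    <!-- Resource name. It will be displayed in GUI. -->
    <name>Localhost LDAP - Origin</name>
    <description>
        LDAP resource using an Identity Connector Framework LDAP connector. It contains configuration
        for use with stock OpenDJ and OpenDS servers.
        This resource definition contains also definition to enable synchronization and
        especially an expression that is using a lookup of value from an configuration
        object.
    </description>
    <connectorRef type="ConnectorType">
        <description>
            Reference to the ICF LDAP connector. This is dynamic reference, it will be translated to
            OID during import.
        </description>
        <!-- The connector is selected by class name only. If several versions of the LDAP
             connector bundle are deployed this filter may become ambiguous; pin the version
             in that case. -->
        <filter>
            <q:equal>
                <q:path>c:connectorType</q:path>
                <q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value>
            </q:equal>
        </filter>
    </connectorRef>
    <!-- Configuration section contains configuration of the connector,
         such as hostnames and passwords -->
    <connectorConfiguration>
        <icfc:configurationProperties
            xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
            <!-- Plain LDAP port and no connection-security property is set here, so the simple
                 bind below and every password pushed outbound cross the network unencrypted.
                 For anything beyond a throw-away demo, enable LDAPS or StartTLS on the connector
                 (its connectionSecurity property) and adjust the port accordingly. -->
            <icfcldap:port>389</icfcldap:port>
            <icfcldap:host>tier-demo-ldap</icfcldap:host>
            <!-- Every search and write is scoped under this base context. DNs constructed in
                 schemaHandling below must use the same suffix (dc=example,dc=edu). -->
            <icfcldap:baseContext>dc=example,dc=edu</icfcldap:baseContext>
            <!-- Service account midPoint binds as. It needs write access to the people container
                 for provisioning and read access to the changelog for the live-sync task. -->
            <icfcldap:bindDn>cn=admin,dc=example,dc=edu</icfcldap:bindDn>
            <!-- Demo placeholder credential. midPoint protects clearValue once the object is
                 imported, but the cleartext still lives in this file, so never commit a real
                 secret here. -->
            <icfcldap:bindPassword>
                <t:clearValue>password</t:clearValue>
            </icfcldap:bindPassword>
            <icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
            <!-- Attribute used for VLV/sorted paging; entryUUID is stable and unique on OpenDJ/OpenDS. -->
            <icfcldap:vlvSortAttribute>entryUUID</icfcldap:vlvSortAttribute>
            <!-- <icfcldap:accountOperationalAttributes>ds-pwp-account-disabled</icfcldap:accountOperationalAttributes>-->
            <!-- LDAP servers return operational attributes only when explicitly requested, so
                 list them here. ds-pwp-account-disabled backs the activation capability declared
                 below; isMemberOf exposes group membership on the account. -->
            <icfcldap:operationalAttributes>ds-pwp-account-disabled</icfcldap:operationalAttributes>
            <icfcldap:operationalAttributes>isMemberOf</icfcldap:operationalAttributes>
        </icfc:configurationProperties>
        <!-- Connection pool sizing for the connector instance. -->
        <icfc:connectorPoolConfiguration>
            <icfc:minEvictableIdleTimeMillis>120000</icfc:minEvictableIdleTimeMillis>
            <icfc:minIdle>1</icfc:minIdle>
            <icfc:maxIdle>10</icfc:maxIdle>
            <icfc:maxObjects>10</icfc:maxObjects>
            <icfc:maxWait>150000</icfc:maxWait>
        </icfc:connectorPoolConfiguration>
        <icfc:producerBufferSize>100</icfc:producerBufferSize>
        <!-- Per-operation timeouts; -1 presumably means "no explicit timeout" (connector
             default) - verify against the framework version, since an unbounded search or
             sync against a slow server can block a worker thread indefinitely. -->
        <icfc:timeouts>
            <icfc:create>-1</icfc:create>
            <icfc:get>-1</icfc:get>
            <icfc:update>-1</icfc:update>
            <icfc:delete>-1</icfc:delete>
            <icfc:test>-1</icfc:test>
            <icfc:scriptOnConnector>-1</icfc:scriptOnConnector>
            <icfc:scriptOnResource>-1</icfc:scriptOnResource>
            <icfc:authentication>-1</icfc:authentication>
            <icfc:search>-1</icfc:search>
            <icfc:validate>-1</icfc:validate>
            <icfc:sync>-1</icfc:sync>
            <icfc:schema>-1</icfc:schema>
        </icfc:timeouts>
        <!-- Framework-side result handlers are switched off; filtering, normalization and
             attribute selection are left to the connector/server. -->
        <icfc:resultsHandlerConfiguration>
            <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
            <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
            <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
        </icfc:resultsHandlerConfiguration>
    </connectorConfiguration>
    <schema>
        <!-- workaround to MID-2723 -->
        <!-- Restricts schema generation to the four object classes used by this resource. -->
        <generationConstraints>
            <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
            <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
            <generateObjectClass>ri:groupOfNames</generateObjectClass>
            <generateObjectClass>ri:organizationalUnit</generateObjectClass>
        </generationConstraints>
    </schema>
    <!-- Resource Schema Handling definition.
         This part defines how the schema defined above will be used by
         midPoint. It defines expressions and limitations for individual
         schema attributes.
         The expressions that describe both inbound and outbound flow of
         the attributes are defined in this section.
         This is the part where most of the customization takes place.
    -->
    <schemaHandling>
        <objectType>
            <displayName>Default Account</displayName>
            <default>true</default>
            <objectClass>ri:inetOrgPerson</objectClass>
            <attribute>
                <ref>ri:dn</ref>
                <displayName>Distinguished Name</displayName>
                <limitations>
                    <minOccurs>0</minOccurs>
                    <!-- DN is set on create only; modify=false means midPoint never renames an entry. -->
                    <access>
                        <read>true</read>
                        <add>true</add>
                        <modify>false</modify>
                    </access>
                </limitations>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <strength>weak</strength>
                    <source>
                        <path>$user/name</path>
                    </source>
                    <expression>
                        <script>
                            <!-- No explicit script language was specified. It means that this is Groovy -->
                            <!-- The suffix must match the connector's baseContext (dc=example,dc=edu);
                                 an entry created under a different suffix would fall outside the
                                 configured base context. iterationToken disambiguates colliding names. -->
                            <code>
                                'uid=' + name + iterationToken + ',ou=people,dc=example,dc=edu'
                            </code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:entryUUID</ref>
                <displayName>Entry UUID</displayName>
                <!-- Server-assigned identifier; read-only. -->
                <limitations>
                    <access>
                        <read>true</read>
                    </access>
                </limitations>
            </attribute>
            <attribute>
                <ref>ri:cn</ref>
                <displayName>Common Name</displayName>
                <limitations>
                    <minOccurs>0</minOccurs>
                    <access>
                        <read>true</read>
                        <add>true</add>
                        <modify>true</modify>
                    </access>
                </limitations>
                <outbound>
                    <source>
                        <path>$user/fullName</path>
                    </source>
                </outbound>
                <inbound>
                    <target>
                        <path>$user/fullName</path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <ref>ri:sn</ref>
                <displayName>Surname</displayName>
                <limitations>
                    <minOccurs>0</minOccurs>
                </limitations>
                <outbound>
                    <source>
                        <!-- The path can be shortened like this. $user is a default source "context" in outbound -->
                        <path>familyName</path>
                    </source>
                </outbound>
                <inbound>
                    <target>
                        <!-- The path can be shortened like this. $user is a default target "context" in inbound -->
                        <path>familyName</path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <ref>ri:givenName</ref>
                <displayName>Given Name</displayName>
                <outbound>
                    <source>
                        <!-- Full namespace prefixes can be used in the path -->
                        <path>$c:user/c:givenName</path>
                    </source>
                </outbound>
                <inbound>
                    <target>
                        <path>$c:user/c:givenName</path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <ref>ri:uid</ref>
                <displayName>Login Name</displayName>
                <!-- uid is written on create only (no modify): login names are not changed in place. -->
                <limitations>
                    <access>
                        <read>true</read>
                        <add>true</add>
                    </access>
                </limitations>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <source>
                        <description>Source may have description</description>
                        <path>$user/name</path>
                    </source>
                    <!-- We need to put iterationToken here as well, otherwise effect described in MID-2139 occurs -->
                    <expression>
                        <script>
                            <code>name + iterationToken</code>
                        </script>
                    </expression>
                </outbound>
                <!-- Inbound uid becomes the user name; this is also the value the correlation
                     query below matches on. -->
                <inbound>
                    <target>
                        <description>Targets may have description</description>
                        <path>$c:user/c:name</path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <ref>ri:description</ref>
                <outbound>
                    <strength>weak</strength>
                    <expression>
                        <description>Expression that assigns a fixed value</description>
                        <value>Created by IDM</value>
                    </expression>
                </outbound>
                <inbound>
                    <target>
                        <!-- Namespace prefixes can be also declared inside a path -->
                        <path>
                            declare namespace my="http://whatever.com/my";
                            $c:user/c:extension/my:description
                        </path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <ref>ri:l</ref>
                <outbound>
                    <expression>
                        <!-- The value comes from the variable declared here, not from the
                             "My Sample Config Object" lookup table (which is commented out). -->
                        <variable xmlns:my="http://whatever.com/my">
                            <name>my:defaultLocation</name>
                            <value>middle of nowhere</value>
                        </variable>
                        <script>
                            <description>XPath expression that is using a variable declared above</description>
                            <language>http://www.w3.org/TR/xpath/</language>
                            <returnType>scalar</returnType>
                            <code xmlns:my="http://whatever.com/my">
                                $my:defaultLocation
                            </code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <!-- Upper bound on iterationToken attempts when a generated dn/uid collides. -->
            <iteration>
                <maxIterations>5</maxIterations>
            </iteration>
            <!-- Protected accounts are never touched by provisioning.
                 NOTE(review): this DN does not match the bind DN configured above
                 (cn=admin,dc=example,dc=edu) nor the base-context suffix, so the account
                 midPoint itself binds as is apparently not shielded from being disabled or
                 deleted through synchronization - confirm which administrative accounts
                 should be listed here. -->
            <protected>
                <filter>
                    <q:equal>
                        <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#distinguishedName</q:matching>
                        <q:path>attributes/ri:dn</q:path>
                        <q:value>uid=idm,ou=Administrators,dc=example,dc=com</q:value>
                    </q:equal>
                </filter>
            </protected>
            <!-- Activation maps to ds-pwp-account-disabled via the capability declared below. -->
            <activation>
                <administrativeStatus>
                    <outbound/>
                    <inbound>
                        <strength>weak</strength>
                        <expression>
                            <asIs/>
                        </expression>
                    </inbound>
                </administrativeStatus>
            </activation>
            <credentials>
                <password>
                    <!-- User password is pushed to LDAP unchanged (see the TLS note on the
                         connector configuration). Inbound, a password is generated rather
                         than read from the resource; weak strength presumably means it only
                         applies when the user has none - confirm. -->
                    <outbound>
                        <expression>
                            <asIs/>
                        </expression>
                    </outbound>
                    <inbound>
                        <strength>weak</strength>
                        <expression>
                            <generate/>
                        </expression>
                    </inbound>
                </password>
            </credentials>
        </objectType>
    </schemaHandling>
    <!-- Declares how enable/disable is represented on the server: an absent/empty
         ds-pwp-account-disabled means enabled, the value "true" means disabled. -->
    <capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
        <configured>
            <cap:activation>
                <cap:status>
                    <cap:attribute>ri:ds-pwp-account-disabled</cap:attribute>
                    <cap:enableValue/>
                    <cap:disableValue>true</cap:disableValue>
                </cap:status>
            </cap:activation>
        </configured>
    </capabilities>
    <!--
        Synchronization section describes the synchronization policy, timing,
        reactions and similar synchronization settings.
    -->
    <synchronization>
        <objectSynchronization>
            <!--
                The synchronization for this resource is enabled.
                It means that the synchronization will react to changes detected by
                the system (live sync task, discovery or reconciliation) -->
            <enabled>true</enabled>
            <correlation>
                <q:description>
                    Correlation expression is a search query.
                    Following search query will look for users that have "name"
                    equal to the "uid" attribute of the account. Simply speaking,
                    it will look for match in usernames in the IDM and the resource.
                    The correlation rule always looks for users, so it will not match
                    any other object type.
                </q:description>
                <q:equal>
                    <q:path>c:name</q:path>
                    <expression>
                        <path>
                            declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
                            $account/attributes/ri:uid
                        </path>
                    </expression>
                </q:equal>
            </correlation>
            <!-- Confirmation rule may be here, but as the search above will
                 always return at most one match, the confirmation rule is not needed. -->
            <!-- Following section describes reactions to a situations.
                 The setting here assumes that this resource is authoritative,
                 therefore all accounts created on the resource should be
                 reflected as new users in IDM.
                 See http://wiki.evolveum.com/display/midPoint/Synchronization+Situations
            -->
            <reaction>
                <situation>linked</situation>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser</handlerUri>
                </action>
            </reaction>
            <!-- Deleting the LDAP entry only unlinks it; the midPoint user is kept. -->
            <reaction>
                <situation>deleted</situation>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlinkAccount</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unlinked</situation>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount</handlerUri>
                </action>
            </reaction>
            <!-- Because the resource is authoritative, any entry under the base context with
                 no matching user becomes a new midPoint user. Whoever can create entries in
                 that LDAP subtree can therefore create users here; restrict write access on
                 the directory side accordingly. -->
            <reaction>
                <situation>unmatched</situation>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
                </action>
            </reaction>
        </objectSynchronization>
    </synchronization>
</resource>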
<objectTemplate oid="c0c010c0-d34d-b33f-f00d-777111111111">
    <name>Default User Template 1</name>
    <!-- NOTE(review): despite the wording of the description, this template operates on user
         objects (sources are $user/givenName and $user/familyName, target is the user's
         fullName), not on accounts. -->
    <description>
        User Template Object.
        This object is used when creating a new account, to set it up as needed.
    </description>
    <mapping>
        <description>
            Property mapping.
            Defines how properties of user object are set up.
            This specific definition sets a full name as a concatenation
            of givenName and familyName.
        </description>
        <!-- Weak strength: presumably the computed fullName is applied only when the
             user has no fullName yet, so a manually entered value survives - confirm
             against the midPoint mapping semantics in use. -->
        <strength>weak</strength>
        <source>
            <path>$user/givenName</path>
        </source>
        <source>
            <path>$user/familyName</path>
        </source>
        <expression>
            <script>
                <!-- Language is given explicitly here; the resource above relies on Groovy
                     being the default. Both yield the same engine. -->
                <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
                <!-- Either source may be empty; the script does not guard against that. -->
                <code>
                    givenName + ' ' + familyName
                </code>
            </script>
        </expression>
        <target>
            <path>fullName</path>
        </target>
    </mapping>
</objectTemplate>
<genericObject oid="c0c010c0-d34d-b33f-f00d-999111111111">
    <name>My Sample Config Object</name>
    <description>
        Sample custom configuration object. Object of the genericObject type are
        in fact free-form objects. They can contain almost any XML data in the
        extension part. They are supposed to hold data structures that parametrize
        the IDM custom business logic or IDM expressions.
    </description>
    <!-- The extension is currently empty: the whole lookup table is commented out, and the
         outbound expression for the "l" attribute in the resource above reads a locally
         declared variable (my:defaultLocation) instead of looking anything up here.
         Nothing in this file references this object. -->
    <extension>
        <!-- This additional level of depth (the "locations" element) is needed now
             because current repository does not support generic multi-valued
             properties. This might be fixed in next releases. -->
        <!-- <my:locations>
             Lookup table. The "key" attribute is a key, the element content
             is a value. However, the data structure may be structured differently,
             it depends on a specific XPath that is used for lookup (see the
             definition of outbound expression for "l" attribute in the resource
             definition above).
             <my:location key="home">Here</my:location> -->
        <!-- <my:location key="work">There</my:location> -->
        <!-- <my:location key="somewhere">There there over the corner</my:location> -->
        <!-- </my:locations> -->
    </extension>
    <!-- This is generic object, it must have an "application level" type.
         However, this is not used in the current business logic. Can be anything. -->
    <objectType>http://myself.me/schemas/objects#SampleConfigType</objectType>
</genericObject>
<task oid="91919191-76e0-59e2-86d6-3d4f02d3ffff">
    <!-- NOTE(review): the name says "Grouper LDAP" while objectRef below points at the
         "Localhost LDAP - Origin" resource defined in this file - confirm the naming. -->
    <name>Synchronization: Grouper LDAP</name>
    <description>
        Definition of a live synchronization task. It will poll changelog and pull in changes
    </description>
    <!-- Same value as the task OID. -->
    <taskIdentifier>91919191-76e0-59e2-86d6-3d4f02d3ffff</taskIdentifier>
    <!-- Task owner; the OID looks like midPoint's built-in administrator - confirm.
         Changes pulled in by this task are processed under this identity. -->
    <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
    <!-- The task starts running as soon as it is imported; there is no manual gate. -->
    <executionStatus>runnable</executionStatus>
    <!-- Live-sync handler: applies the synchronization reactions (including addUser for
         unmatched entries) declared on the referenced resource. -->
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/live-sync/handler-3</handlerUri>
    <!-- Resource to synchronize; OID matches the resource element above. -->
    <objectRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2" type="ResourceType"/>
    <recurrence>recurring</recurrence>
    <binding>tight</binding>
    <!-- Polling interval; the unit is not stated here (presumably seconds) - verify. -->
    <schedule>
        <interval>5</interval>
    </schedule>
</task>
</objects>