with one exception 401.1 should be complete.

base/Dockerfile

@@ -1,6 +1,6 @@
 FROM unicon/shibboleth-idp:3.3.3 as idp 
 
-FROM tier/grouper:2.4.0-a0-u0-w0-p0-test
+FROM tier/grouper:2.4.0-a2-u0-w0-p0-test
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>" \
       Vendor="TIER" \

base/container_files/conf/grouper-loader.properties

@@ -37,7 +37,7 @@
 #note the URL should start with ldap: or ldaps: if it is SSL.  
 #It should contain the server and port (optional if not default), and baseDn,
 #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
-ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu
+ldap.demo.url = ldap://localhost:389/
 
 #optional, if authenticated
 ldap.demo.user = cn=root,dc=internet2,dc=edu

base/container_files/conf/subject.properties

@@ -55,20 +55,20 @@ subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber
 #  Each subject has one and only on ID.  Returns one result when searching for one ID.
 subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectclass=person))
 subjectApi.source.ldap.search.searchSubject.param.scope.value = SUBTREE_SCOPE
-subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people
+subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=internet2,dc=edu
 
 #searchSubjectByIdentifier: find a subject by identifier.  Identifier is anything that uniquely
 #  identifies the user, e.g. jsmith or jsmith@institution.edu.
 #  Subjects can have multiple identifiers.  Note: it is nice to have if identifiers are unique
 #  even across sources.  Returns one result when searching for one identifier.
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person))
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE
-subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people
+subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu
 
 #   search: find subjects by free form search.  Returns multiple results.
 
 subjectApi.source.ldap.search.search.param.filter.value = (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person))
 subjectApi.source.ldap.search.search.param.scope.value = SUBTREE_SCOPE
-subjectApi.source.ldap.search.search.param.base.value = ou=people
+subjectApi.source.ldap.search.search.param.base.value = ou=people,dc=internet2,dc=edu
 
 subjectApi.source.ldap.internalAttributes = searchAttribute0

ex401/class-files/CisoQuestionalUsers.txt

@@ -0,0 +1,15 @@
+ahenderson36
+cpeterson37
+jclark39
+kbrown62
+tpeterson63
+pjohnson64
+aroberts95
+sdavis107
+mhenderson109
+jvales117
+sgrady139
+mprice142
+mwilliams144
+lpeterson153
+mvales154

ex401/ex401.1.1/container_files/grouper-loader.properties

@@ -37,7 +37,7 @@
 #note the URL should start with ldap: or ldaps: if it is SSL.  
 #It should contain the server and port (optional if not default), and baseDn,
 #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
-ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu
+ldap.demo.url = ldap://localhost:389/
 
 #optional, if authenticated
 ldap.demo.user = cn=root,dc=internet2,dc=edu

ex401/ex401.1.1/container_files/seed-data/bootstrap.gsh

@@ -4,7 +4,7 @@ addRootStem("ref", "ref");
 addRootStem("bundle", "bundle");
 addRootStem("app", "app");
 addRootStem("org", "org");
-testStem = addRootStem("test", "test");
+addRootStem("test", "test");
 
 addGroup("etc","rolesLoader", "Roles Loader");
 groupAddType("etc:rolesLoader", "grouperLoader");

ex401/ex401.1.1/container_files/subject.properties

@@ -17,7 +17,7 @@ subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value =
 subjectApi.source.ldap.param.sortAttribute0.value = cn
 subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0
 subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('employeeNumber'), "")}
-subjectApi.source.ldap.param.subjectVirtualAttribute_1_displayName.value = ${subject.getAttributeValueOrCommaSeparated('cn') + ' (' + subject.getAttributeValueOrCommaSeparated('title') + ')'}
+subjectApi.source.ldap.param.subjectVirtualAttribute_1_displayName.value = ${subject.getAttributeValueOrCommaSeparated('cn') + ' (' + subject.getAttributeValueOrCommaSeparated('uid') + ', ' + subject.getAttributeValueOrCommaSeparated('title') + ')'}
 
 # STATUS SECTION for searches to filter out inactives and allow
 # the user to filter by status with e.g. status=all
@@ -56,21 +56,21 @@ subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber
 #  Each subject has one and only on ID.  Returns one result when searching for one ID.
 subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectclass=person))
 subjectApi.source.ldap.search.searchSubject.param.scope.value = SUBTREE_SCOPE
-subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people
+subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=internet2,dc=edu
 
 #searchSubjectByIdentifier: find a subject by identifier.  Identifier is anything that uniquely
 #  identifies the user, e.g. jsmith or jsmith@institution.edu.
 #  Subjects can have multiple identifiers.  Note: it is nice to have if identifiers are unique
 #  even across sources.  Returns one result when searching for one identifier.
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person))
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE
-subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people
+subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu
 
 #   search: find subjects by free form search.  Returns multiple results.
 
 subjectApi.source.ldap.search.search.param.filter.value = (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person))
 subjectApi.source.ldap.search.search.param.scope.value = SUBTREE_SCOPE
-subjectApi.source.ldap.search.search.param.base.value = ou=people
+subjectApi.source.ldap.search.search.param.base.value = ou=people,dc=internet2,dc=edu
 
 subjectApi.source.ldap.attributes = givenName, sn, cn, uid, mail, employeeNumber, title
 subjectApi.source.ldap.internalAttributes = searchAttribute0

ex401/ex401.1.2/container_files/seed-data/bootstrap.gsh

@@ -3,7 +3,7 @@ gs = GrouperSession.startRootSession();
 addStem("test", "vpn", "vpn");
 
 //Create a loader job to pull in the VPN users assigned in the directory.
-group = new GroupSave(gs).assignName("test:vpn:vpn_access").assignCreateParentStemsIfNotExist(true).save();
+group = new GroupSave(gs).assignName("test:vpn:vpn_legacy").assignCreateParentStemsIfNotExist(true).save();
 group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();
 attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true);
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?");
@@ -22,18 +22,18 @@ addGroup("ref", "student", "student");
 
 //Create the groups that do the grouper math to analyze the tables.
 addGroup("test:vpn", "vpn_faculty", "vpn_faculty");
-addComposite("test:vpn:vpn_faculty", CompositeType.INTERSECTION, "test:vpn:vpn_access", "ref:faculty");
+addComposite("test:vpn:vpn_faculty", CompositeType.INTERSECTION, "test:vpn:vpn_legacy", "ref:faculty");
 
 addGroup("test:vpn", "vpn_employees", "vpn_employees");
-addComposite("test:vpn:vpn_employees", CompositeType.INTERSECTION, "test:vpn:vpn_access", "ref:staff");
+addComposite("test:vpn:vpn_employees", CompositeType.INTERSECTION, "test:vpn:vpn_legacy", "ref:staff");
 
 addGroup("test:vpn", "vpn_students", "vpn_students");
-addComposite("test:vpn:vpn_students", CompositeType.INTERSECTION, "test:vpn:vpn_access", "ref:student");
+addComposite("test:vpn:vpn_students", CompositeType.INTERSECTION, "test:vpn:vpn_legacy", "ref:student");
 
 addGroup("test:vpn", "vpn_facstaffstudent", "vpn_facstaffstudent");
 addMember("test:vpn:vpn_facstaffstudent", "test:vpn:vpn_faculty");
 addMember("test:vpn:vpn_facstaffstudent", "test:vpn:vpn_employees");
 addMember("test:vpn:vpn_facstaffstudent", "test:vpn:vpn_students");
 
 addGroup("test:vpn", "other_cohorts", "other_cohorts");
-addComposite("test:vpn:other_cohorts", CompositeType.COMPLEMENT, "test:vpn:vpn_access", "test:vpn:vpn_facstaffstudent");
+addComposite("test:vpn:other_cohorts", CompositeType.COMPLEMENT, "test:vpn:vpn_legacy", "test:vpn:vpn_facstaffstudent");

ex401/ex401.1.3/container_files/seed-data/bootstrap.gsh

@@ -8,5 +8,4 @@ addGroup("app:vpn", "vpn_authorized", "vpn_authorized");
 
 addMember("app:vpn:vpn_authorized", "ref:faculty");
 addMember("app:vpn:vpn_authorized", "ref:staff");
-addMember("app:vpn:vpn_authorized", "ref:student");
 addMember("app:vpn:vpn_authorized", "app:vpn:ref:vpn_adhoc");

ex401/ex401.1.4/container_files/grouper-loader.properties

@@ -37,7 +37,7 @@
 #note the URL should start with ldap: or ldaps: if it is SSL.  
 #It should contain the server and port (optional if not default), and baseDn,
 #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
-ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu
+ldap.demo.url = ldap://localhost:389/
 
 #optional, if authenticated
 ldap.demo.user = cn=root,dc=internet2,dc=edu
@@ -79,11 +79,11 @@ changeLog.consumer.pspng_groupOfNames.ldapPoolName = demo
 changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false
 changeLog.consumer.pspng_groupOfNames.memberAttributeName = member
 changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = ${ldapUser.getDn()}
-changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups
+changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups,dc=internet2,dc=edu
 changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = objectclass=groupOfNames
 changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = (&(objectclass=groupOfNames)(cn=${group.name}))
 changeLog.consumer.pspng_groupOfNames.groupSearchAttributes = cn,objectclass
 changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfNames
-changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people
+changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_groupOfNames.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_groupOfNames.grouperIsAuthoritative = true

ex401/ex401.1.4/container_files/seed-data/bootstrap.gsh

@@ -1,6 +1,6 @@
 gs = GrouperSession.startRootSession();
 
-//Assign the PSPNG attribute for the standard groups
+//Assign the PSPNG attribute for the standard groups (needs to match 401.1.5's reset)
 group = GroupFinder.findByName(gs, "app:vpn:vpn_authorized");
 
 # Auto create the PSPNG attributes

ex401/ex401.1.5/container_files/seed-data/bootstrap.gsh

@@ -3,29 +3,48 @@ gs = GrouperSession.startRootSession();
 addStem("ref", "iam", "iam");
 addGroup("ref:iam", "gobal_deny", "gobal_deny");
 
-addGroup("app:vpn", "vpn_permit", "vpn_permit");
+addGroup("app:vpn", "vpn_allow", "vpn_allow");
 addGroup("app:vpn", "vpn_deny", "vpn_deny");
 addMember("app:vpn:vpn_deny", "ref:iam:gobal_deny");
 
 group=addGroup("app:vpn:ref", "vpn_ajohnson409", "vpn_ajohnson409");
 group.setDescription("special project managed by ajohnson409");
 group.store();
-grantPriv("app:vpn:ref:vpn_ajohnson409", "ajohnson409", AccessPrivilege.ADMIN);
+
+addStem("app:vpn", "etc", "etc");
+addGroup("app:vpn:etc", "vpn_ajohnson409_mgr", "vpn_ajohnson409_mgr");
+addMember("app:vpn:etc:vpn_ajohnson409_mgr", "ajohnson409")
+grantPriv("app:vpn:ref:vpn_ajohnson409", "app:vpn:etc:vpn_ajohnson409_mgr", AccessPrivilege.ADMIN);
 
 group=addGroup("app:vpn:ref", "vpn_consultants", "vpn_consultants");
 group.setDescription("Consultants, must be approved by VP and have expiration date set");
 group.store();
 
+//Refactoring group membership
 delGroup("app:vpn:vpn_authorized");
 addGroup("app:vpn", "vpn_authorized", "vpn_authorized");
-addComposite("app:vpn:vpn_authorized", CompositeType.COMPLEMENT, "app:vpn:vpn_permit", "app:vpn:vpn_deny");
-
-addMember("app:vpn:vpn_permit", "ref:faculty");
-addMember("app:vpn:vpn_permit", "ref:staff");
-addMember("app:vpn:vpn_permit", "ref:student");
-addMember("app:vpn:vpn_permit", "app:vpn:ref:vpn_adhoc");
-addMember("app:vpn:vpn_permit", "app:vpn:ref:vpn_ajohnson409");
-addMember("app:vpn:vpn_permit", "app:vpn:ref:vpn_consultants");
+addComposite("app:vpn:vpn_authorized", CompositeType.COMPLEMENT, "app:vpn:vpn_allow", "app:vpn:vpn_deny");
+
+//Assign the PSPNG attribute for the standard groups (needs to match 401.1.4's initial settings)
+group = GroupFinder.findByName(gs, "app:vpn:vpn_authorized");
+
+# Auto create the PSPNG attributes
+# edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_groupOfNames");
+
+pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true);
+AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true);
+attributeAssignSave.assignAttributeDefName(pspngAttribute);
+attributeAssignSave.assignOwnerGroup(group);
+attributeAssignSave.addValue("pspng_groupOfNames");
+attributeAssignSave.save();
+
+
+addMember("app:vpn:vpn_allow", "ref:faculty");
+addMember("app:vpn:vpn_allow", "ref:staff");
+addMember("app:vpn:vpn_allow", "ref:student");
+addMember("app:vpn:vpn_allow", "app:vpn:ref:vpn_adhoc");
+addMember("app:vpn:ref:vpn_adhoc", "app:vpn:ref:vpn_ajohnson409");
+addMember("app:vpn:ref:vpn_adhoc", "app:vpn:ref:vpn_consultants");
 
 
 //Assign the PSPNG attribute for the standard groups

ex401/ex401.1.end/container_files/seed-data/bootstrap.gsh

@@ -17,7 +17,6 @@ addMember("test:cisoQuestionableVpnUsersList","mwilliams144");
 addMember("test:cisoQuestionableVpnUsersList","lpeterson153");
 addMember("test:cisoQuestionableVpnUsersList","mvales154");
 
-
 addGroup("test", "whyvpnaccess", "Why Do They Have VPN Access");
 addComposite("test:whyvpnaccess", CompositeType.INTERSECTION, "app:vpn:vpn_authorized", "test:cisoQuestionableVpnUsersList");