From a833bb583c87441cf16ddc8d4ff99c2c05d9230a Mon Sep 17 00:00:00 2001
From: John Gasper
Date: Wed, 19 Sep 2018 22:50:34 -0700
Subject: [PATCH] ex401.2.* generally complete
---
README.md | 7 ++
.../class-files/AthleticDeptartmentUsers.txt | 15 ++++
ex401/class-files/Non-facultyBannerUsers.txt | 35 +++++++++
ex401/data-generator.html | 78 ++++++++++++++++---
.../container_files/seed-data/bootstrap.gsh | 15 ++++
.../container_files/seed-data/users.ldif | 1 +
.../container_files/seed-data/bootstrap.gsh | 2 +-
.../container_files/grouper-loader.properties | 12 +-
.../idp/conf/authn/general-authn.xml | 11 ++-
.../idp/conf/authn/mfa-authn-config.xml | 2 +-
.../container_files/seed-data/bootstrap.gsh | 28 ++++++-
.../container_files/seed-data/bootstrap.gsh | 36 +++++++++
.../container_files/seed-data/bootstrap.gsh | 3 +-
.../container_files/seed-data/bootstrap.gsh | 10 +++
.../container_files/grouper-loader.properties | 8 +-
full-demo/container_files/subject.properties | 6 +-
manualBuild.sh | 1 +
17 files changed, 237 insertions(+), 33 deletions(-)
create mode 100644 ex401/class-files/AthleticDeptartmentUsers.txt
create mode 100644 ex401/class-files/Non-facultyBannerUsers.txt
diff --git a/README.md b/README.md
index 320fd41..3a4390b 100644
--- a/README.md
+++ b/README.md
@@ -26,11 +26,18 @@ Current tags:
 - ex401.1.3
 - ex401.1.4
 - ex401.1.5
+- ex401.1.6
 - ex401.1.end
 - ex401.2.1
 - ex401.2.2
 - ex401.2.3
 - ex401.2.4
+- ex401.2.5
+- ex401.2.6
+- ex401.2.7
+- ex401.2.8
+- ex401.2.9
+- ex401.2.end
 Browse to `https://localhost/grouper` for Grouper. There is also an app that dumps the SP user attributes at `https://localhost/app`.
diff --git a/ex401/class-files/AthleticDeptartmentUsers.txt b/ex401/class-files/AthleticDeptartmentUsers.txt
new file mode 100644
index 0000000..ee2d78a
--- /dev/null
+++ b/ex401/class-files/AthleticDeptartmentUsers.txt
@@ -0,0 +1,15 @@
+jdavis4
+ldavis5
+janderson13
+rdavis16
+cthompson28
+ahenderson36
+amorrison42
+pthompson61
+bsmith65
+jlangenberg100
+nscott103
+jprice108
+jvales117
+mmartinez133
+mgrady137
diff --git a/ex401/class-files/Non-facultyBannerUsers.txt b/ex401/class-files/Non-facultyBannerUsers.txt
new file mode 100644
index 0000000..deda9d5
--- /dev/null
+++ b/ex401/class-files/Non-facultyBannerUsers.txt
@@ -0,0 +1,35 @@
+nscott103
+jprice108
+mnielson143
+mvales154
+wclark159
+kthompson169
+athompson183
+sanderson191
+jlangenberg194
+jwhite222
+rwilliams230
+pwilliams242
+lprice328
+dgrady331
+edoe348
+svales366
+mhenderson377
+mlewis390
+mroberts391
+llopez398
+amorrison406
+janderson459
+wmartinez487
+lvales502
+cvales514
+jprice523
+rvales544
+iprice563
+bmartinez592
+jnielson598
+amartinez605
+dprice607
+mbutler632
+lbutler643
+dmartinez657
diff --git a/ex401/data-generator.html b/ex401/data-generator.html
index 838156f..70b82a4 100644
--- a/ex401/data-generator.html
+++ b/ex401/data-generator.html
@@ -54,7 +54,7 @@ var departments = ["Computer Science", "Engineering", "Business", "Accounting", "Law", "Physical Education", "Language Arts", "Financial Aid",
- "Information Technology", "Advising", "Purchasing", "Account Payable"
+ "Information Technology", "Advising", "Purchasing", "Accounts Payable"
 ];
 var affiliations = ["student", "staff", "faculty", "alum", "community"];
@@ -94,18 +94,23 @@
 //Add additional randomized characteristics sets here;
 //keep the ordering the same to maintain deterministic capabilities between runs
+
+ //Assign departments
 for (index = 0; index < people.length; ++index) {
 people[index]["department"] = departments[rng.nextRange(0, departments.length)];
 }
+ //Assign affiliations
 for (index = 0; index < people.length; ++index) {
 people[index]["affiliations"] = selectUnduplicated(affiliations, 2);
 }
+ //Assign titles/primary affiliations
 for (index = 0; index < people.length; ++index) {
 people[index]["title"] = rankAffiliations(people[index].affiliations);
 }
+ //Create Course Enrollments
 for (index = 0; index < people.length; ++index) {
 people[index]["courses"] = [];
 if (people[index]["affiliations"].indexOf("student") > -1
@@ -114,14 +119,22 @@
 }
 }
+ //Create vpn_users
 for (index = 0; index < people.length; ++index) {
 people[index].vpn_user = people[index].affiliations.indexOf('staff') >= 0 || people[index].affiliations.indexOf('faculty') >= 0 ?
- (rng.nextFloat() > 0.20): //grab most faculty and staff
+ (rng.nextFloat() > 0.1): //grab most faculty and staff
 rng.nextFloat() > 0.9; // and only a few others
 }
+ //Create vpn users ldap group
 makeQuestionableVpnUsersLists(people);
+ //Create Athletics users
+ makeAthleticsUsersLists(people);
+
+ //Create lists of non-faculty (staff) banner users
+ makeNonFacultyBannerUsersLists(people);
+
 console.log(people);
 //Generate Output
@@ -170,9 +183,6 @@ output += "eduPersonAffiliation: " + person.affiliations[i] + "\n";
 }
- /*if (person.vpn_user == 1) {}
- output += "member: cn=vpn_users,ou=Groups,dc=internet2,dc=edu\n";
-*/
 return output + "\n";
 }
@@ -303,9 +313,44 @@
 }
 }
- document.getElementById('csv').value = csvOutput;
- document.getElementById('gsh').value = gshOutput;
+ document.getElementById('vpnCsv').value = csvOutput;
+ document.getElementById('vpnGsh').value = gshOutput;
 }
+
+ function makeAthleticsUsersLists(people) {
+ var csvOutput = "";
+ var gshOutput = 'addGroup("app:mfa:ref", "athletics_dept", "athletics_dept");\n';
+ var sampleCount = 15;
+
+ for (i = 0; i < people.length && sampleCount > 0; i++) {
+ if (people[i].affiliations.indexOf('staff') >= 0 & rng.nextFloat() > 0.75) {
+ csvOutput = csvOutput + people[i].uid + "\n";
+ gshOutput = gshOutput + 'addMember("app:mfa:ref:athletics_dept","' + people[i].uid + '");\n';
+ sampleCount--;
+ }
+ }
+
+ document.getElementById('athleticsCsv').value = csvOutput;
+ document.getElementById('athleticsGsh').value = gshOutput;
+ }
+
+ function makeNonFacultyBannerUsersLists(people) {
+ var csvOutput = "";
+ var gshOutput = 'addGroup("app:mfa:ref", "NonFacultyBannerINB", "NonFacultyBannerINB");\n';
+ var sampleCount = 35;
+
+ for (i = 100; i < people.length && sampleCount > 0; i++) {
+ if (people[i].affiliations.indexOf('staff') >= 0 & rng.nextFloat() > 0.75) {
+ csvOutput = csvOutput + people[i].uid + "\n";
+ gshOutput = gshOutput + 'addMember("app:mfa:ref:NonFacultyBannerINB","' + people[i].uid + '");\n';
+ sampleCount--;
+ }
+ }
+
+ document.getElementById('bannerCsv').value = csvOutput;
+ document.getElementById('bannerGsh').value = gshOutput;
+ }
+
@@ -318,16 +363,29 @@
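Review bot: makeAthleticsUsersLists and makeNonFacultyBannerUsersLists are the same loop with different constants, both iterate over an undeclared `i` (an implicit global in this non-strict script), and both use bitwise `&` where `&&` is meant. `&` happens to yield the right boolean here, but unlike `&&` it also draws `rng.nextFloat()` on every iteration, so the uids in the committed class files and bootstrap.gsh scripts depend on that quirk; quietly changing it to `&&` would produce different athletics_dept and NonFacultyBannerINB members. I would collapse the two into one parameterised helper, declare the loop index, and keep `&` behind a comment that says why it must stay. The four target ids (`athleticsCsv`, `athleticsGsh`, `bannerCsv`, `bannerGsh`) must exist in the markup hunk further down, which the stripped HTML here does not let me confirm; the first lines of this hunk belong to makeQuestionableVpnUsersLists, whose body starts outside it.
```javascript
    // Shared sampler behind makeAthleticsUsersLists and makeNonFacultyBannerUsersLists.
    // groupName: extension under app:mfa:ref; startIndex: first person considered;
    // sampleCount: how many staff uids to draw; csvId/gshId: textarea ids written to.
    function makeStaffSampleLists(people, groupName, startIndex, sampleCount, csvId, gshId) {
        var csvOutput = "";
        var gshOutput = 'addGroup("app:mfa:ref", "' + groupName + '", "' + groupName + '");\n';

        for (var i = startIndex; i < people.length && sampleCount > 0; i++) {
            // Bitwise & is deliberate: it calls rng.nextFloat() on every iteration,
            // which is what the committed class-file uid lists were generated with.
            // Switching to && would change the sampled members.
            if (people[i].affiliations.indexOf('staff') >= 0 & rng.nextFloat() > 0.75) {
                csvOutput = csvOutput + people[i].uid + "\n";
                gshOutput = gshOutput + 'addMember("app:mfa:ref:' + groupName + '","' + people[i].uid + '");\n';
                sampleCount--;
            }
        }

        document.getElementById(csvId).value = csvOutput;
        document.getElementById(gshId).value = gshOutput;
    }

    function makeAthleticsUsersLists(people) {
        makeStaffSampleLists(people, "athletics_dept", 0, 15, 'athleticsCsv', 'athleticsGsh');
    }

    function makeNonFacultyBannerUsersLists(people) {
        makeStaffSampleLists(people, "NonFacultyBannerINB", 100, 35, 'bannerCsv', 'bannerGsh');
    }
```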

- Ldif:

+ Ldif:

Sql:

- Questionable VPN Users CSV:

+ Questionable VPN Users CSV:

+

+

+ Questionable VPN Users GSH:

+

+ +

+ Athletic Dept CSV:

+

+

+ Atheltics Dept GSH:

+

+

+ Non-faculty Banner Users CSV:

- Questionable VPN Users GSH:

+ Non-faculty Banner Users GSH:

diff --git a/ex401/ex401.1.1/container_files/seed-data/bootstrap.gsh b/ex401/ex401.1.1/container_files/seed-data/bootstrap.gsh
index 064c258..0b53733 100644
--- a/ex401/ex401.1.1/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.1.1/container_files/seed-data/bootstrap.gsh
@@ -14,3 +14,18 @@ setGroupAttr("etc:rolesLoader", "grouperLoaderScheduleType", "CRON");
 setGroupAttr("etc:rolesLoader", "grouperLoaderQuartzCron", "0 * * * * ?");
 setGroupAttr("etc:rolesLoader", "grouperLoaderQuartzCron", "0 * * * * ?");
 setGroupAttr("etc:rolesLoader", "grouperLoaderQuery", "select distinct id as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID, CONCAT('ref:', role) as GROUP_NAME from HR_PEOPLE_ROLES");
+
+group = new GroupSave(gs).assignName("etc:deptLoader").assignCreateParentStemsIfNotExist(true).save();
+group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();
+attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true);
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUPS_FROM_ATTRIBUTES");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(businessCategory=*)");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=People,dc=internet2,dc=edu");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uid");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupAttributeName(), "businessCategory");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), '${subjectAttributes["subjectId"]}');
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupNameExpressionName(), 'ref:dept:${groupAttribute}');
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupDisplayNameExpressionName(), '${groupAttribute}');
diff --git a/ex401/ex401.1.1/container_files/seed-data/users.ldif b/ex401/ex401.1.1/container_files/seed-data/users.ldif
index 3df53ea..75b79c5 100644
--- a/ex401/ex401.1.1/container_files/seed-data/users.ldif
+++ b/ex401/ex401.1.1/container_files/seed-data/users.ldif
@@ -17963,3 +17963,4 @@ member: uid=tjohnson985,ou=people,dc=internet2,dc=edu
 member: uid=elopez987,ou=people,dc=internet2,dc=edu
 member: uid=kvales993,ou=people,dc=internet2,dc=edu
 member: uid=cgasper998,ou=people,dc=internet2,dc=edu
+
diff --git a/ex401/ex401.1.2/container_files/seed-data/bootstrap.gsh b/ex401/ex401.1.2/container_files/seed-data/bootstrap.gsh
index b6bed23..295faab 100644
--- a/ex401/ex401.1.2/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.1.2/container_files/seed-data/bootstrap.gsh
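Review bot: The new etc:deptLoader turns every businessCategory value into a group path verbatim through `ref:dept:${groupAttribute}`, and the filter `(businessCategory=*)` admits any value present in the directory rather than the fixed department list the data generator draws from; a value containing `:` would be read as a stem separator and create an unintended stem under ref:dept. A comment on the group-name line such as `// businessCategory values become group extensions as-is; they must stay colon-free` would make that trust assumption visible to whoever edits the seed data. The search base `ou=People,dc=internet2,dc=edu` is capitalised differently from the `ou=people,dc=internet2,dc=edu` used in the other files of this commit; DN comparison is case-insensitive so it works, but a single spelling would be easier to grep for.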
@@ -10,7 +10,7 @@ attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperL
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_SIMPLE");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(cn=vpn_users)");
-attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=groups");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=groups,dc=internet2,dc=edu");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "member");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), "\${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}");
diff --git a/ex401/ex401.2.3/container_files/grouper-loader.properties b/ex401/ex401.2.3/container_files/grouper-loader.properties
index 792789e..70b4351 100644
--- a/ex401/ex401.2.3/container_files/grouper-loader.properties
+++ b/ex401/ex401.2.3/container_files/grouper-loader.properties
@@ -37,7 +37,7 @@
 #note the URL should start with ldap: or ldaps: if it is SSL.
 #It should contain the server and port (optional if not default), and baseDn,
 #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
-ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu
+ldap.demo.url = ldap://localhost:389/
 #optional, if authenticated
 ldap.demo.user = cn=root,dc=internet2,dc=edu
@@ -79,12 +79,12 @@ changeLog.consumer.pspng_groupOfNames.ldapPoolName = demo
 changeLog.consumer.pspng_groupOfNames.supportsEmptyGroups = false
 changeLog.consumer.pspng_groupOfNames.memberAttributeName = member
 changeLog.consumer.pspng_groupOfNames.memberAttributeValueFormat = ${ldapUser.getDn()}
-changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups
+changeLog.consumer.pspng_groupOfNames.groupSearchBaseDn = ou=groups,dc=internet2,dc=edu
 changeLog.consumer.pspng_groupOfNames.allGroupsSearchFilter = objectclass=groupOfNames
 changeLog.consumer.pspng_groupOfNames.singleGroupSearchFilter = (&(objectclass=groupOfNames)(cn=${group.name}))
 changeLog.consumer.pspng_groupOfNames.groupSearchAttributes = cn,objectclass
 changeLog.consumer.pspng_groupOfNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfNames
-changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people
+changeLog.consumer.pspng_groupOfNames.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_groupOfNames.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_groupOfNames.grouperIsAuthoritative = true
@@ -94,7 +94,7 @@ changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.ps
 changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
 changeLog.consumer.pspng_entitlements.ldapPoolName = demo
 changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
-changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = urn:mace:example.edu:${group.extension}
-changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people
+changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.extension.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}
+changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
-changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=urn:mace:example.edu:
+changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
diff --git a/ex401/ex401.2.4/container_files/idp/conf/authn/general-authn.xml b/ex401/ex401.2.4/container_files/idp/conf/authn/general-authn.xml
index d171696..152d8e2 100644
--- a/ex401/ex401.2.4/container_files/idp/conf/authn/general-authn.xml
+++ b/ex401/ex401.2.4/container_files/idp/conf/authn/general-authn.xml
@@ -122,9 +122,9 @@
+ c:classRef="https://refeds.org/profile/mfa" />
+ c:method="https://refeds.org/profile/mfa" />
@@ -136,7 +136,7 @@ The list below almost certainly requires changes, and should generally be the union of any of the separate factors you combine in your particular MFA flow rules. The example corresponds to the example in mfa-authn-config.xml that
- combines IPAddress with Password.
+ combines GaspoMFA with Password.
 -->
@@ -148,6 +148,11 @@ c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
+
+
+
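Review bot: The new provisionedAttributeValueFormat tests `group.extension.equalsIgnoreCase('app:mfa:mfa_enabled')`, but `extension` is only the last path segment (`mfa_enabled`) while the full path is `group.name`, so the branch can never be taken and the `http://tier.internet2.edu/mfa/enabled` value that mfa-authn-config.xml in this same commit now looks for will not be provisioned; `${group.name.equalsIgnoreCase('app:mfa:mfa_enabled') ? 'http://tier.internet2.edu/mfa/enabled' : 'urn:mace:example.edu:' + group.extension}` reads as the intent. Separately, `allProvisionedValuesPrefix=*` widens the set of eduPersonEntitlement values PSPNG appears to treat as Grouper-owned from the `urn:mace:example.edu:` namespace to every value on the user, so a full sync could remove entitlement values that came from any other source. If the goal is only to also own the TIER MFA value, a comment recording that trade-off belongs above the line, since full-demo/container_files/grouper-loader.properties keeps the narrow prefix in this commit.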
diff --git a/ex401/ex401.2.4/container_files/idp/conf/authn/mfa-authn-config.xml b/ex401/ex401.2.4/container_files/idp/conf/authn/mfa-authn-config.xml
index 3121865..ad07ce9 100644
--- a/ex401/ex401.2.4/container_files/idp/conf/authn/mfa-authn-config.xml
+++ b/ex401/ex401.2.4/container_files/idp/conf/authn/mfa-authn-config.xml
@@ -83,7 +83,7 @@
 // Check for an attribute that authorizes use of first factor.
 attribute = resCtx.getResolvedIdPAttributes().get("eduPersonEntitlement");
 valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
- if (attribute != null && attribute.getValues().contains(new valueType("urn:mace:example.edu:mfa_enabled"))) {
+ if (attribute != null && attribute.getValues().contains(new valueType("http://tier.internet2.edu/mfa/enabled"))) {
 nextFlow = "authn/Gaspo";
 }
diff --git a/ex401/ex401.2.5/container_files/seed-data/bootstrap.gsh b/ex401/ex401.2.5/container_files/seed-data/bootstrap.gsh
index 1699e8e..6a82a24 100644
--- a/ex401/ex401.2.5/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.2.5/container_files/seed-data/bootstrap.gsh
@@ -1,11 +1,31 @@
 gs = GrouperSession.startRootSession();
+
 addStem("ref", "dept", "dept");
-addGroup("ref:dept", "its", "its");
-addMember("app:mfa:mfa_enabled_allow", "ref:dept:its");
+addGroup("ref:dept", "Information Technology", "Information Technology");
+addMember("app:mfa:mfa_enabled_allow", "ref:dept:Information Technology");
 addGroup("app:mfa:ref", "mfa_bypass", "mfa_bypass");
-addGroup("app:mfa:ref", "athletics", "athletics");
 addMember("app:mfa:mfa_enabled_deny", "app:mfa:ref:mfa_bypass");
-addMember("app:mfa:mfa_enabled_allow", "app:mfa:ref:athletics");
\ No newline at end of file
+
+
+addGroup("app:mfa:ref", "athletics_dept", "athletics_dept");
+addMember("app:mfa:ref:athletics_dept","jdavis4");
+addMember("app:mfa:ref:athletics_dept","ldavis5");
+addMember("app:mfa:ref:athletics_dept","janderson13");
+addMember("app:mfa:ref:athletics_dept","rdavis16");
+addMember("app:mfa:ref:athletics_dept","cthompson28");
+addMember("app:mfa:ref:athletics_dept","ahenderson36");
+addMember("app:mfa:ref:athletics_dept","amorrison42");
+addMember("app:mfa:ref:athletics_dept","pthompson61");
+addMember("app:mfa:ref:athletics_dept","bsmith65");
+addMember("app:mfa:ref:athletics_dept","jlangenberg100");
+addMember("app:mfa:ref:athletics_dept","nscott103");
+addMember("app:mfa:ref:athletics_dept","jprice108");
+addMember("app:mfa:ref:athletics_dept","jvales117");
+addMember("app:mfa:ref:athletics_dept","mmartinez133");
+addMember("app:mfa:ref:athletics_dept","mgrady137");
+
+
+addMember("app:mfa:mfa_enabled_allow", "app:mfa:ref:athletics_dept");
diff --git a/ex401/ex401.2.6/container_files/seed-data/bootstrap.gsh b/ex401/ex401.2.6/container_files/seed-data/bootstrap.gsh
index 279613c..7343c7c 100644
--- a/ex401/ex401.2.6/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.2.6/container_files/seed-data/bootstrap.gsh
@@ -1,4 +1,40 @@
 gs = GrouperSession.startRootSession();
 addGroup("app:mfa:ref", "NonFacultyBannerINB", "NonFacultyBannerINB");
+addMember("app:mfa:ref:NonFacultyBannerINB","jprice108");
+addMember("app:mfa:ref:NonFacultyBannerINB","mnielson143");
+addMember("app:mfa:ref:NonFacultyBannerINB","mvales154");
+addMember("app:mfa:ref:NonFacultyBannerINB","wclark159");
+addMember("app:mfa:ref:NonFacultyBannerINB","kthompson169");
+addMember("app:mfa:ref:NonFacultyBannerINB","athompson183");
+addMember("app:mfa:ref:NonFacultyBannerINB","sanderson191");
+addMember("app:mfa:ref:NonFacultyBannerINB","jlangenberg194");
+addMember("app:mfa:ref:NonFacultyBannerINB","jwhite222");
+addMember("app:mfa:ref:NonFacultyBannerINB","rwilliams230");
+addMember("app:mfa:ref:NonFacultyBannerINB","pwilliams242");
+addMember("app:mfa:ref:NonFacultyBannerINB","lprice328");
+addMember("app:mfa:ref:NonFacultyBannerINB","dgrady331");
+addMember("app:mfa:ref:NonFacultyBannerINB","edoe348");
+addMember("app:mfa:ref:NonFacultyBannerINB","svales366");
+addMember("app:mfa:ref:NonFacultyBannerINB","mhenderson377");
+addMember("app:mfa:ref:NonFacultyBannerINB","mlewis390");
+addMember("app:mfa:ref:NonFacultyBannerINB","mroberts391");
+addMember("app:mfa:ref:NonFacultyBannerINB","llopez398");
+addMember("app:mfa:ref:NonFacultyBannerINB","amorrison406");
+addMember("app:mfa:ref:NonFacultyBannerINB","janderson459");
+addMember("app:mfa:ref:NonFacultyBannerINB","wmartinez487");
+addMember("app:mfa:ref:NonFacultyBannerINB","lvales502");
+addMember("app:mfa:ref:NonFacultyBannerINB","cvales514");
+addMember("app:mfa:ref:NonFacultyBannerINB","jprice523");
+addMember("app:mfa:ref:NonFacultyBannerINB","rvales544");
+addMember("app:mfa:ref:NonFacultyBannerINB","iprice563");
+addMember("app:mfa:ref:NonFacultyBannerINB","bmartinez592");
+addMember("app:mfa:ref:NonFacultyBannerINB","jnielson598");
+addMember("app:mfa:ref:NonFacultyBannerINB","amartinez605");
+addMember("app:mfa:ref:NonFacultyBannerINB","dprice607");
+addMember("app:mfa:ref:NonFacultyBannerINB","mbutler632");
+addMember("app:mfa:ref:NonFacultyBannerINB","lbutler643");
+addMember("app:mfa:ref:NonFacultyBannerINB","dmartinez657");
+
+
 addMember("app:mfa:mfa_enabled_allow", "app:mfa:ref:NonFacultyBannerINB");
\ No newline at end of file
diff --git a/ex401/ex401.2.9/container_files/seed-data/bootstrap.gsh b/ex401/ex401.2.9/container_files/seed-data/bootstrap.gsh
index 60808f7..45fe101 100644
--- a/ex401/ex401.2.9/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.2.9/container_files/seed-data/bootstrap.gsh
@@ -2,6 +2,7 @@ gs = GrouperSession.startRootSession();
 addStem("app:mfa", "basis", "basis");
 addGroup("app:mfa:basis", "bypass", "bypass");
-addComposite("app:mfa:ref:mfa_opt_in_access", CompositeType.COMPLEMENT, "app:mfa:basis:bypass", "app:mfa:ref:opt-in");
 addGroup("app:mfa:ref", "bypass-not-opt-in", "bypass-not-opt-in");
+addComposite("app:mfa:ref:bypass-not-opt-in", CompositeType.COMPLEMENT, "app:mfa:basis:bypass", "app:mfa:ref:mfa_opt_in");
+
 addMember("app:mfa:mfa_enabled_deny", "app:mfa:ref:bypass-not-opt-in");
\ No newline at end of file
diff --git a/ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh b/ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh
index e3d5848..1289355 100644
--- a/ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh
+++ b/ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh
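Review bot: The NonFacultyBannerINB membership added in this hunk has 34 addMember lines, while ex401/class-files/Non-facultyBannerUsers.txt added in the same commit lists 35 uids; `nscott103`, the first entry of the class file, is the one missing here. If the omission is deliberate (nscott103 is also placed in athletics_dept by the ex401.2.5 bootstrap), a comment saying so would stop the next person from "fixing" it, e.g. `// nscott103 intentionally omitted: already exercised via athletics_dept`; otherwise add `addMember("app:mfa:ref:NonFacultyBannerINB","nscott103");` before the `jprice108` line. The same list is also produced by makeNonFacultyBannerUsersLists in data-generator.html, so the three copies will drift unless one of them is declared authoritative.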
@@ -3,3 +3,13 @@ gs = GrouperSession.startRootSession();
 addMember("app:mfa:mfa_enabled_allow", "ref:faculty");
 addMember("app:mfa:mfa_enabled_allow", "ref:staff");
 addMember("app:mfa:mfa_enabled_allow", "ref:student");
+
+delGroup("app:mfa:ref:pilot");
+delGroup("app:mfa:ref:mfa_opt_in_access");
+delGroup("app:mfa:ref:mfa_opt_in_access_allow");
+delGroup("app:mfa:ref:mfa_opt_in_access_deny");
+delGroup("app:mfa:ref:mfa_opt_in");
+delGroup("app:mfa:ref:bypass-not-opt-in");
+delGroup("app:mfa:ref:BannerUsersMinusFaculty");
+delGroup("app:mfa:ref:NonFacultyBannerINB");
+delGroup("app:mfa:ref:athletics_dept");
\ No newline at end of file
diff --git a/full-demo/container_files/grouper-loader.properties b/full-demo/container_files/grouper-loader.properties
index 3c4194e..fbf9c2b 100644
--- a/full-demo/container_files/grouper-loader.properties
+++ b/full-demo/container_files/grouper-loader.properties
@@ -37,7 +37,7 @@
 #note the URL should start with ldap: or ldaps: if it is SSL.
 #It should contain the server and port (optional if not default), and baseDn,
 #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
-ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu
+ldap.demo.url = ldap://localhost:389/
 #optional, if authenticated
 ldap.demo.user = cn=root,dc=internet2,dc=edu
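Review bot: The delGroup sequence removes `app:mfa:ref:mfa_opt_in` before `app:mfa:ref:bypass-not-opt-in`, yet the ex401.2.9 bootstrap in this same commit makes mfa_opt_in a factor of the bypass-not-opt-in composite; as far as I recall Grouper refuses to delete a group that is still a composite factor, and an exception at that line would leave the remaining delGroup calls unexecuted. Deleting the composite owner first, i.e. moving `delGroup("app:mfa:ref:bypass-not-opt-in");` above the `mfa_opt_in` line, sidesteps the question. The same consideration applies to `mfa_opt_in_access` if it still owns a composite in an earlier exercise, which this diff does not show.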
@@ -80,12 +80,12 @@ changeLog.consumer.pspng_groupOfUniqueNames.supportsEmptyGroups = false
 changeLog.consumer.pspng_groupOfUniqueNames.memberAttributeName = uniqueMember
 # changeLog.consumer.pspng_groupOfUniqueNames.memberAttributeValueFormat = ${ldapUser.getStringValue("uid")}
 changeLog.consumer.pspng_groupOfUniqueNames.memberAttributeValueFormat = ${ldapUser.getDn()}
-changeLog.consumer.pspng_groupOfUniqueNames.groupSearchBaseDn = ou=groups
+changeLog.consumer.pspng_groupOfUniqueNames.groupSearchBaseDn = ou=groups,dc=internet2,dc=edu
 changeLog.consumer.pspng_groupOfUniqueNames.allGroupsSearchFilter = objectclass=groupOfUniqueNames
 changeLog.consumer.pspng_groupOfUniqueNames.singleGroupSearchFilter = (&(objectclass=groupOfUniqueNames)(cn=${group.name}))
 changeLog.consumer.pspng_groupOfUniqueNames.groupSearchAttributes = cn,objectclass
 changeLog.consumer.pspng_groupOfUniqueNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfUniqueNames
-changeLog.consumer.pspng_groupOfUniqueNames.userSearchBaseDn = ou=people
+changeLog.consumer.pspng_groupOfUniqueNames.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_groupOfUniqueNames.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_groupOfUniqueNames.grouperIsAuthoritative = true
 changeLog.consumer.pspng_groupOfUniqueNames.provisionedAttributeName = eduPersonEntitlement
@@ -98,6 +98,6 @@ changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
 changeLog.consumer.pspng_entitlements.ldapPoolName = demo
 changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
 changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = urn:mace:example.edu:${group.extension}
-changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people
+changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=urn:mace:example.edu:
diff --git a/full-demo/container_files/subject.properties b/full-demo/container_files/subject.properties
index d899efd..fcdbbc4 100644
--- a/full-demo/container_files/subject.properties
+++ b/full-demo/container_files/subject.properties
@@ -55,7 +55,7 @@ subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber
 # Each subject has one and only on ID. Returns one result when searching for one ID.
 subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectclass=person))
 subjectApi.source.ldap.search.searchSubject.param.scope.value = SUBTREE_SCOPE
-subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people
+subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=internet2,dc=edu
 #searchSubjectByIdentifier: find a subject by identifier. Identifier is anything that uniquely
 # identifies the user, e.g. jsmith or jsmith@institution.edu.
@@ -63,13 +63,13 @@ subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people
 # even across sources. Returns one result when searching for one identifier.
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person))
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE
-subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people
+subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu
 # search: find subjects by free form search. Returns multiple results.
 subjectApi.source.ldap.search.search.param.filter.value = (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person))
 subjectApi.source.ldap.search.search.param.scope.value = SUBTREE_SCOPE
-subjectApi.source.ldap.search.search.param.base.value = ou=people
+subjectApi.source.ldap.search.search.param.base.value = ou=people,dc=internet2,dc=edu
 subjectApi.source.ldap.attributes = givenName, sn, uid, mail, employeeNumber
 subjectApi.source.ldap.internalAttributes = searchAttribute0
diff --git a/manualBuild.sh b/manualBuild.sh
index 5398f46..8697884 100755
--- a/manualBuild.sh
+++ b/manualBuild.sh
@@ -16,6 +16,7 @@ docker build --pull --tag=tier/grouper-training-env:base base/ \
 && docker build --tag=tier/grouper-training-env:ex401.2.7 ex401/ex401.2.7 \
 && docker build --tag=tier/grouper-training-env:ex401.2.8 ex401/ex401.2.8 \
 && docker build --tag=tier/grouper-training-env:ex401.2.9 ex401/ex401.2.9 \
+&& docker build --tag=tier/grouper-training-env:ex401.2.end ex401/ex401.2.end \
 && docker build --tag=tier/grouper-training-env:ex401.3.1 ex401/ex401.3.1 \
 && docker build --tag=tier/grouper-training-env:ex401.3.2 ex401/ex401.3.2 \
 && docker build --tag=tier/grouper-training-env:ex401.3.3 ex401/ex401.3.3 \