~ Copyright (c) 2019 Evolveum and contributors
~ This work is dual-licensed under the Apache License 2.0
~ and European Union Public License. See LICENSE file for details.
<role xmlns=""
<description>A metarole for archetyped LDAP groups</description>
This metarole supports LDAP groups that correspond to appropriately archetyped
org objects.
The schema is the following:
org -> archetype -> this metarole
affiliation_member -> archetype affiliation -> metarole-ldap-group
or org-grouper-sysadmin -> archetype midpoint-group -> metarole-ldap-group
1) An org has an appropriate archetype, e.g. affiliation_member has the archetype affiliation;
org-grouper-sysadmin has the archetype midpoint-group.
2) This archetype defines the LDAP root for the particular class of orgs, e.g.
ou=Affiliations,ou=Groups,dc=internet2,dc=edu for affiliations or
ou=midpoint,ou=Groups,dc=internet2,dc=edu for midPoint-defined groups.
3) To avoid code duplication, these archetypes delegate everything related
to LDAP to this metarole.
This metarole does three things:
1) It ensures that extension/ldapDn is filled in for the particular org object.
This property is then used by the LDAP resource outbound mappings to provide
a value for the ri:dn attribute.
The value of extension/ldapDn is determined as
cn=identifier (from the org) + ldapRootDn (from the archetype)
2) It ensures that the appropriate group object is created in LDAP.
This is done by inducing a construction with kind=entitlement,
intent=group to the org object (i.e. inducement order=2).
3) It ensures that the appropriate group membership is created in LDAP
for any user that has an assignment to the org object. This is done
by inducing a construction with the default kind and intent (i.e. a regular
account) to the user that has the org object assigned (i.e. inducement order=3).
<!-- Fills in extension/ldapDn in the org object -->
if (identifier == null) {
    // no identifier: the mapping yields no value
} else {
    // identifier = e.g. 'member'
    metarole = assignmentPath[-2].source // e.g. metarole-affiliation
    log.info('metarole = {}', metarole) // logging call reconstructed from a garbled line; the method name is assumed
    if (metarole == null) {
        throw new IllegalStateException('No metarole in assignment path: ' + assignmentPath)
    }
    // result of the script: the DN of the group, one RDN below the root defined by the archetype
    'cn=' + identifier + ',' + basic.getExtensionPropertyValue(metarole, 'ldapRootDn')
}
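The DN derivation above, as an added stand-alone model (not code from this metarole or from midPoint): it goes one step beyond the script by escaping the org identifier as an RDN attribute value per RFC 4514 before joining it to the archetype's ldapRootDn, and adds a check that the result sits exactly one RDN below that root. Function names, the comma-containing identifier and the "missing ldapRootDn" handling are assumptions made for the example.

```python
from typing import List, Optional

# Characters that must be backslash-escaped in an RDN attribute value (RFC 4514, section 2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in an RDN, per RFC 4514."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))  # control characters as hex pairs
        else:
            out.append(ch)
    return ''.join(out)


def derive_ldap_dn(identifier: Optional[str], ldap_root_dn: Optional[str]) -> Optional[str]:
    """cn=<identifier>,<ldapRootDn>, as the metarole's mapping computes it, with escaping added.

    identifier is the org's identifier (e.g. 'member'); ldap_root_dn is the archetype's
    extension/ldapRootDn. As in the script, no identifier means no value; unlike the script,
    a missing root is rejected here instead of producing a DN with a dangling comma (assumption).
    """
    if identifier is None:
        return None
    if ldap_root_dn is None:
        raise ValueError('No ldapRootDn available for identifier ' + identifier)
    return 'cn=' + escape_rdn_value(identifier) + ',' + ldap_root_dn


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDNs on commas that are not backslash-escaped."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == ',':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return parts


def check_under_root(dn: str, ldap_root_dn: str) -> bool:
    """The derived DN must be exactly one RDN below the archetype's root, nothing more."""
    return dn.endswith(',' + ldap_root_dn) and len(split_rdns(dn)) == len(split_rdns(ldap_root_dn)) + 1
```

Run against the affiliation root from the page, 'member' yields cn=member,ou=Affiliations,ou=Groups,dc=internet2,dc=edu; a constructed identifier such as 'staff,ou=People' is escaped so the comma stays inside the cn value instead of adding an extra RDN.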
<order>2</order> <!-- order=2 means the org object: org->archetype->metarole -->
<!-- Provides LDAP group for the org object -->
<resourceRef oid="0a37121f-d515-4a23-9b6d-554c5ef61272" relation="org:default" type="c:ResourceType" />
<order>2</order> <!-- order=2 means the org object: org->archetype->metarole -->
<!-- Provides LDAP group membership for the org object members (users) -->
<resourceRef oid="0a37121f-d515-4a23-9b6d-554c5ef61272" relation="org:default" type="c:ResourceType" />
<assignmentPathIndex>1</assignmentPathIndex> <!-- derive from the immediately assigned org -->
<order>3</order> <!-- order=3 means the user object; user has an assignment to the org: user->org->archetype->metarole -->