From 0a56b12a27a377f56a886e9f4428e599a04b2625 Mon Sep 17 00:00:00 2001
From: Pavol Mederly <mederly@evolveum.com>
Date: Sun, 12 Aug 2018 01:09:13 +0200
Subject: [PATCH] Add first grouper<->midpoint demo files

First attempt at grouper<->midpoint interconnection
demonstration. There's "OpenLDAP edu" resource used
to import users into midPoint and "Grouper SQL" resource
used to import group membership information from Grouper.

Work in progress. Very limited functionality as for now.
---
 .../objects/resources/ldap-edu.xml            | 233 ++++++++++++++++++
 .../objects/resources/scriptedsql-grouper.xml | 132 ++++++++++
 grouper-midpoint-demo/schema/user-schema.xsd  |  22 ++
 .../scriptedsql/grouper/SchemaScript.groovy   |  91 +++++++
 .../scriptedsql/grouper/SearchScript.groovy   |  79 ++++++
 .../scriptedsql/grouper/TestScript.groovy     |  38 +++
 6 files changed, 595 insertions(+)
 create mode 100644 grouper-midpoint-demo/objects/resources/ldap-edu.xml
 create mode 100644 grouper-midpoint-demo/objects/resources/scriptedsql-grouper.xml
 create mode 100644 grouper-midpoint-demo/schema/user-schema.xsd
 create mode 100644 grouper-midpoint-demo/scriptedsql/grouper/SchemaScript.groovy
 create mode 100644 grouper-midpoint-demo/scriptedsql/grouper/SearchScript.groovy
 create mode 100644 grouper-midpoint-demo/scriptedsql/grouper/TestScript.groovy

diff --git a/grouper-midpoint-demo/objects/resources/ldap-edu.xml b/grouper-midpoint-demo/objects/resources/ldap-edu.xml
new file mode 100644
index 0000000..b8f1e0f
--- /dev/null
+++ b/grouper-midpoint-demo/objects/resources/ldap-edu.xml
@@ -0,0 +1,233 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- ~ Copyright (c) 2010-2017 Evolveum ~ ~ Licensed under the Apache License, 
+	Version 2.0 (the "License"); ~ you may not use this file except in compliance 
+	with the License. ~ You may obtain a copy of the License at ~ ~ http://www.apache.org/licenses/LICENSE-2.0 
+	~ ~ Unless required by applicable law or agreed to in writing, software ~ 
+	distributed under the License is distributed on an "AS IS" BASIS, ~ WITHOUT 
+	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ~ See the 
+	License for the specific language governing permissions and ~ limitations 
+	under the License. -->
+
+
+<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3' xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+	xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
+	xmlns:my="http://whatever.com/my" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+	xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3"
+	xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
+
+	<resource oid="18eceda9-b6cd-4bdd-a06b-e77d4fddf975">
+
+		<name>OpenLDAP edu</name>
+
+		<connectorRef type="ConnectorType">
+			<filter>
+				<q:equal>
+					<q:path>c:connectorType</q:path>
+					<q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value>
+				</q:equal>
+			</filter>
+		</connectorRef>
+
+		<connectorConfiguration
+			xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
+			xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
+			<icfc:configurationProperties>
+				<icfcldap:port>389</icfcldap:port>
+				<icfcldap:host>grouper</icfcldap:host>
+				<icfcldap:baseContext>dc=internet2,dc=edu</icfcldap:baseContext>
+				<icfcldap:bindDn>cn=root,dc=internet2,dc=edu</icfcldap:bindDn>
+				<icfcldap:bindPassword>
+					<t:clearValue>password</t:clearValue>
+				</icfcldap:bindPassword>
+				<icfcldap:usePermissiveModify>always</icfcldap:usePermissiveModify>
+				<icfcldap:pagingStrategy>spr</icfcldap:pagingStrategy>
+				<icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm>
+				<!-- >icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute> <icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule -->
+				<icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
+				<icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
+			</icfc:configurationProperties>
+			<icfc:resultsHandlerConfiguration>
+				<icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
+				<icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
+				<icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
+			</icfc:resultsHandlerConfiguration>
+		</connectorConfiguration>
+
+		<schema>
+			<generationConstraints>
+				<generateObjectClass>ri:inetOrgPerson</generateObjectClass>
+				<generateObjectClass>ri:eduPerson</generateObjectClass>
+				<generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
+				<generateObjectClass>ri:groupOfNames</generateObjectClass>
+				<generateObjectClass>ri:organizationalUnit</generateObjectClass>
+			</generationConstraints>
+		</schema>
+
+		<schemaHandling>
+			<objectType>
+				<kind>account</kind>
+				<displayName>Normal Account</displayName>
+				<default>true</default>
+				<objectClass>ri:inetOrgPerson</objectClass>
+				<auxiliaryObjectClass>ri:eduPerson</auxiliaryObjectClass>
+				<attribute>
+					<ref>ri:dn</ref>
+					<displayName>Distinguished Name</displayName>
+					<limitations>
+						<minOccurs>0</minOccurs>
+					</limitations>
+					<matchingRule>mr:stringIgnoreCase</matchingRule>
+				</attribute>
+				<attribute>
+					<ref>ri:entryUUID</ref>
+					<displayName>Entry UUID</displayName>
+					<limitations>
+						<access>
+							<read>true</read>
+							<add>false</add>
+							<modify>true</modify>
+						</access>
+					</limitations>
+					<matchingRule>mr:stringIgnoreCase</matchingRule>
+				</attribute>
+				<attribute>
+					<ref>ri:cn</ref>
+					<displayName>Common Name</displayName>
+					<limitations>
+						<minOccurs>0</minOccurs>
+					</limitations>
+					<inbound>
+						<target>
+							<path>fullName</path>
+						</target>
+					</inbound>
+				</attribute>
+				<attribute>
+					<ref>ri:sn</ref>
+					<displayName>Surname</displayName>
+					<limitations>
+						<minOccurs>0</minOccurs>
+					</limitations>
+					<inbound>
+						<target>
+							<path>familyName</path>
+						</target>
+					</inbound>
+				</attribute>
+				<attribute>
+					<ref>ri:givenName</ref>
+					<displayName>Given Name</displayName>
+					<inbound>
+						<target>
+							<path>givenName</path>
+						</target>
+					</inbound>
+				</attribute>
+				<attribute>
+					<ref>ri:uid</ref>
+					<displayName>Login Name</displayName>
+					<matchingRule>mr:stringIgnoreCase</matchingRule>
+					<inbound>
+						<target>
+							<path>name</path>
+						</target>
+					</inbound>
+				</attribute>
+				<attribute>
+					<ref>ri:mail</ref>
+					<displayName>Mail</displayName>
+					<matchingRule>mr:stringIgnoreCase</matchingRule>
+					<inbound>
+						<target>
+							<path>emailAddress</path>
+						</target>
+					</inbound>
+				</attribute>
+				<attribute>
+					<ref>ri:employeeNumber</ref>
+					<inbound>
+						<target>
+							<path>employeeNumber</path>
+						</target>
+					</inbound>
+				</attribute>
+				<attribute>
+					<ref>ri:businessCategory</ref>
+					<inbound>
+						<target>
+							<path>extension/ldap_businessCategory</path>
+						</target>
+					</inbound>
+				</attribute>
+				<attribute>
+					<ref>ri:eduPersonAffiliation</ref>
+					<inbound>
+						<target>
+							<path>extension/ldap_eduPersonAffiliation</path>
+						</target>
+					</inbound>
+				</attribute>
+				<protected>
+					<filter>
+						<q:equal>
+							<q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#stringIgnoreCase</q:matching>
+							<q:path>attributes/ri:dn</q:path>
+							<q:value>cn=root,dc=internet2,dc=edu</q:value>
+						</q:equal>
+					</filter>
+				</protected>
+			</objectType>
+
+		</schemaHandling>
+
+		<synchronization>
+			<objectSynchronization>
+				<enabled>true</enabled>
+
+				<correlation>
+					<q:equal>
+						<q:path>name</q:path>
+						<expression>
+							<path>
+								declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
+								$account/attributes/ri:uid
+							</path>
+						</expression>
+					</q:equal>
+				</correlation>
+
+				<reaction>
+					<situation>linked</situation>
+					<synchronize>true</synchronize>
+				</reaction>
+				<reaction>
+					<situation>deleted</situation>
+					<synchronize>true</synchronize>
+					<action>
+						<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
+					</action>
+				</reaction>
+
+				<reaction>
+					<situation>unlinked</situation>
+					<synchronize>true</synchronize>
+					<action>
+						<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
+					</action>
+				</reaction>
+				<reaction>
+					<situation>unmatched</situation>
+					<synchronize>true</synchronize>
+					<action>
+						<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
+					</action>
+				</reaction>
+			</objectSynchronization>
+		</synchronization>
+
+	</resource>
+
+</objects>
diff --git a/grouper-midpoint-demo/objects/resources/scriptedsql-grouper.xml b/grouper-midpoint-demo/objects/resources/scriptedsql-grouper.xml
new file mode 100644
index 0000000..9a2e8e6
--- /dev/null
+++ b/grouper-midpoint-demo/objects/resources/scriptedsql-grouper.xml
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<c:resource oid="ef2bc95b-76e0-48e2-86d6-3d4f02d420db" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+	xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3" xmlns:my="http://myself.me/schemas/whatever" xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
+
+	<c:name>Grouper SQL</c:name>
+
+	<connectorRef type="ConnectorType">
+		<filter>
+			<q:equal>
+				<q:path>connectorType</q:path>
+				<q:value>net.tirasa.connid.bundles.db.scriptedsql.ScriptedSQLConnector</q:value>
+			</q:equal>
+		</filter>
+	</connectorRef>
+
+	<c:connectorConfiguration>
+
+		<icfc:configurationProperties 
+			xmlns:icscscriptedsql="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/net.tirasa.connid.bundles.db.scriptedsql/net.tirasa.connid.bundles.db.scriptedsql.ScriptedSQLConnector">
+			<icscscriptedsql:host>grouper</icscscriptedsql:host>
+			<icscscriptedsql:port>3306</icscscriptedsql:port>
+			<icscscriptedsql:quoting></icscscriptedsql:quoting>
+			<icscscriptedsql:user>root</icscscriptedsql:user>
+			<icscscriptedsql:password>
+				<clearValue></clearValue>
+			</icscscriptedsql:password>
+			<icscscriptedsql:database>grouper</icscscriptedsql:database>
+			<!-- >icscscriptedsql:clearTextPasswordToScript>true</icscscriptedsql:clearTextPasswordToScript -->
+			<icscscriptedsql:scriptingLanguage>GROOVY</icscscriptedsql:scriptingLanguage>
+
+			<icscscriptedsql:searchScriptFileName>/opt/midpoint/var/res/SearchScript.groovy</icscscriptedsql:searchScriptFileName>
+			<icscscriptedsql:testScriptFileName>/opt/midpoint/var/res/TestScript.groovy</icscscriptedsql:testScriptFileName>
+			<icscscriptedsql:schemaScriptFileName>/opt/midpoint/var/res/SchemaScript.groovy</icscscriptedsql:schemaScriptFileName>
+			
+			<icscscriptedsql:reloadScriptOnExecution>true</icscscriptedsql:reloadScriptOnExecution>
+			<!-- >icscscriptedsql:syncScriptFileName>/opt/midpoint/var/res/SyncScript.groovy</icscscriptedsql:syncScriptFileName -->
+
+			<icscscriptedsql:validConnectionQuery></icscscriptedsql:validConnectionQuery>
+			<icscscriptedsql:jndiProperties></icscscriptedsql:jndiProperties>
+
+			<icscscriptedsql:jdbcDriver>org.mariadb.jdbc.Driver</icscscriptedsql:jdbcDriver>
+			<icscscriptedsql:jdbcUrlTemplate>jdbc:mysql://%h:%p/%d?useUnicode=true&amp;characterEncoding=utf8&amp;connectionCollation=utf8_bin</icscscriptedsql:jdbcUrlTemplate>
+			<icscscriptedsql:enableEmptyString>true</icscscriptedsql:enableEmptyString>
+			<icscscriptedsql:rethrowAllSQLExceptions>true</icscscriptedsql:rethrowAllSQLExceptions>
+			<icscscriptedsql:nativeTimestamps>false</icscscriptedsql:nativeTimestamps>
+			<icscscriptedsql:allNative>false</icscscriptedsql:allNative>
+			<!--<icscscriptedsql:changeLogColumn>timestamp</icscscriptedsql:changeLogColumn> -->
+			<icscscriptedsql:datasource></icscscriptedsql:datasource>
+		</icfc:configurationProperties>
+
+		<!-- Generic ICF configuration -->
+
+	</c:connectorConfiguration>
+
+	<schemaHandling>
+		<objectType>
+			<kind>account</kind>
+			<displayName>Normal Account</displayName>
+			<default>true</default>
+			<objectClass>ri:AccountObjectClass</objectClass>
+			<attribute>
+				<ref>ri:subject_id</ref>
+				<displayName>Subject ID</displayName>
+			</attribute>
+			<attribute>
+				<ref>ri:subject_identifier0</ref>
+				<displayName>Subject Identifier</displayName>
+			</attribute>
+			<attribute>
+				<ref>ri:name</ref>
+				<displayName>Name</displayName>
+			</attribute>
+			<attribute>
+				<ref>ri:group</ref>
+				<displayName>Subject Groups</displayName>
+				<inbound>
+					<target>
+						<path>extension/grouper_group</path>
+					</target>
+				</inbound>
+			</attribute>
+		</objectType>
+	</schemaHandling>
+
+	<synchronization>
+		<objectSynchronization>
+			<enabled>true</enabled>
+
+			<correlation>
+				<q:equal>
+					<q:path>employeeNumber</q:path>
+					<expression>
+						<path>
+							declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
+							$account/attributes/ri:subject_identifier0
+						</path>
+					</expression>
+				</q:equal>
+			</correlation>
+
+			<reaction>
+				<situation>linked</situation>
+				<synchronize>true</synchronize>
+			</reaction>
+			<reaction>
+				<situation>deleted</situation>
+				<synchronize>true</synchronize>
+				<action>
+					<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
+				</action>
+			</reaction>
+
+			<reaction>
+				<situation>unlinked</situation>
+				<synchronize>true</synchronize>
+				<action>
+					<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
+				</action>
+			</reaction>
+			<reaction>
+				<situation>unmatched</situation>
+				<synchronize>true</synchronize>
+				<!-- >action>
+					<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri>
+				</action  -->
+			</reaction>
+		</objectSynchronization>
+	</synchronization>
+
+</c:resource>
+
diff --git a/grouper-midpoint-demo/schema/user-schema.xsd b/grouper-midpoint-demo/schema/user-schema.xsd
new file mode 100644
index 0000000..4b745f1
--- /dev/null
+++ b/grouper-midpoint-demo/schema/user-schema.xsd
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+
+<xsd:schema elementFormDefault="qualified"
+  targetNamespace="http://grouper-demo.tier.internet2.edu"
+  xmlns:tns="http://grouper-demo.tier.internet2.edu"
+  xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
+  xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+
+  <xsd:complexType name="UserExtensionType">
+    <xsd:annotation>
+      <xsd:appinfo>
+        <a:extension ref="c:UserType"/>
+      </xsd:appinfo>
+    </xsd:annotation>
+    <xsd:sequence>
+		<xsd:element name="ldap_eduPersonAffiliation" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
+		<xsd:element name="ldap_businessCategory" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
+		<xsd:element name="grouper_group" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
+    </xsd:sequence>
+  </xsd:complexType>  
+</xsd:schema>
diff --git a/grouper-midpoint-demo/scriptedsql/grouper/SchemaScript.groovy b/grouper-midpoint-demo/scriptedsql/grouper/SchemaScript.groovy
new file mode 100644
index 0000000..857e6c1
--- /dev/null
+++ b/grouper-midpoint-demo/scriptedsql/grouper/SchemaScript.groovy
@@ -0,0 +1,91 @@
+/* 
+ * ====================
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ * 
+ * Copyright 2013 ForgeRock. All rights reserved.
+ * 
+ * The contents of this file are subject to the terms of the Common Development
+ * and Distribution License("CDDL") (the "License").  You may not use this file
+ * except in compliance with the License.
+ * 
+ * You can obtain a copy of the License at
+ * http://opensource.org/licenses/cddl1.php
+ * See the License for the specific language governing permissions and limitations
+ * under the License.
+ * 
+ * When distributing the Covered Code, include this CDDL Header Notice in each file
+ * and include the License file at http://opensource.org/licenses/cddl1.php.
+ * If applicable, add the following below this CDDL Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyrighted [year] [name of copyright owner]"
+ * ====================
+ * Portions Copyrighted 2013 ConnId.
+ */
+import org.identityconnectors.framework.common.objects.AttributeInfo;
+import org.identityconnectors.framework.common.objects.AttributeInfo.Flags;
+import org.identityconnectors.framework.common.objects.AttributeInfoBuilder;
+import org.identityconnectors.framework.common.objects.ObjectClassInfo;
+import org.identityconnectors.framework.common.objects.ObjectClassInfoBuilder;
+
+// Parameters:
+// The connector sends the following:
+// action: a string describing the action ("SCHEMA" here)
+// log: a handler to the Log facility
+// builder: SchemaBuilder instance for the connector
+//
+// The connector will make the final call to builder.build()
+// so the scipt just need to declare the different object types.
+
+// This sample shows how to create 3 basic ObjectTypes: __ACCOUNT__, __GROUP__ and organization.
+// Each of them contains one required attribute and normal String attributes
+
+
+log.info("Entering "+action+" Script");
+
+// Declare the __ACCOUNT__ attributes
+// Make the uid required
+uidAIB = new AttributeInfoBuilder("uid",String.class);
+uidAIB.setRequired(true);
+
+accAttrsInfo = new HashSet<AttributeInfo>();
+accAttrsInfo.add(uidAIB.build());
+accAttrsInfo.add(AttributeInfoBuilder.build("subject_id", String.class));
+accAttrsInfo.add(AttributeInfoBuilder.build("subject_identifier0", String.class));
+accAttrsInfo.add(AttributeInfoBuilder.build("sort_string0", String.class));
+accAttrsInfo.add(AttributeInfoBuilder.build("search_string0", String.class));
+accAttrsInfo.add(AttributeInfoBuilder.build("name", String.class));
+accAttrsInfo.add(AttributeInfoBuilder.build("description", String.class));
+accAttrsInfo.add(AttributeInfoBuilder.build("group", String.class, [Flags.MULTIVALUED] as Set));
+// Create the __ACCOUNT__ Object class
+final ObjectClassInfo ociAccount = new ObjectClassInfoBuilder().setType("__ACCOUNT__").addAllAttributeInfo(accAttrsInfo).build();
+builder.defineObjectClass(ociAccount);
+
+/*
+// Declare the __GROUP__ attributes
+// Make the gid required
+gidAIB = new AttributeInfoBuilder("gid",String.class);
+gidAIB.setRequired(true);
+
+grpAttrsInfo = new HashSet<AttributeInfo>();
+grpAttrsInfo.add(gidAIB.build());
+grpAttrsInfo.add(AttributeInfoBuilder.build("name", String.class));
+grpAttrsInfo.add(AttributeInfoBuilder.build("description", String.class));
+// Create the __GROUP__ Object class
+final ObjectClassInfo ociGroup = new ObjectClassInfoBuilder().setType("__GROUP__").addAllAttributeInfo(grpAttrsInfo).build();
+builder.defineObjectClass(ociGroup);
+
+
+// Declare the organization attributes
+// Make the name required
+nAIB = new AttributeInfoBuilder("name",String.class);
+nAIB.setRequired(true);
+
+orgAttrsInfo = new HashSet<AttributeInfo>();
+orgAttrsInfo.add(nAIB.build());
+orgAttrsInfo.add(AttributeInfoBuilder.build("description", String.class));
+// Create the organization Object class
+final ObjectClassInfo ociOrg = new ObjectClassInfoBuilder().setType("organization").addAllAttributeInfo(orgAttrsInfo).build();
+builder.defineObjectClass(ociOrg);
+*/
+
+log.info("Schema script done");
diff --git a/grouper-midpoint-demo/scriptedsql/grouper/SearchScript.groovy b/grouper-midpoint-demo/scriptedsql/grouper/SearchScript.groovy
new file mode 100644
index 0000000..5da1e92
--- /dev/null
+++ b/grouper-midpoint-demo/scriptedsql/grouper/SearchScript.groovy
@@ -0,0 +1,79 @@
+/* 
+ * ====================
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ * 
+ * Copyright 2013 ForgeRock. All rights reserved.
+ * 
+ * The contents of this file are subject to the terms of the Common Development
+ * and Distribution License("CDDL") (the "License").  You may not use this file
+ * except in compliance with the License.
+ * 
+ * You can obtain a copy of the License at
+ * http://opensource.org/licenses/cddl1.php
+ * See the License for the specific language governing permissions and limitations
+ * under the License.
+ * 
+ * When distributing the Covered Code, include this CDDL Header Notice in each file
+ * and include the License file at http://opensource.org/licenses/cddl1.php.
+ * If applicable, add the following below this CDDL Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyrighted [year] [name of copyright owner]"
+ * ====================
+ * Portions Copyrighted 2013 ConnId.
+ */
+import groovy.sql.Sql;
+import groovy.sql.DataSet;
+
+// Parameters:
+// The connector sends the following:
+// connection: handler to the SQL connection
+// objectClass: a String describing the Object class (__ACCOUNT__ / __GROUP__ / other)
+// action: a string describing the action ("SEARCH" here)
+// log: a handler to the Log facility
+// options: a handler to the OperationOptions Map
+// query: a handler to the Query Map
+//
+// The Query map describes the filter used.
+//
+// query = [ operation: "CONTAINS", left: attribute, right: "value", not: true/false ]
+// query = [ operation: "ENDSWITH", left: attribute, right: "value", not: true/false ]
+// query = [ operation: "STARTSWITH", left: attribute, right: "value", not: true/false ]
+// query = [ operation: "EQUALS", left: attribute, right: "value", not: true/false ]
+// query = [ operation: "GREATERTHAN", left: attribute, right: "value", not: true/false ]
+// query = [ operation: "GREATERTHANOREQUAL", left: attribute, right: "value", not: true/false ]
+// query = [ operation: "LESSTHAN", left: attribute, right: "value", not: true/false ]
+// query = [ operation: "LESSTHANOREQUAL", left: attribute, right: "value", not: true/false ]
+// query = null : then we assume we fetch everything
+//
+// AND and OR filter just embed a left/right couple of queries.
+// query = [ operation: "AND", left: query1, right: query2 ]
+// query = [ operation: "OR", left: query1, right: query2 ]
+//
+// Returns: A list of Maps. Each map describing one row.
+// !!!! Each Map must contain a '__UID__' and '__NAME__' attribute.
+// This is required to build a ConnectorObject.
+
+log.info("Entering "+action+" Script");
+
+def sql = new Sql(connection);
+def result = []
+def where = "";
+
+switch ( objectClass ) {
+    case "__ACCOUNT__":
+    sql.eachRow("select m.*, group_concat(distinct g.name) as groups from grouper_members m left join grouper_memberships_all_v gm on m.id=gm.member_id left join grouper_groups g on gm.owner_id=g.id group by m.id", {result.add([__UID__:it.id, __NAME__:it.subject_id, uid:it.id, subject_id:it.subject_id, subject_identifier0:it.subject_identifier0, sort_string0:it.sort_string0, search_string0:it.search_string0, name:it.name, description:it.description, group:it.groups?.tokenize(',')])} );
+    break
+
+/*    case "__GROUP__":
+    sql.eachRow("SELECT * FROM Groups" + where, {result.add([__UID__:it.name, __NAME__:it.name, gid:it.gid, ,description:it.description])} );
+    break
+
+    case "organization":
+    sql.eachRow("SELECT * FROM Organizations" + where, {result.add([__UID__:it.name, __NAME__:it.name, description:it.description])} );
+    break	*/
+
+    default:
+    result;
+}
+
+return result;
diff --git a/grouper-midpoint-demo/scriptedsql/grouper/TestScript.groovy b/grouper-midpoint-demo/scriptedsql/grouper/TestScript.groovy
new file mode 100644
index 0000000..a232c15
--- /dev/null
+++ b/grouper-midpoint-demo/scriptedsql/grouper/TestScript.groovy
@@ -0,0 +1,38 @@
+/* 
+ * ====================
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ * 
+ * Copyright 2013 ForgeRock. All rights reserved.
+ * 
+ * The contents of this file are subject to the terms of the Common Development
+ * and Distribution License("CDDL") (the "License").  You may not use this file
+ * except in compliance with the License.
+ * 
+ * You can obtain a copy of the License at
+ * http://opensource.org/licenses/cddl1.php
+ * See the License for the specific language governing permissions and limitations
+ * under the License.
+ * 
+ * When distributing the Covered Code, include this CDDL Header Notice in each file
+ * and include the License file at http://opensource.org/licenses/cddl1.php.
+ * If applicable, add the following below this CDDL Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyrighted [year] [name of copyright owner]"
+ * ====================
+ * Portions Copyrighted 2013 ConnId.
+ */
+import groovy.sql.Sql;
+import groovy.sql.DataSet;
+
+// Parameters:
+// The connector sends the following:
+// connection: handler to the SQL connection
+// action: a string describing the action ("TEST" here)
+// log: a handler to the Log facility
+
+log.info("Entering "+action+" Script");
+def sql = new Sql(connection);
+
+sql.eachRow("select * from grouper_members limit 10", { println it.subject_id } );
+
+