From e5270b8a73c335ac25ed6f8455c2061761a1ee67 Mon Sep 17 00:00:00 2001 From: Pavol Mederly Date: Tue, 28 Aug 2018 18:34:49 +0200 Subject: [PATCH] Optimize Grouper LiveSync, clean things up --- .../tasks/task-import-grouper.xml | 26 ++ .../tasks/task-import-sis-courses.xml | 5 +- .../tasks/task-import-sis-persons.xml | 2 +- .../tasks/task-livesync-grouper.xml | 29 ++ .../container_files/seed-data/demo.backup | 274 ------------------ .../container_files/seed-data/demo.gsh | 7 + .../res/grouper/SchemaScript.groovy | 91 ------ .../res/grouper/SearchScript.groovy | 101 ------- .../res/grouper/TestScript.groovy | 38 --- .../res/grouper2/SyncScript.groovy | 56 ++-- 10 files changed, 103 insertions(+), 526 deletions(-) create mode 100644 grouper-midpoint/midpoint-objects-manual/tasks/task-import-grouper.xml create mode 100644 grouper-midpoint/midpoint-objects-manual/tasks/task-livesync-grouper.xml delete mode 100644 grouper-midpoint/mp-gr/grouper-data/container_files/seed-data/demo.backup delete mode 100644 grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper/SchemaScript.groovy delete mode 100644 grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper/SearchScript.groovy delete mode 100644 grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper/TestScript.groovy diff --git a/grouper-midpoint/midpoint-objects-manual/tasks/task-import-grouper.xml b/grouper-midpoint/midpoint-objects-manual/tasks/task-import-grouper.xml new file mode 100644 index 0000000..387731d --- /dev/null +++ b/grouper-midpoint/midpoint-objects-manual/tasks/task-import-grouper.xml @@ -0,0 +1,26 @@ + + Import from Grouper + + account + ri:AccountObjectClass + + 1535468542646-0-1 + + runable + ImportingAccounts + http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/import/handler-3 + + single + loose + 
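Review bot: The status value in the new task-import-grouper.xml reads `runable`, while the sibling task-livesync-grouper.xml added in this same patch uses `runnable`. This looks like a typo, and midPoint would probably reject the task or never schedule it. The XML markup is not visible on this page, so the element is presumably the task's execution status; the value should be `runnable`.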
diff --git a/grouper-midpoint/midpoint-objects-manual/tasks/task-import-sis-courses.xml b/grouper-midpoint/midpoint-objects-manual/tasks/task-import-sis-courses.xml index 9aca2fb..99d395b 100644 --- a/grouper-midpoint/midpoint-objects-manual/tasks/task-import-sis-courses.xml +++ b/grouper-midpoint/midpoint-objects-manual/tasks/task-import-sis-courses.xml @@ -5,9 +5,8 @@ xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" - oid="b73a2e66-8233-4c20-928f-acb30027b33e" - version="151"> - Import SIS courses + oid="b73a2e66-8233-4c20-928f-acb30027b33e"> + Import from SIS courses diff --git a/grouper-midpoint/midpoint-objects-manual/tasks/task-import-sis-persons.xml b/grouper-midpoint/midpoint-objects-manual/tasks/task-import-sis-persons.xml index 1fb2e20..d345eee 100644 --- a/grouper-midpoint/midpoint-objects-manual/tasks/task-import-sis-persons.xml +++ b/grouper-midpoint/midpoint-objects-manual/tasks/task-import-sis-persons.xml @@ -6,7 +6,7 @@ xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" oid="22c2a3d0-0961-4255-9eec-c550a79aeaaa"> - Import SIS persons + Import from SIS persons diff --git a/grouper-midpoint/midpoint-objects-manual/tasks/task-livesync-grouper.xml b/grouper-midpoint/midpoint-objects-manual/tasks/task-livesync-grouper.xml new file mode 100644 index 0000000..365d007 --- /dev/null +++ b/grouper-midpoint/midpoint-objects-manual/tasks/task-livesync-grouper.xml @@ -0,0 +1,29 @@ + + LiveSync from Grouper + + account + ri:AccountObjectClass + + 1535465478027-0-1 + + runnable + LiveSynchronization + http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/live-sync/handler-3 + + single + loose + 
diff --git a/grouper-midpoint/mp-gr/grouper-data/container_files/seed-data/demo.backup b/grouper-midpoint/mp-gr/grouper-data/container_files/seed-data/demo.backup deleted file mode 100644 index 276bd22..0000000 --- a/grouper-midpoint/mp-gr/grouper-data/container_files/seed-data/demo.backup +++ /dev/null 
@@ -1,274 +0,0 @@ -gs = GrouperSession.startRootSession(); -#addRootStem("basis", "basis"); -addRootStem("ref", "ref"); -#addRootStem("bundle", "bundle"); -#addRootStem("app", "app"); -#addRootStem("org", "org"); -#testStem = addRootStem("test", "test"); - -addStem("ref", "course", "course") - -#addGroup("etc","coursesLoader", "coursesLoader"); -#groupAddType("etc:coursesLoader", "grouperLoader"); -#setGroupAttr("etc:coursesLoader", "grouperLoaderDbName", "grouper"); -#setGroupAttr("etc:coursesLoader", "grouperLoaderType", "SQL_GROUP_LIST"); -#setGroupAttr("etc:coursesLoader", "grouperLoaderScheduleType", "CRON"); -#setGroupAttr("etc:coursesLoader", "grouperLoaderQuartzCron", "0 * * * * ?"); -#setGroupAttr("etc:coursesLoader", "grouperLoaderQuartzCron", "0 * * * * ?"); -#setGroupAttr("etc:coursesLoader", "grouperLoaderQuery", "select distinct id as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID, CONCAT('ref:course:', courseID) as GROUP_NAME from SIS_Courses"); - -addStem("ref", "affiliation", "affiliation") -#folder = StemFinder.findByName(gs, "ref:affiliation"); -#AttributeAssign attributeAssign = folder.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign(); -#AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate(); -#attributeValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa"); -#attributeValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem"); -#attributeValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.groupCreate.name()); -#attributeValueDelegate.assignValue(RuleUtils.ruleCheckStemScopeName(), Stem.Scope.SUB.name()); -#attributeValueDelegate.assignValue(RuleUtils.ruleThenElName(),'${ruleElUtils.assignGroupPrivilege(groupId, "g:gsa", groupId, null, "read")}'); - -group = new GroupSave(gs).assignName("etc:affiliationLoader").assignCreateParentStemsIfNotExist(true).save(); 
-group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign(); -attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUPS_FROM_ATTRIBUTES"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(eduPersonAffiliation=*)"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=People,dc=internet2,dc=edu"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uid"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "ldap"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupAttributeName(), "eduPersonAffiliation"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId"); -#attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), '${subjectAttributes["subjectId"]}'); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupNameExpressionName(), 'ref:affiliation:${groupAttribute}_systemOfRecord'); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupDisplayNameExpressionName(), '${groupAttribute} system of record'); 
-attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupTypesName(), "addIncludeExclude"); - -group = new GroupSave(gs).assignName("etc:deptLoader").assignCreateParentStemsIfNotExist(true).save(); -group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign(); -attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUPS_FROM_ATTRIBUTES"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(businessCategory=*)"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=People,dc=internet2,dc=edu"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uid"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "ldap"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupAttributeName(), "businessCategory"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId"); -#attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), '${subjectAttributes["subjectId"]}'); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupNameExpressionName(), 'ref:dept:${groupAttribute}'); 
-attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupDisplayNameExpressionName(), '${groupAttribute}'); - -group = new GroupSave(gs).assignName("etc:coursesLoader").assignCreateParentStemsIfNotExist(true).save(); -group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign(); -attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUP_LIST"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(cn=*)"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=Courses,ou=Groups,dc=internet2,dc=edu"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "ldap"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), '${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}'); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uniqueMember"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapExtraAttributesName(), "cn"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupNameExpressionName(), 'ref:course:${groupAttributes["cn"]}'); - -group = 
GroupFinder.findByName(gs, "etc:sysadmingroup", true); -group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign(); -attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_SIMPLE"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(cn=sysadmingroup)"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=Groups,dc=internet2,dc=edu"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "ldap"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), '${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}'); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uniqueMember"); -attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId"); - - -#addGroup("bundle", "default_services", "default_services"); -#addGroup("bundle", "student_services", "student_services"); -#addGroup("bundle", "employee_services", "employee_services"); - -#addStem("ref", "student", "student"); -#addStem("ref:student", "class", "class"); -#addGroup("ref:student:class", "freshmen", "freshmen"); -#addGroup("ref:student:class", "sophomore", "sophomore"); -#addGroup("ref:student:class", "junior", "junior"); -#addGroup("ref:student:class", "senior", "senior"); 
-#addGroup("ref:student:class", "graduate", "graduate"); -#addGroup("ref:student:class", "doctorate", "doctorate"); - -#addGroup("ref:student", "finaid", "finaid"); -#addStem("ref:student", "athlete", "athlete"); -#addGroup("ref:student:athlete", "baseball", "baseball"); -#addGroup("ref:student:athlete", "basketball", "basketball"); -#addGroup("ref:student:athlete", "football", "football"); -#addGroup("ref:student:athlete", "soccer", "soccer"); -#addGroup("ref:student:athlete", "volleyball", "volleyball"); - -#addStem("ref", "employee", "employee"); -#addGroup("ref:employee", "fulltime", "fulltime"); -#addGroup("ref:employee", "parttime", "parttime"); -#addGroup("ref:employee", "tenured", "tenured"); -#addGroup("ref:employee", "emeritus", "emeritus"); - -#addStem("ref", "alumni", "alumni"); - -#addStem("ref", "role", "role"); -#addGroup("ref:role", "president", "president"); -#addGroup("ref:role", "provost", "provost"); -#addGroup("ref:role", "deptSecretary", "deptSecretary"); -#addGroup("ref:role", "dean", "dean"); -#addGroup("ref:role", "director", "director"); -#addGroup("ref:role", "custodian", "custodian"); -#addGroup("ref:role", "deptChair", "deptChair"); -#addGroup("ref:role", "faculty", "faculty"); -#addGroup("ref:role", "programmer", "programmer"); -#addGroup("ref:role", "programSpecialist", "programSpecialist"); -#addGroup("ref:role", "recruiter", "recruiter"); -#addGroup("ref:role", "coach", "coach"); -#addGroup("ref:role", "vicePresident", "vicePresident"); - -#addMember("bundle:student_services", "ref:student:class:freshmen"); -#addMember("bundle:student_services", "ref:student:class:sophomore"); -#addMember("bundle:student_services", "ref:student:class:junior"); -#addMember("bundle:student_services", "ref:student:class:senior"); -#addMember("bundle:student_services", "ref:student:class:graduate"); -#addMember("bundle:student_services", "ref:student:class:doctorate"); - -#addStem("org", "admissions", "admissions"); -#addStem("org:admissions", "etc", 
"etc"); -#addGroup("org:admissions:etc", "admissions_admin", "admissions_admin"); -#grantPriv("org:admissions", "org:admissions:etc:admissions_admin", NamingPrivilege.STEM); -#addStem("org:admissions", "ref", "ref"); -#addStem("org:admissions", "app", "app"); - -#addStem("org", "bursar", "bursar"); -#addStem("org:bursar", "etc", "etc"); -#addGroup("org:bursar:etc", "bursar_admin", "bursar_admin"); -#grantPriv("org:bursar", "org:bursar:etc:bursar_admin", NamingPrivilege.STEM); -#addStem("org:bursar", "ref", "ref"); -#addStem("org:bursar", "app", "app"); - -#addStem("org", "business", "business"); -#addStem("org:business", "etc", "etc"); -#addGroup("org:business:etc", "business_admin", "business_admin"); -#grantPriv("org:business", "org:business:etc:business_admin", NamingPrivilege.STEM); -#addStem("org:business", "ref", "ref"); -#addStem("org:business", "app", "app"); - -#addStem("org", "computerscience", "computerscience"); -#addStem("org:computerscience", "etc", "etc"); -#addGroup("org:computerscience:etc", "computerscience_admin", "computerscience_admin"); -#grantPriv("org:computerscience", "org:computerscience:etc:computerscience_admin", NamingPrivilege.STEM); -#addStem("org:computerscience", "ref", "ref"); -#addStem("org:computerscience", "app", "app"); - -#addStem("org", "education", "education"); -#addStem("org:education", "etc", "etc"); -#addGroup("org:education:etc", "education_admin", "education_admin"); -#grantPriv("org:education", "org:education:etc:education_admin", NamingPrivilege.STEM); -#addStem("org:education", "ref", "ref"); -#addStem("org:education", "app", "app"); - -#addStem("org", "psychology", "psychology"); -#addStem("org:psychology", "etc", "etc"); -#addGroup("org:psychology:etc", "psychology_admin", "psychology_admin"); -#grantPriv("org:psychology", "org:psychology:etc:psychology_admin", NamingPrivilege.STEM); -#addStem("org:psychology", "ref", "ref"); -#addStem("org:psychology", "app", "app"); - -#addStem("org", "physicaleducation", 
"physicaleducation"); -#addStem("org:physicaleducation", "etc", "etc"); -#addGroup("org:physicaleducation:etc", "physicaleducation_admin", "physicaleducation_admin"); -#grantPriv("org:physicaleducation", "org:physicaleducation:etc:physicaleducation_admin", NamingPrivilege.STEM); -#addStem("org:physicaleducation", "ref", "ref"); -#2addStem("org:physicaleducation", "app", "app"); - -#addStem("org", "humanresources", "humanresources"); -#addStem("org:humanresources", "etc", "etc"); -#addGroup("org:humanresources:etc", "humanresources_admin", "humanresources_admin"); -#grantPriv("org:humanresources", "org:humanresources:etc:humanresources_admin", NamingPrivilege.STEM); -#addStem("org:humanresources", "ref", "ref"); -#addStem("org:humanresources", "app", "app"); - - - -#banner=addStem("app", "banner", "banner"); -#addStem("app:banner", "etc", "etc"); -#addGroup("app:banner:etc", "banner_admin", "banner_admin"); -#grantPriv("app:banner", "app:banner:etc:banner_admin", NamingPrivilege.STEM); -#addGroup("app:banner", "banner_user_allow", "banner_user_allow"); -#addGroup("app:banner", "banner_user_deny", "banner_user_deny"); -#addGroup("app:banner", "banner_user", "banner_user"); -#addComposite("app:banner:banner_user", CompositeType.UNION, "app:banner:banner_user_allow", "app:banner:banner_user_deny") - -#portal = addStem("app", "portal", "portal"); -#addStem("app:portal", "etc", "etc"); -#addGroup("app:portal:etc", "portal_admin", "portal_admin"); -#grantPriv("app:portal", "app:portal:etc:portal_admin", NamingPrivilege.STEM); -#addGroup("app:portal", "portal_user_allow", "portal_user_allow"); -#addGroup("app:portal", "portal_user_deny", "portal_user_deny"); -#addGroup("app:portal", "portal_user", "portal_user"); -#addComposite("app:portal:portal_user", CompositeType.UNION, "app:portal:portal_user_allow", "app:portal:portal_user_deny") - -#addStem("app", "vpn", "vpn"); -#addStem("app:vpn", "etc", "etc"); -#addGroup("app:vpn:etc", "vpn_admin", "vpn_admin"); 
-#grantPriv("app:vpn", "app:vpn:etc:vpn_admin", NamingPrivilege.STEM); -#addGroup("app:vpn", "vpn_user_allow", "vpn_user_allow"); -#addGroup("app:vpn", "vpn_user_deny", "vpn_user_deny"); -#addGroup("app:vpn", "vpn_user", "vpn_user"); -#addComposite("app:vpn:vpn_user", CompositeType.UNION, "app:vpn:vpn_user_allow", "app:vpn:vpn_user_deny") - - -## Setup some user favorites -#subject = SubjectFinder.findById("banderson"); -#group = GroupFinder.findByName(gs, "etc:sysadmingroup", true); -#GrouperUserDataApi.favoriteGroupAdd("etc:grouperUi:grouperUiUserData", subject, group); -# -#stem = StemFinder.findByName(gs, "org:computerscience", true); -#GrouperUserDataApi.favoriteStemAdd("etc:grouperUi:grouperUiUserData", subject, stem); - - -##Set up service definitions -#AttributeDef appServiceDef = new AttributeDefSave(gs).assignCreateParentStemsIfNotExist(true).assignAttributeDefType(AttributeDefType.service).assignName("etc:apps:appsServiceDefinition").assignToStem(true).save(); -# -#AttributeDefName appService = new AttributeDefNameSave(gs, appServiceDef).assignCreateParentStemsIfNotExist(true).assignName("etc:apps:appsService").assignDisplayExtension("Central IT production Apps").save(); -# -#banner.getAttributeDelegate().assignAttribute(appService); -#portal.getAttributeDelegate().assignAttribute(appService); -# -#addMember("app:banner:banner_user_allow", "banderson"); - - -## Auto create the PSPNG attributes -#edu.internet2.middleware.grouper.pspng.FullSyncProvisionerFactory.getFullSyncer("pspng_groupOfUniqueNames"); -# -# -#AttributeDef pspngAttributeDef = AttributeDefFinder.findByName("etc:pspng:provision_to_def", true); -#AttributeDefName pspngAttribute = AttributeDefNameFinder.findByName("etc:pspng:provision_to", true); -#AttributeAssignSave attributeAssignSave = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true); -# -##Assign the PSPNG attribute for the standard groups -#attributeAssignSave.assignAttributeDefName(pspngAttribute); 
-#attributeAssignSave.assignOwnerStem(testStem); -#attributeAssignSave.addValue("pspng_groupOfUniqueNames"); -#attributeAssignSave.save(); -# -##Assign the PSPNG attribute for the entitlements -#AttributeAssignSave attributeAssignSave2 = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true); -#attributeAssignSave2.assignAttributeDefName(pspngAttribute); -#attributeAssignSave2.assignOwnerGroup(GroupFinder.findByName(gs, "app:vpn:vpn_user", true)); -#attributeAssignSave2.addValue("pspng_entitlements"); -#attributeAssignSave2.save(); -# -#attributeAssignSave2 = new AttributeAssignSave(gs).assignPrintChangesToSystemOut(true); -#attributeAssignSave2.assignAttributeDefName(pspngAttribute); -#attributeAssignSave2.assignOwnerGroup(GroupFinder.findByName(gs, "app:banner:banner_user", true)); -#attributeAssignSave2.addValue("pspng_entitlements"); -#attributeAssignSave2.save(); diff --git a/grouper-midpoint/mp-gr/grouper-data/container_files/seed-data/demo.gsh b/grouper-midpoint/mp-gr/grouper-data/container_files/seed-data/demo.gsh index e6b4db3..6e3c239 100644 --- a/grouper-midpoint/mp-gr/grouper-data/container_files/seed-data/demo.gsh +++ b/grouper-midpoint/mp-gr/grouper-data/container_files/seed-data/demo.gsh 
@@ -63,3 +63,10 @@ attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperL
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), '${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}');
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uniqueMember");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId");
+
+testGroup = new GroupSave(gs).assignName("etc:testGroup").assignCreateParentStemsIfNotExist(true).save();
+
+exportedGroups = new GroupSave(gs).assignName("etc:exportedGroups").assignCreateParentStemsIfNotExist(true).save();
+
+s = SubjectFinder.findById(testGroup.getId(), 'group', 'g:gsa');
+exportedGroups.addMember(s, false);
diff --git a/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper/SchemaScript.groovy b/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper/SchemaScript.groovy
deleted file mode 100644
index 857e6c1..0000000
--- a/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper/SchemaScript.groovy
+++ /dev/null
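Review bot: The added statements create `etc:testGroup` and `etc:exportedGroups` and make the first a member of the second, but nothing says what membership in `etc:exportedGroups` means. Judging from the SearchScript.groovy query removed in this same patch, that group selects which groups' memberships are exposed to midPoint, so it acts as an export allow-list. I would add a comment above the `GroupSave` lines, in the `#` style used elsewhere in the seed data, such as `# etc:exportedGroups lists the groups whose memberships are exported to midPoint; etc:testGroup is a demo entry`.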
@@ -1,91 +0,0 @@ -/* - * ==================== - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. - * - * Copyright 2013 ForgeRock. All rights reserved. - * - * The contents of this file are subject to the terms of the Common Development - * and Distribution License("CDDL") (the "License"). You may not use this file - * except in compliance with the License. - * - * You can obtain a copy of the License at - * http://opensource.org/licenses/cddl1.php - * See the License for the specific language governing permissions and limitations - * under the License. - * - * When distributing the Covered Code, include this CDDL Header Notice in each file - * and include the License file at http://opensource.org/licenses/cddl1.php. - * If applicable, add the following below this CDDL Header, with the fields - * enclosed by brackets [] replaced by your own identifying information: - * "Portions Copyrighted [year] [name of copyright owner]" - * ==================== - * Portions Copyrighted 2013 ConnId. - */ -import org.identityconnectors.framework.common.objects.AttributeInfo; -import org.identityconnectors.framework.common.objects.AttributeInfo.Flags; -import org.identityconnectors.framework.common.objects.AttributeInfoBuilder; -import org.identityconnectors.framework.common.objects.ObjectClassInfo; -import org.identityconnectors.framework.common.objects.ObjectClassInfoBuilder; - -// Parameters: -// The connector sends the following: -// action: a string describing the action ("SCHEMA" here) -// log: a handler to the Log facility -// builder: SchemaBuilder instance for the connector -// -// The connector will make the final call to builder.build() -// so the scipt just need to declare the different object types. - -// This sample shows how to create 3 basic ObjectTypes: __ACCOUNT__, __GROUP__ and organization. 
-// Each of them contains one required attribute and normal String attributes - - -log.info("Entering "+action+" Script"); - -// Declare the __ACCOUNT__ attributes -// Make the uid required -uidAIB = new AttributeInfoBuilder("uid",String.class); -uidAIB.setRequired(true); - -accAttrsInfo = new HashSet(); -accAttrsInfo.add(uidAIB.build()); -accAttrsInfo.add(AttributeInfoBuilder.build("subject_id", String.class)); -accAttrsInfo.add(AttributeInfoBuilder.build("subject_identifier0", String.class)); -accAttrsInfo.add(AttributeInfoBuilder.build("sort_string0", String.class)); -accAttrsInfo.add(AttributeInfoBuilder.build("search_string0", String.class)); -accAttrsInfo.add(AttributeInfoBuilder.build("name", String.class)); -accAttrsInfo.add(AttributeInfoBuilder.build("description", String.class)); -accAttrsInfo.add(AttributeInfoBuilder.build("group", String.class, [Flags.MULTIVALUED] as Set)); -// Create the __ACCOUNT__ Object class -final ObjectClassInfo ociAccount = new ObjectClassInfoBuilder().setType("__ACCOUNT__").addAllAttributeInfo(accAttrsInfo).build(); -builder.defineObjectClass(ociAccount); - -/* -// Declare the __GROUP__ attributes -// Make the gid required -gidAIB = new AttributeInfoBuilder("gid",String.class); -gidAIB.setRequired(true); - -grpAttrsInfo = new HashSet(); -grpAttrsInfo.add(gidAIB.build()); -grpAttrsInfo.add(AttributeInfoBuilder.build("name", String.class)); -grpAttrsInfo.add(AttributeInfoBuilder.build("description", String.class)); -// Create the __GROUP__ Object class -final ObjectClassInfo ociGroup = new ObjectClassInfoBuilder().setType("__GROUP__").addAllAttributeInfo(grpAttrsInfo).build(); -builder.defineObjectClass(ociGroup); - - -// Declare the organization attributes -// Make the name required -nAIB = new AttributeInfoBuilder("name",String.class); -nAIB.setRequired(true); - -orgAttrsInfo = new HashSet(); -orgAttrsInfo.add(nAIB.build()); -orgAttrsInfo.add(AttributeInfoBuilder.build("description", String.class)); -// Create the organization 
Object class -final ObjectClassInfo ociOrg = new ObjectClassInfoBuilder().setType("organization").addAllAttributeInfo(orgAttrsInfo).build(); -builder.defineObjectClass(ociOrg); -*/ - -log.info("Schema script done"); diff --git a/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper/SearchScript.groovy b/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper/SearchScript.groovy deleted file mode 100644 index 801bfe1..0000000 --- a/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper/SearchScript.groovy +++ /dev/null 
@@ -1,101 +0,0 @@ -/* - * ==================== - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. - * - * Copyright 2013 ForgeRock. All rights reserved. - * - * The contents of this file are subject to the terms of the Common Development - * and Distribution License("CDDL") (the "License"). You may not use this file - * except in compliance with the License. - * - * You can obtain a copy of the License at - * http://opensource.org/licenses/cddl1.php - * See the License for the specific language governing permissions and limitations - * under the License. - * - * When distributing the Covered Code, include this CDDL Header Notice in each file - * and include the License file at http://opensource.org/licenses/cddl1.php. - * If applicable, add the following below this CDDL Header, with the fields - * enclosed by brackets [] replaced by your own identifying information: - * "Portions Copyrighted [year] [name of copyright owner]" - * ==================== - * Portions Copyrighted 2013 ConnId. - */ -import groovy.sql.Sql; -import groovy.sql.DataSet; - -// Parameters: -// The connector sends the following: -// connection: handler to the SQL connection -// objectClass: a String describing the Object class (__ACCOUNT__ / __GROUP__ / other) -// action: a string describing the action ("SEARCH" here) -// log: a handler to the Log facility -// options: a handler to the OperationOptions Map -// query: a handler to the Query Map -// -// The Query map describes the filter used. 
-// -// query = [ operation: "CONTAINS", left: attribute, right: "value", not: true/false ] -// query = [ operation: "ENDSWITH", left: attribute, right: "value", not: true/false ] -// query = [ operation: "STARTSWITH", left: attribute, right: "value", not: true/false ] -// query = [ operation: "EQUALS", left: attribute, right: "value", not: true/false ] -// query = [ operation: "GREATERTHAN", left: attribute, right: "value", not: true/false ] -// query = [ operation: "GREATERTHANOREQUAL", left: attribute, right: "value", not: true/false ] -// query = [ operation: "LESSTHAN", left: attribute, right: "value", not: true/false ] -// query = [ operation: "LESSTHANOREQUAL", left: attribute, right: "value", not: true/false ] -// query = null : then we assume we fetch everything -// -// AND and OR filter just embed a left/right couple of queries. -// query = [ operation: "AND", left: query1, right: query2 ] -// query = [ operation: "OR", left: query1, right: query2 ] -// -// Returns: A list of Maps. Each map describing one row. -// !!!! Each Map must contain a '__UID__' and '__NAME__' attribute. -// This is required to build a ConnectorObject. 
- -log.info("Entering "+action+" Script"); - -def sql = new Sql(connection); -def result = [] -def where = ""; - -switch ( objectClass ) { - case "__ACCOUNT__": - sql.eachRow("\ -select m.id, m.name, m.subject_id, m.subject_identifier0, m.sort_string0, m.search_string0, m.description, m.subject_source, group_concat(distinct g.name) as groups \ -from \ - grouper_members m \ - left join grouper_memberships_all_v gm on m.id=gm.member_id and gm.owner_id in \ - (select m.subject_id \ - from grouper_memberships gm join grouper_members m on gm.member_id=m.id \ - where gm.owner_id = (select subject_id from grouper_members where name='etc:exportedGroups' and subject_type='group')) \ - left join grouper_groups g on gm.owner_id=g.id \ -group by m.id \ -having \ - subject_source = 'ldap';", - {result.add( - [__UID__:it.id, - __NAME__:it.subject_id, - uid:it.id, - subject_id:it.subject_id, - subject_identifier0:it.subject_identifier0, - sort_string0:it.sort_string0, - search_string0:it.search_string0, - name:it.name, - description:it.description, - group:it.groups?.tokenize(',')])} ); - break - -/* case "__GROUP__": - sql.eachRow("SELECT * FROM Groups" + where, {result.add([__UID__:it.name, __NAME__:it.name, gid:it.gid, ,description:it.description])} ); - break - - case "organization": - sql.eachRow("SELECT * FROM Organizations" + where, {result.add([__UID__:it.name, __NAME__:it.name, description:it.description])} ); - break */ - - default: - result; -} - -return result; diff --git a/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper/TestScript.groovy b/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper/TestScript.groovy deleted file mode 100644 index a232c15..0000000 --- a/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper/TestScript.groovy +++ /dev/null 
@@ -1,38 +0,0 @@
-/*
- * ====================
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
- *
- * Copyright 2013 ForgeRock. All rights reserved.
- *
- * The contents of this file are subject to the terms of the Common Development
- * and Distribution License("CDDL") (the "License"). You may not use this file
- * except in compliance with the License.
- *
- * You can obtain a copy of the License at
- * http://opensource.org/licenses/cddl1.php
- * See the License for the specific language governing permissions and limitations
- * under the License.
- *
- * When distributing the Covered Code, include this CDDL Header Notice in each file
- * and include the License file at http://opensource.org/licenses/cddl1.php.
- * If applicable, add the following below this CDDL Header, with the fields
- * enclosed by brackets [] replaced by your own identifying information:
- * "Portions Copyrighted [year] [name of copyright owner]"
- * ====================
- * Portions Copyrighted 2013 ConnId.
- */
-import groovy.sql.Sql;
-import groovy.sql.DataSet;
-
-// Parameters:
-// The connector sends the following:
-// connection: handler to the SQL connection
-// action: a string describing the action ("TEST" here)
-// log: a handler to the Log facility
-
-log.info("Entering "+action+" Script");
-def sql = new Sql(connection);
-
-sql.eachRow("select * from grouper_members limit 10", { println it.subject_id } );
-
-
diff --git a/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper2/SyncScript.groovy b/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper2/SyncScript.groovy
index c02e1d7..35062a9 100644
--- a/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper2/SyncScript.groovy
+++ b/grouper-midpoint/mp-gr/midpoint-server/container_files/res/grouper2/SyncScript.groovy
@@ -52,25 +52,32 @@ import com.rabbitmq.client.* // "attributes":Map of attributes name/values // ] +def MQ_HOST = 'mq' +def MQ_PORT = 5672 +def QUEUE = 'sampleQueue' +def MAX_SQL_IN = 200 // maximum number of subject IDs in one SQL IN clause +def MAX_CHANGED_USERS = 1000 // maximum number of changed users (approximate) +def AUTO_ACKNOWLEDGE = true // use 'false' only for testing + log.info("Entering "+action+" Script"); def sql = new Sql(connection); if (action.equalsIgnoreCase("GET_LATEST_SYNC_TOKEN")) { - return 0 + return System.currentTimeMillis() } else if (action.equalsIgnoreCase("SYNC")) { - factory = new ConnectionFactory() - factory.host = 'mq' - factory.port = 5672 + factory.host = MQ_HOST + factory.port = MQ_PORT connection = factory.newConnection() channel = connection.createChannel() println 'RabbitMQ: conn=' + connection + ', channel=' + channel result = [] + subjectsChanged = new HashSet() for (;;) { - response = channel.basicGet('sampleQueue', false) + response = channel.basicGet(QUEUE, AUTO_ACKNOWLEDGE) println 'got response: ' + response if (response == null) { break @@ -94,7 +101,6 @@ if (action.equalsIgnoreCase("GET_LATEST_SYNC_TOKEN")) { } for (event in events) { - type = event.eventType if (type != 'MEMBERSHIP_ADD' && type != 'MEMBERSHIP_DELETE') { println 'event type does not match, getting next message; type = ' + type 
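Review bot: With `AUTO_ACKNOWLEDGE = true`, `channel.basicGet(QUEUE, AUTO_ACKNOWLEDGE)` removes each message from the queue as soon as it is fetched, so any failure later in the SYNC branch (the SQL lookup, or the script ending before the result list is returned) loses those membership changes and the affected accounts keep stale group data until a full import runs. The comment `// use 'false' only for testing` reads the wrong way round for anything beyond a demo; I would fetch with manual acknowledgement and confirm only once the result rows are built, e.g. `channel.basicAck(response.envelope.deliveryTag, false)`. As far as this hunk shows, `factory` is also given only a host and the plain AMQP port 5672, with no credentials or TLS, which deserves a comment marking it as demo-only configuration. The SYNC branch continues outside this hunk.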
@@ -112,8 +118,21 @@ if (action.equalsIgnoreCase("GET_LATEST_SYNC_TOKEN")) { continue } println 'subject membership changed: ' + subjectId + subjectsChanged.add(subjectId) + } + if (subjectsChanged.size() >= MAX_CHANGED_USERS) { + println 'MAX_CHANGED_USERS reached, finishing fetching from MQ' + break + } + } + + println 'subjects changed: ' + subjectsChanged - sql.eachRow("\ + for (ids in subjectsChanged.asList().collate(MAX_SQL_IN)) { + idsIn = '(' + ids.collect { "'" + it + "'" }.join(',') + ')' + println 'idsIn = ' + idsIn + + sql.eachRow("\ select m.id, m.name, m.subject_id, m.subject_identifier0, m.sort_string0, m.search_string0, m.description, m.subject_source, m.subject_type, group_concat(distinct g.name) as groups \ from \ grouper_members m \ @@ -124,20 +143,21 @@ from \ left join grouper_groups g on gm.owner_id=g.id \ group by m.id \ having \ - subject_source = 'ldap' and subject_type = 'person' and subject_id = '" + subjectId + "'", + subject_source = 'ldap' and subject_type = 'person' and subject_id IN " + idsIn, {result.add( [operation:"CREATE_OR_UPDATE", token:System.currentTimeMillis(), - __UID__:it.id, - __NAME__:it.subject_id, - subject_id:it.subject_id, - subject_identifier0:it.subject_identifier0, - sort_string0:it.sort_string0, - search_string0:it.search_string0, - name:it.name, - description:it.description, - group:it.groups?.tokenize(',')])} ) - } + uid:it.id, + attributes:[ + __UID__:it.id, + __NAME__:it.subject_id, + subject_id:it.subject_id, + subject_identifier0:it.subject_identifier0, + sort_string0:it.sort_string0, + search_string0:it.search_string0, + name:it.name, + description:it.description, + group:it.groups?.tokenize(',')]])} ) } channel.close()
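Review bot: The new `idsIn` string wraps each subject ID in hand-written single quotes and is concatenated into the `subject_id IN` clause in the following hunk, so an ID that contains a quote changes the statement itself. The IDs appear to come from the queued events (the assignment of `subjectId` is outside the hunk), which means the query text depends on whatever is able to publish to that queue. Bind the values instead: build `placeholders = ids.collect { '?' }.join(',')`, end the statement with `subject_id IN (" + placeholders + ")"`, and pass `ids` as the parameter list of `sql.eachRow` ahead of the closure. The `println 'idsIn = ' + idsIn` line can then be dropped or replaced by logging `ids.size()`. The enclosing SYNC branch starts outside this hunk.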