Setting Up a Loopback Driver with a Group Entitlement for eDirectory

5 July 2007 - 8:28am
Submitted by: anonymous (not verified)
Problem

A Forum reader recently asked:

"I'm trying to mirror what the AD Group Entitlement is doing, except for Groups in eDirectory. I created the Loopback driver and created an entitlement named "Group" underneath that. The entitlement is an exact match of the AD entitlement and seems to be working fine with setting up the RBE. The only thing in the filter is the DirXML-EntitlementRef on the
Subscriber Channel set to Notify. I'm trying to figure out what I'm doing wrong or missing in the add/remove from group logic.

It's selecting the correct RBE; I'm just not sure how to get it to select the correct group."

And here's the response from Father Ramon ...

Solution

Setting up a loopback driver with a group entitlement for eDirectory is significantly different from the AD driver. Here is an export of a configuration that works:

<driver-configuration dn="GroupEntitlementLoopback.DriverSet.novell" 
driver-set-dn="DriverSet.novell" name="GroupEntitlementLoopback">
  <attributes>
   <application-schema>
    <schema-def/>
   </application-schema>
   <configuration-manifest>
    <manifest>
     <capability name="entitlements"/>
    </manifest>
   </configuration-manifest>
   <global-config-values>
    <configuration-values>
     <definitions/>
    </configuration-values>
   </global-config-values>
   <driver-filter-xml>
    <filter>
     <!-- Only DirXML-EntitlementRef is in the filter, and only on the
          Subscriber channel, so the driver sees entitlement changes and nothing else -->
     <filter-class class-name="User" publisher="sync" 
publisher-create-homedir="true" publisher-track-template-member="false" 
subscriber="sync">
      <filter-attr attr-name="DirXML-EntitlementRef" 
from-all-classes="true" merge-authority="edir" publisher="ignore" 
publisher-optimize-modify="true" subscriber="notify"/>
     </filter-class>
    </filter>
   </driver-filter-xml>
   <java-module 
value="com.novell.nds.dirxml.driver.loopback.LoopbackDriverShim"/>
   <driver-start-option value="1"/>
   <driver-cache-limit value="0"/>
   <shim-config-info-xml/>
   <driver-password-query/>
   <shim-auth-password-query/>
  </attributes>
  <children>
   <publisher name="Publisher">
    <attributes/>
    <children/>
   </publisher>
   <subscriber name="Subscriber">
    <attributes>
     <command-transformation-rule 
dn="EntitlementsCommandTransformation.Subscriber.GroupEntitlementLoopback.DriverSet.novell"/>
     <event-transformation-rule 
dn="EventTransformation.Subscriber.GroupEntitlementLoopback.DriverSet.novell"/>
    </attributes>
    <children>
     <!-- Subscriber command transformation: turn revoked entitlement values into
          attribute removals and granted values into attribute adds on both
          Group Membership and Security Equals, then veto the original command -->
     <rule name="EntitlementsCommandTransformation">
      <policy>
       <rule>
        <description>Check for group membership being granted or 
revoked</description>
        <conditions>
         <or>
          <if-operation op="equal">add</if-operation>
          <if-operation op="equal">modify</if-operation>
         </or>
        </conditions>
        <actions>
         <do-for-each>
          <arg-node-set>
           <token-removed-entitlement name="Groups"/>
          </arg-node-set>
          <arg-actions>
           <do-remove-src-attr-value name="Group Membership">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-remove-src-attr-value>
           <do-remove-src-attr-value name="Security Equals">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-remove-src-attr-value>
          </arg-actions>
         </do-for-each>
         <do-for-each>
          <arg-node-set>
           <token-added-entitlement name="Groups"/>
          </arg-node-set>
          <arg-actions>
           <do-add-src-attr-value name="Group Membership">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-add-src-attr-value>
           <do-add-src-attr-value name="Security Equals">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-add-src-attr-value>
          </arg-actions>
         </do-for-each>
         <do-veto/>
        </actions>
       </rule>
      </policy>
     </rule>
     <rule name="EventTransformation">
      <policy>
       <rule>
        <description>Veto any operation but add, modify, and 
sync</description>
        <conditions>
         <and>
          <if-operation op="not-equal">add</if-operation>
          <if-operation op="not-equal">modify</if-operation>
          <if-operation op="not-equal">sync</if-operation>
         </and>
        </conditions>
        <actions>
         <do-veto/>
        </actions>
       </rule>
       <rule>
        <description>Manufacture an association from the GUID if none is available</description>
        <conditions>
         <and>
          <if-association op="not-available"/>
         </and>
        </conditions>
        <actions>
         <do-set-local-variable name="assoc">
          <arg-string>
           <token-src-attr name="GUID"/>
          </arg-string>
         </do-set-local-variable>
         <do-add-association>
          <arg-dn>
           <token-src-dn/>
          </arg-dn>
          <arg-association>
           <token-local-variable name="assoc"/>
          </arg-association>
         </do-add-association>
         <do-set-op-association>
          <arg-association>
           <token-local-variable name="assoc"/>
          </arg-association>
         </do-set-op-association>
        </actions>
       </rule>
      </policy>
     </rule>
    </children>
   </subscriber>
   <!-- Entitlement "Groups": its values are every Group object found by the
        subtree query below; the group's DN is the value that is granted or revoked -->
   <entitlement-definition name="Groups">
    <entitlement conflict-resolution="union" description="Groups in 
Identity Vault" display-name="Identity Vault Groups" name="Group">
     <values>
      <query-app>
       <query-xml>
        <nds dtd-version="2.0">
         <input>
          <query class-name="Group" scope="subtree">
           <search-class class-name="Group"/>
           <read-attr attr-name="Description"/>
           <read-attr attr-name="CN"/>
          </query>
         </input>
        </nds>
       </query-xml>
       <result-set>
        <display-name>
         <token-attr attr-name="CN"/>
        </display-name>
        <description>
         <token-attr attr-name="Description"/>
        </description>
        <ent-value>
         <token-src-dn/>
        </ent-value>
       </result-set>
      </query-app>
     </values>
    </entitlement>
   </entitlement-definition>
  </children>
  <global-config-values>
   <configuration-values>
    <definitions/>
   </configuration-values>
  </global-config-values>
</driver-configuration>
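To make the flow of the two policies above easier to trace without an IDM engine, here is a small Python model of them. This is an added example, not Novell's code and not part of the original article. It assumes a constructed, simplified event shape (a dict with "operation", "association", "guid", "added" and "removed" keys, where "added"/"removed" play the part of token-added-entitlement / token-removed-entitlement for the "Groups" entitlement); the real DirXML-EntitlementRef encoding is deliberately not modelled. SAMPLE_GROUPS is constructed sample data standing in for the Group objects the entitlement's query-app would return. It goes one step beyond the policy: command_transformation() optionally refuses a granted DN that is no longer a current entitlement value, so a stale group DN never lands in Security Equals.

```python
# Added example (not Novell's code): a model of the loopback driver's
# EventTransformation and EntitlementsCommandTransformation policies.
# All input shapes and sample data below are constructed assumptions.

from dataclasses import dataclass, field

# Constructed sample data standing in for the Group objects returned by the
# entitlement's <query-app> (search-class Group, subtree, reading CN/Description).
SAMPLE_GROUPS = [
    {"dn": "cn=Finance,ou=groups,o=novell", "cn": "Finance", "description": "Finance staff"},
    {"dn": "cn=HR,ou=groups,o=novell", "cn": "HR", "description": "Human resources"},
]


def entitlement_values(groups):
    """Mirror the <result-set>: display-name=CN, description=Description, ent-value=src-dn."""
    return [
        {"display-name": g["cn"], "description": g["description"], "ent-value": g["dn"]}
        for g in groups
    ]


@dataclass
class User:
    """The two eDirectory attributes the command transformation writes."""
    dn: str
    group_membership: set = field(default_factory=set)
    security_equals: set = field(default_factory=set)


def event_transformation(event):
    """EventTransformation policy: veto anything but add/modify/sync, and
    manufacture an association from the GUID when none is available."""
    if event["operation"] not in ("add", "modify", "sync"):
        return {"status": "veto"}
    assoc = event.get("association") or event["guid"]
    return {"status": "pass", "association": assoc}


def command_transformation(user, event, valid_group_dns=None):
    """EntitlementsCommandTransformation policy: on add/modify, removed
    entitlement values become attribute removals and added values become
    attribute adds on BOTH Group Membership and Security Equals; the original
    command is then vetoed so nothing else is written to the user."""
    if event["operation"] not in ("add", "modify"):
        return {"vetoed": False, "changes": []}
    changes = []
    for dn in event.get("removed", []):
        # do-remove-src-attr-value on both attributes
        user.group_membership.discard(dn)
        user.security_equals.discard(dn)
        changes.append(("remove", dn))
    for dn in event.get("added", []):
        # Extra guard, not in the original policy: skip DNs that are not
        # current entitlement values (e.g. a group deleted after the RBE
        # was defined) so a stale DN never lands in Security Equals.
        if valid_group_dns is not None and dn not in valid_group_dns:
            changes.append(("skip-unknown", dn))
            continue
        # do-add-src-attr-value on both attributes
        user.group_membership.add(dn)
        user.security_equals.add(dn)
        changes.append(("add", dn))
    return {"vetoed": True, "changes": changes}


def membership_consistent(user):
    """Invariant the policy maintains: both attributes hold the same DNs."""
    return user.group_membership == user.security_equals


def process(user, event, groups=SAMPLE_GROUPS):
    """Run one event through both Subscriber policies in channel order."""
    ev = event_transformation(event)
    if ev["status"] == "veto":
        return {"vetoed": True, "changes": []}
    valid = {v["ent-value"] for v in entitlement_values(groups)}
    return command_transformation(user, event, valid)


if __name__ == "__main__":
    u = User("cn=jdoe,ou=users,o=novell")
    grant = {"operation": "modify", "association": None, "guid": "GUID-0001",
             "added": ["cn=Finance,ou=groups,o=novell"], "removed": []}
    print(process(u, grant), sorted(u.group_membership))
```

A useful check when debugging a real driver is the invariant membership_consistent() expresses: after every granted or revoked entitlement, Group Membership and Security Equals on the user should contain exactly the same group DNs. If they drift apart, one of the two do-add/do-remove actions in the command transformation is not firing.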

© 2009 Novell, Inc. All Rights Reserved.