Technical Tip

Setting Up a Loopback Driver with a Group Entitlement for eDirectory

Author Info

5 July 2007 - 8:28am
Submitted by: Anonymous


Problem

A Forum reader recently asked:

"I'm trying to mirror what the AD Group Entitlement is doing, except for Groups in eDirectory. I created the Loopback driver and created an entitlement named "Group" underneath that. The entitlement is an exact match of the AD entitlement and seems to be working fine with setting up the RBE. The only thing in the filter is the DirXML-EntitlementRef on the Subscriber Channel set to Notify. I'm trying to figure out what I'm doing wrong or missing in the add/remove from group logic.

It's selecting the correct RBE; I'm just not sure how to get it to select the correct group."

And here's the response from Father Ramon ...

Solution

Setting up a loopback driver with a group entitlement for eDirectory is significantly different than for the AD driver. Here is an export of a configuration that works:

<driver-configuration dn="GroupEntitlementLoopback.DriverSet.novell" 
driver-set-dn="DriverSet.novell" name="GroupEntitlementLoopback">
  <attributes>
   <application-schema>
    <schema-def/>
   </application-schema>
   <configuration-manifest>
    <manifest>
     <capability name="entitlements"/>
    </manifest>
   </configuration-manifest>
   <global-config-values>
    <configuration-values>
     <definitions/>
    </configuration-values>
   </global-config-values>
   <!-- Filter: only DirXML-EntitlementRef on the Subscriber channel, set to
        notify. The Subscriber policies are told when a user's entitlement
        references change, but the attribute itself is never synchronized. -->
   <driver-filter-xml>
    <filter>
     <filter-class class-name="User" publisher="sync"
publisher-create-homedir="true" publisher-track-template-member="false"
subscriber="sync">
      <filter-attr attr-name="DirXML-EntitlementRef"
from-all-classes="true" merge-authority="edir" publisher="ignore"
publisher-optimize-modify="true" subscriber="notify"/>
     </filter-class>
    </filter>
   </driver-filter-xml>
   <java-module 
value="com.novell.nds.dirxml.driver.loopback.LoopbackDriverShim"/>
   <driver-start-option value="1"/>
   <driver-cache-limit value="0"/>
   <shim-config-info-xml/>
   <driver-password-query/>
   <shim-auth-password-query/>
  </attributes>
  <children>
   <publisher name="Publisher">
    <attributes/>
    <children/>
   </publisher>
   <subscriber name="Subscriber">
    <attributes>
     <command-transformation-rule 
dn="EntitlementsCommandTransformation.Subscriber.GroupEntitlementLoopback.DriverSet.novell"/>
     <event-transformation-rule 
dn="EventTransformation.Subscriber.GroupEntitlementLoopback.DriverSet.novell"/>
    </attributes>
    <children>
     <!-- Subscriber Command Transformation: turn entitlement grants and
          revokes into changes on the user's own Group Membership and
          Security Equals attributes, written back to eDirectory as source
          commands, then veto the command so nothing reaches the loopback
          shim. -->
     <rule name="EntitlementsCommandTransformation">
      <policy>
       <rule>
        <description>Check for group membership being granted or revoked</description>
        <conditions>
         <or>
          <if-operation op="equal">add</if-operation>
          <if-operation op="equal">modify</if-operation>
         </or>
        </conditions>
        <actions>
         <!-- "Groups" is the name of the entitlement object defined further
              down in this export; each value of a revoked entitlement is the
              DN of a group to take the user out of. -->
         <do-for-each>
          <arg-node-set>
           <token-removed-entitlement name="Groups"/>
          </arg-node-set>
          <arg-actions>
           <do-remove-src-attr-value name="Group Membership">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-remove-src-attr-value>
           <do-remove-src-attr-value name="Security Equals">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-remove-src-attr-value>
          </arg-actions>
         </do-for-each>
         <!-- Same for grants: add the group DN to both attributes. -->
         <do-for-each>
          <arg-node-set>
           <token-added-entitlement name="Groups"/>
          </arg-node-set>
          <arg-actions>
           <do-add-src-attr-value name="Group Membership">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-add-src-attr-value>
           <do-add-src-attr-value name="Security Equals">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-add-src-attr-value>
          </arg-actions>
         </do-for-each>
         <!-- The source commands above do the real work; the original
              add/modify is not needed by the shim, so stop it here. -->
         <do-veto/>
        </actions>
       </rule>
      </policy>
     </rule>
     <!-- Subscriber Event Transformation: keep only add, modify and sync,
          and make sure every user carries an association for this driver. -->
     <rule name="EventTransformation">
      <policy>
       <rule>
        <description>Veto any operation but add, modify, and sync</description>
        <conditions>
         <and>
          <if-operation op="not-equal">add</if-operation>
          <if-operation op="not-equal">modify</if-operation>
          <if-operation op="not-equal">sync</if-operation>
         </and>
        </conditions>
        <actions>
         <do-veto/>
        </actions>
       </rule>
       <rule>
        <description>Manufacture association if none available</description>
        <conditions>
         <and>
          <if-association op="not-available"/>
         </and>
        </conditions>
        <actions>
         <!-- A user that has never been associated with this driver would
              otherwise be handled as an unassociated object. The GUID is
              unique and stable, so it serves as the association value; it is
              written to the object and set on the current operation. -->
         <do-set-local-variable name="assoc">
          <arg-string>
           <token-src-attr name="GUID"/>
          </arg-string>
         </do-set-local-variable>
         <do-add-association>
          <arg-dn>
           <token-src-dn/>
          </arg-dn>
          <arg-association>
           <token-local-variable name="assoc"/>
          </arg-association>
         </do-add-association>
         <do-set-op-association>
          <arg-association>
           <token-local-variable name="assoc"/>
          </arg-association>
         </do-set-op-association>
        </actions>
       </rule>
      </policy>
     </rule>
    </children>
   </subscriber>
   <!-- The entitlement object is named "Groups"; the Subscriber policies above
        reference it by that name. The values an RBE policy can grant come from
        the query below: every Group in the tree, shown by CN and Description,
        with the group's DN as the granted value. conflict-resolution="union"
        merges the values when more than one policy grants the same group. -->
   <entitlement-definition name="Groups">
    <entitlement conflict-resolution="union" description="Groups in
Identity Vault" display-name="Identity Vault Groups" name="Group">
     <values>
      <query-app>
       <query-xml>
        <nds dtd-version="2.0">
         <input>
          <query class-name="Group" scope="subtree">
           <search-class class-name="Group"/>
           <read-attr attr-name="Description"/>
           <read-attr attr-name="CN"/>
          </query>
         </input>
        </nds>
       </query-xml>
       <result-set>
        <display-name>
         <token-attr attr-name="CN"/>
        </display-name>
        <description>
         <token-attr attr-name="Description"/>
        </description>
        <ent-value>
         <token-src-dn/>
        </ent-value>
       </result-set>
      </query-app>
     </values>
    </entitlement>
   </entitlement-definition>
  </children>
  <global-config-values>
   <configuration-values>
    <definitions/>
   </configuration-values>
  </global-config-values>
</driver-configuration>
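As an added example that is not part of Father Ramon's configuration or of Identity Manager itself, the Python below models what the Subscriber command transformation above does when a user's DirXML-EntitlementRef values change: it parses each reference, works out which group DNs the "Groups" entitlement has gained or lost, and emits the same Group Membership / Security Equals source commands followed by the veto. Assumptions of the model, not facts from the page: that a reference value has the Path-syntax shape "entitlement DN#state#XML payload" with the granted group DN in <param> and state 1 meaning granted; dotted DNs copied from the export's style; that conflict-resolution="union" means a group is only removed once no remaining reference still grants it; and the user, RBE policy and group names, which are constructed.

```python
import re
from dataclasses import dataclass

# Assumed shape of a DirXML-EntitlementRef value (Path syntax):
#   "<entitlement DN>#<state>#<XML payload>", state "1" = granted, "0" = revoked,
#   payload "<ref><src>..</src><id>..</id><param>..</param></ref>" with the
#   granted group DN in <param>. Dotted, leaf-first DNs as in the export.
ENT_REF_RE = re.compile(r"^(?P<dn>[^#]+)#(?P<state>[01])#(?P<payload>.*)$", re.S)


@dataclass(frozen=True)
class EntRef:
    entitlement_dn: str
    granted: bool
    src: str    # which RBE policy (or workflow) issued this reference
    param: str  # the granted value: a group DN for the "Groups" entitlement

    @property
    def entitlement_name(self):
        return self.entitlement_dn.split(".")[0]


def parse_ent_ref(value):
    """Split one DirXML-EntitlementRef value into its parts."""
    m = ENT_REF_RE.match(value)
    if m is None:
        raise ValueError("not a DirXML-EntitlementRef value: %r" % value)
    payload = m.group("payload")

    def text_of(tag):
        mm = re.search(r"<%s>(.*?)</%s>" % (tag, tag), payload, re.S)
        return mm.group(1).strip() if mm else ""

    return EntRef(m.group("dn"), m.group("state") == "1", text_of("src"), text_of("param"))


def granted_values(ent_ref_values, entitlement_name):
    """Values still granted by at least one reference (conflict-resolution="union")."""
    return {
        r.param
        for r in map(parse_ent_ref, ent_ref_values)
        if r.granted and r.entitlement_name == entitlement_name
    }


def entitlement_diff(old_values, new_values, entitlement_name="Groups"):
    """(added, removed) group DNs for a modify that changes the user's
    DirXML-EntitlementRef from old_values to new_values, i.e. what the policy's
    token-added-entitlement / token-removed-entitlement loops iterate over.
    Under union resolution a group is removed only when no reference grants it."""
    before = granted_values(old_values, entitlement_name)
    after = granted_values(new_values, entitlement_name)
    return after - before, before - after


def command_transformation(user_dn, old_values, new_values):
    """Mirror EntitlementsCommandTransformation: source-attribute changes on the
    user for Group Membership and Security Equals, then veto the command."""
    added, removed = entitlement_diff(old_values, new_values)
    commands = []
    for group_dn in sorted(removed):
        commands.append(("remove-src-attr-value", user_dn, "Group Membership", group_dn))
        commands.append(("remove-src-attr-value", user_dn, "Security Equals", group_dn))
    for group_dn in sorted(added):
        commands.append(("add-src-attr-value", user_dn, "Group Membership", group_dn))
        commands.append(("add-src-attr-value", user_dn, "Security Equals", group_dn))
    commands.append(("veto", user_dn, None, None))  # nothing is sent to the loopback shim
    return commands


def ent_ref(state, src, group_dn, ent_dn="Groups.GroupEntitlementLoopback.DriverSet.novell"):
    """Build a constructed reference value in the assumed shape."""
    return "%s#%d#<ref><src>%s</src><id>%s</id><param>%s</param></ref>" % (
        ent_dn, state, src, src, group_dn)


def demo():
    """Constructed scenario: two RBE policies grant Finance, one is withdrawn,
    the only grant of Auditors is withdrawn, and Admins is newly granted."""
    user = "jdoe.users.novell"
    old = [
        ent_ref(1, "RBE-Finance-Staff", "Finance.groups.novell"),
        ent_ref(1, "RBE-Finance-Managers", "Finance.groups.novell"),
        ent_ref(1, "RBE-Auditors", "Auditors.groups.novell"),
    ]
    new = [
        ent_ref(1, "RBE-Finance-Staff", "Finance.groups.novell"),
        ent_ref(0, "RBE-Finance-Managers", "Finance.groups.novell"),  # Staff still grants it
        ent_ref(0, "RBE-Auditors", "Auditors.groups.novell"),         # last grant gone
        ent_ref(1, "RBE-Admins", "Admins.groups.novell"),             # new grant
    ]
    return command_transformation(user, old, new)


if __name__ == "__main__":
    for command in demo():
        print(command)
```

Running it prints five commands: Auditors is removed from both attributes, Admins is added to both, and the command is vetoed; Finance is untouched even though one of its two references was revoked, which is the union behaviour the entitlement definition asks for.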

© 2008 Novell, Inc. All Rights Reserved.