Problem
A Forum reader recently asked:
"I'm trying to mirror what the AD Group Entitlement is doing, except for Groups in eDirectory. I created the Loopback driver and created an entitlement named "Group" underneath that. The entitlement is an exact match of the AD entitlement and seems to be working fine with setting up the RBE. The only thing in the filter is the DirXML-EntitlementRef on the
Subscriber Channel set to Notify. I'm trying to figure out what I'm doing wrong or missing in the add/remove from group logic.
It's selecting the correct RBE; I'm just not sure how to get it to select the correct group."
And here's the response from Father Ramon ...
Solution
Setting up a loopback driver with a group entitlement for eDirectory is significantly different from doing so for the AD driver. Here is an export of a configuration that works:
<driver-configuration dn="GroupEntitlementLoopback.DriverSet.novell"
    driver-set-dn="DriverSet.novell" name="GroupEntitlementLoopback">
  <attributes>
    <application-schema>
      <schema-def/>
    </application-schema>
    <configuration-manifest>
      <manifest>
        <capability name="entitlements"/>
      </manifest>
    </configuration-manifest>
    <global-config-values>
      <configuration-values>
        <definitions/>
      </configuration-values>
    </global-config-values>
    <driver-filter-xml>
      <filter>
        <filter-class class-name="User" publisher="sync"
            publisher-create-homedir="true" publisher-track-template-member="false"
            subscriber="sync">
          <filter-attr attr-name="DirXML-EntitlementRef"
              from-all-classes="true" merge-authority="edir" publisher="ignore"
              publisher-optimize-modify="true" subscriber="notify"/>
        </filter-class>
      </filter>
    </driver-filter-xml>
    <java-module
        value="com.novell.nds.dirxml.driver.loopback.LoopbackDriverShim"/>
    <driver-start-option value="1"/>
    <driver-cache-limit value="0"/>
    <shim-config-info-xml/>
    <driver-password-query/>
    <shim-auth-password-query/>
  </attributes>
  <children>
    <publisher name="Publisher">
      <attributes/>
      <children/>
    </publisher>
    <subscriber name="Subscriber">
      <attributes>
        <command-transformation-rule
            dn="EntitlementsCommandTransformation.Subscriber.GroupEntitlementLoopback.DriverSet.novell"/>
        <event-transformation-rule
            dn="EventTransformation.Subscriber.GroupEntitlementLoopback.DriverSet.novell"/>
      </attributes>
      <children>
        <rule name="EntitlementsCommandTransformation">
          <policy>
            <rule>
              <description>Check for group membership being granted or revoked</description>
              <conditions>
                <or>
                  <if-operation op="equal">add</if-operation>
                  <if-operation op="equal">modify</if-operation>
                </or>
              </conditions>
              <actions>
                <do-for-each>
                  <arg-node-set>
                    <token-removed-entitlement name="Groups"/>
                  </arg-node-set>
                  <arg-actions>
                    <do-remove-src-attr-value name="Group Membership">
                      <arg-value type="dn">
                        <token-local-variable name="current-node"/>
                      </arg-value>
                    </do-remove-src-attr-value>
                    <do-remove-src-attr-value name="Security Equals">
                      <arg-value type="dn">
                        <token-local-variable name="current-node"/>
                      </arg-value>
                    </do-remove-src-attr-value>
                  </arg-actions>
                </do-for-each>
                <do-for-each>
                  <arg-node-set>
                    <token-added-entitlement name="Groups"/>
                  </arg-node-set>
                  <arg-actions>
                    <do-add-src-attr-value name="Group Membership">
                      <arg-value type="dn">
                        <token-local-variable name="current-node"/>
                      </arg-value>
                    </do-add-src-attr-value>
                    <do-add-src-attr-value name="Security Equals">
                      <arg-value type="dn">
                        <token-local-variable name="current-node"/>
                      </arg-value>
                    </do-add-src-attr-value>
                  </arg-actions>
                </do-for-each>
                <do-veto/>
              </actions>
            </rule>
          </policy>
        </rule>
        <rule name="EventTransformation">
          <policy>
            <rule>
              <description>Veto any operation but add, modify, and sync</description>
              <conditions>
                <and>
                  <if-operation op="not-equal">add</if-operation>
                  <if-operation op="not-equal">modify</if-operation>
                  <if-operation op="not-equal">sync</if-operation>
                </and>
              </conditions>
              <actions>
                <do-veto/>
              </actions>
            </rule>
            <rule>
              <description>Manufacture association if none available</description>
              <conditions>
                <and>
                  <if-association op="not-available"/>
                </and>
              </conditions>
              <actions>
                <do-set-local-variable name="assoc">
                  <arg-string>
                    <token-src-attr name="GUID"/>
                  </arg-string>
                </do-set-local-variable>
                <do-add-association>
                  <arg-dn>
                    <token-src-dn/>
                  </arg-dn>
                  <arg-association>
                    <token-local-variable name="assoc"/>
                  </arg-association>
                </do-add-association>
                <do-set-op-association>
                  <arg-association>
                    <token-local-variable name="assoc"/>
                  </arg-association>
                </do-set-op-association>
              </actions>
            </rule>
          </policy>
        </rule>
      </children>
    </subscriber>
    <entitlement-definition name="Groups">
      <entitlement conflict-resolution="union" description="Groups in Identity Vault"
          display-name="Identity Vault Groups" name="Group">
        <values>
          <query-app>
            <query-xml>
              <nds dtd-version="2.0">
                <input>
                  <query class-name="Group" scope="subtree">
                    <search-class class-name="Group"/>
                    <read-attr attr-name="Description"/>
                    <read-attr attr-name="CN"/>
                  </query>
                </input>
              </nds>
            </query-xml>
            <result-set>
              <display-name>
                <token-attr attr-name="CN"/>
              </display-name>
              <description>
                <token-attr attr-name="Description"/>
              </description>
              <ent-value>
                <token-src-dn/>
              </ent-value>
            </result-set>
          </query-app>
        </values>
      </entitlement>
    </entitlement-definition>
  </children>
  <global-config-values>
    <configuration-values>
      <definitions/>
    </configuration-values>
  </global-config-values>
</driver-configuration>
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.