
Setting Up a Loopback Driver with a Group Entitlement for eDirectory

Novell Cool Solutions: Tip


Posted: 5 Jul 2007
 

Problem

A Forum reader recently asked:

"I'm trying to mirror what the AD Group Entitlement is doing, except for Groups in eDirectory. I created the Loopback driver and created an entitlement named "Group" underneath that. The entitlement is an exact match of the AD entitlement and seems to be working fine with setting up the RBE. The only thing in the filter is the DirXML-EntitlementRef on the Subscriber Channel set to Notify. I'm trying to figure out what I'm doing wrong or missing in the add/remove from group logic.

It's selecting the correct RBE; I'm just not sure how to get it to select the correct group."

And here's the response from Father Ramon ...

Solution

Setting up a loopback driver with a group entitlement for eDirectory differs significantly from the setup used for the AD driver. Here is an export of a configuration that works:

<!-- Export of an IDM Loopback driver that realizes a valued "Groups" entitlement as
     eDirectory group membership. All of the work is done by the Subscriber channel
     policies; the Publisher channel carries no policies at all. -->
<driver-configuration dn="GroupEntitlementLoopback.DriverSet.novell" 
driver-set-dn="DriverSet.novell" name="GroupEntitlementLoopback">
  <attributes>
   <!-- Empty application schema (the loopback shim has no external directory to describe). -->
   <application-schema>
    <schema-def/>
   </application-schema>
   <!-- Declares entitlement support so that entitlement tooling can recognize this driver. -->
   <configuration-manifest>
    <manifest>
     <capability name="entitlements"/>
    </manifest>
   </configuration-manifest>
   <!-- No global configuration values are defined (the same empty block is repeated
        at the end of the export). -->
   <global-config-values>
    <configuration-values>
     <definitions/>
    </configuration-values>
   </global-config-values>
   <!-- Filter: only the User class, and only one attribute. DirXML-EntitlementRef is
        "notify" on the Subscriber channel (changes are delivered to the Subscriber
        policies but the attribute itself is not written to the application) and ignored
        on the Publisher channel, so the policies below are driven purely by entitlement
        grants and revocations recorded on the user object. -->
   <driver-filter-xml>
    <filter>
     <filter-class class-name="User" publisher="sync" 
publisher-create-homedir="true" publisher-track-template-member="false" 
subscriber="sync">
      <filter-attr attr-name="DirXML-EntitlementRef" 
from-all-classes="true" merge-authority="edir" publisher="ignore" 
publisher-optimize-modify="true" subscriber="notify"/>
     </filter-class>
    </filter>
   </driver-filter-xml>
   <!-- Loopback shim: there is no external system. Because add and modify commands are
        vetoed in the command transformation below, only sync operations (which the event
        transformation lets through) would actually reach the shim. -->
   <java-module 
value="com.novell.nds.dirxml.driver.loopback.LoopbackDriverShim"/>
   <driver-start-option value="1"/>
   <driver-cache-limit value="0"/>
   <shim-config-info-xml/>
   <driver-password-query/>
   <shim-auth-password-query/>
  </attributes>
  <children>
   <!-- Publisher channel: no attributes, no policies. -->
   <publisher name="Publisher">
    <attributes/>
    <children/>
   </publisher>
   <subscriber name="Subscriber">
    <attributes>
     <!-- Both policy objects referenced here are defined under children below. -->
     <command-transformation-rule 
dn="EntitlementsCommandTransformation.Subscriber.GroupEntitlementLoopback.DriverSet.novell"/>
     <event-transformation-rule 
dn="EventTransformation.Subscriber.GroupEntitlementLoopback.DriverSet.novell"/>
    </attributes>
    <children>
     <!-- Command Transformation: turn entitlement changes into group membership.
          For an add or modify command, first walk the "Groups" entitlement values that
          were revoked in this operation and remove each one (as a DN) from the user's
          Group Membership and Security Equals; then walk the values that were granted
          and add each one to both attributes. The writes go straight to the source
          (eDirectory) via the src-attr-value actions, after which the command itself
          is vetoed so nothing is sent on to the application.
          Security Equals makes the user security-equivalent to the group, i.e. the user
          receives the group's effective rights. Any group the entitlement query below
          returns can be granted this way, so keep that query's scope, and who may
          assign the entitlement, under control.
          NOTE(review): only the user-side attributes are written. Whether the group's
          reciprocal Member / Equivalent To Me values are maintained automatically in the
          target eDirectory should be confirmed; if not, the group side has to be
          written here as well. -->
     <rule name="EntitlementsCommandTransformation">
      <policy>
       <rule>
        <description>Check for group membership being granted or 
revoked</description>
        <conditions>
         <or>
          <if-operation op="equal">add</if-operation>
          <if-operation op="equal">modify</if-operation>
         </or>
        </conditions>
        <actions>
         <!-- Revocations are processed first. -->
         <do-for-each>
          <arg-node-set>
           <token-removed-entitlement name="Groups"/>
          </arg-node-set>
          <arg-actions>
           <do-remove-src-attr-value name="Group Membership">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-remove-src-attr-value>
           <do-remove-src-attr-value name="Security Equals">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-remove-src-attr-value>
          </arg-actions>
         </do-for-each>
         <!-- Then grants. current-node holds one entitlement value, i.e. one group DN. -->
         <do-for-each>
          <arg-node-set>
           <token-added-entitlement name="Groups"/>
          </arg-node-set>
          <arg-actions>
           <do-add-src-attr-value name="Group Membership">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-add-src-attr-value>
           <do-add-src-attr-value name="Security Equals">
            <arg-value type="dn">
             <token-local-variable name="current-node"/>
            </arg-value>
           </do-add-src-attr-value>
          </arg-actions>
         </do-for-each>
         <!-- The entitlement-reference change has been acted on; do not forward the command. -->
         <do-veto/>
        </actions>
       </rule>
      </policy>
     </rule>
     <!-- Event Transformation: runs before the command transformation above. -->
     <rule name="EventTransformation">
      <policy>
       <!-- Drop everything except add, modify and sync (the and of three not-equal tests
            reads "operation is none of the three"), so e.g. delete, rename and move
            events never reach the command transformation. -->
       <rule>
        <description>Veto any operation but add, modify, and 
sync</description>
        <conditions>
         <and>
          <if-operation op="not-equal">add</if-operation>
          <if-operation op="not-equal">modify</if-operation>
          <if-operation op="not-equal">sync</if-operation>
         </and>
        </conditions>
        <actions>
         <do-veto/>
        </actions>
       </rule>
       <!-- Objects this driver has not seen before carry no association. Manufacture one
            from the object's GUID: record it on the object (do-add-association) and stamp
            it on the current operation (do-set-op-association), presumably so the rest of
            the channel treats the object as associated. With a loopback shim there is no
            external system that would otherwise supply an association value. -->
       <rule>
        <description>Manufacture association of none available</description>
        <conditions>
         <and>
          <if-association op="not-available"/>
         </and>
        </conditions>
        <actions>
         <do-set-local-variable name="assoc">
          <arg-string>
           <token-src-attr name="GUID"/>
          </arg-string>
         </do-set-local-variable>
         <do-add-association>
          <arg-dn>
           <token-src-dn/>
          </arg-dn>
          <arg-association>
           <token-local-variable name="assoc"/>
          </arg-association>
         </do-add-association>
         <do-set-op-association>
          <arg-association>
           <token-local-variable name="assoc"/>
          </arg-association>
         </do-set-op-association>
        </actions>
       </rule>
      </policy>
     </rule>
    </children>
   </subscriber>
   <!-- Valued entitlement. The object name "Groups" matches the name used by
        token-added-entitlement / token-removed-entitlement above; "Group" is the name
        inside the definition. conflict-resolution="union" merges the values granted by
        several assignments instead of letting a single assignment win.
        Values are discovered at runtime by querying the application (with the loopback
        shim, presumably eDirectory itself) for every object of class Group, subtree
        scope. CN and Description are read only for display; the entitlement value the
        policy above consumes is the group's DN (token-src-dn).
        NOTE(review): the query carries no dest-dn, so presumably it searches from the
        tree root and offers every group in the vault, including administrative ones.
        Restrict the base DN, or filter the result set, if only some groups should be
        assignable through this entitlement. -->
   <entitlement-definition name="Groups">
    <entitlement conflict-resolution="union" description="Groups in 
Identity Vault" display-name="Identity Vault Groups" name="Group">
     <values>
      <query-app>
       <query-xml>
        <nds dtd-version="2.0">
         <input>
          <query class-name="Group" scope="subtree">
           <search-class class-name="Group"/>
           <read-attr attr-name="Description"/>
           <read-attr attr-name="CN"/>
          </query>
         </input>
        </nds>
       </query-xml>
       <!-- Maps each query hit to what the entitlement UI shows and to the stored value. -->
       <result-set>
        <display-name>
         <token-attr attr-name="CN"/>
        </display-name>
        <description>
         <token-attr attr-name="Description"/>
        </description>
        <ent-value>
         <token-src-dn/>
        </ent-value>
       </result-set>
      </query-app>
     </values>
    </entitlement>
   </entitlement-definition>
  </children>
  <!-- Second, equally empty GCV block (duplicate of the one under attributes). -->
  <global-config-values>
   <configuration-values>
    <definitions/>
   </configuration-values>
  </global-config-values>
</driver-configuration>

