edu.internet2.middleware.grouper.pspng

Class LdapGroupProvisioner

java.lang.Object

edu.internet2.middleware.grouper.pspng.Provisioner<ConfigurationClass,LdapUser,LdapGroup>

edu.internet2.middleware.grouper.pspng.LdapProvisioner<LdapGroupProvisionerConfiguration>

edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner

public class LdapGroupProvisioner
extends LdapProvisioner<LdapGroupProvisionerConfiguration>

This class is the workhorse for provisioning LDAP groups from grouper.

Field Summary

Fields inherited from class edu.internet2.middleware.grouper.pspng.LdapProvisioner

ldapSystem, schemaRelatedLdapErrors

Fields inherited from class edu.internet2.middleware.grouper.pspng.Provisioner

activeProvisioner, config, fullSyncMode, LOG, provisionerConfigName, provisionerDisplayName

Constructor Summary

Constructors

Constructor and Description
LdapGroupProvisioner(String provisionerName, LdapGroupProvisionerConfiguration config, boolean fullSyncMode)

Method Summary

Modifier and Type	Method and Description
protected void	addMembership(GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup, Subject subject, LdapUser ldapUser) Action method that handles membership additions where a person-subject is added to a group.
protected LdapGroup	createGroup(GrouperGroupInfo grouperGroup, Collection<Subject> initialMembers) Provisioning a new Group in the target system.
protected void	deleteGroup(GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup) Action method that handles group removal.
protected void	deleteMembership(GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup, Subject subject, LdapUser ldapUser) Abstract action method that handles membership removals.
protected void	doFullSync_cleanupExtraGroups(JobStatistics stats) This method's responsibility is find extra groups within Grouper's responsibility that exist in the target system.
protected boolean	doFullSync(GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup, Set<Subject> correctSubjects, Map<Subject,LdapUser> tsUserMap, Set<LdapUser> correctTSUsers, JobStatistics stats) This method's responsibility is to make sure that group's only provisioned memberships are those of correctSubjects.
protected Map<GrouperGroupInfo,LdapGroup>	fetchTargetSystemGroups(Collection<GrouperGroupInfo> grouperGroupsToFetch) This fetches group information from the target system.
static Class<? extends ProvisionerConfiguration>	getPropertyClass()
protected void	scheduleGroupModification(GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup, org.ldaptive.AttributeModificationType modType, Collection<String> membershipValuesToChange)
protected LdapGroup	updateGroupFromTemplate(GrouperGroupInfo grouperGroupInfo, LdapGroup existingLdapGroup) This method compares the existing LdapGroup to how the groupCreationTemplate might have changed due to group changes (eg, a changed group name) or due to template changes

Methods inherited from class edu.internet2.middleware.grouper.pspng.LdapProvisioner

createOuInExistingLocation, createUser, ensureLdapOusExist, ensureLdapOusExist, fetchTargetSystemUsers, finishCoordination, finishProvisioningBatch, getLdapSystem, getUserLdapFilter, isStringDnEscaped, isStringEscapedForLdapFilter, isWorkItemMakingChange, performLdapAdd, populateJexlMap, sanityCheckDnAttributesOfLdif, scheduleLdapModification, stringHasBeenDnEscaped, stringHasBeenLdapFilterEscaped

Methods inherited from class edu.internet2.middleware.grouper.pspng.Provisioner

cacheGroup, evaluateJexlExpression, fetchTargetSystemGroup, fetchTargetSystemGroupsInBatches, fetchTargetSystemUser, filterWorkItems, flushCachesIfNecessary, getAllGroupsForProvisioner, getConfig, getConfigName, getCurrentWorkItem, getDisplayName, getGroupInfo, getGroupInfoOfExistingGroup, getGroupInfoOfExistingGroup, getGroupJexlMap, getSubject, getSubjectCacheKey, getSubjectCacheKey, getTargetSystemUser, isFullSyncMode, provisionBatchOfItems, provisionItem, setCurrentWorkItem, shouldGroupBeProvisioned, shouldLogAboutMissingSubjects, shouldWorkItemBeProcessed, startCoordination, startProvisioningBatch, toString, uncacheAllGroups, uncacheGroup, warnAboutCacheSizeConcerns, workItemShouldBeHandledByFullSyncOfEverything

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

LdapGroupProvisioner

public LdapGroupProvisioner(String provisionerName,
                            LdapGroupProvisionerConfiguration config,
                            boolean fullSyncMode)

Method Detail

getPropertyClass

public static Class<? extends ProvisionerConfiguration> getPropertyClass()

addMembership

protected void addMembership(GrouperGroupInfo grouperGroupInfo,
                             LdapGroup ldapGroup,
                             Subject subject,
                             LdapUser ldapUser)
                      throws PspException

Description copied from class: Provisioner

Action method that handles membership additions where a person-subject is added to a group. The top-level Provisioner class implementation is abstract, and, of course, this method is expected to be overridden by every provisioner subclass to accomplish something useful.

Specified by:

addMembership in class Provisioner<LdapGroupProvisionerConfiguration,LdapUser,LdapGroup>

Parameters:

grouperGroupInfo - The group to which the subject needs to be added as a member

ldapGroup - A TSGroupClass created for group by fetchTargetSystemGroup. This will be null for systems that do not need target system groups.

subject - The (person) subject that needs to be provisioned as a member of 'group'

ldapUser - A TSUserClass created for the subject by fetchTargetSystemUser. This will be null for systems that do not need target system users.

Throws:

PspException

scheduleGroupModification

protected void scheduleGroupModification(GrouperGroupInfo grouperGroupInfo,
                                         LdapGroup ldapGroup,
                                         org.ldaptive.AttributeModificationType modType,
                                         Collection<String> membershipValuesToChange)

deleteMembership

protected void deleteMembership(GrouperGroupInfo grouperGroupInfo,
                                LdapGroup ldapGroup,
                                Subject subject,
                                LdapUser ldapUser)
                         throws PspException

Description copied from class: Provisioner

Abstract action method that handles membership removals. Note: This method is called for MembershipDelete events for a non-group member.

Specified by:

deleteMembership in class Provisioner<LdapGroupProvisionerConfiguration,LdapUser,LdapGroup>

Parameters:

grouperGroupInfo - The group to which the subject needs to be removed as a member

ldapGroup - TSGroupClass for the 'group.' This is null for systems that do not need target-system group info

subject - The subject that needs to be deprovisioned as a member of 'group'

ldapUser - TSUserClass for the 'subject.' This is null for systems that do not need target-system user info

Throws:

PspException

doFullSync

protected boolean doFullSync(GrouperGroupInfo grouperGroupInfo,
                             LdapGroup ldapGroup,
                             Set<Subject> correctSubjects,
                             Map<Subject,LdapUser> tsUserMap,
                             Set<LdapUser> correctTSUsers,
                             JobStatistics stats)
                      throws PspException

Description copied from class: Provisioner

This method's responsibility is to make sure that group's only provisioned memberships are those of correctSubjects. Extra subjects should be removed. Before this is called, the following have occurred: -a ProvisioningWorkItem was created representing the whole Full Sync, and it was marked as the current provisioning item -StartProvisioningBatch was called -TSGroupClass- and TSUserClass-caches are populated with the group and CORRECT Subjects Also, remember that fullSyncMode=true for provisioners doing full-sync, so TargetSystemUsers and TargetSystemGroups should have the extra information needed to facilitate full syncs.

Specified by:

doFullSync in class Provisioner<LdapGroupProvisionerConfiguration,LdapUser,LdapGroup>

Parameters:

grouperGroupInfo - Grouper group to fully synchronize with target system

ldapGroup - TSGroupClass that maps to group.

correctSubjects - What subjects are members in the Grouper Registry

tsUserMap - Map of TargetSystemUsers which map to the correctSubjects. This will be empty for provisioners that do not use TargetSystemUsers.

correctTSUsers - A list of the TSUsers that correspond to correctSubjects. This might be a subset of the TSUsers in the tsUserMap.

stats - A holder of the number of changes the fullSync performs

Returns:

True when changes were made to target system

Throws:

PspException

updateGroupFromTemplate

protected LdapGroup updateGroupFromTemplate(GrouperGroupInfo grouperGroupInfo,
                                            LdapGroup existingLdapGroup)
                                     throws PspException

This method compares the existing LdapGroup to how the groupCreationTemplate might have changed due to group changes (eg, a changed group name) or due to template changes

Parameters:

grouperGroupInfo -

existingLdapGroup -

Returns:

An up-to-date LdapGroup: either existingLdapGroup if no changes were needed, or a newly-read group

Throws:

PspException

doFullSync_cleanupExtraGroups

protected void doFullSync_cleanupExtraGroups(JobStatistics stats)
                                      throws PspException

Description copied from class: Provisioner

This method's responsibility is find extra groups within Grouper's responsibility that exist in the target system. These extra groups should be removed. Note: This is only called when grouperIsAuthoritative=true in the provisioner's properties. To avoid deleting newly created groups, implementations should follow the following: 1) Read all the provisioned information 2) Read all the groups that should be provisioned (getAllGroupsForProvisioner()) 3) Fetch group information from system (fetchTargetSystemGroupsInBatches(allGroupsForProvisioner) (if TSGroup objects are relevant) 4) Compare (1) & (3) and delete anything extra in (1)

Specified by:

doFullSync_cleanupExtraGroups in class Provisioner<LdapGroupProvisionerConfiguration,LdapUser,LdapGroup>

Throws:

PspException

createGroup

protected LdapGroup createGroup(GrouperGroupInfo grouperGroup,
                                Collection<Subject> initialMembers)
                         throws PspException

Description copied from class: Provisioner

Provisioning a new Group in the target system. This must be overridden in provisioner subclasses that support creating groups. This will normally be called (with an empty members parameter) when provisioning-enabled groups are created in Grouper. However, when an empty group cannot be created (eg, an ldap group that _requires_ members) or when members are somehow already known, this may be called with a (non-empty) list of members.

Specified by:

createGroup in class Provisioner<LdapGroupProvisionerConfiguration,LdapUser,LdapGroup>

initialMembers - What members should in the provisioned group once the method completes. This is generally empty during incremental/changelog-based provisioning, but may list users at other times.

Returns:

Throws:

PspException

fetchTargetSystemGroups

protected Map<GrouperGroupInfo,LdapGroup> fetchTargetSystemGroups(Collection<GrouperGroupInfo> grouperGroupsToFetch)
                                                           throws PspException

Description copied from class: Provisioner

This fetches group information from the target system. Subclasses that have TSGroupClass information need to override this. Subclasses that do not need TSGroupClass information should just return either an empty map (Collections.EMPTY_MAP) or null;. Note: The signature of this method is designed for batch fetching. If you cannot fetch batches of information, then loop through the provided groups and build a resulting map.

Specified by:

fetchTargetSystemGroups in class Provisioner<LdapGroupProvisionerConfiguration,LdapUser,LdapGroup>

Returns:

Throws:

PspException

deleteGroup

protected void deleteGroup(GrouperGroupInfo grouperGroupInfo,
                           LdapGroup ldapGroup)
                    throws PspException

Description copied from class: Provisioner

Action method that handles group removal. The top-level Provisioner class implementation does nothing except log an error if the target system needs groups. This is expected to be overridden by subclasses if the target system needs groups, and do not call the super.deleteGroup version of this when you override it this

Specified by:

deleteGroup in class Provisioner<LdapGroupProvisionerConfiguration,LdapUser,LdapGroup>

Throws:

PspException