edu.internet2.middleware.grouper.pspng

Class LdapProvisioner<ConfigurationClass extends LdapProvisionerConfiguration>

java.lang.Object

edu.internet2.middleware.grouper.pspng.Provisioner<ConfigurationClass,LdapUser,LdapGroup>

edu.internet2.middleware.grouper.pspng.LdapProvisioner<ConfigurationClass>

Direct Known Subclasses:

LdapAttributeProvisioner, LdapGroupProvisioner

public abstract class LdapProvisioner<ConfigurationClass extends LdapProvisionerConfiguration>
extends Provisioner<ConfigurationClass,LdapUser,LdapGroup>

This (abstract) class consolidates the common aspects of provisioning to LDAP-based targets. This includes -Configuring and building (ldaptive) LDAP connection pools -PersonSubject-to-LdapObject searching and caching. -Consolidating/Batching ldap modifications into as few modifications as possible.

Field Summary

Fields

Modifier and Type	Field and Description
protected LdapSystem	ldapSystem
static Set<org.ldaptive.ResultCode>	schemaRelatedLdapErrors LDAP ResultCodes that might occur from a schema-related violation, for example when the last member is removed from an LdapGroup that requires a member

Fields inherited from class edu.internet2.middleware.grouper.pspng.Provisioner

activeProvisioner, config, fullSyncMode, LOG, provisionerConfigName, provisionerDisplayName

Constructor Summary

Constructors

Constructor and Description
LdapProvisioner(String provisionerName, ConfigurationClass config, boolean fullSyncMode)

Method Summary

Modifier and Type	Method and Description
protected void	createOuInExistingLocation(com.unboundid.ldap.sdk.DN ouDn) This function creates an OU with the provided DN with the OU-Creation ldif template.
protected LdapUser	createUser(Subject personSubject) Provisioning a new User account in the target system.
protected void	ensureLdapOusExist(com.unboundid.ldap.sdk.DN dn) Internal worker function called by ensureLdapOusExist(dnString, wholeDnIsTheOu).
void	ensureLdapOusExist(String dnString, boolean wholeDnIsTheOu) Public way to create any missing OUs.
protected Map<Subject,LdapUser>	fetchTargetSystemUsers(Collection<Subject> subjectsToFetch) Find the subjects in the ldap server.
void	finishCoordination(List<ProvisioningWorkItem> workItems, boolean wasSuccessful) Provisioning is over.
void	finishProvisioningBatch(List<ProvisioningWorkItem> workItems) This implements the LDAP Modifications that were scheduled with schedulLdapModification.
protected LdapSystem	getLdapSystem()
protected org.ldaptive.SearchFilter	getUserLdapFilter(Subject subject)
boolean	isStringDnEscaped(String dnString) Has this string already been dn-escaped as determined by whether stringHasBeenDnEscaped(...) was called for it.
boolean	isStringEscapedForLdapFilter(String filterString) Has this string already been escaped as an ldap filter, as determined by whether stringHasBeenLdapFilterEscaped(...) was called for it.
protected boolean	isWorkItemMakingChange(ProvisioningWorkItem workItem, String dn, String attributeName, String provisioningAttributeValue)
protected void	performLdapAdd(org.ldaptive.LdapEntry entryToAdd) Perform an LDAP ADD after making sure the new object's OU exists.
protected void	populateJexlMap(String expression, Map<String,Object> variableMap, Subject subject, LdapUser ldapUser, GrouperGroupInfo grouperGroupInfo, LdapGroup ldapGroup) Overridable method to put group and subject information into the Jexl map for use during evaluation.
protected String	sanityCheckDnAttributesOfLdif(String ldif, String ldifSourceFormat, Object... ldifSourceArgs) Look at attributes that are supposed to store DNs and make sure they are escaped and/or parsable
protected void	scheduleLdapModification(org.ldaptive.ModifyRequest operation) Note that the given ProvisioningWorkItem needs the given ModifyRequest done.
static void	stringHasBeenDnEscaped(String dnString) Note that the given dn string has already been escaped, in particular any commas or equal signs in the components of the dn have been escaped.
static void	stringHasBeenLdapFilterEscaped(String ldapFilterValue) Note that the given string has already been escaped as an ldap filter, in particular any (,),* have been escaped.

Methods inherited from class edu.internet2.middleware.grouper.pspng.Provisioner

addMembership, allGroupsForProvisionerFromCache, allGroupsForProvisionerFromCacheClear, cacheGroup, checkAttributeDefinitions, createGroup, deleteGroup, deleteMembership, doFullSync_cleanupExtraGroups, doFullSync, evaluateJexlExpression, fetchTargetSystemGroup, fetchTargetSystemGroups, fetchTargetSystemGroupsInBatches, fetchTargetSystemUser, filterWorkItems, filterWorkItems2, flushCachesIfNecessary, getAllGroupsForProvisioner, getAllGroupsForProvisioner2, getConfig, getConfigName, getCurrentWorkItem, getDisplayName, getGroupInfo, getGroupInfoOfExistingGroup, getGroupInfoOfExistingGroup, getGroupJexlMap, getJobStatistics, getPropertyClass, getSubject, getSubjectCacheKey, getSubjectCacheKey, getTargetSystemUser, groupNameToMillisAndProvisionable, isFullSyncMode, provisionBatchOfItems, provisionItem, setCurrentWorkItem, setJobStatistics, shouldGroupBeProvisioned, shouldGroupBeProvisionedConsiderCache, shouldLogAboutMissingSubjects, shouldWorkItemBeProcessed, startCoordination, startProvisioningBatch, toString, uncacheAllGroups, uncacheGroup, warnAboutCacheSizeConcerns, workItemMightChangeGroupSelection

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

ldapSystem

protected LdapSystem ldapSystem

schemaRelatedLdapErrors

public static Set<org.ldaptive.ResultCode> schemaRelatedLdapErrors

LDAP ResultCodes that might occur from a schema-related violation, for example when the last member is removed from an LdapGroup that requires a member

Constructor Detail

LdapProvisioner

public LdapProvisioner(String provisionerName,
                       ConfigurationClass config,
                       boolean fullSyncMode)

Method Detail

stringHasBeenDnEscaped

public static void stringHasBeenDnEscaped(String dnString)

Note that the given dn string has already been escaped, in particular any commas or equal signs in the components of the dn have been escaped. These strings can be later checked with isStringDnEscaped See RDN.toMinimallyEncodedString(), PspJexlUtils.bushyDn

Parameters:

dnString -

isStringDnEscaped

public boolean isStringDnEscaped(String dnString)

Has this string already been dn-escaped as determined by whether stringHasBeenDnEscaped(...) was called for it.

Parameters:

dnString -

Returns:

stringHasBeenLdapFilterEscaped

public static void stringHasBeenLdapFilterEscaped(String ldapFilterValue)

Note that the given string has already been escaped as an ldap filter, in particular any (,),* have been escaped. These strings can be later checked with isStringLdapFilterEscaped See PspJexlUtils.escapeLdapFilter

Parameters:

ldapFilterValue -

isStringEscapedForLdapFilter

public boolean isStringEscapedForLdapFilter(String filterString)

Has this string already been escaped as an ldap filter, as determined by whether stringHasBeenLdapFilterEscaped(...) was called for it.

Parameters:

filterString -

Returns:

finishCoordination

public void finishCoordination(List<ProvisioningWorkItem> workItems,
                               boolean wasSuccessful)

Description copied from class: Provisioner

Provisioning is over. Time to unlock in order to allow other full- or incremental-sync to occur on them

Overrides:

finishCoordination in class Provisioner<ConfigurationClass extends LdapProvisionerConfiguration,LdapUser,LdapGroup>

fetchTargetSystemUsers

protected Map<Subject,LdapUser> fetchTargetSystemUsers(Collection<Subject> subjectsToFetch)
                                                throws PspException

Find the subjects in the ldap server. If account-creation is enabled with createMissingAccounts, this will create missing entries.

Specified by:

fetchTargetSystemUsers in class Provisioner<ConfigurationClass extends LdapProvisionerConfiguration,LdapUser,LdapGroup>

Parameters:

subjectsToFetch -

Returns:

Throws:

PspException

getUserLdapFilter

protected org.ldaptive.SearchFilter getUserLdapFilter(Subject subject)
                                               throws PspException

Throws:

PspException

createUser

protected LdapUser createUser(Subject personSubject)
                       throws PspException

Description copied from class: Provisioner

Provisioning a new User account in the target system. This must be overridden in provisioner subclasses that support creating user accounts. This is more used for provisioning testing, but can be supported in production when provisioning can be done with just the information stored in a grouper Subject.

Overrides:

createUser in class Provisioner<ConfigurationClass extends LdapProvisionerConfiguration,LdapUser,LdapGroup>

Returns:

Throws:

PspException

sanityCheckDnAttributesOfLdif

protected String sanityCheckDnAttributesOfLdif(String ldif,
                                               String ldifSourceFormat,
                                               Object... ldifSourceArgs)
                                        throws PspException

Look at attributes that are supposed to store DNs and make sure they are escaped and/or parsable

Parameters:

ldif -

Returns:

Presently this just returns the input ldif. Hopefully this can someday help cleanup dn-escaping problems

Throws:

PspException

populateJexlMap

protected void populateJexlMap(String expression,
                               Map<String,Object> variableMap,
                               Subject subject,
                               LdapUser ldapUser,
                               GrouperGroupInfo grouperGroupInfo,
                               LdapGroup ldapGroup)

Description copied from class: Provisioner

Overridable method to put group and subject information into the Jexl map for use during evaluation. If you override this, make sure to call super().populateElMap so the standard mappings will be included in addition to those you're adding.

Overrides:

populateJexlMap in class Provisioner<ConfigurationClass extends LdapProvisionerConfiguration,LdapUser,LdapGroup>

variableMap - Map that will eventually be provided in Jexl evalutions

scheduleLdapModification

protected void scheduleLdapModification(org.ldaptive.ModifyRequest operation)

Note that the given ProvisioningWorkItem needs the given ModifyRequest done. These are not done right away so that multiple modifications can be implemented together in batches. For example, LDAP servers can generally process a single ldap modification that adds 10 values to an attribute MUCH faster than processing 10 single-value Modify-Add operations.

Parameters:

operation -

finishProvisioningBatch

public void finishProvisioningBatch(List<ProvisioningWorkItem> workItems)
                             throws PspException

This implements the LDAP Modifications that were scheduled with schedulLdapModification. Those scheduled changes are stored within the ProvisioningWorkItems that are passed around. In order to be fast, we first try to coalesce the changes across ProvisioningWorkItems. If all the fancy, coalescing LDAP-implementation fails, each workItem's LDAP operations will be done individually so problems will be tracked down to specific workItem(s).

Overrides:

finishProvisioningBatch in class Provisioner<ConfigurationClass extends LdapProvisionerConfiguration,LdapUser,LdapGroup>

Throws:

PspException

isWorkItemMakingChange

protected boolean isWorkItemMakingChange(ProvisioningWorkItem workItem,
                                         String dn,
                                         String attributeName,
                                         String provisioningAttributeValue)

getLdapSystem

protected LdapSystem getLdapSystem()
                            throws PspException

Throws:

PspException

ensureLdapOusExist

public void ensureLdapOusExist(String dnString,
                               boolean wholeDnIsTheOu)
                        throws PspException

Public way to create any missing OUs.

Parameters:

dnString -

wholeDnIsTheOu - false: The top of the DN is not an OU (eg, cn=group,ou=folder1,ou=folder2,dc=example). true: The top of the DN is an OU (eg, ou=folder1, ou=folder2, dc=example).

Throws:

PspException

ensureLdapOusExist

protected void ensureLdapOusExist(com.unboundid.ldap.sdk.DN dn)
                           throws PspException

Internal worker function called by ensureLdapOusExist(dnString, wholeDnIsTheOu). This function reads a dn and if it doesn't already exist, then it makes sure the parent dn exists (with a recursive call) and then creates an ou at the dn location by calling createOuInExistingLocation(dn).

Parameters:

dn -

Throws:

PspException

createOuInExistingLocation

protected void createOuInExistingLocation(com.unboundid.ldap.sdk.DN ouDn)
                                   throws PspException

This function creates an OU with the provided DN with the OU-Creation ldif template. This function assumes that the parent DN of ouDn exists. In other words, this function will not try to create any parent OUs.

Parameters:

ouDn -

Throws:

PspException

performLdapAdd

protected void performLdapAdd(org.ldaptive.LdapEntry entryToAdd)
                       throws PspException

Perform an LDAP ADD after making sure the new object's OU exists.

Parameters:

entryToAdd -

Throws:

PspException