Multiple DataConnector Precedence Order
IAM David Bantz
dabantz at alaska.edu
Mon Apr 4 14:28:49 EDT 2016
<resolver:AttributeDefinition id="UDCID" xsi:type="Script"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="myLDAP" />
    <resolver:Dependency ref="uaADLDAP" />
    <resolver:Dependency ref="EDIRemployeeNumber" />
    <resolver:Dependency ref="ADemployeeNumber" />
    <resolver:AttributeEncoder xsi:type="SAML1String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="https://iam.alaska.edu/trac/wiki/IamUaArp#UDCID" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="https://iam.alaska.edu/trac/wiki/IamUaArp#UDCID"
        friendlyName="UDCID" />
    <!-- Script attempts to provide UDCID if AD and/or EDIR return a value of employeeNumber -->
    <!-- If neither directory has a value in the attribute for UDCID, UDCID will have a null value and not be released -->
    <!-- Script presumes employeeNumber is a single-valued directory attribute in EDIR and AD -->
    <!-- debug-level log messages contain directory values and the final attribute value -->
    <Script>
    <![CDATA[
    importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
    importPackage(Packages.org.slf4j);
    logger = LoggerFactory.getLogger("edu.internet2.middleware.shibboleth.resolver.Script.scriptTest");
    logger.debug("Starting UDCID Attribute Resolver Script:");
    if (UDCID == null) {
        UDCID = new BasicAttribute("UDCID");
    }
    // If there is a value of employeeNumber from AD, use that for UDCID
    if (typeof ADemployeeNumber != "undefined" && ADemployeeNumber != null
            && ADemployeeNumber.getValues().size() != 0) {
        logger.debug("UA AD LDAP UDCID Values: " + ADemployeeNumber.getValues());
        UDCID.getValues().add(ADemployeeNumber.getValues().get(0));
    }
    // If there isn't a value of employeeNumber from AD, use a value from EDIR
    else if (typeof EDIRemployeeNumber != "undefined" && EDIRemployeeNumber != null
            && EDIRemployeeNumber.getValues().size() != 0) {
        logger.debug("Oracle (EDIR) LDAP UDCID Values: " + EDIRemployeeNumber.getValues());
        UDCID.getValues().add(EDIRemployeeNumber.getValues().get(0));
    }
    logger.debug("Completed UDCID value: " + UDCID.getValues());
    ]]>
    </Script>
</resolver:AttributeDefinition>
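The precedence rule in the script above (preferred connector first, secondary connector only when the preferred one returned nothing, attribute left empty when neither has a value) is shown below as a plain-JavaScript model with the surname case from earlier in the thread. This is an added example, not code from the thread or from the Shibboleth project: the IdP script operates on BasicAttribute objects through the IdP scripting API, whereas this model uses plain arrays and connector names taken from the definition above (uaADLDAP, myLDAP) so it can be run offline with Node. The sample user records are constructed, not real directory data. It also generalises the two-source script to an ordered list of any number of sources.

```javascript
// Added example: a plain-JavaScript model of the "preferred source first, fall
// back to secondary" precedence rule used in the scripted attribute definition.
// It is NOT the Shibboleth IdP scripting API (that works on BasicAttribute
// objects); plain arrays are used here so the logic can be exercised anywhere.

// Resolve one attribute from an ordered list of sources. Each source is
// { name, values } where values may be undefined or null when the connector
// returned nothing for the user. The first source with at least one value
// wins, and only its first value is used, mirroring getValues().get(0) in the
// IdP script. Returns { source, values }; values is [] when no source had a
// value, which is the case where the IdP releases nothing for the attribute.
function resolveWithPrecedence(sources) {
  for (const src of sources) {
    const vals = src.values;
    if (vals !== undefined && vals !== null && vals.length !== 0) {
      return { source: src.name, values: [vals[0]] };
    }
  }
  return { source: null, values: [] };
}

// For contrast: what a plain attribute definition that depends on both
// connectors with no precedence logic produces, i.e. the merged multi-valued
// result the original question described ("Smith;Smith Sr.").
function mergeAllSources(sources) {
  const out = [];
  for (const src of sources) {
    if (src.values) out.push(...src.values);
  }
  return out;
}

// Constructed sample: a user present in both directories with differing values.
const SAMPLE_USER = [
  { name: "uaADLDAP", values: ["Smith"] },     // AD, the preferred source
  { name: "myLDAP",   values: ["Smith Sr."] }, // Oracle/eDirectory, the fallback
];

// Constructed sample: a user not yet in AD (connector returned nothing).
const LEGACY_USER = [
  { name: "uaADLDAP", values: undefined },
  { name: "myLDAP",   values: ["Jones"] },
];

// Constructed sample: a user in neither directory; the attribute stays empty.
const UNKNOWN_USER = [
  { name: "uaADLDAP", values: [] },
  { name: "myLDAP",   values: null },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(mergeAllSources(SAMPLE_USER));        // [ 'Smith', 'Smith Sr.' ]
  console.log(resolveWithPrecedence(SAMPLE_USER));  // { source: 'uaADLDAP', values: [ 'Smith' ] }
  console.log(resolveWithPrecedence(LEGACY_USER));  // { source: 'myLDAP', values: [ 'Jones' ] }
  console.log(resolveWithPrecedence(UNKNOWN_USER)); // { source: null, values: [] }
}
```

The order of the `sources` array is the authoritative-source policy: once the migration completes, dropping the secondary entry from the array (or, in the IdP, removing that Dependency) is the only change needed, and the attribute is never released as a merged multi-valued result during the transition.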
On Fri, Apr 1, 2016 at 7:20 PM, Mr. Christopher Bland <chris at fdu.edu> wrote:
> Hi David,
>
> Your solution sounds like the best option during the migration since we
> are starting to create AD-only users. If you are willing to provide a
> sample attribute definition I would greatly appreciate it, as would anyone
> who looks at this thread in the future.
>
> -Chris
>
>
> On Mar 31, 2016, at 1:22 PM, IAM David Bantz <dabantz at alaska.edu> wrote:
>
> This isn't too hard to build in a scripted attribute - we do exactly this
> with MS AD and Oracle LDAP sources: map the attribute to the preferred
> source attribute if it exists, otherwise to the secondary source. (happy to
> provide our example if requested)
>
> David Bantz
> UA OIT IAM
>
> On Thu, Mar 31, 2016 at 5:50 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>
>> > My organization is in the process of moving to a new Directory Server. As
>> > such I have configured a DataConnector for each. What I have started to
>> > notice is that for a subset of users that have had information updated in
>> > the new system I am getting multivalued attributes for things like
>> > surname, e.g. Directory 1 has Surname=Smith, Directory 2 has
>> > Surname=Smith Sr. This would result in the attribute Surname=Smith;Smith Sr.
>> >
>> > Is there any way to say Directory 1 is authoritative for Surname since
>> > I cannot prevent both Directories from responding?
>>
>> Not without your own logic to do it. Generally you should have one
>> directory be a failover for the other, not access both.
>>
>> -- Scott
>>
>> --
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160404/42b4917f/attachment.html>