midpoint源码阅读九(使用示例:多租户用户管理五——示例配置文件分析)

上篇 midpoint源码阅读八(使用示例:多租户用户管理四——示例操作步骤) 介绍了如何使用该示例的配置文件将环境搭建好,本篇将通过分析其配置文件,说明系统中的组织、用户是如何关联创建的。

1、组织结构

官网对组织结构(Organizational Structure)的介绍地址:https://wiki.evolveum.com/display/midPoint/Organizational+Structure

<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
<!-- Org object "CUSTOMERS". Judging by the LDAP DNs used later in this sample
     (…,ou=customers,dc=example,dc=com) this is presumably the root org under which
     the per-customer orgs are placed; confirm against the rest of the sample.
     The icfs/t/c/q/ri prefixes are declared on this element but not used inside it. -->
<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
     oid="0271f2da-f77b-4a27-9a80-832f7f2f99e4"
     version="0">
   <!-- Unique identifier of the object inside midPoint (the org name) -->
   <name>CUSTOMERS</name>
   <!-- The org is enabled; enableTimestamp records when it was enabled (with explicit UTC offset) -->
   <activation>
      <effectiveStatus>enabled</effectiveStatus>
      <enableTimestamp>2016-02-05T10:22:40.341+01:00</enableTimestamp>
   </activation>
   <!-- Human-readable org name shown to users -->
   <displayName>Customers</displayName>
   <!-- Identifier of the org in the data source; used for synchronization -->
  <identifier>0001</identifier>
  <!-- Marks the purpose of the org (the value is free-form and chosen per business needs) -->
  <orgType>functional</orgType>
</org>
</objects>

2、数据字典

该数据字典定义了员工类型的可选值。

<lookupTable oid="5783c174-d141-11e4-bb29-001e8c717e5b"
   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
   xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
   xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
   xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
   xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
   xmlns:piracy='http://midpoint.evolveum.com/xml/ns/samples/piracy'>
    <!-- Lookup table for the employeeType property. The "customer-admin" key is the
         constant assigned by the CRM inbound mapping, and the value is later pushed
         to the LDAP employeeType attribute. Note the mixed ' and " attribute quoting
         above; both are legal but one style should be used consistently. -->
    <name>Employee Type</name>
    <row>
        <!-- Key: the stored value -->
        <key>customer-admin</key>
        <!-- Label: the text shown in the GUI -->
        <label>customer-admin</label>
    </row>
    <row>
        <key>customer-user</key>
        <label>customer-user</label>
    </row>
</lookupTable>

3、资源配置文件

连接器的配置可以参看官网手册:https://wiki.evolveum.com/display/midPoint/Resource+Configuration

①入站映射(inbound)(同步数据到midpoint)

我们来看看 crm-simulation-sync.xml 文件,学习 midpoint 中资源的配置。该文件说明了如何将数据源中的数据同步到 midpoint 中。

<c:resource oid="b2911718-cbe3-11e5-b1ea-3c970e44b9e2">
    <!-- Resource "CRM Simulation": a CSV file read through the CSVFile connector.
         NOTE: this excerpt omits the xmlns declarations of the original file; the
         c:, q:, icfc:, icfs: and ri: prefixes used below are not declared here. -->
    <!-- Resource name -->
    <c:name>CRM Simulation</c:name>
    <!-- Reference to the CSV file connector. This is a dynamic reference resolved by
         searching for a connector whose connectorType equals the class name below. -->
    <connectorRef type="ConnectorType">
        <filter>
            <q:equal>
                <q:path>c:connectorType</q:path>
                <q:value>com.evolveum.polygon.csvfile.CSVFileConnector</q:value>
            </q:equal>
        </filter>
    </connectorRef>
    <!-- Connector configuration -->
    <c:connectorConfiguration>
        <icfc:configurationProperties
                xmlns:icfccsvfile="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-csvfile/com.evolveum.polygon.csvfile.CSVFileConnector">
            <!-- Absolute Windows path from the author's machine (note the doubled slashes).
                 Adjust to the location of the sample CSV in your deployment; the midPoint
                 process must be able to read this file. -->
            <icfccsvfile:filePath>C://ProjectIntelljIdea//midpoint//samples//stories//multitenant-idm-saas//misc//midpoint-crm-flatfile.csv</icfccsvfile:filePath>
            <icfccsvfile:encoding>utf-8</icfccsvfile:encoding>
            <!-- CSV dialect: values quoted with ", fields separated by ",", multi-values by ";" (multi-value disabled) -->
            <icfccsvfile:valueQualifier>"</icfccsvfile:valueQualifier>
            <icfccsvfile:fieldDelimiter>,</icfccsvfile:fieldDelimiter>
            <icfccsvfile:multivalueDelimiter>;</icfccsvfile:multivalueDelimiter>
            <icfccsvfile:usingMultivalue>false</icfccsvfile:usingMultivalue>
            <!-- The "name" column uniquely identifies a row -->
            <icfccsvfile:uniqueAttribute>name</icfccsvfile:uniqueAttribute>
        </icfc:configurationProperties>
    </c:connectorConfiguration>

    <!-- Resource Schema Handling definition.
         Documentation: https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling
         This part defines how the resource is used by midPoint and customizes the
         attributes of the entries it can read. The attributes are used for inbound
         (how data from the source is stored in midPoint) and outbound (how midPoint
         data is synchronized to the source) mappings.
    -->
    <schemaHandling>
        <!-- Definition of the data in the source; tells midPoint how to synchronize it -->
        <objectType>
            <displayName>Default Account</displayName>
            <default>true</default>
            <!-- Object class: the type as it exists in the source (usually not defined in midPoint);
                 used on outbound so the source knows how to handle the data -->
            <objectClass>ri:AccountObjectClass</objectClass>
            <attribute>
                <ref>icfs:uid</ref>
                <displayName>Entry UUID</displayName>
                <!-- Access limitations for this attribute: read-only -->
                <limitations>
                    <access>
                        <read>true</read>
                    </access>
                </limitations>
            </attribute>
            <attribute>
                <ref>icfs:name</ref>
                <displayName>Name</displayName>
                <!-- Read-only and optional: midPoint never writes the CSV name column -->
                <limitations>
                    <minOccurs>0</minOccurs>
                    <access>
                        <read>true</read>
                        <add>false</add>
                        <modify>false</modify>
                    </access>
                </limitations>
                <!-- On sync into midPoint, the record's name attribute becomes the UserType name -->
                <inbound>
                    <target>
                        <path>$user/name</path>
                    </target>
                </inbound>
                <!-- On sync into midPoint, the UserType employeeType is also set to customer-admin.
                     This is a constant value with no condition, so every account synced from
                     this CSV ends up with employeeType = customer-admin. -->
                <inbound>
                    <expression>
                        <value>customer-admin</value>
                    </expression>
                    <target>
                        <path>$user/employeeType</path>
                    </target>
                </inbound>
            </attribute>
            ........
            <!-- The following three CSV columns feed the user's organizationalUnit,
                 organization and emailAddress; all are read-only on the CSV side -->
            <attribute>
                <ref>ri:customerName</ref>
                <displayName>Customer Name (Organization)</displayName>
                <description>Definition of customerName attribute handling.</description>
                <limitations>
                    <access>
                        <read>true</read>
                        <add>false</add>
                        <modify>false</modify>
                    </access>
                </limitations>
                <inbound>
                    <target>
                        <path>$user/organizationalUnit</path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <ref>ri:customerDisplayName</ref>
                <displayName>Customer Display Name (Organization)</displayName>
                <description>Definition of customerDisplayName attribute handling.</description>
                <limitations>
                    <access>
                        <read>true</read>
                        <add>false</add>
                        <modify>false</modify>
                    </access>
                </limitations>
                <inbound>
                    <target>
                        <path>$user/organization</path>
                    </target>
                </inbound>
            </attribute>
            <attribute>
                <ref>ri:customerContact</ref>
                <displayName>Customer Contact (Email)</displayName>
                <description>Definition of customerContact attribute handling.</description>
                <limitations>
                    <access>
                        <read>true</read>
                        <add>false</add>
                        <modify>false</modify>
                    </access>
                </limitations>
                <inbound>
                    <target>
                        <path>$user/emailAddress</path>
                    </target>
                </inbound>
            </attribute>

            <!-- Account activation status is propagated into midPoint (see the
                 simulated activation capability below) -->
            <activation>
                <administrativeStatus>
                    <inbound/>
                </administrativeStatus>
            </activation>
            <!-- Password: the CSV carries none, so a random password is generated for the user.
                 Strength "weak" means (per midPoint mapping semantics) it is applied only when
                 the user has no password yet; confirm against the midPoint mapping docs. -->
            <credentials>
                <password>
                    <inbound>
                        <strength>weak</strength>
                        <expression>
                            <generate/>
                        </expression>
                    </inbound>
                </password>
            </credentials>
        </objectType>
    </schemaHandling>
    <!-- Defines which operations midPoint may perform on this resource -->
    <capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
        <configured>
            <!-- Activation is simulated through the ri:disabled column:
                 "false" = enabled, "true" = disabled -->
            <cap:activation>
                <cap:status>
                    <cap:attribute>ri:disabled</cap:attribute>
                    <cap:enableValue>false</cap:enableValue>
                    <cap:disableValue>true</cap:disableValue>
                </cap:status>
            </cap:activation>
            <!-- Delete is disabled: midPoint never removes rows from the CSV -->
            <cap:delete>
                <cap:enabled>false</cap:enabled>
            </cap:delete>
        </configured>
    </capabilities>
    <!-- Synchronization: how CSV rows are matched to midPoint users and what happens per situation -->
    <synchronization>
        <objectSynchronization>
            <enabled>true</enabled>

            <!-- Correlation: user name equals the account's icfs:name attribute -->
            <correlation>
                <q:description>
                    Correlation expression is a search query.
                    Following search query will look for users that have "name"
                    equal to the "name" attribute of the account. Simply speaking,
                    it will look for match in usernames in the IDM and the resource.
                    The correlation rule always looks for users, so it will not match
                    any other object type.
                </q:description>
                <q:equal>
                    <q:path>c:name</q:path>
                    <expression>
                        <path>
                            declare namespace icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3";
                            $account/attributes/icfs:name
                        </path>
                    </expression>
                </q:equal>
            </correlation>
            <!-- Reactions per situation: linked -> modify user, deleted -> unlink (user kept),
                 unlinked -> link, unmatched -> add user. The last one means any CSV row
                 without a matching user creates a new midPoint user, and with the
                 employeeType mapping above that user is a customer-admin. -->
            <reaction>
                <situation>linked</situation>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#modifyUser</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>deleted</situation>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlinkAccount</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unlinked</situation>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#linkAccount</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unmatched</situation>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
                </action>
            </reaction>
        </objectSynchronization>
    </synchronization>
</c:resource>

该资源定义,官网给出的整体图如下:
整体

②出站映射(outbound)(从midpoint同步数据到数据源)

下面来看看 openldap-customers.xml 文件,该文件说明的是如何把 midpoint 中的数据创建到 openldap 中。

<resource oid="40be7fa0-cbec-11e5-926a-3c970e44b9e2">
    <!-- Resource name. It will be displayed in GUI.  -->
    <name>OpenLDAP for Customers</name>
    <description>
        LDAP resource using a ConnId LDAP connector. It contains configuration
        for use with OpenLDAP servers.
    </description>
    <!-- Dynamic reference to the LDAP connector, resolved by connectorType class name.
         The q: and c: prefixes are used here without a visible declaration; the
         declarations presumably sit on the root element omitted from this excerpt. -->
    <connectorRef type="ConnectorType">
        <description>
            Reference to the OpenICF LDAP connector. This is dynamic reference, it will be translated to
            OID during import.
        </description>
        <filter>
            <q:equal>
        <q:path>c:connectorType</q:path>
        <q:value>com.evolveum.polygon.connector.ldap.LdapConnector</q:value>
            </q:equal>
        </filter>
    </connectorRef>
   <connectorConfiguration 
        xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
        xmlns:icfcldap="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector">
        <icfc:configurationProperties>
            <!-- Plain LDAP port and no connection-security property in this snippet, so the
                 bind below (including its password) travels unencrypted unless the server or
                 network enforces TLS. For anything beyond a lab, use LDAPS or StartTLS via the
                 connector's connectionSecurity property (NOTE(review): confirm the exact
                 property name and values for this connector version). -->
            <icfcldap:port>389</icfcldap:port>
            <icfcldap:host>xap.com</icfcldap:host>
            <!-- Everything this resource manages lives under ou=customers -->
            <icfcldap:baseContext>ou=customers,dc=example,dc=com</icfcldap:baseContext>
            <!-- midPoint binds as the directory administrator. A dedicated service account
                 whose rights are limited to ou=customers would follow least privilege. -->
            <icfcldap:bindDn>cn=admin,dc=example,dc=com</icfcldap:bindDn>
            <!-- Bind password stored as cleartext t:clearValue in this file (sample value).
                 Treat the file as a secret: keep it out of version control and restrict read
                 access. midPoint is expected to keep the protected string encrypted after
                 import (t:encryptedData), but the source file itself stays readable. -->
            <icfcldap:bindPassword><t:clearValue>zhl</t:clearValue></icfcldap:bindPassword>
            <icfcldap:pagingStrategy>auto</icfcldap:pagingStrategy>
            <!-- Passwords written to LDAP are hashed with SSHA by the connector rather than
                 stored in clear; relevant to the account password outbound mapping (asIs). -->
            <icfcldap:passwordHashAlgorithm>SSHA</icfcldap:passwordHashAlgorithm>
            <!-- VLV (virtual list view) paging sorted by uid; 2.5.13.3 is the
                 caseIgnoreOrderingMatch matching rule OID -->
            <icfcldap:vlvSortAttribute>uid</icfcldap:vlvSortAttribute>
            <icfcldap:vlvSortOrderingRule>2.5.13.3</icfcldap:vlvSortOrderingRule>
            <!-- Operational attributes must be requested explicitly; LDAP servers do not
                 return them by default -->
            <icfcldap:operationalAttributes>memberOf</icfcldap:operationalAttributes>
            <icfcldap:operationalAttributes>createTimestamp</icfcldap:operationalAttributes>
        </icfc:configurationProperties>
        <!-- All three ConnId client-side result handlers are switched off; filtering,
             normalization and attribute selection are left to the LDAP server -->
        <icfc:resultsHandlerConfiguration>
            <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
            <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
            <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
        </icfc:resultsHandlerConfiguration>
    </connectorConfiguration>
  <schema>
    <!-- Restrict the generated resource schema to the four OpenLDAP object classes
         this sample uses (accounts, two group flavours, organizational units) -->
      <generationConstraints>
          <generateObjectClass>ri:inetOrgPerson</generateObjectClass>
          <generateObjectClass>ri:groupOfUniqueNames</generateObjectClass>
          <generateObjectClass>ri:groupOfNames</generateObjectClass>
          <generateObjectClass>ri:organizationalUnit</generateObjectClass>
      </generationConstraints>
  </schema>
    <schemaHandling>
        <!-- Maps midPoint users to OpenLDAP accounts (inetOrgPerson entries under ou=customers) -->
        <objectType>
            <kind>account</kind>
            <displayName>Normal Account</displayName>
            <default>true</default>
            <!-- OpenLDAP object class of the account entry -->
            <objectClass>ri:inetOrgPerson</objectClass>
            <attribute>
                <ref>ri:dn</ref>
                <displayName>Distinguished Name</displayName>
                <limitations>
                    <minOccurs>0</minOccurs>
                    <access>
                        <read>true</read>
                        <add>true</add>
                        <modify>true</modify>
                    </access>
                </limitations>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <!-- Outbound from midPoint to OpenLDAP: the entry DN is built as
                     'uid=' + name + ',ou=' + organizationalUnit + ',ou=customers,dc=example,dc=com'.
                     Both inputs originate from CSV columns (see the CRM resource) and are
                     concatenated without DN escaping: a value containing RDN special
                     characters (comma, plus, equals, quote, backslash, angle brackets,
                     semicolon) yields an invalid DN or places the entry under a different
                     OU. Validating or escaping these values (RFC 4514) before building the
                     DN is advisable. -->
                <outbound>
                    <source>
                        <path>$user/name</path>
                    </source>
                    <source>
                        <path>$user/organizationalUnit</path>
                    </source>
                    <expression>
                        <script>
                            <code>
                                'uid=' + name + ',ou=' + organizationalUnit + ',ou=customers,dc=example,dc=com'
                            </code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <!-- entryUUID is server-assigned: readable, never set on create -->
            <attribute>
                <ref>ri:entryUUID</ref>
                <displayName>Entry UUID</displayName>
                <limitations>
                    <access>
                        <read>true</read>
                        <add>false</add>
                        <modify>true</modify>
                    </access>
                </limitations>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
            </attribute>
            <attribute>
                <ref>ri:cn</ref>
                <displayName>Common Name</displayName>
                <limitations>
                    <minOccurs>0</minOccurs>
                    <access>
                        <read>true</read>
                        <add>true</add>
                        <modify>true</modify>
                    </access>
                </limitations>
                <!-- cn = user's fullName -->
                <outbound>
                    <source>
                        <path>$user/fullName</path>
                    </source>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:sn</ref>
                <displayName>Surname</displayName>
                <limitations>
                    <minOccurs>0</minOccurs>
                </limitations>
                <outbound>
                    <source>
                        <!-- The path can be shortened like this. $user is a default source "context" in outbound -->
                        <path>familyName</path>
                    </source>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:givenName</ref>
            <displayName>Given Name</displayName>
            <outbound>
                <source>
                    <!-- Full namespace prefixes can be used in the path -->
                    <path>$c:user/c:givenName</path>
                </source>
            </outbound>
        </attribute>
        <attribute>
            <ref>ri:uid</ref>
            <displayName>Login Name</displayName>
            <matchingRule>mr:stringIgnoreCase</matchingRule>
            <!-- uid = user name; weak, so an existing uid on the entry is not overwritten
                 (per midPoint mapping semantics). This is also the correlation attribute
                 used by the synchronization section below. -->
            <outbound>
                <strength>weak</strength>
                <source>
                    <description>Source may have description</description>
                    <path>$user/name</path>
                </source>
                <expression>
                    <script>
                        <code>name</code>
                    </script>
                </expression>
            </outbound>
        </attribute>
        <attribute>
            <ref>ri:description</ref>
            <outbound>
                <source>
                    <path>$user/description</path>
                </source>
            </outbound>
        </attribute>
        <attribute>
            <ref>ri:l</ref>
            <displayName>Location</displayName>
            <outbound>
                <source>
                    <path>$user/locality</path>
                </source>
            </outbound>
        </attribute>
        <attribute>
            <ref>ri:employeeType</ref>
            <displayName>Employee Type</displayName>
            <!-- Non-tolerant: values on the LDAP entry that this mapping does not produce are
                 removed, so employeeType is fully controlled from midPoint (confirm against
                 the midPoint tolerance docs). The source values come from the lookup table. -->
            <tolerant>false</tolerant>
            <outbound>
                <source>
                    <path>$user/employeeType</path>
                </source>
            </outbound>
        </attribute>

        <!-- Group membership association: the group entry (object) holds the account DN in
             its member attribute (objectToSubject). Membership can be expressed against any
             of the listed entitlement intents. -->
        <association>
            <ref>ri:group</ref>
            <displayName>LDAP Group Membership</displayName>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <intent>group-org-admin</intent>
            <intent>group-org-user</intent>
            <intent>group-org-poweruser</intent>
            <intent>group-custom</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:member</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
            <!-- midPoint maintains the member references itself rather than relying on the
                 directory to do so (NOTE(review): confirm the exact semantics) -->
            <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
        </association>

        <!-- Bound on iteration attempts when resolving conflicts (e.g. a colliding identifier) -->
        <iteration>
            <maxIterations>5</maxIterations>
        </iteration>

        <!-- Protected account: the IDM administrator entry is excluded from midPoint
             management, so it is never modified, deleted or synchronized by midPoint.
             DN comparison is case-insensitive. -->
        <protected>
        <filter>
            <q:equal>
                <q:matching>http://prism.evolveum.com/xml/ns/public/matching-rule-3#stringIgnoreCase</q:matching>
                <q:path>attributes/ri:dn</q:path>
                <q:value>cn=idm,ou=Administrators,dc=example,dc=com</q:value>
            </q:equal>
        </filter>
        </protected>

        <!-- User activation status is pushed to the LDAP entry -->
        <activation>
    <administrativeStatus>
        <outbound/>
    </administrativeStatus>
    </activation>

    <!-- The user's password is pushed unchanged (asIs); the connector hashes it with SSHA
         as configured in connectorConfiguration before it reaches the directory -->
    <credentials>
    <password>
        <outbound>
        <expression>
            <asIs/>
        </expression>
        </outbound>
    </password>
    </credentials>

    </objectType>
        <!-- Maps midPoint org objects to OpenLDAP organizational units (one OU per customer) -->
        <objectType>
            <kind>generic</kind>
            <intent>ou-customer</intent>
            <displayName>Customer Organizational Unit</displayName>
            <default>true</default>
            <!-- OpenLDAP object class of the OU entry -->
            <objectClass>ri:organizationalUnit</objectClass>
            <attribute>
                <ref>ri:dn</ref>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <!-- DN = 'ou=' + org name + ',ou=customers,dc=example,dc=com'. The org name is
                     concatenated without DN escaping; names containing RDN special characters
                     would produce an invalid or misplaced DN (see the account DN mapping). -->
                <outbound>
                    <!-- Name cannot be weak. Changes in name trigger object rename. -->
                    <source>
                        <path>$focus/name</path>
                    </source>
                        <expression>
                            <script>
                            <code>
                            return 'ou=' + name + ',ou=customers,dc=example,dc=com'
                            </code>
                        </script>
                        </expression>
                </outbound>
            </attribute>
            <!-- ou attribute = org name; weak, so an existing value is kept -->
            <attribute>
                <ref>ri:ou</ref>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <strength>weak</strength>
                    <source>
                        <path>$focus/name</path>
                    </source>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:description</ref>
                <outbound>
                    <source>
                        <path>description</path>
                    </source>
                </outbound>
            </attribute>
        </objectType>
        <!-- Generic LDAP group (groupOfNames); default entitlement type of this resource -->
        <objectType>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <displayName>LDAP Group</displayName>   
            <default>true</default>
            <!-- OpenLDAP object class of the group entry -->
            <objectClass>ri:groupOfNames</objectClass>
            <!-- member holds DNs; "minimal" fetch strategy avoids reading the potentially
                 large member list unless it is actually needed -->
            <attribute>
                <ref>ri:member</ref>
                <matchingRule>mr:distinguishedName</matchingRule>
                <fetchStrategy>minimal</fetchStrategy>
            </attribute>            
            <!-- Paged search sorted by uid. The cap: prefix is used here without a visible
                 declaration; presumably declared on the root element omitted from this excerpt. -->
            <configuredCapabilities>
                <cap:pagedSearch>
                    <cap:defaultSortField>ri:uid</cap:defaultSortField>
                </cap:pagedSearch>
            </configuredCapabilities>
        </objectType>
        <!-- Per-customer "powerusers" group: cn=NAME-powerusers inside the customer's OU.
             The group-org-user and group-org-admin types below are identical except for
             the name suffix. -->
        <objectType>
            <kind>entitlement</kind>
            <intent>group-org-poweruser</intent>
            <displayName>LDAP Group - Power Users</displayName>
            <objectClass>ri:groupOfNames</objectClass>
            <attribute>
                <ref>ri:dn</ref>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <!-- DN = 'cn=' + name + '-powerusers,ou=' + name + ',ou=customers,dc=example,dc=com';
                     name is the org name, concatenated without DN escaping -->
                <outbound>
                    <!-- Name cannot be weak. Changes in name trigger object rename. -->
                    <source>
                        <path>$focus/name</path>
                    </source>
                        <expression>
                            <script>
                            <code>
                            return 'cn=' + name + '-powerusers,ou=' + name + ',ou=customers,dc=example,dc=com'
                            </code>
                        </script>
                        </expression>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:member</ref>
                <matchingRule>mr:distinguishedName</matchingRule>
                <fetchStrategy>minimal</fetchStrategy>
                <outbound>
                    <strength>strong</strength>
                    <!-- Workaround - groupOfNames MUST have at least one member. Even non-existent DN. -->
                    <expression>
                        <value>cn=dummy,o=whatever</value>
                    </expression>
                </outbound>
            </attribute>            
            <!-- cn = org name + '-powerusers'; weak, so an existing cn is kept -->
            <attribute>
                <ref>ri:cn</ref>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <strength>weak</strength>
                    <source>
                        <path>$focus/name</path>
                    </source>
                    <expression>
                        <script>
                            <code>return name + '-powerusers'</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:description</ref>
                <outbound>
                    <source>
                        <path>description</path>
                    </source>
                </outbound>
            </attribute>
            <!-- The customer OU (ou-customer) must exist before this group can be created
                 under it; "relaxed" tolerates a missing dependency rather than failing
                 (NOTE(review): confirm the strictness semantics in the midPoint docs) -->
            <dependency>
                <kind>generic</kind>
                <intent>ou-customer</intent>
                <strictness>relaxed</strictness>
            </dependency>
            <configuredCapabilities>
                <cap:pagedSearch>
                    <cap:defaultSortField>ri:uid</cap:defaultSortField>
                </cap:pagedSearch>
            </configuredCapabilities>
        </objectType>
        <!-- Per-customer "users" group: cn=NAME-users inside the customer's OU
             (same structure as the powerusers group, different suffix) -->
        <objectType>
            <kind>entitlement</kind>
            <intent>group-org-user</intent>
            <displayName>LDAP Group - Users</displayName>
            <objectClass>ri:groupOfNames</objectClass>

            <attribute>
                <ref>ri:dn</ref>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <!-- DN = 'cn=' + name + '-users,ou=' + name + ',ou=customers,dc=example,dc=com';
                     name is the org name, concatenated without DN escaping -->
                <outbound>
                    <!-- Name cannot be weak. Changes in name trigger object rename. -->
                    <source>
                        <path>$focus/name</path>
                    </source>
                        <expression>
                            <script>
                            <code>
                            return 'cn=' + name + '-users,ou=' + name + ',ou=customers,dc=example,dc=com'
                            </code>
                        </script>
                        </expression>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:member</ref>
                <matchingRule>mr:distinguishedName</matchingRule>
                <fetchStrategy>minimal</fetchStrategy>
                <outbound>
                    <strength>strong</strength>
                    <!-- Workaround - groupOfNames MUST have at least one member. Even non-existent DN. -->
                    <expression>
                        <value>cn=dummy,o=whatever</value>
                    </expression>
                </outbound>
            </attribute>            
            <!-- cn = org name + '-users'; weak, so an existing cn is kept -->
            <attribute>
                <ref>ri:cn</ref>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <strength>weak</strength>
                    <source>
                        <path>$focus/name</path>
                    </source>
                    <expression>
                        <script>
                            <code>return name + '-users'</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:description</ref>
                <outbound>
                    <source>
                        <path>description</path>
                    </source>
                </outbound>
            </attribute>
            <!-- Depends on the customer OU existing first; relaxed strictness -->
            <dependency>
                <kind>generic</kind>
                <intent>ou-customer</intent>
                <strictness>relaxed</strictness>
            </dependency>
            <configuredCapabilities>
                <cap:pagedSearch>
                    <cap:defaultSortField>ri:uid</cap:defaultSortField>
                </cap:pagedSearch>
            </configuredCapabilities>
        </objectType>
        <!-- Per-customer "admins" group: cn=NAME-admins inside the customer's OU
             (same structure as the powerusers group, different suffix) -->
        <objectType>
            <kind>entitlement</kind>
            <intent>group-org-admin</intent>
            <displayName>LDAP Group - Admin</displayName>
            <objectClass>ri:groupOfNames</objectClass>

            <attribute>
                <ref>ri:dn</ref>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <!-- DN = 'cn=' + name + '-admins,ou=' + name + ',ou=customers,dc=example,dc=com';
                     name is the org name, concatenated without DN escaping -->
                <outbound>
                    <!-- Name cannot be weak. Changes in name trigger object rename. -->
                    <source>
                        <path>$focus/name</path>
                    </source>
                        <expression>
                            <script>
                            <code>
                            return 'cn=' + name + '-admins,ou=' + name + ',ou=customers,dc=example,dc=com'
                            </code>
                        </script>
                        </expression>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:member</ref>
                <matchingRule>mr:distinguishedName</matchingRule>
                <fetchStrategy>minimal</fetchStrategy>
                <outbound>
                    <strength>strong</strength>
                    <!-- Workaround - groupOfNames MUST have at least one member. Even non-existent DN. -->
                    <expression>
                        <value>cn=dummy,o=whatever</value>
                    </expression>
                </outbound>
            </attribute>            
            <!-- cn = org name + '-admins'; weak, so an existing cn is kept -->
            <attribute>
                <ref>ri:cn</ref>
                <matchingRule>mr:stringIgnoreCase</matchingRule>
                <outbound>
                    <strength>weak</strength>
                    <source>
                        <path>$focus/name</path>
                    </source>
                    <expression>
                        <script>
                            <code>return name + '-admins'</code>
                        </script>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <ref>ri:description</ref>
                <outbound>
                    <source>
                        <path>description</path>
                    </source>
                </outbound>
            </attribute>
            <!-- Depends on the customer OU existing first; relaxed strictness -->
            <dependency>
                <kind>generic</kind>
                <intent>ou-customer</intent>
                <strictness>relaxed</strictness>
            </dependency>
            <configuredCapabilities>
                <cap:pagedSearch>
                    <cap:defaultSortField>ri:uid</cap:defaultSortField>
                </cap:pagedSearch>
            </configuredCapabilities>
        </objectType>
    </schemaHandling>

    <!-- Do not add an attribute value that the resource entry already has
         (avoids duplicate-value errors from the directory) -->
    <consistency>
        <avoidDuplicateValues>true</avoidDuplicateValues>
    </consistency>

    <!-- 同步部分 说的是 同步策略、时间、行为及设置 -->
    <synchronization>
        <objectSynchronization>
            <!-- Account synchronization. No objectClass/kind/intent is given here, so
                 presumably it applies to the default account type; confirm. -->
            <enabled>true</enabled>
            <!-- Correlation: user name equals the account's uid attribute -->
            <correlation>
                <q:description>
                    Correlation expression is a search query.
                    Following search query will look for users that have "name"
                    equal to the "uid" attribute of the account. Simply speaking,
                    it will look for match in usernames in the IDM and the resource.
                    The correlation rule always looks for users, so it will not match
                    any other object type.
                </q:description>
                <q:equal>
                    <q:path>name</q:path>
                    <expression>
                        <path>
                            declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
                            $account/attributes/ri:uid
                        </path>
                    </expression>
                </q:equal>
            </correlation>
            <!-- Reactions: linked -> synchronize; deleted -> unlink (the user is kept);
                 unlinked -> link; unmatched -> no action at all, so LDAP accounts without
                 a matching user are left alone and never become midPoint users. This is
                 the opposite of the CRM resource, where unmatched rows trigger addUser. -->
            <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
            </reaction>
            <reaction>
                <situation>deleted</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unlinked</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unmatched</situation>
            </reaction>
        </objectSynchronization>
        <objectSynchronization>
            <objectClass>ri:organizationalUnit</objectClass>
            <kind>generic</kind>
            <intent>ou-customer</intent>
            <focusType>c:OrgType</focusType>
            <enabled>true</enabled>
            <condition>
                <script>
                    <code>
                        import static com.evolveum.midpoint.schema.constants.SchemaConstants.*
                        tmpSuffix = '(?i)^ou=.*,ou=customers,dc=example,dc=com$'
                        re = ~tmpSuffix
                        basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'dn') ==~ re
                   </code>
                </script>
            </condition>
            <correlation>
                <q:equal>
                    <q:matching>polyStringNorm</q:matching>
                    <q:path>c:name</q:path>
                    <expression>
                        <path>
                            declare namespace ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3";
                            $shadow/attributes/ri:ou
                        </path>
                    </expression>
                </q:equal>
            </correlation>
            <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
            </reaction>
            <reaction>
                <situation>deleted</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unlinked</situation>
                <synchronize>true</synchronize>
                <action>
                  <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unmatched</situation>
            </reaction>
        </objectSynchronization>
        .......
        <objectSynchronization>
                <objectClass>ri:groupOfNames</objectClass>
                <kind>entitlement</kind>
                <intent>group-org-admin</intent>
                <focusType>c:OrgType</focusType>
            <enabled>true</enabled>

                <condition>
                    <script>
                        <code>
                            import static com.evolveum.midpoint.schema.constants.SchemaConstants.*
                            tmpSuffix = '(?i)^cn=.*-admins,ou=.*,ou=customers,dc=example,dc=com$'
                            re = ~tmpSuffix
                            basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'dn') ==~ re
                       </code>
                    </script>
            </condition>
            <correlation>
                <q:equal>
                    <q:matching>polyStringNorm</q:matching>
                    <q:path>c:name</q:path>
                    <expression>
                        <script>
                            <code>
                                tmpCn = basic.getAttributeValue(shadow, 'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'cn')
                                re = /(?i)^(.*)-admins$/
                                matcher = (tmpCn =~ re)
                                if (matcher.matches()) return matcher[0][1]
                            </code>
                        </script>
                    </expression>
                </q:equal>
            </correlation>
            <reaction>
                <situation>linked</situation>
                <synchronize>true</synchronize>
            </reaction>
            <reaction>
                <situation>deleted</situation>
                <synchronize>true</synchronize>
                <action>
                    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
                </action>
            </reaction>

            <reaction>
                <situation>unlinked</situation>
                <synchronize>true</synchronize>
                <action>
                  <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
                </action>
            </reaction>
            <reaction>
                <situation>unmatched</situation>
            </reaction>
        </objectSynchronization>
    </synchronization>
</resource>

4、对象模板

对象模板用于在midpoint中创建对应类型的对象时,自动处理好该对象的附加属性。

① 用户对象模板

下面是用户对象模板object-user-template.xml配置文件的解读。该示例在创建用户时,会根据该模板补齐用户的fullName(若该用户所属的组织尚未创建,则先创建该组织),同时根据employeeType属性给该用户赋予对应的角色。

<objectTemplate oid="e63e1118-cbe5-11e5-b08e-3c970e44b9e2"
   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
   xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
   xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
   xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
   xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
   xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>User Template</name>
    <!-- employeeType is restricted to the values of the "Employee Type" lookup table
         (customer-admin / customer-user). This single property drives the org:manager
         relation and the admin role assignment further down, so it is effectively a
         privilege attribute: whoever may modify it controls who administers the org. -->
    <item>
        <ref>employeeType</ref>
        <valueEnumerationRef oid="5783c174-d141-11e4-bb29-001e8c717e5b"/>
    </item>
    <!-- crm-simulation-sync.xml maps the source attribute ri:customerDisplayName to organization -->
    <item>
        <ref>organization</ref>
    </item>
    <!-- crm-simulation-sync.xml maps the source attribute ri:customerName to organizationalUnit -->
    <item>
        <ref>organizationalUnit</ref>
    </item>
    <!-- How fullName is filled in: givenName + familyName. -->
    <mapping>
        <name>Fullname</name>
        <authoritative>true</authoritative>
        <strength>strong</strength>
        <source>
            <path>givenName</path>
        </source>
        <source>
            <path>familyName</path>
        </source>
        <expression>
            <script>
                <code>basic.concatName(givenName, familyName)</code>
            </script>
        </expression>
        <target>
            <path>fullName</path>
        </target>
    </mapping>
    <!-- Using the user's organization and organizationalUnit values, make the user a member
        of an Org; when no such Org exists it is created on demand. When users are imported
        from CSV no Org exists yet, so this mapping builds an org structure like the following:
        user record:
        name,           givenName,  familyName,     customerName,       customerDisplayName,        customerContact,                disabled
        "ultraone-admin","Perry",   "Houser",       "ultra1",           "Ultra One Cloud Inc.",     "[email protected]",   "false" 
        <org>
            <name>organizationalUnit -> ultra1</name>
            <displayName>organization -> Ultra One Cloud Inc.</displayName>
            <orgType>customer</orgType>
        </org>
    -->
    <mapping>
        <name>Org mapping - organization member</name>
        <description>
            Look for appropriate Org objects by using the user's organizationalUnit property
            as the name of the org object. When no such object is found we want to create it on
            demand. We want to populate new Org object with a name and displayName derived from
            the user.
        </description>
        <authoritative>true</authoritative>
        <strength>strong</strength>
        <source>
            <path>organization</path>
        </source>
        <source>
            <path>organizationalUnit</path>
        </source>
        <expression>
            <!-- If no OrgType object has a name equal to organizationalUnit, create the Org
            (Organizational Structure) with name=organizationalUnit='ultra1',
            displayName=organization='Ultra One Cloud Inc.', orgType='customer'.
            Because the Org is keyed purely on the organizationalUnit string supplied with the
            user, a user record carrying another tenant's customerName lands in that tenant's
            Org - the source feed is trusted for tenant membership. -->
            <assignmentTargetSearch>
                <!-- c:OrgType is the Organizational Structure object type -->
                <targetType>c:OrgType</targetType>
                <filter>
                    <q:equal>
                        <q:path>c:name</q:path>
                        <expression>
                            <script>
                                <code>
                                log.info("XXXXXX USER TEMPLATE assignmentTargetSearch, organizationalUnit {}", organizationalUnit);
                                return organizationalUnit
                                </code>
                            </script>
                        </expression>
                    </q:equal>
                </filter>
                <createOnDemand>true</createOnDemand>
                <populateObject>
                    <populateItem>
                        <expression>
                            <script>
                                <code>
                                log.info("XXXXXX USER TEMPLATE populate item organizationalUnit {}", organizationalUnit);
                                return organizationalUnit
                                </code>
                            </script>
                        </expression>
                        <target>
                            <path>name</path>
                        </target>
                    </populateItem>
                    <populateItem>
                        <expression>
                            <script>
                                <code>
                                log.info("XXXXXX USER TEMPLATE populate item organization {}", organization);
                                return organization
                                </code>
                            </script>
                        </expression>
                        <target>
                            <path>displayName</path>
                        </target>
                    </populateItem>
                    <populateItem>
                        <expression>
                            <value>customer</value>
                        </expression>
                        <!-- orgType here is the orgType property of the Organizational Structure object -->
                        <target>
                            <path>orgType</path>
                        </target>
                    </populateItem>
                </populateObject>
            </assignmentTargetSearch>       
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </mapping>

    <!-- Same Org lookup as above, but the assignment carries relation org:manager and is only
         produced when employeeType == 'customer-admin' (see the condition at the end). The
         org:manager relation is what the delegated-administration authorizations key on, so
         this condition is the point where a plain user becomes an administrator of the org. -->
    <mapping>
        <name>Org mapping - organization manager</name>
        <description>
            Look for appropriate Org objects by using the user's organizationalUnit property
            as the name of the org object. When no such object is found we want to create it on
            demand. We want to populate new Org object with a name and displayName derived from
            the user.
        </description>
        <authoritative>true</authoritative>
        <strength>strong</strength>
        <source>
            <path>organization</path>
        </source>
        <source>
            <path>organizationalUnit</path>
        </source>
        <source>
            <path>employeeType</path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:OrgType</targetType>
                <filter>
                <q:equal>
                    <q:path>c:name</q:path>
                    <expression>
                        <script>
                            <code>
                            log.info("XXXXXX USER TEMPLATE assignmentTargetSearch, organizationalUnit {}", organizationalUnit);
                            return organizationalUnit
                            </code>
                        </script>
                    </expression>
                </q:equal>
            </filter>
            <!-- No createOnDemand here: the member mapping above is expected to have created
                 the Org already - presumably both mappings are evaluated in the same run. -->
            <relation>org:manager</relation>
            </assignmentTargetSearch>       
        </expression>
        <target>
            <path>assignment</path>
        </target>
        <condition>
            <script>
                <code>employeeType == 'customer-admin'</code>
            </script>
        </condition>
    </mapping>
    <!-- Assign the customer-admin role to the user. The role (oid 3410a44a-...) is not shown
         in this listing. employeeType is the only input to the condition, so the assignment
         follows that property wherever it is set from (CSV feed or GUI edit). -->
    <mapping>
        <name>Basic Customer Admin role assignment</name>
        <strength>strong</strength>
        <source>
            <path>$user/employeeType</path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:RoleType</targetType>
                <oid>3410a44a-cc00-11e5-bc03-3c970e44b9e2</oid>
            </assignmentTargetSearch>       
        </expression>
        <target>
            <path>assignment</path>
        </target>
    <condition>
        <script>
            <code>employeeType == 'customer-admin'</code>
        </script>
    </condition>
    </mapping>
    ..........
</objectTemplate>

②组织对象模板

组织对象模板object-template-org.xml相对来说比较简单,仅仅用于创建组织的时候给该组织赋予相应的角色,在此就不展示了。

5、组织——数据源角色

在metarole-org.xml中通过间接分配(inducement),给组织分配了其在数据源中对应的角色。

<role oid="bb1adfda-cbee-11e5-a445-3c970e44b9e2"
        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
    xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
   <name>Functional Orgstruct Metarole</name>
   <!-- Metarole held by Org objects. Each inducement below is guarded by the condition
        orgType == 'customer', so only customer Orgs get the LDAP projections; Orgs with
        another orgType (e.g. the 'functional' CUSTOMERS root) are not affected. -->
   <inducement>
        <construction>
                <!-- OpenLDAP -->
                <resourceRef oid="40be7fa0-cbec-11e5-926a-3c970e44b9e2" type="c:ResourceType"/>
                <!-- The kind/intent pair selects an objectType defined in openldap-customers.xml;
                     kind=generic, intent=ou-customer corresponds to objectClass organizationalUnit,
                     i.e. the customer's OU.
                -->
                <kind>generic</kind>
                <intent>ou-customer</intent>
        </construction>
        <condition>
            <source>
                <path>$immediateRole/orgType</path>
            </source>
                <expression>
                    <script>
                        <code>orgType == 'customer'</code>
                    </script>
                </expression>
        </condition>
   </inducement>
   <inducement>
        <construction>
                <!-- OpenLDAP -->
                <resourceRef oid="40be7fa0-cbec-11e5-926a-3c970e44b9e2" type="c:ResourceType"/>
                <!-- The kind/intent pair selects an objectType defined in openldap-customers.xml;
                     kind=entitlement, intent=group-org-admin corresponds to objectClass groupOfNames,
                     i.e. the customer's admin group.
                -->
                <kind>entitlement</kind>
                <intent>group-org-admin</intent>
        </construction>
        <condition>
            <source>
                <path>$immediateRole/orgType</path>
            </source>
                <expression>
                    <script>
                        <code>orgType == 'customer'</code>
                    </script>
                </expression>
        </condition>
    </inducement>
    ..........
   <!-- order 2: this inducement is not applied to the Org itself but presumably to the users
        assigned to the Org (one assignment step further), per the order element - confirm. -->
   <inducement>
       <focusMappings>
           <mapping>
               <name>Set organizationalUnit from organization name</name>
               <!-- XXX (author's marker). weak strength: presumably only fills
                    organizationalUnit when the user has no value for it yet - confirm. -->
               <strength>weak</strength><!-- XXX -->
               <source>
                   <path>$immediateRole/name</path>
               </source>
               <target>
                   <path>$user/organizationalUnit</path>
               </target>
           </mapping>
       </focusMappings>
       <order>2</order>
       <focusType>c:UserType</focusType>
    </inducement>
</role>

6、角色权限配置

该类配置文件就不详细介绍了,直接参看示例配置就行。

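<role oid="c546fe38-def1-11e5-85bb-3c970e44b9e2"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
    <name>Delegated Administration Role</name>
    <description>Role to delegate administration to customer admins.</description>
    <!-- Tenant-scoped administration. Most authorizations below are limited through
         orgRelation/subjectRelation=org:manager, i.e. they apply only to objects inside the
         Org(s) the holder manages. The ones that are NOT org-scoped are called out inline. -->

    <!-- ***** GUI ***** -->
    <!-- Pages the holder may open. What they can see or change there is governed by the
         model authorizations below, not by this list. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#user</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#userDetails</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#findUsers</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgStruct</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgTree</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#orgUnit</action>
    </authorization>
    <!-- Read own user object. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <special>self</special>
        </object>
    </authorization>
    <!-- Read the shadows (resource accounts) the holder owns. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>ShadowType</type>
            <owner>
                <special>self</special>
            </owner>
        </object>
    </authorization>
    <!-- Change own password: request phase (#changeCredentials) and execution phase (#modify)
         are both limited to the holder's own credentials item. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</action>
        <phase>request</phase>
        <object>
            <special>self</special>
        </object>
        <item>credentials</item>
    </authorization>
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <phase>execution</phase>
        <object>
            <special>self</special>
        </object>
        <item>credentials</item>
    </authorization>

    <!-- NOT org-scoped: every holder may read all value policies and ALL resource definitions
         (the openldap-customers.xml content shown above). If that is wider than intended,
         restrict ResourceType with a filter or an item list. -->
    <authorization>
        <name>Read for all password policies, all resources and roles of roleType=customer and End User</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>ValuePolicyType</type>
        </object>
        <object>
            <type>ResourceType</type>
        </object>
        <object>
            <type>RoleType</type>
            <filter>
                <q:or>
                    <q:equal>
                        <q:path>roleType</q:path>
                        <q:value>customer</q:value>
                    </q:equal>
                    <q:equal>
                        <q:path>name</q:path>
                        <q:value>End user</q:value>
                    </q:equal>
                    <q:equal>
                        <q:path>name</q:path>
                        <q:value>Delegated Administration Role</q:value><!-- To see also this role -->
                    </q:equal>
                </q:or>
            </filter>
        </object>
    </authorization>
    <!-- ***** Model ***** -->
    <!-- Authorization to see lookupTables (needed for the Employee Type enumeration). -->
    <authorization>
        <name>Read for lookuptable</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>LookupTableType</type>
        </object>
    </authorization>
    <!-- Authorization to read own organization and its content including the path from root - if assigned as manager.
         The #modify here carries no item list (unlike the next authorization), so it appears to
         permit changing any property of the managed Org and of every object beneath it,
         including the Org objects themselves. Confirm this is intended; otherwise drop #modify
         here and rely on the item-restricted authorization below. -->
    <authorization>
        <name>Magic read/modify</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <object>
            <orgRelation>
                <subjectRelation>org:manager</subjectRelation>
                <scope>allDescendants</scope>
                <includeReferenceOrg>true</includeReferenceOrg>
            </orgRelation>
        </object>
    </authorization>
    <!-- Authorization to modify some attributes IN their own organizations - if assigned as manager.
         employeeType is the property the user template turns into the org:manager relation and
         the customer-admin role assignment, so allowing it here lets a manager make any user of
         their Org another manager. That is a privilege grant, not a plain attribute edit; keep it
         only if that delegation is intended. -->
    <authorization>
        <name>Modify some user attributes</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
        <object>
            <type>UserType</type>
            <orgRelation>
                <subjectRelation>org:manager</subjectRelation>
            </orgRelation>
        </object>
        <item>name</item>
        <item>description</item>
        <item>givenName</item>
        <item>familyName</item>
        <item>employeeType</item>
        <item>emailAddress</item>
        <item>activation</item>
        <item>credentials</item>
    </authorization>
    <!-- Authorization to CRD IN their own organizations - if assigned as manager.
         #modify is deliberately left out; modification is governed by the item list above. -->
    <authorization>
        <name>Authz: CRD UserType</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
<!--        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>-->
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
        <object>
            <type>UserType</type>
            <orgRelation>
                <subjectRelation>org:manager</subjectRelation>
            </orgRelation>
        </object>
    </authorization>
    <!-- Authorization to assign/unassign IN their own organization - roles of roleType=customer or End user.
         The target filter bounds which roles may be handed out; it does not include this role. -->
    <authorization>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
        <object>
            <type>UserType</type>
            <orgRelation>
                <subjectRelation>org:manager</subjectRelation>
            </orgRelation>
        </object>
        <target>
            <type>RoleType</type>
            <filter>
                <q:or>
                    <q:equal>
                        <q:path>roleType</q:path>
                        <q:value>customer</q:value>
                    </q:equal>
                    <q:equal>
                        <q:path>name</q:path>
                        <q:value>End user</q:value>
                    </q:equal>
                </q:or>
            </filter>
        </target>
    </authorization>
    <!-- Authorization to read entitlements and generic shadows.
         NOT org-scoped: the filter restricts only the shadow kind, so every holder can read
         every customer's OU and admin-group shadows (DNs, members), not just their own tenant's.
         Add an orgRelation or owner restriction if cross-tenant visibility is not wanted. -->
    <authorization>
        <name>Read all entitlements and generic shadows</name>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <type>ShadowType</type>
            <filter>
                <q:or>
                    <q:equal>
                        <q:path>kind</q:path>
                        <q:value>entitlement</q:value>
                    </q:equal>
                    <q:equal>
                        <q:path>kind</q:path>
                        <q:value>generic</q:value>
                    </q:equal>
                </q:or>
            </filter>
        </object>
    </authorization>
    <!-- Cannot be self-requested; it is granted only through the user template / admin action. -->
    <requestable>false</requestable>
</role>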

7、示例代码后台数据创建过程

1)导入租户管理员csv文件(midpoint-crm-flatfile.csv)
2)根据该文件的用户记录,填充好fullName (object-template-user.xml)
3)根据该文件的用户记录,查询用户所属的组织是否存在;不存在的话,根据“Org mapping - organization member” mapping里的描述创建该组织(object-template-user.xml)
4)创建组织时参照 组织模板文件 (object-template-org.xml)给创建的组织赋予父节点,根据metarole-org.xml文件 参照inducement段中的描述创建 projection
5)根据metarole-org.xml中的inducement,同时参照openldap-customers.xml的outbound描述,在openldap中创建该组织及该组织下的角色组(groupOfNames)和用户(inetOrgPerson)
6)组织创建好后,在该用户的assignment中加入该组织
7)根据用户的employeeType给用户赋予midpoint中的角色,该角色事先通过角色权限文件(role-customer-authz-admin.xml等)导入到系统中。
8)至此用户创建完毕


转载自blog.csdn.net/fengshuiyue/article/details/80769633