Basic Mapping
Added by Jim Yang, last edited by Jim Yang on Jun 05, 2007


Introduction

This page explains the simplest way to map a source into an LDAP entry in Penrose.

Goal

Suppose we have a table "users" which contains the full user information (e.g. username, first name, last name, password). We want to create a mapping that produces the following output:

dn: uid=<username>,ou=Users,dc=Example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: <username>
cn: <full name>
sn: <last name>
userPassword: <password>

Solution

First you need to specify the mapping from the "users" source into the attributes. Here the "users" source is referred to by the alias "u".

<entry dn="uid=...,ou=Users,dc=Example,dc=com">

    <oc>person</oc>
    <oc>organizationalPerson</oc>
    <oc>inetOrgPerson</oc>

    <at name="uid" rdn="true">
        <variable>u.username</variable>
    </at>
    <at name="cn">
        <expression>
if (u == void || u == null) return null;
return u.firstName+" "+u.lastName;
        </expression>
    </at>
    <at name="sn">
        <variable>u.lastName</variable>
    </at>
    <at name="userPassword">
        <variable>u.password</variable>
    </at>

</entry>

The "..." in the DN indicates that the actual DN is dynamically generated from a source.

The "uid", "sn", and "userPassword" attributes are mapped directly from the appropriate fields in the "users" source. Since the "uid" is used in the RDN, you have to mark it with rdn="true".

The "cn" attribute is more complicated: it uses a BeanShell script to concatenate the first and last name of the user. In expressions, you should check whether the "u" object is available by comparing it with void and null to prevent errors during execution.

Next, in the same mapping, we define the reverse mapping to translate the LDAP attributes back to the source.

<entry dn="uid=...,ou=Users,dc=Example,dc=com">

    <source name="u">

        <source-name>users</source-name>

        <field name="username">
            <variable>uid</variable>
        </field>
        <field name="firstName">
            <expression>
if (cn == void || cn == null) return null;
int i = cn.lastIndexOf(" ");
if (i &lt; 0) return null;
return cn.substring(0, i);
            </expression>
        </field>
        <field name="lastName">
            <expression>
if (sn != void &amp;&amp; sn != null) return sn;
if (cn == void || cn == null) return null;
int i = cn.lastIndexOf(" ");
return cn.substring(i+1);
            </expression>
        </field>
        <field name="password">
            <variable>userPassword</variable>
        </field>

    </source>

</entry>

The "username" and "password" fields are mapped directly from the appropriate LDAP attributes.

The "firstName" field is more complicated: it has to extract the first name part from the full name by searching for the last occurrence of a space. The "lastName" field is similar, but it first checks whether the "sn" attribute is defined; otherwise it tries to extract the last name from the "cn".
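
The round trip through both mappings, as an added example that is not part of the original page or of Penrose: the three expressions are ported from BeanShell to plain Java (BeanShell's `void` check is folded into the `null` check) and run over constructed sample rows. It shows that a last name containing a space is split differently on the way back, so a write through LDAP would change the row. The class name, method names and sample rows are assumptions.

```java
public class MappingRoundTrip {
    // Forward "cn" expression: u.firstName + " " + u.lastName
    static String toCn(String firstName, String lastName) {
        return firstName + " " + lastName;
    }

    // Reverse "firstName" expression: text before the last space of cn
    static String toFirstName(String cn) {
        if (cn == null) return null;
        int i = cn.lastIndexOf(" ");
        if (i < 0) return null;
        return cn.substring(0, i);
    }

    // Reverse "lastName" expression: sn when supplied, else text after the last space
    static String toLastName(String sn, String cn) {
        if (sn != null) return sn;
        if (cn == null) return null;
        int i = cn.lastIndexOf(" ");
        return cn.substring(i + 1);
    }

    // Print what the reverse mapping would write and whether it matches the original row
    static void check(String label, String first, String last, String sn, String cn) {
        String f = toFirstName(cn);
        String l = toLastName(sn, cn);
        boolean same = first.equals(f) && last.equals(l);
        System.out.printf("%-8s cn=\"%s\" -> firstName=\"%s\" lastName=\"%s\" %s%n",
                label, cn, f, l, same ? "ok" : "CHANGED");
    }

    public static void main(String[] args) {
        // Constructed sample rows {firstName, lastName}; not data from the page
        String[][] rows = {
            {"Jim", "Yang"},
            {"Mary Ann", "Smith"},
            {"Ludwig", "van Beethoven"},
        };
        for (String[] r : rows) {
            String cn = toCn(r[0], r[1]);
            check("cn+sn", r[0], r[1], r[1], cn);   // client sends both cn and sn
            check("cn only", r[0], r[1], null, cn); // client omits sn
        }
    }
}
```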
