
The info on this page applies to Grouper 2.6 and above.

Requirements

  • Groups with attribute for memberships
  • Membership attribute value is user DN
  • Users are looked up by netId, which is a subjectIdentifier (referenced as subjectIdentifier0 in the provisioner configuration below)
  • Flat (each Grouper group name translates to an LDAP RDN (CN) in an OU)
  • DNs can be overridden so a group can live outside the normal flat OU


Youtube demo

Note: entity attribute selection should probably be kept to the minimum needed — for example, objectClass does not need to be selected (the sample configuration below still selects it on targetEntityAttribute.2).

Configuration

Provisioner in grouper-loader.properties

# Provisioner "ldapGroupsWithOverride": groupAttributes type, flat group DNs under ou=GrouperGroups.
# allowLdapGroupDnOverride lets a per-group attribute (md_grouper_ldapGroupDnOverride, read in the
# translations below) replace the computed flat DN. Whoever can assign that attribute chooses where
# the group entry is written, so restrict who may set it. Note that the override value is used as-is;
# only the computed fallback passes through ldapEscapeRdnValue.
provisioner.ldapGroupsWithOverride.allowLdapGroupDnOverride = true
provisioner.ldapGroupsWithOverride.class = edu.internet2.middleware.grouper.app.ldapProvisioning.LdapSync
# Destructive settings: groups and memberships found under groupSearchBaseDn that do not exist in
# Grouper are removed. Keep the base DN scoped to the provisioner-owned OU and give the bind account
# write access only there.
provisioner.ldapGroupsWithOverride.deleteGroups = true
provisioner.ldapGroupsWithOverride.deleteGroupsIfNotExistInGrouper = true
provisioner.ldapGroupsWithOverride.deleteMemberships = true
provisioner.ldapGroupsWithOverride.deleteMembershipsIfNotExistInGrouper = true
provisioner.ldapGroupsWithOverride.groupDnType = flat
provisioner.ldapGroupsWithOverride.groupSearchBaseDn = ou=GrouperGroups,dc=example,dc=edu
provisioner.ldapGroupsWithOverride.hasTargetEntityLink = true
provisioner.ldapGroupsWithOverride.hasTargetGroupLink = true
provisioner.ldapGroupsWithOverride.insertGroups = true
provisioner.ldapGroupsWithOverride.insertMemberships = true
# Points at the "personLdap" external system defined further down the page.
provisioner.ldapGroupsWithOverride.ldapExternalSystemConfigId = personLdap
# Demo setting: every selected/provisioned object (DNs, mail values) is written to the log.
# Turn off outside a lab.
provisioner.ldapGroupsWithOverride.logAllObjectsVerbose = true
# Counts must cover the highest index used below (entity 0-2, group 0-4).
provisioner.ldapGroupsWithOverride.numberOfEntityAttributes = 3
provisioner.ldapGroupsWithOverride.numberOfGroupAttributes = 5
provisioner.ldapGroupsWithOverride.operateOnGrouperEntities = true
provisioner.ldapGroupsWithOverride.operateOnGrouperGroups = true
provisioner.ldapGroupsWithOverride.operateOnGrouperMemberships = true
provisioner.ldapGroupsWithOverride.provisioningType = groupAttributes
provisioner.ldapGroupsWithOverride.selectAllEntities = true
provisioner.ldapGroupsWithOverride.selectEntities = true
provisioner.ldapGroupsWithOverride.selectGroups = true
provisioner.ldapGroupsWithOverride.selectMemberships = true
provisioner.ldapGroupsWithOverride.showAdvanced = true
# Only subjects from this source (id of the subject.properties source below) are provisioned.
provisioner.ldapGroupsWithOverride.subjectSourcesToProvision = personLdapSource
# Entity attribute 0: the entry's "name" field feeds memberToId2, which group attribute 4 uses as
# the membership value (the "membership attribute value is user DN" requirement; the name field
# is presumably the DN exposed by the DnAttributeEntryHandler configured on the external system).
provisioner.ldapGroupsWithOverride.targetEntityAttribute.0.fieldName = name
provisioner.ldapGroupsWithOverride.targetEntityAttribute.0.isFieldElseAttribute = true
provisioner.ldapGroupsWithOverride.targetEntityAttribute.0.select = true
provisioner.ldapGroupsWithOverride.targetEntityAttribute.0.translateToMemberSyncField = memberToId2
# Entity attribute 1: mail is the matching and search attribute, populated from subject
# identifier 0 (mail is the attribute marked subjectIdentifier in the subject source config).
provisioner.ldapGroupsWithOverride.targetEntityAttribute.1.isFieldElseAttribute = false
provisioner.ldapGroupsWithOverride.targetEntityAttribute.1.matchingId = true
provisioner.ldapGroupsWithOverride.targetEntityAttribute.1.name = mail
provisioner.ldapGroupsWithOverride.targetEntityAttribute.1.searchAttribute = true
provisioner.ldapGroupsWithOverride.targetEntityAttribute.1.select = true
provisioner.ldapGroupsWithOverride.targetEntityAttribute.1.translateExpressionType = grouperProvisioningEntityField
provisioner.ldapGroupsWithOverride.targetEntityAttribute.1.translateFromGrouperProvisioningEntityField = attribute__subjectIdentifier0
# Entity attribute 2: objectClass is selected here although the note on this page recommends
# keeping entity attributes minimal. The 'person' translation would only matter if entities were
# inserted; this listing enables no entity insert setting — confirm before dropping the attribute.
provisioner.ldapGroupsWithOverride.targetEntityAttribute.2.isFieldElseAttribute = false
provisioner.ldapGroupsWithOverride.targetEntityAttribute.2.multiValued = true
provisioner.ldapGroupsWithOverride.targetEntityAttribute.2.name = objectClass
provisioner.ldapGroupsWithOverride.targetEntityAttribute.2.select = true
provisioner.ldapGroupsWithOverride.targetEntityAttribute.2.translateExpression = ${grouperUtil.toSet('person')}
provisioner.ldapGroupsWithOverride.targetEntityAttribute.2.translateExpressionType = translationScript
# Group attribute 0: the entry DN. Uses md_grouper_ldapGroupDnOverride when the group has it,
# otherwise cn=<RDN-escaped Grouper group name>,ou=GrouperGroups,dc=example,dc=edu.
provisioner.ldapGroupsWithOverride.targetGroupAttribute.0.fieldName = name
provisioner.ldapGroupsWithOverride.targetGroupAttribute.0.insert = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.0.isFieldElseAttribute = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.0.select = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.0.translateExpression = ${grouperUtil.defaultString(grouperProvisioningGroup.retrieveAttributeValueString('md_grouper_ldapGroupDnOverride'), 'cn=' + edu.internet2.middleware.grouper.util.GrouperUtil.ldapEscapeRdnValue(grouperProvisioningGroup.name) + ',ou=GrouperGroups,dc=example,dc=edu')}
provisioner.ldapGroupsWithOverride.targetGroupAttribute.0.translateExpressionType = translationScript
provisioner.ldapGroupsWithOverride.targetGroupAttribute.0.translateToGroupSyncField = groupToId2
provisioner.ldapGroupsWithOverride.targetGroupAttribute.0.update = true
# Group attribute 1: cn is derived from the same DN expression via ldapConvertDnToSpecificValue,
# so cn stays consistent with the RDN even when the DN is overridden.
provisioner.ldapGroupsWithOverride.targetGroupAttribute.1.insert = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.1.isFieldElseAttribute = false
provisioner.ldapGroupsWithOverride.targetGroupAttribute.1.name = cn
provisioner.ldapGroupsWithOverride.targetGroupAttribute.1.select = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.1.translateExpression = ${edu.internet2.middleware.grouper.util.GrouperUtil.ldapConvertDnToSpecificValue(grouperUtil.defaultString(grouperProvisioningGroup.retrieveAttributeValueString('md_grouper_ldapGroupDnOverride'), 'cn=' + edu.internet2.middleware.grouper.util.GrouperUtil.ldapEscapeRdnValue(grouperProvisioningGroup.name) + ',ou=GrouperGroups,dc=example,dc=edu'))}
provisioner.ldapGroupsWithOverride.targetGroupAttribute.1.translateExpressionType = translationScript
provisioner.ldapGroupsWithOverride.targetGroupAttribute.1.update = true
# Group attribute 2: gidNumber from Grouper's idIndex; it is the matching and search attribute,
# so a group is re-found by gidNumber even after a DN override moves it.
provisioner.ldapGroupsWithOverride.targetGroupAttribute.2.insert = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.2.isFieldElseAttribute = false
provisioner.ldapGroupsWithOverride.targetGroupAttribute.2.matchingId = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.2.name = gidNumber
provisioner.ldapGroupsWithOverride.targetGroupAttribute.2.searchAttribute = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.2.select = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.2.translateExpressionType = grouperProvisioningGroupField
provisioner.ldapGroupsWithOverride.targetGroupAttribute.2.translateFromGrouperProvisioningGroupField = idIndexString
provisioner.ldapGroupsWithOverride.targetGroupAttribute.2.update = true
# Group attribute 3: objectClass top + posixGroup.
provisioner.ldapGroupsWithOverride.targetGroupAttribute.3.insert = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.3.isFieldElseAttribute = false
provisioner.ldapGroupsWithOverride.targetGroupAttribute.3.multiValued = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.3.name = objectClass
provisioner.ldapGroupsWithOverride.targetGroupAttribute.3.select = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.3.translateExpression = ${grouperUtil.toSet('top', 'posixGroup')}
provisioner.ldapGroupsWithOverride.targetGroupAttribute.3.translateExpressionType = translationScript
provisioner.ldapGroupsWithOverride.targetGroupAttribute.3.update = true
# Group attribute 4: the multi-valued membership attribute. This demo stores member values in
# "description"; each value is the member's memberToId2 (the entity DN from entity attribute 0).
provisioner.ldapGroupsWithOverride.targetGroupAttribute.4.isFieldElseAttribute = false
provisioner.ldapGroupsWithOverride.targetGroupAttribute.4.membershipAttribute = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.4.multiValued = true
provisioner.ldapGroupsWithOverride.targetGroupAttribute.4.name = description
provisioner.ldapGroupsWithOverride.targetGroupAttribute.4.translateFromMemberSyncField = memberToId2
provisioner.ldapGroupsWithOverride.updateGroups = true
# Users are resolved under this base; it matches the subject source search base below.
provisioner.ldapGroupsWithOverride.userSearchBaseDn = ou=People,dc=example,dc=edu
  

External system in grouper-loader.properties

# LDAP external system "personLdap" (referenced by ldapExternalSystemConfigId above and by the
# subject source's ldapServerId below). The password is redacted on this page; prefer Grouper's
# encrypted/externalized config value over a plaintext literal in grouper-loader.properties.
ldap.personLdap.pass = *******
# DnAttributeEntryHandler exposes each entry's DN as an attribute (presumably what the provisioner's
# entity "name" field reads); GrouperRangeEntryHandler handles ranged multi-valued results.
ldap.personLdap.searchResultHandlers = org.ldaptive.handler.DnAttributeEntryHandler,edu.internet2.middleware.grouper.ldap.ldaptive.GrouperRangeEntryHandler
# uiTest* values drive the "test connection" check in the UI: a base-scope read of
# dc=example,dc=edu that expects dc=example.
ldap.personLdap.uiTestAttributeName = dc
ldap.personLdap.uiTestExpectedValue = example
ldap.personLdap.uiTestFilter = (dc=example)
ldap.personLdap.uiTestSearchDn = dc=example,dc=edu
ldap.personLdap.uiTestSearchScope = OBJECT_SCOPE
# Demo values: plain ldap:// to localhost and a directory-admin bind. Outside a lab use ldaps://
# (or StartTLS) and a service account limited to read on ou=People and write on ou=GrouperGroups,
# since this provisioner is configured to delete entries it does not recognise.
ldap.personLdap.url = ldap://localhost:389
ldap.personLdap.user = cn=admin,dc=example,dc=edu

Daemon jobs in grouper-loader.properties

# Full sync daemon: reconciles all groups/memberships for provisioner ldapGroupsWithOverride,
# including the deletes enabled in the provisioner config. Quartz cron (sec min hour ...): daily at 06:53:39.
otherJob.ldapGroupsWithOverrideFull.class = edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningFullSyncJob
otherJob.ldapGroupsWithOverrideFull.provisionerConfigId = ldapGroupsWithOverride
otherJob.ldapGroupsWithOverrideFull.quartzCron = 39 53 6 * * ?

# Incremental sync: change-log consumer that pushes individual changes to the same provisioner,
# polled every minute.
changeLog.consumer.ldapGroupsWithOverrideIncremental.class = edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer
changeLog.consumer.ldapGroupsWithOverrideIncremental.provisionerConfigId = ldapGroupsWithOverride
changeLog.consumer.ldapGroupsWithOverrideIncremental.publisher.class = edu.internet2.middleware.grouper.app.provisioning.ProvisioningConsumer
changeLog.consumer.ldapGroupsWithOverrideIncremental.publisher.debug = false
changeLog.consumer.ldapGroupsWithOverrideIncremental.quartzCron = 0 * * * * ?
  

Subject source in subject.properties

# Subject source keyed "myPeople" in config; its id is personLdapSource, the source named in the
# provisioner's subjectSourcesToProvision. Backed by the personLdap external system (ldapServerId).
subjectApi.source.myPeople.adapterClass = edu.internet2.middleware.grouper.subj.GrouperLdapSourceAdapter2_5
# Attribute 0: uid (also the subject id, see SubjectID_AttributeType).
subjectApi.source.myPeople.attribute.0.name = uid
subjectApi.source.myPeople.attribute.0.translationType = sourceAttributeSameAsSubjectAttribute
# Attribute 1: mail is the subject identifier used for lookups (netId param and
# searchSubjectByIdentifier filter below; subjectIdentifier0 on the provisioner side).
subjectApi.source.myPeople.attribute.1.name = mail
subjectApi.source.myPeople.attribute.1.subjectIdentifier = true
subjectApi.source.myPeople.attribute.1.translationType = sourceAttributeSameAsSubjectAttribute
# Attribute 2: subject "name" taken from LDAP cn.
subjectApi.source.myPeople.attribute.2.name = name
subjectApi.source.myPeople.attribute.2.sourceAttribute = cn
subjectApi.source.myPeople.attribute.2.translationType = sourceAttribute
# Attribute 3: description assembled from cn, uid, businessCategory and eduPersonAffiliation.
# The lowercase source_attribute__ names presumably match how the adapter exposes the extra
# attributes listed in extraAttributesFromSource — confirm against a subject lookup.
subjectApi.source.myPeople.attribute.3.name = description
subjectApi.source.myPeople.attribute.3.translation = ${subject_attribute__cn + ' (' +source_attribute__uid + ') - ' + source_attribute__businesscategory + ' - ' + source_attribute__edupersonaffiliation}
subjectApi.source.myPeople.attribute.3.translationType = translation
subjectApi.source.myPeople.extraAttributesFromSource = businessCategory, eduPersonAffiliation
subjectApi.source.myPeople.id = personLdapSource
subjectApi.source.myPeople.name = My LDAP
# Must cover attribute indexes 0-3 above.
subjectApi.source.myPeople.numberOfAttributes = 4
subjectApi.source.myPeople.param.Description_AttributeType.value = description
subjectApi.source.myPeople.param.Name_AttributeType.value = name
subjectApi.source.myPeople.param.SubjectID_AttributeType.value = uid
subjectApi.source.myPeople.param.emailAttributeName.value = mail
# The *OnCheckConfig params are sample lookups run by the configuration check; the values are
# demo data and need to be a subject that exists in your directory.
subjectApi.source.myPeople.param.findSubjectByIdOnCheckConfig.value = true
subjectApi.source.myPeople.param.findSubjectByIdentifiedOnCheckConfig.value = true
subjectApi.source.myPeople.param.findSubjectByStringOnCheckConfig.value = true
subjectApi.source.myPeople.param.ldapServerId.value = personLdap
subjectApi.source.myPeople.param.netId.value = mail
subjectApi.source.myPeople.param.stringToFindOnCheckConfig.value = aa
subjectApi.source.myPeople.param.subjectIdToFindOnCheckConfig.value = aanderson
subjectApi.source.myPeople.param.subjectIdentifierToFindOnCheckConfig.value = aanderson@example.edu
# Search filters: %TERM% is replaced with the lookup term (free text from the UI for "search").
# Confirm the adapter escapes LDAP filter metacharacters in %TERM% before relying on these
# filters with user-typed input; the base and scope below bound what a search can return.
subjectApi.source.myPeople.search.search.param.filter.value = (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person))
subjectApi.source.myPeople.search.searchSubject.param.base.value = ou=People,dc=example,dc=edu
subjectApi.source.myPeople.search.searchSubject.param.filter.value = (uid=%TERM%)
subjectApi.source.myPeople.search.searchSubject.param.scope.value = SUBTREE_SCOPE
subjectApi.source.myPeople.search.searchSubjectByIdentifier.param.filter.value = (mail=%TERM%)
# Subject-picker display/sort settings.
subjectApi.source.myPeople.searchAttribute.0.attributeName = description
subjectApi.source.myPeople.searchAttributeCount = 1
subjectApi.source.myPeople.sortAttribute.0.attributeName = name
subjectApi.source.myPeople.sortAttributeCount = 1
subjectApi.source.myPeople.types = person
