Main Grouper Loader page

Common setup 

  • Set up an LDAP source; here is one I googled from the Internet (public, unauthenticated).  Put this in the sources.xml of all Grouper installations (WS, UI, loader, whatever)
  • subject.properties config

    #########################################
    ## Configuration for source id: cmuDirectory
    ## Source configName: cmuDirectory
    #########################################
    subjectApi.source.cmuDirectory.id = cmuDirectory
    
    # this is a friendly name for the source
    subjectApi.source.cmuDirectory.name = CMU Directory
    
    # type is not used all that much.  Can have multiple types, comma separated.  Can be person, group, application
    subjectApi.source.cmuDirectory.types = person
    
    # the adapter class implements the interface: edu.internet2.middleware.subject.Source
    # adapter class must extend: edu.internet2.middleware.subject.provider.BaseSourceAdapter
    # edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2  :  if doing JDBC this should be used if possible.  All subject data in one table/view.
    # edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter   :  oldest JDBC source.  Put freeform queries in here
    # edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter   :  used for LDAP
    subjectApi.source.cmuDirectory.adapterClass = edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter
    
    # e.g. com.sun.jndi.ldap.LdapCtxFactory
    subjectApi.source.cmuDirectory.param.INITIAL_CONTEXT_FACTORY.value = com.sun.jndi.ldap.LdapCtxFactory
    
    # e.g. ldap://localhost:389
    subjectApi.source.cmuDirectory.param.PROVIDER_URL.value = ldap://ldap.andrew.cmu.edu:389
    
    # e.g. simple, none, sasl_mech
    subjectApi.source.cmuDirectory.param.SECURITY_AUTHENTICATION.value = none
    
    # ldap attribute which is the subject id.  e.g. exampleEduRegID   Each subject has one and only one subject id.  Generally it is opaque and permanent.
    subjectApi.source.cmuDirectory.param.SubjectID_AttributeType.value = guid
    
    # if the subject id should be changed to lower case after reading from datastore.  true or false
    subjectApi.source.cmuDirectory.param.SubjectID_formatToLowerCase.value = false
    
    # attribute which is the subject name
    subjectApi.source.cmuDirectory.param.Name_AttributeType.value = cn
    
    # attribute which is the subject description
    subjectApi.source.cmuDirectory.param.Description_AttributeType.value = cn
    
    # the 1st sort attribute for lists on screen that are derived from member table (e.g. search for member in group)
    # you can have up to 5 sort attributes 
    subjectApi.source.cmuDirectory.param.sortAttribute0.value = cn
    
    # the 1st search attribute for lists on screen that are derived from member table (e.g. search for member in group)
    # you can have up to 5 search attributes 
    subjectApi.source.cmuDirectory.param.searchAttribute0.value = searchAttribute0
    
    # attribute name of the email attribute
    subjectApi.source.cmuDirectory.param.emailAttributeName.value = mail
    
    # searchSubject: find a subject by ID.  ID is generally an opaque and permanent identifier, e.g. 12345678.
    #  Each subject has one and only one ID.  Returns one result when searching for one ID.
    
    # filter is the LDAP filter used to search for the subject by id.  %TERM% will be substituted by the id searched for
    subjectApi.source.cmuDirectory.search.searchSubject.param.filter.value = (& (guid=%TERM%) (objectclass=cmuPerson))
    
    # Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
    subjectApi.source.cmuDirectory.search.searchSubject.param.scope.value = SUBTREE_SCOPE
    
    # base dn to search in
    subjectApi.source.cmuDirectory.search.searchSubject.param.base.value = ou=person,dc=cmu,dc=edu
    
    #searchSubjectByIdentifier: find a subject by identifier.  Identifier is anything that uniquely
    #  identifies the user, e.g. jsmith or jsmith@institution.edu.
    #  Subjects can have multiple identifiers.  Note: it is nice to have if identifiers are unique
    #  even across sources.  Returns one result when searching for one identifier.
    
    # filter is the LDAP filter used to search for the subject by identifier.  %TERM% will be substituted by the identifier searched for
    subjectApi.source.cmuDirectory.search.searchSubjectByIdentifier.param.filter.value = (& (cmuAndrewCommonNamespaceId=%TERM%) (objectclass=cmuPerson))
    
    # Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
    subjectApi.source.cmuDirectory.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE
    
    # base dn to search in
    subjectApi.source.cmuDirectory.search.searchSubjectByIdentifier.param.base.value = ou=person,dc=cmu,dc=edu
    
    #   search: find subjects by free form search.  Returns multiple results.
    
    # filter is the LDAP filter used to search for the subject by free form search.  %TERM% will be substituted by the text searched for
    subjectApi.source.cmuDirectory.search.search.param.filter.value = (& (|(guid=%TERM%)(|(cn=*%TERM%*)(cmuAndrewCommonNamespaceId=*%TERM%*)))(objectclass=cmuPerson))
    
    # Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
    subjectApi.source.cmuDirectory.search.search.param.scope.value = SUBTREE_SCOPE
    
    # base dn to search in
    subjectApi.source.cmuDirectory.search.search.param.base.value = ou=person,dc=cmu,dc=edu
    
    # attributes from ldap object to become subject attributes.  comma separated
    subjectApi.source.cmuDirectory.attributes = cn, guid, cmuAndrewCommonNamespaceId, mail
    
    # internal attributes are used by grouper only not exposed to code that uses subjects.  comma separated
    subjectApi.source.cmuDirectory.internalAttributes = searchAttribute0
    
    
    
  • sources.xml config
  <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter">
    <id>cmuDirectory</id>
    <name>CMU Directory</name>
    <type>person</type>
    <init-param>
      <param-name>INITIAL_CONTEXT_FACTORY</param-name>
      <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>
    </init-param>
    <init-param>
      <param-name>PROVIDER_URL</param-name>
      <param-value>ldap://ldap.andrew.cmu.edu:389</param-value>
    </init-param>
    <init-param>
      <param-name>SECURITY_AUTHENTICATION</param-name>
      <param-value>none</param-value>
    </init-param>
     <init-param>
      <param-name>SubjectID_AttributeType</param-name>
      <param-value>guid</param-value>
    </init-param>
     <init-param>
      <param-name>SubjectID_formatToLowerCase</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>Name_AttributeType</param-name>
      <param-value>cn</param-value>
    </init-param>
    <init-param>
      <param-name>Description_AttributeType</param-name>
      <param-value>cn</param-value>
    </init-param>
    <!--     
    /// Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE 
    /// For filter use 
     -->
    <search>
        <searchType>searchSubject</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp; (guid=%TERM%) (objectclass=cmuPerson))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>
                SUBTREE_SCOPE            
            </param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>
                ou=person,dc=cmu,dc=edu
            </param-value>
        </param>
         
    </search>
    <search>
        <searchType>searchSubjectByIdentifier</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp; (cmuAndrewCommonNamespaceId=%TERM%) (objectclass=cmuPerson))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>
                SUBTREE_SCOPE            
            </param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>
                ou=person,dc=cmu,dc=edu
            </param-value>
        </param>
    </search>
    
    <search>
       <searchType>search</searchType>
         <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp; (|(guid=%TERM%)(|(cn=*%TERM%*)(cmuAndrewCommonNamespaceId=*%TERM%*)))(objectclass=cmuPerson))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>
                SUBTREE_SCOPE            
            </param-value>
        </param>
         <param>
            <param-name>base</param-name>
            <param-value>
                ou=person,dc=cmu,dc=edu
            </param-value>
        </param>
    </search>
    <init-param>
      <param-name>sortAttribute0</param-name>
      <param-value>cn</param-value>
    </init-param>
    <init-param>
      <param-name>searchAttribute0</param-name>
      <param-value>searchAttribute0</param-value>
    </init-param>

    <internal-attribute>searchAttribute0</internal-attribute>

    <!-- ///Attributes you would like to display when doing a search  -->
    <attribute>cn</attribute>
    <attribute>guid</attribute>
    <attribute>cmuAndrewCommonNamespaceId</attribute>
   
  </source>
  • Set this in the grouper-loader.properties
#################################
## LDAP connections
#################################
# specify the ldap connection with user, pass, url
# the string after "ldap." is the ID of the connection, and it should not have
# spaces or other special chars in it.  In this case it is "personLdap"

ldap.personLdap.url = ldap://ldap.andrew.cmu.edu/dc=cmu,dc=edu
ldap.personLdap.user = 
ldap.personLdap.pass = 
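
The search filters in the source configuration above replace `%TERM%` with whatever text is searched for. The following is an added example, not Grouper code: `escape_filter_value`, `render_filter`, `metachar_counts` and `preserves_structure` are hypothetical helpers that apply RFC 4515 escaping to that substitution so a term containing `(`, `)`, `*` or `\` stays a literal value. How the adapter itself treats the term is not shown on this page.

```python
# Added example: RFC 4515 escaping applied to the %TERM% placeholder.
# The templates are the filters configured on this page; the helper
# functions are hypothetical and are not part of the Grouper API.

# RFC 4515 section 3: these characters must be written as \XX hex escapes
# when they appear inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

SEARCH_SUBJECT = "(& (guid=%TERM%) (objectclass=cmuPerson))"
SEARCH_FREEFORM = ("(& (|(guid=%TERM%)(|(cn=*%TERM%*)"
                   "(cmuAndrewCommonNamespaceId=*%TERM%*)))(objectclass=cmuPerson))")


def escape_filter_value(term: str) -> str:
    """Escape a search term so the directory treats it as a literal value."""
    # Mapping character by character avoids escaping a backslash twice.
    return "".join(_ESCAPES.get(ch, ch) for ch in term)


def render_filter(template: str, term: str) -> str:
    """Substitute the escaped term for every %TERM% in the template."""
    return template.replace("%TERM%", escape_filter_value(term))


def metachar_counts(filter_text: str) -> tuple:
    """Count the raw filter metacharacters ( ) * in a filter string."""
    return tuple(filter_text.count(ch) for ch in "()*")


def preserves_structure(template: str, term: str) -> bool:
    """True if the rendered filter has exactly the template's metacharacters,
    i.e. the term contributed only literal text."""
    return metachar_counts(render_filter(template, term)) == metachar_counts(template)


if __name__ == "__main__":
    # Constructed sample terms; the second contains filter metacharacters.
    for term in ("smith", "Smith (CS)*"):
        print(render_filter(SEARCH_FREEFORM, term))
        print("structure preserved:", preserves_structure(SEARCH_FREEFORM, term))
```
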

 

LDAP Simple group

  • Create folder/group test:testGroup
  • Use the new attribute framework to assign the LDAP loader
  • Text version:
test:testGroup:         grouperLoaderLdapDef
subject attribute name: guid
search base DN:         ou=person
quartz cron:            0 0 8 * * ?
filter:                 (& (cmuAndrewCommonNamespaceId=*dest*) (objectClass=cmuPerson))
server ID:              personLdap
type:                   LDAP_SIMPLE
  • If you want you can turn debug on in the log4j.properties
log4j.logger.edu.internet2.middleware.grouper.app.loader = DEBUG
  • Run the loader job from GSH

 

gsh 0% grouperSession = GrouperSession.startRootSession(); 
gsh 1% loaderGroup = GroupFinder.findByName(grouperSession, "test:testGroup");
gsh 2% loaderRunOneJob(loaderGroup);
2013-06-02 16:47:28,725: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1926) -  - test:testGroup start syncing membership
2013-06-02 16:47:28,726: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1942) -  - test:testGroup syncing 13 rows
2013-06-02 16:47:28,733: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2055) -  - Done assigning privilege to related groups: test:testGroup
2013-06-02 16:47:28,881: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/4A10366C-D7F4-11D5-8000-080020CC75D3, 1 of 13 subjects
2013-06-02 16:47:29,175: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/00000000-0000-1000-3F70-0800207F02E6, 2 of 13 subjects
2013-06-02 16:47:29,301: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/00000000-0000-1000-79FA-0800207F02E6, 3 of 13 subjects
2013-06-02 16:47:29,405: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/2BF70E82-BD36-11D9-8000-0003BA2FA263, 4 of 13 subjects
2013-06-02 16:47:29,717: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/07696C48-CBA2-11D9-8001-0003BA2FA263, 5 of 13 subjects
2013-06-02 16:47:29,854: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/AE334D56-7E40-11DD-8001-0003BA2FA263, 6 of 13 subjects
2013-06-02 16:47:29,970: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/1A97ED54-3C6D-11DE-8001-0003BA2FA263, 7 of 13 subjects
2013-06-02 16:47:30,267: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/7404BCDC-9794-11DE-8001-0003BA2FA263, 8 of 13 subjects
2013-06-02 16:47:30,426: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/293ABE32-109C-11DF-8000-0003BA2FA263, 9 of 13 subjects
2013-06-02 16:47:30,554: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/8F2D682C-6261-11DF-8000-0003BA2FA263, 10 of 13 subjects
2013-06-02 16:47:30,841: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/D6914E6E-E0D7-11DF-8001-00144F799A7A, 11 of 13 subjects
2013-06-02 16:47:30,991: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/55F202B2-72F9-11E0-8001-00144F799A7A, 12 of 13 subjects
2013-06-02 16:47:31,099: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/8B075248-925C-11E2-8000-00144F799A7A, 13 of 13 subjects
2013-06-02 16:47:32,211: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: 55F202B2-72F9-11E0-8001-00144F799A7A, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,254: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: 00000000-0000-1000-3F70-0800207F02E6, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,302: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: AE334D56-7E40-11DD-8001-0003BA2FA263, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,346: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: 07696C48-CBA2-11D9-8001-0003BA2FA263, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,402: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: 1A97ED54-3C6D-11DE-8001-0003BA2FA263, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,447: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: 4A10366C-D7F4-11D5-8000-080020CC75D3, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,486: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: 2BF70E82-BD36-11D9-8000-0003BA2FA263, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,529: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: 8F2D682C-6261-11DF-8000-0003BA2FA263, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,577: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: 00000000-0000-1000-79FA-0800207F02E6, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,621: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: D6914E6E-E0D7-11DF-8001-00144F799A7A, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,678: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: 293ABE32-109C-11DF-8000-0003BA2FA263, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,721: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: 7404BCDC-9794-11DE-8001-0003BA2FA263, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,769: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: 8B075248-925C-11E2-8000-00144F799A7A, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,769: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - test:testGroup done syncing membership, processed 13 records.  Total members: 13, inserts: 13, deletes: 0
loader ran successfully, inserted 13 memberships, deleted 0 memberships, total membership count: 13
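
The DEBUG output above records each membership twice, once when the loader plans the add and once when the add is carried out, followed by a summary line. The following is an added example, not part of Grouper: the hypothetical `reconcile` function cross-checks those three record types for one group. It assumes the log line formats shown above and runs on a constructed sample.

```python
import re

# Constructed sample in the format of the DEBUG output above; IDs are made up.
SAMPLE_LOG = """\
2013-06-02 16:47:28,881: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/EXAMPLE-ID-0001, 1 of 2 subjects
2013-06-02 16:47:29,175: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - test:testGroup will add subject to group: CMU Directory/EXAMPLE-ID-0002, 2 of 2 subjects
2013-06-02 16:47:32,211: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: EXAMPLE-ID-0002, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,254: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: test:testGroup add Subject id: EXAMPLE-ID-0001, sourceId: pennDirectory, alreadyAdded: false
2013-06-02 16:47:32,769: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - test:testGroup done syncing membership, processed 2 records.  Total members: 2, inserts: 2, deletes: 0
"""

# "will add" lines name the source by display name and callback lines by
# sourceId, so the two phases are joined on the subject ID alone.
PLANNED = re.compile(r"- (\S+) will add subject to group: .+/([^,/]+), \d+ of \d+ subjects")
ADDED = re.compile(r"Group: (\S+) add Subject id: ([^,]+), sourceId: [^,]+, alreadyAdded: \w+")
SUMMARY = re.compile(r"- (\S+) done syncing membership, processed \d+ records\.\s+"
                     r"Total members: \d+, inserts: (\d+), deletes: (\d+)")


def reconcile(log_text, group):
    """Return a list of (finding, detail) pairs; an empty list means consistent."""
    planned, added, summary = set(), set(), None
    for line in log_text.splitlines():
        if (m := PLANNED.search(line)) and m[1] == group:
            planned.add(m[2])
        elif (m := ADDED.search(line)) and m[1] == group:
            added.add(m[2])
        elif (m := SUMMARY.search(line)) and m[1] == group:
            summary = (int(m[2]), int(m[3]))  # (inserts, deletes)
    findings = []
    if planned - added:
        findings.append(("planned_not_added", sorted(planned - added)))
    if added - planned:
        findings.append(("added_not_planned", sorted(added - planned)))
    if summary is None:
        findings.append(("no_summary", []))
    elif summary[0] != len(added):
        findings.append(("insert_count_mismatch", [summary[0], len(added)]))
    return findings


if __name__ == "__main__":
    print(reconcile(SAMPLE_LOG, "test:testGroup") or "consistent")
```
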

 

LDAP groups from attributes

  • Create folders / groups:        test:loader:testLdapSimple

 

  • text config
Attribute name                              Value
Grouper loader LDAP group name expression   groupsFromAttributes:${groupAttribute}
Grouper loader LDAP subject ID type         subjectIdentifier
Grouper loader LDAP subject attribute name  cmuAndrewCommonNamespaceId
Grouper loader LDAP search base DN          ou=person
Grouper loader LDAP type                    LDAP_GROUPS_FROM_ATTRIBUTES
Grouper loader LDAP group attribute name    cmuDepartment
Grouper loader LDAP source ID               cmuDirectory
Grouper loader LDAP quartz cron             0 0 8 * * ?
Grouper loader LDAP server ID               personLdap
Grouper loader LDAP filter                  (&(objectClass=cmuPerson)(cmuAndrewId=al*)(|(cmuDepartment=Mechanical Engineering)(cmuDepartment=Biological Sciences)(cmuDepartment=English)))
Run the job

 

 

These groups / memberships were created

 

 

LDAP Group List

  • Setup group / folders:     test:loader:groupList
  • Setup attributes:


Text values:

Attribute name                              Value
Grouper loader LDAP search base DN          ou=group
Grouper loader LDAP group name expression   groupList:${loaderLdapElUtils.convertDnToSpecificValue(groupAttributes['dn'])}
Grouper loader LDAP source ID               cmuDirectory
Grouper loader LDAP subject expression      ${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}
Grouper loader LDAP quartz cron             0 0 8 * * ?
Grouper loader LDAP type                    LDAP_GROUP_LIST
Grouper loader LDAP subject ID type         subjectId
Grouper loader LDAP server ID               personLdap
Grouper loader LDAP subject attribute name  member
Grouper loader LDAP filter                  (&(objectClass=cmuGroup)(cn=softdist2:system*))


Run the job



See the results






 
