The info on this page applies to Grouper v2.6 and above.


This page presents the configuration for the Grouper Provisioning framework.

Configuration

Scaffolding (start with) is recommended to help you get started with provisioning configuration.



The configName must match the provisioner config name. For example, a setting in grouper-loader.properties is provisioner.<configName>.subjectSourcesToProvision.

On this page, "target" is the system being provisioned to.

LDAP provisioner config

Each setting is listed with an example value, a description, and notes (whether it is required, its default, and when it is shown in the UI).

class
  Example: edu.whatever.MyProvisionerClass
  Description: Extends the base provisioner class. This class informs configuration decisions.
  Notes: Required. Read-only.

hasSubjectLink
  Example: true or false
  Description: Whether the subject API is needed to resolve an attribute on the subject.
  Notes: Required; drives the requirements of other configurations. Defaults to false.

hasTargetUserLink
  Example: true or false
  Description: Whether subjects need to be resolved in the target before provisioning.
  Notes: Required. Defaults to false.

hasTargetGroupLink
  Example: true or false
  Description: Whether groups need to be resolved in the target before provisioning.
  Notes: Required. Defaults to false.

subjectSourcesToProvision
  Example: pennperson
  Description: Subject sources to provision.
  Notes: Optional; comma-separated list (checkboxes in the UI). Defaults to all sources except g:gsa, grouperExternal, g:isa, localEntities.

userSearchAttributeName
  Example: employeeID
  Description: Attribute to filter on when searching for users.
  Notes: Required if userAttributes or hasTargetUserLink.

userSearchAttributeValueFormat
  Example: ${subject.id}, ${targetEntity.dn}, ${targetEntity.attributes['uid']}
  Description: Value for the user search attribute name.
  Notes: Required if userAttributes or hasTargetUserLink.

userAttributeReferredToByGroup
  Example: dn
  Description: In group memberships, this is the value that refers to the user.
  Notes: Optional. Shown if groupMemberships and hasTargetUserLink. Defaults to dn.

subjectApiAttributeForTargetUser
  Description: For the subject link, this is the subject API identifier needed to look up the target user.
  Notes: Required. Shown if hasSubjectLink.

groupAttributeReferredToByUser
  Example: dn
  Description: In user attributes, this is the value that refers to the group.
  Notes: Required. Shown if userAttributes and hasTargetGroupLink. Defaults to dn.

syncMemberToId2AttributeValueFormat
  Example: ${targetEntity.attributes['dn']}
  Description: Main identifier of the user on the target side.
  Notes: show = false

syncMemberToId3AttributeValueFormat
  Example: ${targetEntity.attributes['uid']}
  Description: Identifier of the user as referred to by the group.
  Notes: show = false

syncMemberFromId2AttributeValueFormat
  Example: ${targetEntity.attributes['netId']}
  Description: Target attribute value that helps look up the user.
  Notes: show = false

syncMemberFromId3AttributeValueFormat
  Example: ${subject.attributes['myLdapId']}
  Description: Subject attribute value that helps look up the user.
  Notes: show = false

syncGroupToId2AttributeValueFormat
  Notes: show = false

syncGroupToId3AttributeValueFormat
  Notes: show = false

syncGroupFromId2AttributeValueFormat
  Notes: show = false

syncGroupFromId3AttributeValueFormat
  Notes: show = false

userSearchAttributes
  Example: dn,cn,uid,mail,samAccountName,uidNumber,objectclass
  Description: Attributes to retrieve when getting users.
  Notes: Optional. Shown if userAttributes or hasTargetUserLink.

userAttributesMultivalued
  Example: someAttr
  Description: Everything is assumed to be single-valued except objectclass and the provisionedAttributeName; list the attributes that are multivalued.
  Notes: Optional. Shown if userAttributes or hasTargetUserLink.

createMissingUsers
  Example: true or false
  Notes: Optional. Defaults to false. Shown if userAttributes or hasTargetUserLink.

createMissingGroups
  Example: true or false
  Notes: Defaults to true. Shown if groupMemberships or hasTargetGroupLink.

groupSearchAttributeName
  Example: gidNumber
  Description: Attribute name to filter on when searching for groups.
  Notes: Required. Shown if groupMemberships or hasTargetGroupLink.

groupSearchAttributeValueFormat
  Example: ${syncGroup.groupIdIndex}
  Description: Value to filter groups on.
  Notes: Required. Shown if groupMemberships or hasTargetGroupLink.

groupSearchAttributes
  Example: cn,gidNumber,samAccountName,objectclass
  Description: Attributes to retrieve when searching for groups.
  Notes: Optional. Shown if groupMemberships or hasTargetGroupLink.

groupAttributesMultivalued
  Example: someAttr
  Description: Everything is assumed to be single-valued except objectclass. List the attributes in groupSearchAttributes which are multivalued.
  Notes: Optional. Shown if groupMemberships or hasTargetGroupLink.

deleteInTargetIfInTargetAndNotGrouper
  Example: true or false
  Description: Whether groups found in the target during a full sync (within the group "all" filter) but not in Grouper should be deleted; for attributes, whether attribute values not provisioned by Grouper should be deleted.
  Notes: Defaults to false.

deleteInTargetIfDeletedInGrouper
  Example: true or false
  Description: Whether groups that were created by Grouper and then deleted in Grouper should also be deleted in LDAP; for attributes, whether an attribute value deleted in Grouper should be deleted in the target.
  Notes: Defaults to true.

membershipFields
  Example: members, or read,admin, or update,admin, or admin
  Description: Whether to provision normal memberships or privileges.
  Notes: Defaults to "members" for normal memberships.

recalculateAllOperations
  Example: true or false
  Description: Whether the target should be checked before sending actions, e.g. when an addMember is made to a provisionable group, first check the target to see if the entity is already a member.
  Notes: Defaults to false.

membershipsConvertToGroupSyncThreshold
  Example: 500
  Description: If there are this many incremental memberships or more for a single provisionable group, perform a "group sync" instead of the individual operations, for efficiency. Set to -1 to disable this feature.
  Notes: The default comes from provisionerDefault.membershipsConvertToGroupSyncThreshold in grouper-loader.properties, which is 500.

scoreConvertToFullSyncThreshold
  Example: 10000
  Description: In incremental processing, each provisionable group/entity whose memberships need syncing counts as 10, and each provisionable membership to sync counts as 1. If the total score is more than this number, the incrementals are converted to a full sync, e.g. 10000 individual memberships to sync (with no more than 500 in a single group), or 1000 groups to sync, or a combination. Set to -1 to never convert to a full sync.
  Notes: The default comes from provisionerDefault.scoreConvertToFullSyncThreshold in grouper-loader.properties, which is 10000.
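The following Python is an added illustration of how the two thresholds above interact; it is not code from the Grouper project. It assumes the per-group conversion to a group sync is applied before scoring and that a converted group counts 10 like any other group whose memberships are synced; the membership events are constructed sample data.

```python
from collections import Counter

# Defaults stated on this page (provisionerDefault.* in grouper-loader.properties)
MEMBERSHIPS_CONVERT_TO_GROUP_SYNC_THRESHOLD = 500
SCORE_CONVERT_TO_FULL_SYNC_THRESHOLD = 10000
GROUP_SYNC_SCORE = 10   # each group/entity whose memberships are synced counts as 10
MEMBERSHIP_SCORE = 1    # each individual membership to sync counts as 1


def plan_incremental(membership_changes, groups_to_sync=(),
                     group_sync_threshold=MEMBERSHIPS_CONVERT_TO_GROUP_SYNC_THRESHOLD,
                     full_sync_threshold=SCORE_CONVERT_TO_FULL_SYNC_THRESHOLD):
    """Decide how a batch of incremental events is processed (illustrative model).

    membership_changes: list of (group_name, subject_id) membership events.
    groups_to_sync: groups that already require a whole-group membership sync.
    A threshold of -1 disables the corresponding conversion, as on the page.
    Returns the chosen mode, the group syncs, the remaining individual
    operations and the computed score.
    """
    per_group = Counter(group for group, _ in membership_changes)
    group_syncs = set(groups_to_sync)

    # Step 1 (assumed order): a group with >= threshold incremental
    # memberships is handled as a group sync instead of individual operations.
    if group_sync_threshold != -1:
        group_syncs.update(g for g, n in per_group.items() if n >= group_sync_threshold)

    # Memberships of group-synced groups are no longer sent individually.
    individual = [(g, s) for g, s in membership_changes if g not in group_syncs]

    # Step 2: score the remaining work; strictly more than the threshold => full sync.
    score = GROUP_SYNC_SCORE * len(group_syncs) + MEMBERSHIP_SCORE * len(individual)
    mode = "incremental"
    if full_sync_threshold != -1 and score > full_sync_threshold:
        mode = "full"
    return {"mode": mode, "group_syncs": group_syncs,
            "individual": individual, "score": score}


if __name__ == "__main__":
    # Constructed sample: 600 adds to one group and 3 adds to another.
    sample = [("app:big", f"s{i}") for i in range(600)]
    sample += [("app:small", f"s{i}") for i in range(3)]
    print(plan_incremental(sample))
```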

Provisioning types

grouperLdapProvisioningCases


See Also

Grouper Provisioning Configuration Scaffolding (start with)
