The info on this page applies to Grouper v2.6 and above.
This page presents the configuration for the Grouper Provisioning framework.
Configuration
Scaffolding (start with) is recommended to help you get started with provisioning configuration.
The configName must match the provisioner config name. Example config in grouper-loader.properties is provisioner.<configName>.subjectSourcesToProvision
"target" is the system being provisioned to
LDAP provisioner config
Config | Example | Description | Notes |
---|---|---|---|
class | edu.whatever.MyProvisioner | Class extends the base provisioner class | This class informs configuration decisions. Required. Read-only. |
hasSubjectLink | true or false | If the subject API is needed to resolve attributes on the subject | required, drives requirements of other configurations. defaults to false. |
hasTargetUserLink | true or false | If subjects need to be resolved in the target before provisioning | defaults to false. required. |
hasTargetGroupLink | true or false | If groups need to be resolved in the target before provisioning | defaults to false. required. |
subjectSourcesToProvision | pennperson | subject sources to provision | optional, defaults to all except g:gsa, grouperExternal, g:isa, localEntities. comma separated list. checkboxes. |
userSearchAttributeName | employeeID | attribute to filter on | required if userAttributes or hasTargetUserLink |
userSearchAttributeValueFormat | ${subject.id} | value for the user search attribute name | required if userAttributes or hasTargetUserLink |
userAttributeReferredToByGroup | dn | in group memberships, this is the value that refers to the user | optional. show if groupMemberships and hasTargetUserLink. defaults to dn |
subjectApiAttributeForTargetUser | | for subject link, this is the subject api identifier that is needed to look up the target user | required. show if hasSubjectLink |
groupAttributeReferredToByUser | dn | in user attributes, this is the value that refers to the group | required. show if userAttributes and hasTargetGroupLink. defaults to dn |
syncMemberToId2AttributeValueFormat | ${targetEntity.attributes['dn']} | main identifier of the user on the target side | show = false |
syncMemberToId3AttributeValueFormat | ${targetEntity.attributes['uid']} | identifier of the user as referred to by the group | show = false |
syncMemberFromId2AttributeValueFormat | ${targetEntity.attributes['netId']} | target attribute value that helps look up user | show = false |
syncMemberFromId3AttributeValueFormat | ${subject.attributes['myLdapId']} | subject attribute value that helps look up user | show = false |
syncGroupToId2AttributeValueFormat | | | show = false |
syncGroupToId3AttributeValueFormat | | | show = false |
syncGroupFromId2AttributeValueFormat | | | show = false |
syncGroupFromId3AttributeValueFormat | | | show = false |
userSearchAttributes | dn,cn,uid,mail,samAccountName,uidNumber,objectclass | attributes to search when getting users | optional. show if userAttributes or hasTargetUserLink. |
userAttributesMultivalued | someAttr | everything is assumed to be single valued except objectclass and the provisionedAttributeName | optional. show if userAttributes or hasTargetUserLink. |
createMissingUsers | true or false | | defaults false, optional. show if userAttributes or hasTargetUserLink |
createMissingGroups | true or false | | defaults to true. show if groupMemberships or hasTargetGroupLink |
groupSearchAttributeName | gidNumber | attribute name to filter on | required. show if groupMemberships or hasTargetGroupLink |
groupSearchAttributeValueFormat | ${syncGroup.groupIdIndex} | value to filter group on | required. show if groupMemberships or hasTargetGroupLink |
groupSearchAttributes | cn,gidNumber,samAccountName,objectclass | attributes to get if searching for groups | optional. show if groupMemberships or hasTargetGroupLink |
groupAttributesMultivalued | someAttr | everything is assumed to be single valued except object class. List attributes in the groupSearchAttribute which are multivalued | optional. show if groupMemberships or hasTargetGroupLink |
deleteInTargetIfInTargetAndNotGrouper | true or false | In a full sync, whether groups that are in the group all filter but not in Grouper should be deleted; for attributes, whether to delete other attributes not provisioned by Grouper | defaults to false |
deleteInTargetIfDeletedInGrouper | true or false | Whether groups that were created in Grouper and then deleted should also be deleted in LDAP; for attributes, whether to delete the attribute value if it was deleted in Grouper | defaults to true |
membershipFields | members read,admin update,admin admin | if provisioning normal memberships or privileges | default to "members" for normal memberships |
recalculateAllOperations | true or false | If the target should be checked before sending actions. e.g. if an addMember is made to a provisionable group, then check the target to see if the entity is already a member first. | default to false |
membershipsConvertToGroupSyncThreshold | 500 | If there are this number of incremental memberships or more for a single provisionable group, then perform a "group sync" instead of the individual operations, for efficiency. -1 to not use this feature | grouper-loader.properties provisionerDefault.membershipsConvertToGroupSyncThreshold, which is 500 |
scoreConvertToFullSyncThreshold | 10000 | In incremental processing, each provisionable group/entity to sync memberships counts as 10, each provisionable membership to sync counts as 1. If the total score is more than this number, it will convert the incrementals to a full sync. e.g. 10000 individual memberships to sync (and not more than 500 in a single group), or 1000 groups to sync, or a combination. -1 means do not convert to full sync | grouper-loader.properties provisionerDefault.scoreConvertToFullSyncThreshold, which is 10000 |
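The two thresholds at the end of the table interact, so the following added example (a Python model written for this page, not Grouper's own code) works through a batch of incremental changes using the rules as the table states them. The function name, the event shape and the boundary handling of "more than" are assumptions.

```python
from collections import Counter

# Defaults quoted in the table above (provisionerDefault.* settings).
GROUP_SYNC_THRESHOLD = 500
FULL_SYNC_THRESHOLD = 10000


def plan_incremental(membership_events, group_events=(),
                     group_sync_threshold=GROUP_SYNC_THRESHOLD,
                     full_sync_threshold=FULL_SYNC_THRESHOLD):
    """Model how one batch of incremental changes would be handled.

    membership_events: (group_name, subject_id) pairs, one per change.
    group_events: groups already queued for a whole-group sync.
    """
    events = list(membership_events)
    per_group = Counter(group for group, _ in events)
    group_syncs = set(group_events)

    # "This number or more" changes in one group become a single group sync;
    # -1 switches the conversion off.
    if group_sync_threshold != -1:
        group_syncs |= {g for g, n in per_group.items()
                        if n >= group_sync_threshold}

    # Assumption: changes in a group being synced as a whole are not also
    # replayed (or scored) one by one.
    individual = [(g, s) for g, s in events if g not in group_syncs]

    # Each group to sync counts 10, each remaining membership counts 1.
    score = 10 * len(group_syncs) + len(individual)

    # Assumption: "more than this number" is strictly greater; -1 never converts.
    full = full_sync_threshold != -1 and score > full_sync_threshold
    return {"mode": "full_sync" if full else "incremental", "score": score,
            "group_syncs": sorted(group_syncs), "individual": individual}


if __name__ == "__main__":
    # Constructed sample: 600 changes in one group, 3 in another.
    sample = [("app:vpn:users", f"s{i}") for i in range(600)]
    sample += [("app:wiki:editors", f"s{i}") for i in range(3)]
    plan = plan_incremental(sample)
    print(plan["mode"], plan["score"], plan["group_syncs"])
```

The same model makes it easy to see which batch sizes tip a provisioner into a full sync, which matters when deleteInTargetIfInTargetAndNotGrouper is enabled.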
Provisioning types
See Also