
Welcome to the University of Kansas Grouper Page

(page last updated in 2008; the Signet project is no longer active)

I (Kathryn Huxtable) have been particularly interested in how to get base group data from an identity management system (IdMS) into Grouper, and how to provision external systems with information from Grouper and Signet, with a special focus on feeding the data back to the IdMS so that its normal provisioning mechanisms can be used.

Subject API changes for v0.3.0 - for use by Signet and Grouper

A common API used by both Grouper and Signet is the Subject API, which provides an abstraction for a local implementation of entities (subjects) that may be members of groups in Grouper or recipients of permissions in Signet.

I have been working on the Subject API to produce better performance and also to move it towards a 1.0 release, with better flexibility for extension and better testing. On March 10 I checked in 0.3.0 release candidate 1 (SUBJECT_0_3_0_RC1), which escapes the queries to avoid LDAP or SQL injection into queries. It also uses prepared statements for the JDBC source adapter. Because the getParameterMetaData method is not supported in the ojdbc14 driver (Oracle), one must specify the number of parameters in the SQL statement.

We're thinking that for the future we probably want to be able to pass a hash map of named parameter/value pairs, in which case we'll need a way to map the parameter names to one or more parameter placeholders.
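One way the named-parameter mapping described above could work, as an added example that is not code from the Subject API: `:name` markers are rewritten to JDBC `?` placeholders, each name is mapped to one or more 1-based positions, and the placeholder count is known without calling getParameterMetaData. The `NamedQuery` class, the `:name` syntax, and the table and column names are assumptions made for illustration.

```java
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.*;

/** Hypothetical helper, not part of the Subject API. */
public class NamedQuery {
    final String sql;                       // statement text with '?' placeholders
    final Map<String, List<Integer>> positions = new LinkedHashMap<>(); // name -> 1-based indexes
    final int parameterCount;               // known without getParameterMetaData()

    NamedQuery(String namedSql) {
        StringBuilder out = new StringBuilder();
        boolean inLiteral = false;
        int count = 0;
        // Only '...' literals are skipped; SQL comments and '::' casts are not handled.
        for (int i = 0; i < namedSql.length(); i++) {
            char c = namedSql.charAt(i);
            if (c == '\'') inLiteral = !inLiteral;
            if (!inLiteral && c == ':' && i + 1 < namedSql.length()
                    && Character.isJavaIdentifierStart(namedSql.charAt(i + 1))) {
                int j = i + 1;
                while (j < namedSql.length() && Character.isJavaIdentifierPart(namedSql.charAt(j))) j++;
                String name = namedSql.substring(i + 1, j);
                positions.computeIfAbsent(name, k -> new ArrayList<>()).add(++count);
                out.append('?');
                i = j - 1;                  // continue after the parameter name
            } else {
                out.append(c);
            }
        }
        if (inLiteral) throw new IllegalArgumentException("unterminated string literal");
        sql = out.toString();
        parameterCount = count;
    }

    /** Binds every placeholder; values are sent as parameters, never spliced into the SQL text. */
    void bind(PreparedStatement ps, Map<String, ?> values) throws SQLException {
        for (Map.Entry<String, List<Integer>> e : positions.entrySet()) {
            if (!values.containsKey(e.getKey()))
                throw new IllegalArgumentException("no value for :" + e.getKey());
            for (int index : e.getValue()) ps.setObject(index, values.get(e.getKey()));
        }
    }

    public static void main(String[] args) {
        // Constructed sample query; :term is used twice, and ':x' inside the literal is left alone.
        NamedQuery q = new NamedQuery("SELECT id, name FROM subject "
            + "WHERE (loginid = :term OR name = :term) AND note <> ':x' AND type = :type");
        System.out.println(q.sql + "\n" + q.positions + " count=" + q.parameterCount);
    }
}
```

With a live connection, `connection.prepareStatement(q.sql)` followed by `q.bind(ps, values)` sets each value at every position recorded for its name.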

For additional details, please refer to Kathryn Huxtable's email to the Grouper-dev and Signet-dev mailing lists (cf. 21-Feb-07). The following is a sample sources.xml file in the new format.

RDBPC - Relational Database Provisioning Connector

In January of 2007 the first version of the Signet-Grouper LDAP Provisioning Connector (Ldappc) was released. This provides a reasonable way to provision data from Signet and Grouper into an LDAP directory, from which it could be used by clients needing access control.

My main issues with this software are that it is insufficiently flexible and that its performance is not good for large groups. I developed an alternative for KU that provisions our IdMS RDBMS. I have also been developing an alternative, which will be able to provision LDAP and also relational databases, using flexible, extensible downstream provisioning connectors.

    For more on its background, refer to Kathryn's email (cf. 29-Jan - 6-Feb, subject: Ldappc issues)

    RDBPC - take a look at this sample configuration file; a test suite is forthcoming.

RBACPC - Role Based Access Control Provisioning Connector

I'm tentatively calling my combination LDAP/RDBMS provisioner RBACPC. The Rbacpc page is a work in progress.