Child pages
  • vt-ldap to ldaptive migration for LDAP access

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Credentials are no longer stored in the subject.properties file (also formally the sources.xml file).  So the following options are no longer valid in that file.
    • INITIAL_CONTEXT_FACTORY

    • PROVIDER_URL

    • SECURITY_AUTHENTICATION

    • SECURITY_PRINCIPAL

    • SECURITY_CREDENTIALS

    • subjectApi.source.*.param.ldapProperties_file.value (subject.properties no longer uses external property sources, this can be migrated to grouper-loader.properties)

    • VTLDAP_* (pooling config migrated to grouper-loader.properties)


  • Instead you must specify a new property in subject.properties.  "example" should be replaced with the name of your source.  And "personLdap" should be replaced with what your ldap configuration is called in grouper-loader.properties.


    Code Block
    subjectApi.source.example.param.ldapServerId.value = personLdap


  • If you have trouble using the new ldaptive based subject source, you can revert to the vt-ldap based subject source used in Grouper 2.3 by using this configuration in subject.properties.  (Though also inform the Grouper developers via Jira or email in case a fix is needed.)

    Code Block
    subjectApi.source.example.adapterClass = edu.internet2.middleware.subject.provider.LdapSourceAdapterLegacy


...

  • Changes may not be needed here since the loader was already using the grouper-loader.properties file.  However, if you used vt-ldap specific properties, changes may be needed.
  • If you have trouble using ldaptive, you can revert back to vt-ldap using this configuration in grouper.properties.  (Though also inform the Grouper developers via Jira or email in case a fix is needed.)

    Code Block
    ldap.implementation.className = edu.internet2.middleware.grouper.ldap.vtldap.VTLdapSessionImpl


...

  • Changes may not be needed here since the web services were already using the grouper-loader.properties file.  However, if you used vt-ldap specific properties, changes may be needed.
  • If you have trouble using ldaptive, you can revert back to vt-ldap using this configuration in grouper.properties.  (Though also inform the Grouper developers via Jira or email in case a fix is needed.)

    Code Block
    ldap.implementation.className = edu.internet2.middleware.grouper.ldap.vtldap.VTLdapSessionImpl


...

  • Look at the grouper-loader.base.properties file for the latest configuration options.
  • Your configuration should go in grouper-loader.properties.
  • ldap.<connection name>.url is the only property that's required (unless you specify the url using the configFileFromClasspath configuration).
  • The default pooling validator is SearchValidator.  And the validation is done on connection checkout by default.  ConnectLdapValidator is no longer valid.
  • ldap.personLdap.validatorCompareSearchFilterString has been changed to ldap.personLdap.validatorCompareAttribute and ldap.personLdap.validatorCompareValue
  • Search result handlers have changed, although there is a shim to map the old ones.


Code Block
#################################
## LDAP connections
#################################
# specify the ldap connection with user, pass, url
# the string after "ldap." is the ID of the connection, and it should not have
# spaces or other special chars in it.  In this case is it "personLdap"

#note the URL should start with ldap: or ldaps: if it is SSL.
#It should contain the server and port (optional if not default), and baseDn,
#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
#ldap.personLdap.url = ldaps://ldapserver.school.edu:636/dc=school,dc=edu

# load this ldaptive config file before the configs here.  load from classpath
#ldap.personLdap.configFileFromClasspath = ldap.personLdap.properties

#optional, if authenticated
#ldap.personLdap.user = uid=someapp,ou=people,dc=myschool,dc=edu

#optional, if authenticated, note the password can be stored encrypted in an external file
#ldap.personLdap.pass = secret

#optional, if you are using tls, set this to true.  Generally you will not be using an SSL URL to use TLS...
#ldap.personLdap.tls = false

#optional, if using sasl
#ldap.personLdap.saslAuthorizationId =
#ldap.personLdap.saslRealm =

#optional (note, time limit is for search operations, timeout is for connection timeouts),
#most of these default to ldaptive defaults.  times are in millis
#validateOnCheckout defaults to true if all other validate methods are false
#ldap.personLdap.batchSize =
#ldap.personLdap.countLimit =
#ldap.personLdap.timeLimit =
#ldap.personLdap.timeout =
#ldap.personLdap.minPoolSize =
#ldap.personLdap.maxPoolSize =
#ldap.personLdap.validateOnCheckIn =
#ldap.personLdap.validateOnCheckOut =
#ldap.personLdap.validatePeriodically =
#ldap.personLdap.validateTimerPeriod =
#ldap.personLdap.pruneTimerPeriod =
# if there is a max size limit on ldap server, then this will retrieve results in pages
#ldap.personLdap.pagedResultsSize =
# set to 'follow' if using AD and using paged results size and need this for some reason (generally you shouldnt)
#ldap.personLdap.referral =
# validator setup, currently supports CompareLdapValidator and SearchValidator.  additional properties below for CompareLdapValidator.
ldap.personLdap.validator = SearchValidator
#ldap.personLdap.validator = CompareLdapValidator
#ldap.personLdap.validatorCompareDn = ou=people,dc=example,dc=com
#ldap.personLdap.validatorCompareAttribute = ou
#ldap.personLdap.validatorCompareValue = people
# comma-delimited list of classes to process LDAP search results. Useful if AD returns a ranged attribute for large
# groups (e.g., member;range=0-1499); include the GrouperRangeEntryHandler to handle progressive fetching.
#ldap.personLdap.searchResultHandlers=org.ldaptive.handler.DnAttributeEntryHandler,edu.internet2.middleware.grouper.ldap.ldaptive.GrouperRangeEntryHandler
# comma-delimited list of result codes (org.ldaptive.ResultCode) to ignore, e.g. TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS
#ldap.personLdap.searchIgnoreResultCodes=SIZE_LIMIT_EXCEEDED

...