 These topics are discussed in the "Grouper Provisioning Service Provider" training series.

For Provisioning with the Grouper 2.3 Release, see this page

Introduction

Grouper groups, memberships, and stems may be provisioned using the provisioning service provider (PSP, formerly known as LDAPPC-NG).

Currently, the psp supports SPMLv2 requests represented as Java objects via the OASIS SPMLv2 implementation. The requester is Grouper's command line interface, gsh.

Usage

The psp may be run using GrouperShell (gsh).

One of -bulkCalc, -bulkDiff, -bulkSync, -calc <id>, -diff <id>, or -sync <id> must be specified. All other arguments are optional.

calc

Calculate how an object should be provisioned.

Upon receipt of a calc request, the psp will calculate how an object (or objects) should be provisioned, and will return a calc response representing the correct provisioning.

diff

Determine the changes necessary to transform a provisioned object from how it is currently provisioned to how it should be provisioned.

Upon receipt of a diff request, the psp first performs a calc request to calculate how objects should be provisioned. Then, the PSP queries each target to determine how the objects are currently provisioned. The psp returns a diff response representing the changes necessary to synchronize the provisioned objects from how they are currently provisioned to how they should be. The changes consist of add, delete, and/or modify requests.

sync

Synchronize a provisioned object.

Upon receipt of a sync request, the psp first performs a diff request to determine provisioning changes. Then, the PSP requests targets to perform the changes, and returns the results as a sync response.

bulkCalc|bulkDiff|bulkSync

Bulk requests operate on all configured source identifiers, and include the removal of orphan objects (provisioned objects for which no source identifier is known).
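As an added illustration that is not psp code, the calc, diff and sync steps above modelled in Python for one ldap target: groups are provisioned flat as groupOfNames entries with member DNs (the layout used by the ldap configuration examples later on this page), orphans are removed only by an authoritative bulk request, and the empty-group failure from the Known Issues section below is handled. Group names, subject ids and target contents are constructed.

```python
# Added example, not psp code: a model of the calc -> diff -> sync pipeline for one ldap target.
# Groups are provisioned flat as groupOfNames entries whose member values are people DNs
# (constructed data; the base DNs are assumed to match the ldap.properties example).

GROUPS_BASE_DN = "ou=groups,dc=example,dc=edu"  # edu.internet2.middleware.psp.groupsBaseDn
PEOPLE_BASE_DN = "ou=people,dc=example,dc=edu"  # edu.internet2.middleware.psp.peopleBaseDn


def calc(groups):
    """calc: how each Grouper group should be provisioned (dn -> attribute -> set of values).
    `groups` maps a Grouper group name to the subject ids of its members."""
    wanted = {}
    for name, member_ids in groups.items():
        wanted[f"cn={name},{GROUPS_BASE_DN}"] = {
            "objectClass": {"groupOfNames"},
            "cn": {name},
            "member": {f"uid={sid},{PEOPLE_BASE_DN}" for sid in member_ids},
        }
    return wanted


def diff(wanted, current, authoritative=True, bulk=False):
    """diff: compare the calc result with the target's current entries and emit (op, dn, payload)
    add/modify/delete requests. Orphans (target entries with no source object) are deleted only
    by a bulk request on an authoritative provisioned object."""
    requests = []
    for dn, attrs in wanted.items():
        if dn not in current:
            requests.append(("add", dn, attrs))
            continue
        mods = {}
        for attr, values in attrs.items():
            have = current[dn].get(attr, set())
            if values - have:
                mods.setdefault(attr, {})["add"] = sorted(values - have)
            if have - values:
                mods.setdefault(attr, {})["delete"] = sorted(have - values)
        if mods:
            requests.append(("modify", dn, mods))
    if bulk and authoritative:
        requests.extend(("delete", dn, None) for dn in current if dn not in wanted)
    return requests


def sync(requests, target):
    """sync: apply the requests to `target` (a dict standing in for the directory) and return one
    (op, dn, status) per request. groupOfNames requires at least one member, so a request that
    would leave a group with none is rejected, as the Known Issues section describes."""
    results = []
    for op, dn, payload in requests:
        if op == "add":
            entry = {attr: set(values) for attr, values in payload.items()}
        elif op == "modify":
            entry = {attr: set(values) for attr, values in target[dn].items()}
            for attr, change in payload.items():
                values = entry.setdefault(attr, set())
                values.update(change.get("add", []))
                values.difference_update(change.get("delete", []))
        else:  # delete
            del target[dn]
            results.append((op, dn, "success"))
            continue
        if "groupOfNames" in entry.get("objectClass", set()) and not entry.get("member"):
            results.append((op, dn, "failure: groupOfNames requires at least one member"))
            continue
        target[dn] = entry
        results.append((op, dn, "success"))
    return results


def run_example(bulk=True):
    """Constructed scenario: faculty needs one member added and one removed, students is new,
    newgroup is new but empty, and orphan exists on the target without a Grouper group."""
    groups = {"faculty": ["alice", "bob"], "students": ["carol"], "newgroup": []}
    target = {
        f"cn=faculty,{GROUPS_BASE_DN}": {
            "objectClass": {"groupOfNames"}, "cn": {"faculty"},
            "member": {f"uid=alice,{PEOPLE_BASE_DN}", f"uid=dave,{PEOPLE_BASE_DN}"}},
        f"cn=orphan,{GROUPS_BASE_DN}": {
            "objectClass": {"groupOfNames"}, "cn": {"orphan"},
            "member": {f"uid=alice,{PEOPLE_BASE_DN}"}},
    }
    requests = diff(calc(groups), target, authoritative=True, bulk=bulk)
    return requests, sync(requests, target), target
```

Running run_example(bulk=False) produces the same modify and add requests but leaves the orphan entry on the target, which is the difference between -sync <id> and -bulkSync.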

LDAPPC-NG -> PSP

The code formerly known as "ldappc-ng" has been refactored to "psp".

module                       | description
-----------------------------|--------------------------------------------------------------------------------------------------------------
psp                          | The provisioning service provider and provisioning engine.
psp-distribution             | Distribution package.
psp-distribution-for-grouper | Distribution package for Grouper.
psp-example-*                | Example configuration and junit test modules.
psp-grouper-changelog        | Grouper change log integration including data connectors and change log consumer.
psp-grouper-ldap             | Grouper and LDAP integration including attribute definitions to transform Grouper names to LDAP DNs and vice versa.
psp-grouper-source           | Data connectors which return the identifiers of all Grouper groups, stems, and members.
psp-grouper-target           | Grouper provisioning target.
psp-ldap-target              | LDAP provisioning target.
psp-parent                   | Parent project.

"Real-Time" Provisioning

Real-time provisioning is the provisioning of groups, stems, and memberships triggered from the Grouper change log. In Grouper 2.1 real-time incremental provisioning is available using the PSP. Real-time full provisioning is not yet available. Incremental provisioning is distinguished from full provisioning in that only a single value or a subset of an attribute's values is provisioned.

These instructions assume that Grouper subjects are already provisioned to your LDAP directory, and make use of the vt-ldap based ldap source adapter.

Known Issues with "Real Time" Provisioning
  • The PSP will run the Shibboleth attribute resolver for every entry in the change log, including entries for which it will eventually do nothing. This is done because the Shibboleth Attribute Resolver is set up to resolve all attributes prior to returning the data for further evaluation.
  • You cannot create an empty group to be incrementally provisioned. The groupOfNames schema that most LDAP and AD setups use REQUIRES at least one member. In practice, this means that you must add a member to a group within about 45 seconds of creation of that group or provisioning (and subsequent updates) will fail for that group. The only way to fix a group broken in this manner is to sync that group manually via gsh -psp -sync group:that:is:broken. After running that command, the PSP will resume incrementally maintaining the group.

Requirements

  • Grouper API (requires Java 6 and a database, details are here)
  • provisioning service provider (PSP)
  • LDAP directory

Install : Grouper Installer

To install Grouper including the API, UI, WS, grouperClient, psp, etc., download and run the Grouper Installer.

curl http://www.internet2.edu/grouper/release/2.1.0/grouperInstaller.jar -O
java -jar grouperInstaller.jar

Install : Manual

Install the provisioning service provider by copying jar files and example configuration files from the psp distribution to your Grouper API installation.

To install manually, download and unpack the psp, then copy jars and configuration files to your Grouper API installation.

Install : Manual - Download and Unpack the PSP

Download the PSP here and unpack.

curl http://www.internet2.edu/grouper/release/2.1.0/grouper.psp-2.1.0.tar.gz -O
tar xzf grouper.psp-2.1.0.tar.gz

Install : Manual - Copy Jars

Copy jars located in lib/custom from the PSP distribution to the Grouper API installation.

cp -vR grouper.psp-2.1.0/lib/custom/ grouper.apiBinary-2.1.0/lib/custom/

Install : Copy Example Configuration Files

Copy example configuration files located in conf from the psp distribution to the Grouper API installation.

cp -vR grouper.psp-2.1.0/conf/ grouper.apiBinary-2.1.0/conf/

Configuration Example : Grouper to LDAP

This configuration example should apply to any ldap directory server.

examples     | psp-example-grouper-to-ldap
DN structure | bushy
member       | member DNs

Configuration Example : Grouper to Tivoli

This configuration example targets an IBM Tivoli Directory Server with requirements from Penn State.

examples     | psp-example-grouper-to-tivoli
DN structure | flat
member       | member subject ids
memberOf     | group DNs
hasMember    | member names
isMemberOf   | group names

Configuration Example : Grouper to OpenLDAP

This configuration example applies to OpenLDAP, and includes provisioning the mailLocalAddress attribute sourced from the Grouper attribute framework.

The mailLocalAddress and seeAlso attribute definitions are created in Grouper with the following gsh (java) commands :

// Start a root GrouperSession and locate the etc:attribute stem that will own the definitions.
GrouperSession.startRootSession();
Stem etcAttributeStem = StemFinder.findByName(GrouperSession.staticGrouperSession(), "etc:attribute", true);

// mailLocalAddress : a multi-valued string attribute assignable to groups.
AttributeDef attributeDef = etcAttributeStem.addChildAttributeDef("mailLocalAddressAttributeDef", AttributeDefType.attr);
attributeDef.setAssignToGroup(true);
attributeDef.setMultiValued(true);
attributeDef.setValueType(AttributeDefValueType.string);
attributeDef.store();
etcAttributeStem.addChildAttributeDefName(attributeDef, "mailLocalAddress", "mailLocalAddress");

// seeAlso : a multi-valued string attribute assignable to stems.
AttributeDef seeAlsoAttributeDef = etcAttributeStem.addChildAttributeDef("seeAlsoAttributeDef", AttributeDefType.attr);
seeAlsoAttributeDef.setAssignToStem(true);
seeAlsoAttributeDef.setMultiValued(true);
seeAlsoAttributeDef.setValueType(AttributeDefValueType.string);
seeAlsoAttributeDef.store();
etcAttributeStem.addChildAttributeDefName(seeAlsoAttributeDef, "seeAlso", "seeAlso");

Configuration Example : Grouper to OpenLDAP MemberOf Overlay

This configuration example applies to an OpenLDAP directory with the memberOf overlay. This example is similar to the OpenLDAP example, except that the memberOf attribute is not provisioned by the psp.

examples     | psp-example-grouper-to-openldap-memberof-overlay
DN structure | bushy
hasMember    | member names
isMemberOf   | group names
member       | member DNs

Configuration Example : Grouper to OpenLDAP Multiple

This configuration example provisions multiple OpenLDAP directories, and is based on a request from the University of Modena and Reggio Emilia on the grouper-users@internet2.edu mail list.

examples     | psp-example-grouper-to-openldap-multiple
DN structure | bushy
hasMember    | member names
isMemberOf   | group names
member       | member DNs
memberOf     | group DNs

Configuration Example : Grouper to Active Directory

A contribution from Sébastien Gagné, Université de Montréal.

examples     | psp-example-grouper-to-active-directory
DN structure | bushy
member       | member DNs

Configuration Example : LDAP to Grouper

This example provisions groups, stems, and memberships from an ldap directory to Grouper.

Configure LDAP Provisioning Target

The LDAP provisioning target connection is configured in ldap.properties.

ldap.properties :
# The base DN for groups.
edu.internet2.middleware.psp.groupsBaseDn = ou=groups,dc=example,dc=edu
# The base DN for people.
edu.internet2.middleware.psp.peopleBaseDn = ou=people,dc=example,dc=edu

Configure LDAP Provisioning Structure : Flat

In a flat structure all groups are provisioned under a single base DN (container ID). A flat group's ldap RDN is its Grouper name or displayName.

ldap.properties :
edu.internet2.middleware.psp.structure=flat
edu.internet2.middleware.psp.cnSourceAttributeID=name

Configure LDAP Provisioning Structure : Bushy

In a bushy structure groups are provisioned hierarchically, with stems as branches (ldap organizationalUnits) in the tree. A bushy group's RDN is its Grouper extension or displayExtension.

ldap.properties :
edu.internet2.middleware.psp.structure=bushy
edu.internet2.middleware.psp.cnSourceAttributeID=extension
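Added example (not psp code) of how the flat and bushy structures described above turn Grouper names into ldap DNs. It assumes groupsBaseDn from the ldap.properties example and escapes RDN values per RFC 4514, so that a Grouper name containing "," or "+" cannot change the structure of the DN created on the target; split_rdns is a small check of that.

```python
# Added example, not psp code: flat vs. bushy DN construction for Grouper groups and stems,
# with RFC 4514 escaping of RDN values. GROUPS_BASE_DN is assumed to match ldap.properties.

GROUPS_BASE_DN = "ou=groups,dc=example,dc=edu"  # edu.internet2.middleware.psp.groupsBaseDn

# RFC 4514 section 2.4: these characters must be escaped anywhere in an RDN attribute value;
# '#' must be escaped at the start of a value and ' ' at the start or end of a value.
_SPECIALS = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape one Grouper name component for use as an ldap RDN value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def flat_group_dn(group_name, base_dn=GROUPS_BASE_DN):
    """Flat structure (cnSourceAttributeID=name): every group sits directly under base_dn
    and its RDN is the full Grouper name, colons included."""
    return f"cn={escape_rdn_value(group_name)},{base_dn}"


def bushy_stem_dn(stem_name, base_dn=GROUPS_BASE_DN):
    """Bushy structure: each stem in the Grouper name becomes an organizationalUnit nested
    under its parent stem's ou."""
    dn = base_dn
    for extension in stem_name.split(":"):
        dn = f"ou={escape_rdn_value(extension)},{dn}"
    return dn


def bushy_group_dn(group_name, base_dn=GROUPS_BASE_DN):
    """Bushy structure (cnSourceAttributeID=extension): the RDN is the group's extension and
    its container is the ou tree of its parent stem (groups in the root stem go under base_dn)."""
    stem, _, extension = group_name.rpartition(":")
    container = bushy_stem_dn(stem, base_dn) if stem else base_dn
    return f"cn={escape_rdn_value(extension)},{container}"


def split_rdns(dn):
    """Split a DN on unescaped commas; used to check that escaping kept the intended structure."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep escape pairs intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    return rdns
```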

Configure LDAP Base DNs

The example default base DN is dc=example,dc=edu. Change the base DN in ldap.properties :

sources.xml :
<source adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">
    <id>ldap</id>
    <name>LdapSourceAdapter</name>
    <type>person</type>

    <search>
        <searchType>searchSubject</searchType>
        ...
        <param>
            <param-name>base</param-name>
            <param-value>ou=people,dc=example,dc=edu</param-value>
        </param>

    </search>
    <search>
        <searchType>searchSubjectByIdentifier</searchType>
        ...
        <param>
            <param-name>base</param-name>
            <param-value>ou=people,dc=example,dc=edu</param-value>
        </param>
    </search>

    <search>
       <searchType>search</searchType>
         ...
         <param>
            <param-name>base</param-name>
            <param-value>ou=people,dc=example,dc=edu</param-value>
        </param>
    </search>

Configure LDAP Subject Source

Configure Grouper to look for subjects in your LDAP directory by using the ldap source adapter.

sources.xml :
<source adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">
    <id>ldap</id>
    <name>LdapSourceAdapter</name>
    <type>person</type>

    <init-param>
      <param-name>ldapProperties_file</param-name>
      <param-value>ldap.properties</param-value>
    </init-param>

Configure LDAP Subject Source ID Other Than "ldap"

The id of the Grouper LDAP subject source adapter, <id>ldap</id>, appears in several psp configuration files. If your Grouper LDAP subject source adapter id is not "ldap", you should read the following and make changes to your psp configuration files. In the following examples, the Grouper LDAP subject source id has been changed from "ldap" to "ad".

psp-resolver.xml :
<!-- The value of the "changeLogMembershipLdapSubjectId" attribute is the subject identifier of the "ldap" source member
    of a membership change log entry. -->
  <resolver:AttributeDefinition
    id="changeLogMembershipLdapSubjectId"
    xsi:type="ad:Script">
    <resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
    <resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
    <ad:Script><![CDATA[here|Grouper:Notifications (change log)]]></ad:Script>
  </resolver:AttributeDefinition>

Configure LDAP Subject Source in Grouper UI

Copy sources.xml and ldap.properties from the Grouper API to the Grouper UI.

ldap.properties :
# edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.psp.ldap.QuotedDnResultHandler,...

Configure LDAP Subject Source in Grouper WS

TODO

Configure LDAP DNs Created from Grouper Names

A provisioned object requires a unique identifier. When provisioning an ldap target, provisioned object identifiers are ldap distinguished names (DNs).

psp-resolver.xml :
<resolver:AttributeDefinition
    id="groupNameInStem"
    xsi:type="grouper:FilteredName"
    sourceAttributeID="displayName">
    ...

Configure Grouper Stem to be Provisioned

Configure the name of the Grouper stem to be provisioned. By default this is the root stem, which is the empty string.

ldap.properties :
# The base Grouper stem to be provisioned.
edu.internet2.middleware.psp.baseStem=

Configure Grouper Change Log

The Grouper change log is configured in grouper-loader.properties.

The Quartz cron string documentation is here.

Configure Grouper Logging

You may want to change the Grouper log file appenders in grouper.apiBinary-2.1.0/conf/log4j.properties.

log4j.properties :
log4j.appender.grouper_error                            = org.apache.log4j.DailyRollingFileAppender
log4j.appender.grouper_error.File                       = ${grouper.home}logs/grouper_error.log
log4j.appender.grouper_error.DatePattern                = '.'yyyy-MM-dd

log4j.appender.grouper_event                            = org.apache.log4j.DailyRollingFileAppender
log4j.appender.grouper_event.File                       = ${grouper.home}logs/grouper_event.log
log4j.appender.grouper_event.DatePattern                = '.'yyyy-MM-dd

Configure Grouper Versions Prior to 2.1.0

Note : The following changes are necessary to support provisioning Grouper API versions prior to 2.1.0 with the psp.

3. For Grouper API versions prior to 2.1.0, the ldap source adapter in subject.jar does not provide the method which allows the psp to re-use the same ldap connection as the subject source. You will need to copy lib/grouper/subject.jar from the Grouper 2.1.0 API distribution to your pre-2.1.0 Grouper API installation.

Configure Subject API Cache

The Subject API cache is configured in grouper.ehcache.xml.

grouper.ehcache.xml :
<!-- Subject resolving caching -->

 <!-- @see   CachingResolver#find(...) -->
 <cache  name="edu.internet2.middleware.grouper.subj.CachingResolver.Find"
         maxElementsInMemory="5000"
         eternal="false"
         timeToIdleSeconds="30"
         timeToLiveSeconds="120"
         overflowToDisk="false"
         statistics="true"
 />

 <!-- @see   CachingResolver#findAll(...) -->
 <cache  name="edu.internet2.middleware.grouper.subj.CachingResolver.FindAll"
         maxElementsInMemory="5000"
         eternal="false"
         timeToIdleSeconds="30"
         timeToLiveSeconds="120"
         overflowToDisk="false"
         statistics="true"
 />

 <!-- @see   CachingResolver#findByIdentifier(...) -->
 <cache  name="edu.internet2.middleware.grouper.subj.CachingResolver.FindByIdentifier"
         maxElementsInMemory="5000"
         eternal="false"
         timeToIdleSeconds="30"
         timeToLiveSeconds="120"
         overflowToDisk="false"
         statistics="true"
 />

 <!-- @see   CachingResolver#findByIdOrIdentifier(...) -->
 <cache  name="edu.internet2.middleware.grouper.subj.CachingResolver.FindByIdOrIdentifier"
         maxElementsInMemory="5000"
         eternal="false"
         timeToIdleSeconds="30"
         timeToLiveSeconds="120"
         overflowToDisk="false"
         statistics="true"
 />

Configure PSP : Provisioning Service Provider

The psp configuration files are :

psp.xml          | Configuration for the objects, identifiers, attributes, and references to be provisioned to a target.
psp-resolver.xml | Configuration for the Shibboleth attribute resolver.
psp-services.xml | Configuration for Shibboleth services such as the attribute resolver, psp, and provisioning targets.
psp-internal.xml | Bootstraps Shibboleth.

Configure PSP : SPMLv2 Provisioned Objects, Identifiers, Attributes and References

The objects, identifiers, attributes, and references to be provisioned are defined in psp.xml.

Configure PSP : Provisioned Objects

Provisioned objects, or in SPMLv2 terms Provisioning Service Objects, consist of identifiers, attributes (probably), and references (maybe) to the identifiers of other objects, which are most likely located on the same provisioning target.

property                | default | value
------------------------|---------|-----------------------------------------------------------------------------------------------------------
id                      |         | the unique id of the provisioned object
authoritative           | true    | If true, orphan objects will be deleted. Orphan objects exist on a target with no corresponding source object.
allSourceIdentifiersRef |         | The id of an attribute resolver definition whose values are all source identifiers applicable to this provisioned object.

Configure PSP : Identifiers

Identifiers consist of a string ID, a target ID, and possibly a container ID. We consider a container ID to be similar to an ldap base DN. A container ID is itself an identifier, recursing potentially indefinitely.

LDIF identifier :
dn: cn=group,ou=groups,dc=example,dc=edu

Configure PSP : Identifying Attribute

The optional <identifyingAttribute/> of a provisioned object has two purposes : (1) to determine the schema entity of target objects returned from a lookup or search request and (2) to be converted to a query when searching a target for all identifiers. If <identifyingAttribute/> is not present, the provisioned object will be ignored during bulk requests.

For example, in the configuration example above, the psp will perform an ldap search with filter "(objectClass=organizationalUnit)" to retrieve the identifiers of all provisioned stems as well as an ldap search with filter "(objectclass=groupOfNames)" to retrieve the identifiers of all provisioned groups. The base of each search will be the containerId of the <identifier/> element.

Configure PSP : Alternate Identifier

The optional <alternateIdentifier/> element configures the psp to rename provisioned objects. It refers to an attribute resolver definition whose value is the previous (old) identifier of an object after it has been renamed. If <alternateIdentifier/> is not present, provisioned objects will not be renamed, instead the old object will be deleted and a new object created.

property | value
---------|-----------------------------------------------------------------------------------------------------
ref      | The id of the Shibboleth attribute definition whose value is the previous SPMLv2 PSO Identifier.

Configure PSP : Attributes

Attributes are name-value pairs, probably multi-valued, with case-sensitive names and values. The psp returns values in the same order as they were given to it.

LDIF attribute :
dn: cn=group,ou=groups,dc=example,dc=edu
cn: group

Configure PSP : References

A reference refers to the identifier of another object. It consists of two identifiers, the "from object" and the "to object", and is directional, as in a directed graph.

LDIF reference :
dn: cn=group,ou=groups,dc=example,dc=edu
cn: group
member: uid=person,ou=people,dc=example,dc=edu

dn: uid=person,ou=people,dc=example,dc=edu
...

Configure PSP : Attribute Resolver

The values of the identifiers, attributes, and references to be provisioned are defined by a Shibboleth attribute resolver configuration, psp-resolver.xml.

psp-services.xml :
<!-- The attribute resolver. -->
  <Service
    id="psp.AttributeResolver"
    xsi:type="attribute-resolver:ShibbolethAttributeResolver">
    <ConfigurationResource
      file="/psp-resolver.xml"
      xsi:type="resource:ClasspathResource">
      <ResourceFilter
        xsi:type="grouper:ClasspathPropertyReplacement"
        xmlns="urn:mace:shibboleth:2.0:resource"
        propertyFile="/ldap.properties" />
    </ConfigurationResource>
  </Service>

Configure PSP : Attribute Resolver and Grouper Integration

Please see Grouper and Shibboleth Integration.

Configure PSP : Attribute Resolver and Grouper ChangeLog Integration

Real-time provisioning based on the Grouper change log involves the transformation of change log entries into provisioning operations.

The psp-grouper-changelog project provides a change log consumer implementation, edu.internet2.middleware.psp.grouper.PspChangeLogConsumer. Documentation for Grouper change log consumers is here.

Configure PSP : PspChangeLogConsumer

The PspChangeLogConsumer processes change log entries which match the following hardcoded change log actions and categories. A future version should allow for configuration via xml or property files.

  • addAttributeAssignValue
  • deleteAttributeAssignValue
  • addGroup
  • deleteGroup
  • updateGroup
  • addMembership
  • deleteMembership
  • addStem
  • deleteStem
  • updateStem

Configure PSP : Logging and Output

The psp is a Shibboleth service which is configured in psp-services.xml.

psp-services.xml :
<!-- The provisioning service provider. -->
  <Service
    id="psp"
    xsi:type="psp:ProvisioningServiceProvider"
    depends-on="psp.AttributeAuthority"
    authority="psp.AttributeAuthority"
    logSpml="true"
    writeRequests="false"
    writeResponses="false"
    pathToOutputFile="">
    <ConfigurationResource
      file="/psp.xml"
      xsi:type="resource:ClasspathResource">
      <ResourceFilter
        xsi:type="grouper:ClasspathPropertyReplacement"
        xmlns="urn:mace:shibboleth:2.0:resource"
        propertyFile="/ldap.properties" />
    </ConfigurationResource>
  </Service>

Configure PSP : LDAP Target

The LDAP target to be provisioned is a Shibboleth service configured in psp-services.xml.

psp-services.xml :
<!-- The ldap target. The ldapPoolIdSource is either "grouper" or "spring". -->
  <!-- If ldapPoolIdSource is "spring", the ldapPoolId must be the id of the ldap pool bean in the vt-ldap xml spring configuration. -->
  <!-- If ldapPoolIdSource is "grouper", the ldapPoolId must be the id of the LdapSourceAdapter in sources.xml -->
  <Service
    id="ldap"
    xsi:type="psp-ldap-target:LdapTarget"
    logSpml="true"
    ldapPoolId="ldap"
    ldapPoolIdSource="grouper">
    <!-- A <ConfigurationResource/> is required to instantiate the <Service/>, so supply a do-nothing resource. -->
    <ConfigurationResource
      file="/edu/internet2/middleware/psp/util/empty-bean.xml"
      xsi:type="resource:ClasspathResource" />
  </Service>

Provision Grouper

Before you can provision anything from Grouper to ldap or anywhere else, you will need to create the corresponding objects in Grouper using the UI, API, GSH, WS, loader, import, etc.

Provision Grouper : GSH

To calculate how a group should be provisioned, use -calc <id>; to synchronize (provision) a group, use -sync <id>. For example :

bin/gsh.sh -psp -sync edu:group

Provision Grouper : Grouper Change Log

To provision in real-time triggered by the Grouper change log, enable the psp consumer in grouper-loader.properties and run the loader via

bin/gsh.sh -loader

Real-Time Changelog Provisioning Details - Probably More Than You Ever Want to Know

Changes to Grouper are consumed by change log consumers. Grouper change log consumers are managed by the Grouper loader and are configured in grouper-loader.properties.

For more detailed examples, take a look at the SPML requests and responses in src/test/resources of the various psp-example-grouper-to-ldap projects.

Real-Time Provisioning Beta-Testing : Grouper Subject Sources

Institution | Subject Source | Number of Subjects | Subject ID
------------|----------------|--------------------|-------------------------------------------------
LIGO        | LDAP           | 1,000              | dn: employeeNumber=882,ou=people,dc=ligo,dc=org
Penn State  | LDAP           | 165,000            | dn:uid=xyx123,dc=psu,dc=edu
UCLA        | LDAP           | 40,000             |
UMontreal   | LDAP           | 120,000            | sAMAccountName (value same as cn)
UVienna     | Undecided      | 155,000            | cn, uid
UWMadison   |                |                    |

Real-Time Provisioning Beta-Testing : Provisioning Targets

Institution | Target | Implementation
------------|--------|-----------------------------------------------------------
LIGO        | LDAP   | OpenLDAP 2.4.x
Penn State  | LDAP   | IBM Tivoli Directory Server
UCLA        | LDAP   | Sun Java System Directory Server Enterprise Edition 6.3.1
UMontreal   | LDAP   | Active Directory
UVienna     | LDAP   | Active Directory, OpenLDAP
UWMadison   |        |

Real-Time Provisioning Beta-Testing : Provisioning memberOf

The groups that a member is a member of may be provisioned to the memberOf attribute. Some LDAP implementations, such as Active Directory, automatically maintain the memberOf attribute. OpenLDAP maintains the memberOf attribute automatically via the memberOf overlay. The value of the memberOf attribute is typically a group DN.

Institution | memberOf for members (people)                   | memberOf for groups
------------|-------------------------------------------------|-------------------------------------------------
LIGO        | +                                               |
Penn State  | +                                               |
UCLA        | -                                               |
UMontreal   | automatic (Active Directory)                    | automatic (Active Directory)
UVienna     | automatic (Active Directory), OpenLDAP+memberOf | automatic (Active Directory), OpenLDAP+memberOf
UWMadison   | +                                               |

Real-Time Provisioning Beta-Testing : Provisioning eduMember

The eduMember objectClass defines the isMemberOf and hasMember attributes, whose values are identifiers which are not DNs.

Institution | isMemberOf     | hasMember
------------|----------------|---------------
LIGO        | +              | +
Penn State  | +              | +
UCLA        | uclaIsMemberOf | uclaHasMember
UMontreal   | -              | -
UVienna     | -              | -
UWMadison   | +              | +

Real-Time Provisioning Beta-Testing : Provisioning eduCourse

The eduCourse objectClass defines course related attributes.

Institution | eduCourse
------------|----------
LIGO        | -
Penn State  | -
UCLA        | -
UMontreal   | -
UVienna     | -
UWMadison   | +

Real-Time Provisioning Beta-Testing : Provisioning Structure

The group provisioning structure may be either flat or bushy. A flat structure provisions all groups into a single container. A bushy structure provisions groups hierarchically.

Institution | Structure (flat or bushy)
------------|--------------------------
LIGO        | bushy
Penn State  | flat
UCLA        | flat
UMontreal   | bushy
UVienna     | ?
UWMadison   | flat

Real-Time Provisioning Beta-Testing : Membership Structure

Given groupA with memberA and groupB with memberB :

Institution | member     | memberOf
------------|------------|-----------
LIGO        | everything | everything
Penn State  |            |
UCLA        |            |
UMontreal   | immediate  | immediate
UVienna     | everything | everything
UWMadison   |            |

Excluding LDAP provisioning for groups based on group name

This is based on a contribution by NYU which has been integrated into the Grouper API - Selective Group Exclusion When Provisioning to LDAP

  1. In grouper.properties, set:

     hooks.group.class=edu.internet2.middleware.grouper.hooks.examples.LDAPProvisioningHook

  2. Also, in grouper.properties, add the names that you want to exclude (regular expressions):

     LDAPProvisioningHook.exclude.regex.0=.*_excludes$
     LDAPProvisioningHook.exclude.regex.1=.*_includes$
     LDAPProvisioningHook.exclude.regex.2=.*_systemOfRecord$
     LDAPProvisioningHook.exclude.regex.3=.*_systemOfRecordAndIncludes$

  3. In psp-resolver.xml, in each section (there are a few) that returns groups, subtract the following:

     <grouper:Filter xsi:type="grouper:GroupExactAttribute" name="LDAPProvisioningExclude" value="true" />

     So for example, the following:

     <grouper:Filter xsi:type="grouper:MINUS">
       <!-- The GroupInStem filter matches groups which are children of the given stem. -->
       <grouper:Filter
         xsi:type="grouper:GroupInStem"
         name="${edu.internet2.middleware.psp.baseStem}"
         scope="SUB" />
       <grouper:Filter
         xsi:type="grouper:GroupInStem"
         name="etc"
         scope="SUB" />
     </grouper:Filter>

     would instead become:

     <grouper:Filter xsi:type="grouper:MINUS">
       <grouper:Filter xsi:type="grouper:MINUS">
         <!-- The GroupInStem filter matches groups which are children of the given stem. -->
         <grouper:Filter
           xsi:type="grouper:GroupInStem"
           name="${edu.internet2.middleware.psp.baseStem}"
           scope="SUB" />
         <grouper:Filter
           xsi:type="grouper:GroupInStem"
           name="etc"
           scope="SUB" />
       </grouper:Filter>
       <grouper:Filter xsi:type="grouper:GroupExactAttribute" name="LDAPProvisioningExclude" value="true" />
     </grouper:Filter>

See Also

Directions for Provisioning Strategy