Main Grouper Loader page

These topics are discussed in the "Grouper Loader" training series.

LDAP is also covered in the LDAP training video.

This page documents using the Grouper Loader to load a group from LDAP. This is available in Grouper v2.1 and later.

...

Each attribute below is listed with its system name, display name, whether it is required, its description, what it is assignable to, its value type and an example value.

grouperLoaderLdap
  Display name: Grouper Loader LDAP
  Required?: required
  Description: This is the marker attribute that you assign to a group to mark it as a Grouper loader LDAP group.
  Assignable to: Groups
  Value type: None

grouperLoaderLdapType
  Display name: Grouper Loader LDAP type
  Required?: required
  Description: Like the SQL loader, this holds the type of job from the GrouperLoaderType enum; currently the only valid values are LDAP_SIMPLE, LDAP_GROUP_LIST and LDAP_GROUPS_FROM_ATTRIBUTES. Simple is a group loaded from an LDAP filter which returns subject ids or identifiers. Group list is an LDAP filter which returns group objects, and each group object has a list of subjects. Groups from attributes is an LDAP filter that returns subjects which have a multi-valued attribute, e.g. affiliations; one group is created per attribute value, holding the subjects that have that value.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: Enum
  Example value: LDAP_SIMPLE

grouperLoaderLdapServerId
  Display name: Grouper loader LDAP server ID
  Required?: required
  Description: Server ID that is configured in grouper-loader.properties and identifies the connection information for the LDAP server. Note, if you use "dn" and dn is not an attribute of the object, then the fully qualified object name will be used.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: personLdap (note: depends on your configuration)

grouperLoaderLdapFilter
  Display name: Grouper loader LDAP filter
  Required?: required
  Description: LDAP filter that returns objects which have subjectIds or subjectIdentifiers, and a group name (if LDAP_GROUP_LIST).
    (v2.6.9+) If the value starts and ends like a JEXL script, it is evaluated as a JEXL script, e.g.

      ${
      var now = (System.currentTimeMillis() + 11644473600000L) * 10000;
      '(&(accountexpires<=' + now + '))';
      }

      ${
      var now = grouperUtil.ldapAdDateFromMillis1970(java.lang.System.currentTimeMillis());
      '(&(accountexpires<=' + now + '))';
      }

      ${
      var now = grouperUtil.ldapAdDateCurrent();
      '(&(accountexpires<=' + now + '))';
      }

      ${'(&(accountexpires<=' + grouperUtil.ldapAdDateCurrent() + '))'}

  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: (affiliation=student)
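As an added illustration (my own Python, not code from this page or from Grouper), the block below reproduces the Active Directory date arithmetic behind the JEXL scripts above so a filter value can be checked before it is put into the attribute. The function names are my own; the fact that AD stores 0 or 2^63-1 in accountExpires for "never expires" is documented AD behaviour and not something the page states.

```python
from datetime import datetime, timezone

# Milliseconds between the Windows FILETIME epoch (1601-01-01) and the Unix
# epoch (1970-01-01): the same constant the first JEXL script on the page uses.
FILETIME_EPOCH_OFFSET_MS = 11644473600000

# Active Directory stores 0 or 2^63-1 in accountExpires for "never expires".
AD_NEVER_EXPIRES = (0, 9223372036854775807)


def ldap_ad_date_from_millis1970(millis):
    """Unix epoch millis -> AD FILETIME (100-nanosecond ticks since 1601)."""
    return (millis + FILETIME_EPOCH_OFFSET_MS) * 10000


def ldap_ad_date_to_datetime(filetime):
    """Inverse conversion, handy for checking a filter value before deploying it."""
    millis = filetime // 10000 - FILETIME_EPOCH_OFFSET_MS
    return datetime.fromtimestamp(millis / 1000, tz=timezone.utc)


def expired_accounts_filter(now_millis):
    """Filter string the page's JEXL scripts produce: accountExpires in the past."""
    return "(&(accountexpires<=%d))" % ldap_ad_date_from_millis1970(now_millis)


def expired_accounts_filter_strict(now_millis):
    """Same filter with accountExpires=0 excluded. The plain <= comparison also
    matches the 'never expires' value 0, so a job meant to collect expired
    accounts would silently pull in every non-expiring account as well."""
    return "(&(accountexpires>=1)(accountexpires<=%d))" % ldap_ad_date_from_millis1970(now_millis)


def entry_matches(account_expires, now_millis, strict=False):
    """Evaluate either filter against one constructed accountExpires value, the
    way the directory would, to show the difference on the edge cases."""
    cutoff = ldap_ad_date_from_millis1970(now_millis)
    if strict and account_expires < 1:
        return False
    return account_expires <= cutoff
```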

grouperLoaderLdapSubjectAttribute
  Display name: Grouper loader LDAP subject attribute name
  Required?: required for LDAP_SIMPLE and LDAP_GROUP_LIST, optional for LDAP_GROUPS_FROM_ATTRIBUTES
  Description: Attribute name of the filter object result that holds the subject id.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: hasMember, or personId

grouperLoaderLdapGroupAttribute
  Display name: Grouper loader LDAP group attribute name
  Required?: required for LDAP_GROUPS_FROM_ATTRIBUTES
  Description: Attribute name of the filter object result that holds the group name. Note, in 2.1.5+ you can put multiple attribute names here, comma separated.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: affiliation

grouperLoaderLdapGroupAttributeProcessingExpression
  Display name: Grouper loader LDAP group attribute processing expression
  Required?: optional for LDAP_GROUPS_FROM_ATTRIBUTES
  Description: Expression to process the group name, to potentially split it into other names or to extract the name from it.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value:

      ${GrouperUtilElSafe.splitTrimCurlyColons(groupExtension, "deptDescription", "[a-zA-Z0-9_]", "_")}

grouperLoaderLdapSearchDn
  Display name: Grouper loader LDAP search base DN
  Required?: optional
  Description: Location that constrains the subtree where the filter is applied. Note, this is relative to the base DN in the LDAP server config in grouper-loader.properties for this server. This makes the query more efficient.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: ou=people

grouperLoaderLdapQuartzCron
  Display name: Grouper loader LDAP quartz cron
  Required?: required
  Description: Quartz cron config string, e.g. every day at 8am is: 0 0 8 * * ?  (the Quartz cron documentation has more examples).
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: 0 0 8 * * ?

grouperLoaderLdapSourceId
  Display name: Grouper loader LDAP source ID
  Required?: optional
  Description: Source ID from sources.xml that narrows the search for subjects. This is optional, though it makes the loader job more efficient.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: schoolPeople

grouperLoaderLdapSubjectIdType
  Display name: Grouper loader LDAP subject ID type
  Required?: optional
  Description: The type of subject ID. This can be either subjectId (most efficient, default), subjectIdentifier (2nd most efficient), or subjectIdOrIdentifier.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: Enum
  Example value: subjectId, subjectIdentifier, subjectIdOrIdentifier

grouperLoaderLdapSearchScope
  Display name: Grouper loader LDAP search scope
  Required?: optional
  Description: How deep in the subtree the search will take place. Can be OBJECT_SCOPE, ONELEVEL_SCOPE, or SUBTREE_SCOPE (default).
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: Enum
  Example value: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE

grouperLoaderLdapAndGroups
  Display name: Grouper loader LDAP require in groups
  Required?: optional
  Description: If you want to restrict membership in the dynamic group based on other group(s), put the list of group names here, comma separated. If you put a group name in here (e.g. school:community:employee), the loader will 'and' that group with the member list from the loader query, so only members from the loader query who are also employees will be in the resulting group.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: school:community:employee

grouperLoaderLdapPriority
  Display name: Grouper loader LDAP scheduling priority
  Required?: optional
  Description: Quartz has a fixed thread pool (the maximum is configured in grouper-loader.properties), and when the maximum is reached, jobs are prioritized by this integer. Higher is better, and the default if not set is 5.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: Integer
  Example value: 5

grouperLoaderLdapGroupsLike
  Display name: Grouper loader LDAP groups like
  Required?: optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES
  Description: This should be a SQL LIKE string (e.g. school:orgs:%org%_systemOfRecord), so the loader can query group names to see which groups are managed by this loader job. So if a group falls off the loader result set (or is moved), this helps the loader remove the members from that group. Note, if the group is used anywhere as a member or composite member, it won't be removed. All include/exclude/requireGroups groups will be removed, though the two groups, include and exclude, will not be removed if they have members. There is a grouper-loader.properties setting to remove loader groups if empty and not used:

      # if using a sql table, and specifying the name like string, then should the group (in addition to memberships)
      # be removed if not used anywhere else?
      loader.sqlTable.likeString.removeGroupIfNotUsed = true

  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: school:orgs:%org%_systemOfRecord

grouperLoaderLdapExtraAttributes
  Display name: Grouper loader LDAP extra attributes
  Required?: optional, for LDAP_GROUP_LIST
  Description: Attribute names (comma separated) to get LDAP data for expressions in group name, displayExtension and description.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: name, description

grouperLoaderLdapAttributeFilterExpression (2.1.4+)
  Display name: Grouper loader LDAP JEXL expression to filter attributes in LDAP_GROUPS_FROM_ATTRIBUTES
  Required?: optional
  Description: The value is a JEXL expression with the variable attributeValue, e.g.
    to specify a few values: ${attributeValue == 'a' || attributeValue == 'b'}
    to restrict a few values: ${attributeValue != 'a' && attributeValue != 'b'}
    to use some Java methods: ${attributeName.toLowerCase().startsWith('st')}
    to do a regex: ${attributeName =~ '^fa.*$' }
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: ${attributeValue == 'a' || attributeValue == 'b'}

grouperLoaderLdapResultsTransformationClass (2.4.0 with patches)
  Display name: Grouper loader LDAP results transformation class
  Required?: optional for LDAP_GROUPS_FROM_ATTRIBUTES
  Description: Custom Java class to adjust data from LDAP in order to support advanced data transformations and filtering, for example if your LDAP attribute contains a delimited string and you need to parse it to form multiple groups. Your class should extend LdapResultsTransformationBase. See LdapResultsTransformationDelimitedValueExample as an example.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: edu.internet2.middleware.grouper.app.loader.ldap.LdapResultsTransformationDelimitedValueExample

grouperLoaderLdapGroupNameExpression
  Display name: Grouper loader LDAP group name expression
  Required?: optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES
  Description: JEXL expression language fragment that evaluates to the group name (relative to the stem of the group which has the loader definition). groupAttributes['dn'] is a variable in scope, as is groupAttributes['cn'], etc.
    Note, if you set loader.ldap.requireTopStemAsStemFromConfigGroup=false in grouper-loader.properties, the name for all LDAP loader jobs will be taken from the root of the repository, not relative to the loader group.
    Note: if using LDAP_GROUPS_FROM_ATTRIBUTES then use the variable groupAttribute.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value:

      someFolder:${groupAttributes['name']}

      groups:${loaderLdapElUtils.convertDnToSubPath(groupAttributes['dn'], null, null)}

    You can massage the data with a Java regex, e.g. replace every character that is not alphanumeric, underscore or dash with an underscore:

      ${groupAttributes['name'].replaceAll("[^a-zA-Z0-9_-]", "_")}

    Or for LDAP_GROUPS_FROM_ATTRIBUTES:

      ${groupAttribute.replaceAll("[^a-zA-Z0-9_-]", "_")}
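Added example, not code from this page or from Grouper: a Python model of what an LDAP_GROUPS_FROM_ATTRIBUTES job produces when the attribute filter expression, the group name expression and grouperLoaderLdapAndGroups are all set, so the effect of each setting on the resulting memberships can be seen. The LDAP entries, the subject attribute and the employee group are constructed, and attribute_filter and group_name_expression are Python stand-ins for the JEXL expressions shown above.

```python
import re

# Constructed LDAP search results: each entry carries a subject id and a
# multi-valued affiliation attribute, as a filter such as (affiliation=*) returns.
ENTRIES = [
    {"personId": "p1", "affiliation": ["student", "staff"]},
    {"personId": "p2", "affiliation": ["staff", "dept/ops"]},
    {"personId": "p3", "affiliation": ["alumni"]},
    {"personId": "p4", "affiliation": ["student"]},
]

# Constructed membership of a "require in groups" group (grouperLoaderLdapAndGroups).
EMPLOYEES = {"p1", "p2"}


def attribute_filter(attribute_value):
    """Stand-in for the JEXL filter ${attributeValue != 'alumni'}."""
    return attribute_value != "alumni"


def group_name_expression(group_attribute):
    """Stand-in for ${groupAttribute.replaceAll("[^a-zA-Z0-9_-]", "_")}, placed
    under a folder relative to the stem of the loader group."""
    return "affiliations:" + re.sub(r"[^a-zA-Z0-9_-]", "_", group_attribute)


def groups_from_attributes(entries, subject_attribute, group_attribute,
                           value_filter, name_expr, and_groups=None):
    """Model of the LDAP_GROUPS_FROM_ATTRIBUTES job: one group per distinct
    attribute value that passes the filter, holding the subjects carrying that
    value; each group is then intersected with every required group, if any."""
    groups = {}
    for entry in entries:
        subject = entry[subject_attribute]
        for value in entry.get(group_attribute, []):
            if not value_filter(value):
                continue  # filtered values never create or populate a group
            groups.setdefault(name_expr(value), set()).add(subject)
    for required in and_groups or []:
        for name in groups:
            groups[name] &= required
    return groups
```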


grouperLoaderLdapGroupDisplayNameExpression
  Display name: Grouper loader LDAP group display name expression
  Required?: optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES
  Description: JEXL expression language fragment that evaluates to the group display name. groupAttributes['dn'] is a variable in scope, as is groupAttributes['cn'], etc.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: Some folder:${groupAttributes['displayName']}

grouperLoaderLdapGroupDescriptionExpression
  Display name: Grouper loader LDAP group description expression
  Required?: optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES
  Description: JEXL expression language fragment that evaluates to the group description. groupAttributes['dn'] is a variable in scope, as is groupAttributes['cn'], etc.
    Note, descriptions for groups may default to "<extension> auto-created by grouperLoader" unless you set loader.allowBlankGroupDescriptions to true in grouper-loader.properties (it is false by default).
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: Auto-created based on LDAP group ${dn}

grouperLoaderLdapSubjectExpression
  Display name: Grouper loader LDAP subject expression
  Required?: optional
  Description: JEXL expression language fragment that processes the subject string before passing it to the subject API.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: ${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}

grouperLoaderLdapGroupTypes
  Display name: Grouper loader LDAP group types
  Required?: optional for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES, not considered for LDAP_SIMPLE
  Description: Comma separated GroupTypes which will be applied to the loaded groups. The reason this enhancement exists is so we can do a group list filter and attach addIncludeExclude to the groups. Note, if you do this (or use some requireGroups), the group name in the loader query should end in the system of record suffix, which by default is _systemOfRecord.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: addIncludeExclude

grouperLoaderLdapReaders
  Display name: Grouper loader LDAP group readers
  Required?: optional for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES
  Description: Comma separated subjectIds or subjectIdentifiers who will be allowed to READ the group memberships.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: school:app:someApp:someAppReaders

grouperLoaderLdapViewers
  Display name: Grouper loader LDAP group viewers
  Required?: optional for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES
  Description: Comma separated subjectIds or subjectIdentifiers who will be allowed to VIEW the group.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: school:app:someApp:someAppViewers

grouperLoaderLdapAdmins
  Display name: Grouper loader LDAP group admins
  Required?: optional for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES
  Description: Comma separated subjectIds or subjectIdentifiers who will be allowed to ADMIN the group (view, read, update, delete, rename, etc.).
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: school:app:someApp:someAppAdmins

grouperLoaderLdapUpdaters
  Display name: Grouper loader LDAP group updaters
  Required?: optional for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES
  Description: Comma separated subjectIds or subjectIdentifiers who will be allowed to UPDATE the group memberships.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: school:app:someApp:someAppUpdaters

grouperLoaderLdapOptins
  Display name: Grouper loader LDAP group optins
  Required?: optional for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES
  Description: Comma separated subjectIds or subjectIdentifiers who will be allowed to OPTIN to self membership of the group.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: school:app:someApp:someAppOptins

grouperLoaderLdapOptouts
  Display name: Grouper loader LDAP group optouts
  Required?: optional for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES
  Description: Comma separated subjectIds or subjectIdentifiers who will be allowed to OPTOUT of self membership of the group.
  Assignable to: grouperLoaderLdap attribute assignment
  Value type: String
  Example value: school:app:someApp:someAppOptouts

...

Example of converting a DN to a subjectId or group name (institution specific)

In grouper-loader.properties, add the class:

    loader.ldap.el.classes = edu.internet2.middleware.grouper.app.loader.ldap.LdapGroupUserConverter

Add the ldapGroupUserConverter.jar to the classpath (e.g. to lib/custom).

In grouper-loader.properties, add the class:

    loader.ldap.el.classes = ldapGroupUserConverter.LdapGroupUserConverter

...

If the converted value is a subjectId, then make sure Grouper loader LDAP subject ID type is "subjectIdOrIdentifier". If it is a subjectIdentifier (more common), then you can set it to subjectIdentifier.

Log the conversions with this in log4j2.xml or in grouper.properties:

    grouper.logger.LdapGroupUserConverter.name = edu.internet2.middleware.grouper.app.loader.ldap.LdapGroupUserConverter
    grouper.logger.LdapGroupUserConverter.level = debug

Log the conversions with this in log4j.properties:

    log4j.logger.ldapGroupUserConverter.LdapGroupUserConverter = DEBUG
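Added example (my own Python, not Grouper's loaderLdapElUtils and not the institution-specific converter described above): a DN parser that honours RFC 4514 backslash escapes, with a leading-RDN extractor modelled on the convertDnToSpecificValue call in the subject expression row and a relative-path builder modelled on the convertDnToSubPath call in the group name expression row. The exact semantics of those two Grouper helpers are assumed here, not taken from the page, and hex escapes are deliberately left unhandled.

```python
import re


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf RDN first. A backslash
    escapes the next character (RFC 4514), so 'cn=Smith\\, John' keeps its comma
    instead of being split on it. Hex escapes such as \\2c are not handled."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def convert_dn_to_specific_value(dn):
    """Value of the leading RDN: uid=jsmith,ou=people,dc=x -> jsmith. Assumed to
    be what loaderLdapElUtils.convertDnToSpecificValue does with a subject DN."""
    return parse_dn(dn)[0][1]


def convert_dn_to_sub_path(dn, base_dn=""):
    """Grouper path for the RDNs below base_dn, parent first and leaf last, with
    characters outside [a-zA-Z0-9_-] replaced by '_' as the page's regex does.
    Assumed semantics for convertDnToSubPath; raises if dn is not under base_dn."""
    rdns = parse_dn(dn)
    base = parse_dn(base_dn) if base_dn else []
    if base and rdns[-len(base):] != base:
        raise ValueError("dn is not under base_dn")
    relative = rdns[:len(rdns) - len(base)]
    return ":".join(re.sub(r"[^a-zA-Z0-9_-]", "_", v) for _, v in reversed(relative))
```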

...