
See also the information on the newer provisioning connector called LDAPPC-NG.

As of Grouper 2.1, see the Provisioning Service Provider (PSP)

Usage

LDAPPC is run using GrouperShell (gsh).


| Key | Value | Description |
|---|---|---|
| no arguments | | Display usage. |
| -groups | | Provision groups. |
| -memberships | | Provision memberships. |
| -subject | subjectId | The SubjectId used to establish Grouper API sessions. Defaults to GrouperSystem. |
| -interval | interval | Number of seconds between polling intervals. If omitted, only one provisioning cycle is performed. |
| -lastModifyTime | yyyy-MM-dd[_hh:mm:ss] | Select objects changed since this time. |
| -configManager | path to configuration xml | Path to configuration file. Defaults to classpath resource ldappc.xml. |
| -properties | path to properties file | Path to properties file. Defaults to classpath resource ldappc.properties. |
| -resolver | path to directory | Path to directory containing Shibboleth Attribute Resolver configuration files. |
| -calc | file | Calculate provisioning and write to file. |
| -dryRun | file | Write provisioning changes to file only; do not provision changes. |
| -logLDIF | | While provisioning, log changes in LDIF format. |


  • <ldappc> - Provisioning Configuration

    ```xml
    <ldappc>
     <grouper ... />
     <source-subject-identifiers ... />
    </ldappc>
    ```

    The LDAPPC provisioning configuration consists of two elements: Grouper and LDAP subject parameters.
  • <grouper> - Grouper Configuration

    ```xml
    <grouper>
     <group-queries ... />
     <groups ... />
     <memberships ... />
    </grouper>
    ```

    The Grouper configuration includes the selection of groups to be provisioned, and optional group and membership provisioning.
  • <group-queries> - Select Groups to be Provisioned

    ```xml
    <group-queries>
     <subordinate-stem-queries ... />
     <attribute-matching-queries ... />
     <resolver-matching-queries ... />
    </group-queries>
    ```

    The groups to be provisioned may be selected by stem, by attribute value, or by the union of both. Currently it is not possible to exclude a group from provisioning once it matches the selection criteria.
  • <subordinate-stem-queries> - Select Groups to be Provisioned by Stem

    ```xml
    <subordinate-stem-queries>
     <stem-list>
      <stem>uc:faculty:art</stem>
      <stem>uc:faculty:math</stem>
     </stem-list>
    </subordinate-stem-queries>
    ```

    All groups subordinate to any of the given stems are selected for provisioning.
  • <attribute-matching-queries> - Select Groups to be Provisioned by Attribute

    ```xml
    <attribute-matching-queries>
     <attribute-list>
      <attribute name="attr1" value="value1" />
      <attribute name="attr2" value="value2" />
     </attribute-list>
    </attribute-matching-queries>
    ```

    All groups having the given attribute value(s) are selected for provisioning.
  • <resolver-matching-queries> - Select Groups to be Provisioned by Attribute Resolver

    ```xml
    <resolver-matching-queries>
      <data-connector-list>
        <data-connector id="ID" />
      </data-connector-list>
    </resolver-matching-queries>
    ```

    All groups returned by the GroupDataConnector with the given ID will be provisioned.
  • <groups> - Provision Groups

    ```xml
    <groups structure="flat"
            root-dn="ou=grouper,ou=groups,dc=example,dc=edu"
            ldap-object-class="groupOfNames"
            ldap-rdn-attribute="cn"
            grouper-attribute="name">
     <group-members-dn-list ... />
     <group-members-name-list ... />
     <group-attribute-mapping ... />
     <resolver-attribute-mapping ... />
    </groups>
    ```

    The optional <groups> element defines how entries and DNs for provisioned groups are created.

    | <groups> attribute | Description |
    |---|---|
    | structure | The group DN naming structure may be either "flat" or "bushy". A flat structure provisions all groups into the same root DN using the name of the group as the RDN, e.g. cn=stem:child-stem:group-name,root-dn. A bushy structure provisions groups hierarchically, e.g. cn=group-name,ou=child-stem,ou=stem,root-dn. |
    | root-dn | The DN of the entry used as the root of the provisioned groups. |
    | ldap-object-class | Defines the LDAP object class used to create each provisioned group. If this object class has required attributes not populated by this provisioning process, then an error will occur. |
    | ldap-rdn-attribute | Defines the attribute in the ldap-object-class used as the RDN. This value may not be "ou", in order to prevent naming collisions between stems and groups when the structure is "bushy". |
    | grouper-attribute | Required when the structure is flat. Defines the attribute of the group whose value is used as the value of the ldap-rdn-attribute. |
    | initial-cache-size | Optional attribute specifying the initial size of the group cache. Setting this larger than the likely number of groups to be provisioned should improve performance. |
    | provision-member-groups | If true, member groups are provisioned as members. Defaults to true. Replaces the "g:gsa" source-subject-identifier. |
    | provision-member-groups-ignore-queries | If true, member groups are provisioned even if they are not in the set of groups to be provisioned. Defaults to false. New in v1.5.0; the pre-v1.5.0 behavior of LDAPPC may be reproduced by setting this to true. In other words, by default member groups are provisioned only if they are themselves in the set of groups to be provisioned, i.e. they match group-queries. |
    | provision-groups-two-step | If true, groups are provisioned in two steps: the first step provisions all groups without any members, the second step provisions all groups with members. Defaults to true. If false, member groups which have not yet been provisioned may result in log warnings or failures, depending on the value of on-not-found. |
    | bundle-modifications | If true, a group's attribute modifications are performed in one LDAP operation. If false, each group attribute modification is performed as a separate LDAP operation. Defaults to true. |
    | create-then-modify-members | If true, groups are created (LDAP add) without members, followed by an update (LDAP modify) to add member attributes. Defaults to false. |

  • <group-members-dn-list> - Provision Member DNs

    ```xml
    <group-members-dn-list
      list-attribute="member"
      list-object-class="groupOfNames"
      list-empty-value="" />
    ```

    If defined, provisioned groups will include member DNs.

    | <group-members-dn-list> attribute | Description |
    |---|---|
    | list-attribute | Defines the LDAP attribute in which to store member DNs. |
    | list-object-class | Optional. Defines the LDAP object class the group entry must have to support the list-attribute. Please note that if this object class has required attributes not populated by this provisioning process, then an error may occur. |
    | list-empty-value | Optional. Defines the value of the list-attribute if no member DNs are stored there. If list-attribute is optional (i.e., a MAY attribute), this value is most likely not needed. If list-attribute is required (i.e., a MUST attribute), then this value should be defined. |

  • <group-members-name-list> - Provision Member Names

    ```xml
    <group-members-name-list
      list-attribute="hasMember"
      list-object-class="eduMember"
      list-empty-value="">
     <source-subject-name-mapping>
       <source-subject-name-map source="sourceA" subject-attribute="userid" />
       <source-subject-name-map source="sourceB" subject-attribute="userid" />
     </source-subject-name-mapping>
    </group-members-name-list>
    ```

    If defined, provisioned groups will include member names.

    | <group-members-name-list> attribute | Description |
    |---|---|
    | list-attribute | Defines the LDAP attribute in which to store member names. |
    | list-object-class | Optional. Defines the LDAP object class the group entry must have to support the list-attribute. Please note that if this object class has required attributes not populated by this provisioning process, then an error may occur. |
    | list-empty-value | Optional. Defines the value of the list-attribute if no member names are stored there. If list-attribute is optional (i.e., a MAY attribute), this value is most likely not needed. If list-attribute is required (i.e., a MUST attribute), then this value should be defined. |

    The <source-subject-name-mapping> element contains one or more <source-subject-name-map> elements, each of which defines the subject attribute containing the subject's name for one Source.

    | <source-subject-name-map> attribute | Description |
    |---|---|
    | source | Source ID |
    | subject-attribute | The Subject attribute containing the Subject's name |

  • <group-attribute-mapping> - Provision Group Attributes

    ```xml
    <group-attribute-mapping ldap-object-class="">
     <group-attribute-map
        group-attribute="aci"
        ldap-attribute="aci"
        ldap-attribute-empty-value="" />
    </group-attribute-mapping>
    ```

    Optionally, group attributes may be provisioned.

    | <group-attribute-mapping> attribute | Description |
    |---|---|
    | ldap-object-class | Optional. Defines the LDAP object class the group entry must have to support the attribute mapping. Please note that if this object class has required attributes not populated by this provisioning process, then an error may occur. |

    The <group-attribute-mapping> element contains one or more <group-attribute-map> elements, which map Grouper attributes to LDAP.

    | <group-attribute-map> attribute | Description |
    |---|---|
    | group-attribute | The Grouper attribute name. |
    | ldap-attribute | The LDAP attribute name. |
    | ldap-attribute-empty-value | Optional. Defines the value to be placed in the ldap-attribute if no values are stored there. If ldap-attribute is optional (i.e., a MAY attribute), this value is most likely not needed. If ldap-attribute is required (i.e., a MUST attribute), then this value should be defined. |

  • <resolver-attribute-mapping> - Provision Resolver Attributes

    ```xml
    <resolver-attribute-mapping ldap-object-class="">
     <resolver-attribute-map
        resolver-attribute="sAMAccountName"
        ldap-attribute="sAMAccountName"
        ldap-attribute-empty-value="" />
    </resolver-attribute-mapping>
    ```

    Optionally, attributes calculated by the Shibboleth Attribute Resolver may be provisioned. If the <resolver-attribute-mapping> is specified, then three files are required: ldappc-internal.xml, ldappc-services.xml, and ldappc-resolver.xml. These files should be located on the classpath, or the directory containing them may be given as a command line argument (-resolver). The contents of these files are the same as used by the Shibboleth IdP.

    | <resolver-attribute-mapping> attribute | Description |
    |---|---|
    | ldap-object-class | Optional. Defines the LDAP object class the group entry must have to support the attribute mapping. Please note that if this object class has required attributes not populated by this provisioning process, then an error may occur. |

    The <resolver-attribute-mapping> element contains one or more <resolver-attribute-map> elements, which map Shibboleth Attribute Resolver attributes to LDAP.

    | <resolver-attribute-map> attribute | Description |
    |---|---|
    | resolver-attribute | The Shibboleth Attribute Resolver attribute definition id. |
    | ldap-attribute | The LDAP attribute name. |
    | ldap-attribute-empty-value | Optional. Defines the value to be placed in the ldap-attribute if no values are stored there. If ldap-attribute is optional (i.e., a MAY attribute), this value is most likely not needed. If ldap-attribute is required (i.e., a MUST attribute), then this value should be defined. |

  • <memberships> - Provision Memberships

    ```xml
    <memberships>
     <member-groups-list
      list-object-class="eduMember"
      list-attribute="isMemberOf"
      naming-attribute="name"
      temporary-directory="" />
    </memberships>
    ```

    In addition to provisioning groups, LDAPPC may provision memberships. The optional <memberships> element contains one <member-groups-list> element, which defines the LDAP attribute of member entries that holds the groups of which they are a member.

    | <member-groups-list> attribute | Description |
    |---|---|
    | list-object-class | Optional. Defines the LDAP object class the Member's entry must have to support the group list. Please note that if this object class has required attributes not populated by the provisioning process, then an error may occur. |
    | list-attribute | Defines the LDAP attribute in which to store groups. |
    | naming-attribute | The Grouper attribute used to create the list of groups for a member. |
    | temporary-directory | Optional. Defines the file system directory in which temporary files will be written. Defaults to the current directory. |

  • <source-subject-identifiers> - Finding Subjects in the Directory

    ```xml
    <source-subject-identifiers>
     <source-subject-identifier
       source="jdbc"
       subject-attribute="id"
       initial-cache-size="350007">
      <ldap-search
        base="ou=people,dc=example,dc=edu"
        scope="onelevel_scope"
        filter="(&amp;(examplePersonId={0})(objectclass=examplePerson))" />
     </source-subject-identifier>
    </source-subject-identifiers>
    ```

    The <source-subject-identifiers> element contains one or more <source-subject-identifier> elements, each of which defines, for one Source, the Subject attribute and the LDAP search parameters used to look up Subjects in the directory.

    | <source-subject-identifier> attribute | Description |
    |---|---|
    | source | Subject Source ID |
    | subject-attribute | The name of the Subject attribute. If a value other than "id" (the subject ID) is specified, performance may suffer, as an extra Subject lookup will be performed. It is strongly recommended that the subject ID be present in the subject's directory object and that it be indexed. |
    | initial-cache-size | Optional. The initial size of the cache of subject DNs keyed by subject ID. Specifying a larger number than the number of subjects should give better performance. |

    Each <source-subject-identifier> element contains exactly one <ldap-search> element.

    | <ldap-search> attribute | Description |
    |---|---|
    | base | The base DN of the context or object to search. |
    | scope | Either "object_scope", "onelevel_scope", or "subtree_scope". The JNDI scope constants are defined in javax.naming.directory.SearchControls. For most flat people branches, "onelevel_scope" is a good choice. |
    | filter | The string "{0}" in the search filter will be replaced by the value of the Subject's attribute defined by subject-attribute in the <source-subject-identifier> element. |
    | on-not-found | Optional, either "warn", "fail", or "ignore". Defaults to "warn". The action taken if the LDAP search does not return any results. "warn" logs at level WARN. "fail" throws a RuntimeException, which terminates the LDAPPC process. "ignore" does nothing. |
    | multiple-results | Optional, either "true" or "false". Defaults to "false". When "false", if multiple results are returned from the LDAP search a RuntimeException is thrown, which terminates the LDAPPC process. When "true", all results returned from the LDAP search will be provisioned. |
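The flat and bushy DN naming described under <groups>, together with the stem and attribute selection described under <group-queries>, worked through as an added Python example. This is not LDAPPC's own code: the function names, the sample group list and the RFC 4514 escaping of RDN values are this example's assumptions (the page does not say whether LDAPPC escapes group names), included because a Grouper group name containing "," or "=" would otherwise yield a DN under a different parent than root-dn.

```python
import re

# RFC 4514 section 2.4: these characters must be escaped inside an RDN value.
# This escaping step is this example's own addition; it keeps a group name
# such as "uc:sales,ou=admins" from producing a DN under a different parent.
_RDN_SPECIALS = re.compile(r'([\\,+"<>;=])')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514)."""
    escaped = _RDN_SPECIALS.sub(r'\\\1', value)
    if escaped.startswith(('#', ' ')):   # leading '#' or space
        escaped = '\\' + escaped
    if escaped.endswith(' '):            # trailing space
        escaped = escaped[:-1] + '\\ '
    return escaped


def group_dn(group_name: str, root_dn: str, structure: str,
             rdn_attribute: str = "cn") -> str:
    """Build the DN of a provisioned group the way the page describes.

    flat:  the whole Grouper name is the RDN value directly under root-dn,
           e.g. cn=stem:child-stem:group-name,root-dn
    bushy: the group extension is the RDN and every stem becomes an ou=
           level, e.g. cn=group-name,ou=child-stem,ou=stem,root-dn
    """
    if rdn_attribute.lower() == "ou":
        # The page forbids "ou" as ldap-rdn-attribute: in a bushy tree a
        # stem and a group with the same extension would collide.
        raise ValueError("ldap-rdn-attribute may not be 'ou'")
    if structure == "flat":
        return f"{rdn_attribute}={escape_rdn_value(group_name)},{root_dn}"
    if structure == "bushy":
        *stems, extension = group_name.split(":")
        rdns = [f"{rdn_attribute}={escape_rdn_value(extension)}"]
        rdns += [f"ou={escape_rdn_value(stem)}" for stem in reversed(stems)]
        return ",".join(rdns + [root_dn])
    raise ValueError(f"structure must be 'flat' or 'bushy', not {structure!r}")


def select_groups(groups, stems=(), attributes=()):
    """Union of the stem-subordinate and attribute-matching selections.

    groups:     iterable of {"name": ..., "attributes": {...}} records
    stems:      stem names; every group under any of them is selected
    attributes: (name, value) pairs; a group matching any pair is selected
    """
    selected = []
    for group in groups:
        under_stem = any(group["name"].startswith(stem + ":") for stem in stems)
        attr_match = any(group.get("attributes", {}).get(name) == value
                         for name, value in attributes)
        if under_stem or attr_match:
            selected.append(group["name"])
    return selected


# Constructed sample data for the demonstration, not taken from the page.
SAMPLE_GROUPS = [
    {"name": "uc:faculty:art:painters", "attributes": {}},
    {"name": "uc:faculty:math:algebra", "attributes": {"provision": "ldap"}},
    {"name": "uc:staff:it", "attributes": {"provision": "ldap"}},
    {"name": "uc:students:clubs", "attributes": {}},
]

ROOT_DN = "ou=grouper,ou=groups,dc=example,dc=edu"

if __name__ == "__main__":
    chosen = select_groups(SAMPLE_GROUPS, stems=["uc:faculty:art"],
                           attributes=[("provision", "ldap")])
    for name in chosen:
        print("flat: ", group_dn(name, ROOT_DN, "flat"))
        print("bushy:", group_dn(name, ROOT_DN, "bushy"))
```

Note that the page's restriction on ldap-rdn-attribute is enforced before any DN is built, and that a group selected by stem and by attribute appears once in the result, as the union described for <group-queries> implies.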


```xml
<?xml version="1.0" encoding="utf-8"?>

<ldappc>
  <grouper>
    <group-queries>
      <subordinate-stem-queries>
        <stem-list>
          <stem>edu</stem>
        </stem-list>
      </subordinate-stem-queries>
    </group-queries>

    <groups structure="bushy" root-dn="ou=testgroups,${base}" ldap-object-class="group"
            ldap-rdn-attribute="cn" grouper-attribute="name" >

      <group-members-dn-list list-object-class="group" list-attribute="member" />

      <group-attribute-mapping ldap-object-class="group">
        <group-attribute-map group-attribute="description" ldap-attribute="description" />
      </group-attribute-mapping>

      <resolver-attribute-mapping ldap-object-class="group">
        <resolver-attribute-map resolver-attribute="sAMAccountName" ldap-attribute="sAMAccountName" />
      </resolver-attribute-mapping>

    </groups>

  </grouper>

  <source-subject-identifiers>
    <source-subject-identifier source="jdbc" subject-attribute="id">
      <ldap-search base="ou=testpeople,${base}" scope="subtree_scope" filter="(cn={0})" />
    </source-subject-identifier>
  </source-subject-identifiers>

</ldappc>
```
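The <ldap-search> behaviour used by the configuration above, worked through as an added Python example: substituting the subject attribute value into the "{0}" placeholder of the filter, and applying the on-not-found and multiple-results rules from the <ldap-search> table. This is not LDAPPC's code; the function names, the in-memory directory and the RFC 4515 escaping of the substituted value are this example's assumptions (the page does not say whether LDAPPC escapes the value), included because an unescaped subject value containing "*", "(" or ")" changes the structure of the filter rather than being matched literally.

```python
import logging

logger = logging.getLogger("ldappc.example")

VALID_ON_NOT_FOUND = ("warn", "fail", "ignore")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter.

    Without this, a subject attribute value such as "*)(objectclass=*" would
    change the structure of the filter instead of being matched literally.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
        for ch in value
    )


def build_filter(template: str, subject_value: str) -> str:
    """Replace {0} in the configured filter with the escaped subject value."""
    return template.replace("{0}", escape_filter_value(subject_value))


# Constructed in-memory stand-in for the people branch (not a real directory).
# "bob" deliberately appears twice so the multiple-results rule can be shown.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=edu": {"examplePersonId": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=edu": {"examplePersonId": ["bob"]},
    "uid=bob2,ou=people,dc=example,dc=edu": {"examplePersonId": ["bob"]},
}


def find_subject_dns(subject_value, attribute="examplePersonId",
                     on_not_found="warn", multiple_results=False,
                     directory=SAMPLE_DIRECTORY):
    """Apply the on-not-found and multiple-results rules from <ldap-search>.

    Returns the list of matching DNs; raises RuntimeError in the cases where
    the page says the LDAPPC process terminates.
    """
    if on_not_found not in VALID_ON_NOT_FOUND:
        raise ValueError(f"on-not-found must be one of {VALID_ON_NOT_FOUND}")
    matches = [dn for dn, attrs in directory.items()
               if subject_value in attrs.get(attribute, [])]
    if not matches:
        if on_not_found == "fail":
            raise RuntimeError(f"no directory entry for subject {subject_value!r}")
        if on_not_found == "warn":
            logger.warning("no directory entry for subject %r", subject_value)
        return []                      # "ignore": nothing is provisioned, silently
    if len(matches) > 1 and not multiple_results:
        raise RuntimeError(
            f"{len(matches)} directory entries for subject {subject_value!r}")
    return matches                     # multiple-results="true": provision all


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    template = "(&(examplePersonId={0})(objectclass=examplePerson))"
    print(build_filter(template, "alice"))
    print(build_filter(template, "*)(objectclass=*"))   # special chars escaped
    print(find_subject_dns("alice"))
    print(find_subject_dns("bob", multiple_results=True))
```

With the defaults from the table ("warn", multiple-results "false"), a missing subject produces a WARN log entry and an empty result, while a duplicate subject stops the run; this is the behaviour to expect in LDAPPC logs when a people branch contains more than one entry for the same subject ID.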
Shibboleth Attribute Resolver configuration:

```xml
  <resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="sAMAccountName" sourceAttributeID="name">
    <resolver:Dependency ref="groupDataConnector" />
    <Script><![CDATA[
      // Import the Shibboleth attribute provider package so that BasicAttribute resolves
      importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

      // Start from the group's Grouper name (the "name" attribute of the dependency)
      value = name.getValues().get(0);

      // Replace characters that are not permitted in a sAMAccountName with "_".
      // The original listed "\\/" twice; the second occurrence is assumed to have
      // been the backslash pattern "\\\\", which is otherwise missing from the set.
      value = value.replaceAll("\\/", "_");
      value = value.replaceAll("\\\\", "_");
      value = value.replaceAll("\\[", "_");
      value = value.replaceAll("\\]", "_");
      value = value.replaceAll("\\:", "_");
      value = value.replaceAll("\\;", "_");
      value = value.replaceAll("\\|", "_");
      value = value.replaceAll("\\=", "_");
      value = value.replaceAll("\\,", "_");
      value = value.replaceAll("\\+", "_");
      value = value.replaceAll("\\*", "_");
      value = value.replaceAll("\\?", "_");

      // Expose the sanitized value as the attribute this definition produces
      sAMAccountName = new BasicAttribute("sAMAccountName");
      sAMAccountName.getValues().add(value);
      ]]></Script>
  </resolver:AttributeDefinition>
```
