Comment: Migrated to Confluence 4.0

...

| Key | Value | Description |
|---|---|---|
| no arguments | | Display usage. |
| -groups | | Provision groups. |
| -memberships | | Provision memberships. |
| -subject | subjectId | The SubjectId used to establish Grouper API sessions. Defaults to GrouperSystem. |
| -interval | interval | Number of seconds between polling intervals. If omitted, only one provisioning cycle is performed. |
| -lastModifyTime | yyyy-MM-dd[_hh:mm:ss] | Select objects changed since this time. |
| -configManager | path to configuration xml | Path to configuration file. Defaults to classpath resource ldappc.xml. |
| -properties | path to properties file | Path to properties file. Defaults to classpath resource ldappc.properties. |
| -resolver | path to directory | Path to directory containing Shibboleth Attribute Resolver configuration files. |
| -calc | file | Calculate provisioning and write to file. |
| -dryRun | file | Write provisioning changes to file only, do not provision changes. |
| -logLDIF | | While provisioning, log changes in LDIF format. |

...

An example configuration file for provisioning Active Directory might look like the following. There is no <memberships/> element, since Active Directory itself handles provisioning the memberOf attribute of group members. In this example, the sAMAccountName attribute (the pre-Windows 2000 logon name) is calculated using the Shibboleth Attribute Resolver, which replaces whitespace in group names with an underscore.

<?xml version="1.0" encoding="utf-8"?>

<ldappc>
  <grouper>
    <group-queries>
      <subordinate-stem-queries>
        <stem-list>
          <stem>edu</stem>
        </stem-list>
      </subordinate-stem-queries>
    </group-queries>

    <groups structure="bushy" root-dn="ou=testgroups,${base}" ldap-object-class="group"
            ldap-rdn-attribute="cn" grouper-attribute="name" >

      <group-members-dn-list list-object-class="group" list-attribute="member" />

      <group-attribute-mapping ldap-object-class="group">
        <group-attribute-map group-attribute="description" ldap-attribute="description" />
      </group-attribute-mapping>

      <resolver-attribute-mapping ldap-object-class="group">
        <resolver-attribute-map resolver-attribute="sAMAccountName" ldap-attribute="sAMAccountName" />
      </resolver-attribute-mapping>

    </groups>

  </grouper>

  <source-subject-identifiers>
    <source-subject-identifier source="jdbc" subject-attribute="id">
      <ldap-search base="ou=testpeople,${base}" scope="subtree_scope" filter="(cn={0})" />
    </source-subject-identifier>
  </source-subject-identifiers>

</ldappc>

Shibboleth Attribute Resolver configuration:

...

An example configuration file for provisioning OpenLDAP might look like:

<?xml version="1.0" encoding="utf-8"?>

<ldappc>
  <grouper>
    <group-queries>

      <subordinate-stem-queries>
        <stem-list>
          <stem>_stem_name_</stem>
        </stem-list>
      </subordinate-stem-queries>

      <attribute-matching-queries>
        <attribute-list>
          <attribute name="_attr_name_" value="_attr_value_" />
        </attribute-list>
      </attribute-matching-queries>

    </group-queries>

    <groups
      structure="flat"
      root-dn="ou=groups,${edu.vt.middleware.ldap.base}"
      ldap-object-class="groupOfNames"
      ldap-rdn-attribute="cn"
      grouper-attribute="name">

      <group-members-dn-list list-object-class="groupOfNames" list-attribute="member" list-empty-value="" />

      <group-members-name-list list-object-class="eduMember" list-attribute="hasMember">
        <source-subject-name-mapping>
          <source-subject-name-map source="_source_name_" subject-attribute="_attr_name_" />
          <source-subject-name-map source="g:gsa" subject-attribute="name" />
        </source-subject-name-mapping>
      </group-members-name-list>

      <group-attribute-mapping ldap-object-class="groupOfNames">
        <group-attribute-map group-attribute="description" ldap-attribute="description" />
      </group-attribute-mapping>

    </groups>

    <memberships>
      <member-groups-list list-object-class="eduMember" list-attribute="isMemberOf" naming-attribute="name" />
    </memberships>

  </grouper>

  <source-subject-identifiers>
    <source-subject-identifier source="_source_name_" subject-attribute="_attr_name_">
      <ldap-search
        base="ou=people,${edu.vt.middleware.ldap.base}"
        scope="subtree_scope"
        filter="(uid={0})" />
    </source-subject-identifier>
  </source-subject-identifiers>

</ldappc>
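
A pre-flight check for configuration files like the two above, as an added example that is not part of the original documentation or of Ldappc itself. It flags template values such as `_stem_name_` that were never replaced, `<ldap-search>` filters that lack `{0}`, and a `<memberships>` element combined with the Active Directory `group` object class. The function name, the finding labels, the reading of `{0}` as the subject identifier slot, and the use of `ldap-object-class="group"` as the Active Directory marker are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"_\w+_")  # template values such as _stem_name_

def audit_ldappc(xml_text):
    """Return a list of findings for one ldappc configuration document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for el in root.iter():
        # Element text and attribute values still holding a template placeholder.
        values = [("text", (el.text or "").strip())] + list(el.attrib.items())
        for name, value in values:
            if PLACEHOLDER.fullmatch(value):
                findings.append(f"placeholder:{el.tag}/{name}={value}")
    for search in root.iter("ldap-search"):
        # Assumption: {0} is the slot for the subject identifier being looked up.
        if "{0}" not in search.get("filter", ""):
            findings.append(f"filter-without-subject:{search.get('filter')}")
    groups = root.find("grouper/groups")
    ad_style = groups is not None and groups.get("ldap-object-class") == "group"
    if ad_style and root.find("grouper/memberships") is not None:
        # The page omits <memberships/> for Active Directory targets.
        findings.append("memberships-with-ad-group-class")
    return findings

# Constructed sample: OpenLDAP example trimmed, with deliberate defects left in.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<ldappc>
  <grouper>
    <group-queries>
      <subordinate-stem-queries>
        <stem-list><stem>_stem_name_</stem></stem-list>
      </subordinate-stem-queries>
    </group-queries>
    <groups structure="flat" root-dn="ou=groups,${edu.vt.middleware.ldap.base}"
            ldap-object-class="groupOfNames" ldap-rdn-attribute="cn" grouper-attribute="name"/>
  </grouper>
  <source-subject-identifiers>
    <source-subject-identifier source="_source_name_" subject-attribute="id">
      <ldap-search base="ou=people,${edu.vt.middleware.ldap.base}"
                   scope="subtree_scope" filter="(uid=*)"/>
    </source-subject-identifier>
  </source-subject-identifiers>
</ldappc>"""

if __name__ == "__main__":
    for finding in audit_ldappc(SAMPLE):
        print(finding)
```

An empty result means none of the three checks fired; it does not validate the file against the Ldappc schema.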

Documentation for previous versions is available at https://wiki.internet2.edu/confluence/display/i2miCommon/Ldappc

...