...
Configuration Example - Grouper to Active Directory
Configure
You will need to configure Grouper to look for subjects in your ldap directory and you will need to configure how groups, stems, and memberships are provisioned to your ldap directory by the psp.
Several example configuration files are provided. Adjust and copy to the conf directory of your Grouper API installation.
| Note |
|---|
If you have already configured |
Configure the Provisioning Service Provider
The psp configuration files are :
| Maps source attributes returned by a Shibboleth attribute resolver to target objects. |
| The Shibboleth attribute resolver configuration file. |
| Configures Shibboleth attribute resolver services, including provisioning targets. |
| Bootstraps the Shibboleth attribute resolver. |
The configuration files for Grouper ldap subjects are :
| Configures Grouper subjects. |
| The vt-ldap configuration. Also used for macro replacement in the psp configuration files. |
Configure the Ldap Connection in sources.xml
Configure Grouper to look for subjects in your ldap directory by using the ldap source adapter. Connection information is defined in ldap.properties.
| No Format |
|---|
<source adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">
<id>ldap</id>
<name>LdapSourceAdapter</name>
<type>person</type>
<init-param>
<param-name>ldapProperties_file</param-name>
<param-value>ldap.properties</param-value>
</init-param>
|
Change the base DN to match your ldap directory in search configuration elements :
| No Format |
|---|
<param-name>base</param-name>
<param-value>ou=people,dc=example,dc=edu</param-value>
|
Configure the Ldap Connection in ldap.properties
Change the default base DN for ldap searches to match your ldap directory :
| No Format |
|---|
edu.vt.middleware.ldap.baseDn = dc=example,dc=edu
|
Configure authentication and encryption :
| No Format |
|---|
edu.vt.middleware.ldap.serviceUser=cn=Manager,dc=example,dc=edu
edu.vt.middleware.ldap.serviceCredential=secret
|
Change the default base DN (container) for provisioning people and groups :
| No Format |
|---|
# The base DN for groups.
edu.internet2.middleware.psp.groupsBaseDn = ou=groups,dc=example,dc=edu
# The base DN for people.
edu.internet2.middleware.psp.peopleBaseDn = ou=people,dc=example,dc=edu
|
...
Provisioned Objects
...
Provisioned objects, in spmlv2 terms, consist of identifiers, attributes (probably), and references (maybe) to the identifiers of other objects, which are most likely located on the same provisioning target.
...
Identifiers
...
Identifiers consist of a string ID, a target ID, and possibly a container ID. We consider a container ID to be similar to an ldap base dn. A container ID is itself an identifier, recursing potentially indefinitely.
...
Attributes
...
Name value pairs. Probably multi-valued. Case sensitive names and values. We return values in the same order as they were given to us.
...
References
...
A reference refers to the identifier of another object. It consists of two identifiers, the "from object" and the "to object". A node in a directed graph. Directional.
...
Flat or Bushy Structure
...
In a flat structure all groups are provisioned under a single base DN (container ID). A flat group's ldap RDN is its Grouper name or displayName.
In a bushy structure groups are provisioned hierarchically, with stems as branches (ldap organizationalUnits) in the tree. A bushy group's RDN is its Grouper extension or displayExtension.
The flat or bushy structure is important when calculating ldap DNs and RDNs in the attribute resolver configuration psp-resolver.xml.
...
<!-- Group identifier and attributes. -->
<!-- The LDAP DN of a group. For example, "cn=groupExtension,ou=stem,ou=groups,dc=edu". -->
<resolver:AttributeDefinition
id="groupDn"
xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
structure="${edu.internet2.middleware.psp.structure}"
sourceAttributeID="name"
rdnAttributeName="cn"
base="${edu.internet2.middleware.psp.groupsBaseDn}">
<resolver:Dependency ref="GroupDataConnector" />
<resolver:Dependency ref="DeleteGroupChangeLogDataConnector" />
<resolver:Dependency ref="UpdateGroupChangeLogDataConnector" />
</resolver:AttributeDefinition>
<!-- The value of the group "cn" attribute is the group extension. -->
<!-- If the group DN structure is "bushy" the sourceAttributeID should be "extension". -->
<!-- If the group DN structure is "flat" the sourceAttributeID should be "name". -->
<resolver:AttributeDefinition
id="cn"
xsi:type="ad:Simple"
sourceAttributeID="${edu.internet2.middleware.psp.cnSourceAttributeID}">
<resolver:Dependency ref="GroupDataConnector" />
</resolver:AttributeDefinition>
Configuration : SPMLv2
Provisioned Objects
Provisioned objects, in spmlv2 terms, consist of identifiers, attributes (probably), and references (maybe) to the identifiers of other objects, which are most likely located on the same provisioning target.
Identifiers
Identifiers consist of a string ID, a target ID, and possibly a container ID. We consider a container ID to be similar to an ldap base dn. A container ID is itself an identifier, recursing potentially indefinitely.
Attributes
Name value pairs. Probably multi-valued. Case sensitive names and values. We return values in the same order as they were given to us.
References
A reference refers to the identifier of another object. It consists of two identifiers, the "from object" and the "to object". A node in a directed graph. Directional.
Configuration : Grouper
Flat or Bushy Structure
In a flat structure all groups are provisioned under a single base DN (container ID). A flat group's ldap RDN is its Grouper name or displayName.
In a bushy structure groups are provisioned hierarchically, with stems as branches (ldap organizationalUnits) in the tree. A bushy group's RDN is its Grouper extension or displayExtension.
The flat or bushy structure is important when calculating ldap DNs and RDNs in the attribute resolver configuration psp-resolver.xml.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<!-- Group identifier and attributes. -->
<!-- The LDAP DN of a group. For example, "cn=groupExtension,ou=stem,ou=groups,dc=edu". -->
<resolver:AttributeDefinition
id="groupDn"
xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
structure="${edu.internet2.middleware.psp.structure}"
sourceAttributeID="name"
rdnAttributeName="cn"
base="${edu.internet2.middleware.psp.groupsBaseDn}">
<resolver:Dependency ref="GroupDataConnector" />
<resolver:Dependency ref="DeleteGroupChangeLogDataConnector" />
<resolver:Dependency ref="UpdateGroupChangeLogDataConnector" />
</resolver:AttributeDefinition>
<!-- The value of the group "cn" attribute is the group extension. -->
<!-- If the group DN structure is "bushy" the sourceAttributeID should be "extension". -->
<!-- If the group DN structure is "flat" the sourceAttributeID should be "name". -->
<resolver:AttributeDefinition
id="cn"
xsi:type="ad:Simple"
sourceAttributeID="${edu.internet2.middleware.psp.cnSourceAttributeID}">
<resolver:Dependency ref="GroupDataConnector" />
</resolver:AttributeDefinition>
|
In an attempt to make life easier for deployers, the flat or bushy structure and corresponding group RDN source attribute ID are configurable via macro replacement in ldap.properties.
| No Format |
|---|
edu.internet2.middleware.psp.structure=flat
edu.internet2.middleware.psp.cnSourceAttributeID=name
# edu.internet2.middleware.psp.structure=bushy
# edu.internet2.middleware.psp.cnSourceAttributeID=extension
|
Configure
You will need to configure Grouper to look for subjects in your ldap directory and you will need to configure how groups, stems, and memberships are provisioned to your ldap directory by the psp.
Several example configuration files are provided. Adjust and copy to the conf directory of your Grouper API installation.
| Note |
|---|
If you have already configured |
Configure the Provisioning Service Provider
The psp configuration files are :
| Maps source attributes returned by a Shibboleth attribute resolver to target objects. |
| The Shibboleth attribute resolver configuration file. |
| Configures Shibboleth attribute resolver services, including provisioning targets. |
| Bootstraps the Shibboleth attribute resolver. |
The configuration files for Grouper ldap subjects are :
| Configures Grouper subjects. |
| The vt-ldap configuration. Also used for macro replacement in the psp configuration files. |
Configure the Ldap Connection in sources.xml
Configure Grouper to look for subjects in your ldap directory by using the ldap source adapter. Connection information is defined in ldap.properties.
| No Format |
|---|
<source adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">
<id>ldap</id>
<name>LdapSourceAdapter</name>
<type>person</type>
<init-param>
<param-name>ldapProperties_file</param-name>
<param-value>ldap.properties</param-value>
</init-param>
|
Change the base DN to match your ldap directory in search configuration elements :
| No Format |
|---|
<param-name>base</param-name>
<param-value>ou=people,dc=example,dc=edu</param-value>
|
Configure the Ldap Connection in ldap.properties
Change the default base DN for ldap searches to match your ldap directory :
| No Format |
|---|
edu.vt.middleware.ldap.baseDn = dc=example,dc=edu
|
Configure authentication and encryption :
| No Format |
|---|
edu.vt.middleware.ldap.serviceUser=cn=Manager,dc=example,dc=edu
edu.vt.middleware.ldap.serviceCredential=secret
|
Change the default base DN (container) for provisioning people and groups :
| No Format |
|---|
# The base DN for groups.
edu.internet2.middleware.psp.groupsBaseDn = ou=groups,dc=example,dc=edu
# The base DN for people.
edu.internet2.middleware.psp.peopleBaseDn = ou=people,dc=example,dc=edu |
In an attempt to make life easier for deployers, the flat or bushy structure and corresponding group RDN source attribute ID are configurable via macro replacement in ldap.properties.
| No Format |
|---|
edu.internet2.middleware.psp.structure=flat
edu.internet2.middleware.psp.cnSourceAttributeID=name
# edu.internet2.middleware.psp.structure=bushy
# edu.internet2.middleware.psp.cnSourceAttributeID=extension
|
Configure the Ldap Connection in the Grouper UI
...