...
| No Format |
|---|
|
<param-name>base</param-name>
<param-value>ou=people,dc=example,dc=edu</param-value>
...
|
Changing the LDAP Subject Source Id
The id of the Grouper LDAP subject source adapter, <id>ldap</id>, appears in several psp configuration files. If your Grouper LDAP subject source adapter id is not "ldap", you should read the following and make changes to your psp configuration files.
In the psp service configuration psp-services.xml, the LDAP target to be provisioned re-uses the same pooled vt-ldap connection as the Grouper LDAP subject source adapter. The value of the vt-ldap pool id property ldapPoolId="ldap" should match the Grouper LDAP subject source adapter id <id>ldap</id> in sources.xml. If your Grouper LDAP subject source id is <id>ad</ad>, then the vt-ldap pool id should be ldapPoolId="ad".
Also in the psp service configuration psp-services.xml, the id of the LDAP target to be provisioned, id="ldap", is the SPMLv2 targetId which should match the targetId attribute of <identifier/> elements in the psp configuration file.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | psp-services.xml |
|---|
|
<!-- The ldap target. The ldapPoolIdSource is either "grouper" or "spring". -->
<!-- If ldapPoolIdSource is "spring", the ldapPoolId must be the id of the ldap pool bean in the vt-ldap xml spring configuration. -->
<!-- If ldapPoolIdSource is "grouper", the ldapPoolId must be the id of the LdapSourceAdapter in sources.xml -->
<Service
id="ldap"
xsi:type="psp-ldap-target:LdapTarget"
logSpml="true"
ldapPoolId="ldap"
ldapPoolIdSource="grouper">
<!-- A <ConfigurationResource/> is required to instantiate the <Service/>, so supply a do-nothing resource. -->
<ConfigurationResource
file="/edu/internet2/middleware/psp/util/empty-bean.xml"
xsi:type="resource:ClasspathResource" />
</Service>
|
In the psp configuration file psp.xml, the target id of the <identifier/> element of objects to be provisioned, targetId="ldap", should match the LDAP target id <Service id="ldap"/> as defined in psp-services.xml. If your Grouper LDAP subject source id is <id>ad</id>, you do NOT need to change the targetId.
| Code Block |
|---|
|
<!-- The ladp group DN. -->
<identifier
ref="groupDn"
targetId="ldap"
containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />
|
In the attribute resolver configuration psp-resolver.xml, the Grouper LDAP subject source id, <id>ldap</id>, appears in several elements.
The first place that Grouper LDAP subject source id "ldap" appears in the attribute resolver configuration is in the element which defines that the MemberDataConnector should return the "dn" attribute for Grouper members whose subject source is "ldap". The "dn" attribute is used as the identifier of provisioned member objects. If your Grouper LDAP subject source id is <id>ad</id>, then the source of the "dn" attribute should be source="ad".
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | psp-resolver.xml |
|---|
|
<!-- The MemberDataConnector returns attributes representing the member whose subject id or identifier is the principal
name. -->
<resolver:DataConnector
id="MemberDataConnector"
xsi:type="grouper:MemberDataConnector">
<!-- Return the "dn" attribute of members whose subject source id is "ldap". -->
<grouper:Attribute
id="dn"
source="ldap" />
</resolver:DataConnector>
|
The second place that "ldap" appears in the attribute resolver configuration is in the element which defines that the "id" attribute should be returned as values of the "membersLdap" attribute for Grouper members whose subject source is "ldap". The values of the "membersLdap" attribute definition, Grouper LDAP subject ids, are used to calculate group memberships. If your Grouper LDAP subject source id is <id>ad</id>, then the source of the "membersLdap" attribute should be source="ad".
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | psp-resolver.xml |
|---|
|
<!-- The values of the "membersLdap" attribute are the subject ids of group members from the "ldap" source. -->
<resolver:AttributeDefinition
id="membersLdap"
xsi:type="grouper:Member"
sourceAttributeID="members">
<resolver:Dependency ref="GroupDataConnector" />
<!-- The values of the "id" attribute are the identifiers of subjects whose source id is "ldap". -->
<grouper:Attribute
id="id"
source="ldap" />
</resolver:AttributeDefinition>
|
The third place that "ldap" appears in the attribute resolver configuration is in the element which defines that the "id" attribute should be returned as values of the "changeLogMembershipLdapSubjectId" attribute for Grouper members whose subject source is "ldap". The values of the "changeLogMembershipLdapSubjectId" attribute definition, Grouper LDAP subject ids, are used to calculate group memberships during processing of change log entries. If your Grouper LDAP subject source id is <id>ad</id>, then the sourceId should contain "ad", for example, sourceId.getValues().contains("ad").
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | psp-resolver.xml |
|---|
|
<!-- The value of the "changeLogMembershipLdapSubjectId" attribute is the subject identifier of the "ldap" source member
of a membership change log entry. -->
<resolver:AttributeDefinition
id="changeLogMembershipLdapSubjectId"
xsi:type="ad:Script">
<resolver:Dependency ref="AddMembershipChangeLogDataConnector" />
<resolver:Dependency ref="DeleteMembershipChangeLogDataConnector" />
<ad:Script><![CDATA[
// Import Shibboleth attribute provider.
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
// Create the attribute to be returned.
changeLogMembershipLdapSubjectId = new BasicAttribute("changeLogMembershipLdapSubjectId");
// Return 'subjectId' attribute values if the 'sourceId' attribute is 'ldap'.
if (typeof sourceId != "undefined" && sourceId != null ){
if (sourceId.getValues().contains("ldap")) {
if (typeof subjectId != "undefined" && subjectId != null ){
changeLogMembershipLdapSubjectId.getValues().add(subjectId.getValues().get(0));
}
}
}
]]></ad:Script>
</resolver:AttributeDefinition>
|
Configure LDAP Subject Source in Grouper UI
...