Versions Compared

Old Version 174

changes.mady.by.user Tom Zeller

Saved on

compared with

New Version 175

changes.mady.by.user Tom Zeller

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Configure LDAP Subject Source in Grouper WS

TODO

Configure LDAP DNs Created from Grouper Names

...

A provisioned object requires a unique identifier. When provisioning an ldap target, provisioned object identifiers are ldap distinguished names (DNs).

The psp-grouper-ldap project provides a Shibboleth attribute resolver attribute definition which maps Grouper names to ldap DNs.

For example, a Grouper group with name edu:courses:course will be mapped to the ldap DN cn=course,ou=courses,ou=edu,ou=groups,dc=example,dc=edu.

Based on a request from the University of Montreal, the Grouper base stem to be provisioned may be omitted from ldap DNs. For example, for the Grouper group with name edu:courses:course, if the edu.internet2.middleware.psp.baseStem property is 'edu', then the resulting ldap DN will be cn=course,ou=courses,ou=groups,dc=example,dc=edu. The following table describes the affect of the base stem to be provisioned :

grouper base stem

grouper name

ldap dn

 

edu:courses:course

cn=course,ou=courses,ou=edu,ou=groups,dc=example,dc=edu

edu

edu:courses:course

cn=course,ou=courses,ou=groups,dc=example,dc=edu

Code Block
xml
xml
titlepsp-resolver.xml

  <!-- The LDAP DN of a group. For example, "cn=groupExtension,ou=stem,ou=groups,dc=example,dc=edu". -->
  <resolver:AttributeDefinition
    id="groupDn"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="${edu.internet2.middleware.psp.structure}"
    sourceAttributeID="name"
    rdnAttributeName="cn"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependencies which return a "groupNameInStem" attribute whose value is the group name. -->
    <resolver:Dependency ref="group

By default, the psp-example-* configuration files use the Grouper name to create ldap DNs. It is also possible to create ldap DNs from the Grouper displayName.

Configure Grouper Stem to be Provisioned

...