The psp-grouper-ldap project provides a Shibboleth attribute resolver attribute definition which maps Grouper names to ldap DNs.

For example, a Grouper group with name edu:courses:course will be mapped to the ldap DN cn=course,ou=courses,ou=edu,ou=groups,dc=example,dc=edu.

Based on a request from the University of Montreal, the Grouper base stem to be provisioned may be omitted from ldap DNs when the structure is bushy, that is, when the ldap DN mirrors the Grouper stem hierarchy. For example, for the Grouper group with name edu:courses:course, if the edu.internet2.middleware.psp.baseStem property is 'edu', then the resulting ldap DN will be cn=course,ou=courses,ou=groups,dc=example,dc=edu. The following table describes the effect of the base stem to be provisioned when the structure is bushy :

|| grouper base stem || grouper name || ldap dn ||
| (empty) | edu:courses:course | cn=course,ou=courses,ou=edu,ou=groups,dc=example,dc=edu |
| edu | edu:courses:course | cn=course,ou=courses,ou=groups,dc=example,dc=edu |

{code:xml|title=psp-resolver.xml}
  <!-- The LDAP DN of a group. For example, "cn=groupExtension,ou=stem,ou=groups,dc=example,dc=edu". -->
  <resolver:AttributeDefinition
    id="groupDn"
    xsi:type="psp-grouper-ldap:LdapDnFromGrouperNamePSOIdentifier"
    structure="${edu.internet2.middleware.psp.structure}"
    sourceAttributeID="groupNameInStem"
    rdnAttributeName="cn"
    baseDn="${edu.internet2.middleware.psp.groupsBaseDn}"
    baseStem="${edu.internet2.middleware.psp.baseStem}">
    <!-- Dependencies which return a "groupNameInStem" attribute whose value is the group name. -->
    <resolver:Dependency ref="groupNameInStem" />
  </resolver:AttributeDefinition>
{code}
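The mapping described above, worked through in code. This is an added example and not psp-grouper-ldap code: it reproduces the bushy-structure rows of the table (extension becomes the cn RDN, each remaining stem becomes an ou, the base stem is dropped when set) and adds the RFC 4514 escaping of RDN values that any DN built from user-editable names needs. The 'flat' branch, which uses the remaining Grouper name as the whole RDN value, is an assumption about the other structure value and is not documented on this page.

```python
"""Grouper name -> LDAP DN, following the bushy-structure table above.

Added worked example, not psp code. The 'flat' branch is an assumption
about the other structure value and is not described on this page.
"""

# RFC 4514 section 2.4: characters that must be escaped in an RDN value.
_DN_SPECIALS = set('\\,+"<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514.

    Without this, a Grouper extension such as 'x,ou=admins' would be spliced
    into the DN as an extra RDN and land the group in another container.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')          # leading/trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')          # leading hash
        else:
            out.append(ch)
    return ''.join(out)


def strip_base_stem(parts, base_stem):
    """Drop the base stem's components from the front of a split Grouper name."""
    if not base_stem:
        return parts
    stem_parts = base_stem.split(':')
    # Match whole components only ('edu' must not match 'education'), and the
    # group must lie strictly below the base stem.
    if parts[:len(stem_parts)] != stem_parts or len(parts) <= len(stem_parts):
        raise ValueError(f"{':'.join(parts)!r} is not below base stem {base_stem!r}")
    return parts[len(stem_parts):]


def is_under_base_stem(name: str, base_stem: str) -> bool:
    """True if name would be provisioned under base_stem."""
    try:
        strip_base_stem(name.split(':'), base_stem)
        return True
    except ValueError:
        return False


def grouper_name_to_dn(name, base_dn, rdn_attribute='cn', base_stem='', structure='bushy'):
    """Build the LDAP DN for a Grouper group name."""
    parts = name.split(':')
    if not name or '' in parts:
        raise ValueError(f"malformed Grouper name {name!r}")
    parts = strip_base_stem(parts, base_stem)
    if structure == 'bushy':
        # Extension is the RDN; remaining stems become ou RDNs, nearest first.
        rdns = [f"{rdn_attribute}={escape_rdn_value(parts[-1])}"]
        rdns += [f"ou={escape_rdn_value(stem)}" for stem in reversed(parts[:-1])]
    elif structure == 'flat':
        # Assumption (not from this page): every group sits directly under
        # baseDn with the remaining name as the RDN value.
        rdns = [f"{rdn_attribute}={escape_rdn_value(':'.join(parts))}"]
    else:
        raise ValueError(f"unknown structure {structure!r}")
    return ','.join(rdns + [base_dn])


if __name__ == '__main__':
    base = 'ou=groups,dc=example,dc=edu'
    for stem in ('', 'edu'):
        print(stem or '(empty)', '->', grouper_name_to_dn('edu:courses:course', base, base_stem=stem))
    # A hostile extension stays a single RDN value instead of becoming an extra RDN.
    print(grouper_name_to_dn('edu:x,ou=admins', base))
```

Running the module prints the two table rows, then shows that an extension containing `,ou=admins` is escaped to `cn=x\,ou\=admins,...` rather than relocating the entry.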

By default, the psp-example-* configuration files use the Grouper name to create ldap DNs. It is also possible to create ldap DNs from the Grouper displayName by changing the relevant sourceAttributeID to "displayName". Since a displayName is free text that can be edited, DNs derived from it change whenever a display extension is renamed, and display extensions may contain characters (commas, plus signs, quotes) that must be escaped in a DN.

{code:xml|title=psp-resolver.xml}
  <resolver:AttributeDefinition
    id="groupNameInStem"
    xsi:type="grouper:FilteredName"
    sourceAttributeID="displayName">
    ...
{code}

h4. Configure Grouper Stem to be Provisioned
----
Configure the name of the Grouper stem to be provisioned, by default this is the root stem, which is the empty string.

The Grouper stem to be provisioned is configured in {{ldap.properties}}.
{noformat:title=ldap.properties}
# The base Grouper stem to be provisioned.
edu.internet2.middleware.psp.baseStem=
{noformat}

h4. Configure Grouper Change Log
----
The Grouper change log is configured in {{grouper-loader.properties}}.

To enable change log provisioning :
{noformat:title=grouper-loader.properties}
changeLog.consumer.psp.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
{noformat}

To schedule when the change log is processed :
{noformat:title=grouper-loader.properties}
changeLog.consumer.psp.quartzCron = 0 * * * * ?
{noformat}

To run full synchronizations periodically (by default every day at 5am) :
{noformat:title=grouper-loader.properties}
changeLog.psp.fullSync.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
changeLog.psp.fullSync.quartzCron = 0 0 5 * * ?
{noformat}

To run a full synchronization job at loader startup :
{noformat:title=grouper-loader.properties}
changeLog.psp.fullSync.runAtStartup = true
{noformat}

Note that Quartz cron expressions have a leading seconds field, so {{0 * * * * ?}} runs at the start of every minute and {{0 0 5 * * ?}} runs once a day at 05:00. The Quartz cron string documentation is [here|http://www.quartz-scheduler.org/documentation/quartz-1.x/tutorials/crontrigger].

h4. Configure Grouper Logging
----
You may want to change the Grouper log file appenders in {{grouper.apiBinary-2.1.0/conf/log4j.properties}}.

{noformat:title=log4j.properties}
log4j.appender.grouper_error                            = org.apache.log4j.DailyRollingFileAppender
log4j.appender.grouper_error.File                       = ${grouper.home}logs/grouper_error.log
log4j.appender.grouper_error.DatePattern                = '.'yyyy-MM-dd

log4j.appender.grouper_event                            = org.apache.log4j.DailyRollingFileAppender
log4j.appender.grouper_event.File                       = ${grouper.home}logs/grouper_event.log
log4j.appender.grouper_event.DatePattern                = '.'yyyy-MM-dd
{noformat}

h4. Configure Grouper Versions Prior to 2.1.0
----
{note}
The following changes are necessary to support provisioning Grouper API versions prior to 2.1.0 with the psp.
{note}

1. For Grouper versions prior to 2.1.0, there is a bug which will throw a NullPointerException if the following is not present in {{sources.xml}} :

{noformat:title=sources.xml}
<search>
    <searchType>searchSubjectByIdentifierAttributes</searchType>
    <param>
        <param-name>filter</param-name>
        <param-value>
            (&amp;(uid=%TERM%)(objectclass=person))
        </param-value>
    </param>
    <param>
        <param-name>scope</param-name>
        <param-value>SUBTREE_SCOPE</param-value>
    </param>
    <param>
        <param-name>base</param-name>
        <param-value>ou=people,dc=example,dc=edu</param-value>
    </param>
</search>
{noformat}

2. For versions prior to 2.1.0, the location of {{ldap.properties}} specified in {{sources.xml}} must be an absolute path. For versions 2.1.0 or later, the location of {{ldap.properties}} may be an absolute path or in your Java classpath.


For example, Grouper API version 2.0.3 requires an absolute path to ldap.properties in {{sources.xml}} :

{noformat:title=sources.xml}
<init-param>
    <param-name>ldapProperties_file</param-name>
    <param-value>/opt/grouper/2.0.3/grouper.apiBinary-2.0.3/conf/ldap.properties</param-value>
</init-param>
{noformat}

For Grouper UI and WS versions prior to 2.1.0, the path to {{ldap.properties}} specified in {{sources.xml}} will be different than in the Grouper API since the psp specific search result handlers must be commented out or removed in the Grouper UI :

{noformat:title=sources.xml}
<init-param>
    <param-name>ldapProperties_file</param-name>
    <param-value>/opt/grouper/2.0.3/grouper.ui-2.0.3/dist/grouper/WEB-INF/classes/ldap.properties</param-value>
</init-param>
{noformat}

3. For Grouper API versions prior to 2.1.0, the ldap source adapter in {{subject.jar}} does not provide the method which allows the psp to re-use the same ldap connection as the subject source. You will need to copy {{lib/grouper/subject.jar}} from the Grouper 2.1.0 API distribution to your pre-2.1.0 Grouper API installation.
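The {{searchSubjectByIdentifierAttributes}} filter in step 1 above substitutes a search term at {{%TERM%}} (the {{&amp;}} in the XML is just entity escaping for {{&}}). How a given Grouper or Subject API version performs that substitution is not described on this page; the following is an added example, not Grouper code, of doing it with RFC 4515 escaping so that a term can never change the shape of the filter it is dropped into. The template and the hostile sample term are the only inputs and are constructed here.

```python
"""Safe %TERM% substitution for a subject-source LDAP filter.

Added example, not Grouper/Subject API code. The template is the filter from
the sources.xml fragment above; the hostile term is a constructed sample.
"""

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}

SUBJECT_FILTER_TEMPLATE = '(&(uid=%TERM%)(objectclass=person))'


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it matches literally (no wildcards, no nesting)."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, term: str, placeholder: str = '%TERM%') -> str:
    """Substitute an escaped term into the template.

    The placeholder must occur exactly once so the term cannot be applied to
    an attribute the operator did not intend.
    """
    if template.count(placeholder) != 1:
        raise ValueError(f"template must contain {placeholder} exactly once")
    return template.replace(placeholder, escape_filter_value(term))


def render_filter_unsafe(template: str, term: str, placeholder: str = '%TERM%') -> str:
    """Naive substitution, kept only to show what escaping prevents."""
    return template.replace(placeholder, term)


def filter_shape(filter_str: str):
    """(open, close) parenthesis counts: a properly escaped term never alters these."""
    return filter_str.count('('), filter_str.count(')')


if __name__ == '__main__':
    # A term that tries to add its own assertion and a wildcard.
    hostile = '*)(uid=*'
    print('unsafe:', render_filter_unsafe(SUBJECT_FILTER_TEMPLATE, hostile))
    print('safe:  ', render_filter(SUBJECT_FILTER_TEMPLATE, hostile))
```

With the hostile term, the unsafe rendering gains a fourth filter item (`(uid=*)`) and matches every person, while the escaped rendering keeps the template's three items and searches for the literal string. The same escaping applies to any other attribute the filter is changed to match on.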


h4. Configure Subject API Cache
----
The Subject API cache is configured in {{grouper.ehcache.xml}}.

Adjust {{maxElementsInMemory}} to be greater than or equal to the number of subjects.

Adjust {{timeToIdleSeconds}} and {{timeToLiveSeconds}} to control how long a resolved subject may be served from the cache before it is read again from the subject source. Longer values reduce the number of ldap queries made during a full synchronization, at the cost of serving stale subject data for that long.

To check the cache behaviour, resolve subjects through {{gsh.sh}} and inspect the cache hit/miss ratios in the debug log.

As of Grouper version 2.1.0, which uses Ehcache 2.4, {{statistics}} must be {{"true"}} to collect statistics which are logged at {{DEBUG}} level.

{code:xml|title=grouper.ehcache.xml}
<!-- Subject resolving caching -->

 <!-- @see   CachingResolver#find(...) -->
 <cache  name="edu.internet2.middleware.grouper.subj.CachingResolver.Find"
         maxElementsInMemory="5000"
         eternal="false"
         timeToIdleSeconds="30"
         timeToLiveSeconds="120"
         overflowToDisk="false"
         statistics="true"
 />

 <!-- @see   CachingResolver#findAll(...) -->
 <cache  name="edu.internet2.middleware.grouper.subj.CachingResolver.FindAll"
         maxElementsInMemory="5000"
         eternal="false"
         timeToIdleSeconds="30"
         timeToLiveSeconds="120"
         overflowToDisk="false"
         statistics="true"
 />

 <!-- @see   CachingResolver#findByIdentifier(...) -->
 <cache  name="edu.internet2.middleware.grouper.subj.CachingResolver.FindByIdentifier"
         maxElementsInMemory="5000"
         eternal="false"
         timeToIdleSeconds="30"
         timeToLiveSeconds="120"
         overflowToDisk="false"
         statistics="true"
 />

 <!-- @see   CachingResolver#findByIdOrIdentifier(...) -->
 <cache  name="edu.internet2.middleware.grouper.subj.CachingResolver.FindByIdOrIdentifier"
         maxElementsInMemory="5000"
         eternal="false"
         timeToIdleSeconds="30"
         timeToLiveSeconds="120"
         overflowToDisk="false"
         statistics="true"
 />

{code}
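A check for the two points made above, that each Subject API cache holds at least as many elements as there are subjects and that statistics are enabled so hit/miss ratios are logged. This is an added example, not Grouper code. {{SAMPLE_EHCACHE_XML}} is constructed here from the fragment above, with {{statistics}} deliberately left off one cache so the check has something to report; point {{check_subject_caches}} at the contents of your real {{grouper.ehcache.xml}} and your subject count to use it.

```python
"""Check Subject API caches in grouper.ehcache.xml: size vs. subject count,
and statistics enabled.

Added example, not Grouper code. SAMPLE_EHCACHE_XML is constructed from the
fragment on this page, with statistics="false" on one cache on purpose.
"""

import xml.etree.ElementTree as ET
from typing import List

CACHING_RESOLVER_PREFIX = 'edu.internet2.middleware.grouper.subj.CachingResolver.'

SAMPLE_EHCACHE_XML = """<ehcache>
  <cache name="edu.internet2.middleware.grouper.subj.CachingResolver.Find"
         maxElementsInMemory="5000" eternal="false"
         timeToIdleSeconds="30" timeToLiveSeconds="120"
         overflowToDisk="false" statistics="true" />
  <cache name="edu.internet2.middleware.grouper.subj.CachingResolver.FindAll"
         maxElementsInMemory="5000" eternal="false"
         timeToIdleSeconds="30" timeToLiveSeconds="120"
         overflowToDisk="false" statistics="false" />
  <cache name="edu.internet2.middleware.grouper.subj.CachingResolver.FindByIdentifier"
         maxElementsInMemory="5000" eternal="false"
         timeToIdleSeconds="30" timeToLiveSeconds="120"
         overflowToDisk="false" statistics="true" />
  <cache name="edu.internet2.middleware.grouper.subj.CachingResolver.FindByIdOrIdentifier"
         maxElementsInMemory="5000" eternal="false"
         timeToIdleSeconds="30" timeToLiveSeconds="120"
         overflowToDisk="false" statistics="true" />
</ehcache>
"""


def _local_name(tag: str) -> str:
    """Strip any XML namespace so the check also works on namespaced files."""
    return tag.rsplit('}', 1)[-1]


def check_subject_caches(ehcache_xml: str, subject_count: int) -> List[str]:
    """Return one finding per problem found in the CachingResolver caches."""
    root = ET.fromstring(ehcache_xml)
    findings = []
    seen = 0
    for cache in root.iter():
        if _local_name(cache.tag) != 'cache':
            continue
        name = cache.get('name', '')
        if not name.startswith(CACHING_RESOLVER_PREFIX):
            continue
        seen += 1
        short = name[len(CACHING_RESOLVER_PREFIX):]
        max_elems = int(cache.get('maxElementsInMemory', '0'))
        if max_elems < subject_count:
            findings.append(f"{short}: maxElementsInMemory={max_elems} is below {subject_count} subjects")
        if cache.get('statistics', 'false').lower() != 'true':
            findings.append(f"{short}: statistics not enabled, hit/miss ratios will not be logged")
    if seen == 0:
        findings.append('no CachingResolver caches found')
    return findings


if __name__ == '__main__':
    for finding in check_subject_caches(SAMPLE_EHCACHE_XML, 8000):
        print(finding)
```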