...
Attribute system name | Attribute display name | Required? | Description | Assignable to | Value type | Example value
---|---|---|---|---|---|---
grouperLoaderLdap | Grouper loader LDAP | required | This is the marker attribute that you assign to a group to mark it as a Grouper loader LDAP group | Groups | None | 
grouperLoaderLdapType | Grouper loader LDAP type | required | Like the SQL loader, this holds the type of job from the GrouperLoaderType enum; currently the only valid values are LDAP_SIMPLE, LDAP_GROUP_LIST and LDAP_GROUPS_FROM_ATTRIBUTES. LDAP_SIMPLE is a group loaded from an LDAP filter which returns subject ids or identifiers. LDAP_GROUP_LIST is an LDAP filter which returns group objects, and the group objects have a list of subjects. LDAP_GROUPS_FROM_ATTRIBUTES is an LDAP filter that returns subjects which have a multi-valued attribute (e.g. affiliations); a group is created for each attribute value, containing the subjects who have that value | grouperLoaderLdap | Enum | LDAP_SIMPLE
grouperLoaderLdapServerId | Grouper loader LDAP server ID | required | Server ID that is configured in grouper-loader.properties and identifies the connection information for the LDAP server. Note: if you use "dn", and dn is not an attribute of the object, then the fully qualified object name will be used | grouperLoaderLdap | String | personLdap (note: depends on your configuration)
grouperLoaderLdapFilter | Grouper loader LDAP filter | required | LDAP filter that returns objects which have subjectIds or subjectIdentifiers and a group name (if LDAP_GROUP_LIST) | grouperLoaderLdap | String | (affiliation=student)
grouperLoaderLdapSubjectAttribute | Grouper loader LDAP subject attribute name | required for LDAP_SIMPLE and LDAP_GROUP_LIST, optional for LDAP_GROUPS_FROM_ATTRIBUTES | Attribute name of the filter object result that holds the subject id. | grouperLoaderLdap | String | hasMember, or personId
grouperLoaderLdapGroupAttribute | Grouper loader LDAP group attribute name | required for LDAP_GROUPS_FROM_ATTRIBUTES | Attribute name of the filter object result that holds the group name. Note: in 2.1.5+ you can put multiple attribute names here, comma separated | grouperLoaderLdap | String | affiliation
grouperLoaderLdapSearchDn | Grouper loader LDAP search base DN | optional | Location that constrains the subtree where the filter is applied. Note: this is relative to the base DN in the LDAP server config in grouper-loader.properties for this server. This makes the query more efficient | grouperLoaderLdap | String | ou=people
grouperLoaderLdapQuartzCron | Grouper loader LDAP quartz cron | required | Quartz cron config string, e.g. every day at 8am is: 0 0 8 * * ? | grouperLoaderLdap | String | 0 0 8 * * ?
grouperLoaderLdapSourceId | Grouper loader LDAP source ID | optional | Source ID from sources.xml that narrows the search for subjects. This is optional but makes the loader job more efficient | grouperLoaderLdap | String | schoolPeople
grouperLoaderLdapSubjectIdType | Grouper loader LDAP subject ID type | optional | The type of subject ID. This can be either subjectId (most efficient, default), subjectIdentifier (2nd most efficient), or subjectIdOrIdentifier | grouperLoaderLdap | Enum | subjectId, subjectIdentifier, subjectIdOrIdentifier
grouperLoaderLdapSearchScope | Grouper loader LDAP search scope | optional | How deep in the subtree the search will take place. Can be OBJECT_SCOPE, ONELEVEL_SCOPE, or SUBTREE_SCOPE (default) | grouperLoaderLdap | Enum | OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
grouperLoaderLdapAndGroups | Grouper loader LDAP require in groups | optional | If you want to restrict membership in the dynamic group based on other group(s), put the list of group names here, comma-separated. If you put a group name in there (e.g. school:community:employee), the loader will 'and' that group with the member list from the loader, so only members of the group from the loader query who are also employees will be in the resulting group | grouperLoaderLdap | String | school:community:employee
grouperLoaderLdapPriority | Grouper loader LDAP scheduling priority | optional | Quartz has a fixed threadpool (max configured in grouper-loader.properties), and when the max is reached, jobs are prioritized by this integer. The higher the better; the default if not set is 5. | grouperLoaderLdap | Integer | 5
grouperLoaderLdapGroupsLike | Grouper loader LDAP groups like | optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES | This should be a SQL LIKE string (e.g. school:orgs:%org%_systemOfRecord), so the loader can query group names to see which groups are managed by this loader job. If a group falls off the loader result set (or is moved), this lets the loader remove the members from that group. Note: if the group is used anywhere as a member or composite member, it won't be removed. | grouperLoaderLdap | String | school:orgs:%org%_systemOfRecord
grouperLoaderLdapExtraAttributes | Grouper loader LDAP extra attributes | optional, for LDAP_GROUP_LIST | Attribute names (comma separated) to get LDAP data for expressions in group name, displayExtension, description | grouperLoaderLdap | String | name, description
grouperLoaderLdapErrorUnresolvable | Grouper loader LDAP error unresolvable | optional | Value can be true or false (default true). If true, there will be an error if there are unresolvable subjects in the results. If you know there are subjects in LDAP which are not resolvable by Grouper, set this to false and they will be ignored | grouperLoaderLdap | boolean | true or false (default true)
grouperLoaderLdapAttributeFilterExpression (2.1.4+) | Grouper loader LDAP JEXL expression to filter attributes in LDAP_GROUPS_FROM_ATTRIBUTES | optional |  | grouperLoaderLdap | String | 
grouperLoaderLdapGroupNameExpression | Grouper loader LDAP group name expression | optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES | JEXL expression language fragment that evaluates to the group name (relative to the stem of the group which has the loader definition). groupAttributes['dn'] is a variable in scope, as is groupAttributes['cn'], etc. | grouperLoaderLdap | String | 
grouperLoaderLdapGroupDisplayNameExpression | Grouper loader LDAP group display name expression | optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES | JEXL expression language fragment that evaluates to the group display name. groupAttributes['dn'] is a variable in scope, as is groupAttributes['cn'], etc. | grouperLoaderLdap | String | 
grouperLoaderLdapGroupDescriptionExpression | Grouper loader LDAP group description expression | optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES | JEXL expression language fragment that evaluates to the group description. groupAttributes['dn'] is a variable in scope, as is groupAttributes['cn'], etc. | grouperLoaderLdap | String | 
grouperLoaderLdapSubjectExpression | Grouper loader LDAP subject expression | optional | JEXL expression language fragment that processes the subject string before passing it to the subject API | grouperLoaderLdap | String | 
grouperLoaderLdapGroupTypes | Grouper loader LDAP group types | optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES | Comma separated GroupTypes which will be applied to the loaded groups. This enhancement exists so we can do a group list filter and attach addIncludeExclude to the groups. Note: if you do this (or use requireGroups), the group name in the loader query should end in the system of record suffix, which by default is _systemOfRecord. | grouperLoaderLdap | String | addIncludeExclude
grouperLoaderLdapReaders | Grouper loader LDAP group readers | optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES | Comma separated subjectIds or subjectIdentifiers who will be allowed to READ the group memberships. | grouperLoaderLdap | String | school:app:someApp:someAppReaders
grouperLoaderLdapViewers | Grouper loader LDAP group viewers | optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES | Comma separated subjectIds or subjectIdentifiers who will be allowed to VIEW the group. | grouperLoaderLdap | String | school:app:someApp:someAppViewers
grouperLoaderLdapAdmins | Grouper loader LDAP group admins | optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES | Comma separated subjectIds or subjectIdentifiers who will be allowed to ADMIN the group (view, read, update, delete, rename, etc.). | grouperLoaderLdap | String | school:app:someApp:someAppAdmins
grouperLoaderLdapUpdaters | Grouper loader LDAP group updaters | optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES | Comma separated subjectIds or subjectIdentifiers who will be allowed to UPDATE the group memberships. | grouperLoaderLdap | String | school:app:someApp:someAppUpdaters
grouperLoaderLdapOptins | Grouper loader LDAP group optins | optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES | Comma separated subjectIds or subjectIdentifiers who will be allowed to OPTIN to self membership of the group. | grouperLoaderLdap | String | school:app:someApp:someAppOptins
grouperLoaderLdapOptouts | Grouper loader LDAP group optouts | optional, for LDAP_GROUP_LIST or LDAP_GROUPS_FROM_ATTRIBUTES | Comma separated subjectIds or subjectIdentifiers who will be allowed to OPTOUT of self membership of the group. | grouperLoaderLdap | String | school:app:someApp:someAppOptouts
...
Variable | Represents | When set
---|---|---
subjectAttributes['subjectId'] | The subject id, identifier, or idOrIdentifier | When processing the subject, e.g. if you have a subjectAttribute config, it will be here
loaderLdapElUtils | The LoaderLdapElUtils class | Always
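To make the attributes in the two tables above concrete, here is an added Python model of one LDAP_GROUPS_FROM_ATTRIBUTES run. It is not Grouper's own code: it replays the loader semantics the tables describe (subject expression, group attribute, group name expression, groupsLike, andGroups and errorUnresolvable) over a constructed LDAP result set. The LDAP entries, group names, the resolvable-subject set and the `${...}` evaluator are all assumptions made for the example; real Grouper evaluates JEXL and removes memberships through its API.

```python
"""Model of one LDAP_GROUPS_FROM_ATTRIBUTES loader run (added example, not Grouper code)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed LDAP search result. "affiliation" is the multi-valued attribute
# that drives group creation (grouperLoaderLdapGroupAttribute).
LDAP_RESULTS = [
    {"dn": "uid=alice,ou=people", "uid": ["alice"], "affiliation": ["student", "employee"]},
    {"dn": "uid=bob,ou=people", "uid": ["bob"], "affiliation": ["student"]},
    {"dn": "uid=ghost,ou=people", "uid": ["ghost"], "affiliation": ["alumni"]},  # unknown to Grouper
    {"dn": "uid=carol,ou=people", "uid": ["carol"], "affiliation": []},
]

# Subjects the subject API (sources.xml) can resolve; "ghost" is not among them (constructed).
RESOLVABLE = {"alice", "bob", "carol", "dave"}

# Groups that already exist, as the loader sees them when applying groupsLike (constructed).
EXISTING_GROUPS = {
    "school:affil:student": {"alice", "dave"},
    "school:affil:retired": {"dave"},   # no LDAP entry carries this value any more
    "school:manual:other": {"dave"},    # outside the groupsLike pattern: left untouched
}

# Membership of the group named in grouperLoaderLdapAndGroups (constructed).
AND_GROUPS = {"school:community:employee": {"alice", "dave"}}

CFG = {
    "stem": "school",                                    # stem of the group holding the loader definition
    "groupAttribute": "affiliation",                     # grouperLoaderLdapGroupAttribute
    "subjectExpression": "${subjectAttributes['uid']}",  # grouperLoaderLdapSubjectExpression
    "groupNameExpression": "affil:${groupAttribute}",    # grouperLoaderLdapGroupNameExpression
    "groupsLike": "school:affil:%",                      # grouperLoaderLdapGroupsLike
    "andGroups": [],                                     # grouperLoaderLdapAndGroups
    "errorUnresolvable": False,                          # grouperLoaderLdapErrorUnresolvable
}


def render(expr: str, variables: dict) -> str:
    """Toy stand-in for JEXL: resolves only the two shapes used on this page,
    ${name} and ${name['key']} (assumption: not a real expression engine)."""
    def sub(match: "re.Match[str]") -> str:
        key = match.group(1).strip()
        if "[" in key:
            base, inner = key.split("[", 1)
            return str(variables[base][inner.rstrip("]").strip("'\"")])
        return str(variables[key])
    return re.sub(r"\$\{([^}]*)\}", sub, expr)


def sql_like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a SQL LIKE pattern (% = any run, _ = any one char) to an anchored regex."""
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$")


def run_loader(cfg, ldap_results, resolvable, existing_groups, and_groups) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Return (memberships after the run, warnings) for one loader execution."""
    desired: Dict[str, Set[str]] = {}
    warnings: List[str] = []
    for entry in ldap_results:
        # Flatten single-valued attributes so ${subjectAttributes['uid']} yields a string.
        attrs = {k: (v[0] if isinstance(v, list) and v else v) for k, v in entry.items()}
        subject = render(cfg["subjectExpression"], {"subjectAttributes": attrs})
        if subject not in resolvable:
            if cfg.get("errorUnresolvable", True):
                raise ValueError(f"unresolvable subject {subject!r}")  # default: the job fails
            warnings.append(f"skipped unresolvable subject {subject!r}")
            continue
        # One group per attribute value; the subject becomes a member of each.
        for value in entry.get(cfg["groupAttribute"], []):
            name = cfg["stem"] + ":" + render(cfg["groupNameExpression"], {"groupAttribute": value})
            desired.setdefault(name, set()).add(subject)
    # andGroups: keep only members who are also in every required group.
    for required in cfg.get("andGroups", []):
        for name in desired:
            desired[name] &= and_groups[required]
    # groupsLike: a group matching the pattern that no longer appears in the
    # result set loses its loader-managed members (modelled here as emptying it).
    after = {name: set(members) for name, members in existing_groups.items()}
    if cfg.get("groupsLike"):
        stale = sql_like_to_regex(cfg["groupsLike"])
        for name in after:
            if stale.match(name) and name not in desired:
                after[name] = set()
                warnings.append(f"removed members of stale group {name}")
    after.update(desired)
    return after, warnings


if __name__ == "__main__":
    memberships, notes = run_loader(CFG, LDAP_RESULTS, RESOLVABLE, EXISTING_GROUPS, AND_GROUPS)
    for group_name, members in sorted(memberships.items()):
        print(group_name, sorted(members))
    print(notes)
```

Two points worth noticing when running it: with errorUnresolvable left at its default the job aborts on the first unknown subject rather than silently loading a partial membership, and groupsLike is what lets the loader withdraw access from a group whose attribute value disappeared from LDAP, while groups outside the pattern are never touched.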
...
```
// GSH: create the group that carries the loader definition, plus two groups
// whose LDAP entries will act as the "subjects" of this inverted job
grouperSession = GrouperSession.startRootSession();
group = new GroupSave(grouperSession).assignName("yetAnotherStem:groupsFromAttributesLdapGroup").assignCreateParentStemsIfNotExist(true).save();
new GroupSave(grouperSession).assignName("test:testGroup").assignCreateParentStemsIfNotExist(true).save();
new GroupSave(grouperSession).assignName("test:testGroup2").assignCreateParentStemsIfNotExist(true).save();
// assign the grouperLoaderLdap marker attribute, then fetch the assignment to set values on it
attributeAssign = group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();
attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true);
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUPS_FROM_ATTRIBUTES");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(|(cn=test:testGroup)(cn=test:testGroup2))");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=groups");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "personLdap");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "g:gsa");
// the multi-valued hasmember attribute supplies the group names; cn supplies the subject identifier
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupAttributeName(), "hasmember");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectIdentifier");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupNameExpressionName(), "groups:${groupAttribute}");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), "${subjectAttributes['cn']}");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapExtraAttributesName(), "cn");
// run the job once and inspect the result
group = GroupFinder.findByName(grouperSession, "yetAnotherStem:groupsFromAttributesLdapGroup");
loaderRunOneJob(group);
getGroups("yetAnotherStem:groups");
getMembers("yetAnotherStem:groups:choate");
for (theGroup : getMembers("yetAnotherStem:groups:choate")) {print(theGroup.getName());}
// manual edits, then a second run to see the loader reconcile them
delMember("yetAnotherStem:groups:choate", "test:testGroup");
addMember("yetAnotherStem:groups:choate", "GrouperSystem");
loaderRunOneJob(group);
```
LDAP_GROUPS_FROM_ATTRIBUTES include/exclude example
I don't have a multi-valued user attribute, so I will just do an inverted loader job from the above: the group LDAP objects are the subjects (by identifier), and the values of the hasmember multi-valued attribute will be the groups :)
First I make sure these are set in grouper.properties:
```properties
#if the addIncludeExclude and requireInGroups should be enabled, and if the type(s) should be
#auto-created, and used to auto create groups to facilitate include and exclude lists, and require lists
grouperIncludeExclude.use = true
grouperIncludeExclude.requireGroups.use = true
```
Set up and run the loader. Note that the group name ends in _systemOfRecord.
```
// GSH: same setup as the previous example, but the loaded groups get the addIncludeExclude type
grouperSession = GrouperSession.startRootSession();
group = new GroupSave(grouperSession).assignName("yetAnotherStem:groupsFromAttributesLdapGroupIncludeExclude").assignCreateParentStemsIfNotExist(true).save();
new GroupSave(grouperSession).assignName("test:testGroup").assignCreateParentStemsIfNotExist(true).save();
new GroupSave(grouperSession).assignName("test:testGroup2").assignCreateParentStemsIfNotExist(true).save();
attributeAssign = group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();
attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true);
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUPS_FROM_ATTRIBUTES");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(|(cn=test:testGroup)(cn=test:testGroup2))");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=groups");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "personLdap");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "g:gsa");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupAttributeName(), "hasmember");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectIdentifier");
// the loader must write to the system-of-record group, hence the _systemOfRecord suffix in the name expression
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupNameExpressionName(), "groupsIncludeExclude:${groupAttribute}_systemOfRecord");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), "${subjectAttributes['cn']}");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapExtraAttributesName(), "cn");
// attach the addIncludeExclude group type to every loaded group
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupTypesName(), "addIncludeExclude");
group = GroupFinder.findByName(grouperSession, "yetAnotherStem:groupsFromAttributesLdapGroupIncludeExclude");
loaderRunOneJob(group);
getGroups("yetAnotherStem:groups");
getMembers("yetAnotherStem:groups:choate");
for (theGroup : getMembers("yetAnotherStem:groups:choate")) {print(theGroup.getName());}
delMember("yetAnotherStem:groups:choate", "test:testGroup");
addMember("yetAnotherStem:groups:choate", "GrouperSystem");
loaderRunOneJob(group);
```
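Both scripts above end the same way (delMember, addMember, then another loaderRunOneJob), and the point of the include/exclude variant is that the second run behaves differently. The following Python model is an added example, not Grouper code: the page gives the _systemOfRecord suffix and the idea of include, exclude and require lists, while the composite rule used here, effective = ((systemOfRecord ∪ includes) − excludes) ∩ each require group, and the way manual edits are routed into the includes/excludes sets are the author's assumptions about that pattern. Group and subject names are the constructed ones from the scripts.

```python
"""Why the loader targets <name>_systemOfRecord once addIncludeExclude is attached
(added example, not Grouper code; composite rule is an assumption)."""
from typing import Iterable, List, Optional, Set

SOR_SUFFIX = "_systemOfRecord"


class PlainLoaderGroup:
    """A loader group without addIncludeExclude: the loader owns the whole membership."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.members: Set[str] = set()

    def loader_run(self, loaded: Iterable[str]) -> None:
        # The loader reconciles the group to exactly what the query returned,
        # so any manual add/remove made in between is undone.
        self.members = set(loaded)

    def effective(self) -> Set[str]:
        return set(self.members)


class IncludeExcludeGroup:
    """A loader group with addIncludeExclude: the loader writes only the
    <name>_systemOfRecord group; manual overrides live in separate sets."""

    def __init__(self, name: str, require_groups: Optional[List[Set[str]]] = None) -> None:
        self.name = name
        self.system_of_record_name = name + SOR_SUFFIX  # what the group name expression must produce
        self.system_of_record: Set[str] = set()
        self.includes: Set[str] = set()                  # manual additions
        self.excludes: Set[str] = set()                  # manual removals
        self.require_groups = require_groups or []      # grouperIncludeExclude.requireGroups.use = true

    def loader_run(self, loaded: Iterable[str]) -> None:
        # Only the system-of-record set is replaced; includes/excludes survive.
        self.system_of_record = set(loaded)

    def effective(self) -> Set[str]:
        # Assumed composite: (systemOfRecord | includes) - excludes, then and-ed with require groups.
        result = (self.system_of_record | self.includes) - self.excludes
        for required in self.require_groups:
            result &= required
        return result


def replay_page_script(group) -> Set[str]:
    """Replay the tail of the scripts above: load, drop test:testGroup, add
    GrouperSystem, then let the loader run again, and report the final membership."""
    loaded = {"test:testGroup", "test:testGroup2"}
    group.loader_run(loaded)
    if isinstance(group, IncludeExcludeGroup):
        group.excludes.add("test:testGroup")   # the manual removal, recorded as an exclude
        group.includes.add("GrouperSystem")    # the manual addition, recorded as an include
    else:
        group.members.discard("test:testGroup")  # edits made directly to the loader's own group
        group.members.add("GrouperSystem")
    group.loader_run(loaded)  # the next scheduled run
    return group.effective()


if __name__ == "__main__":
    print("plain:", sorted(replay_page_script(PlainLoaderGroup("yetAnotherStem:groups:choate"))))
    print("include/exclude:", sorted(replay_page_script(IncludeExcludeGroup("groupsIncludeExclude:choate"))))
```

Running it shows the contrast: on the plain group the second loader run silently reverts both manual changes, so a hand-granted access never sticks and a hand-revoked one quietly comes back; on the include/exclude group the loader refreshes only the system-of-record set and the overrides persist, which is why the group name expression in the second script has to end in _systemOfRecord.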
...