In a Grouper v2.5 container build we will re-organize the configuration for external systems. In general this will consolidate most the credentials that grouper uses (except to its own database).
In the Grouper UI you will be able to review all the configured external systems in one place with an easy-to-use UI.
We will try not to make changes to how these things are configured so that few or no changes are needed to leverage the new functionality.
This will assume you are storing configuration in the database, since the UI needs to save its settings. If you do not want encrypted passwords in the database you will be able to enter a scriptlet to get the password from an environment variable or other place.
UI changes to "misc"
- In "Misc" will we re-organize and have a top section for Grouper registry end user links, and an "Administration" section (the only shows for administrators) that move the following links underneath
- Configure
- Daemon jobs
- Loader jobs
- External systems (e.g. LDAP, database, etc)
- Subject API diagnostics
- Unresolvable subject
Screens
- Main screen shows table of external system sorted by type, and name
- Name
- Type
- Show some of the configuration
- If enabled
- "Test all" button
- Drop down with actions (View, Edit, Delete, Enable, Disable, Test)
- Detail screen
- Drop down to
- View
- Enable/disable
- Test
- Edit
- Delete (with a confirm)
- Show all configuration readonly
- Test by default and show status at top
- Section for "Used by" (which provisioners/loaders use it, clickable to each provisioner/loader (TODO LATER)
- Drop down to
- Edit screen
- Standard label/form element/documentation look and feel, indicator if required, etc
- Allow scriptlets for value (checkbox)
- Checkbox for if password
- Show default value if not entered
Technical details
- GrouperExternalSystem abstract class per type (one for LDAP, one for SQL, etc)
- configId property
- enabled property
- Validate (test) method (optional)
- saveConfig() method
- listAllExternalSystemsOfThisType() method to get a list of all of this type (e.g. all LDAP systems)
- retrieveAllUsedBy() returns everything that uses this
- GrouperExternalSystemUsedBy
- name
- links to externalized text
- return list of attributes
- GrouperExternalSystemAttribute
- type
- standard validations
- links to externalized text
- order
- required?
- get value
- configSuffix
- default value
Identify the external systems and properties
LDAP connections in grouper-loader.properties
ldap.<connectionId>.attributeName
e.g. ldap.personLdap.url
https://www.ldaptive.org/v1/docs/guide/connections/pooling.html
| Attribute | Type | Default | Notes |
|---|---|---|---|
| url | String | required. Explain that for provisioning the URL should point to one node for consistency | |
user | String | optional | |
pass | String | encrypted if a password. Save this like the configuration editor saves | |
configFileFromClasspath | String | ||
| isActiveDirectory | Boolean | ||
tls | Boolean | ||
| saslAuthorizationId | String | ||
| saslRealm | String | ||
| batchSize | Integer | ||
| countLimit | Integer | ||
| timeLimit | Integer | time limit for search operations in millis | |
| timeout | Integer | timeout to get a connection in millis | |
| minPoolSize | Integer | 3 | |
| maxPoolSize | Integer | 10 | |
| validateOnCheckIn | Boolean | ||
| validateOnCheckOut | Boolean | defaults to true if all other validate methods are false | |
| validatePeriodically | Boolean | ||
| validateTimerPeriod | String | PT30M | |
| pruneTimerPeriod | String | ||
| pagedResultsSize | Integer | needs to be equal to or less than the max result size server setting | |
| referral | String | set to 'follow' if using AD and using paged results size and need this for some reason (generally you shouldnt) | |
| validator | String | drop down. validator setup, currently supports CompareLdapValidator and SearchValidator. additional properties below for CompareLdapValidator. | |
| validatorCompareDn | String | required for CompareLdapValidator. check this DN exists when saving connection. e.g. ou=people,dc=example,dc=com | |
| validatorCompareAttribute | String | required for CompareLdapValidator. e.g. ou check this DN exists when saving connection | |
| validatorCompareValue | String | required for CompareLdapValidator. e.g. people | |
| searchResultHandlers | String | comma-delimited list of classes to process LDAP search results. Useful if AD returns a ranged attribute for large # groups (e.g., member;range=0-1499); include the GrouperRangeEntryHandler to handle progressive fetching. | |
| searchIgnoreResultCodes | String | comma-delimited list of result codes (org.ldaptive.ResultCode) to ignore, e.g. TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS |
Database from grouper-loader.properties
db.<connectionId>.url
e.g. db.warehouse.url
| Attribute | Type | Default | Notes |
|---|---|---|---|
| url | String | Required e.g. mysql: jdbc:mysql://localhost:3306/grouper?useSSL=false | |
| user | String | ||
| pass | String | Save this like the configuration editor saves | |
| driver | String | note: you probably dont have to enter a driver, it will detect from URL. If it cant detect, then specify it here. | |
| c3p0.max_size | Integer | optional pooling params, these will default to the grouper.hibernate(.base).properties pooling settings (get that value for the UI from that config) | |
| c3p0.min_size | Integer | ||
| c3p0.timeout | Integer | seconds | |
| c3p0.max_statements | Integer | ||
| c3p0.idle_test_period | Integer | ||
| c3p0.acquire_increment | Integer | ||
| c3p0.validate | Boolean | ||
| c3p0.debugUnreturnedConnectionStackTraces | Boolean | if unreturnedConnectionTimeout is non zero, then if connection takes too long it will be logged as stack | |
| c3p0.unreturnedConnectionTimeout | Integer |