In a Grouper v2.5 container build we will re-organize the configuration for external systems. In general this will consolidate most of the credentials that Grouper uses (except the credentials for its own database).
In the Grouper UI you will be able to review all the configured external systems in one place with an easy-to-use UI.
We will try not to change how these things are configured, so that few or no changes are needed to take advantage of the new functionality.
This assumes you are storing configuration in the database, since the UI needs somewhere to save its settings. If you do not want encrypted passwords in the database, you will be able to enter a scriptlet that fetches the password from an environment variable or another location at runtime.
UI changes to "misc"
- In "Misc" we will re-organize: a top section for Grouper registry end-user links, and an "Administration" section (shown only to administrators) that moves the following links underneath it:
- Configure
- Daemon jobs
- Loader jobs
- External systems (e.g. LDAP, database, etc)
- Subject API diagnostics
- Unresolvable subjects
Screens
- Main screen shows a table of external systems sorted by type and name
- Name
- Type
- Show some of the configuration
- If enabled
- "Test all" button
- Drop down with actions (View, Edit, Delete, Enable, Disable, Test)
- Detail screen
- Drop down to
- View
- Enable/disable
- Test
- Edit
- Delete (with a confirm)
- Show all configuration readonly
- Test by default and show status at top
- Section for "Used by" (which provisioners/loaders use it), clickable through to each provisioner/loader (TODO LATER)
- Edit screen
- Standard label/form element/documentation look and feel, indicator if required, etc
- Allow scriptlets for value (checkbox)
- Checkbox for if password
- Show default value if not entered
Technical details
- GrouperExternalSystem abstract class per type (one for LDAP, one for SQL, etc)
- configId property
- enabled property
- Validate (test) method (optional)
- saveConfig() method
- listAllExternalSystemsOfThisType() method to get a list of all of this type (e.g. all LDAP systems)
- retrieveAllUsedBy() returns everything that uses this
- GrouperExternalSystemUsedBy
- name
- links to externalized text
- returns list of attributes
- GrouperExternalSystemAttribute
- type
- standard validations
- links to externalized text
- order
- required?
- get value
- configSuffix
- default value
Identify the external systems and properties
LDAP connections in grouper-loader.properties
ldap.<connectionId>.attributeName
e.g. ldap.personLdap.url
https://www.ldaptive.org/v1/docs/guide/connections/pooling.html
Attribute | Type | Default | Notes |
---|---|---|---|
url | String | | required. For provisioning, the URL should point to one node for consistency |
user | String | | optional |
pass | String | | encrypted if a password; save it the way the configuration editor saves passwords |
configFileFromClasspath | String | | |
isActiveDirectory | Boolean | | |
tls | Boolean | | |
saslAuthorizationId | String | | |
saslRealm | String | | |
batchSize | Integer | | |
countLimit | Integer | | |
timeLimit | Integer | | time limit for search operations in millis |
timeout | Integer | | timeout to get a connection in millis |
minPoolSize | Integer | 3 | |
maxPoolSize | Integer | 10 | |
validateOnCheckIn | Boolean | | |
validateOnCheckOut | Boolean | | defaults to true if all the other validate options are false |
validatePeriodically | Boolean | | |
validateTimerPeriod | String | PT30M | |
pruneTimerPeriod | String | | |
pagedResultsSize | Integer | | must be less than or equal to the server's max result size setting |
referral | String | | set to 'follow' only if using AD with pagedResultsSize and you need it for some reason (generally you should not) |
validator | String | | drop-down; currently supports CompareLdapValidator and SearchValidator. The validatorCompare* properties below apply to CompareLdapValidator |
validatorCompareDn | String | | required for CompareLdapValidator: the DN whose existence is checked when saving the connection, e.g. ou=people,dc=example,dc=com |
validatorCompareAttribute | String | | required for CompareLdapValidator: the attribute on that DN to compare, e.g. ou |
validatorCompareValue | String | | required for CompareLdapValidator: the expected value of that attribute, e.g. people |
searchResultHandlers | String | | comma-delimited list of classes to process LDAP search results. Useful if AD returns a ranged attribute for large groups (e.g. member;range=0-1499); include GrouperRangeEntryHandler to handle progressive fetching |
searchIgnoreResultCodes | String | | comma-delimited list of result codes (org.ldaptive.ResultCode) to ignore, e.g. TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS |
Database from grouper-loader.properties
db.<connectionId>.attributeName
e.g. db.warehouse.url
Attribute | Type | Default | Notes |
---|---|---|---|
url | String | | required, e.g. for MySQL: jdbc:mysql://localhost:3306/grouper?useSSL=false (useSSL=false is only appropriate for local testing) |
user | String | | |
pass | String | | save it the way the configuration editor saves passwords |
driver | String | | usually not needed; it is detected from the URL. Specify it here only if detection fails |
c3p0.max_size | Integer | | optional pooling params; these default to the grouper.hibernate(.base).properties pooling settings (the UI should read the defaults from that config) |
c3p0.min_size | Integer | | |
c3p0.timeout | Integer | | seconds |
c3p0.max_statements | Integer | | |
c3p0.idle_test_period | Integer | | |
c3p0.acquire_increment | Integer | | |
c3p0.validate | Boolean | | |
c3p0.debugUnreturnedConnectionStackTraces | Boolean | | if unreturnedConnectionTimeout is non-zero, a connection held too long is logged together with the stack trace of where it was checked out |
c3p0.unreturnedConnectionTimeout | Integer | | |
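As an added example (not Grouper code, and not part of this design page), the following Python lint models the GrouperExternalSystemAttribute metadata from the Technical details section and applies the LDAP and database tables above to a properties fragment: it lists the config ids per type (the listAllExternalSystemsOfThisType() idea), resolves a password scriptlet, type-checks Integer and Boolean values, enforces the validatorCompare* fields once CompareLdapValidator is selected, and flags suffixes that match nothing in the table, which is how a typo such as maxPoolsize otherwise gets silently ignored. Assumptions: properties are plain key = value lines, a scriptlet lives under <key>.elConfig in the form ${java.lang.System.getenv('NAME')} (a stand-in for Grouper's own expression evaluation, not a statement of its syntax), and the sample properties are constructed.

```python
# Added example, not Grouper code: lint ldap.<id>.* and db.<id>.* keys against the tables above.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Attribute:  # one GrouperExternalSystemAttribute from the design
    suffix: str
    kind: str  # String | Integer | Boolean
    required: bool = False
    password: bool = False

A = Attribute
LDAP_ATTRS = [
    A("url", "String", required=True), A("user", "String"), A("pass", "String", password=True),
    A("configFileFromClasspath", "String"), A("isActiveDirectory", "Boolean"), A("tls", "Boolean"),
    A("saslAuthorizationId", "String"), A("saslRealm", "String"), A("batchSize", "Integer"),
    A("countLimit", "Integer"), A("timeLimit", "Integer"), A("timeout", "Integer"),
    A("minPoolSize", "Integer"), A("maxPoolSize", "Integer"), A("validateOnCheckIn", "Boolean"),
    A("validateOnCheckOut", "Boolean"), A("validatePeriodically", "Boolean"),
    A("validateTimerPeriod", "String"), A("pruneTimerPeriod", "String"),
    A("pagedResultsSize", "Integer"), A("referral", "String"), A("validator", "String"),
    A("validatorCompareDn", "String"), A("validatorCompareAttribute", "String"),
    A("validatorCompareValue", "String"), A("searchResultHandlers", "String"), A("searchIgnoreResultCodes", "String"),
]
DB_ATTRS = [
    A("url", "String", required=True), A("user", "String"), A("pass", "String", password=True),
    A("driver", "String"), A("c3p0.max_size", "Integer"), A("c3p0.min_size", "Integer"),
    A("c3p0.timeout", "Integer"), A("c3p0.max_statements", "Integer"), A("c3p0.idle_test_period", "Integer"),
    A("c3p0.acquire_increment", "Integer"), A("c3p0.validate", "Boolean"),
    A("c3p0.debugUnreturnedConnectionStackTraces", "Boolean"), A("c3p0.unreturnedConnectionTimeout", "Integer"),
]
SCHEMAS = {"ldap": LDAP_ATTRS, "db": DB_ATTRS}
# Required once validator = CompareLdapValidator (per the LDAP table).
COMPARE_VALIDATOR_REQUIRES = ("validatorCompareDn", "validatorCompareAttribute", "validatorCompareValue")
# Assumed scriptlet form under <key>.elConfig; a stand-in for Grouper's own EL evaluation, not its syntax.
ENV_SCRIPTLET = re.compile(r"^\$\{java\.lang\.System\.getenv\('([A-Za-z0-9_]+)'\)\}$")

# Constructed sample, not a real deployment. It contains deliberate mistakes for the lint to find.
SAMPLE_PROPERTIES = """
ldap.personLdap.url = ldap://ldap.example.edu:389
ldap.personLdap.pass.elConfig = ${java.lang.System.getenv('PERSON_LDAP_PASS')}
ldap.personLdap.minPoolSize = three
ldap.personLdap.maxPoolsize = 20
ldap.personLdap.validator = CompareLdapValidator
ldap.personLdap.validatorCompareDn = ou=people,dc=example,dc=edu
db.warehouse.url = jdbc:mysql://warehouse.example.edu:3306/grouper
db.warehouse.pass = hunter2
db.warehouse.c3p0.max_size = 20
"""

def parse_properties(text: str) -> dict:
    """Minimal key = value parser; blank lines and #/! comments are skipped."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.partition("=") for l in lines if l and not l.startswith(("#", "!")))
    return {k.strip(): v.strip() for k, _, v in pairs}

def list_external_systems(props: dict, system_type: str) -> list:
    """Like listAllExternalSystemsOfThisType(): the config ids under ldap. or db."""
    return sorted({k.split(".")[1] for k in props if k.startswith(system_type + ".") and k.count(".") >= 2})

def resolve_value(props: dict, key: str, env: dict) -> Optional[str]:
    """Literal value, or the scriptlet under key.elConfig evaluated against env (pass os.environ in practice)."""
    scriptlet = props.get(key + ".elConfig")
    if scriptlet is None:
        return props.get(key)
    match = ENV_SCRIPTLET.match(scriptlet)
    if not match:
        raise ValueError(f"{key}.elConfig: unsupported scriptlet {scriptlet!r}")
    return env.get(match.group(1))

def validate_system(props: dict, system_type: str, config_id: str, env: dict) -> list:
    """Problems for one external system, in table order; an empty list means it passes."""
    prefix, problems = f"{system_type}.{config_id}.", []
    for attr in SCHEMAS[system_type]:
        key = prefix + attr.suffix
        value = resolve_value(props, key, env)
        if key + ".elConfig" in props and value is None:
            problems.append(f"{key}: scriptlet references an unset environment variable")
        elif not value:
            if attr.required:
                problems.append(f"{key}: required")
        elif attr.kind == "Integer" and not re.fullmatch(r"-?\d+", value):
            problems.append(f"{key}: expected Integer, got {value!r}")
        elif attr.kind == "Boolean" and value.lower() not in ("true", "false"):
            problems.append(f"{key}: expected Boolean, got {value!r}")
        if attr.password and key in props:  # conservative lint: the design expects encrypted values or scriptlets
            problems.append(f"{key}: literal password in properties; store it encrypted or pull it via scriptlet")
    if system_type == "ldap" and resolve_value(props, prefix + "validator", env) == "CompareLdapValidator":
        for suffix in COMPARE_VALIDATOR_REQUIRES:
            if not resolve_value(props, prefix + suffix, env):
                problems.append(f"{prefix}{suffix}: required when validator is CompareLdapValidator")
    known = {a.suffix for a in SCHEMAS[system_type]}
    for key in sorted(k for k in props if k.startswith(prefix)):
        suffix = re.sub(r"\.elConfig$", "", key[len(prefix):])
        if suffix not in known:  # silently ignored typos are the classic failure mode
            problems.append(f"{key}: unknown attribute for {system_type}")
    return problems
```

Running validate_system over the sample reports the non-numeric minPoolSize, the two missing validatorCompare* fields, the misspelled maxPoolsize, and the literal database password; with an empty environment it also reports that the LDAP password scriptlet resolves to nothing, which is the failure you want to see at save time rather than in a loader job at 3 a.m.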
Mail SMTP in grouper.properties
There is only one SMTP server in Grouper
mail.smtp.attributeName
Attribute | Type | Default | Notes |
---|---|---|---|
server | String | | required |
user | String | | |
pass | String | | save it the way the configuration editor saves passwords |
from.address | String | | required. The default address that mail from Grouper comes from, e.g. noreply@school.edu |
ssl | Boolean | | |
starttls.enable | Boolean | | |
ssl.trust | String | | if using SSL/TLS, put the SMTP server hostname here so it is trusted. Note that Java Mail then trusts that host regardless of the certificate it presents, so prefer adding the server's CA to the truststore where you can |
port | Integer | 25 (465 for SSL) | |
transport.protocol | String | smtp | |
use.protocol.in.property.names | Boolean | | whether the protocol name ("smtp" or whatever is configured) should appear in the Java Mail property names |
smtp.ssl.protocols | String | | if you have trouble connecting with SSL/TLS, try a different protocol version, e.g. TLSv1.2 |
smtp.socketFactory.class | String | | generally setting ssl to true is enough; you might need to set a class, but generally leave this blank |
smtp.socketFactory.fallback | Boolean | | generally leave this blank unless doing something advanced |
subject.prefix | String | | prefix for all email subjects, e.g. TEST: |
test.address | String | | the address used when running junit tests |
debug | Boolean | | whether Java Mail debug output should be printed |
SFTP server in grouper.properties
grouperSftp.site.<configId>.attributeName
e.g. grouperSftp.site.depot.host
Attribute | Type | Default | Notes |
---|---|---|---|
host | String | | required |
user | String | | |
password | String | | password, if not using a private key |
secret.privateKey | String (textarea) | | the private key used to connect, optionally encrypted. It is stored in secret.privateKey_0, secret.privateKey_1, etc.: if the (encrypted) key is longer than 4k, split it into chunks named _0, _1, _2, ... and they will be concatenated in order. Replace newlines with $newline$ so it fits in a text field |
secret.privateKeyPassphrase | String | | passphrase for the private key, if it has one |
knownHostsEntry | String | | connect to the host and copy its known_hosts entry, e.g. host.whatever ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA3B00cx5W9KPSjzik3E. Verify the host key fingerprint out of band before pasting it; this entry is what protects the transfer from a man-in-the-middle host |
deleteTempFilesAfterSession | Boolean | true | whether temporary files (e.g. private key and known hosts) should be deleted after the session |
timeoutMillis | Integer | 10000 | timeout in millis |
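Added example, not Grouper's code: the chunked private key layout above (secret.privateKey_0, _1, ... with $newline$ in place of line breaks) is easy to get subtly wrong, so this Python round-trips a constructed dummy key through it, rejects gaps in the numbering (which would otherwise truncate the key silently), and shows the temp-file handling that deleteTempFilesAfterSession implies: the key is written to a mode 0600 file for the session and removed afterwards. The 4000-character chunk size, the temp file naming and the dummy key are assumptions; the page only says "4k".

```python
# Added example, not Grouper code: round-trip a private key through the
# secret.privateKey_N chunk layout and hold it in a 0600 temp file per session.
import os
import stat
import tempfile
from contextlib import contextmanager

NEWLINE_TOKEN = "$newline$"
CHUNK_SIZE = 4000  # assumed: the design only says "4k"

# Constructed dummy PEM (filler, not a real key), long enough to need two chunks.
DUMMY_PEM = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
             + "\n".join("X" * 70 for _ in range(60)) + "\n"
             + "-----END OPENSSH PRIVATE KEY-----\n")

def encode_private_key(pem: str, config_id: str, chunk_size: int = CHUNK_SIZE) -> dict:
    """Flatten newlines to $newline$ and split into numbered grouperSftp.site.<id>.secret.privateKey_N keys."""
    flat = pem.replace("\r\n", "\n").replace("\n", NEWLINE_TOKEN)
    chunks = [flat[i:i + chunk_size] for i in range(0, len(flat), chunk_size)]
    return {f"grouperSftp.site.{config_id}.secret.privateKey_{n}": c for n, c in enumerate(chunks)}

def decode_private_key(props: dict, config_id: str) -> str:
    """Concatenate _0, _1, ... in order, then restore newlines.

    The token is restored only after concatenation, so a $newline$ split across
    a chunk boundary survives the round trip.
    """
    prefix = f"grouperSftp.site.{config_id}.secret.privateKey_"
    present = {k for k in props if k.startswith(prefix)}
    parts = []
    while prefix + str(len(parts)) in props:
        parts.append(props[prefix + str(len(parts))])
    if not parts:
        raise KeyError(f"no {prefix}0 entry for site {config_id}")
    if len(parts) != len(present):  # a gap in numbering would silently truncate the key
        raise ValueError(f"non-contiguous chunk numbering for site {config_id}: {sorted(present)}")
    return "".join(parts).replace(NEWLINE_TOKEN, "\n")

@contextmanager
def temp_key_file(pem: str, delete_after_session: bool = True):
    """Write the key to a temp file created 0600 by mkstemp; remove it when the session ends."""
    fd, path = tempfile.mkstemp(prefix="grouper-sftp-", suffix=".key")  # assumed naming
    try:
        with os.fdopen(fd, "w", newline="") as fh:
            fh.write(pem)
        yield path
    finally:
        if delete_after_session and os.path.exists(path):
            os.unlink(path)

def session_roundtrip(pem: str) -> tuple:
    """One session: (mode bits of the temp file, whether its content matched, whether it still exists afterwards)."""
    with temp_key_file(pem) as path:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, newline="") as fh:
            matched = fh.read() == pem
    return mode, matched, os.path.exists(path)
```

The contiguity check matters because a config editor that lets you add _0 and _2 but forget _1 would otherwise hand the SFTP client two-thirds of a key and a confusing authentication failure; failing at decode time points at the real cause.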
Azure endpoint in grouper.properties
grouper.azureConnector.<configId>.attributeName
e.g. grouper.azureConnector.myAzure.loginEndpoint
Attribute | Type | Default | Notes |
---|---|---|---|
loginEndpoint | String | | login endpoint used to get a token, e.g. https://login.microsoftonline.com |
DirectoryID | String | | Azure directory (tenant) id, e.g. 6c4dxxx0d |
client_id | String | | Azure client id, e.g. fd805xxxxdfb |
client_secret | String (password) | | |
resource | String | | resource; generally the same as the graph endpoint, e.g. https://graph.microsoft.com |
graphEndpoint | String | | e.g. https://graph.microsoft.com |
graphVersion | String | | e.g. v1.0 |
groupLookupAttribute | String | | e.g. displayName |
groupLookupValueFormat | String | | e.g. ${group.getName()} |
requireSubjectAttribute | String | | e.g. netId |
subjectIdValueFormat | String | | e.g. ${subject.getAttributeValue("netId")}@school.edu |
Googleapps endpoint in grouper.properties
This is not externalized yet and is configured with the change log consumer, so this will need to be adjusted in the Google provisioner code
grouper.googleConnector.<configId>.attributeName
e.g. grouper.googleConnector.myGoogle.domain
Attribute | Type | Default | Notes |
---|---|---|---|
domain | String | | the Google managed domain name, e.g. example.org |
serviceAccountEmail | String | | the service account email address created by Google |
serviceAccountPKCS12FilePath | String | | the path of the PKCS12 file created and downloaded from Google. The OS account running Grouper needs read permission on this file; access to it should be limited |
serviceAccountPKCS12Pass | String | | if not reading from a file, this is the secret that is in the file |
serviceImpersonationUser | String | | the account that all actions are made by. It needs to exist and will be the creator and modifier account associated with the Google audit logs |
O365 endpoint in grouper.properties
See documentation at http://graph.microsoft.io/en-us/docs
grouper.o365Connector.<configId>.attributeName
e.g. grouper.o365Connector.myO365.tenantId
Attribute | Type | Default | Notes |
---|---|---|---|
tenantId | String | | |
clientId | String | | |
clientSecret | String (password) | | |
idAttribute | String | | |
groupJexl | String | | |