If two grouper management systems need to share a group, Grouper should have a way to do this. There should be push, pull, and incremental. In the future we can add permissions. This is a design document for a potential enhancement to Grouper.
We would like this provisioning to occur over SPML, similar to ldappcng, and to speak the common (upcoming) Groups API. Anything that speaks the standard API could therefore be an endpoint. Perhaps the web services and XMPP design below could use SPML as the data format.
A config might look like this in the grouper-loader.properties to define the connection to the school (similar to how we define various DB connections for the loader):
grouperWs.anotherSchool.user = someLogin/someServer.school.edu
#note the password can be stored encrypted in an external file
grouperWs.anotherSchool.pass = secret
#note: not sure if this is a WS call or something else with SPML
grouperWs.anotherSchool.url = https://www.anotherSchool.edu/grouperWs
Then a config either in the grouper-loader or in some ldappc or other config file that has this spirit:
syncExternal.chemWorldGroup.syncType = pull
syncExternal.chemWorldGroup.grouperWsName = anotherSchool
syncExternal.chemWorldGroup.remoteGroup = a:b:c:d
syncExternal.chemWorldGroup.localGroup = e:f:g:h
syncExternal.chemWorldGroup.quartzCron = 0 8 * * * ?
#in this respect, you are only syncing people with this source, so if there is a group in there, ignore it
syncExternal.chemWorldGroup.sources = schoolPeople
#maybe you only want people with shibIds to be sent
syncExternal.chemWorldGroup.requireSubjectAttributes = shibId
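To make the pull semantics above concrete, here is an added example (not Grouper code) that parses a syncExternal config in this properties style and plans a pull: members from sources not listed in "sources" (for example nested groups) are ignored, subjects missing a required attribute such as shibId are not sent, and a hypothetical translate_id hook stands in for the subjectId/sourceId translation the design asks for. The config text and member records are constructed sample data.

```python
# Added example, not Grouper's own code: plan a pull sync from the
# syncExternal.* settings. Config and member data are constructed samples.
CONFIG = """
syncExternal.chemWorldGroup.syncType = pull
syncExternal.chemWorldGroup.grouperWsName = anotherSchool
syncExternal.chemWorldGroup.remoteGroup = a:b:c:d
syncExternal.chemWorldGroup.localGroup = e:f:g:h
syncExternal.chemWorldGroup.sources = schoolPeople
syncExternal.chemWorldGroup.requireSubjectAttributes = shibId
"""

def parse_properties(text):
    """Parse 'key = value' lines; '#' starts a comment, as in grouper-loader.properties."""
    props = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def _csv_set(value):
    return {item.strip() for item in value.split(",") if item.strip()}

def sync_settings(props, name):
    """Collect the syncExternal.<name>.* keys; list-valued keys become sets."""
    prefix = "syncExternal." + name + "."
    cfg = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    cfg["sources"] = _csv_set(cfg.get("sources", ""))
    cfg["requireSubjectAttributes"] = _csv_set(cfg.get("requireSubjectAttributes", ""))
    return cfg

def plan_pull(cfg, remote_members, local_member_ids, translate_id=lambda sid: sid):
    """Return (adds, removes) needed to make the local group match the remote one.
    remote_members: dicts with sourceId, subjectId and an attributes dict.
    translate_id is a hypothetical hook mapping remote subjectIds to local ones."""
    wanted = set()
    for member in remote_members:
        if member["sourceId"] not in cfg["sources"]:
            continue  # only the configured subject sources; groups are ignored
        present = {k for k, v in member.get("attributes", {}).items() if v}
        if not cfg["requireSubjectAttributes"] <= present:
            continue  # e.g. no shibId, so do not send this person
        wanted.add(translate_id(member["subjectId"]))
    local = set(local_member_ids)
    return sorted(wanted - local), sorted(local - wanted)
```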
I doubt we will need this since we have SPML, but if so, we could easily go XMPP since Grouper can currently send and receive XMPP. Note that this config could be on both the sender and the receiver: the grouper-loader on the sender would send notifications to that address, and on the receiver it would listen on its own address for messages from the external address... maybe the cryptography could be pluggable.
syncExternal.chemWorldGroup.externalJabberId = someServer@someSchool.edu/grouperServer
#inter-institution jabber is not trusted, so sign the message and decode with public key encryption
syncExternal.chemWorldGroup.externalPublicKeyFile = /opt/keys/someSchool.pub
#this institution's key
grouper.privateKeyFile = /opt/keys/my.key
There should be a way to translate subjectIds/sourceIds between groupers as well.
External subjects and their attributes might also need to be synced or transferred between Groupers.
We should look at real time proxying of the getMembers() call to the remote site.