This page documents using the Grouper Loader to load a group from LDAP. This is available in Grouper v2.1 and later.
Grouper loader LDAP configuration
The Grouper loader LDAP configuration is done through the "new attribute framework". You assign the grouperLoaderLdap marker attribute on a group, and the configuration attributes are set as values on that assignment. Note that these attributes live in the attribute root stem (default "etc:attribute"), in a subfolder named "loaderLdap". By default only Grouper admins can assign or edit these attributes, though an admin could delegate that permission to someone else. Be very careful of the security implications: anyone who can edit these attributes can run any LDAP filter to load their group, and the results could be sensitive data. Note that all LDAP jobs are scheduled as crons. These attributes are created automatically on Grouper startup if they don't exist, provided the grouper.properties setting grouper.attribute.loader.autoconfigure is set to true.
Attribute system name | Attribute display name | Required? | Description | Assignable to | Value type | Example value
---|---|---|---|---|---|---
grouperLoaderLdap | Grouper loader LDAP | required | This is the marker attribute that you assign to a group to mark it as a grouper loader LDAP group | Groups | None | 
grouperLoaderLdapType | Grouper loader LDAP type | required | Like the SQL loader, this holds the type of job from the GrouperLoaderType enum; currently the only valid values are LDAP_SIMPLE and LDAP_GROUP_LIST | grouperLoaderLdap | String | LDAP_SIMPLE
grouperLoaderLdapServerId | Grouper loader LDAP server ID | required | Server ID that is configured in grouper-loader.properties and identifies the connection information for the LDAP server | grouperLoaderLdap | String | personLdap (note: depends on your configuration)
grouperLoaderLdapFilter | Grouper loader LDAP filter | required | LDAP filter that returns objects which have subjectIds or subjectIdentifiers, and a group name (if LDAP_GROUP_LIST) | grouperLoaderLdap | String | (affiliation=student)
grouperLoaderLdapSubjectAttribute | Grouper loader LDAP subject attribute name | required | Attribute name of the filter result object that holds the subject id | grouperLoaderLdap | String | hasMember, or personId
grouperLoaderSearchDn | Grouper loader LDAP search base DN | optional | Location that constrains the subtree where the filter is applied. Note that this is relative to the base DN in the LDAP server config in grouper-loader.properties for this server. This makes the query more efficient | grouperLoaderLdap | String | ou=people
grouperLoaderLdapSourceId | Grouper loader LDAP source ID | optional | Source ID from sources.xml that narrows the search for subjects. This is optional, though it makes the loader job more efficient | grouperLoaderLdap | String | schoolPeople
grouperLoaderLdapSubjectIdType | Grouper loader LDAP subject ID type | optional | The type of subject ID. This can be subjectId (most efficient, default), subjectIdentifier (2nd most efficient), or subjectIdOrIdentifier | grouperLoaderLdap | String | subjectId, subjectIdentifier, subjectIdOrIdentifier
grouperLoaderLdapSearchScope | Grouper loader LDAP search scope | optional | How deep in the subtree the search will take place. Can be OBJECT_SCOPE, ONELEVEL_SCOPE, or SUBTREE_SCOPE (default) | grouperLoaderLdap | String | OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
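The following GSH script is an added example, not code from the Grouper project or this page, showing how the marker attribute and its configuration values from the table above fit together on one group. The group name school:loader:students, the server ID personLdap (which is assumed to match an ldap.personLdap.* block in grouper-loader.properties), and the attribute values are assumed sample values; the attribute paths assume the default attribute root stem etc:attribute. The grouperLoaderLdapQuartzCron attribute is not listed in the table above and is included on the assumption that it is the cron schedule attribute the page refers to.

```groovy
// Added example (not part of the page): assign the LDAP loader attributes to a group via GSH.
// Group name, server ID and filter are assumed sample values.
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.attr.finder.AttributeDefNameFinder;

// Editing these attributes requires admin rights by default; the filter below
// runs with the loader's LDAP credentials, so keep that delegation narrow.
grouperSession = GrouperSession.startRootSession();
group = GroupFinder.findByName(grouperSession, "school:loader:students", true);

// 1. Assign the marker attribute (lives in <attribute root stem>:loaderLdap).
String stem = "etc:attribute:loaderLdap:";
markerDefName = AttributeDefNameFinder.findByName(stem + "grouperLoaderLdap", true);
attributeAssign = group.getAttributeDelegate().assignAttribute(markerDefName).getAttributeAssign();

// 2. The configuration attributes are values on that assignment, not on the group.
values = attributeAssign.getAttributeValueDelegate();
values.assignValue(stem + "grouperLoaderLdapType", "LDAP_SIMPLE");          // one group from one filter
values.assignValue(stem + "grouperLoaderLdapServerId", "personLdap");       // ldap.personLdap.* in grouper-loader.properties
values.assignValue(stem + "grouperLoaderLdapFilter", "(affiliation=student)");
values.assignValue(stem + "grouperLoaderLdapSubjectAttribute", "personId"); // attribute holding the subject id
values.assignValue(stem + "grouperLoaderSearchDn", "ou=people");            // relative to the server's base DN
values.assignValue(stem + "grouperLoaderLdapSourceId", "schoolPeople");     // narrows subject resolution
values.assignValue(stem + "grouperLoaderLdapSubjectIdType", "subjectId");   // most efficient resolution
values.assignValue(stem + "grouperLoaderLdapSearchScope", "ONELEVEL_SCOPE");
// Assumed cron attribute (not in the table above): run daily at 03:00.
values.assignValue(stem + "grouperLoaderLdapQuartzCron", "0 0 3 * * ?");
```

Restricting the search with grouperLoaderSearchDn and ONELEVEL_SCOPE does double duty: it keeps the query efficient, as the table notes, and it bounds what a mistaken or overly broad filter can pull out of the directory into a Grouper group.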