
This page documents using the Grouper Loader to load a group from LDAP. This is available in Grouper v2.1 and later.

Grouper loader LDAP configuration

The Grouper loader LDAP configuration is done through the "new attribute framework". You assign the grouperLoaderLdap attribute on a group, and the configuration attributes on that assignment. Note that these attributes live in the attribute root stem (default "etc:attribute"), in a subfolder named "loaderLdap". By default only Grouper admins can assign or edit these attributes, though an admin could delegate that permission to someone else. Be very careful of the security implications: whoever can edit these attributes can run any LDAP filter to load their group, which could expose sensitive data. Note that all LDAP jobs are scheduled as crons. These attributes are created automatically at Grouper startup if they don't already exist, provided the grouper.properties setting grouper.attribute.loader.autoconfigure is set to true.

| Attribute system name | Attribute display name | Required? | Description | Assignable to | Value type | Example value |
|---|---|---|---|---|---|---|
| grouperLoaderLdap | Grouper loader LDAP | required | This is the marker attribute that you assign to a group to mark it as a Grouper loader LDAP group | Groups | None | |
| grouperLoaderLdapType | Grouper loader LDAP type | required | Like the SQL loader, this holds the type of job from the GrouperLoaderType enum; currently the only valid values are LDAP_SIMPLE and LDAP_GROUP_LIST | grouperLoaderLdap attribute assignment | Enum | LDAP_SIMPLE |
| grouperLoaderLdapServerId | Grouper loader LDAP server ID | required | Server ID configured in grouper-loader.properties that identifies the connection information for the LDAP server. Note: if you use "dn", and dn is not an attribute of the object, then the fully qualified object name will be used | grouperLoaderLdap attribute assignment | String | personLdap (note: depends on your configuration) |
| grouperLoaderLdapFilter | Grouper loader LDAP filter | required | LDAP filter that returns objects that have subjectIds or subjectIdentifiers, and the group name (if LDAP_GROUP_LIST) | grouperLoaderLdap attribute assignment | String | (affiliation=student) |
| grouperLoaderLdapSubjectAttribute | Grouper loader LDAP subject attribute name | required | Attribute name of the filter object result that holds the subject id | grouperLoaderLdap attribute assignment | String | hasMember, or personId |
| grouperLoaderLdapSearchDn | Grouper loader LDAP search base DN | optional | Location that constrains the subtree where the filter is applied. Note: this is relative to the base DN in the LDAP server config in grouper-loader.properties for this server. This makes the query more efficient | grouperLoaderLdap attribute assignment | String | ou=people |
| grouperLoaderLdapQuartzCron | Grouper loader LDAP quartz cron | required | Quartz cron config string, e.g. every day at 8am is: 0 0 8 * * ? (see the Quartz cron documentation for more examples) | grouperLoaderLdap attribute assignment | String | 0 0 8 * * ? |
| grouperLoaderLdapSourceId | Grouper loader LDAP source ID | optional | Source ID from sources.xml that narrows the search for subjects. This is optional, though it makes the loader job more efficient | grouperLoaderLdap attribute assignment | String | schoolPeople |
| grouperLoaderLdapSubjectIdType | Grouper loader LDAP subject ID type | optional | The type of subject ID. This can be either subjectId (most efficient, default), subjectIdentifier (second most efficient), or subjectIdOrIdentifier | grouperLoaderLdap attribute assignment | Enum | subjectId, subjectIdentifier, subjectIdOrIdentifier |
| grouperLoaderLdapSearchScope | Grouper loader LDAP search scope | optional | How deep in the subtree the search will take place. Can be OBJECT_SCOPE, ONELEVEL_SCOPE, or SUBTREE_SCOPE (default) | grouperLoaderLdap attribute assignment | Enum | OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE |
| grouperLoaderLdapAndGroups | Grouper loader LDAP require in groups | optional | If you want to restrict membership in the dynamic group based on other group(s), put the comma-separated list of group names here. If you put a group name there (e.g. school:community:employee), the loader will 'and' that group with the member list from the loader query, so only members returned by the loader query who are also employees will be in the resulting group | grouperLoaderLdap attribute assignment | String | school:community:employee |
| grouperLoaderLdapPriority | Grouper loader LDAP scheduling priority | optional | Quartz has a fixed thread pool (max configured in grouper-loader.properties); when the max is reached, jobs are prioritized by this integer. Higher is better, and the default if not set is 5 | grouperLoaderLdap attribute assignment | Integer | 5 |
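The rules in the table above (which attributes are required, the allowed enum values, the Quartz cron format, the comma-separated require-in-groups list, the integer priority and the defaults for the optional attributes) can be checked before an assignment is saved, which is a useful review step given that anyone allowed to edit these attributes can run any LDAP filter. The following Python is an added example, not code from this page or from Grouper: the dict layout, the function names and the SAMPLE assignment are this example's own constructions, while the attribute system names and values come from the table.

```python
"""Validate a grouperLoaderLdap attribute assignment against the rules in
the configuration table (added example; names below are this example's own)."""

# Attributes the table marks as required on the grouperLoaderLdap assignment.
REQUIRED = (
    "grouperLoaderLdapType",
    "grouperLoaderLdapServerId",
    "grouperLoaderLdapFilter",
    "grouperLoaderLdapSubjectAttribute",
    "grouperLoaderLdapQuartzCron",
)

# Defaults the table states for optional attributes when they are not set.
OPTIONAL_DEFAULTS = {
    "grouperLoaderLdapSubjectIdType": "subjectId",
    "grouperLoaderLdapSearchScope": "SUBTREE_SCOPE",
    "grouperLoaderLdapPriority": "5",
}

# Enum-typed attributes and the only values the table allows for them.
ENUMS = {
    "grouperLoaderLdapType": {"LDAP_SIMPLE", "LDAP_GROUP_LIST"},
    "grouperLoaderLdapSubjectIdType": {"subjectId", "subjectIdentifier", "subjectIdOrIdentifier"},
    "grouperLoaderLdapSearchScope": {"OBJECT_SCOPE", "ONELEVEL_SCOPE", "SUBTREE_SCOPE"},
}


def cron_problems(expr):
    """Quartz cron: 6 or 7 fields (sec min hour dom month dow [year]), and
    Quartz requires '?' in day-of-month or day-of-week."""
    fields = expr.split()
    if len(fields) not in (6, 7):
        return ["quartz cron must have 6 or 7 fields (sec min hour dom month dow [year])"]
    if "?" not in (fields[3], fields[5]):
        return ["quartz cron needs '?' in day-of-month or day-of-week"]
    return []


def filter_problems(ldap_filter):
    """Minimal syntax check: the filter is one parenthesised expression with
    balanced parentheses. It does not validate attribute names or operators."""
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        return ["filter must be a parenthesised LDAP filter"]
    depth = 0
    for ch in ldap_filter:
        depth += ch == "("
        depth -= ch == ")"
        if depth < 0:
            return ["filter has unbalanced parentheses"]
    return [] if depth == 0 else ["filter has unbalanced parentheses"]


def validate(values):
    """values maps attribute system name -> string value as assigned on the
    grouperLoaderLdap attribute assignment. Returns (problems, effective),
    where effective is the configuration with defaults applied and the
    priority and and-groups list converted to usable Python values."""
    problems = []
    for name in REQUIRED:
        if not values.get(name, "").strip():
            problems.append(f"missing required attribute {name}")

    effective = {**OPTIONAL_DEFAULTS, **{k: v.strip() for k, v in values.items()}}

    for name, allowed in ENUMS.items():
        if name in effective and effective[name] not in allowed:
            problems.append(f"{name}={effective[name]!r} not in {sorted(allowed)}")

    if "grouperLoaderLdapQuartzCron" in values:
        problems += cron_problems(values["grouperLoaderLdapQuartzCron"])
    if "grouperLoaderLdapFilter" in values:
        problems += filter_problems(values["grouperLoaderLdapFilter"])

    try:
        effective["grouperLoaderLdapPriority"] = int(effective["grouperLoaderLdapPriority"])
    except ValueError:
        problems.append("grouperLoaderLdapPriority must be an integer")

    # The require-in-groups attribute is a comma-separated list of stem-qualified group names.
    and_groups = [g.strip() for g in effective.get("grouperLoaderLdapAndGroups", "").split(",") if g.strip()]
    for group in and_groups:
        if ":" not in group:
            problems.append(f"and-group {group!r} is not a stem-qualified group name")
    effective["grouperLoaderLdapAndGroups"] = and_groups
    return problems, effective


# Constructed sample assignment built from the table's example values; not a real deployment.
SAMPLE = {
    "grouperLoaderLdapType": "LDAP_SIMPLE",
    "grouperLoaderLdapServerId": "personLdap",
    "grouperLoaderLdapFilter": "(affiliation=student)",
    "grouperLoaderLdapSubjectAttribute": "personId",
    "grouperLoaderLdapSearchDn": "ou=people",
    "grouperLoaderLdapQuartzCron": "0 0 8 * * ?",
    "grouperLoaderLdapAndGroups": "school:community:employee",
}

if __name__ == "__main__":
    problems, effective = validate(SAMPLE)
    print("problems:", problems or "none")
    for key, value in sorted(effective.items()):
        print(f"  {key} = {value!r}")
```

Running the block on SAMPLE reports no problems and shows the defaults the table promises (SUBTREE_SCOPE, subjectId, priority 5) filled in; feeding it a five-field crontab-style expression or a type such as SQL_SIMPLE produces one problem per violation, which is the kind of output worth attaching to a review of who has assigned these attributes.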
