This page documents using the Grouper Loader to load a group from LDAP. This is available in Grouper v2.1 and later
Grouper loader LDAP configuration
The Grouper loader LDAP configuration is done through the "new attribute framework". You can assign the grouperLoaderLdap attribute on a group, and the configuration attributes on that assignment. Note, these attributes are in the attribute root stem name (default "etc:attribute"), in a subfolder named "loaderLdap"). By default only Grouper admins can assign or edit these attributes, though an admin could delegate that permission to someone else. Be very careful of the security implications (they could run any ldap filter to load their group, which could be sensitive data). Note, all LDAP jobs are scheduled as crons. These attributes are automatically created on Grouper started if they don't exist if the grouper.properties setting: grouper.attribute.loader.autoconfigure is set to true.
Attribute system name |
Attribute display name |
Required? |
Description |
Assignable to |
Value type |
Example value |
---|---|---|---|---|---|---|
grouperLoaderLdap |
Grouper loader LDAP |
required |
This is the marker attribute that you assign to a group to mark is as a grouper loader ldap group |
Groups |
None |
|
grouperLoaderLdapType |
Grouper loader LDAP type |
required |
Like the SQL loader, this holds the type of job from the GrouperLoaderType enum, currently the only valid values are LDAP_SIMPLE, LDAP_GROUP_LIST |
grouperLoaderLdap |
Enum |
LDAP_SIMPLE |
grouperLoaderLdapServerId |
Grouper loader LDAP server ID |
required |
Server ID that is configured in the grouper-loader.properties that identifies the connection information to the LDAP serve. Note, if you use "dn", and dn is not an attribute of the object, then the fully qualified object name will be used |
grouperLoaderLdap |
String |
personLdap (note: depends on your configuration) |
grouperLoaderLdapFilter |
Grouper loader LDAP filter |
required |
LDAP filter returns objects that have subjectIds or subjectIdentifiers and group name (if LDAP_GROUP_LIST) |
grouperLoaderLdap |
String |
(affiliation=student) |
grouperLoaderLdapSubjectAttribute |
Grouper loader LDAP subject attribute name |
required |
Attribute name of the filter object result that holds the subject id. |
grouperLoaderLdap |
String |
hasMember, or personId |
grouperLoaderLdapSearchDn |
Grouper loader LDAP search base DN |
optional |
Location that constrains the subtree where the filter is applicable. Note, this is relative to the base DN in the ldap server config in the grouper-loader.properties for this server. This makes the query more efficient |
grouperLoaderLdap |
String |
ou=people |
grouperLoaderLdapQuartzCron |
Grouper loader LDAP quartz cron |
required |
Quartz cron config string, e.g. every day at 8am is: 0 0 8 * * ? |
grouperLoaderLdap |
String |
0 0 8 * * ? |
grouperLoaderLdapSourceId |
Grouper loader LDAP source ID |
optional |
Source ID from the sources.xml that narrows the search for subjects. This is optional though makes the loader job more efficient |
grouperLoaderLdap |
String |
schoolPeople |
grouperLoaderLdapSubjectIdType |
Grouper loader LDAP subject ID type |
optional |
The type of subject ID. This can be either: subjectId (most efficient, default), subjectIdentifier (2nd most efficient), or subjectIdOrIdentifier |
grouperLoaderLdap |
Enum |
subjectId, subjectIdentifier, subjectIdOrIdentifier |
grouperLoaderLdapSearchScope |
Grouper loader LDAP search scope |
optional |
How the deep in the subtree the search will take place. Can be OBJECT_SCOPE, ONELEVEL_SCOPE, or SUBTREE_SCOPE (default) |
grouperLoaderLdap |
Enum |
OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE |
grouperLoaderLdapAndGroups |
Grouper loader LDAP require in groups |
optional |
If you want to restrict membership in the dynamic group based on other group(s), put the list of group names here comma-separated. The require groups means if you put a group names in there (e.g. school:community:employee) then it will 'and' that group with the member list from the loader. So only members of the group from the loader query who are also employees will be in the resulting group |
grouperLoaderLdap |
String |
school:community:employee |
grouperLoaderLdapPriority |
Grouper loader LDAP scheduling priority |
optional |
Quartz has a fixed threadpool (max configured in the grouper-loader.properties), and when the max is reached, then jobs are prioritized by this integer. The higher the better, and the default if not set is 5. |
grouperLoaderLdap |
Integer |
5 |
sdf