Technical FAQ about Grouper

    Grouper is Licensed under the Apache 2.0 license.

1. How do I get group information out of Grouper and into my operational systems?
2. "ant schemaexport" creates 14 tables, 2 of which are "subject" and "subjectattribute". Do I need these?
3. How do I bootstrap membership in the wheel group?.
4. Can I add custom attributes to Grouper groups for my custom purposes?
5. How do I shibbolize Grouper?
6. I am using Oracle for my Grouper database, and when I try to add more groups or members, I am getting this error: "hibernate commit error: Could not execute JDBC batch update." What causes that?
7. Grouper is failing to query my LDAP server over a SSL connection because it cannot find the certificate for the CA that signed the cert the LDAP server presents. How can I help Grouper find the CA cert?
8. Are there examples for how to create a Grouper WS client using PHP?
    

1. How do I get group information out of Grouper and into my operational systems?

With the 1.0 release, Grouper includes an XML import and export tool that can be used for episodic or periodic provisioning of group info to other contexts. The GrouperShell can likewise be used to load and retrieve group information.

With the release of Ldappc 1.0 (the LDAP Provisioning Connector) we now have a near-real-time "provisioning connector" that can update LDAP directories or other run-time security infrastructure services. See LDAP Provisioning Connector for more information.

With the release of Grouper 1.2.0 there is also a Web Services interface to Grouper. See https://wiki.internet2.edu/confluence/display/GrouperWG/Grouper+Product for more information.

2. "ant schemaexport" creates 14 tables, 2 of which are "subject" and "subjectattribute". Do I need these?

No. They are there only to support the quickstart demo and testing the API. They can safely be removed or ignored if you are using an outside subject source such as an LDAP directory.

3. How do I bootstrap membership in the wheel group?

The GrouperShell can be used for this purpose. See Initializing Administration of Privileges for the details.

4. Can I add custom attributes to Grouper groups for my custom purposes?

Yes. Custom single-valued string attributes and lists of subjects can be added to Grouper groups and subsequently managed by the API and the UI. See Custom Group Types for all of the details.

5. How do I shibbolize Grouper?

By default, Grouper relies on an external authentication service to identify authenticated principals to it through the servlet container's REMOTE_USER, so configure your shibboleth AAP to provide a suitable identifier to Grouper as REMOTE_USER. In addition, you'll need to arrange that the same identifiers are provided to Grouper through a source adapter so that shibboleth-authenticated principals can have a security context created for them.  Note, if you want grouper to use REMOTE_USER or something other than tomcat authentication then you need to take out the security configuration in the web.xml if it is there: e.g. security-constraint, login-config,  security-role.

6. I am using Oracle for my Grouper database, and when I try to add more groups or members, I am getting this error: "hibernate commit error: Could not execute JDBC batch update." What causes that?

One cause may be that you have run out of tablespace - try extending your tablespace for the Grouper database.

7. Grouper is failing to query my LDAP server over a SSL connection because it cannot find the certificate for the CA that signed the cert the LDAP server presents. How can I help Grouper find the CA cert?

One way is to add the CA cert to the list of trusted CAs that the Java JRE keeps. The JRE provides the keytool executable to help you manage the list. With JAVA_HOME set appropriately and JAVA_HOME/bin in your path you should be able to run

keytool -import -file /path/to/cacert/file.pem -keystore $JAVA_HOME/jre/lib/security/cacerts

Note that the default password is 'changeit'. You should change it! See http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html for details on the keytool and how to change the password for the trusted CA keystore.

8. Are there examples for how to create a Grouper WS client using PHP?

Click here for some simple client examples that use the PHP SOAP extension

      Questions or comments?  Contact us.