LDAPPC - LDAP Provisioning Connector as of v1.5.0

LDAPPC provisions group and membership information contained in the Groups Registry to an LDAP directory service.

See also the information on the newer provisioning connector called LDAPPC-NG.

As of Grouper 2.1, see the Provisioning Service Provider (PSP).

As of Grouper 2.6 and above, see the Grouper Provisioning Framework

Usage

LDAPPC is run using GrouperShell (gsh).

For example, to maintain group and membership provisioning, polling every 60 seconds for changes:

bin/gsh.sh -ldappc -groups -memberships -interval 60

One or both of -groups and -memberships must be specified. All other arguments are optional.

Key              Value                       Description
no arguments                                 Display usage.
-groups                                      Provision groups.
-memberships                                 Provision memberships.
-subject         subjectId                   The SubjectId used to establish Grouper API sessions. Defaults to GrouperSystem.
-interval        interval                    Number of seconds between polling intervals. If omitted, only one provisioning cycle is performed.
-lastModifyTime  yyyy-MM-dd[_hh:mm:ss]       Select objects changed since this time.
-configManager   path to configuration xml   Path to configuration file. Defaults to classpath resource ldappc.xml.
-properties      path to properties file     Path to properties file. Defaults to classpath resource ldappc.properties.
-resolver        path to directory           Path to directory containing Shibboleth Attribute Resolver configuration files.
-calc            file                        Calculate provisioning and write to file.
-dryRun          file                        Write provisioning changes to file only, do not provision changes.
-logLDIF                                     While provisioning, log changes in LDIF format.

Release Notes

Version 1.5.0 of LDAPPC includes several new features, many of which were implemented because of requests on the Grouper mailing lists. Thank you for your involvement.

The ability to provision Active Directory has improved significantly. Integration with the Shibboleth Attribute Resolver provides customizable attributes, potentially suitable for Exchange. Integration with vt-ldap 3.2 provides support for paging and groups with a large (>1500) number of members.

An upcoming version of LDAPPC should include SPML 2 support.

Upgrading to LDAPPC 1.5.0

The <ldap> configuration element in ldappc.xml is no longer allowed. LDAP connection parameters are now defined in ldappc.properties. See vt-ldap.

Remove any <source-subject-identifier source="g:gsa" ...> configuration elements.

As of Grouper v1.4.1, LDAPPC is included in the Grouper API. Previously LDAPPC was a separate project.

Configuration

LDAPPC requires two files, ldappc.xml and ldappc.properties. The full path to these files may be defined at runtime.

By default, macros of the form ${name} in ldappc.xml will be replaced by their corresponding values in ldappc.properties.

ldappc.properties

LDAP connectivity is provided by vt-ldap and is defined in ldappc.properties.

# Macros of the form ${name} in your configuration (default ldappc.xml)
# will be replaced with the values of the matching keys of this file.

edu.vt.middleware.ldap.ldapUrl=ldap://127.0.0.1:389
edu.vt.middleware.ldap.base=dc=example,dc=edu
edu.vt.middleware.ldap.authtype=simple
edu.vt.middleware.ldap.serviceUser=cn=Manager
edu.vt.middleware.ldap.serviceCredential=secret
edu.vt.middleware.ldap.tls=true
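The macro expansion and connection settings described above, as an added JavaScript example (not LDAPPC's or vt-ldap's own code, which are Java): it parses a constructed ldappc.properties, expands ${name} macros in an ldappc.xml fragment, reports macros with no matching key, and flags a simple bind that would send the service credential over a connection without TLS.

```javascript
// Added example (not LDAPPC's or vt-ldap's code): the ${name} macro expansion described
// above (ldappc.properties keys substituted into ldappc.xml) plus a check of the
// resulting vt-ldap connection settings before they are used.

// Minimal Java-style .properties parser: key=value or key:value, '#'/'!' comments.
// (Line continuations and escape sequences of the real format are not handled.)
function parseProperties(text) {
  const props = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line[0] === "#" || line[0] === "!") continue;
    const i = line.search(/[=:]/);
    if (i > 0) props[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  return props;
}

// Replace every ${name} with the matching property value. Unknown names are kept
// verbatim and reported, so a typo cannot silently turn into a literal "${...}" DN.
function expandMacros(xml, props) {
  const unresolved = [];
  const out = xml.replace(/\$\{([^}]+)\}/g, (m, name) =>
    name in props ? props[name] : (unresolved.push(name), m));
  return { out, unresolved };
}

// A simple bind sends serviceCredential in clear text, so it belongs only on a
// TLS (tls=true) or ldaps:// connection; an empty credential is an unauthenticated
// bind, which many servers treat as anonymous.
function checkConnection(props) {
  const p = (k) => props["edu.vt.middleware.ldap." + k] || "";
  const problems = [];
  if (p("authtype").toLowerCase() === "simple" && p("tls") !== "true" &&
      !p("ldapUrl").startsWith("ldaps://"))
    problems.push("simple bind without TLS");
  if (p("serviceCredential") === "") problems.push("empty serviceCredential");
  return problems;
}

// Constructed sample input modelled on the properties file above (tls deliberately off).
const SAMPLE_PROPS = [
  "# sample ldappc.properties (constructed)",
  "edu.vt.middleware.ldap.ldapUrl=ldap://127.0.0.1:389",
  "edu.vt.middleware.ldap.base=dc=example,dc=edu",
  "edu.vt.middleware.ldap.authtype=simple",
  "edu.vt.middleware.ldap.serviceUser=cn=Manager",
  "edu.vt.middleware.ldap.serviceCredential=secret",
  "edu.vt.middleware.ldap.tls=false",
].join("\n");
const SAMPLE_XML = '<groups root-dn="ou=groups,${edu.vt.middleware.ldap.base}" x="${missing}"/>';
console.log(expandMacros(SAMPLE_XML, parseProperties(SAMPLE_PROPS)), checkConnection(parseProperties(SAMPLE_PROPS)));
```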

ldappc.xml

Example Active Directory Configuration

An example configuration file for provisioning Active Directory might look like the following. There is no <memberships/> element since Active Directory handles provisioning the memberOf attribute of group members. In this example, the sAMAccountName attribute, a.k.a. pre-Windows 2000 logon name, is calculated using the Shibboleth Attribute Resolver to replace whitespace in group names with an underscore.

<?xml version="1.0" encoding="utf-8"?>

<ldappc>
  <grouper>
    <group-queries>
      <subordinate-stem-queries>
        <stem-list>
          <stem>edu</stem>
        </stem-list>
      </subordinate-stem-queries>
    </group-queries>

    <groups structure="bushy" root-dn="ou=testgroups,${base}" ldap-object-class="group"
            ldap-rdn-attribute="cn" grouper-attribute="name" >

      <group-members-dn-list list-object-class="group" list-attribute="member" />

      <group-attribute-mapping ldap-object-class="group">
        <group-attribute-map group-attribute="description" ldap-attribute="description" />
      </group-attribute-mapping>

      <resolver-attribute-mapping ldap-object-class="group">
        <resolver-attribute-map resolver-attribute="sAMAccountName" ldap-attribute="sAMAccountName" />
      </resolver-attribute-mapping>

    </groups>

  </grouper>

  <source-subject-identifiers>
    <source-subject-identifier source="jdbc" subject-attribute="id">
      <ldap-search base="ou=testpeople,${base}" scope="subtree_scope" filter="(cn={0})" />
    </source-subject-identifier>
  </source-subject-identifiers>

</ldappc>

Shibboleth Attribute Resolver configuration:

<resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="sAMAccountName" sourceAttributeID="name">
  <resolver:Dependency ref="groupDataConnector" />
  <Script><![CDATA[
    // Import the Shibboleth attribute provider package so that BasicAttribute is available
    importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

    // Start from the group's Grouper name (first value of the "name" source attribute)
    value = name.getValues().get(0);

    // Replace characters that are not permitted in sAMAccountName with an underscore
    value = value.replaceAll("\\/", "_");
    value = value.replaceAll("\\[", "_");
    value = value.replaceAll("\\]", "_");
    value = value.replaceAll("\\:", "_");
    value = value.replaceAll("\\;", "_");
    value = value.replaceAll("\\|", "_");
    value = value.replaceAll("\\=", "_");
    value = value.replaceAll("\\,", "_");
    value = value.replaceAll("\\+", "_");
    value = value.replaceAll("\\*", "_");
    value = value.replaceAll("\\?", "_");
    // Replace whitespace in the group name with an underscore as well
    value = value.replaceAll("\\s", "_");

    // Expose the result as the sAMAccountName attribute
    sAMAccountName = new BasicAttribute("sAMAccountName");
    sAMAccountName.getValues().add(value);
  ]]></Script>
</resolver:AttributeDefinition>
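A stand-alone version of the sAMAccountName cleanup above, as an added JavaScript example (not LDAPPC's or Shibboleth's code; it runs under Node rather than the IdP's script engine). It widens the replacement to the full set of characters Active Directory rejects in sAMAccountName and adds a collision check, since two distinct Grouper group names can collapse to the same value once characters are replaced.

```javascript
// Added example (not LDAPPC's or Shibboleth's code): a stand-alone version of the
// sAMAccountName cleanup done by the Script attribute definition above, widened to
// the full set of characters Active Directory rejects in sAMAccountName, with a
// collision check, because distinct Grouper names can collapse to one value.

// Characters AD does not allow in sAMAccountName: " / \ [ ] : ; | = , + * ? < >
// (the page's script covers a subset). Whitespace is replaced as the prose describes.
const ILLEGAL = /["\/\\\[\]:;|=,+*?<>\s]/g;

function toSAMAccountName(grouperName) {
  return grouperName.replace(ILLEGAL, "_");
}

// Group the input names by the sAMAccountName they would get and return only the
// buckets with more than one member. AD requires sAMAccountName to be unique in the
// domain (case-insensitively), so such a bucket means one provisioned group would
// fail to be created or would clash with another.
function checkCollisions(groupNames) {
  const byName = new Map();
  for (const g of groupNames) {
    const sam = toSAMAccountName(g).toLowerCase();
    if (!byName.has(sam)) byName.set(sam, []);
    byName.get(sam).push(g);
  }
  const collisions = {};
  for (const [sam, sources] of byName) {
    if (sources.length > 1) collisions[sam] = sources;
  }
  return collisions;
}

// Constructed sample group names (not from any real Groups Registry).
const SAMPLE_GROUPS = [
  "edu:staff:it ops",
  "edu:staff:it/ops",
  "edu:students:class of 2010",
  "edu:faculty:[chairs]",
];

for (const g of SAMPLE_GROUPS) console.log(g, "->", toSAMAccountName(g));
console.log("collisions:", checkCollisions(SAMPLE_GROUPS));
```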

Example OpenLDAP Configuration

An example configuration file for provisioning OpenLDAP might look like:

<?xml version="1.0" encoding="utf-8"?>

<ldappc>
  <grouper>
    <group-queries>

      <subordinate-stem-queries>
        <stem-list>
          <stem>_stem_name_</stem>
        </stem-list>
      </subordinate-stem-queries>

      <attribute-matching-queries>
        <attribute-list>
          <attribute name="_attr_name_" value="_attr_value_" />
        </attribute-list>
      </attribute-matching-queries>

    </group-queries>

    <groups
      structure="flat"
      root-dn="ou=groups,${edu.vt.middleware.ldap.base}"
      ldap-object-class="groupOfNames"
      ldap-rdn-attribute="cn"
      grouper-attribute="name">

      <group-members-dn-list list-object-class="groupOfNames" list-attribute="member" list-empty-value="" />

      <group-members-name-list list-object-class="eduMember" list-attribute="hasMember">
        <source-subject-name-mapping>
          <source-subject-name-map source="_source_name_" subject-attribute="_attr_name_" />
          <source-subject-name-map source="g:gsa" subject-attribute="name" />
        </source-subject-name-mapping>
      </group-members-name-list>

      <group-attribute-mapping ldap-object-class="groupOfNames">
        <group-attribute-map group-attribute="description" ldap-attribute="description" />
      </group-attribute-mapping>

    </groups>

    <memberships>
      <member-groups-list list-object-class="eduMember" list-attribute="isMemberOf" naming-attribute="name" />
    </memberships>

  </grouper>

  <source-subject-identifiers>
    <source-subject-identifier source="_source_name_" subject-attribute="_attr_name_">
      <ldap-search
        base="ou=people,${edu.vt.middleware.ldap.base}"
        scope="subtree_scope"
        filter="(uid={0})" />
    </source-subject-identifier>
  </source-subject-identifiers>

</ldappc>

Documentation for previous versions is available at https://wiki.internet2.edu/confluence/display/i2miCommon/Ldappc

