LDAPPC - LDAP Provisioning Connector as of v1.5.0

LDAPPC provisions group and membership information contained in the Groups Registry to an LDAP directory service.

See also the information on the newer provisioning connector called LDAPPC-NG.

As of Grouper 2.1, see the Provisioning Service Provider (PSP).


LDAPPC is run using GrouperShell (gsh).

For example, to maintain group and membership provisioning, polling every 60 seconds for changes:

bin/gsh.sh -ldappc -groups -memberships -interval 60

One or both of -groups and -memberships must be specified. All other arguments are optional.




no arguments


Display usage.



Provision groups.



Provision memberships.



The SubjectId used to establish Grouper API sessions. Defaults to GrouperSystem.



Number of seconds between polling intervals. If omitted, only one provisioning cycle is performed.



Select objects changed since this time.


path to configuration xml

Path to configuration file. Defaults to classpath resource ldappc.xml.


path to properties file

Path to properties file. Defaults to classpath resource ldappc.properties.


path to directory

Path to directory containing Shibboleth Attribute Resolver configuration files.



Calculate provisioning and write to file.



Write provisioning changes to file only, do not provision changes.



While provisioning, log changes in LDIF format.

Release Notes

Version 1.5.0 of LDAPPC includes several new features, many of which were implemented because of requests on the Grouper mailing lists. Thank you for your involvement.

The ability to provision Active Directory has improved significantly. Integration with the Shibboleth Attribute Resolver provides customizable attributes, potentially suitable for Exchange. Integration with vt-ldap 3.2 provides support for paging and groups with a large (>1500) number of members.

An upcoming version of LDAPPC should include SPML 2 support.

Upgrading to LDAPPC 1.5.0

The <ldap> configuration element in ldappc.xml is no longer allowed. LDAP connection parameters are now defined in ldappc.properties. See vt-ldap.

Remove any <source-subject-identifier source="g:gsa" ...> configuration elements.

As of Grouper v1.4.1, LDAPPC is included in the Grouper API. Previously LDAPPC was a separate project.


LDAPPC requires two files, ldappc.xml and ldappc.properties. The full path to these files may be defined at runtime.

By default, macros of the form ${name} in ldappc.xml will be replaced by their corresponding values in ldappc.properties.


LDAP connectivity is provided by vt-ldap and is defined in ldappc.properties.

# Macros of the form ${name} in your configuration (default ldappc.xml)
# will be replaced with the values of the matching keys of this file.



Example Active Directory Configuration

An example configuration file for provisioning Active Directory might look like the following. There is no <memberships/> element since Active Directory handles provisioning the memberOf attribute of group members. In this example, the sAMAccountName attribute, a.k.a. pre-Windows 2000 logon name, is calculated using the Shibboleth Attribute Resolver to replace whitespace in group names with an underscore.

<?xml version="1.0" encoding="utf-8"?>


    <groups structure="bushy" root-dn="ou=testgroups,${base}" ldap-object-class="group"
            ldap-rdn-attribute="cn" grouper-attribute="name">

      <group-members-dn-list list-object-class="group" list-attribute="member" />

      <group-attribute-mapping ldap-object-class="group">
        <group-attribute-map group-attribute="description" ldap-attribute="description" />
      </group-attribute-mapping>

      <resolver-attribute-mapping ldap-object-class="group">
        <resolver-attribute-map resolver-attribute="sAMAccountName" ldap-attribute="sAMAccountName" />
      </resolver-attribute-mapping>

    </groups>

    <source-subject-identifier source="jdbc" subject-attribute="id">
      <ldap-search base="ou=testpeople,${base}" scope="subtree_scope" filter="(cn={0})" />
    </source-subject-identifier>

Shibboleth Attribute Resolver configuration:

<resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="sAMAccountName" sourceAttributeID="name">
    <resolver:Dependency ref="groupDataConnector" />
    <Script><![CDATA[
      // Import Shibboleth attribute provider
      importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

      // Start from the first value of the group's "name" attribute
      value = name.getValues().get(0);

      // Replace each of these characters with an underscore
      value = value.replaceAll("\\/", "_");
      value = value.replaceAll("\\[", "_");
      value = value.replaceAll("\\]", "_");
      value = value.replaceAll("\\:", "_");
      value = value.replaceAll("\\;", "_");
      value = value.replaceAll("\\|", "_");
      value = value.replaceAll("\\=", "_");
      value = value.replaceAll("\\,", "_");
      value = value.replaceAll("\\+", "_");
      value = value.replaceAll("\\*", "_");
      value = value.replaceAll("\\?", "_");

      // Return the result as the sAMAccountName attribute
      sAMAccountName = new BasicAttribute("sAMAccountName");
      sAMAccountName.getValues().add(value);
    ]]></Script>
</resolver:AttributeDefinition>
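
Because every replaced character becomes the same underscore, two different Grouper group names can yield the same sAMAccountName, and Active Directory requires that value to be unique within a domain. The following is an added example, not part of the original page or of LDAPPC: it applies the same substitutions as the resolver script, plus the whitespace replacement described in the text, and reports colliding names. The function names, the \s whitespace pattern and the sample group names are assumptions made for illustration.

```javascript
// Added example (not LDAPPC code): find group names that collapse to the
// same sAMAccountName after the resolver script's character substitutions.

// The characters the script on this page replaces with "_".
const REPLACED_RE = /[\/\[\]:;|=,+*?]/g;

// Same result as the script's chain of replaceAll() calls, followed by the
// whitespace replacement the text describes (assumption: any \s character).
function toSamAccountName(groupName) {
  return groupName.replace(REPLACED_RE, '_').replace(/\s/g, '_');
}

// Group the provisioned values and return those shared by more than one
// source name, in order of first appearance.
function findCollisions(groupNames) {
  const bySam = new Map();
  for (const name of groupNames) {
    const sam = toSamAccountName(name);
    if (!bySam.has(sam)) bySam.set(sam, []);
    bySam.get(sam).push(name);
  }
  return [...bySam]
    .filter(([, names]) => names.length > 1)
    .map(([sam, names]) => ({ sam, names }));
}

// Constructed sample Grouper group names (not taken from the page).
const SAMPLE_GROUPS = [
  'edu:apps:wiki admins',
  'edu:apps:wiki_admins',
  'edu:apps:mail[staff]',
  'edu;apps;mail+staff+',
  'edu:courses:math101',
];

// Print one line per collision so it can be reviewed before provisioning.
function main() {
  for (const { sam, names } of findCollisions(SAMPLE_GROUPS)) {
    console.log(`collision on ${sam}: ${names.join(' | ')}`);
  }
}

main();
```

Running the check against the full list of group names before a provisioning cycle shows which names need to be renamed or mapped differently.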

Example OpenLDAP Configuration

An example configuration file for provisioning OpenLDAP might look like:

<?xml version="1.0" encoding="utf-8"?>



          <attribute name="_attr_name_" value="_attr_value_" />



      <group-members-dn-list list-object-class="groupOfNames" list-attribute="member" list-empty-value="" />

      <group-members-name-list list-object-class="eduMember" list-attribute="hasMember">
          <source-subject-name-map source="_source_name_" subject-attribute="_attr_name_" />
          <source-subject-name-map source="g:gsa" subject-attribute="name" />
      </group-members-name-list>

      <group-attribute-mapping ldap-object-class="groupOfNames">
        <group-attribute-map group-attribute="description" ldap-attribute="description" />
      </group-attribute-mapping>


      <member-groups-list list-object-class="eduMember" list-attribute="isMemberOf" naming-attribute="name" />


    <source-subject-identifier source="_source_name_" subject-attribute="_attr_name_">
        filter="(uid={0})" />


Documentation for previous versions is available at https://wiki.internet2.edu/confluence/display/i2miCommon/Ldappc
