grouper-dev - Re: [grouper-dev] RE: use cases for ldap loader to grouper

Grouper Developers Forum list archive

Re: [grouper-dev] RE: use cases for ldap loader to grouper


  • From: Tom Barton <>
  • To: Chris Hyzer <>
  • Cc: Shilen Patel <>, "" <>
  • Subject: Re: [grouper-dev] RE: use cases for ldap loader to grouper
  • Date: Mon, 10 Oct 2011 08:42:16 -0500

Nice work! -Tom

On 10/10/2011 1:45 AM, Chris Hyzer wrote:

I finished coding/testing/documenting/etc the LDAP loader.  There are test cases at the bottom that also explain how the features work.

https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader+LDAP

Thanks,

Chris


From: [] On Behalf Of Shilen Patel
Sent: Thursday, October 06, 2011 6:24 PM
To: Tom Barton
Cc:
Subject: Re: [grouper-dev] RE: use cases for ldap loader to grouper

 

I tried this out using Duke's production Sun Directory and Active Directory.  For the tests I did, it was easy to use and worked great.  Here's what I tried, largely based on examples from Chris on the wiki.

1.  Use LDAP_SIMPLE to manage a group in Grouper for all staff with the OU attribute value of "Systems Admin-Identity Management."

// LDAP_SIMPLE: one Grouper group; its members are the uid of every entry matching the filter
grouperSession = GrouperSession.startRootSession();
group = new GroupSave(grouperSession).assignName("duke:employees:IdM").assignCreateParentStemsIfNotExist(true).save();
// attach the loader attribute to the group and retrieve the resulting assignment
attributeAssign = group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();
attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true);
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_SIMPLE");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(&(eduPersonAffiliation=staff)(ou=Systems Admin-Identity Management))");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?");   // Quartz cron: run every minute
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=people");     // search base for the filter
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "personLdap");    // loader's LDAP server id
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "jdbc");          // subject API source to resolve members in
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uid");   // LDAP attribute holding the subject
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectIdentifier");
loaderRunOneJob(group);   // run the job once now rather than waiting for the cron

2.  Use LDAP_GROUP_LIST to sync some AD groups into Grouper.  We currently have a need for this, so this is good.  I had to use some custom EL to get the subject identifier which is part of our RDN.  The flexibility here seems sufficient and easy to work with.

// LDAP_GROUP_LIST: the filter returns group objects; one Grouper group per object, members from its "member" attribute
grouperSession = GrouperSession.startRootSession();
group = new GroupSave(grouperSession).assignName("duke:ADGroups:groupList").assignCreateParentStemsIfNotExist(true).save();
attributeAssign = group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();
attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true);
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUP_LIST");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(|(sAMAccountName=ITSO-OU-Admins)(sAMAccountName=OIT-IDM-Shared))");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=depts");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "personLdap2");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "jdbc");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "member");   // multi-valued attribute of member DNs
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectIdentifier");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapExtraAttributesName(), "cn");   // also fetch cn, used in the group name EL below
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupNameExpressionName(), "groups:${groupAttributes['cn']}");
// custom EL: turn each member DN into the NetID (our subject identifier) held in the RDN
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), "${customLoaderLdapElUtils.convertDnToNetID(subjectId)}");
loaderRunOneJob(group);

3.  Use LDAP_GROUPS_FROM_ATTRIBUTES to manage Grouper groups based on OU attribute values.  So there's a different group created for each OU value.

// LDAP_GROUPS_FROM_ATTRIBUTES: the filter returns user objects; one Grouper group per distinct value of the group attribute ("ou")
grouperSession = GrouperSession.startRootSession();
group = new GroupSave(grouperSession).assignName("duke:OUGroups:groupList").assignCreateParentStemsIfNotExist(true).save();
attributeAssign = group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();
attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true);
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUPS_FROM_ATTRIBUTES");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(&(eduPersonAffiliation=*)(ou=*))");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=test");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "personLdap");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "jdbc");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uid");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectIdentifier");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupAttributeName(), "ou");   // each distinct ou value becomes a group
loaderRunOneJob(group);

 

So yeah, I think sites will find this useful.

Thanks!

-- Shilen


From: Tom Barton <>
Date: Wed, 5 Oct 2011 05:32:00 -0500
To: <>
Subject: Re: [grouper-dev] RE: use cases for ldap loader to grouper

 

Jim or Shilen, since I expect that you each have access to a rich and well-used ldap service, are you able to try this out to see how it might work? Do you think it is easily enough used to do useful things for many sites?

TomZ, do you have access to a rich ldap service any longer? Maybe one of your own making, for development purposes? If so, ditto, please.

Even more reason to put an ldap service on grouperdemo, finally.

Thanks,
Tom

On 10/5/2011 1:42 AM, Chris Hyzer wrote:

I implemented the groups from attributes ldap loader, here is an example (note, it's not a typical example, it's inverted, since I didn't have user attributes to work with, but it should be ok):

https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader+LDAP#Grouper-LoaderLDAP-LDAPGROUPSFROMATTRIBUTEStestcase

Need to test all the options, then done :)

Thanks,

Chris


From: Chris Hyzer
Sent: Friday, September 30, 2011 2:53 AM
To: ''
Subject: RE: use cases for ldap loader to grouper

 

I implemented the LIST_OF_GROUPS, here is a basic example:

https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader+LDAP#Grouper-LoaderLDAP-LDAPGROUPLISTtestcase

Thanks,

Chris


From: Chris Hyzer
Sent: Wednesday, September 28, 2011 3:20 PM
To:
Subject: use cases for ldap loader to grouper

 

Hey,

I'm implementing the Grouper-loader type of job for an LDAP source, and I wanted to make sure I am covering all the use cases…  my ldap terminology is not exact, but hopefully you will get my meaning.  Let me know any feedback, especially if there is something missing.  Btw, the more detailed of an example you can provide the more likely I will understand it :).  And yes, eventually this could be done with LDAPPC instead…

https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader+LDAP

Use cases currently expected to be covered:

SIMPLE: a single group is loaded from ldap; you specify the ldap filter, the attribute that has user ids (could be multi-valued), and how the userid is converted to a subject API subject id (e.g. direct, or take the uid or cn part of the dn).  Note, the objects returned from ldap could be users or groups or whatever.

LIST_OF_GROUPS: filter returns group objects; the systemName / displayExtension / description of the groups in grouper can be based on attributes in the group object (including translation), and each group object has a multivalued attribute which has the uids or cns of the subjects which can be directly used as subject api ids/identifiers or unwrapped from the dn.

GROUPS_FROM_ATTRIBUTES: filter returns user objects, which have an attribute for uid or cn which can be unwrapped for the subject api, and each user object has a multi-valued attribute (e.g. an affiliation).  The groups will be in a folder, with the name of the attribute, and the members will be the users who have that attribute value.

Thoughts?

Thanks,

Chris
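As an added illustration (not code from this thread or from Grouper itself), the three loader types in Chris's use-case list, as exercised in Shilen's three tests, simulated in Python over a constructed in-memory directory. The LDAP filter is replaced by a predicate, and the DN-to-subject-identifier step that Duke's custom convertDnToNetID EL performs is shown as rdn_value, which accepts only the leading RDN and splits on unescaped commas so a member DN cannot resolve to a subject through a value deeper in the DN; the group folder names are assumptions.

```python
import re
from collections import defaultdict
# Constructed in-memory directory: (dn, attributes); every attribute is multi-valued.
ENTRIES = [
    ("uid=alice,ou=people,dc=example,dc=edu",
     {"uid": ["alice"], "eduPersonAffiliation": ["staff"], "ou": ["IdM", "Security"]}),
    ("uid=bob,ou=people,dc=example,dc=edu",
     {"uid": ["bob"], "eduPersonAffiliation": ["staff"], "ou": ["Networking"]}),
    ("uid=carol,ou=people,dc=example,dc=edu",
     {"uid": ["carol"], "eduPersonAffiliation": ["student"], "ou": ["IdM"]}),
    ("cn=OIT-IDM-Shared,ou=depts,dc=example,dc=edu",
     {"cn": ["OIT-IDM-Shared"], "sAMAccountName": ["OIT-IDM-Shared"],
      "member": ["uid=alice,ou=people,dc=example,dc=edu", "uid=carol,ou=people,dc=example,dc=edu"]}),
    ("cn=ITSO-OU-Admins,ou=depts,dc=example,dc=edu",
     {"cn": ["ITSO-OU-Admins"], "sAMAccountName": ["ITSO-OU-Admins"],
      "member": ["uid=bob,ou=people,dc=example,dc=edu"]}),
]

def rdn_value(dn, attr):
    """Unwrap a subject id from a DN: the value of its leading RDN, which must be `attr`. Splits
    only on unescaped commas and rejects DNs whose first RDN is a different attribute."""
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    name, sep, value = first.partition("=")
    if not sep or name.strip().lower() != attr.lower():
        raise ValueError(f"leading RDN of {dn!r} is not {attr}")
    return value.strip()

def search(entries, base_dn, predicate):
    """Entries below base_dn whose attributes satisfy predicate (stands in for the LDAP filter)."""
    return [(dn, a) for dn, a in entries if dn.endswith("," + base_dn) and predicate(a)]

def load_simple(entries, base_dn, predicate, subject_attr):
    """SIMPLE: one group whose members are the subject_attr values of every matched object."""
    return sorted({v for _, a in search(entries, base_dn, predicate) for v in a.get(subject_attr, [])})

def load_group_list(entries, base_dn, predicate, member_attr, folder, subject_attr="uid"):
    """LIST_OF_GROUPS: one group folder:<cn> per matched group object; member DNs are unwrapped."""
    return {f"{folder}:{a['cn'][0]}": sorted(rdn_value(m, subject_attr) for m in a.get(member_attr, []))
            for _, a in search(entries, base_dn, predicate)}

def load_groups_from_attributes(entries, base_dn, predicate, subject_attr, group_attr, folder):
    """GROUPS_FROM_ATTRIBUTES: one group per distinct group_attr value; a multi-valued user joins each."""
    groups = defaultdict(set)
    for _, a in search(entries, base_dn, predicate):
        for value in a.get(group_attr, []):
            groups[f"{folder}:{value}"].update(a.get(subject_attr, []))
    return {g: sorted(m) for g, m in groups.items()}
# Predicates standing in for the two filters from the tests above.
STAFF_IDM = lambda a: "staff" in a.get("eduPersonAffiliation", []) and "IdM" in a.get("ou", [])
AD_GROUPS = lambda a: bool({"ITSO-OU-Admins", "OIT-IDM-Shared"} & set(a.get("sAMAccountName", [])))
```

Running load_groups_from_attributes over the people branch puts alice into both duke:OUGroups:IdM and duke:OUGroups:Security, which is the one-group-per-value behaviour the third use case describes.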



