Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] ldappc-ng and custom extension

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] ldappc-ng and custom extension

Chronological Thread 
  • From: Tom Zeller <>
  • To: Scott Koranda <>
  • Cc: Grouper Users Mailing List <>
  • Subject: Re: [grouper-users] ldappc-ng and custom extension
  • Date: Mon, 7 Feb 2011 09:36:09 -0600
  • Domainkey-signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; b=HD23oLBTQukjnrhh+CxdwhF4Hmc1PI6sLXzQk9/R9n9rvBcHylEEs3MbSvdh41ZP/Y iytFwDVy710vXjYj50FRqFeeuP2CCKcX8XO5/wo3z8iw/1SRHmrz8hD6dG5XfYDpOIFf j1HqegwjpMQa5YYMndippT6XZi3V8k3hyd6vQ=

I am pleased someone asked :-) Documentation should be better. After
writing this, I realize it should be on the wiki, which I should
attend to when I find time. This should be easier. If you decide to go
this route, keep in touch, I think it is very possible, however, it
may be time consuming for you to figure out what I have done so I
suggest we work together.

In general, you need to write (1) an ldappcng SpmlTargetProvider and
(2) a Shibboleth IdP extension.

The Provisioning Service Provider specific to your non-LDAP target
listens for SPML Requests and returns Responses. Implement the
interface, probably by extending BaseSpmlTargetProvider. Take a look
at the LdapTargetProvider. Your custom provisioning business logic
will be (mostly) in :


The SPML library is now at :

The Spring wiring for your custom IdP extension should be immensely enjoyable

Your CustomSpmlTargetProvider will be a Shibboleth Service
instantiated by Spring and defined in ldappc-services.xml. For
example, here is the LdapTargetProvider configuration :

<!-- the ldap provider is required for ldappcng, not ldappc -->
<Service id="ldap-provider" xsi:type="ldappc:LdapPoolProvider"
<ConfigurationResource file="/ldappc-ldap.xml"
xsi:type="resource:ClasspathResource" />

Yours may look like :

<Service id="LIGO-provider" xsi:type="ligo:LIGO" >
<ConfigurationResource file="/LIGO.xml"
xsi:type="resource:ClasspathResource" />

The Spring wiring for ldappcng is in src/main/resources. The ldappcng
namespace is specified in spring.handlers :

http\:// =

Here is the corresponding LdappcNamespaceHandler class :

public class LdappcNamespaceHandler extends BaseSpringNamespaceHandler {
public static final String NAMESPACE =
public void init() {

new LdapTargetProviderBeanDefinitionParser());

and the registered BeanDefinitionParser :

public class LdapTargetProviderBeanDefinitionParser extends
AbstractServiceBeanDefinitionParser {
public static final QName TYPE_NAME = new
QName(LdappcNamespaceHandler.NAMESPACE, "LdapPoolProvider");
protected Class getBeanClass(Element element) {
return LdapTargetProvider.class;
protected void doParse(Element configElement, ParserContext
parserContext, BeanDefinitionBuilder builder) {
super.doParse(configElement, parserContext, builder);

The ldappcng xsd schema is specified in spring.schemas :

http\:// = schema/ldappc.xsd

Here is the ldappcPoolProvider service :

<complexType name="LdapPoolProvider">
<extension base="service:ServiceType">
<attribute name="ldapPoolId" type="string" use="required">
<attribute name="logLdif" type="boolean" default="false" />
<attribute name="logSpml" type="boolean" default="false" />

Your schema object needs to extend the ServiceType, for example :

<complexType name="LIGO">
<extension base="service:ServiceType" />

The ServiceType is defined in shibboleth-2.0-services.xsd, the
java-shib-common project may be helpful for you to check out and look
at :

Once you figure out your custom extension, the provisioned object,
identifier, and attribute definitions for your target are defined in
ldappcng.xml. For example :

<target id="ldap" provider="ldap-provider" />
<object ...
<identifier ...
<attribute ...

I think this should be enough for you to get started ;-)


On Sun, Feb 6, 2011 at 11:07 AM, Scott Koranda
> Hi,
> We have a tool that requires (at this time) its own
> representation of group memberships. We prefer, however, to use
> Grouper as the single source of group membership information
> in our organization.
> I would like to understand if it is possible and how much work
> it would be to write a custom extension for ldappc-ng that
> would provision into the representation required for this
> tool.
> I have read this page with an overview of how ldappc-ng works
> I would be grateful if someone could provide more technical
> details on how we would go about provisioning a non-LDAP
> target and creating a custom extension. I have downloaded the
> source but would appreciate some hints on where to get
> started.
> Thanks,
> Scott

Archive powered by MHonArc 2.6.16.

Top of Page