Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] ldappc-ng configuration

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] ldappc-ng configuration


Chronological Thread 
  • From: Tom Zeller <>
  • To: Matt Wilks <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] ldappc-ng configuration
  • Date: Mon, 12 Dec 2011 15:38:39 -0600
The ldappcng configuration, ldappcng.xml, maps attributes returned by
a shibboleth attribute resolver to provisioned objects which consist
of identifiers, attributes, and references to the identifiers other
objects (e.g. group memberships).

The following defines an ldap "group" whose identifier (ldap dn) is
returned by the "group-dn" attribute definition in ldappc-resolver.xml

<object id="group" ... />
<identifier ref="group-dn" ... />
<identifyingAttribute name="objectClass" value="${groupObjectClass}" />
...

The <identifyingAttribute /> element in ldappcng.xml maps a target
object (an ldap entry) to the corresponding object in the ldappcng
configuration. So, if an ldap entry has "objectClass" of
"groupOfNames" then it is considered by ldappcng to be a provisionable
"group".


Grouper groups to be provisioned are configured via data connectors in
ldappc-resolver.xml. For example :

<resolver:DataConnector id="GroupDataConnector"
xsi:type="grouper:GroupDataConnector">
<grouper:Attribute id="members" />
<grouper:Attribute id="groups" />
</resolver:DataConnector>

Will provision all groups in Grouper. (And will return the results of
group.getMembers() as the "members" attribute and group.getGroups() as
the "groups" attribute. Returning these attributes is optional for
performance reasons.)

Groups may be filtered by attribute value or by stem. For example, the
following will provision groups which are in the stem "stem" or have a
custom attribute "attr" with value "value".

<resolver:DataConnector id="GroupDataConnector"
xsi:type="grouper:GroupDataConnector">
<grouper:Attribute id="members" />
<grouper:Attribute id="groups" />
<grouper:GroupFilter xsi:type="grouper:OR">
<grouper:GroupFilter xsi:type="grouper:ExactAttribute"
name="attr" value="value" />
<grouper:GroupFilter xsi:type="grouper:StemName" name="stem"
scope="SUB" />
</grouper:GroupFilter>
</resolver:DataConnector>

Does this help ?

TomZ

On Mon, Dec 12, 2011 at 1:50 PM, Matt Wilks
<>
wrote:
> Trying to get LDAPPC-NG set up on a Grouper installation.  I can't quite
> figure out how to indicate that a group should be provisioned to LDAP.
> Best I can see these lines in ldappcng.xml (inside a <object id="group">
> tag):
>
> <identifier ref="group-dn" baseId="${groupsOU}">
>
>        <identifyingAttribute name="objectClass" value="${groupObjectClass}"
> />
> </identifier>
>
> would indicate that all groups with an attribute named 'objectClass'
> assigned with the value '${groupObjectClass}' (set in ldappc.properties to
> be 'groupOfNames') should be provisioned into the dn indicated by
> ${groupsOU}.  Is that correct?  It doesn't seem to be working so I want to
> check that I have at least that part correct.
>
> Thanks,
> Matt.
>
>

Archive powered by MHonArc 2.6.16.

Top of Page