Grouper Users - Open Discussion List

[Matt Wilks <>]

> Does this help ?


Yes, indeed, very helpful!  I wonder if it would be helpful to put a link
somewhere on the LDAPPC-NG page pointing to the Shibboleth Attribute page?
 Once you point it out it's obvious that that is the place to visit for
help determining which groups are provisioned but I didn't pick that up
from reading the LDAPPC-NG docs.

Thanks,
Matt.

On 11-12-12 4:38 PM, "Tom Zeller" 
<>
 wrote:

>The ldappcng configuration, ldappcng.xml, maps attributes returned by
>a shibboleth attribute resolver to provisioned objects which consist
>of identifiers, attributes, and references to the identifiers other
>objects (e.g. group memberships).
>
>The following defines an ldap "group" whose identifier (ldap dn) is
>returned by the "group-dn" attribute definition in ldappc-resolver.xml
>
><object id="group" ... />
> <identifier ref="group-dn" ... />
>  <identifyingAttribute name="objectClass" value="${groupObjectClass}" />
>  ...
>
>The <identifyingAttribute /> element in ldappcng.xml maps a target
>object (an ldap entry) to the corresponding object in the ldappcng
>configuration. So, if an ldap entry has "objectClass" of
>"groupOfNames" then it is considered by ldappcng to be a provisionable
>"group".
>
>
>Grouper groups to be provisioned are configured via data connectors in
>ldappc-resolver.xml. For example :
>
><resolver:DataConnector id="GroupDataConnector"
>xsi:type="grouper:GroupDataConnector">
>    <grouper:Attribute id="members" />
>    <grouper:Attribute id="groups" />
></resolver:DataConnector>
>
>Will provision all groups in Grouper. (And will return the results of
>group.getMembers() as the "members" attribute and group.getGroups() as
>the "groups" attribute. Returning these attributes is optional for
>performance reasons.)
>
>Groups may be filtered by attribute value or by stem. For example, the
>following will provision groups which are in the stem "stem" or have a
>custom attribute "attr" with value "value".
>
><resolver:DataConnector id="GroupDataConnector"
>xsi:type="grouper:GroupDataConnector">
>    <grouper:Attribute id="members" />
>    <grouper:Attribute id="groups" />
>    <grouper:GroupFilter xsi:type="grouper:OR">
>      <grouper:GroupFilter xsi:type="grouper:ExactAttribute"
>name="attr" value="value" />
>      <grouper:GroupFilter xsi:type="grouper:StemName" name="stem"
>scope="SUB" />
>    </grouper:GroupFilter>
></resolver:DataConnector>
>
>Does this help ?
>
>TomZ
>
>On Mon, Dec 12, 2011 at 1:50 PM, Matt Wilks 
><>
>wrote:
>> Trying to get LDAPPC-NG set up on a Grouper installation.  I can't quite
>> figure out how to indicate that a group should be provisioned to LDAP.
>> Best I can see these lines in ldappcng.xml (inside a <object id="group">
>> tag):
>>
>> <identifier ref="group-dn" baseId="${groupsOU}">
>>
>>        <identifyingAttribute name="objectClass"
>>value="${groupObjectClass}" />
>> </identifier>
>>
>> would indicate that all groups with an attribute named 'objectClass'
>> assigned with the value '${groupObjectClass}' (set in ldappc.properties
>>to
>> be 'groupOfNames') should be provisioned into the dn indicated by
>> ${groupsOU}.  Is that correct?  It doesn't seem to be working so I want
>>to
>> check that I have at least that part correct.
>>
>> Thanks,
>> Matt.
>>
>>