
grouper-users - Re: [grouper-users] RE: Grouper Newbie - LDAP integration

Subject: Grouper Users - Open Discussion List

  • From: Carl Waldbieser <>
  • To: Duane Booher <>
  • Cc: grouper-users <>
  • Subject: Re: [grouper-users] RE: Grouper Newbie - LDAP integration
  • Date: Wed, 24 Oct 2018 15:10:07 -0400 (EDT)

Duane,

There is a difference between loading memberships and subjects.
Memberships are loaded with the Grouper Loader, and they may be cron-like.
Subjects come from a subject source (like LDAP or an RDBMS), and they are
utilized in a more or less instantaneous fashion. If you add a subject to
your subject source, it immediately becomes available to Grouper.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

----- Original Message -----
From: "Duane Booher" <>
To: "Coleman, Erik C" <>, "grouper-users" <>
Sent: Wednesday, October 24, 2018 1:46:16 PM
Subject: Re: [grouper-users] RE: Grouper Newbie - LDAP integration

Hi Erik, thanks for the info. I will look at the examples that you have
provided.

I’m not using the TIER grouper containers, instead I’m using the grouper
installer option via: java -jar grouperInstaller.jar

When I look at the grouper loader, my understanding (which may be incorrect)
is that it uses a cron based approach for syncing between LDAP and grouper? I
was hoping for a direct grouper LDAP connection, where grouper would connect
to LDAP and get the necessary user id’s from ou=people (this would be a
step1a on my list). Then as a group is created/maintained then I was hoping
that grouper would also store the group membership also back into LDAP (this
would be step2b on my list). I understand that grouper uses a database, so
some of these lookups and persistence may be maintained in the grouper
database.

In general, I’m having a hard time with this part of the configuration. I’m
carefully looking at all of the relevant grouper technical configuration
documentation for customizing my grouper/LDAP connection. So if you have any
additional grouper links, then that would be great.

Duane

From: <> on behalf of "Coleman, Erik C" <>
Date: Tuesday, October 23, 2018 at 12:16 PM
Subject: [grouper-users] RE: Grouper Newbie - LDAP integration

Duane,

We basically approached the same way with our eval—swinging over one-by-one
to our LDAP, then to our Shib, then to our own database instance. Are you
using the Grouper Demo Docker containers?

With 2.4, all of your LDAP connections are specified in
grouper-loader.properties, so you simply need to change the parameters in
there to point to your enterprise LDAP. Change subject.properties in order to
point to where your identities (subjects) live in that LDAP. Then you can
throw out the LDAP container.

For Shib, you’ll want to upload your own shibboleth2.xml as well as the
appropriate sp-key.pem and sp-cert.pem to the Grouper UI container, with
settings as you would for any SP configured to connect to your IDP. Then you
can throw out the supplied IDP container.

As a tip, I found it more convenient to bootstrap myself into the wheel group
so that I have admin access. This is in grouper.properties, which should also
go into the Grouper containers:

groups.wheel.use = true
groups.wheel.group = etc:sysadmingroup
configuration.autocreate.group.name.0 = etc:sysadmingroup
configuration.autocreate.group.description.0 = Grouper Service Admins
configuration.autocreate.group.subjects.0 = ecc


That’s glossing over many of the specific details, but should give you an
idea.

-Erik




From: <> On Behalf Of Duane Booher
Sent: Tuesday, October 23, 2018 10:20 AM
Subject: [grouper-users] Grouper Newbie - LDAP integration

Hello, I am doing a quick grouper 2.4 evaluation and I have it running on
both my personal workstation (Mac OS X) and a Red Hat 6 server. In both cases
I used the grouper installer with the default demo processes. Then I migrated
the grouper-ui and grouper-ws applications over to a separate tomcat
container. I am still running the remaining processes out of the installer
folder, such as the demo hsqldb, daemon, etc. I have been following the
Grouper Deployment Guide, however things are still fuzzy to me.

I have two immediate goals and I hope the community can point me in the right
direction:

1) I would now like to connect grouper up with our LDAP for both user lookup
and for integration with groups stored in LDAP.

2) I would like to connect the grouper login to our shibboleth/SAML single
sign-on.

I am both an LDAP integrator, along with a shib w/ in-common and CAS
integrator. But, I do not fully understand the grouper configuration details.
So any help is greatly appreciated.

Thanks,
<mailto:>
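
An added example, not part of the thread and not Grouper's own code: a small Python check that reads a grouper.properties and reports which subjects are auto-created into the wheel (admin) group, using only the keys quoted in Erik's message. The second autocreate group in the sample and the comma-separated subjects list are assumptions made for illustration.

```python
import re

# Constructed sample: the grouper.properties lines quoted in the thread,
# plus one hypothetical autocreate group that is not the wheel group.
SAMPLE = """\
# constructed sample
groups.wheel.use = true
groups.wheel.group = etc:sysadmingroup
configuration.autocreate.group.name.0 = etc:sysadmingroup
configuration.autocreate.group.description.0 = Grouper Service Admins
configuration.autocreate.group.subjects.0 = ecc
configuration.autocreate.group.name.1 = app:helpdesk
configuration.autocreate.group.subjects.1 = alice, bob
"""

def parse_properties(text):
    """Minimal 'key = value' parser; skips blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def wheel_bootstrap_subjects(props):
    """Return (wheel_group, subjects) auto-added to the wheel group.

    Returns (None, []) when the wheel group is disabled or not named.
    """
    if props.get("groups.wheel.use", "false").lower() != "true":
        return None, []
    wheel = props.get("groups.wheel.group")
    if not wheel:
        return None, []
    subjects = []
    for key, name in props.items():
        m = re.fullmatch(r"configuration\.autocreate\.group\.name\.(\d+)", key)
        if m and name == wheel:
            raw = props.get(f"configuration.autocreate.group.subjects.{m.group(1)}", "")
            # Assumption: several subjects are given as a comma-separated list.
            subjects += [s.strip() for s in raw.split(",") if s.strip()]
    return wheel, sorted(set(subjects))

if __name__ == "__main__":
    group, subs = wheel_bootstrap_subjects(parse_properties(SAMPLE))
    print(f"wheel group: {group}; bootstrapped admins: {subs}")
```

Running it against the deployed file before each release shows whether an evaluation-time admin bootstrap is still present in the configuration.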


