Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] RE: Grouper Newbie - LDAP integration

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] RE: Grouper Newbie - LDAP integration

Chronological Thread 
  • From: Carl Waldbieser <>
  • To: Duane Booher <>
  • Cc: grouper-users <>
  • Subject: Re: [grouper-users] RE: Grouper Newbie - LDAP integration
  • Date: Wed, 24 Oct 2018 15:10:07 -0400 (EDT)
  • Ironport-phdr: 9a23:FVtljBSH7utOT84Agt7/cT7Oktpsv+yvbD5Q0YIujvd0So/mwa6ybReN2/xhgRfzUJnB7Loc0qyK6/+mATRIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSizexfbF/IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbDVwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4rx1QxH0ligIKz858HnWisNuiqJbvAmhrAF7z4LNfY2ZKOZycqbbcNgHR2ROQ9xRWjRPDI28cYUBDOgOPehFoYbyu1QAohq+Cw6wBO701j9In2P50bEg3ug9EwzL2hErEdIUsHTTqdX4LLkfXvqvzKnM0D7Mb+lZ2TPg54fTcxAuv+qMUqxqccHMzkQuGRnKjlGNpoP+PjOayPgCvnOf7+V6W+KgkW4mpB9tojiz2MggkJfGiZ8Iyl3d8yhy3Yg7Jdq9SEFhYN6kFoNdty6AN4txX8MiW3tkuCAgxb0Dp5G2ejUBxpc/xxPHdvCKfYyF7gj+WOueIzp0nm9pdK+lixqv/kWtyPXwWtS63VtOtCZJj9bBu3IX2xDO6sWLUOVx8lu81TqXygze5OVJLVopmafUKZMt2KM8mocJvUjeECL6hkP7h7KMeEo+4Oin8eHnb63mppCCM490jRnzMqEymsOlA+k0KAwOUHKV+eum1Lzs41H5QKlUgfEsjKbWrY3aKdwapq6/HQBVzp4u5wuxAjqiytgUgHYKIVBfdB6akoTlIUzCLf/6APunhlSjijZrx/TIPr37BZXNK2DOkbn7crZ59kFT0wszws5D6J9PDrEOOvzzVVXxtdPGEh85LxK7z/z5B9pgy4MSQXiPDbOBMKPOrV+I4foiI+aWZI8SpTb9M+Yq5+T3gX8kgl8SY7Op3YAMZXC8H/RmOFmZYWHyjtsbEGcKuBY+Q/LwiF2ETzFTe2i+U7gi6T4mFYL1RbvEE6ywibqMlA28GZ1bfCgSJk2FF3quXYKDW/oWQCSbP4lsniFSBpa7TIp0/hi0sEfFwr5rJOvZ4SAC/cb83dx57ezenjk2/DJ9HsmBz2zLQm1pyDBbDwQq1bxy9BQugmyI1rJ11rkBTYRe


There is a difference between loading memberships and subjects.
Memberships are loaded with the Grouper Loader, and they may be cron-like.
Subjects come from a subject source (like LDAP or a RDBMS), and they are
utilized in a more or less instantaneous fashion. If you add a subject to
your subject source, it immediately becomes available to Grouper.

Carl Waldbieser
ITS Identity Management
Lafayette College

----- Original Message -----
From: "Duane Booher"
To: "Coleman, Erik C"
Sent: Wednesday, October 24, 2018 1:46:16 PM
Subject: Re: [grouper-users] RE: Grouper Newbie - LDAP integration

Hi Erik, thanks for the info. I will look at the examples that you have

I’m not using the TIER grouper containers, instead I’m using the grouper
installer option via: java -jar grouperInstaller.jar

When I look at the grouper loader, my understanding (which may be incorrect)
is that it uses a cron based approach for syncing between LDAP and grouper? I
was hoping for a direct grouper LDAP connection, where grouper would connect
to LDAP and get the necessary user id’s from ou=people (this would be a
step1a on my list). Then as a group is created/maintained then I was hoping
that grouper would also store the group membership also back into LDAP (this
would be step2b on my list). I understand that grouper uses a database, so
some of these lookups and persistence may be maintained in the grouper

In general, I’m having a hard time with this part of the configuration. I’m
carefully looking at all of the relevant grouper technical configuration
documentation for customizing my grouper/LDAP connection. So if you have any
additional grouper links, then that would be great.


on behalf of "Coleman, Erik C"
Date: Tuesday, October 23, 2018 at 12:16 PM

Subject: [grouper-users] RE: Grouper Newbie - LDAP integration


We basically approached the same way with our eval—swinging over one-by-one
to our LDAP, then to our Shib, then to our own database instance. Are you
using the Grouper Demo Docker containers?

With 2.4, all of your LDAP connections are specified in, so you simply need to change the parameters in
there to point to your enterprise LDAP. Change in order to
point to where your identities (subjects) live in that LDAP. Then you can
throw out the LDAP container.

For Shib, you’ll want to upload your own shibboleth2.xml as well as the
appropriate sp-key.pem and sp-cert.pem to the Grouper UI container, with
settings as you would for any SP configured to connect to your IDP. Then you
can throw out the supplied IDP container.

As a tip, I found it more convenient to bootstrap me in the wheel group so
that I have admin access, this is in, which should also go
into the Grouper containers:

groups.wheel.use = true = etc:sysadmingroup = etc:sysadmingroup = Grouper Service Admins = ecc

That’s glossing over many of the specific details, but should give you an



On Behalf Of Duane Booher
Sent: Tuesday, October 23, 2018 10:20 AM

Subject: [grouper-users] Grouper Newbie - LDAP integration

Hello, I am doing a quick grouper 2.4 evaluation and I have it running on
both my personal workstation (Mac Os X) and a redhat 6 server. In both cases
I used the grouper installer with the default demo processes. Then I migrated
the grouper-ui and grouper-ws applications over to a seperate tomcat
container. I am still running the remaining processes out of the installer
folder, such as the demo hsqldb, daemon, etc. I have been following the
Grouper Deployment Guide, however things are still fuzzy to me.

I have two immediate goals and I hope the community can point me in the right

1) I would now like to connect grouper up with our LDAP for both user lookup
and for integration with groups stored in LDAP.

2) I would like to connect the grouper login to our shibboleth/SAML single

I am both a LDAP integrator, along with a shib w/ in-common and CAS
integrator. But, I do not fully understand the grouper configuration details.
So any help is greatly appreciated.


Archive powered by MHonArc 2.6.19.

Top of Page