grouper-users - Re: [grouper-users] RE: Grouper Newbie - LDAP integration
Subject: Grouper Users - Open Discussion List
Re: [grouper-users] RE: Grouper Newbie - LDAP integration
- From: Duane Booher <>
- To: "Redman, Chad" <>, "Coleman, Erik C" <>, "" <>
- Subject: Re: [grouper-users] RE: Grouper Newbie - LDAP integration
- Date: Thu, 25 Oct 2018 15:16:46 +0000
- Accept-language: en-US
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
Thank you for all of the responses on this. Nothing is too basic this at this point and I’m planning on experimenting with some of these configuration files.
From: "Redman, Chad" <>
It kind of sounds like what you are asking about is just the normal setup that most people have, so here is just a very brief overview of the various aspects.
The subjects "database" points to one or more external SQL or LDAP sources. You would configure that in a combination of the subject.properties and the grouper-loader.properties files. Once you have that working (use the Miscellaneous -> Subject API Diagnostics to test it out) you can simply start assigning subjects to groups. Grouper will query the external sources as needed to get the subject information.
The "sync" between LDAP and Grouper are two different things. Data coming into Grouper will be set up in loader jobs. You can set up a single group to import, or a utility group that can keep a whole set of groups up to date with the source system. Data coming out of Grouper will be set up with either PSPNG, or other provisioner modules for different targets. Where they get provisioned depends on attributes set on the group. For example, in your original description, you may be publishing certain groups to LDAP, into the groups OU instead of the People OU. The cn for the LDAP group may or may not be the Grouper path, and the members field may be the constructed Dn values of all the members in the group.
The SSO setup instructions at the moment seems hard to find. Dead ends in the Wiki? In the meantime, setting up for external SSO is essentially:
- remove from web.xml the <security-constraint>, <login-config>, and <security-role> nodes
- before you enable SSO, make sure you don't get locked out since you won't be able to use GrouperSystem anymore; set groups.wheel.use = true, and add yourself to the etc:sysadmingroup group
- set up Apache as a normal Shibboleth SP
- if what Apache sets as REMOTE_USER is not your subject id, you can set in grouper-ui.properties a value for grouper.ui.authentication.http.header, to use eppn for example
- if you do have an alternate header identifier, it helps to set the subject.properties "searchSubjectByIdentifier" filter to include it so it can pull up the subject data from it
* - e.g. subjectApi.source.xxx.search.searchSubjectByIdentifier.param.filter.value = (&(|(uid=%TERM%)(eduPersonPrincipalName=%TERM%))(objectclass=Person))
- many things could go wrong; look in the grouper log files as a first step
I hope that's not too basic :)
On Behalf Of Duane Booher
Hi Erik, thanks for the info. I will look at the examples that you have provided.
I’m not using the TIER grouper containers, instead I’m using the grouper installer option via: java -jar grouperInstaller.jar
When I look at the grouper loader, my understanding (which may be incorrect) is that it uses a cron based approach for syncing between LDAP and grouper? I was hoping for a direct grouper LDAP connection, where grouper would connect to LDAP and get the necessary user id’s from ou=people (this would be a step1a on my list). Then as a group is created/maintained then I was hoping that grouper would also store the group membership also back into LDAP (this would be step2b on my list). I understand that grouper uses a database, so some of these lookups and persistence may be maintained in the grouper database.
In general, I’m having a hard time with this part of the configuration. I’m carefully looking at all of the relevant grouper technical configuration documentation for customizing my grouper/LDAP connection. So if you have any additional grouper links, then that would be great.
From: <> on behalf of "Coleman, Erik C" <>
We basically approached the same way with our eval—swinging over one-by-one to our LDAP, then to our Shib, then to our own database instance. Are you using the Grouper Demo Docker containers?
With 2.4, all of your LDAP connections are specified in grouper-loader.properties, so you simply need to change the parameters in there to point to your enterprise LDAP. Change subject.properties in order to point to where your identities (subjects) live in that LDAP. Then you can throw out the LDAP container.
For Shib, you’ll want to upload your own shibboleth2.xml as well as the appropriate sp-key.pem and sp-cert.pem to the Grouper UI container, with settings as you would for any SP configured to connect to your IDP. Then you can throw out the supplied IDP container.
As a tip, I found it more convenient to bootstrap me in the wheel group so that I have admin access, this is in grouper.properties, which should also go into the Grouper containers:
groups.wheel.use = true
groups.wheel.group = etc:sysadmingroup
configuration.autocreate.group.name.0 = etc:sysadmingroup
configuration.autocreate.group.description.0 = Grouper Service Admins
configuration.autocreate.group.subjects.0 = ecc
That’s glossing over many of the specific details, but should give you an idea.
On Behalf Of Duane Booher
Hello, I am doing a quick grouper 2.4 evaluation and I have it running on both my personal workstation (Mac Os X) and a redhat 6 server. In both cases I used the grouper installer with the default demo processes. Then I migrated the grouper-ui and grouper-ws applications over to a seperate tomcat container. I am still running the remaining processes out of the installer folder, such as the demo hsqldb, daemon, etc. I have been following the Grouper Deployment Guide, however things are still fuzzy to me.
I have two immediate goals and I hope the community can point me in the right direction:
1) I would now like to connect grouper up with our LDAP for both user lookup and for integration with groups stored in LDAP.
2) I would like to connect the grouper login to our shibboleth/SAML single sign-on.
I am both a LDAP integrator, along with a shib w/ in-common and CAS integrator. But, I do not fully understand the grouper configuration details. So any help is greatly appreciated.
- Re: [grouper-users] RE: Grouper Newbie - LDAP integration, Duane Booher, 10/24/2018
- RE: [grouper-users] RE: Grouper Newbie - LDAP integration, Hyzer, Chris, 10/24/2018
- Re: [grouper-users] RE: Grouper Newbie - LDAP integration, Carl Waldbieser, 10/24/2018
- Re: [grouper-users] RE: Grouper Newbie - LDAP integration, Bill Thompson, 10/24/2018
- RE: [grouper-users] RE: Grouper Newbie - LDAP integration, Redman, Chad, 10/24/2018
- Re: [grouper-users] RE: Grouper Newbie - LDAP integration, Duane Booher, 10/25/2018
Archive powered by MHonArc 2.6.19.