Follow the steps below if you would like the Grouper Provisioning Services Provider (PSP) to provision group and group membership information from Grouper to LDAP. Usually this deployment configuration is done to provision to the same LDAP in which the COmanage LDAP Provisioner Plugin is provisioning person records.

  1. Verify that your LDAP server includes the eduMember schema (the eduMember object class and the isMemberOf and hasMember attribute types).
     
  2. Review the COmanage LDAP Provisioner Plugin configuration and confirm that it is not configured to provision group and group membership information. The eduMember and groupOfNames object classes should not be enabled.
     
  3. Edit the COmanage LDAP Provisioner Plugin configuration to add "eduMember" in the "Additional Person Object Classes" text box.
     
  4. In the Grouper deployment create the file /opt/grouper/grouper.apiBinary-2.2.2/conf/ldap.properties with the following contents. Be sure to adjust the values appropriately for your deployment:

    # LDAP connection URL
    edu.vt.middleware.ldap.ldapUrl=

    edu.vt.middleware.ldap.searchScope=SUBTREE

    # LDAP bind DN and password for user with write access
    edu.vt.middleware.ldap.bindDn=
    edu.vt.middleware.ldap.bindCredential=

    edu.vt.middleware.ldap.authtype=simple

    # Use ssl=true for ldaps:// and tls=true for StartTLS with ldap://
    edu.vt.middleware.ldap.ssl=true
    edu.vt.middleware.ldap.tls=false

    edu.vt.middleware.ldap.pool.minPoolSize = 2
    edu.vt.middleware.ldap.pool.maxPoolSize = 5
    edu.vt.middleware.ldap.pagedResultsSize=0

    # Overall base DN
    edu.vt.middleware.ldap.baseDn=

    # Base DN into which groups will be provisioned
    edu.internet2.middleware.psp.groupsBaseDn=

    # Base DN where person records can be found
    edu.internet2.middleware.psp.peopleBaseDn=

    edu.internet2.middleware.psp.groupObjectClass=groupOfNames

    # Grouper stem with children to be provisioned. Leave blank for all stems
    edu.internet2.middleware.psp.baseStem=

    edu.internet2.middleware.psp.structure=bushy
    edu.internet2.middleware.psp.cnSourceAttributeID=extension
    edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.psp.ldap.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler

    # RDN attribute for person record. This should be coordinated with COmanage LDAP Provisioner Plugin configuration
    edu.internet2.middleware.psp.rdn=employeeNumber

    # ID of the Grouper subject source for COmanage found in sources.xml
    edu.internet2.middleware.psp.sourceID=COmanage_Humanities_Commons
    
  5. Download psp.xml, psp-internal.xml, psp-resolver.xml, psp-services.xml, and psp-vt-ldap-1.xml and put them into /opt/grouper/grouper.apiBinary-2.2.2/conf.
  6. Test the PSP configuration using GSH:

    cd /opt/grouper/grouper.apiBinary-2.2.2
    sudo -u tomcat6 ./bin/gsh.sh -psp -bulkCalc

    No data will be provisioned, but you should see an XML representation of the objects the PSP computed based on the configuration and the current state of Grouper.

  7. Run a full bulk synchronization using GSH:

    cd /opt/grouper/grouper.apiBinary-2.2.2
    sudo -u tomcat6 ./bin/gsh.sh -psp -bulkSync

    If all objects (groups and memberships) provision correctly you should see an XML parent element in the output from the bulkSync command like this:

    <psp:bulkSyncResponse xmlns:psp='http://grouper.internet2.edu/psp' status='success' requestID='2016/04/28-17:52:14.567'>
  8. Edit the file /opt/grouper/grouper.apiBinary-2.2.2/conf/grouper-loader.properties and add the following:

    changeLog.changeLogTempToChangeLog.quartz.cron = 0/10 * * * * ?
    changeLog.consumer.psp.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
    changeLog.consumer.psp.quartzCron = 5/10 * * * * ?
    changeLog.consumer.psp.retryOnError = true
    changeLog.psp.fullSync.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
    changeLog.psp.fullSync.quartzCron = 0 0 5 * * ?

    This will configure the Grouper loader daemon to use the PSP for "real time" provisioning of groups and memberships from Grouper to LDAP.

  9. Test the Grouper loader daemon configuration by running

    cd /opt/grouper/grouper.apiBinary-2.2.2
    sudo -u tomcat6 ./bin/gsh.sh -loader

    Leave the process running and then use the COmanage Registry to create a test group and add a person to the group. Within 15 seconds you should see that the COmanage Grouper Provisioner has provisioned the group and membership to Grouper and then the Grouper PSP/loader has provisioned the group and membership from Grouper to LDAP.

  10. Stop the current Grouper loader process (Ctrl+c).

  11. Create a directory for the Grouper loader process PID file:

    mkdir /var/run/grouper_loader
    chown tomcat6 /var/run/grouper_loader
  12. Download grouper_loader.sh and put it into /opt/grouper/grouper.apiBinary-2.2.2/bin/. Be sure to make the file executable:

    cp grouper_loader.sh /opt/grouper/grouper.apiBinary-2.2.2/bin/
    chmod 755 /opt/grouper/grouper.apiBinary-2.2.2/bin/grouper_loader.sh
  13. Download the init script grouper_loader (Debian/Ubuntu) and put it into /etc/init.d/. Be sure to make the file executable:

    cp grouper_loader /etc/init.d/
    chmod 755 /etc/init.d/grouper_loader
  14. Configure the init script to be run at system boot time:

    update-rc.d grouper_loader defaults
  15. Start the Grouper loader process:

    /etc/init.d/grouper_loader start
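The ldap.properties file from step 4 holds a bind DN with write access to the directory and its cleartext password, so two things are worth checking before the loader runs unattended: that the URL scheme and the ssl/tls settings agree (an ldap:// URL with both ssl and tls false sends that password in the clear on every simple bind), and that the file is readable only by its owner. The following checker is an added example, not part of the Grouper or COmanage projects; the property keys are the ones in step 4, the sample files are constructed, and the 0o077 permission mask is an assumption about what "private enough" means for the tomcat6 account that owns the file.

```python
from pathlib import Path
from urllib.parse import urlsplit

URL, SSL, TLS = ("edu.vt.middleware.ldap." + k for k in ("ldapUrl", "ssl", "tls"))
# Keys from the step 4 ldap.properties that must not be left blank for provisioning to work.
REQUIRED = [URL] + ["edu.vt.middleware.ldap." + k for k in ("bindDn", "bindCredential", "baseDn")] \
    + ["edu.internet2.middleware.psp." + k for k in ("groupsBaseDn", "peopleBaseDn", "sourceID")]

def parse_properties(text):
    """Minimal Java .properties parser: 'key=value' or 'key = value'; '#' and '!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_ldap_properties(text):
    """Return a list of findings; an empty list means every check passed."""
    props = parse_properties(text)
    findings = [f"{k} is empty or missing" for k in REQUIRED if not props.get(k)]
    scheme = urlsplit(props.get(URL, "")).scheme.lower()
    ssl = props.get(SSL, "false").lower() == "true"
    tls = props.get(TLS, "false").lower() == "true"
    if scheme == "ldaps" and not ssl:
        findings.append("ldaps:// URL requires ssl=true")
    if scheme == "ldap" and ssl:
        findings.append("ssl=true needs an ldaps:// URL; use tls=true for StartTLS on ldap://")
    if scheme == "ldap" and not (ssl or tls):
        findings.append("ldap:// with no TLS: the simple bind would send the password in clear")
    return findings

def credential_file_is_private(path):
    """ldap.properties holds a write-capable bind password: only its owner may read it (assumed policy)."""
    return (Path(path).stat().st_mode & 0o077) == 0

# Constructed sample, not a real deployment: a correct file and one that fails the checks.
SAMPLE_OK = """\
edu.vt.middleware.ldap.ldapUrl=ldaps://ldap.example.org:636
edu.vt.middleware.ldap.bindDn=cn=grouper,dc=example,dc=org
edu.vt.middleware.ldap.bindCredential=constructed-secret
edu.vt.middleware.ldap.ssl=true
edu.vt.middleware.ldap.baseDn=dc=example,dc=org
edu.internet2.middleware.psp.groupsBaseDn=ou=groups,dc=example,dc=org
edu.internet2.middleware.psp.peopleBaseDn=ou=people,dc=example,dc=org
edu.internet2.middleware.psp.sourceID=COmanage_Humanities_Commons
"""
SAMPLE_BAD = (SAMPLE_OK.replace("ldaps://ldap.example.org:636", "ldap://ldap.example.org")
              .replace("ldap.ssl=true", "ldap.ssl=false").replace("constructed-secret", ""))
```

Run check_ldap_properties on the real file's contents and credential_file_is_private on its path before step 15; SAMPLE_BAD reports both an empty bindCredential and a cleartext bind.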
