Exported from Confluence, Thu, 28 Mar 2024
Many components of Grouper may optionally access LDAP
In Grouper 2.3, #1-3 above used vt-ldap and #4 used ldaptive. In Grouper 2.4, all of the above use ldaptive. In Grouper 2.4, #1-3 share a common configuration in grouper-loader.properties, behind an abstraction layer that makes any future LDAP library migration much easier. #4 still uses the separate configuration it had in Grouper 2.3, but will migrate to the common configuration in the future.
Note that the migration to ldaptive is being done because vt-ldap is no longer supported and has been deprecated for a long time.
The following LDAP settings in subject.properties are no longer used in Grouper 2.4; the LDAP connection is configured in grouper-loader.properties instead:
INITIAL_CONTEXT_FACTORY
PROVIDER_URL
SECURITY_AUTHENTICATION
SECURITY_PRINCIPAL
SECURITY_CREDENTIALS
subjectApi.source.*.param.ldapProperties_file.value (subject.properties no longer uses external property sources; this can be migrated to grouper-loader.properties)
VTLDAP_* (pooling config, migrated to grouper-loader.properties)
Instead you must specify a new property in subject.properties. "example" should be replaced with the name of your source, and "personLdap" with the ID of your LDAP connection in grouper-loader.properties (the string after "ldap." in that connection's keys):

subjectApi.source.example.param.ldapServerId.value = personLdap
If you have trouble using the new ldaptive based subject source, you can revert to the vt-ldap based subject source used in Grouper 2.3 by using this configuration in subject.properties. Treat this as a temporary workaround, since vt-ldap is deprecated and unsupported, and inform the Grouper developers via Jira or email in case a fix is needed.

subjectApi.source.example.adapterClass = edu.internet2.middleware.subject.provider.LdapSourceAdapterLegacy
If you have trouble using ldaptive elsewhere, you can revert back to vt-ldap using this configuration in grouper.properties. Again, treat this as a temporary workaround and inform the Grouper developers via Jira or email in case a fix is needed.

ldap.implementation.className = edu.internet2.middleware.grouper.ldap.vtldap.VTLdapSessionImpl
The following grouper-loader.properties settings apply to the subject API, loader, and web services.
#################################
## LDAP connections #################################
# specify the ldap connection with user, pass, url
# the string after "ldap." is the ID of the connection, and it should not have
# spaces or other special chars in it. In this case it is "personLdap"
#note the URL should start with ldap: or ldaps: if it is SSL.
#It should contain the server and port (optional if not default), and baseDn,
#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
#ldap.personLdap.url = ldaps://ldapserver.school.edu:636/dc=school,dc=edu

# load this ldaptive config file before the configs here. load from classpath
#ldap.personLdap.configFileFromClasspath = ldap.personLdap.properties

#optional, if authenticated
#ldap.personLdap.user = uid=someapp,ou=people,dc=myschool,dc=edu

#optional, if authenticated, note the password can be stored encrypted in an external file
#ldap.personLdap.pass = secret

#optional, if you are using tls (StartTLS), set this to true. Generally you will not be using an SSL (ldaps:) URL to use TLS...
#ldap.personLdap.tls = false

#optional, if using sasl
#ldap.personLdap.saslAuthorizationId =
#ldap.personLdap.saslRealm =

#optional (note, time limit is for search operations, timeout is for connection timeouts),
#most of these default to ldaptive defaults. times are in millis
#validateOnCheckout defaults to true if all other validate methods are false
#ldap.personLdap.batchSize =
#ldap.personLdap.countLimit =
#ldap.personLdap.timeLimit =
#ldap.personLdap.timeout =
#ldap.personLdap.minPoolSize =
#ldap.personLdap.maxPoolSize =
#ldap.personLdap.validateOnCheckIn =
#ldap.personLdap.validateOnCheckOut =
#ldap.personLdap.validatePeriodically =
#ldap.personLdap.validateTimerPeriod =
#ldap.personLdap.pruneTimerPeriod =

# if there is a max size limit on ldap server, then this will retrieve results in pages
#ldap.personLdap.pagedResultsSize =

# set to 'follow' if using AD and using paged results size and need this for some reason (generally you shouldn't)
#ldap.personLdap.referral =

# validator setup, currently supports CompareLdapValidator and SearchValidator. additional properties below for CompareLdapValidator.
ldap.personLdap.validator = SearchValidator
#ldap.personLdap.validator = CompareLdapValidator
#ldap.personLdap.validatorCompareDn = ou=people,dc=example,dc=com
#ldap.personLdap.validatorCompareAttribute = ou
#ldap.personLdap.validatorCompareValue = people

# comma-delimited list of classes to process LDAP search results. Useful if AD returns a ranged attribute for large
# groups (e.g., member;range=0-1499); include the GrouperRangeEntryHandler to handle progressive fetching.
#ldap.personLdap.searchResultHandlers=org.ldaptive.handler.DnAttributeEntryHandler,edu.internet2.middleware.grouper.ldap.ldaptive.GrouperRangeEntryHandler

# comma-delimited list of result codes (org.ldaptive.ResultCode) to ignore, e.g. TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS
#ldap.personLdap.searchIgnoreResultCodes=SIZE_LIMIT_EXCEEDED
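As an added example, not part of this page or of Grouper itself, the following Python script reads the grouper-loader.properties LDAP connection settings above together with the subject.properties ldapServerId mapping described earlier, and reports what a security review of the migration looks for: an ldap:// URL with tls left at false while a bind user and password are configured (the bind DN and password then cross the wire in the clear), a bind password kept inline rather than encrypted in an external file, referral=follow, a URL without a baseDn, subject sources that still carry the removed Grouper 2.3 parameters (INITIAL_CONTEXT_FACTORY, PROVIDER_URL, SECURITY_*, ldapProperties_file, VTLDAP_*), and an ldapServerId that names no ldap.<id>.* connection. The embedded sample properties are constructed; the hostnames, DNs, source names, the VTLDAP_minPoolSize parameter name and the severity labels are assumptions, and the properties parser is a simplified one (no line continuations).

```python
"""Audit Grouper 2.4 LDAP settings: connections in grouper-loader.properties and the
subject.properties sources that reference them. Added example, not Grouper code."""
import re
from collections import namedtuple
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "severity target code detail")
# subject.properties parameters the page says are no longer read in Grouper 2.4
REMOVED_SUBJECT_PARAMS = {"INITIAL_CONTEXT_FACTORY", "PROVIDER_URL", "SECURITY_AUTHENTICATION",
                          "SECURITY_PRINCIPAL", "SECURITY_CREDENTIALS", "ldapProperties_file"}
LEGACY_ADAPTER = "edu.internet2.middleware.subject.provider.LdapSourceAdapterLegacy"

# Constructed sample files: hosts, DNs, source names and VTLDAP_minPoolSize are made up.
GROUPER_LOADER_PROPERTIES = """\
ldap.personLdap.url = ldaps://ldapserver.school.edu:636/dc=school,dc=edu
ldap.personLdap.user = uid=someapp,ou=people,dc=school,dc=edu
ldap.personLdap.pass = secret
ldap.personLdap.validator = SearchValidator
ldap.adLdap.url = ldap://ad.school.edu
ldap.adLdap.user = cn=grouper,ou=svc,dc=school,dc=edu
ldap.adLdap.pass = secret2
ldap.adLdap.tls = false
ldap.adLdap.referral = follow
"""
SUBJECT_PROPERTIES = """\
subjectApi.source.example.param.ldapServerId.value = personLdap
subjectApi.source.ad.param.ldapServerId.value = adDirectory
subjectApi.source.ad.param.PROVIDER_URL.value = ldap://ad.school.edu
subjectApi.source.ad.param.VTLDAP_minPoolSize.value = 2
subjectApi.source.old.adapterClass = edu.internet2.middleware.subject.provider.LdapSourceAdapterLegacy
subjectApi.source.old.param.INITIAL_CONTEXT_FACTORY.value = com.sun.jndi.ldap.LdapCtxFactory
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key then '=' / ':' / space, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def ldap_connections(loader_props):
    """Group ldap.<id>.<setting> keys by connection ID (the string after 'ldap.')."""
    conns = {}
    for key, value in loader_props.items():
        parts = key.split(".", 2)
        if len(parts) == 3 and parts[0] == "ldap":
            conns.setdefault(parts[1], {})[parts[2]] = value
    return conns


def audit_ldap_connections(loader_props):
    # Transport and credential checks for each ldap.<id>.* block
    findings = []
    for cid, cfg in sorted(ldap_connections(loader_props).items()):
        parsed = urlsplit(cfg.get("url", ""))
        scheme = parsed.scheme.lower()
        starttls = cfg.get("tls", "false").lower() == "true"
        has_bind = bool(cfg.get("user") or cfg.get("pass"))
        if scheme not in ("ldap", "ldaps"):
            findings.append(Finding("ERROR", cid, "bad-scheme", "url must start with ldap: or ldaps:, got %r" % cfg.get("url", "")))
        elif scheme == "ldap" and not starttls:
            findings.append(Finding("ERROR" if has_bind else "WARN", cid, "cleartext",
                                    "ldap:// without tls=true" + ("; bind DN and password cross the wire unencrypted" if has_bind else "")))
        if scheme in ("ldap", "ldaps") and not parsed.path.strip("/"):
            findings.append(Finding("WARN", cid, "missing-basedn", "URL should end with the baseDn, e.g. /dc=school,dc=edu"))
        if cfg.get("pass"):
            findings.append(Finding("INFO", cid, "inline-password", "bind password stored in grouper-loader.properties; it can be kept encrypted in an external file"))
        if cfg.get("referral", "").lower() == "follow":
            findings.append(Finding("WARN", cid, "referral-follow", "referral=follow is rarely needed, even with AD paged results"))
    return findings


def audit_subject_sources(subject_props, loader_props):
    # Check each subjectApi.source.<name>.* block against the 2.4 migration rules
    conns, sources, findings = ldap_connections(loader_props), {}, []
    for key, value in subject_props.items():
        m = re.match(r"subjectApi\.source\.([^.]+)\.(.+)", key)
        if m:
            sources.setdefault(m.group(1), {})[m.group(2)] = value
    for sid, cfg in sorted(sources.items()):
        server_id = cfg.get("param.ldapServerId.value")
        removed = sorted(p for p in REMOVED_SUBJECT_PARAMS if "param.%s.value" % p in cfg)
        removed += sorted(k.split(".")[1] for k in cfg if k.startswith("param.VTLDAP_"))
        if cfg.get("adapterClass") == LEGACY_ADAPTER:
            findings.append(Finding("INFO", sid, "legacy-adapter", "vt-ldap fallback in use; vt-ldap is deprecated, report the ldaptive problem to the Grouper developers"))
        elif server_id or removed:  # anything else is not an LDAP source
            if removed:
                findings.append(Finding("WARN", sid, "removed-params", "not read in 2.4, move to grouper-loader.properties: " + ", ".join(removed)))
            if server_id not in conns:
                findings.append(Finding("ERROR", sid, "unknown-ldapServerId", "ldapServerId %r has no ldap.<id>.* block in grouper-loader.properties" % server_id))
    return findings


if __name__ == "__main__":
    loader = parse_properties(GROUPER_LOADER_PROPERTIES)
    for f in audit_ldap_connections(loader) + audit_subject_sources(parse_properties(SUBJECT_PROPERTIES), loader):
        print("%-5s %-12s %-20s %s" % f)
```

Run as a script it prints the findings for the embedded samples; to audit a real deployment, pass the contents of your own grouper-loader.properties and subject.properties to parse_properties instead. The cleartext check is deliberately an ERROR only when a bind identity is configured, since an anonymous ldap:// search leaks directory data but not a credential.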