As of Grouper 2.1, LDAPPCNG has been replaced by the Provisioning Service Provider (PSP).
LDAPPCNG provisions group and membership information contained in the Groups Registry to an LDAP directory service.
This page covers installation and usage. Overview and general documentation, including an example, are on a separate page.
Download the LDAPPCNG binary provisioning plugin for Grouper and expand it.
Copy the contents of the expanded package to your Grouper API directory. Configuration files are in the conf directory and java libraries are in lib/custom.
LDAPPCNG is run using GrouperShell (gsh).
For example, to maintain provisioning, polling every 60 seconds for changes:
bin/gsh.sh -ldappcng -bulkSync -interval 60
One of -bulkCalc, -bulkDiff, -bulkSync, -calc <id>, -diff <id>, or -sync <id> must be specified. All other arguments are optional.
Key | Value | Description
---|---|---
no arguments | | Display usage.
-bulkCalc | | Calculate provisioning for all identifiers.
-bulkDiff | | Determine provisioning difference for all identifiers.
-bulkSync | | Synchronize provisioning for all identifiers.
-calc <id> | identifier | Calculate provisioning for an identifier.
-diff <id> | identifier | Determine provisioning difference for an identifier.
-sync <id> | identifier | Synchronize provisioning for an identifier.
-entityName <id> | entity identifier | Provisioned object id. For example, group, member, etc.
-interval <seconds> | seconds | Number of seconds between the start of recurring provisioning iterations. If omitted, only one provisioning cycle is performed.
-lastModifyTime <id> | yyyy-MM-dd[_hh:mm:ss] | Select objects changed since this time.
-conf <dir> | path to configuration files | Configuration directory.
-logSpml | | Log SPML requests and responses.
-output <file> | file | Print SPML responses to Output file. Default: STDOUT.
-printRequests | | Print SPML requests as well as responses.
-requestID <id> | request id | SPML request identifier.
-returnData | | Return data (identifier and attributes).
-returnEverything | | Return everything (identifier, attributes, and references).
-returnIdentifier | | Return identifier only.
-targetID <id> | target id | Target ID.
Configuration files should be located on the Java classpath. The configuration directory contains the following files, listed here by purpose:

- Shibboleth Attribute Resolver
- Shibboleth Attribute Resolver
- Shibboleth Attribute Resolver
- VT Ldap connector
- LDAPPCNG
- Macro replacement
By default, macros of the form ${name} in ldappcng.xml will be replaced by their corresponding values in ldappc.properties.
Files prefixed with ldappc may also be used by ldappc.
The ldappcng.xml file defines provisioned targets, objects, identifiers, attributes, and references.
<ldappc xmlns="http://grouper.internet2.edu/ldappc"
        xmlns:ldappc="http://grouper.internet2.edu/ldappc"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://grouper.internet2.edu/ldappc classpath:/schema/ldappc.xsd">
  <targets id="LDAP">
    <target id="ldap" provider="ldap-provider" />
    <object id="stem">
      <identifier ref="stem-dn" baseId="${groupsOU}">
        <identifyingAttribute name="objectclass" value="organizationalUnit" />
      </identifier>
      <attribute name="objectClass" ref="stem-objectclass" />
      <attribute name="ou" ref="stem-ou" />
      <attribute name="description" ref="stem-description" />
    </object>
    <object id="group" authoritative="true">
      <identifier ref="group-dn" baseId="${groupsOU}">
        <identifyingAttribute name="objectClass" value="${groupObjectClass}" />
      </identifier>
      <attribute name="objectClass" ref="group-objectclass-eduMember" />
      <attribute name="cn" />
      <attribute name="description" />
      <attribute name="hasMember" ref="hasMember" />
      <attribute name="isMemberOf" ref="groupIsMemberOf" />
      <references name="member" emptyValue="" >
        <reference ref="members-jdbc" toObject="member" />
        <reference ref="members-g:gsa" toObject="group" />
      </references>
    </object>
    <object id="member">
      <identifier ref="member-dn" baseId="${peopleOU}">
        <identifyingAttribute name="objectclass" value="person" />
      </identifier>
      <attribute name="objectClass" ref="member-objectclass" retainAll="true" />
      <attribute name="isMemberOf" ref="memberIsMemberOf" />
    </object>
  </targets>
</ldappc>
The targets element allows more than one target to be provisioned using the same configuration. This may be useful, for example, when provisioning a production and test environment identically.
<targets id="ID" >
  <target ...
  <target ...
  <object ...
</targets>
attribute | description
---|---
id | Uniquely identifies a collection of targets.
A target contains objects. Each target requires a unique identifier and a provider identifier. Multiple target elements are allowed.
<target id="ID" provider="providerID" />
attribute | description
---|---
id | Unique identifier.
provider | Identifier of a provider defined in the attribute resolver services configuration.
For example, LDAPPCNG ships with an LDAP provider using the vt-ldap distribution.
<target id="ldap" provider="ldap-provider" />

<Service id="ldap-provider" xsi:type="ldappc:LdapPoolProvider" ldapPoolId="ldapPool">
  <ConfigurationResource file="/ldappc-ldap.xml" xsi:type="resource:ClasspathResource" />
</Service>
A provisioned object. For example, a group, member, stem, account, etc. An object consists of an identifier, attributes, and references.
<object id="ID">
  <identifier ...
  <attribute ...
  <references ...
</object>
attribute | description
---|---
id | Uniquely identifies the object per target.
All objects require a unique identifier. The value of the identifier is returned from the Shibboleth Attribute Resolver.
<identifier ref="REF" baseId="BASE">
  <identifyingAttribute ...
</identifier>
attribute | description
---|---
ref | The id of an attribute definition defined in the attribute resolver configuration.
baseId | The identifier of the container (the SPML2 containerID).
This element maps an object returned from a target provider to an object in the LDAPPCNG configuration. This is not specified anywhere in the SPML specification and is likely a candidate for improvement.
<identifyingAttribute name="NAME" value="VALUE" />
attribute | description
---|---
name | Attribute name.
value | Attribute value.
For example, an object returned from a target which has an attribute named "objectclass" with value "groupOfNames" will be identified as a "group" object.
<object id="group">
  <identifier ref="group-dn" baseId="ou=groups,dc=example,dc=edu">
    <identifyingAttribute name="objectClass" value="groupOfNames" />
  </identifier>
  ...
</object>
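The following Python is an added example, not code from this page or from the LDAPPCNG distribution. It ties together two things described above: the ${name} macro replacement from ldappc.properties into ldappcng.xml, and the identifyingAttribute mapping by which an entry read back from the target is recognised as a configured object. It also lints the expanded configuration for the mistakes that matter operationally: a reference whose toObject names an object that is not defined, an object with no identifier ref, a duplicate object id within one targets element, and a references element with no emptyValue (which the page says should be set when the LDAP attribute is MUST, such as member). The sample ldappcng.xml and ldappc.properties are constructed from the page's own example; the property values, DNs and ids are hypothetical, and the choice to fail on an undefined macro rather than expand it to an empty string is this example's, not necessarily LDAPPCNG's. The classification is deliberately case-insensitive, since LDAP attribute names and objectClass values are, and the page's example itself mixes "objectclass" and "objectClass".

```python
"""Added example (not LDAPPCNG's code): apply ldappc.properties macros to an
ldappcng.xml document, lint the result, and classify a directory entry the way
identifyingAttribute does.  Sample inputs are constructed from the page's
example; property values and ids are hypothetical."""
import re
import xml.etree.ElementTree as ET

NS = "http://grouper.internet2.edu/ldappc"


def T(tag):
    """Namespace-qualify a tag name for ElementTree lookups."""
    return "{%s}%s" % (NS, tag)


# Constructed sample ldappc.properties (hypothetical values).
SAMPLE_PROPERTIES = """\
# macros referenced as ${name} in ldappcng.xml
groupsOU=ou=groups,dc=example,dc=edu
peopleOU=ou=people,dc=example,dc=edu
groupObjectClass=groupOfNames
"""

# Constructed sample ldappcng.xml, trimmed from the page's example.
SAMPLE_CONFIG = """\
<ldappc xmlns="http://grouper.internet2.edu/ldappc">
  <targets id="LDAP">
    <target id="ldap" provider="ldap-provider" />
    <object id="group" authoritative="true">
      <identifier ref="group-dn" baseId="${groupsOU}">
        <identifyingAttribute name="objectClass" value="${groupObjectClass}" />
      </identifier>
      <attribute name="cn" />
      <references name="member" emptyValue="">
        <reference ref="members-jdbc" toObject="member" />
        <reference ref="members-g:gsa" toObject="group" />
      </references>
    </object>
    <object id="member">
      <identifier ref="member-dn" baseId="${peopleOU}">
        <identifyingAttribute name="objectclass" value="person" />
      </identifier>
      <attribute name="objectClass" ref="member-objectclass" retainAll="true" />
    </object>
  </targets>
</ldappc>
"""


def load_properties(text):
    """Parse key=value lines; '#' and '!' start comments, as in Java properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def expand_macros(text, props):
    """Replace each ${name} with its property.  An undefined macro raises rather
    than expanding to '', so a typo cannot silently provision into an empty baseId."""
    def repl(match):
        name = match.group(1)
        if name not in props:
            raise KeyError("undefined macro ${%s}" % name)
        return props[name]
    return re.sub(r"\$\{([^}]+)\}", repl, text)


def lint(config_xml):
    """Return the problems found in an already-expanded ldappcng.xml: duplicate
    object ids, objects without an identifier ref, references without an
    emptyValue, and reference/@toObject naming an object that does not exist."""
    root = ET.fromstring(config_xml)
    problems = []
    for targets in root.iter(T("targets")):
        objects = targets.findall(T("object"))
        ids = [o.get("id") for o in objects]
        for dup in sorted({i for i in ids if ids.count(i) > 1}):
            problems.append("duplicate object id %r in targets %r" % (dup, targets.get("id")))
        for obj in objects:
            oid = obj.get("id")
            ident = obj.find(T("identifier"))
            if ident is None or not ident.get("ref"):
                problems.append("object %r has no identifier ref" % oid)
            for refs in obj.findall(T("references")):
                if refs.get("emptyValue") is None:
                    problems.append("references %r on %r has no emptyValue" % (refs.get("name"), oid))
                for ref in refs.findall(T("reference")):
                    if ref.get("toObject") not in ids:
                        problems.append("reference %r on %r points at undefined object %r"
                                        % (ref.get("ref"), oid, ref.get("toObject")))
    return problems


def classify_entry(config_xml, entry):
    """Return the object id whose identifyingAttribute matches a directory entry
    (dict: attribute name -> list of values), or None.  LDAP attribute names and
    objectClass values are case-insensitive, and the page's own example mixes
    'objectclass' and 'objectClass', so the comparison is lower-cased."""
    root = ET.fromstring(config_xml)
    lowered = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    for obj in root.iter(T("object")):
        for ia in obj.iter(T("identifyingAttribute")):
            if ia.get("value", "").lower() in lowered.get(ia.get("name", "").lower(), []):
                return obj.get("id")
    return None
```

Run lint(expand_macros(open("ldappcng.xml").read(), load_properties(open("ldappc.properties").read()))) before a -bulkSync; an empty list means the references all resolve. A dangling toObject is worth catching early because the reference values are passed to the attribute resolver to be turned into identifiers, and an object that is never matched is simply not provisioned.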
A provisioned attribute. The value of the attribute is returned from the Shibboleth Attribute Resolver.
<attribute name="NAME" ref="REF" />
attribute | description
---|---
name | The name of the provisioned attribute.
ref | The id of an attribute definition defined in the attribute resolver configuration.
Defines references to other objects.
<references name="NAME" emptyValue="" >
  <reference ... />
</references>
attribute | description
---|---
name | The provisioned attribute name.
emptyValue | Optional. Defines the value of the provisioned attribute if no references are returned from the attribute resolver. This should be defined when provisioning a required (MUST) ldap attribute, such as "member" of an OpenLDAP directory.
Defines a reference to another object. The value is
<reference ref="REF" toObject="OBJECTID" />
attribute | description
---|---
ref | The id of an attribute definition defined in the attribute resolver configuration.
toObject | The id of the Provisioned Object referred to.
For example, the following configuration will return references to the identifiers of "member" objects for the attribute definition "members-jdbc", and references to the identifiers of "group" objects for the attribute definition "members-g:gsa".

The "members-jdbc" attribute's values will consist of the "id" attribute for every subject which is a member of a group's "members" attribute.

The "members-g:gsa" attribute's values will consist of the "name" attribute for every group which is a member of a group's "members" attribute.

The values of the "members-jdbc" and "members-g:gsa" attributes are passed to the attribute resolver to determine their identifiers.
<references name="member" emptyValue="" >
  <reference ref="members-jdbc" toObject="member" />
  <reference ref="members-g:gsa" toObject="group" />
</references>

<resolver:AttributeDefinition id="members-jdbc" xsi:type="grouper:Member" sourceAttributeID="members">
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="id" source="jdbc" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition id="members-g:gsa" xsi:type="grouper:Member" sourceAttributeID="members">
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" source="g:gsa" />
</resolver:AttributeDefinition>
To print to STDOUT the SPML representation of how an object should be provisioned:
>bin/gsh.sh -ldappcng -calc stem:groupName

<ldappc:calcResponse status='success' requestID='2010...QKUSL7CS' ... >
  <ldappc:id ID='stem:groupName'/>
  <ldappc:pso entityName='group'>
    <psoID ID='cn=stem:groupName,ou=groups,dc=example,dc=edu' targetID='ldap'/>
    <data>
      <dsml:attr name='objectClass' ... >
        <dsml:value>top</dsml:value>
        <dsml:value>groupOfNames</dsml:value>
        <dsml:value>eduMember</dsml:value>
      </dsml:attr>
      <dsml:attr name='cn' ... >
        <dsml:value>groupName</dsml:value>
      </dsml:attr>
      <dsml:attr name='hasMember' ... >
        <dsml:value>member1</dsml:value>
        <dsml:value>member2</dsml:value>
      </dsml:attr>
      <dsml:attr name='isMemberOf' ... >
        <dsml:value>stem:otherGroup</dsml:value>
      </dsml:attr>
    </data>
    <capabilityData mustUnderstand='true' capabilityURI='urn:oasis:names:tc:SPML:2:0:reference'>
      <spmlref:reference typeOfReference='member' ... >
        <spmlref:toPsoID ID='cn=member1,ou=people,dc=example,dc=edu' targetID='ldap'/>
      </spmlref:reference>
      <spmlref:reference typeOfReference='member' ... >
        <spmlref:toPsoID ID='cn=member2,ou=people,dc=example,dc=edu' targetID='ldap'/>
      </spmlref:reference>
    </capabilityData>
  </ldappc:pso>
</ldappc:calcResponse>
To print to STDOUT the SPML representation of changes that should be made:
>bin/gsh.sh -ldappcng -diff stem:groupName

<ldappc:diffResponse status='success' requestID='2010..._QKUSQLQ0' ... >
  <modifyRequest entityName='group' requestID='2010..._QKUSQLRM' returnData='everything' ... >
    <psoID ID='cn=um:manual:g20031124220052001,ou=groups,dc=memphis,dc=edu' targetID='ldap'/>
    <modification modificationMode='add'>
      <dsml:modification name='description' operation='add' ...>
        <dsml:value>A Description</dsml:value>
      </dsml:modification>
    </modification>
  </modifyRequest>
  <ldappc:id ID='stem:groupName'/>
</ldappc:diffResponse>
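The diffResponse is the natural place for a review gate: -diff tells you what -sync or -bulkSync would send to the directory, so an operator can read the plan and refuse it when it would delete entries or strip values (a bad attribute resolver query against a group marked authoritative can do exactly that). The Python below is an added example, not code from this page or from LDAPPCNG. It parses a diffResponse into a list of requests, summarises them one per line, and picks out the destructive ones. The response it parses is constructed: the page shows the namespace declarations as "...", so the SPML 2.0 core and DSML namespace URIs, the request ids, and the two extra requests (a member value removal and a whole-entry delete) are all this example's assumptions.

```python
"""Added example (not LDAPPCNG's code): read the SPML diffResponse printed by
`gsh.sh -ldappcng -diff` and turn it into a reviewable change plan.  The sample
response is constructed; namespace URIs and request ids are assumptions."""
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:2:0"        # assumed SPML 2.0 core namespace
DSML = "urn:oasis:names:tc:DSML:2:0:core"   # assumed DSML profile namespace
LDAPPC = "http://grouper.internet2.edu/ldappc"

# Constructed diffResponse: the page's attribute add, plus a value removal and
# an entry delete so the review logic has something to flag.
SAMPLE_DIFF = """\
<ldappc:diffResponse xmlns="urn:oasis:names:tc:SPML:2:0"
    xmlns:ldappc="http://grouper.internet2.edu/ldappc"
    xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core"
    status="success" requestID="req-1">
  <modifyRequest entityName="group" requestID="req-2" returnData="everything">
    <psoID ID="cn=stem:groupName,ou=groups,dc=example,dc=edu" targetID="ldap"/>
    <modification modificationMode="add">
      <dsml:modification name="description" operation="add">
        <dsml:value>A Description</dsml:value>
      </dsml:modification>
    </modification>
  </modifyRequest>
  <modifyRequest entityName="group" requestID="req-3" returnData="everything">
    <psoID ID="cn=stem:otherGroup,ou=groups,dc=example,dc=edu" targetID="ldap"/>
    <modification modificationMode="delete">
      <dsml:modification name="member" operation="delete">
        <dsml:value>cn=member2,ou=people,dc=example,dc=edu</dsml:value>
      </dsml:modification>
    </modification>
  </modifyRequest>
  <deleteRequest requestID="req-4">
    <psoID ID="cn=stem:oldGroup,ou=groups,dc=example,dc=edu" targetID="ldap"/>
  </deleteRequest>
  <ldappc:id ID="stem:groupName"/>
</ldappc:diffResponse>
"""


def parse_diff_response(xml_text):
    """Return the requests a sync would issue, each as a dict with 'op'
    (add/modify/delete), 'pso' (DN on the target), 'target', and 'changes'
    (list of (attribute, operation, values) taken from the DSML modifications)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}diffResponse" % LDAPPC:
        raise ValueError("not an ldappc:diffResponse")
    # A failed diff is not a plan; never base a sync decision on it.
    if root.get("status") != "success":
        raise ValueError("diff did not succeed: status=%r" % root.get("status"))
    plan = []
    for req in root:
        kind = req.tag.split("}")[-1]
        if not kind.endswith("Request"):
            continue                                   # e.g. the trailing ldappc:id
        pso = req.find("{%s}psoID" % SPML)
        item = {"op": kind[:-len("Request")],
                "pso": pso.get("ID") if pso is not None else None,
                "target": pso.get("targetID") if pso is not None else None,
                "changes": []}
        for mod in req.iter("{%s}modification" % DSML):
            values = [v.text or "" for v in mod.findall("{%s}value" % DSML)]
            item["changes"].append((mod.get("name"), mod.get("operation", "replace"), values))
        plan.append(item)
    return plan


def destructive(plan):
    """Requests that remove an entry or remove/overwrite attribute values: the
    ones to read carefully before -sync or -bulkSync applies them."""
    return [item for item in plan
            if item["op"] == "delete"
            or any(op in ("delete", "replace") for _, op, _ in item["changes"])]


def summarize(plan):
    """One line per change, suitable for pasting into a change ticket."""
    lines = []
    for item in plan:
        if item["changes"]:
            for attr, op, values in item["changes"]:
                lines.append("%s %s: %s %s %s" % (item["op"], item["pso"], op, attr, ", ".join(values)))
        else:
            lines.append("%s %s" % (item["op"], item["pso"]))
    return lines
```

Capture the diff with -output <file> (or redirect STDOUT), run parse_diff_response on the file, and only proceed to -sync when destructive() returns nothing unexpected. With -bulkDiff the same reader handles every object, since each modify or delete request carries its own psoID.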