...
- Credentials are no longer stored in the subject.properties file (formerly the sources.xml file), so the following options are no longer valid in that file:
INITIAL_CONTEXT_FACTORY
PROVIDER_URL
SECURITY_AUTHENTICATION
SECURITY_PRINCIPAL
SECURITY_CREDENTIALS
Instead, specify a new property in subject.properties. Replace "example" with the name of your source, and replace "personLdap" with the ID of your LDAP connection as configured in grouper-loader.properties.
subjectApi.source.example.param.ldapServerId.value = personLdap
If you have trouble using the new ldaptive-based subject source, you can revert to the vt-ldap-based subject source used in Grouper 2.3 with this configuration in subject.properties. (Also inform the Grouper developers via Jira or email in case a fix is needed.)
subjectApi.source.example.adapterClass = edu.internet2.middleware.subject.provider.LdapSourceAdapterLegacy
Migration for Grouper Loader
- Changes may not be needed here, since the loader was already using the grouper-loader.properties file. However, if you used vt-ldap-specific properties, changes may be needed.
If you have trouble using ldaptive, you can revert to vt-ldap with this configuration in grouper.properties. (Also inform the Grouper developers via Jira or email in case a fix is needed.)
ldap.implementation.className = edu.internet2.middleware.grouper.ldap.vtldap.VTLdapSessionImpl
Migration for Grouper Web Services
- Changes may not be needed here, since the web services were already using the grouper-loader.properties file. However, if you used vt-ldap-specific properties, changes may be needed.
If you have trouble using ldaptive, you can revert to vt-ldap with this configuration in grouper.properties. (Also inform the Grouper developers via Jira or email in case a fix is needed.)
ldap.implementation.className = edu.internet2.middleware.grouper.ldap.vtldap.VTLdapSessionImpl
Configuration options
The following applies to the subject api, loader, and web services.
- Look at the grouper-loader.base.properties file for the latest configuration options.
- Your configuration should go in grouper-loader.properties.
- ldap.<connection name>.url is the only required property (unless you supply the url via the configFileFromClasspath configuration).
- The default pool validator is SearchValidator, and validation is done on connection checkout by default.
#################################
## LDAP connections
#################################
# specify the ldap connection with user, pass, url
# the string after "ldap." is the ID of the connection, and it should not have
# spaces or other special chars in it.  In this case it is "personLdap"
#note the URL should start with ldap: or ldaps: if it is SSL.
#It should contain the server and port (optional if not default), and baseDn,
#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
#ldap.personLdap.url = ldaps://ldapserver.school.edu:636/dc=school,dc=edu
# load this ldaptive config file before the configs here.  load from classpath
#ldap.personLdap.configFileFromClasspath = ldap.personLdap.properties
#optional, if authenticated
#ldap.personLdap.user = uid=someapp,ou=people,dc=myschool,dc=edu
#optional, if authenticated, note the password can be stored encrypted in an external file
#ldap.personLdap.pass = secret
#optional, if you are using tls, set this to true.  Generally you will not be using an SSL URL to use TLS...
#ldap.personLdap.tls = false
#optional, if using sasl
#ldap.personLdap.saslAuthorizationId =
#ldap.personLdap.saslRealm =
#optional (note, time limit is for search operations, timeout is for connection timeouts),
#most of these default to ldaptive defaults.  times are in millis
#validateOnCheckout defaults to true if all other validate methods are false
#ldap.personLdap.batchSize =
#ldap.personLdap.countLimit =
#ldap.personLdap.timeLimit =
#ldap.personLdap.timeout =
#ldap.personLdap.minPoolSize =
#ldap.personLdap.maxPoolSize =
#ldap.personLdap.validateOnCheckIn =
#ldap.personLdap.validateOnCheckOut =
#ldap.personLdap.validatePeriodically =
#ldap.personLdap.validateTimerPeriod =
#ldap.personLdap.pruneTimerPeriod =
# if there is a max size limit on ldap server, then this will retrieve results in pages
#ldap.personLdap.pagedResultsSize =
# set to 'follow' if using AD and using paged results size and need this for some reason (generally you shouldnt)
#ldap.personLdap.referral =
# validator setup, currently supports CompareLdapValidator and SearchValidator.  additional properties below for CompareLdapValidator.
ldap.personLdap.validator = SearchValidator
#ldap.personLdap.validator = CompareLdapValidator
#ldap.personLdap.validatorCompareDn = ou=people,dc=example,dc=com
#ldap.personLdap.validatorCompareAttribute = ou
#ldap.personLdap.validatorCompareValue = people
# comma-delimited list of classes to process LDAP search results. Useful if AD returns a ranged attribute for large
# groups (e.g., member;range=0-1499); include the GrouperRangeEntryHandler to handle progressive fetching.
#ldap.personLdap.searchResultHandlers=org.ldaptive.handler.DnAttributeEntryHandler,edu.internet2.middleware.grouper.ldap.ldaptive.GrouperRangeEntryHandler
# comma-delimited list of result codes (org.ldaptive.ResultCode) to ignore, e.g. TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS
#ldap.personLdap.searchIgnoreResultCodes=SIZE_LIMIT_EXCEEDED
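As an added example (not Grouper project code), the following script reads a grouper-loader.properties file and checks each ldap.<connection name>.* group against the rules above: url required unless configFileFromClasspath is set, ldap:/ldaps: scheme, a plain ldap: URL without tls=true, and the validator settings (SearchValidator default, CompareLdapValidator needs its three compare properties). The sample input, the connection IDs personLdap and adLdap in it, and the finding texts are constructed for this example.

```python
# Added example, not Grouper project code: lint ldap.<connectionId>.* settings from grouper-loader.properties.
import re

VALIDATORS = {"SearchValidator", "CompareLdapValidator"}
COMPARE_KEYS = ("validatorCompareDn", "validatorCompareAttribute", "validatorCompareValue")

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, 'key = value' or 'key: value'."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"([^=:\s#!][^=:\s]*)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def lint_ldap_connections(props):
    """Return {connectionId: [finding, ...]}; an empty list means the connection passed."""
    ids = {m.group(1) for m in (re.match(r"ldap\.([^.]+)\.", k) for k in props) if m}
    ids.discard("implementation")  # ldap.implementation.className is not a connection
    report = {}
    for cid in sorted(ids):
        get = lambda name: props.get("ldap.%s.%s" % (cid, name), "")
        findings = report[cid] = []
        url = get("url")
        if not url and not get("configFileFromClasspath"):
            findings.append("url is required unless configFileFromClasspath is set")
        elif url and not re.match(r"ldaps?://", url):
            findings.append("url must start with ldap: or ldaps:")
        elif url.startswith("ldap://") and get("tls").lower() != "true":
            findings.append("plain ldap: URL without tls=true; bind and searches are unencrypted")
        validator = get("validator") or "SearchValidator"  # SearchValidator is the default
        if validator not in VALIDATORS:
            findings.append("unknown validator " + validator)
        elif validator == "CompareLdapValidator":
            missing = [k for k in COMPARE_KEYS if not get(k)]
            if missing:
                findings.append("CompareLdapValidator needs " + ", ".join(missing))
    return report

# Constructed sample: one connection that passes and one with two findings.
SAMPLE = """
ldap.personLdap.url = ldaps://ldapserver.school.edu:636/dc=school,dc=edu
ldap.personLdap.validator = SearchValidator
ldap.adLdap.url = ldap://ad.school.edu/dc=school,dc=edu
ldap.adLdap.validator = CompareLdapValidator
ldap.adLdap.validatorCompareDn = ou=people,dc=school,dc=edu
ldap.implementation.className = edu.internet2.middleware.grouper.ldap.vtldap.VTLdapSessionImpl
"""

if __name__ == "__main__":
    for cid, findings in lint_ldap_connections(parse_properties(SAMPLE)).items():
        print(cid, findings or ["ok"])
```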