We want to protect part of Apache with Grouper, based on a SQL-loaded group, for a new application. Note that most institutions can use the Apache mod_authnz_ldap module, but our LDAP doesn't have memberOf and isn't conducive to it.
So the architecture we will have is the grouperClient, which calls a WS from cron to keep an Apache .htaccess up to date.
First, we use Kerberos principals for authentication to the Grouper WS, so we created a Kerberos principal / password: application_grouper/server.school.edu
Then we have a custom non-Grouper application to enter this Kerberos principal into our Kerberos principal subject source; note, this is an admin action.
Then I add this kerberos principal to the WS users group: school:etc:webServiceClientUsers
This is an application which didn't previously use Grouper, so I create a folder in the applications folders in the IT department: school:it:ait:apps:appName
In there, I like to keep the privileges in groups, so make a group for that: school:it:ait:apps:appName:etc:appNameReaders
Add the Kerberos principal and the client person to that group.
Make a loader group: school:it:ait:apps:appName:groups:apacheGroup
Make sure that group is of the grouperLoader type.
Give the school:it:ait:apps:appName:etc:appNameReaders group the READ privilege on school:it:ait:apps:appName:groups:apacheGroup. Note: don't give ADMIN, because you don't want a non-admin editing the attributes on a loader group.
In this case we need a new database connection, since the SQL is not loaded from the Grouper database. The DBA set up a new schema for us, so the only permission we have in the DB is to select from a certain view. We need to add a database connection in grouper-loader.properties:
db.admissions.user = APP_SCHEMA
db.admissions.pass = /home/user/pass/grouper/grouperMorphApp.pass
db.admissions.url = jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=YES)(FAILOVER=YES)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=1.2.3.4)(PORT=1234))(ADDRESS=(PROTOCOL=tcp)(HOST=1.2.3.5)(PORT=1235)))(CONNECT_DATA=(SERVICE_NAME=appdb.school.edu)))
db.admissions.driver = oracle.jdbc.driver.OracleDriver
Note that the password itself is not stored in grouper-loader.properties; instead, encrypt it with morphString and put the encrypted value in the file that db.admissions.pass points to:
[user@server bin]$ cd /opt/tomcat_9b/webapps/grouper/WEB-INF/lib
[user@server lib]$ java -jar morphString.jar
Enter the location of morphString.properties: ../classes/morphString.properties
Type the string to encrypt (note: pasting might echo it back):
The encrypted string is: abc123abc123abc123==
[user@server lib]$ echo abc123abc123abc123== > /home/user/pass/grouper/grouperMorphApp.pass
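The cron side of the architecture described at the top of the page, as an added example that is not from the page or the Grouper project: a POSIX shell script that pulls the loader group's members through grouperClient and atomically rewrites an Apache group file. The jar path, the group-file path, the Apache group name and the exact --outputTemplate wording are assumptions; Apache then points AuthGroupFile at that file and uses Require group.

```shell
#!/bin/sh
# Added example (not from the page): cron-driven refresh of an Apache group file
# from the SQL-loaded Grouper group. Assumed: jar path, group-file path, Apache
# group name and the --outputTemplate wording; getMembersWs is grouperClient's own operation.
set -eu

GROUP="school:it:ait:apps:appName:groups:apacheGroup"
CLIENT_JAR="/opt/grouperClient/grouperClient.jar"   # assumed install location
GROUP_FILE="/etc/httpd/conf/appName.groups"          # assumed; named by AuthGroupFile
APACHE_GROUP="appNameUsers"                          # name used in "Require group"

# Ask the Grouper WS for the members, one subject id per line.
fetch_members() {
  java -jar "$CLIENT_JAR" --operation=getMembersWs --groupNames="$GROUP" \
    --outputTemplate='${wsSubject.id}$newline$'
}

# Keep only lines that look like plain subject identifiers, so a malformed
# or unexpected WS response cannot put stray text into the group file.
valid_ids() { grep -E '^[A-Za-z0-9_.@-]+$' || true; }

# Emit mod_authz_groupfile syntax: "<group>: id1 id2 ..." (ids read from stdin).
render_group_file() {
  members=$(valid_ids | sort -u | tr '\n' ' ')
  printf '%s: %s\n' "$1" "${members% }"
}

refresh() {
  ids=$(fetch_members)                     # a failing WS call aborts under set -e
  if [ "$(printf '%s\n' "$ids" | valid_ids | grep -c .)" -eq 0 ]; then
    # Zero members is far more likely a WS/auth problem than an empty group;
    # keep the last good file instead of locking every user out.
    echo "no members returned for $GROUP; keeping existing $GROUP_FILE" >&2
    exit 1
  fi
  tmp=$(mktemp "$GROUP_FILE.XXXXXX")
  printf '%s\n' "$ids" | render_group_file "$APACHE_GROUP" > "$tmp"
  chmod 0640 "$tmp"
  mv -f "$tmp" "$GROUP_FILE"               # atomic swap: Apache never reads a half-written file
}

# Run only when invoked as "refresh.sh --refresh" (e.g. from cron), so the
# functions above can also be sourced and checked on their own.
if [ "${1:-}" = "--refresh" ]; then refresh; fi
```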
Now we can fill in the grouperLoader attributes: