Many components of Grouper may optionally access LDAP.
In Grouper 2.3, #1-3 above used vt-ldap and #4 used ldaptive. In Grouper 2.4, all of the above use ldaptive. #1-3 now share a common configuration in grouper-loader.properties and go through an abstraction layer that will make any future migration much easier. #4 still uses the separate configuration it used in Grouper 2.3, but will migrate to the common configuration in the future.
Note that the migration to ldaptive is being done because vt-ldap is no longer supported and has been deprecated for a long time.
INITIAL_CONTEXT_FACTORY
PROVIDER_URL
SECURITY_AUTHENTICATION
SECURITY_PRINCIPAL
SECURITY_CREDENTIALS
subjectApi.source.*.param.ldapProperties_file.value (subject.properties no longer uses external property sources; this can be migrated to grouper-loader.properties)
VTLDAP_* (pooling config migrated to grouper-loader.properties)
Instead, specify a new property in subject.properties, replacing "example" with the name of your source and "personLdap" with the ID of your LDAP connection in grouper-loader.properties:
subjectApi.source.example.param.ldapServerId.value = personLdap
If you have trouble using the new ldaptive based subject source, you can revert to the vt-ldap based subject source used in Grouper 2.3 by using this configuration in subject.properties. (Though also inform the Grouper developers via Jira or email in case a fix is needed.)
subjectApi.source.example.adapterClass = edu.internet2.middleware.subject.provider.LdapSourceAdapterLegacy
If you have trouble using ldaptive, you can revert back to vt-ldap using this configuration in grouper.properties. (Though also inform the Grouper developers via Jira or email in case a fix is needed.)
ldap.implementation.className = edu.internet2.middleware.grouper.ldap.vtldap.VTLdapSessionImpl
The following grouper-loader.properties configuration applies to the Subject API, the loader, and web services.
#################################
## LDAP connections
#################################

# specify the ldap connection with user, pass, url
# the string after "ldap." is the ID of the connection, and it should not have
# spaces or other special chars in it.  In this case it is "personLdap"

#note the URL should start with ldap: or ldaps: if it is SSL.
#It should contain the server and port (optional if not default), and baseDn,
#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
#ldap.personLdap.url = ldaps://ldapserver.school.edu:636/dc=school,dc=edu

# load this ldaptive config file before the configs here.  load from classpath
#ldap.personLdap.configFileFromClasspath = ldap.personLdap.properties

#optional, if authenticated
#ldap.personLdap.user = uid=someapp,ou=people,dc=myschool,dc=edu

#optional, if authenticated, note the password can be stored encrypted in an external file
#ldap.personLdap.pass = secret

#optional, if you are using tls, set this to true.  Generally you will not be using an SSL URL to use TLS...
#ldap.personLdap.tls = false

#optional, if using sasl
#ldap.personLdap.saslAuthorizationId =
#ldap.personLdap.saslRealm =

#optional (note, time limit is for search operations, timeout is for connection timeouts),
#most of these default to ldaptive defaults.  times are in millis
#validateOnCheckout defaults to true if all other validate methods are false
#ldap.personLdap.batchSize =
#ldap.personLdap.countLimit =
#ldap.personLdap.timeLimit =
#ldap.personLdap.timeout =
#ldap.personLdap.minPoolSize =
#ldap.personLdap.maxPoolSize =
#ldap.personLdap.validateOnCheckIn =
#ldap.personLdap.validateOnCheckOut =
#ldap.personLdap.validatePeriodically =
#ldap.personLdap.validateTimerPeriod =
#ldap.personLdap.pruneTimerPeriod =

# if there is a max size limit on ldap server, then this will retrieve results in pages
#ldap.personLdap.pagedResultsSize =

# set to 'follow' if using AD and using paged results size and need this for some reason (generally you shouldn't)
#ldap.personLdap.referral =

# validator setup, currently supports CompareLdapValidator and SearchValidator.  additional properties below for CompareLdapValidator.
ldap.personLdap.validator = SearchValidator
#ldap.personLdap.validator = CompareLdapValidator
#ldap.personLdap.validatorCompareDn = ou=people,dc=example,dc=com
#ldap.personLdap.validatorCompareAttribute = ou
#ldap.personLdap.validatorCompareValue = people

# comma-delimited list of classes to process LDAP search results.  Useful if AD returns a ranged attribute for large
# groups (e.g., member;range=0-1499); include the GrouperRangeEntryHandler to handle progressive fetching.
#ldap.personLdap.searchResultHandlers=org.ldaptive.handler.DnAttributeEntryHandler,edu.internet2.middleware.grouper.ldap.ldaptive.GrouperRangeEntryHandler

# comma-delimited list of result codes (org.ldaptive.ResultCode) to ignore, e.g. TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS
#ldap.personLdap.searchIgnoreResultCodes=SIZE_LIMIT_EXCEEDED
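As an added example (not part of the Grouper documentation or code base), a small Python lint that applies the two migration rules from this page to a pair of config files: the legacy vt-ldap parameters listed earlier must be gone from subject.properties, each source's ldapServerId must name an ldap.<id>.url connection in grouper-loader.properties, and that connection should not be a plain ldap: URL without tls=true or a CompareLdapValidator missing its compare properties. The sample configs embedded in it are constructed; the property names are the ones on this page.

```python
import re
# vt-ldap era subject.properties params that Grouper 2.4 no longer reads (the list above).
LEGACY_PARAMS = {"INITIAL_CONTEXT_FACTORY", "PROVIDER_URL", "SECURITY_AUTHENTICATION",
                 "SECURITY_PRINCIPAL", "SECURITY_CREDENTIALS", "ldapProperties_file"}
# Constructed sample configs, not taken from a real deployment.
SUBJECT_PROPERTIES = """
subjectApi.source.example.param.ldapServerId.value = personLdap
subjectApi.source.example.param.PROVIDER_URL.value = ldap://old.school.edu/dc=school,dc=edu
subjectApi.source.staff.param.ldapServerId.value = staffLdap
"""
LOADER_PROPERTIES = """
ldap.personLdap.url = ldap://ldapserver.school.edu:389/dc=school,dc=edu
ldap.personLdap.validator = CompareLdapValidator
ldap.personLdap.validatorCompareDn = ou=people,dc=school,dc=edu
"""

def parse_properties(text):
    # Minimal Java .properties reader: "key = value"; comments and blank lines are skipped.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint(subject_text, loader_text):
    subject, loader = parse_properties(subject_text), parse_properties(loader_text)
    findings = []
    # A connection ID is the token between "ldap." and ".url" in grouper-loader.properties.
    conn_ids = {k.split(".")[1] for k in loader if re.fullmatch(r"ldap\.[^.]+\.url", k)}
    for cid in sorted(conn_ids):
        # A plain ldap: URL without tls=true sends the bind password and results in the clear.
        if loader[f"ldap.{cid}.url"].startswith("ldap:") and loader.get(f"ldap.{cid}.tls", "false").lower() != "true":
            findings.append(f"{cid}: ldap: url without tls=true, traffic is unencrypted")
        validator = loader.get(f"ldap.{cid}.validator")
        if validator == "CompareLdapValidator":
            for s in ("validatorCompareDn", "validatorCompareAttribute", "validatorCompareValue"):
                if f"ldap.{cid}.{s}" not in loader:
                    findings.append(f"{cid}: CompareLdapValidator requires {s}")
        elif validator != "SearchValidator":
            findings.append(f"{cid}: validator should be SearchValidator or CompareLdapValidator")
    # Each source in subject.properties must name an existing connection and drop legacy params.
    for key, value in subject.items():
        m = re.fullmatch(r"subjectApi\.source\.([^.]+)\.param\.([^.]+)\.value", key)
        if m and (m.group(2) in LEGACY_PARAMS or m.group(2).startswith("VTLDAP_")):
            findings.append(f"source {m.group(1)}: param {m.group(2)} is no longer used in Grouper 2.4")
        elif m and m.group(2) == "ldapServerId" and value not in conn_ids:
            findings.append(f"source {m.group(1)}: ldapServerId {value!r} matches no ldap.{value}.url")
    return findings
```

Running lint(SUBJECT_PROPERTIES, LOADER_PROPERTIES) on the constructed samples reports the cleartext URL, the two missing compare properties, the leftover PROVIDER_URL parameter, and the dangling staffLdap reference.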