Grouper Training – Admin – Provisioning Service Provider (PSP) – Part 2
Shilen Patel, Duke University
This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.

Contents
• Design Decisions
  • Flat vs bushy for LDAP
  • Incremental vs Bulk
  • Methods of provisioning memberships to LDAP
• Configuration Options

PSP Design Options – Flat vs Bushy for LDAP
• Flat
• Bushy

PSP Design Options – Incremental vs Bulk
• Bulk Provisioning
  • Compares source data with target data and applies the changes.
  • Run using the command line (GSH) or the Grouper Daemon.
• Incremental Provisioning from Grouper
  • Provisions the target based on Grouper notifications (change log).
  • Supports the following changes:
    • addAttributeAssignValue
    • deleteAttributeAssignValue
    • addGroup
    • deleteGroup
    • updateGroup
    • addMembership
    • deleteMembership
    • addStem
    • deleteStem
    • updateStem

PSP Design Options – Methods of provisioning memberships to LDAP
• Group objects
  • hasMember – names of subjects that are members of the group.
  • isMemberOf – names of groups that this group is a member of.
  • member – LDAP entry DNs of subjects that are members of the group.
  • memberOf – LDAP entry DNs of groups that this group is a member of.

PSP Design Options – Methods of provisioning memberships to LDAP (continued)
• Member objects
  • isMemberOf – names of groups that this subject is a member of.
  • memberOf – LDAP entry DNs of groups that this subject is a member of.

PSP Configuration Options – ldap.properties
• LDAP connection settings.
  edu.vt.middleware.ldap.ldapUrl=ldap://127.0.0.1:389
  edu.vt.middleware.ldap.bindDn=cn=Manager,dc=example,dc=edu
  edu.vt.middleware.ldap.bindCredential=secret
  edu.vt.middleware.ldap.ssl=false
  edu.vt.middleware.ldap.tls=false
• Base DNs.
  edu.vt.middleware.ldap.baseDn=dc=example,dc=edu
  edu.internet2.middleware.psp.groupsBaseDn=ou=groups,dc=example,dc=edu
  edu.internet2.middleware.psp.peopleBaseDn=ou=people,dc=example,dc=edu
• Base Grouper stem to provision.
  edu.internet2.middleware.psp.baseStem=

PSP Configuration Options – ldap.properties (continued)
• Flat vs bushy.
  • Flat
    edu.internet2.middleware.psp.structure=flat
    edu.internet2.middleware.psp.cnSourceAttributeID=name
  • Bushy
    edu.internet2.middleware.psp.structure=bushy
    edu.internet2.middleware.psp.cnSourceAttributeID=extension
• searchResultHandlers – performs post-processing of search results; supports a comma-delimited list for multiple values.

PSP Configuration Options – psp.xml
• Configuration for the objects, identifiers, attributes, and references to be provisioned to a target.
• Contains Provisioning Service Object (PSO) definitions for the various objects (stems, groups, members, etc.).
• Refers to the Shibboleth Attribute Resolver (psp-resolver.xml) to query source data.

PSP Configuration Options – psp.xml (continued)
• authoritative – deletion of orphan objects.
• allSourceIdentifiersRef – all source identifiers.
  <!-- Provision a grouper group as an ldap group. -->
  <pso id="group" authoritative="true" allSourceIdentifiersRef="groupNames">
• identifier – identifies the target object.
  <!-- The ldap group DN. -->
  <identifier ref="groupDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />

PSP Configuration Options – psp.xml (continued)
• identifyingAttribute
  • Used to determine the object type in the target.
  • Used to query all identifiers in the target.
  <!-- Identifies ldap group objects which exist on the target by objectClass attribute value. -->
  <identifyingAttribute name="objectClass" value="${edu.internet2.middleware.psp.groupObjectClass}" />
• alternateIdentifier – used for renaming.
  <!-- The "old" ldap group DN if a group has been renamed. -->
  <alternateIdentifier ref="groupDnAlternate" />
  <!-- The "old" ldap group DN calculated from group update change log events. -->
  <alternateIdentifier ref="groupDnAlternateChangeLog" />

PSP Configuration Options – psp.xml (continued)
• attribute – name/value pairs for target attributes.
  <!-- The ldap group "description" attribute. -->
  <attribute name="description" ref="groupDescription" />
• May have references to other objects.
  <!-- The ldap group "member" attribute. -->
  <references name="member">
    <reference ref="membersLdap" toObject="member" />
    <reference ref="membersGsa" toObject="group" />
  </references>

PSP Configuration Options – psp-resolver.xml
• Configuration for the Shibboleth attribute resolver.
• Uses Shibboleth data connectors to retrieve source data. Data may be filtered.
• Produces Shibboleth attribute definitions.
• Attribute definitions can be used to reformat Grouper data for the target, optionally using a script.
• https://spaces.internet2.edu/display/Grouper/Grouper+Shibboleth+Integration

PSP Configuration Options – psp-services.xml
• Configuration for Shibboleth services such as the attribute resolver, the PSP, and the provisioning targets.

PSP Configuration Options – psp-internal.xml
• Bootstraps Shibboleth.

PSP Configuration Options – grouper-loader.properties
• Configure incremental provisioning
  changeLog.consumer.psp.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
  changeLog.consumer.psp.quartzCron = 0 * * * * ?
  changeLog.consumer.psp.retryOnError = false
• Configure bulk provisioning
  changeLog.psp.fullSync.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
  changeLog.psp.fullSync.quartzCron = 0 0 5 * * ?
  changeLog.psp.fullSync.runAtStartup = false
  changeLog.psp.fullSync.omitDiffResponses = true
  changeLog.psp.fullSync.omitSyncResponses = true

Quiz
Click on the quiz link in the video description to reinforce your knowledge of this topic.

Thanks!
Further information:
• Infosheets, mailing lists, wiki, downloads, etc.: www.internet2.edu/grouper
• Grouper demo server: grouperdemo.internet2.edu/
• Grouper Online Training Home: spaces.internet2.edu/x/IIGfAQ
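The following is an added example, not code from the Grouper PSP project, illustrating the "Flat vs Bushy" design decision and the "Methods of provisioning memberships to LDAP" slides earlier in this deck. It derives the LDAP DN a Grouper group would get under the two `structure` settings from ldap.properties (flat uses the full group name as cn, bushy uses the group's extension as cn) and shows what the `hasMember` and `member` attributes of a group entry carry. The groupsBaseDn and peopleBaseDn values are the ones shown on the ldap.properties slide; the base stem value `edu`, the `uid=` naming of people entries, and the assumption that bushy mode maps each stem below the base stem to an `ou` entry are this example's own assumptions, not something the deck states. The RFC 4514 escaping is included because Grouper names are free text and a name containing `,` or `+` must not be able to add RDN components to the provisioned DN.

```python
# Added example, not Grouper PSP code. Models PSP's flat vs bushy DN layout
# and the hasMember/member group attributes from this deck.

GROUPS_BASE_DN = "ou=groups,dc=example,dc=edu"  # psp.groupsBaseDn (from the slide)
PEOPLE_BASE_DN = "ou=people,dc=example,dc=edu"  # psp.peopleBaseDn (from the slide)
BASE_STEM = "edu"                                # psp.baseStem (assumed value)


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules).

    Specials (, + " \\ < > ;) are always escaped; '#' only when leading;
    a space only when leading or trailing; NUL becomes \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def group_dn(group_name: str, structure: str) -> str:
    """DN of the LDAP group entry for a Grouper group.

    flat : cn=<full name> directly under groupsBaseDn (cnSourceAttributeID=name)
    bushy: cn=<extension> under one ou per stem below the base stem
           (cnSourceAttributeID=extension); the ou-per-stem layout is assumed.
    Groups outside the base stem are rejected rather than silently placed.
    """
    prefix = BASE_STEM + ":"
    if not group_name.startswith(prefix) or group_name == prefix:
        raise ValueError(f"{group_name!r} is outside base stem {BASE_STEM!r}")
    if structure == "flat":
        return f"cn={escape_rdn_value(group_name)},{GROUPS_BASE_DN}"
    if structure == "bushy":
        *stems, extension = group_name[len(prefix):].split(":")
        # innermost stem first, so the DN reads leaf -> root
        ous = "".join(f"ou={escape_rdn_value(s)}," for s in reversed(stems))
        return f"cn={escape_rdn_value(extension)},{ous}{GROUPS_BASE_DN}"
    raise ValueError(f"unknown structure {structure!r}")


def subject_dn(subject_id: str) -> str:
    """DN of a person entry (uid naming under peopleBaseDn is assumed)."""
    return f"uid={escape_rdn_value(subject_id)},{PEOPLE_BASE_DN}"


def membership_values(attribute, subjects, member_groups, structure="flat"):
    """Values of one membership attribute on a group entry.

    subjects      : ids of subjects that are members of the group
    member_groups : Grouper names of groups that are members of the group
    hasMember carries subject *names*; member carries entry *DNs*, so it can
    also reference nested group entries (the membersGsa reference in psp.xml).
    """
    if attribute == "hasMember":
        return sorted(subjects)
    if attribute == "member":
        return sorted([subject_dn(s) for s in subjects]
                      + [group_dn(g, structure) for g in member_groups])
    raise ValueError(f"unsupported group attribute {attribute!r}")
```

Compare `group_dn("edu:app:admins", "flat")` with `group_dn("edu:app:admins", "bushy")` to see why the two structures need different `cnSourceAttributeID` values: in flat mode the full name keeps the cn unique under one container, while in bushy mode the stems have already been spent on `ou` components and only the extension is left for the cn.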
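As a second added example (again not PSP's own code), the following models the two provisioning modes from the "Incremental vs Bulk" slide: a bulk sync that compares the Grouper view of groups with the target view and emits the changes needed, honouring the `authoritative` flag from psp.xml for orphan deletion, and an incremental consumer that turns change log events of the types listed on that slide into the same kind of change records. The in-memory dict standing in for the LDAP target, the `Change` record, and the shape of the event dicts are all constructed for this example; the sample group and person DNs are built from the base DNs shown on the ldap.properties slide. Stem and attribute-assignment events are reported as skipped rather than modelled, so the caller can see what the consumer did not handle.

```python
# Added example, not Grouper PSP code. Bulk diff/apply versus incremental
# change-log consumption against an in-memory stand-in for the LDAP target.
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    op: str               # "add", "delete", "modify" or "rename"
    dn: str
    attribute: str = ""   # for modify: "add:<attr>" or "delete:<attr>"
    values: tuple = ()    # attribute values, or (new_dn,) for a rename


def bulk_sync(source, target, authoritative=True, attribute="member"):
    """Diff the Grouper view against the target view and return the changes.

    source, target: {group_dn: set(member_dn)}. With authoritative=True,
    groups present on the target but absent from Grouper are deleted (orphan
    deletion); with authoritative=False such orphans are left untouched.
    """
    changes = []
    for dn in sorted(set(source) | set(target)):
        if dn not in target:
            changes.append(Change("add", dn, attribute, tuple(sorted(source[dn]))))
        elif dn not in source:
            if authoritative:
                changes.append(Change("delete", dn))
        else:
            added = source[dn] - target[dn]
            removed = target[dn] - source[dn]
            if added:
                changes.append(Change("modify", dn, "add:" + attribute, tuple(sorted(added))))
            if removed:
                changes.append(Change("modify", dn, "delete:" + attribute, tuple(sorted(removed))))
    return changes


def consume_change_log(events):
    """Translate change log events into target changes (incremental mode).

    Each event is a constructed dict with a 'type' taken from the slide's list
    of supported changes. Returns (changes, skipped_event_types).
    """
    changes, skipped = [], []
    for ev in events:
        kind = ev["type"]
        if kind == "addGroup":
            changes.append(Change("add", ev["dn"], "member", ()))
        elif kind == "deleteGroup":
            changes.append(Change("delete", ev["dn"]))
        elif kind == "updateGroup":
            # a rename: the old DN is what psp.xml's alternateIdentifier supplies
            changes.append(Change("rename", ev["oldDn"], "", (ev["dn"],)))
        elif kind == "addMembership":
            changes.append(Change("modify", ev["dn"], "add:member", (ev["memberDn"],)))
        elif kind == "deleteMembership":
            changes.append(Change("modify", ev["dn"], "delete:member", (ev["memberDn"],)))
        else:
            skipped.append(kind)  # stem / attribute events not modelled here
    return changes, skipped


def apply_changes(target, changes):
    """Apply Change records to the in-memory target dict and return it."""
    for c in changes:
        if c.op == "add":
            target[c.dn] = set(c.values)
        elif c.op == "delete":
            target.pop(c.dn, None)
        elif c.op == "rename":
            target[c.values[0]] = target.pop(c.dn)
        elif c.op == "modify":
            mode = c.attribute.split(":", 1)[0]
            members = target.setdefault(c.dn, set())
            if mode == "add":
                members.update(c.values)
            else:
                members.difference_update(c.values)
    return target


def demo():
    """Constructed sample state: Grouper (source) versus LDAP (target)."""
    base = "ou=groups,dc=example,dc=edu"
    ppl = "ou=people,dc=example,dc=edu"
    source = {
        f"cn=edu:app:admins,{base}": {f"uid=alice,{ppl}", f"uid=bob,{ppl}"},
        f"cn=edu:app:devs,{base}": {f"uid=carol,{ppl}"},
    }
    target = {
        f"cn=edu:app:admins,{base}": {f"uid=alice,{ppl}", f"uid=dave,{ppl}"},
        f"cn=edu:old,{base}": {f"uid=alice,{ppl}"},  # orphan: no longer in Grouper
    }
    return source, target


if __name__ == "__main__":
    src, tgt = demo()
    for change in bulk_sync(src, tgt):
        print(change)
```

Running `bulk_sync` after a batch of incremental changes has been applied is a useful consistency check: if the consumer handled every event, the diff is empty, and any residual change points at an event type the incremental path dropped.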