
Grouper Training – Admin – Provisioning Service Provider (PSP) – Part 2



  1. Grouper Training – Admin – Provisioning Service Provider (PSP) – Part 2
     Shilen Patel, Duke University
     This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.

  2. Contents
     • Design Decisions
       • Flat vs bushy for LDAP
       • Incremental vs Bulk
       • Methods of provisioning memberships to LDAP
     • Configuration Options

  3. PSP Design Options – Flat vs Bushy for LDAP
     [Diagram comparing the two LDAP layouts; only the panel titles "Flat" and "Bushy" survive.]

  4. PSP Design Options – Incremental vs Bulk
     • Bulk Provisioning
       • Compares source data with target data and applies changes.
       • Run using command line (GSH) or Grouper Daemon.
     • Incremental Provisioning from Grouper
       • Provisions target based on Grouper Notifications (change log).
       • Supports the following changes:
         • addAttributeAssignValue
         • deleteAttributeAssignValue
         • addGroup
         • deleteGroup
         • updateGroup
         • addMembership
         • deleteMembership
         • addStem
         • deleteStem
         • updateStem

  5. PSP Design Options – Methods of provisioning memberships to LDAP
     • Group objects
       • hasMember – names of subjects that are members of the group.
       • isMemberOf – names of groups that this group is a member of.
       • member – LDAP entry DNs of subjects that are members of the group.
       • memberOf – LDAP entry DNs of groups that this group is a member of.

  6. PSP Design Options – Methods of provisioning memberships to LDAP (continued)
     • Member objects
       • isMemberOf – names of groups that this subject is a member of.
       • memberOf – LDAP entry DNs of groups that this subject is a member of.

  7. PSP Configuration Options – ldap.properties
     • LDAP connection settings.
         edu.vt.middleware.ldap.ldapUrl=ldap://127.0.0.1:389
         edu.vt.middleware.ldap.bindDn=cn=Manager,dc=example,dc=edu
         edu.vt.middleware.ldap.bindCredential=secret
         edu.vt.middleware.ldap.ssl=false
         edu.vt.middleware.ldap.tls=false
     • Base DNs.
         edu.vt.middleware.ldap.baseDn=dc=example,dc=edu
         edu.internet2.middleware.psp.groupsBaseDn=ou=groups,dc=example,dc=edu
         edu.internet2.middleware.psp.peopleBaseDn=ou=people,dc=example,dc=edu
     • Base Grouper stem to provision.
         edu.internet2.middleware.psp.baseStem=
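The connection settings above bind with a stored credential while both ssl and tls are off, so a practitioner reviewing an ldap.properties file wants to know whether that simple bind would cross the network in cleartext. The following added example (not PSP's or vt-ldap's own code) reads the properties shown on the slide and reports that; the key meanings it assumes (ssl=true for an ldaps connection, tls=true for StartTLS) are stated in the docstring.

```python
from urllib.parse import urlparse

# Constructed sample mirroring the ldap.properties keys shown on the slide.
SAMPLE = """
edu.vt.middleware.ldap.ldapUrl=ldap://127.0.0.1:389
edu.vt.middleware.ldap.bindDn=cn=Manager,dc=example,dc=edu
edu.vt.middleware.ldap.bindCredential=secret
edu.vt.middleware.ldap.ssl=false
edu.vt.middleware.ldap.tls=false
"""

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_ldap_transport(props: dict) -> list:
    """Report how the PSP bind credential would travel to the directory.
    Assumed key meanings: ssl=true -> ldaps connection, tls=true -> StartTLS."""
    p = "edu.vt.middleware.ldap."
    url = urlparse(props.get(p + "ldapUrl", ""))
    ssl = props.get(p + "ssl", "false").lower() == "true" or url.scheme == "ldaps"
    tls = props.get(p + "tls", "false").lower() == "true"
    findings = []
    if props.get(p + "bindCredential") and not (ssl or tls):
        # A simple bind without ldaps or StartTLS sends the password as-is.
        local = url.hostname in ("127.0.0.1", "localhost", "::1")
        where = "loopback only" if local else "over the network"
        findings.append(f"simple bind credential sent in cleartext ({where})")
    if ssl and tls:
        findings.append("ssl and tls both enabled; choose one transport protection")
    return findings

def findings_for(text: str) -> list:
    """Convenience wrapper: parse a properties file body and check it."""
    return check_ldap_transport(parse_properties(text))
```

For the slide's localhost URL the only finding is the loopback-only cleartext bind; point the same file at a remote directory without tls=true and the finding becomes a network exposure.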

  8. PSP Configuration Options – ldap.properties (continued)
     • Flat vs bushy.
       • Flat
           edu.internet2.middleware.psp.structure=flat
           edu.internet2.middleware.psp.cnSourceAttributeID=name
       • Bushy
           edu.internet2.middleware.psp.structure=bushy
           edu.internet2.middleware.psp.cnSourceAttributeID=extension
     • searchResultHandlers – performs post-processing of search results; supports a comma-delimited list for multiple values.
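To make the flat/bushy choice (slide 8) and the bulk compare-and-apply step (slide 4) concrete, here is an added example in Python; it is not PSP's own code. It assumes the DN layout the settings suggest (flat: the full Grouper name as cn under groupsBaseDn; bushy: one ou per stem component with the extension as cn), escapes RDN special characters so a group name with a comma cannot alter the DN, and computes the member additions, deletions, entry creations and (when the PSO is authoritative) orphan deletions a bulk sync would apply; the sample groups and LDAP state are constructed.

```python
def rdn_escape(value: str) -> str:
    """Escape RFC 4514 special characters so a group name cannot break out of its RDN."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1))
        out.append("\\" + ch if special else ch)
    return "".join(out)

def group_dn(group_name: str, structure: str, groups_base_dn: str) -> str:
    """Assumed DN layout: flat puts the full Grouper name in cn (cnSourceAttributeID=name);
    bushy nests one ou per stem component and uses the extension as cn."""
    if structure == "flat":
        return f"cn={rdn_escape(group_name)},{groups_base_dn}"
    if structure == "bushy":
        *stems, extension = group_name.split(":")
        ous = "".join(f"ou={rdn_escape(s)}," for s in reversed(stems))  # innermost stem first
        return f"cn={rdn_escape(extension)},{ous}{groups_base_dn}"
    raise ValueError(f"unknown structure: {structure}")

def bulk_diff(source: dict, target: dict, authoritative: bool) -> dict:
    """Per-DN comparison of desired (Grouper) vs current (LDAP) 'member' values.
    Entries present only in the target are reported as orphans only when authoritative."""
    changes = {"create": [], "add": {}, "delete": {}, "orphan": []}
    for dn, wanted in source.items():
        have = target.get(dn)
        if have is None:
            changes["create"].append(dn)  # whole group entry missing from LDAP
            continue
        if wanted - have:
            changes["add"][dn] = wanted - have
        if have - wanted:
            changes["delete"][dn] = have - wanted
    if authoritative:
        changes["orphan"] = sorted(set(target) - set(source))
    return changes

# Constructed sample data: two Grouper groups and the current LDAP state.
GROUPS_BASE = "ou=groups,dc=example,dc=edu"
PEOPLE_BASE = "ou=people,dc=example,dc=edu"
GROUPER = {"edu:dept:staff": {"alice", "bob"}, "edu:dept:it,ops": {"carol"}}  # comma needs escaping
LDAP = {
    f"cn=edu:dept:staff,{GROUPS_BASE}": {f"uid=alice,{PEOPLE_BASE}", f"uid=dave,{PEOPLE_BASE}"},
    f"cn=edu:old:retired,{GROUPS_BASE}": {f"uid=eve,{PEOPLE_BASE}"},
}

def sync_plan(structure: str = "flat", authoritative: bool = True) -> dict:
    # Map each Grouper group to its DN under the chosen structure, then diff against LDAP.
    source = {group_dn(name, structure, GROUPS_BASE): {f"uid={u},{PEOPLE_BASE}" for u in members}
              for name, members in GROUPER.items()}
    return bulk_diff(source, LDAP, authoritative)
```

With authoritative=False the retired group stays in LDAP untouched, which is exactly the difference the authoritative flag on slide 10 controls.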

  9. PSP Configuration Options – psp.xml Configuration for the objects, identifiers, attributes, and references to be provisioned to a target. Contains Provisioning Service Object (PSO) definitions for various objects (stems, groups, members, etc). Refers to the Shibboleth Attribute Resolver (psp-resolver.xml) to query source data.

  10. PSP Configuration Options – psp.xml (continued)
     • authoritative – Deletion of orphan objects.
     • allSourceIdentifiersRef – All source identifiers.
         <!-- Provision a grouper group as an ldap group. -->
         <pso id="group" authoritative="true" allSourceIdentifiersRef="groupNames">
     • identifier – identifies target object.
         <!-- The ldap group DN. -->
         <identifier ref="groupDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.groupsBaseDn}" />

  11. PSP Configuration Options – psp.xml (continued)
     • identifyingAttribute
       • Used to determine object type in target.
       • Used to query all identifiers in target.
         <!-- Identifies ldap group objects which exist on the target by objectClass attribute value. -->
         <identifyingAttribute name="objectClass" value="${edu.internet2.middleware.psp.groupObjectClass}" />
     • alternateIdentifier – Used for renaming.
         <!-- The "old" ldap group DN if a group has been renamed. -->
         <alternateIdentifier ref="groupDnAlternate" />
         <!-- The "old" ldap group DN calculated from group update change log events. -->
         <alternateIdentifier ref="groupDnAlternateChangeLog" />

  12. PSP Configuration Options – psp.xml (continued)
     • attribute – Name/value pairs for target attributes.
         <!-- The ldap group "description" attribute. -->
         <attribute name="description" ref="groupDescription" />
     • May have references to other objects.
         <!-- The ldap group "member" attribute. -->
         <references name="member">
           <reference ref="membersLdap" toObject="member" />
           <reference ref="membersGsa" toObject="group" />
         </references>

  13. PSP Configuration Options – psp-resolver.xml Configuration for the Shibboleth attribute resolver. Uses Shibboleth data connectors to retrieve source data. Data may be filtered. Produces Shibboleth attribute definitions. Attribute definitions can be used to reformat Grouper data for target optionally using a script. https://spaces.internet2.edu/display/Grouper/Grouper+Shibboleth+Integration

  14. PSP Configuration Options – psp-services.xml Configuration for Shibboleth services such as the attribute resolver, PSP, and provisioning targets.

  15. PSP Configuration Options – psp-internal.xml Bootstraps Shibboleth.

  16. PSP Configuration Options – grouper-loader.properties
     • Configure incremental provisioning
         changeLog.consumer.psp.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
         changeLog.consumer.psp.quartzCron = 0 * * * * ?
         changeLog.consumer.psp.retryOnError = false
     • Configure bulk provisioning
         changeLog.psp.fullSync.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer
         changeLog.psp.fullSync.quartzCron = 0 0 5 * * ?
         changeLog.psp.fullSync.runAtStartup = false
         changeLog.psp.fullSync.omitDiffResponses = true
         changeLog.psp.fullSync.omitSyncResponses = true

  17. Quiz Click on the quiz link in the video description to reinforce your knowledge of this topic.

  18. Thanks!
     • Further information:
       • Infosheets, mailing lists, wiki, downloads, etc.: www.internet2.edu/grouper
       • Grouper demo server: grouperdemo.internet2.edu/
       • Grouper Online Training Home: spaces.internet2.edu/x/IIGfAQ
     This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.
