diff --git a/base/Dockerfile b/base/Dockerfile index 0bc1948..e861680 100644 --- a/base/Dockerfile +++ b/base/Dockerfile @@ -49,11 +49,6 @@ RUN cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG \ COPY container_files/conf/* /opt/grouper/grouper.apiBinary/conf/ -RUN rm /opt/grouper/grouper.apiBinary/conf/sources.xml \ - /opt/grouper/grouper.ui/WEB-INF/classes/sources.xml \ - /opt/grouper/grouper.ws/WEB-INF/classes/sources.xml \ - /opt/grouper/grouper.scim/WEB-INF/classes/sources.xml - RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \ && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \ (mysqld_safe & ) \ diff --git a/base/container_files/conf/grouper-loader.properties b/base/container_files/conf/grouper-loader.properties new file mode 100644 index 0000000..7924419 --- /dev/null +++ b/base/container_files/conf/grouper-loader.properties @@ -0,0 +1,73 @@ +#specify the consumers here. specify the consumer name after the changeLog.consumer. part. This example is "psp" +#but it could be changeLog.consumer.myConsumerName.class +#the class must extend edu.internet2.middleware.grouper.changeLog.ChangeLogConsumerBase +#changeLog.consumer.psp.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer + +#the quartz cron is a cron-like string. it defaults to every minute on the minute (since the temp to change log job runs +#at 10 seconds to each minute). it defaults to this: 0 * * * * ? +#though it will stagger each one by 2 seconds +# http://www.quartz-scheduler.org/documentation/quartz-1.x/tutorials/crontrigger +#changeLog.consumer.psp.quartzCron = 0 * * * * ? + +# To retry processing a change log entry if an error occurs, set retryOnError to true. Defaults to false. +#changeLog.consumer.psp.retryOnError = false + +# To run full provisioning synchronizations periodically, provide the class name which provides a 'public void fullSync()' method. +#changeLog.psp.fullSync.class = edu.internet2.middleware.psp.grouper.PspChangeLogConsumer + +# Schedule full synchronizations. Defaults to 5 am : 0 0 5 * * ?. +#changeLog.psp.fullSync.quartzCron = 0 0 5 * * ? + +# Run a full synchronization job at startup. Defaults to false. +#changeLog.psp.fullSync.runAtStartup = false + +# Omit diff responses from bulk response to conserve memory. +#changeLog.psp.fullSync.omitDiffResponses = true + +# Omit sync responses from bulk response to conserve memory. +#changeLog.psp.fullSync.omitSyncResponses = true + +################################# +## LDAP connections +################################# +# specify the ldap connection with user, pass, url +# the string after "ldap." is the ID of the connection, and it should not have +# spaces or other special chars in it. In this case is it "personLdap" + +#note the URL should start with ldap: or ldaps: if it is SSL. +#It should contain the server and port (optional if not default), and baseDn, +#e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu +ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu + +#optional, if authenticated +ldap.demo.user = cn=root,dc=internet2,dc=edu + +#optional, if authenticated note the password can be stored encrypted in an external file +ldap.demo.pass = password + +#optional, if you are using tls, set this to true. Generally you will not be using an SSL URL to use TLS... +ldap.demo.tls = false + +#optional, if using sasl +#ldap.personLdap.saslAuthorizationId = +#ldap.personLdap.saslRealm = + +#optional (note, time limit is for search operations, timeout is for connection timeouts), +#most of these default to vt-ldap defaults. times are in millis +#validateOnCheckout defaults to true if all other validate methods are false +#ldap.personLdap.batchSize = +#ldap.personLdap.countLimit = +#ldap.personLdap.timeLimit = +#ldap.personLdap.timeout = +#ldap.personLdap.minPoolSize = +#ldap.personLdap.maxPoolSize = +#ldap.personLdap.validateOnCheckIn = +#ldap.personLdap.validateOnCheckOut = +#ldap.personLdap.validatePeriodically = +#ldap.personLdap.validateTimerPeriod = +#ldap.personLdap.pruneTimerPeriod = +#if connections expire after a certain amount of time, this is it, in millis, defaults to 300000 (5 minutes) +#ldap.personLdap.expirationTime = + +#make the paths fully qualified and not relative to the loader group. +loader.ldap.requireTopStemAsStemFromConfigGroup=false diff --git a/base/container_files/conf/subject.properties b/base/container_files/conf/subject.properties index 5ef2de5..8b2096e 100644 --- a/base/container_files/conf/subject.properties +++ b/base/container_files/conf/subject.properties @@ -1,23 +1,23 @@ -subject.sources.xml.location = - subjectApi.source.ldap.id = ldap subjectApi.source.ldap.name = EDU Ldap subjectApi.source.ldap.types = person subjectApi.source.ldap.adapterClass = edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter -subjectApi.source.ldap.param.INITIAL_CONTEXT_FACTORY.value = com.sun.jndi.ldap.LdapCtxFactory -subjectApi.source.ldap.param.PROVIDER_URL.value = ldap://localhost:389 -subjectApi.source.ldap.param.SECURITY_AUTHENTICATION.value = simple -subjectApi.source.ldap.param.SECURITY_PRINCIPAL.value = cn=admin,dc=internet2,dc=edu -subjectApi.source.ldap.param.SECURITY_CREDENTIALS.value = password +subjectApi.source.ldap.param.ldapServerId.value = demo subjectApi.source.ldap.param.SubjectID_AttributeType.value = uid subjectApi.source.ldap.param.SubjectID_formatToLowerCase.value = false subjectApi.source.ldap.param.Name_AttributeType.value = cn subjectApi.source.ldap.param.Description_AttributeType.value = cn subjectApi.source.ldap.param.VTLDAP_VALIDATOR.value = ConnectLdapValidator -subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('employeeNumber'), "")} + +subjectApi.source.ldap.param.SubjectID_AttributeType.value = uid +subjectApi.source.ldap.param.SubjectID_formatToLowerCase.value = false +subjectApi.source.ldap.param.Name_AttributeType.value = cn +subjectApi.source.ldap.param.Description_AttributeType.value = cn +subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('exampleEduRegId'), "")} subjectApi.source.ldap.param.sortAttribute0.value = cn subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0 + # STATUS SECTION for searches to filter out inactives and allow # the user to filter by status with e.g. status=all # this is optional, and advanced @@ -55,7 +55,7 @@ subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber # Each subject has one and only on ID. Returns one result when searching for one ID. subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectclass=person)) subjectApi.source.ldap.search.searchSubject.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=internet2,dc=edu +subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people #searchSubjectByIdentifier: find a subject by identifier. Identifier is anything that uniquely # identifies the user, e.g. jsmith or jsmith@institution.edu. @@ -63,12 +63,12 @@ subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=inte # even across sources. Returns one result when searching for one identifier. subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person)) subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu +subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people # search: find subjects by free form search. Returns multiple results. subjectApi.source.ldap.search.search.param.filter.value = (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person)) subjectApi.source.ldap.search.search.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.search.param.base.value = ou=people,dc=internet2,dc=edu +subjectApi.source.ldap.search.search.param.base.value = ou=people subjectApi.source.ldap.internalAttributes = searchAttribute0 diff --git a/ex401/ex401.1.1/container_files/grouper-loader.properties b/ex401/ex401.1.1/container_files/grouper-loader.properties index ae41ed1..7924419 100644 --- a/ex401/ex401.1.1/container_files/grouper-loader.properties +++ b/ex401/ex401.1.1/container_files/grouper-loader.properties @@ -37,7 +37,7 @@ #note the URL should start with ldap: or ldaps: if it is SSL. #It should contain the server and port (optional if not default), and baseDn, #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu -ldap.demo.url = ldap://localhost:389/ +ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu #optional, if authenticated ldap.demo.user = cn=root,dc=internet2,dc=edu diff --git a/ex401/ex401.1.1/container_files/subject.properties b/ex401/ex401.1.1/container_files/subject.properties index 313937a..af7911a 100644 --- a/ex401/ex401.1.1/container_files/subject.properties +++ b/ex401/ex401.1.1/container_files/subject.properties @@ -1,21 +1,19 @@ -subject.sources.xml.location = - subjectApi.source.ldap.id = ldap subjectApi.source.ldap.name = EDU Ldap subjectApi.source.ldap.types = person subjectApi.source.ldap.adapterClass = edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter -subjectApi.source.ldap.param.INITIAL_CONTEXT_FACTORY.value = com.sun.jndi.ldap.LdapCtxFactory -subjectApi.source.ldap.param.PROVIDER_URL.value = ldap://localhost:389 -subjectApi.source.ldap.param.SECURITY_AUTHENTICATION.value = simple -subjectApi.source.ldap.param.SECURITY_PRINCIPAL.value = cn=admin,dc=internet2,dc=edu -subjectApi.source.ldap.param.SECURITY_CREDENTIALS.value = password +subjectApi.source.ldap.param.ldapServerId.value = demo subjectApi.source.ldap.param.SubjectID_AttributeType.value = uid subjectApi.source.ldap.param.SubjectID_formatToLowerCase.value = false -subjectApi.source.ldap.param.Name_AttributeType.value = displayName -subjectApi.source.ldap.param.Description_AttributeType.value = displayName +subjectApi.source.ldap.param.Name_AttributeType.value = cn +subjectApi.source.ldap.param.Description_AttributeType.value = cn subjectApi.source.ldap.param.VTLDAP_VALIDATOR.value = ConnectLdapValidator -subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('employeeNumber'), "")} -subjectApi.source.ldap.param.subjectVirtualAttribute_1_displayName.value = ${subject.getAttributeValueOrCommaSeparated('cn') + ' (' + subject.getAttributeValueOrCommaSeparated('title') + ')'} + +subjectApi.source.ldap.param.SubjectID_AttributeType.value = uid +subjectApi.source.ldap.param.SubjectID_formatToLowerCase.value = false +subjectApi.source.ldap.param.Name_AttributeType.value = cn +subjectApi.source.ldap.param.Description_AttributeType.value = cn +subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('exampleEduRegId'), "")} subjectApi.source.ldap.param.sortAttribute0.value = cn subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0 @@ -56,7 +54,7 @@ subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber # Each subject has one and only on ID. Returns one result when searching for one ID. subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectclass=person)) subjectApi.source.ldap.search.searchSubject.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=internet2,dc=edu +subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people #searchSubjectByIdentifier: find a subject by identifier. Identifier is anything that uniquely # identifies the user, e.g. jsmith or jsmith@institution.edu. @@ -64,13 +62,13 @@ subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=inte # even across sources. Returns one result when searching for one identifier. subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person)) subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu +subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people # search: find subjects by free form search. Returns multiple results. subjectApi.source.ldap.search.search.param.filter.value = (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person)) subjectApi.source.ldap.search.search.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.search.param.base.value = ou=people,dc=internet2,dc=edu +subjectApi.source.ldap.search.search.param.base.value = ou=people subjectApi.source.ldap.attributes = givenName, sn, cn, uid, mail, employeeNumber, title subjectApi.source.ldap.internalAttributes = searchAttribute0 diff --git a/ex401/ex401.1.4/container_files/grouper-loader.properties b/ex401/ex401.1.4/container_files/grouper-loader.properties index fb60438..ae032ff 100644 --- a/ex401/ex401.1.4/container_files/grouper-loader.properties +++ b/ex401/ex401.1.4/container_files/grouper-loader.properties @@ -37,7 +37,7 @@ #note the URL should start with ldap: or ldaps: if it is SSL. #It should contain the server and port (optional if not default), and baseDn, #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu -ldap.demo.url = ldap://localhost:389/ +ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu #optional, if authenticated ldap.demo.user = cn=root,dc=internet2,dc=edu diff --git a/ex401/ex401.2.3/container_files/grouper-loader.properties b/ex401/ex401.2.3/container_files/grouper-loader.properties index 6df4abe..8a4c72d 100644 --- a/ex401/ex401.2.3/container_files/grouper-loader.properties +++ b/ex401/ex401.2.3/container_files/grouper-loader.properties @@ -37,7 +37,7 @@ #note the URL should start with ldap: or ldaps: if it is SSL. #It should contain the server and port (optional if not default), and baseDn, #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu -ldap.demo.url = ldap://localhost:389/ +ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu #optional, if authenticated ldap.demo.user = cn=root,dc=internet2,dc=edu diff --git a/ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh b/ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh index 0c07f9d..e3d5848 100644 --- a/ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh +++ b/ex401/ex401.2.end/container_files/seed-data/bootstrap.gsh @@ -1 +1,5 @@ gs = GrouperSession.startRootSession(); + +addMember("app:mfa:mfa_enabled_allow", "ref:faculty"); +addMember("app:mfa:mfa_enabled_allow", "ref:staff"); +addMember("app:mfa:mfa_enabled_allow", "ref:student"); diff --git a/full-demo/container_files/grouper-loader.properties b/full-demo/container_files/grouper-loader.properties index fbf9c2b..e5c004e 100644 --- a/full-demo/container_files/grouper-loader.properties +++ b/full-demo/container_files/grouper-loader.properties @@ -37,7 +37,7 @@ #note the URL should start with ldap: or ldaps: if it is SSL. #It should contain the server and port (optional if not default), and baseDn, #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu -ldap.demo.url = ldap://localhost:389/ +ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu #optional, if authenticated ldap.demo.user = cn=root,dc=internet2,dc=edu diff --git a/full-demo/container_files/subject.properties b/full-demo/container_files/subject.properties index bc0ccdf..d899efd 100644 --- a/full-demo/container_files/subject.properties +++ b/full-demo/container_files/subject.properties @@ -1,23 +1,23 @@ -subject.sources.xml.location = - subjectApi.source.ldap.id = ldap subjectApi.source.ldap.name = EDU Ldap subjectApi.source.ldap.types = person subjectApi.source.ldap.adapterClass = edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter -subjectApi.source.ldap.param.INITIAL_CONTEXT_FACTORY.value = com.sun.jndi.ldap.LdapCtxFactory -subjectApi.source.ldap.param.PROVIDER_URL.value = ldap://localhost:389 -subjectApi.source.ldap.param.SECURITY_AUTHENTICATION.value = simple -subjectApi.source.ldap.param.SECURITY_PRINCIPAL.value = cn=admin,dc=internet2,dc=edu -subjectApi.source.ldap.param.SECURITY_CREDENTIALS.value = password +subjectApi.source.ldap.param.ldapServerId.value = demo subjectApi.source.ldap.param.SubjectID_AttributeType.value = uid subjectApi.source.ldap.param.SubjectID_formatToLowerCase.value = false subjectApi.source.ldap.param.Name_AttributeType.value = cn subjectApi.source.ldap.param.Description_AttributeType.value = cn subjectApi.source.ldap.param.VTLDAP_VALIDATOR.value = ConnectLdapValidator -subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('employeeNumber'), "")} + +subjectApi.source.ldap.param.SubjectID_AttributeType.value = uid +subjectApi.source.ldap.param.SubjectID_formatToLowerCase.value = false +subjectApi.source.ldap.param.Name_AttributeType.value = cn +subjectApi.source.ldap.param.Description_AttributeType.value = cn +subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('exampleEduRegId'), "")} subjectApi.source.ldap.param.sortAttribute0.value = cn subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0 + # STATUS SECTION for searches to filter out inactives and allow # the user to filter by status with e.g. status=all # this is optional, and advanced @@ -55,7 +55,7 @@ subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber # Each subject has one and only on ID. Returns one result when searching for one ID. subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectclass=person)) subjectApi.source.ldap.search.searchSubject.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=internet2,dc=edu +subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people #searchSubjectByIdentifier: find a subject by identifier. Identifier is anything that uniquely # identifies the user, e.g. jsmith or jsmith@institution.edu. @@ -63,13 +63,13 @@ subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=inte # even across sources. Returns one result when searching for one identifier. subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person)) subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu +subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people # search: find subjects by free form search. Returns multiple results. subjectApi.source.ldap.search.search.param.filter.value = (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person)) subjectApi.source.ldap.search.search.param.scope.value = SUBTREE_SCOPE -subjectApi.source.ldap.search.search.param.base.value = ou=people,dc=internet2,dc=edu +subjectApi.source.ldap.search.search.param.base.value = ou=people subjectApi.source.ldap.attributes = givenName, sn, uid, mail, employeeNumber subjectApi.source.ldap.internalAttributes = searchAttribute0