SmartLdapGroupStore
SmartLdapGroupStore has been incorporated into uPortal 3.1. The files attached to this page pertain to uPortal version 2.x.
The SmartLdapGroupStore is an implementation of the uPortal Groups and Permissions (GaP) API developed by Johns Hopkins University for their portal. JHU would like to contribute this technology to the community, either as a patch or as a part of an existing JA-SIG project. All source files (code and configuration) are attached to this wiki page.
Purpose
The SmartLdapGroupStore is designed to discover information about groups of users defined within an LDAP directory server. It queries an LDAP data source for a collection of group objects and uses their attributes to organize them into a hierarchy. It uses Person Attributes to determine which users belong to these groups.
Although there are existing implementations of GaP that can leverage information from LDAP in some fashion - PAGS, LDAPGroupStore, JitLDAPGroupStore - none of them can do what SmartLdapGroupStore does: discover groups. They all rely on local configuration where they groups they support must be defined explicitly.
Configuration
SmartLdapGroupStore must be tightly coordinated with your directory server, and therefore configuring it appropriately isn't trivial.
Add SmartLdapGroupStore to Composite Group Services
Add the following entry in properties/groups/compositeGroupServices.xml
:
<service> <name>smartldap</name> <service_factory>org.jasig.portal.groups.ReferenceIndividualGroupServiceFactory</service_factory> <entity_store_factory>org.jasig.portal.groups.smartldap.SmartLdapEntityStore$Factory</entity_store_factory> <group_store_factory>org.jasig.portal.groups.smartldap.SmartLdapGroupStore$Factory</group_store_factory> <entity_searcher_factory>org.jasig.portal.groups.smartldap.SmartLdapEntitySearcher$Factory</entity_searcher_factory> <internally_managed>false</internally_managed> <caching_enabled>true</caching_enabled> </service>
Configure SmartLdapGroupStore
You must configure SmartLdapGroupStore itself in the properties/groups/SmartLdapGroupStoreConfig.xml
file.
In summary, you must tell it:
- how to connect to the directory
- the Base DN under which you want to query for group records (e.g. '
DC=my,DC=university,DC=edu
') - the Filter expression that returns the group records you want (e.g. '
(objectCategory=group)
') - the name of the Person Attribute on each user that contains the
distinguishedName
of each group he/she is a member of (e.g. 'memberOf
') - (see Note below) the name of the LDAP attribute on each group that contains its
distinguishedName
(e.g. 'distinguishedName
') - (see Note below) the name of the LDAP attribute on each group that contains its human-readable name (e.g. '
cn
') - (see Note below) the name of the LDAP attribute on each group that contains the
distinguishedName
of each of its members (e.g. 'member
')Note
If your LDAP schema doesn't manage groups and their relationships to each other in this way, you can implement a custom
org.springframework.ldap.core.AttributesMapper
class that bridges the difference.
Configure personDirectoryContext.xml
You must define a Person Attribute that contains the distinguishedName
of each group he/she is a member of, and it must have the name described above.