SmartLdapGroupStore

SmartLdapGroupStore has been incorporated into uPortal 3.1. The files attached to this page pertain to uPortal version 2.x.

The SmartLdapGroupStore is an implementation of the uPortal Groups and Permissions (GaP) API developed by Johns Hopkins University for their portal. JHU would like to contribute this technology to the community, either as a patch or as a part of an existing JA-SIG project. All source files (code and configuration) are attached to this wiki page.

Purpose

The SmartLdapGroupStore is designed to discover information about groups of users defined within an LDAP directory server. It queries an LDAP data source for a collection of group objects and uses their attributes to organize them into a hierarchy. It uses Person Attributes to determine which users belong to these groups.

Although there are existing implementations of GaP that can leverage information from LDAP in some fashion - PAGS, LDAPGroupStore, JitLDAPGroupStore - none of them can do what SmartLdapGroupStore does: discover groups. They all rely on local configuration in which the groups they support must be defined explicitly.

Configuration

SmartLdapGroupStore must be tightly coordinated with your directory server, and therefore configuring it appropriately isn't trivial.

Add SmartLdapGroupStore to Composite Group Services

Add the following entry in properties/groups/compositeGroupServices.xml:

<service>
  <name>smartldap</name>
  <service_factory>org.jasig.portal.groups.ReferenceIndividualGroupServiceFactory</service_factory>
  <entity_store_factory>org.jasig.portal.groups.smartldap.SmartLdapEntityStore$Factory</entity_store_factory>
  <group_store_factory>org.jasig.portal.groups.smartldap.SmartLdapGroupStore$Factory</group_store_factory>
  <entity_searcher_factory>org.jasig.portal.groups.smartldap.SmartLdapEntitySearcher$Factory</entity_searcher_factory>
  <internally_managed>false</internally_managed>
  <caching_enabled>true</caching_enabled>
</service>

Configure SmartLdapGroupStore

You must configure SmartLdapGroupStore itself in the properties/groups/SmartLdapGroupStoreConfig.xml file.

In summary, you must tell it:

  • how to connect to the directory
  • the Base DN under which you want to query for group records (e.g. 'DC=my,DC=university,DC=edu')
  • the Filter expression that returns the group records you want (e.g. '(objectCategory=group)')
  • the name of the Person Attribute on each user that contains the distinguishedName of each group he/she is a member of (e.g. 'memberOf')
  • (see Note below) the name of the LDAP attribute on each group that contains its distinguishedName (e.g. 'distinguishedName')
  • (see Note below) the name of the LDAP attribute on each group that contains its human-readable name (e.g. 'cn')
  • (see Note below) the name of the LDAP attribute on each group that contains the distinguishedName of each of its members (e.g. 'member')

    Note

    If your LDAP schema doesn't manage groups and their relationships to each other in this way, you can implement a custom org.springframework.ldap.core.AttributesMapper class that bridges the difference.
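The discovery step described above, as an added Python model that is not code from SmartLdapGroupStore or uPortal: it builds the group hierarchy from the group records' distinguishedName and member attributes, then resolves a user's groups from the memberOf Person Attribute. The group records, DNs and attribute names are constructed sample values, and treating nested membership as transitive (a member of a child group also belongs to its containing groups) is an assumption.

```python
# Added example (not SmartLdapGroupStore code): organise LDAP group records
# into a hierarchy and resolve a user's memberships from a Person Attribute.
from collections import deque

# Constructed sample of what a search under 'DC=my,DC=university,DC=edu'
# with filter '(objectCategory=group)' might return.
GROUP_RECORDS = [
    {"distinguishedName": "CN=Staff,OU=Groups,DC=my,DC=university,DC=edu",
     "cn": "Staff",
     "member": ["CN=Faculty,OU=Groups,DC=my,DC=university,DC=edu",
                "CN=jdoe,OU=People,DC=my,DC=university,DC=edu"]},
    {"distinguishedName": "CN=Faculty,OU=Groups,DC=my,DC=university,DC=edu",
     "cn": "Faculty",
     "member": ["CN=asmith,OU=People,DC=my,DC=university,DC=edu"]},
    {"distinguishedName": "CN=Students,OU=Groups,DC=my,DC=university,DC=edu",
     "cn": "Students",
     "member": []},
]

def build_hierarchy(records, dn_attr="distinguishedName", member_attr="member"):
    """Return (groups, children): groups maps a normalised DN to its record;
    children maps a group DN to the DNs of its members that are groups.
    Members whose DN is not in the result set (users, other objects) are
    not part of the hierarchy. DN comparison is simplified to lower-casing."""
    groups = {r[dn_attr].lower(): r for r in records}
    children = {dn: [] for dn in groups}
    for dn, rec in groups.items():
        for member in rec.get(member_attr, []):
            if member.lower() in groups:
                children[dn].append(member.lower())
    return groups, children

def user_groups(person_attrs, groups, children, memberof_attr="memberOf"):
    """Resolve the names of all groups a user belongs to: direct memberships
    from the Person Attribute plus every containing group above them
    (assumed transitive). The visited set also stops on cyclic nesting."""
    parents = {dn: [] for dn in groups}
    for parent, kids in children.items():
        for kid in kids:
            parents[kid].append(parent)
    found = set()
    queue = deque(dn.lower() for dn in person_attrs.get(memberof_attr, []))
    while queue:
        dn = queue.popleft()
        if dn in groups and dn not in found:
            found.add(dn)
            queue.extend(parents[dn])
    return sorted(groups[dn]["cn"] for dn in found)
```

A memberOf value that names a DN outside the discovered set is ignored, which is why the Base DN and Filter must cover every group the portal is expected to see.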

Configure personDirectoryContext.xml

You must define a Person Attribute that contains the distinguishedName of each group the user is a member of, and it must have the name described above.