SmartLdapGroupStore

The SmartLdapGroupStore is an implementation of the uPortal Groups and Permissions (GaP) API developed by Johns Hopkins University for their portal. JHU contributed this technology to the community, and it has been incorporated into uPortal since version 3.1.

Purpose

The SmartLdapGroupStore is designed to discover groups of users maintained within an LDAP directory server. It queries an LDAP data source for a collection of group objects and uses their attributes to re-organize them into a hierarchy. As users log in and use the portal, it uses Person Attributes to determine which of these groups (if any) each user belongs to. This behavior is similar to PAGS. In fact, it is commonly the case that what you might want to do with SmartLdap, you could instead do with PAGS.

The main differences are:

  • SmartLdap is attractive for large numbers of groups (e.g. 200 or so) because PAGS groups must be defined individually
  • SmartLdap can respond to changes in group structure within your directory automatically

Several other implementations of GaP also leverage information from LDAP: LDAPGroupStore, JitLDAPGroupStore, and of course PAGS; each of these is useful in its own way. The role of SmartLdapGroupStore is to host in the portal groups that are defined and maintained entirely in LDAP. You don't have to state explicitly the groups you want to pull in; SmartLdap will automatically fetch all the groups that match the filter expression.

Configuration

SmartLdapGroupStore must coordinate both with your directory server and Person Attributes in the portal, so it's easy to make a mistake setting it up. The following sections describe the necessary steps for using SmartLdap in the portal.

Add SmartLdapGroupStore to Composite Group Services

Add the following entry in uportal-war/src/main/resources/properties/groups/compositeGroupServices.xml:

<service>
  <name>smartldap</name>
  <service_factory>org.jasig.portal.groups.ReferenceIndividualGroupServiceFactory</service_factory>
  <entity_store_factory>org.jasig.portal.groups.smartldap.SmartLdapEntityStore$Factory</entity_store_factory>
  <group_store_factory>org.jasig.portal.groups.smartldap.SmartLdapGroupStore$Factory</group_store_factory>
  <entity_searcher_factory>org.jasig.portal.groups.smartldap.SmartLdapEntitySearcher$Factory</entity_searcher_factory>
  <internally_managed>false</internally_managed>
  <caching_enabled>true</caching_enabled>
</service>

Note

This configuration is probably already in the compositeGroupServices.xml file, but commented-out.


Configure SmartLdapGroupStore

Next, you must configure SmartLdapGroupStore itself in the uportal-war/src/main/resources/properties/contexts/groupsContext.xml file.

Here is a summary of the settings in this file:

  • ldapContext bean – this is (typically) the same bean defined in ldapContext.xml and used by Person Attributes
  • Refresh interval (seconds): how frequently should SmartLdap check for changes to the groups hierarchy?
  • baseGroupDn – this is the base DN under which you want to query for group records (e.g. 'DC=my,DC=university,DC=edu'). Warning: remember this setting is relative to the baseDn for the ldapContext
  • Filter expression that returns the group records you want (e.g. '(objectCategory=group)')
  • Whether you want to resolve member groups outside the original Base DN (true/false)
  • Resolve DN: another Base DN for resolving member groups if resolve (above) is true
  • Name of the Person Attribute on each user that contains the distinguishedName of each group he/she is a member of (e.g. 'memberOf')
  • (see Note below) Name of the LDAP attribute on each group that contains its distinguishedName (e.g. 'distinguishedName')
  • (see Note below) Name of the LDAP attribute on each group that contains its human-readable name (e.g. 'cn')
  • (see Note below) Name of the LDAP attribute on each group that contains the distinguishedName of each of its members (e.g. 'member')


Note

If your LDAP schema doesn't manage groups and their relationships to each other in this way, you can implement a custom org.springframework.ldap.core.AttributesMapper class that bridges the difference.
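The discovery and membership logic the settings above describe, as an added Python illustration (this is not uPortal's own SmartLdapGroupStore code): it builds the group hierarchy from constructed group records using the distinguishedName, cn and member attributes, applies the resolve / Resolve DN rule to member groups outside the base DN, and resolves a user's memberOf Person Attribute to the full set of hosted groups, including parents, while stopping on cyclic member references. The LDAP search is replaced by an embedded sample; the base DN, resolve DN and all group and user DNs are constructed.

```python
from collections import deque

BASE_GROUP_DN = "OU=Groups,DC=my,DC=university,DC=edu"  # assumed baseGroupDn
RESOLVE_DN = "OU=External,DC=my,DC=university,DC=edu"   # assumed Resolve DN
STAFF = "CN=Staff," + BASE_GROUP_DN
IT_STAFF = "CN=IT Staff," + BASE_GROUP_DN
CONTRACTORS = "CN=Contractors," + RESOLVE_DN

# Constructed sample of what a '(objectCategory=group)' search could return;
# each record carries the three attributes SmartLdap is configured to read.
GROUP_RECORDS = [
    {"distinguishedName": STAFF, "cn": "Staff", "member": [IT_STAFF, CONTRACTORS]},
    {"distinguishedName": IT_STAFF, "cn": "IT Staff",
     "member": [STAFF, "CN=jdoe,OU=People,DC=my,DC=university,DC=edu"]},  # cycle + a user
    {"distinguishedName": CONTRACTORS, "cn": "Contractors", "member": []},
]

def in_subtree(dn, base_dn):
    """True when dn lies under base_dn (plain string match; DNs assumed normalised)."""
    return dn.lower().endswith("," + base_dn.lower())

def build_hierarchy(records, base_group_dn, resolve_member_groups, resolve_dn):
    """Return {group DN: [child group DNs]} for the groups SmartLdap would host.
    Groups under base_group_dn are always included; groups elsewhere only when
    resolve_member_groups is set and they lie under resolve_dn. Member DNs that
    are not discovered groups (typically users) are dropped from the tree."""
    hosted = {r["distinguishedName"] for r in records
              if in_subtree(r["distinguishedName"], base_group_dn)
              or (resolve_member_groups and in_subtree(r["distinguishedName"], resolve_dn))}
    return {r["distinguishedName"]: [m for m in r.get("member", []) if m in hosted]
            for r in records if r["distinguishedName"] in hosted}

def groups_for_user(member_of, hierarchy):
    """Resolve a user's memberOf values (the Person Attribute) to every hosted
    group they belong to, including ancestors, since membership in a child group
    implies membership in its parents. The seen set ends the walk on cycles."""
    parents_of = {}
    for parent, children in hierarchy.items():
        for child in children:
            parents_of.setdefault(child, []).append(parent)
    seen, queue = set(), deque(dn for dn in member_of if dn in hierarchy)
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        queue.extend(parents_of.get(dn, []))
    return seen
```

Because the sample directory lists Staff and IT Staff as members of each other, the walk terminates but the two groups become equivalent for membership purposes: a Contractors member resolves to IT Staff as well. Such cycles in the member attribute are worth auditing in the directory before the groups are used for permissions.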

Configure personDirectoryContext.xml

You must define a Person Attribute that contains the distinguishedName of each group the user is a member of, and its name must match the one configured above.