Work in progress
This is the app that we intend to use for all our group management.
We will run this on an Ubuntu 12.04 VM.
I would like to stick as much as possible to Ubuntu provided packages, preferably the latest versions of everything. Confirmed on the list that Grouper can run fine with OpenJDK, so no need for the
Sun Oracle Java stuff any more (which was tedious to install and update since Oracle ended their Operating System Distributor License for Java in August 2011). So, at the moment it looks like we're going to use:
- Tomcat 6.0.35 (v7 does not work with Grouper - yet)
- PostgreSQL 9.1.4
- Ant 1.8.2
- OpenJDK 7u3
This page describes how to get all the various components installed and running on a pristine Ubuntu 12.04 system.
This is the core, and consists of a database and the
grouper/ directory in the repository - which is downloaded later.
apt-get install --no-install-recommends subversion postgresql libpgjava tomcat6 openjdk-7-jdk ant
Remove the old JRE:
apt-get purge openjdk-6-jre-headless
Now download the source code, in this case we're fetching the latest version of the 2.1 branch, and stick that under
cd /opt
svn co http://anonsvn.internet2.edu/svn/i2mi/tags/GROUPER_2_1_BRANCH/
Create the PostgreSQL database and credentials:
sudo su - postgres
createuser -D -I -R -S -P grouper_user
createdb -O grouper_user -T template0 grouper
exit
Because we run our databases on IPv6 only, we have to edit
/etc/postgresql/9.1/main/postgresql.conf to list:
listen_addresses = '::'
Copy the default hibernate config file:
cd /opt/GROUPER_2_1_BRANCH/grouper/conf
cp grouper.hibernate.example.properties grouper.hibernate.properties
and edit accordingly. Note that the values should not be enclosed in quotes:
# Example:
hibernate.connection.url = jdbc:postgresql://ip6-localhost:5432/grouper
hibernate.connection.username = grouper_user
hibernate.connection.password = hackme
Change all (6) occurrences of the version string "1.5" into "1.7" in build.xml:
sed -i -e 's/"1\.5"/"1.7"/g' build.xml
Symlink the database driver:
ln -s /usr/share/java/postgresql-jdbc4.jar /opt/GROUPER_2_1_BRANCH/grouper/lib/custom/
cd /opt/GROUPER_2_1_BRANCH/grouper
ant dist
Create the database structure:
bin/gsh.sh -registry -runscript
Check if this went OK:
bin/gsh.sh -registry -check
Run the tests. This is an extensive test suite - on a powerful VM it took me about one hour:
bin/gsh.sh -test -all
No errors should be reported in the end.
Configure the subject source(s)
At this stage the database structure is in place to manage groups, but obviously you need something to group.
Often you'll want to group users together. In Grouper-speak users are called subjects.
Grouper needs to know about the subjects before it can group them. This is done by configuring one or more subject sources.
There are several options: let Grouper look stuff up in a directory, an SQL database, etc, depending on the local situation.
users subjects are stored in a PostgreSQL database on a remote server. I created a dedicated view in the database, just for Grouper, which is handy because you can add whatever you like, without affecting the rest of the database.
This is the web interface that comes as another java app, and sits in
/grouper-ui of the repository.
First change the version statement to 1.7 to make sure it works with JDK1.7:
cd /opt/GROUPER_2_1_BRANCH/grouper-ui
sed -i -e 's/"1\.5"/"1.7"/g' build.xml
Compile the app:
Create a file
/etc/tomcat6/Catalina/localhost/grouper.xml with this content:
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/grouper" docBase="/opt/GROUPER_2_1_BRANCH/grouper-ui/dist/grouper" reloadable="false" />
Edit /etc/tomcat6/tomcat-users.xml so that there is a user called GrouperSystem, with a secure password:
<tomcat-users>
  <role rolename="grouper_user"/>
  <user username="GrouperSystem" password="hackme" roles="grouper_user"/>
</tomcat-users>
Change the permissions on the logging directory:
chown tomcat6:tomcat6 /opt/GROUPER_2_1_BRANCH/grouper/logs
service tomcat6 restart
You should now be able to go to http://<yourservername>:8080/grouper-ui/
and log in.
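The steps above leave cleartext passwords in grouper.hibernate.properties and tomcat-users.xml. The following check is an added example, not part of the original guide or of Grouper; the function name check_secret_file and the rules it applies (no access for "other" users, no sample or empty password left in place) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide. Audits the files in which this
# guide stores cleartext passwords. The rules are assumptions, not Grouper's.

# check_secret_file FILE: print one finding per line; return 1 if any were found.
check_secret_file() {
    local file="$1" rc=0 other
    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    # Characters 8-10 of the ls mode string are the permissions for "other".
    other=$(ls -ld "$file" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "PERMS $file grants '$other' to other users"
        rc=1
    fi
    # The guide's sample password, or an empty one, is still in place.
    if grep -Eq -e '^[[:space:]]*hibernate\.connection\.password[[:space:]]*=[[:space:]]*(hackme)?[[:space:]]*$' \
                -e 'password="(hackme)?"' "$file"; then
        echo "PLACEHOLDER $file still has the sample or an empty password"
        rc=1
    fi
    # The guide notes that property values must not be enclosed in quotes.
    if grep -Eq '^[[:space:]]*hibernate\.connection\.[a-z_]+[[:space:]]*=[[:space:]]*["'\'']' "$file"; then
        echo "QUOTED $file has a quoted hibernate.connection value"
        rc=1
    fi
    return $rc
}

# Usage: bash audit.sh FILE...   (with no arguments only the function is defined)
status=0
for f in "$@"; do
    check_secret_file "$f" || status=1
done
[ "$#" -eq 0 ] || exit "$status"
```

Run it as root against /opt/GROUPER_2_1_BRANCH/grouper/conf/grouper.hibernate.properties and /etc/tomcat6/tomcat-users.xml after editing them.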
This is optional, but good practice for security considerations. All the Java stuff can run on unprivileged ports, and Apache faces the internet.
cd /etc/apache2
a2enmod proxy_ajp
Configure SSL certificates etc