scim integration

98c91d14 · benjamin.ertl · 6291efc1 · 6291efc1 · 98c91d14 · 98c91d14
Commit 98c91d14 authored May 18, 2016 by benjamin.ertl
20 changed files
--- a/assertions/fbhcfgee
+++ b/assertions/fbhcfgee
-H6GNGExp4J8vHLeTGCaV86oeLsJfYXpYHoldMn6TckgUiapgt-ctIRHdRbIKasYW8rvsZufORIw_
-ylH6fLW4SH3WUNw4LrnsrLq9CwtnSpd2bNRBXgS9mDx9oMUfbCLnh28GU9JYBIObpFiPDZRBMRzB
-Jtemq5e7T3EFOGReOFf8YAWYVbJ7kl10C8O65A3SXU3nTD2q8HFJgnBpl4tLdygXS5PJHjZ77I5N
-cc6SI0DWgiv6AhNfs1nC1Hll7ouCC9JYebDrgGZ76yBJOEkms6v8yV1WFG4kd8QYnhmWHSOJ3ZpX
-92kP9U-ywE03VvJnvSpFB4YoS6jYJBThPL0o1e4HKy9zns3LUpeH3N37JLXxWIXv_UBh6pli4Jnk
-f1mDRgtEN9rRSHaILO1ACb2JbECXBTkfhN153CjO4DYkvaRFFw0KXnZqbEs_O49QfccKVuxj8JnZ
-BEyYYOUY5BoiTsRc3fIhotXKlWD5QBsjXB2EcuFYBujLx6z8Xxg-fDYaFgMQXTKJxmkbg4EJHLoG
-L02ar7-U_c0h2J6ewyZDg3O3vALxNuOz18rwlXm7x-3hqoIIvmice4XUnmuJTRz1At8OeBx7P2_E
-uqMMUWoPW-B3JkYTUjkxom-lm7pMwWdRxBCYEpvsKswrA2HlwN3EvciU3ZkxcFw3ckhlVsdOpWCF
-LxGT5x2d4Yp9TWANNIosG9gQrHTZk7FB_JHhJCiftxBkR9j51yKejWWr7zIkRQdagXlXdkzcVhUz
-XrKFYTLqKZRXWUxNhc4SeX2QqVXB1XAGzmebuK4K8FvoPB-T1aDFqqDF6MuHG3OnESkIrRODQsux
-h9gV1zwrSKJbhYb3q4sTz7iRkYpy7yjVF9TgDczQI8SLoW5XyOgrrKxOCbkq_1E23rLANJSVFY0X
-Hfh3U5uAzgqzWLf7vc9x-22uVKkWmCa428_mjq44J1whm_GwCpznij8agEn6mKxlY6Bnnro5VQft
-m-ypsnqQnUtYZr2tRBUrlUTCTG4jthlKtu1RbVahOwk8GYtcX4nEuWceOTPiz3iQB5KYylv8GoDM
-EX5zrLTfWfBHoHcMpQO7QtiMfygsgop6Pf165XkTBv396Atp2Y-yWGbLcR7tvYsDBAvQ6Z5bsZSf
-tKiTECQEtVp7d5_aZSVZElyT2qQtolAHygwzBQKizzCSFgDpg7asXtElR3JMmBXt8uuQ-z6mR54z
-zvQgiTL4Q5l9A_NMqMtxaKw1ws6YuFbkorNZjm_c0i_eIJSbYdNqKGco2rG-z2eshdSZPyBBTfyv
-MaFyR8GAGeJhdCWE9PkTq4jyHIVzs6hKc9OuzqT_oVt5fJVOhzSLrB3ptrNbJdrZt3PHJFYiaHdP
-YGs3Y9GFpIYzRoLiidPVFuCWkRfZCbjKftvc_70yetgF3nx1c2_tseB_1vKV-udQMJhFbeiVOpA9
-tSti_NX_q3iRAmXo5jCrZEYBt1I7SjUn3suvkkVna-UaiUeoncl8ATg22_F7lv1nKUZJ32bpKeTb
-7WY-wAYYqebb_Hj-bH7BIX9sv1768buLM_XmiOBGydx1AmDHvpiboR8-9UdW02n5AnOrWh4JVcYA
-e9vGhHQZjo2hPRGy2cMmzAaVxhZkJTYCcwH-yvQwIgIE1cxjDnXv9bZWrZZeRpWdaaumEyXfUZv4
-_zik7-8AJuBjlczb6v63nNa1BUzMAXjXQ2G8U07EV0d_CzzU4mcgOYkeNq7IMbe6I522dq_i5eTY
-a3y__zI7FQxN1KpSOSokmm9haEm0MuyxWbFn1c-QjVprnhC7YojF-p-FLGx8PgD_tappyNKP2gyQ
-ba_COv3d9gGSkUh6I6rU20jgsOfD4yZ2CWu81WK3RKtlixGhJXhSO2C0Gv0HOVo1fz1Rcb25EtS0
-6ra6ZlQII333k4TYBzwKH_2xgU_1chKZBqSvVHWeirOml7ETye6CD-NQ4Tj7UyO8V5WNhnu0LzZS
-doiREk_lpzor7EU_MehB0aIOMVBKf5S1bvCkF61qLL0mJEVtMThsi8ObuzA0udE4cvx8LWUeaPdM
-x00SZJhKu5WNJ8RifYHWvFhlo4BRImo8nOEvzDcouMIqQPj2S50Dkm0mY_V3u_6KLQi-c4kbjr8g
-uFIUYhe-DFGEETpkAGV_dhGVD3OZTBS1J__hG7B5pBrTvkUvx3KKXBSSVDPFXKlBJ5boqmDHhFAK
-mohYyHzja1Z2aGyS4nMdi9BYSaTyK4fr6zBlkf1XE2MDlhgBnW69dcenkx4HU_Dkf-iVf91i7NUS
-XvwCnca892lWJgthskizwfe4bIZrn45HzXbjq6z-eeo5UXgilRs35JYw_9semmCzg8Z-nhIszro8
-m2oQThCFGH-XHKAwRY8SpeUdNR20wxh4WrO84Wb3Ypu3xwbpmTi4VbliRiAj4v9wDOVjmkQppbds
-xAaJLn8t9Vi39eJ3bGSEozm-jMxIpF6pHMfCoQOyG6WGZmftK7L-x5Asns-ZRJVXLMIV3hIZZU78
-et8I9lpb30kZngE7mVQp8PEVbs0TaNbRxEp-zqKK39vjo4bS0Xg1DKRvxtvYZ_OZ1cZJHOnA8EuV
-rw0Nmi8Mhc4gEwGYtK2wIc8t0U9iyxGMQelyPTwd5SStV4fy0FH8r_XpGvKqeOK13Hb63EjcgVlI
-fdRQVkkmy1EnffIxCymBPaO-KUXTa1ThZ6dSRBzQi65uxFUP1stOcsLtAunG5fPawcU1GTMLszfw
-UcLC1NSJ3FE-3rFV3rVRPjnp1Vy-zuXamg0z1syoxbOyNNicphmdJ_Ku6Gkdo6xcyYBIAb8Xi6mw
-JR-sJftkZIsKS_dwRyg0oYRZQgr7URnzEVVJ19Tv4-bwNi7ZlhN_E_WWhQqKkpwTm9EhKR_fYOr_
-Rx27X5xr48hCWYKmLbDfPaRHqkB5hOR9tbfwqdQrHIUoKdPBStRNNJuTP1_dRvY_Lc3M4yZjjO68
-xJi9YevPfghj2pmYpMIMBp7tCp4jAmtLyOmdwsxMPdqNJeKbm3uXvhxCaHW6SuDQTcmicvjz0U0N
-WLKFZap4_RtqWNWo3TQVTsYC2aM1nDEfzO5VPkNOB-2VDaEHoAtsPxnrwGLSJs8k1O3VzzoBM1cu
-m1i8D7tEtkw3I7WSQbzL-IscBLsezP3HPL6maG0dHCf9gcl1RxceBhNOWHaE6UQrNcVzEzxaoWZI
-tlP__nGmQ0iObfDi2OF433IMGlIgIL9DNWh0YCKZ13XxGtJD6FBpetJKh1sPluTfvGLjJchPdxP3
-qGsEBtBwWExk39P4wnRtNO62sfAO3tHnDR_rHG6vFwkf-9FhZLL-1QkjpcFBdUpaLHlS1q1fhJmc
-XtwRXriTQH4EnqQTKCYdw3l2IgU_X9chVScZoeF5Druc9aP9ffV0RIlbgHCrocfvvyX_OxYbEPYR
-9WRZ_s9FpRhpkGWSXowv18O8XYhG88Au74glE8v_Dvjn6qGqYvPaqPT9-8wiXAxQubCRYqc3pAFf
-LNB6YalHn2ZCp_nxKdqEJQ9gRG-sSEsvJSFsGtvH4Jsys7cjgBd0B8XyC1YEPlho0E5HpiuSmha6
-sSEcfq9JDKA62rujw7wS_7hJgQvmK_hq-R26QTn8B24D8NYDRXr2JhARsGaSKW9RuzD4DplgjUS_
-LdPU8Sq83x5pwUYrWxLgD2sQAlKrgtT9vgqWV67F9xvaDmrKKUL2uD3ch9FPU3ctjD33rX6yUWGt
-81zGTzNJ3UVO4K4ZOknLcjCk2vl9i6Lkersk5sBm54b_s6ldobGtz-d4kV_u-D82IrPfdLMYkV72
-UDwZjIJ6jaipztNlJjA
--- a/mapping
+++ b/mapping
+OIDC
+{
+    "email": "benjamin.ertl@kit.edu",
+    "email_verified": true,
+    "family_name": "Ertl",
+    "groups": [
+        {
+            "id": "54e3843d-2b9d-45df-a76d-03bdf2fe46a2",
+            "name": "Users"
+        },
+        {
+            "id": "19a8dd29-2b8d-4efd-85cf-f8091037d51f",
+            "name": "Developers"
+        }
+    ],
+    "name": "Benjamin",
+    "organisation_name": "indigo-dc",
+    "preferred_username": "benjamin",
+    "sub": "54d75bff-7ae3-4d65-81db-81c456020655"
+}
+
+SCIM
+{
+  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+  "id": "90001",
+  "externalId": "54d75bff-7ae3-4d65-81db-81c456020655",
+  "userName": "benjamin",
+  "name": {
+    "familyName": "Ertl",
+    "givenName": "Benjamin",
+  },
+  "emails": [
+    {
+      "value": "benjamin.ertl@kit.edu",
+    }
+  ],
+  "groups": [
+    {
+      "value": "54e3843d-2b9d-45df-a76d-03bdf2fe46a2",
+      "$ref": "99991",
+      "display": "Users"
+    },
+    {
+      "value": "19a8dd29-2b8d-4efd-85cf-f8091037d51f",
+      "$ref": "99992",
+      "display": "Developers"
+    }
+  ],
+  "meta": {
+    "organisation_name": "indigo-dc",
+  }
+}
+
+POSIX Account
+
+dn: uid=benjamin,ou=users,dc=test,dc=kit,dc=edu
+objectclass: extensibleObject
+objectclass: top
+objectclass: posixAccount
+objectclass: person
+cn: benjamin.ertl@kit.edu
+gidNumber: 99991
+homeDirectory: /home/benjamin
+sn: Ertl
+uid: benjamin
+uidNumber: 90001
+description: indigo-dc
+uniqueIdentifier: 54d75bff-7ae3-4d65-81db-81c456020655
+givenName: Benjamin
+mail: benjamin.ertl@kit.edu
+
+POSIX Group
+
+dn: cn=Users,ou=groups,dc=test,dc=kit,dc=edu
+objectClass: top
+objectClass: posixGroup
+cn: Users
+gidNumber: 99991
+memberUid: benjamin
--- a/pom.xml
+++ b/pom.xml
@@ -22,7 +22,10 @@
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
 				<configuration>
-					<skipTests>true</skipTests>
+					<skipTests>false</skipTests>
+					<includes>
+						<include>edu.kit.scc.test.TestSuite</include>
+					</includes>
 				</configuration>
 			</plugin>
 			<plugin>
@@ -55,7 +58,7 @@
 		<version>1.3.1.RELEASE</version>
 	</parent>
 	<dependencies>
-		<!-- Spring -->
+		<!-- tag::Spring[] -->
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
@@ -68,22 +71,57 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-redis</artifactId>
+		</dependency>
+		<!-- end::Spring[] -->

-		<!-- LDAP -->
+		<!-- tag::Test[] -->
+		<dependency>
+			<groupId>com.jayway.restassured</groupId>
+			<artifactId>rest-assured</artifactId>
+			<version>2.9.0</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.github.kstyrc</groupId>
+			<artifactId>embedded-redis</artifactId>
+			<version>0.6</version>
+		</dependency>
+		<dependency>
+			<groupId>com.unboundid</groupId>
+			<artifactId>unboundid-ldapsdk</artifactId>
+			<version>3.1.1</version>
+		</dependency>
+		<!-- end::Test[] -->
+
+		<!-- tag::LDAP[] -->
 		<dependency>
 			<groupId>org.springframework.ldap</groupId>
 			<artifactId>spring-ldap-core</artifactId>
 			<version>2.0.4.RELEASE</version>
 		</dependency>
+		<!-- end::LDAP[] -->

-		<!-- OpenID Connect -->
+		<!-- tag::OpenID Connect[] -->
 		<dependency>
 			<groupId>com.nimbusds</groupId>
 			<artifactId>oauth2-oidc-sdk</artifactId>
 			<version>5.1</version>
 		</dependency>
+		<dependency>
+			<groupId>com.nimbusds</groupId>
+			<artifactId>nimbus-jose-jwt</artifactId>
+			<version>4.16.2</version>
+		</dependency>
+		<!-- end::OpenID Connect[] -->

-		<!-- SAML -->
+		<!-- tag::SAML[] -->
 		<dependency>
 			<groupId>org.opensaml</groupId>
 			<artifactId>opensaml</artifactId>
@@ -95,25 +133,23 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
+		<!-- end::SAML[] -->

-		<!-- Utils -->
+		<!-- tag::Utils[] -->
 		<dependency>
-			<groupId>com.google.guava</groupId>
-			<artifactId>guava</artifactId>
-			<version>18.0</version>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcprov-jdk15on</artifactId>
+			<version>1.54</version>
 		</dependency>
 		<dependency>
 			<groupId>org.json</groupId>
 			<artifactId>json</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-test</artifactId>
-		</dependency>
 		<dependency>
 			<groupId>org.jdom</groupId>
 			<artifactId>jdom</artifactId>
 			<version>2.0.2</version>
 		</dependency>
+		<!-- end::Utils[] -->
 	</dependencies>
 </project>
\ No newline at end of file
--- a/src/main/java/edu/kit/scc/DevelopmentConfiguration.java
+++ b/src/main/java/edu/kit/scc/DevelopmentConfiguration.java
+/*
+ * Copyright 2016 Karlsruhe Institute of Technology (KIT)
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package edu.kit.scc;
+
+import com.unboundid.ldap.listener.InMemoryDirectoryServer;
+import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
+import com.unboundid.ldap.listener.InMemoryListenerConfig;
+import com.unboundid.ldap.sdk.LDAPException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+
+import redis.embedded.RedisServer;
+
+import java.io.IOException;
+
+import javax.annotation.PostConstruct;
+import javax.annotation.PreDestroy;
+
+@Configuration
+@Profile("development")
+public class DevelopmentConfiguration {
+
+  private static final Logger log = LoggerFactory.getLogger(DevelopmentConfiguration.class);
+
+  @Value("${spring.redis.port}")
+  private int port;
+
+  private static InMemoryDirectoryServer ds;
+  private static RedisServer redisServer;
+
+  /**
+   * Initializes in-memory LDAP and redis.
+   * 
+   * @throws LDAPException in case in-memory LDAP couldn't be created
+   * @throws IOException in case in-memory redis couldn't be created
+   */
+  @PostConstruct
+  public void init() throws LDAPException, IOException {
+    log.debug("Set-up in-memory LDAP...");
+    // set-up in-memory LDAP
+    InMemoryDirectoryServerConfig config =
+        new InMemoryDirectoryServerConfig("dc=springframework,dc=org");
+
+    // schema config only necessary if the standard
+    // schema provided by the library doesn't suit your needs
+    config.setSchema(null);
+
+    // listener config only necessary if you want to make sure that the
+    // server listens on port 33389, otherwise a free random port will
+    // be picked at runtime - which might be even better for tests btw
+    config.addAdditionalBindCredentials("cn=admin", "password");
+    config.setListenerConfigs(
+        new InMemoryListenerConfig("myListener", null, 33389, null, null, null));
+
+    ds = new InMemoryDirectoryServer(config);
+
+    ds.startListening();
+
+    // import your test data from ldif files
+    ds.importFromLDIF(true, "src/test/resources/test-server.ldif");
+
+    log.debug("Set-up in-memory redis...");
+    redisServer = new RedisServer(port);
+    redisServer.start();
+  }
+
+  /**
+   * Cleans up in-memory LDAP and redis.
+   * 
+   */
+  @PreDestroy
+  public void cleanUp() {
+    if (ds != null) {
+      log.debug("Shutdown in-memory LDAP");
+      ds.shutDown(true);
+    }
+
+    if (redisServer != null) {
+      log.debug("Shutdown in-memory redis");
+      redisServer.stop();
+    }
+  }
+
+}
--- a/src/main/java/edu/kit/scc/Application.java
+++ b/src/main/java/edu/kit/scc/Application.java
@@ -11,9 +11,10 @@ package edu.kit.scc;

 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.core.env.AbstractEnvironment;

 @SpringBootApplication
-public class Application {
+public class IdentityHarmonizationService {

  /**
   * Spring Boot Application Runner.
@@ -21,8 +22,10 @@ public class Application {
   * @param args command line arguments
   */
  public static void main(String[] args) {
+    // set development environment
+    //System.setProperty(AbstractEnvironment.ACTIVE_PROFILES_PROPERTY_NAME, "development");

-    SpringApplication.run(Application.class, args);
+    SpringApplication.run(IdentityHarmonizationService.class, args);

  }
 }
--- a/src/main/java/edu/kit/scc/IdentityHarmonizer.java
+++ b/src/main/java/edu/kit/scc/IdentityHarmonizer.java
@@ -9,9 +9,9 @@

 package edu.kit.scc;

-import edu.kit.scc.dto.PosixGroup;
-import edu.kit.scc.dto.PosixUser;
 import edu.kit.scc.ldap.LdapClient;
+import edu.kit.scc.ldap.PosixGroup;
+import edu.kit.scc.ldap.PosixUser;
 import edu.kit.scc.scim.ScimGroup;
 import edu.kit.scc.scim.ScimUser;
 import edu.kit.scc.scim.ScimUser.Meta;
@@ -153,7 +153,7 @@ public class IdentityHarmonizer {

      if (!user.isActive() && user.getMeta() != null) {
        posixUser.setHomeDirectory(user.getMeta().get("homeDirectory"));
-        posixUser.setUidNumber(Integer.valueOf(user.getMeta().get("uidNumber")));
+        posixUser.setUidNumber(user.getMeta().get("uidNumber"));

        ldapClient.updatePosixUser(posixUser);


--- a/src/main/java/edu/kit/scc/PosixUserGenerator.java
+++ b/src/main/java/edu/kit/scc/PosixUserGenerator.java
+/*
+ * Copyright 2016 Karlsruhe Institute of Technology (KIT)
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package edu.kit.scc;
+
+import edu.kit.scc.ldap.LdapClient;
+import edu.kit.scc.ldap.PosixGroup;
+import edu.kit.scc.ldap.PosixUser;
+import edu.kit.scc.redis.RedisClient;
+import edu.kit.scc.scim.ScimGroup;
+import edu.kit.scc.scim.ScimUser;
+import edu.kit.scc.scim.ScimUser.Email;
+import edu.kit.scc.scim.ScimUser.Meta;
+import edu.kit.scc.scim.ScimUser.Name;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.UUID;
+
+@Component
+public class PosixUserGenerator implements UserGenerator {
+
+  private static final Logger log = LoggerFactory.getLogger(PosixUserGenerator.class);
+
+  @Value("${ldap.default.gidNumber}")
+  String defaultGidNumber;
+
+  @Autowired
+  private RedisClient redisClient;
+
+  @Autowired
+  private LdapClient ldapClient;
+
+  private String generateUid(String uidNumber) {
+    return "user" + uidNumber;
+  }
+
+  @Override
+  public ScimUser createUser(ScimUser scimUser) {
+    // check if default group exists
+    PosixGroup defaultGroup = ldapClient.getPosixGroupByGidNumber(defaultGidNumber);
+    if (defaultGroup == null) {
+      log.error("default group {} does not exists", defaultGidNumber);
+      return null;
+    }
+
+    String uniqueIdentifier = scimUser.getExternalId();
+
+    // if no unique identifier provided generate a random one
+    if (uniqueIdentifier == null) {
+      uniqueIdentifier = UUID.randomUUID().toString();
+    }
+
+    // create a new user id number
+    String uidNumber = redisClient.createUser(uniqueIdentifier);
+    if (uidNumber == null) {
+      log.error("user {} already exists", uniqueIdentifier);
+      return null;
+    }
+
+    // create a default user id
+    String uid = generateUid(uidNumber);
+
+    // populate user with default values
+    PosixUser localUser = new PosixUser();
+    localUser.setCommonName(uid);
+    localUser.setDescription("user created by IdH");
+    localUser.setGidNumber(defaultGidNumber);
+    localUser.setHomeDirectory("/home/" + uid);
+    localUser.setSurName(uid);
+    localUser.setUid(uid);
+    localUser.setUidNumber(uidNumber);
+    localUser.setUniqueIdentifier(uniqueIdentifier);
+
+    log.debug("User defaults to {}", localUser.toString());
+
+    // overwrite with provided values
+    if (scimUser.getUserName() != null) {
+      // check for conflicting uid
+      if (ldapClient.getPosixUser(scimUser.getUserName()) == null) {
+        localUser.setUid(scimUser.getUserName());
+      } else {
+        log.warn("user {} already exists, use default uid", scimUser.getUserName());
+      }
+    }
+
+    List<Email> emails = scimUser.getEmails();
+    if (emails != null && !emails.isEmpty()) {
+      if (emails.get(0).getValue() != null) {
+        localUser.setMail(emails.get(0).getValue());
+        localUser.setCommonName(emails.get(0).getValue());
+      }
+    }
+
+    Name name = scimUser.getName();
+    if (name != null) {
+      if (name.getFamilyName() != null) {
+        localUser.setSurName(name.getFamilyName());
+      }
+      if (name.getGivenName() != null) {
+        localUser.setGivenName(name.getGivenName());
+      }
+    }
+
+    // create the user locally
+    PosixUser posixUser = ldapClient.createPosixUser(localUser);
+    if (posixUser == null) {
+      log.error("could not create user in the LDAP directory");
+      return null;
+    }
+    log.debug("User created {}", posixUser.toString());
+
+    // add user to default group
+    ldapClient.addGroupMember(defaultGroup.getCommonName(), localUser.getUid());
+
+    ScimGroup defaultScimGroup = new ScimGroup();
+    defaultScimGroup.setDisplay(defaultGroup.getCommonName());
+    defaultScimGroup.setRef(defaultGroup.getGidNumber());
+
+    ScimUser createdUser = scimUserFromPosixUser(posixUser);
+    createdUser.getGroups().add(defaultScimGroup);
+
+    // TODO group unique identifiers
+    // create local groups, add user
+    if (scimUser.getGroups() != null) {
+      for (ScimGroup group : scimUser.getGroups()) {
+        if (group.getValue() != null && group.getDisplay() != null) {
+          // check if group already exists
+          PosixGroup localGroup = ldapClient.getPosixGroupByCn(group.getDisplay());
+
+          // create group
+          if (localGroup == null) {
+            String groupNumber = redisClient.createGroup(group.getValue());
+            localGroup = new PosixGroup();
+            localGroup.setGidNumber(groupNumber);
+            localGroup.setCommonName(group.getDisplay());
+            localGroup.setDescription("group created by IdH");
+
+            localGroup = ldapClient.createPosixGroup(localGroup);
+
+            if (localGroup == null) {
+              log.error("could not create group in the LDAP directory");
+              break;
+            } else {
+              log.debug("Created group {}", localGroup.toString());
+            }
+          } else {
+            log.debug("Found existing group {}", localGroup.toString());;
+          }
+
+          // add user
+          boolean userAdded =
+              ldapClient.addGroupMember(localGroup.getCommonName(), localUser.getUid());
+          if (userAdded) {
+            ScimGroup scimGroup = new ScimGroup();
+            scimGroup.setDisplay(localGroup.getCommonName());
+            scimGroup.setValue(group.getValue());
+            scimGroup.setRef(localGroup.getGidNumber());
+
+            createdUser.getGroups().add(scimGroup);
+
+            log.debug("Added user {} to group {}", localUser.getUid(), localGroup.getCommonName());
+          }
+        }
+      }
+    }
+
+    return createdUser;
+  }
+
+  private ScimUser scimUserFromPosixUser(PosixUser posixUser) {
+    ScimUser scimUser = new ScimUser();
+    scimUser.setSchemas(Arrays.asList(ScimUser.USER_SCHEMA_2_0));
+
+    scimUser.setExternalId(posixUser.getUniqueIdentifier());
+    scimUser.setId(posixUser.getUidNumber());
+    scimUser.setUserName(posixUser.getUid());
+
+    Email email = new Email();
+    email.setValue(posixUser.getMail());
+    scimUser.setEmails(Arrays.asList(email));
+
+    Meta meta = new Meta();
+    meta.put("description", posixUser.getDescription());
+    meta.put("homeDirectory", posixUser.getHomeDirectory());
+    meta.put("gecos", posixUser.getGecos());
+    meta.put("loginShell", posixUser.getLoginShell());
+
+    scimUser.setMeta(meta);
+
+    scimUser.setGroups(new ArrayList<ScimGroup>());
+
+    Name name = new Name();
+    name.setFamilyName(posixUser.getSurName());
+    name.setGivenName(posixUser.getGivenName());
+
+    // scimUser.setPassword(posixUser.getUserPassword());
+
+    scimUser.setActive(true);
+
+    return scimUser;
+  }
+
+}
--- a/src/main/java/edu/kit/scc/RestServiceController.java
+++ b/src/main/java/edu/kit/scc/RestServiceController.java
@@ -9,6 +9,7 @@

 package edu.kit.scc;