|
Can you comment out or remove the pso element with id=stem in the psp.xml file? That should prevent stems from being provisioned. And yes, the documentation needs to be updated with this I think.
Thanks!
-- Shilen
From: Holger Dippel <>
Reply-To: Holger Dippel <>
Date: Mon, 23 Jul 2012 10:53:34 -0400
To: Shilen Patel <>
Cc: Grouper Dev <>
Subject: Re: [grouper-dev] RE: LDAP bushy vs flat
Hi Shilen,
In psp.xml I commented the attribute mapping out and it worked without error! AD assigns a randomly generated unique sAMAccountName. Now, I just have to figure out how to prevent the "flat" provisioning style from provisioning stems as (empty) OUs. For example:
test:psp_test1
provisions as OU=test (stem) and CN=test:psp_test1 (group). Maybe there could be something added to the documentation how and where to turn off the stem -> OU provisioning when switching to flat?
Thank you,
Holger
Holger Dippel
Director of IT Development and Integration
University of Massachusetts Dartmouth
285 Old Westport Road • North Dartmouth, MA 02747
508-999-9181 •
http://www.umassd.edu/
CITS will never ask you for your password or other confidential information via email. Beware of phishing scams where email and/or malicious web sites try to trick users into entering their username and password.
For more information about password security please visit: http://www.umassd.edu/cits/security/
From: "Shilen Patel" <>
To: "Holger Dippel" <>
Cc: "Grouper Dev" <>
Sent: Monday, July 23, 2012 10:29:06 AM
Subject: Re: [grouper-dev] RE: LDAP bushy vs flat
Hi,
I think the following bit in the psp.xml is making the sAMAccountName equivalent to the CN attribute:
<attribute
name="sAMAccountName"
ref="cn" />
And you're probably getting the error because colons aren't allowed in sAMAccountName values, right?
Keeping in mind that sAMAccountName has to be unique, what value would you like to use for it? If it's just the group extension, you can run into problems unless you're guaranteeing uniqueness in Grouper, right? At Duke, we work around the colon issue
and maintain uniqueness by converting the colons into hyphens and not allowing hyphens in group/folder names in Grouper. I think either way should be possible by creating an attribute definition in the resolver file and switching the "ref" above to point
at it. Let us know if you need help with that.
Thanks!
-- Shilen
From: Holger Dippel <>
Reply-To: Holger Dippel <>
Date: Mon, 23 Jul 2012 10:03:59 -0400
To: Shilen Patel <>
Cc: Grouper Dev <>
Subject: Re: [grouper-dev] RE: LDAP bushy vs flat
Good morning Shilen,
I am using 2.1.1 - however, I am using a combination of PSP and vt-ldap due to our AD setup. I combined the AD example with my version 2.0.3 LDAP configuration and the multiple OpenLDAP example that illustrates the use of vt-ldap with PSP. In sources.xml the
subject source is on the global catalog port 3268 which does not allow me to modify anything in AD. Therefore I use the vt-ldap configuration to the same AD on port 389 for provisioning.
And yes, I've changed the configuration in ldap.properties to flat structure with using the name as cnSourceAttributeID.
After digging a bit further last week, I found this in the logs:
2012-07-18 11:45:21,944: [main] DEBUG LdapSpmlTarget.execute(249) - - Target 'ldap' - Create 'AddRequest[psoID=PSOIdentifier[id='cn=test:psp_test2,ou=Grouper_Groups,dc=examen,dc=edu',targetID=ldap,containerID=<null>],targetID=ldap,returnData=everything,requestID=2012/07/18-11:45:21.941]'
2012-07-18 11:45:21,945: [main] DEBUG LdapSpmlTarget.execute(250) - - Target 'ldap' - Create DN 'cn=test:psp_test2,ou=Grouper_Groups,dc=examen,dc=edu'
2012-07-18 11:45:21,945: [main] DEBUG AbstractLdap.create(865) - - Create name with the following parameters:
2012-07-18 11:45:21,945: [main] DEBUG AbstractLdap.create(866) - - dn = cn=test:psp_test2,ou=Grouper_Groups,dc=examen,dc=edu
2012-07-18 11:45:21,945: [main] DEBUG AbstractLdap.create(867) - - attrs = {objectclass=objectClass: group, top,
samaccountname=sAMAccountName: test:psp_test2, member=member: CN=Jeannette S. Mello,OU=staff,DC=examen,DC=edu, CN=Joyce K Rosinha,OU=staff,DC=examen,DC=edu, CN=Steven T Splinter,OU=staff,DC=examen,DC=edu, cn=cn: test:psp_test2}
2012-07-18 11:45:21,948: [main] ERROR BaseSpmlProvider.execute(188) - - Target 'ldap' - Add AddResponse[pso=<null>,status=failure,error=customError,errorMessages={[LDAP:
error code 80 - 00000523: SysErr: DSID-031A1202, problem 22 (Invalid argument), data 0
_]},requestID=2012/07/18-11:45:21.941]
The group is created with an automatically assigned samAccountName by AD, but in the flat provisioning it somehow assumes that the samAccountName is the group ID Path/name. The group name/ID path is the common name (cn).
I am not able to locate a configuration setting where I could control this behavior.
Holger
Holger Dippel
Director of IT Development and Integration
University of Massachusetts Dartmouth
285 Old Westport Road • North Dartmouth, MA 02747
508-999-9181 •
http://www.umassd.edu/
CITS will never ask you for your password or other confidential information via email. Beware of phishing scams where email and/or malicious web sites try to trick users into entering their username and password.
For more information about password security please visit: http://www.umassd.edu/cits/security/
From: "Shilen Patel" <>
To: "Holger Dippel" <>
Cc: "Grouper Dev" <>
Sent: Sunday, July 22, 2012 2:04:00 PM
Subject: Re: [grouper-dev] RE: LDAP bushy vs flat
Hi Holger,
Using the 2.1.1 example configs, to switch from bushy to flat I set the following 2 properties in ldap.properties:
edu.internet2.middleware.psp.structure=flat
edu.internet2.middleware.psp.cnSourceAttributeID=name
And I commented out the pso element with id=stem in the psp.xml file. It seems to work for me without making any changes to the psp-resolver.xml file. The psp-resolver.xml file has multiple references to the 2 properties above.
Are you running 2.1 with the 2.1.0 or 2.1.1 example configs? What errors are you getting? Does your psp-resolver.xml file refer to the properties above like the latest example configs?
Thanks!
-- Shilen
From: Chris Hyzer <>
Date: Wed, 18 Jul 2012 15:47:36 +0000
To: Holger Dippel <>, Tom Zeller <>
Cc: Grouper Dev <>
Subject: [grouper-dev] RE: LDAP bushy vs flat
Forwarding to the list so Shilen and TomB can see this idea as well…
From: Holger Dippel []
Sent: Wednesday, July 18, 2012 11:33 AM
To: Chris Hyzer; Tom Zeller
Subject: LDAP bushy vs flat
Chris, Tom -
As a suggestion for the Grouper Provisioning guide: The sections that talk about flat vs bushy provisioning, may need to mention additional settings in the psp-resolver.xml -- or am I mistaken? Or would the psp-resolver.xml need to be updated to inherit the
settings from ldap.properties, if possible?
I am experimenting with different provisioning scenarios and tried switching from bushy to flat only with the ldap.properties settings, but then get all sorts of errors, and it provisions the stem as OU, but nothing else. Looking at the debug log indicates
that the stem still is provisioned bushy which then brought me to the resolver configuration.
What do you think?
Holger
Holger Dippel
Director of IT Development and Integration
University of Massachusetts Dartmouth
285 Old Westport Road • North Dartmouth, MA 02747
508-999-9181 •
http://www.umassd.edu/
CITS will never ask you for your password or other confidential information via email. Beware of phishing scams where email and/or malicious web sites try to trick users into entering their username and password.
For more information about password security please visit: http://www.umassd.edu/cits/security/
|
