Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] RE: LDAP bushy vs flat

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] RE: LDAP bushy vs flat


Chronological Thread 
  • From: Shilen Patel <>
  • To: Holger Dippel <>
  • Cc: Grouper Dev <>
  • Subject: Re: [grouper-dev] RE: LDAP bushy vs flat
  • Date: Mon, 23 Jul 2012 15:05:20 +0000
  • Accept-language: en-US

Can you comment out or remove the pso element with id=stem in the psp.xml file?  That should prevent stems from being provisioned.  And yes, the documentation needs to be updated with this I think.

Thanks!

-- Shilen

From: Holger Dippel <>
Reply-To: Holger Dippel <>
Date: Mon, 23 Jul 2012 10:53:34 -0400
To: Shilen Patel <>
Cc: Grouper Dev <>
Subject: Re: [grouper-dev] RE: LDAP bushy vs flat

Hi Shilen,

In psp.xml I commented the attribute mapping out and it worked without error! AD assigns a randomly generated unique sAMAccountName. Now, I just have to figure out how to prevent the "flat" provisioning style from provisioning stems as (empty) OUs. For example:

test:psp_test1

provisions as OU=test (stem) and CN=test:psp_test1 (group). Maybe there could be something added to the documentation how and where to turn off the stem -> OU provisioning when switching to flat?

Thank you,


Holger

Holger Dippel
Director of IT Development and Integration
University of Massachusetts Dartmouth
285 Old Westport Road • North Dartmouth, MA 02747

508-999-9181 •

http://www.umassd.edu/

CITS will never ask you for your password or other confidential information via email. Beware of phishing scams where email and/or malicious web sites try to trick users into entering their username and password.
For more information about password security please visit: http://www.umassd.edu/cits/security/


From: "Shilen Patel" <>
To: "Holger Dippel" <>
Cc: "Grouper Dev" <>
Sent: Monday, July 23, 2012 10:29:06 AM
Subject: Re: [grouper-dev] RE: LDAP bushy vs flat

Hi,

I think the following bit in the psp.xml is making the sAMAccountName equivalent to the CN attribute:

    <attribute
      name="sAMAccountName"
      ref="cn" />

And you're probably getting the error because colons aren't allowed in sAMAccountName values, right?

Keeping in mind that sAMAccountName has to be unique, what value would you like to use for it?  If it's just the group extension, you can run into problems unless you're guaranteeing uniqueness in Grouper, right?  At Duke, we work around the colon issue and maintain uniqueness by converting the colons into hyphens and not allowing hyphens in group/folder names in Grouper.  I think either way should be possible by creating an attribute definition in the resolver file and switching the "ref" above to point at it.  Let us know if you need help with that.

Thanks!

-- Shilen


From: Holger Dippel <>
Reply-To: Holger Dippel <>
Date: Mon, 23 Jul 2012 10:03:59 -0400
To: Shilen Patel <>
Cc: Grouper Dev <>
Subject: Re: [grouper-dev] RE: LDAP bushy vs flat

Good morning Shilen,

I am using 2.1.1 - however, I am using a combination of PSP and vt-ldap due to our AD setup. I combined the AD example with my version 2.0.3 LDAP configuration and the multiple OpenLDAP example that illustrates the use of vt-ldap with PSP. In sources.xml the subject source is on the global catalog port 3268 which does not allow me to modify anything in AD. Therefore I use the vt-ldap configuration to the same AD on port 389 for provisioning.

And yes, I've changed the configuration in ldap.properties to flat structure with using the name as cnSourceAttributeID.

After digging a bit further last week, I found this in the logs:

2012-07-18 11:45:21,944: [main] DEBUG LdapSpmlTarget.execute(249) -  - Target 'ldap' - Create 'AddRequest[psoID=PSOIdentifier[id='cn=test:psp_test2,ou=Grouper_Groups,dc=examen,dc=edu',targetID=ldap,containerID=<null>],targetID=ldap,returnData=everything,requestID=2012/07/18-11:45:21.941]'
2012-07-18 11:45:21,945: [main] DEBUG LdapSpmlTarget.execute(250) -  - Target 'ldap' - Create DN 'cn=test:psp_test2,ou=Grouper_Groups,dc=examen,dc=edu'
2012-07-18 11:45:21,945: [main] DEBUG AbstractLdap.create(865) -  - Create name with the following parameters:
2012-07-18 11:45:21,945: [main] DEBUG AbstractLdap.create(866) -  -   dn = cn=test:psp_test2,ou=Grouper_Groups,dc=examen,dc=edu
2012-07-18 11:45:21,945: [main] DEBUG AbstractLdap.create(867) -  -   attrs = {objectclass=objectClass: group, top, samaccountname=sAMAccountName: test:psp_test2, member=member: CN=Jeannette S. Mello,OU=staff,DC=examen,DC=edu, CN=Joyce K Rosinha,OU=staff,DC=examen,DC=edu, CN=Steven T Splinter,OU=staff,DC=examen,DC=edu, cn=cn: test:psp_test2}

2012-07-18 11:45:21,948: [main] ERROR BaseSpmlProvider.execute(188) -  - Target 'ldap' - Add AddResponse[pso=<null>,status=failure,error=customError,errorMessages={[LDAP: error code 80 - 00000523: SysErr: DSID-031A1202, problem 22 (Invalid argument), data 0
_]},requestID=2012/07/18-11:45:21.941]

The group is created with an automatically assigned samAccountName by AD, but in the flat provisioning it somehow assumes that the samAccountName is the group ID Path/name. The group name/ID path is the common name (cn).

I am not able to locate a configuration setting where I could control this behavior.


Holger


Holger Dippel
Director of IT Development and Integration
University of Massachusetts Dartmouth
285 Old Westport Road • North Dartmouth, MA 02747

508-999-9181 •

http://www.umassd.edu/

CITS will never ask you for your password or other confidential information via email. Beware of phishing scams where email and/or malicious web sites try to trick users into entering their username and password.
For more information about password security please visit: http://www.umassd.edu/cits/security/


From: "Shilen Patel" <>
To: "Holger Dippel" <>
Cc: "Grouper Dev" <>
Sent: Sunday, July 22, 2012 2:04:00 PM
Subject: Re: [grouper-dev] RE: LDAP bushy vs flat

Hi Holger,

Using the 2.1.1 example configs, to switch from bushy to flat I set the following 2 properties in ldap.properties:

edu.internet2.middleware.psp.structure=flat
edu.internet2.middleware.psp.cnSourceAttributeID=name

And I commented out the pso element with id=stem in the psp.xml file.  It seems to work for me without making any changes to the psp-resolver.xml file.    The psp-resolver.xml file has multiple references to the 2 properties above.

Are you running 2.1 with the 2.1.0 or 2.1.1 example configs?  What errors are you getting?  Does your psp-resolver.xml file refer to the properties above like the latest example configs?

Thanks!

-- Shilen


From: Chris Hyzer <>
Date: Wed, 18 Jul 2012 15:47:36 +0000
To: Holger Dippel <>, Tom Zeller <>
Cc: Grouper Dev <>
Subject: [grouper-dev] RE: LDAP bushy vs flat

Forwarding to the list so Shilen and TomB can see this idea as well…

 

From: Holger Dippel []
Sent: Wednesday, July 18, 2012 11:33 AM
To: Chris Hyzer; Tom Zeller
Subject: LDAP bushy vs flat

 

Chris, Tom -

As a suggestion for the Grouper Provisioning guide: The sections that talk about flat vs bushy provisioning, may need to mention additional settings in the psp-resolver.xml -- or am I mistaken? Or would the psp-resolver.xml need to be updated to inherit the settings from ldap.properties, if possible?

I am experimenting with different provisioning scenarios and tried switching from bushy to flat only with the ldap.properties settings, but then get all sorts of errors, and it provisions the stem as OU, but nothing else. Looking at the debug log indicates that the stem still is provisioned bushy which then brought me to the resolver configuration.

What do you think?


Holger

Holger Dippel
Director of IT Development and Integration
University of Massachusetts Dartmouth
285 Old Westport Road • North Dartmouth, MA 02747

508-999-9181 •

http://www.umassd.edu/


CITS will never ask you for your password or other confidential information via email. Beware of phishing scams where email and/or malicious web sites try to trick users into entering their username and password.
For more information about password security please visit: http://www.umassd.edu/cits/security/

 






Archive powered by MHonArc 2.6.16.

Top of Page