
grouper-users - RE: [grouper-users] null dto in class edu.internet2.middleware.grouper.GrouperSession error.

Subject: Grouper Users - Open Discussion List

  • From: "Sanjay Vivek" <>
  • To: <>
  • Subject: RE: [grouper-users] null dto in class edu.internet2.middleware.grouper.GrouperSession error.
  • Date: Mon, 15 Oct 2007 16:32:55 +0100

Hi Tom,

I'm still unable to provision my groups into the LDAP server and I can't figure out why. I've looked at the LDAP logs, which are given below.


=> access_allowed: search access to "uid=,ou=people,dc=ncl,dc=ac,dc=uk" "eduPersonPrincipalName" requested

 <= root access granted
 <= test_filter 5
 <= test_filter_and 5
 <= test_filter 5
 bdb_search: 135 does not match filter
 send_ldap_result: conn=27 op=1 p=3
 send_ldap_result: err=0 matched="" text=""
 send_ldap_response: msgid=2 tag=101 err=0
 conn=27 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
 daemon: activity on 1 descriptor
 daemon: activity on:
  16r
 
 daemon: read active on 16
 connection_get(16)
 connection_get(16): got connid=27
 connection_read(16): checking for input on id=27
 ber_get_next on fd 16 failed errno=0 (Success)
 connection_read(16): input error=-2 id=27, closing.
 connection_closing: readying conn=27 sd=16 for close
 connection_close: deferring conn=27 sd=16
 daemon: select: listen=7 active_threads=0 tvp=NULL
 daemon: select: listen=8 active_threads=0 tvp=NULL
 daemon: activity on 1 descriptor
 daemon: activity on:
 
 daemon: select: listen=7 active_threads=0 tvp=NULL
 daemon: select: listen=8 active_threads=0 tvp=NULL
 do_unbind
 conn=27 op=2 UNBIND
 connection_resched: attempting closing conn=27 sd=16
 connection_close: conn=27 sd=16
 daemon: removing 16
 conn=27 fd=16 closed
 daemon: activity on 1 descriptor
 daemon: activity on:
  13r
 
 daemon: read active on 13
 connection_get(13)
 connection_get(13): got connid=25
 connection_read(13): checking for input on id=25
 ber_get_next on fd 13 failed errno=0 (Success)
 connection_read(13): input error=-2 id=25, closing.
 connection_closing: readying conn=25 sd=13 for close
 connection_close: deferring conn=25 sd=13
 daemon: select: listen=7 active_threads=0 tvp=NULL
 daemon: select: listen=8 active_threads=0 tvp=NULL
 daemon: activity on 1 descriptor
 daemon: activity on:
 
 daemon: select: listen=7 active_threads=0 tvp=NULL
 daemon: select: listen=8 active_threads=0 tvp=NULL
 do_unbind
 conn=25 op=1 UNBIND
 connection_resched: attempting closing conn=25 sd=13
 connection_close: conn=25 sd=13
 daemon: removing 13
 conn=25 fd=13 closed


Line 6, which is in bold, states that the search filter is wrong. Does this mean that the <source-subject-identifiers> element below is configured wrongly?

  <source-subject-identifiers>
    <source-subject-identifier source="jdbc_ncl" subject-attribute="loginid" >
      <ldap-search base="ou=people,dc=ncl,dc=ac,dc=uk"
        scope="subtree_scope"
        filter="(uid={0})" />
    </source-subject-identifier>
  </source-subject-identifiers>

To recap, all the subjects are located in my LDAP source, and my loginid attribute in the JDBC source corresponds to the uid attribute in LDAP. I've also attached sources.xml and ldappc.xml for reference. A sample entry in our LDAP server is also given below:

dn: uid=john.smith@ncl.ac.uk,ou=people,dc=ncl,dc=ac,dc=uk
objectClass: top
objectclass: person
objectclass: eduPerson
objectclass: organizationalPerson
objectClass: inetOrgPerson
eduPersonPrincipalName: john.smith@ncl.ac.uk
uid: john.smith@ncl.ac.uk
cn: John Smith
sn: Smith

Thanks again for your help. Cheers. <<ldappc.xml>> <<sources.xml>>

Regards
Sanjay



>-----Original Message-----
>From: Tom Barton []
>Sent: 11 October 2007 17:10
>To: Sanjay Vivek
>Cc:
>Subject: Re: [grouper-users] null dto in class
>edu.internet2.middleware.grouper.GrouperSession error.
>
>
>
>Sanjay Vivek wrote:
>> Hi Tom,
>>
>> I've taken a look at the LDAP logs and it looks like Ldappc is looking
>> for the users in the Grouper groups in the LDAP source and not the
>> JDBC source. For example, we have John Smith
>> () in the Staff group and he's located in our
>> JDBC source (jdbc_ncl). What we would like to happen is for the groups
>> to be provisioned from Grouper to LDAP with the following entry in LDAP:
>>
>> dn: cn=ncl:staff,ou=grouper,dc=ncl,dc=ac,dc=uk
>> objectClass: groupOfNames
>> objectClass: top
>> member: ,ou=grouper,dc=ncl,dc=ac,dc=uk
>> cn: ncl:staff
>>
>> We are in a rather unique position of having JDBC as our primary
>> source of users. So is it feasible to provision users from our JDBC
>> source to LDAP without the users first being present in an LDAP source? Cheers.
>
>Ldappc will not create or delete person entries in ldap.
>That's presumed to be the province of your existing IdM
>operation. It *will* add/delete/modify group entries that
>correspond to grouper groups, and it will add/delete/modify a
>membership attribute in existing person entries (and any other
>entry types that are associated with group memberships).
>
>Ldappc is looking for users in ldap to determine the DN of
>entries corresponding to grouper group memberships to add
>those values to each group's member attribute. I expect that,
>if you turned up the log level of the
>log4j.logger.edu.internet2.middleware.subject logging target
>to debug, you'd see it looking up member subjects in your jdbc
>source to find the subject attribute it uses to build the ldap
>search filter to find each subject's corresponding ldap entry,
>and to find the subject attribute with which to populate
>corresponding hasMember values, per the declarations in ldappc.xml.
>
>

<?xml version="1.0" encoding="utf-8"?>

<!-- 
    * This file contains data for testing Ldappc.
    *
    * See ldappcTemplate.xml for documentation regarding how to use these
    * elements.
-->

<ldappc>
  <grouper>
    <group-queries>
      <subordinate-stem-queries>
        <stem-list>
          <stem>ncl</stem>
        </stem-list>
      </subordinate-stem-queries>
      <!--
      <attribute-matching-queries>
        <attribute-list>
          <attribute name="attribute" value="value" />
        </attribute-list>
      </attribute-matching-queries>
      -->
    </group-queries>
    <groups structure="flat"
      root-dn="ou=grouper,dc=ncl,dc=ac,dc=uk"
      ldap-object-class="groupOfNames"
      ldap-rdn-attribute="cn" grouper-attribute="name" >
      <group-members-dn-list list-object-class="groupOfNames" list-attribute="member" list-empty-value=""/>
      <group-members-name-list list-object-class="eduMember" list-attribute="hasMember" >
        <source-subject-name-mapping>
          <source-subject-name-map source="jdbc_ncl" subject-attribute="id" />
          <source-subject-name-map source="g:gsa" subject-attribute="name" />
        </source-subject-name-mapping>
      </group-members-name-list>
      <!--
      <group-attribute-mapping ldap-object-class="">
        <group-attribute-map group-attribute="xxxx" ldap-attribute="yyyy" />
      </group-attribute-mapping>
      -->
    </groups>
    <memberships>
      <member-groups-list 
        list-object-class="eduMember" 
        list-attribute="isMemberOf"
        naming-attribute="name" />
    </memberships>
  </grouper>

  <source-subject-identifiers>
    <source-subject-identifier source="jdbc_ncl" subject-attribute="loginid" >
      <ldap-search base="ou=people,dc=ncl,dc=ac,dc=uk" 
        scope="subtree_scope" 
        filter="(uid={0})" />
    </source-subject-identifier>
  </source-subject-identifiers>

  <ldap>
    <context>
      <parameter-list>
        <parameter name="initial_context_factory" value="com.sun.jndi.ldap.LdapCtxFactory" />
        <parameter name="provider_url" value="ldap://pen.ncl.ac.uk:389" />
        <parameter name="security_authentication" value="simple" />
        <parameter name="security_principal" value="cn=YYYY" />
        <parameter name="security_credentials" value="XXXXX" />
      </parameter-list>
    </context>
  </ldap>

</ldappc>
<?xml version="1.0" encoding="utf-8"?>

<!--
Grouper's subject resolver configuration
$Id: sources.xml,v 1.6 2007/04/17 13:59:09 isgwb Exp $
-->

<sources>

  <!-- Group Subject Resolver -->
  <!-- 
    NOTE: It is recommended that you **not** change the default
          values for this source adapter.
  -->
  <source adapterClass="edu.internet2.middleware.grouper.GrouperSourceAdapter">
    <id>g:gsa</id>
    <name>Grouper: Group Source Adapter</name>
    <type>group</type>
  </source>
  <!-- Group Subject Resolver -->


 <source adapterClass="edu.internet2.middleware.subject.provider.JDBCSourceAdapter">
    <id>jdbc_ncl</id>
    <name>NCL JDBC Source Adapter</name>
     <type>person</type>
     <init-param>
       <param-name>maxActive</param-name>
       <param-value>16</param-value>
     </init-param>
     <init-param>
       <param-name>maxIdle</param-name>
       <param-value>16</param-value>
     </init-param>
     <init-param>
       <param-name>maxWait</param-name>
       <param-value>-1</param-value>
     </init-param>
     <init-param>
       <param-name>dbDriver</param-name>
       <param-value>com.mysql.jdbc.Driver</param-value>
     </init-param>
     <init-param>
       <param-name>dbUrl</param-name>
       <param-value>jdbc:mysql://pod.ncl.ac.uk/XXXX</param-value>
     </init-param>
     <init-param>
       <param-name>dbUser</param-name>
       <param-value>XXXX</param-value>
     </init-param>
     <init-param>
       <param-name>dbPwd</param-name>
       <param-value>XXXX</param-value>
     </init-param>
      <init-param>
       <param-name>SubjectID_AttributeType</param-name>
       <param-value>id</param-value>
     </init-param>
     <init-param>
       <param-name>Name_AttributeType</param-name>
       <param-value>name</param-value>
     </init-param>
     <init-param>
       <param-name>Description_AttributeType</param-name>
       <param-value>description</param-value>
     </init-param>


     <search>
         <searchType>searchSubject</searchType>
		  <param>
        	<param-name>numParameters</param-name>
        	<param-value>1</param-value>
        </param>
         <param>
             <param-name>sql</param-name>
             <param-value>
select
   subject.subjectid as id, subject.name as name,
   lfnamet.lfname as lfname, loginidt.loginid as loginid,
   desct.description as description
from
   subject
   left join (select subjectid, value as lfname from subjectattribute
     where name='name') as lfnamet
     on subject.subjectid=lfnamet.subjectid
   left join (select subjectid, value as loginid from subjectattribute
     where name='loginid') as loginidt
     on subject.subjectid=loginidt.subjectid
   left join (select subjectid, value as description from subjectattribute
      where name='description') as desct
     on subject.subjectid=desct.subjectid
where
   subject.subjectid = ?
             </param-value>
         </param>
     </search>
     <search>
         <searchType>searchSubjectByIdentifier</searchType>
		  <param>
        	<param-name>numParameters</param-name>
        	<param-value>1</param-value>
        </param>
         <param>
             <param-name>sql</param-name>
             <param-value>
select
   subject.subjectid as id, subject.name as name,
   lfnamet.lfname as lfname, loginidt.loginid as loginid,
   desct.description as description
from
   subject
   left join (select subjectid, value as lfname from subjectattribute
     where name='name') as lfnamet
     on subject.subjectid=lfnamet.subjectid
   left join (select subjectid, value as loginid from subjectattribute
     where name='loginid') as loginidt
     on subject.subjectid=loginidt.subjectid
   left join (select subjectid, value as description from subjectattribute
      where name='description') as desct
     on subject.subjectid=desct.subjectid
where
   loginidt.loginid = ?
             </param-value>
         </param>
     </search>
     <search>
        <searchType>search</searchType>
		 <param>
        	<param-name>numParameters</param-name>
        	<param-value>4</param-value>
        </param>
         <param>
             <param-name>sql</param-name>
             <param-value>
select
   subject.subjectid as id, subject.name as name,
   lfnamet.lfname as lfname, loginidt.loginid as loginid,
   desct.description as description
from
   subject
   left join (select subjectid, value as lfname from subjectattribute
     where name='name') as lfnamet
     on subject.subjectid=lfnamet.subjectid
   left join (select subjectid, value as loginid from subjectattribute
     where name='loginid') as loginidt
     on subject.subjectid=loginidt.subjectid
   left join (select subjectid, value as description from subjectattribute
      where name='description') as desct
     on subject.subjectid=desct.subjectid
where
   (lower(name) like concat('%',concat(?,'%')))
   or (lower(lfnamet.lfname) like concat('%',concat(?,'%')))
   or (lower(loginidt.loginid) like concat('%',concat(?,'%')))
   or (lower(desct.description) like concat('%',concat(?,'%')))
             </param-value>
         </param>
     </search>
   </source>

    <source adapterClass="edu.internet2.middleware.subject.provider.JNDISourceAdapter">
    <id>ldap_ncl</id>
    <name>NCL LDAP Source Adapter</name>
    <type>person</type>
    <init-param>
      <param-name>INITIAL_CONTEXT_FACTORY</param-name>
      <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>
    </init-param>
    <init-param>
      <param-name>PROVIDER_URL</param-name>
      <param-value>ldap://pen.ncl.ac.uk:389</param-value>
    </init-param>
    <init-param>
      <param-name>SECURITY_AUTHENTICATION</param-name>
      <param-value>simple</param-value>
    </init-param>
    <init-param>
      <param-name>SECURITY_PRINCIPAL</param-name>
      <param-value>cn=YYYYYY</param-value>
    </init-param>
    <init-param>
      <param-name>SECURITY_CREDENTIALS</param-name>
      <param-value>XXXXX</param-value>
    </init-param>
     <init-param>
      <param-name>SubjectID_AttributeType</param-name>
      <param-value>eduPersonPrincipalName</param-value>
    </init-param>
    <init-param>
      <param-name>Name_AttributeType</param-name>
      <param-value>cn</param-value>
    </init-param>
    <init-param>
      <param-name>Description_AttributeType</param-name>
      <param-value>cn</param-value>
    </init-param>
    
    /// Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE 
    /// For filter use 
    
    <search>
        <searchType>searchSubject</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp; (eduPersonPrincipalName=%TERM%) (objectclass=eduPerson))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>
                SUBTREE_SCOPE            
            </param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>
                ou=people,dc=ncl,dc=ac,dc=uk
            </param-value>
        </param>
         
    </search>
    <search>
        <searchType>searchSubjectByIdentifier</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp; (uid=%TERM%) (objectclass=eduPerson))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>
                SUBTREE_SCOPE            
            </param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>
                ou=people,dc=ncl,dc=ac,dc=uk
            </param-value>
        </param>
    </search>
    
    <search>
       <searchType>search</searchType>
         <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp; (|(uid=%TERM%)(cn=*%TERM%*)(eduPersonPrincipalName=%TERM%))(objectclass=eduPerson))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>
                SUBTREE_SCOPE            
            </param-value>
        </param>
         <param>
            <param-name>base</param-name>
            <param-value>
                ou=people,dc=ncl,dc=ac,dc=uk
            </param-value>
        </param>
    </search>
    ///Attributes you would like to display when doing a search 
    
    <attribute>eduPersonPrincipalName</attribute>
    <attribute>cn</attribute>
    
  </source>

</sources>
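
The lookup described in the thread (take the subject attribute named in `source-subject-identifier`, substitute it into the `ldap-search` filter, and find the matching person entry) can be reproduced offline to check a mapping before running a provisioning job. This is an added example, not code from the original post or from Ldappc; the function names are hypothetical, and the RFC 4515 escaping of the substituted value is an addition here, not something the page says Ldappc performs.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <source-subject-identifiers> fragment quoted in the post.
LDAPPC_FRAGMENT = """
<source-subject-identifiers>
  <source-subject-identifier source="jdbc_ncl" subject-attribute="loginid">
    <ldap-search base="ou=people,dc=ncl,dc=ac,dc=uk"
      scope="subtree_scope" filter="(uid={0})" />
  </source-subject-identifier>
</source-subject-identifiers>
"""
# Constructed input: two attributes of the sample LDAP entry from the post.
SAMPLE_ENTRY = {"uid": ["john.smith@ncl.ac.uk"], "cn": ["John Smith"]}

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_search(fragment, source_id, subject_attrs):
    """Return (base, scope, filter) for one subject of the given source.

    Raises LookupError when the source has no mapping or the subject lacks
    the mapped attribute, instead of emitting an empty filter such as (uid=).
    """
    root = ET.fromstring(fragment)
    for ident in root.iter("source-subject-identifier"):
        if ident.get("source") != source_id:
            continue
        attr = ident.get("subject-attribute")
        value = subject_attrs.get(attr)
        if not value:
            raise LookupError(f"subject has no value for {attr!r}")
        search = ident.find("ldap-search")
        flt = search.get("filter").replace("{0}", escape_filter_value(value))
        return search.get("base"), search.get("scope"), flt
    raise LookupError(f"no source-subject-identifier for {source_id!r}")

def matches_equality(flt, entry):
    """Evaluate one (attr=value) equality filter against an entry dict."""
    attr, _, value = flt.strip("()").partition("=")
    return any(value.lower() == escape_filter_value(v).lower()
               for v in entry.get(attr, []))
```

A subject whose `loginid` differs from the entry's `uid`, or is missing from the JDBC result, shows up here as a non-match or a `LookupError` rather than as a silent search miss in the directory log.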



