grouper-users - RE: [grouper-users] null dto in class edu.internet2.middleware.grouper.GrouperSession error.
Subject: Grouper Users - Open Discussion List
- From: "Sanjay Vivek" <>
- To: <>
- Subject: RE: [grouper-users] null dto in class edu.internet2.middleware.grouper.GrouperSession error.
- Date: Mon, 15 Oct 2007 16:32:55 +0100
Hi Tom,
I'm still unable to provision my groups into the LDAP server and I can't figure out why. I've looked at the LDAP logs, which are given below.
=> access_allowed: search access to "uid=,ou=people,dc=ncl,dc=ac,dc=uk" "eduPersonPrincipalName" requested
<= root access granted
<= test_filter 5
<= test_filter_and 5
<= test_filter 5
bdb_search: 135 does not match filter
send_ldap_result: conn=27 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=0
conn=27 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
daemon: activity on 1 descriptor
daemon: activity on:
16r
daemon: read active on 16
connection_get(16)
connection_get(16): got connid=27
connection_read(16): checking for input on id=27
ber_get_next on fd 16 failed errno=0 (Success)
connection_read(16): input error=-2 id=27, closing.
connection_closing: readying conn=27 sd=16 for close
connection_close: deferring conn=27 sd=16
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
do_unbind
conn=27 op=2 UNBIND
connection_resched: attempting closing conn=27 sd=16
connection_close: conn=27 sd=16
daemon: removing 16
conn=27 fd=16 closed
daemon: activity on 1 descriptor
daemon: activity on:
13r
daemon: read active on 13
connection_get(13)
connection_get(13): got connid=25
connection_read(13): checking for input on id=25
ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=25, closing.
connection_closing: readying conn=25 sd=13 for close
connection_close: deferring conn=25 sd=13
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
do_unbind
conn=25 op=1 UNBIND
connection_resched: attempting closing conn=25 sd=13
connection_close: conn=25 sd=13
daemon: removing 13
conn=25 fd=13 closed
Line 6, which is in bold, states that the search filter is wrong. Does this mean that the <source-subject-identifiers> element below is configured wrongly?
<source-subject-identifiers>
  <source-subject-identifier source="jdbc_ncl" subject-attribute="loginid" >
    <ldap-search base="ou=people,dc=ncl,dc=ac,dc=uk"
                 scope="subtree_scope"
                 filter="(uid={0})" />
  </source-subject-identifier>
</source-subject-identifiers>
To recap, all the subjects are located in my LDAP source, and my loginid attribute in the JDBC source corresponds to the uid attribute in LDAP. I've also attached sources.xml and ldappc.xml for reference. A sample entry in our LDAP server is also given below:
dn: uid=john.smith@ncl.ac.uk,ou=people,dc=ncl,dc=ac,dc=uk
objectClass: top
objectclass: person
objectclass: eduPerson
objectclass: organizationalPerson
objectClass: inetOrgPerson
eduPersonPrincipalName: john.smith@ncl.ac.uk
uid: john.smith@ncl.ac.uk
cn: John Smith
sn: Smith
Thanks again for your help. Cheers. <<ldappc.xml>> <<sources.xml>>
Regards
Sanjay
>-----Original Message-----
>From: Tom Barton []
>Sent: 11 October 2007 17:10
>To: Sanjay Vivek
>Cc:
>Subject: Re: [grouper-users] null dto in class
>edu.internet2.middleware.grouper.GrouperSession error.
>
>
>
>Sanjay Vivek wrote:
>> Hi Tom,
>>
>> I've taken a look at the LDAP logs and it looks like Ldappc is looking
>> for the users in the Grouper groups in the LDAP source and not the
>> JDBC source. For example, we have John Smith
>> () in the Staff group and he's located in our
>> JDBC source (jdbc_ncl). What we would like to happen is for the groups
>> to be provisioned from Grouper to LDAP with the following entry in LDAP:
>>
>> dn: cn=ncl:staff,ou=grouper,dc=ncl,dc=ac,dc=uk
>> objectClass: groupOfNames
>> objectClass: top
>> member: ,ou=grouper,dc=ncl,dc=ac,dc=uk
>> cn: ncl:staff
>>
>> We are in a rather unique position of having JDBC as our primary
>> source of users. So is it feasible to provision users from our JDBC
>> source to LDAP without the users first being present in a LDAP source? Cheers.
>
>Ldappc will not create or delete person entries in ldap.
>That's presumed to be the province of your existing IdM
>operation. It *will* add/delete/modify group entries that
>correspond to grouper groups, and it will add/delete/modify a
>membership attribute in existing person entries (and any other
>entry types that are associated with group memberships).
>
>Ldappc is looking for users in ldap to determine the DN of
>entries corresponding to grouper group memberships to add
>those values to each group's member attribute. I expect that,
>if you turned up the log level of the
>log4j.logger.edu.internet2.middleware.subject logging target
>to debug, you'd see it looking up member subjects in your jdbc
>source to find the subject attribute it uses to build the ldap
>search filter to find each subject's corresponding ldap entry,
>and to find the subject attribute with which to populate
>corresponding hasMember values, per the declarations in ldappc.xml.
>
>
<?xml version="1.0" encoding="utf-8"?>
<!--
 * This file contains data for testing Ldappc.
 *
 * See ldappcTemplate.xml for documentation regarding how to use these
 * elements.
-->
<ldappc>
  <grouper>
    <group-queries>
      <subordinate-stem-queries>
        <stem-list>
          <stem>ncl</stem>
        </stem-list>
      </subordinate-stem-queries>
      <!--
      <attribute-matching-queries>
        <attribute-list>
          <attribute name="attribute" value="value" />
        </attribute-list>
      </attribute-matching-queries>
      -->
    </group-queries>
    <groups structure="flat"
            root-dn="ou=grouper,dc=ncl,dc=ac,dc=uk"
            ldap-object-class="groupOfNames"
            ldap-rdn-attribute="cn"
            grouper-attribute="name" >
      <group-members-dn-list list-object-class="groupOfNames"
                             list-attribute="member"
                             list-empty-value=""/>
      <group-members-name-list list-object-class="eduMember"
                               list-attribute="hasMember" >
        <source-subject-name-mapping>
          <source-subject-name-map source="jdbc_ncl" subject-attribute="id" />
          <source-subject-name-map source="g:gsa" subject-attribute="name" />
        </source-subject-name-mapping>
      </group-members-name-list>
      <!--
      <group-attribute-mapping ldap-object-class="">
        <group-attribute-map group-attribute="xxxx" ldap-attribute="yyyy" />
      </group-attribute-mapping>
      -->
    </groups>
    <memberships>
      <member-groups-list list-object-class="eduMember"
                          list-attribute="isMemberOf"
                          naming-attribute="name" />
    </memberships>
  </grouper>
  <source-subject-identifiers>
    <source-subject-identifier source="jdbc_ncl" subject-attribute="loginid" >
      <ldap-search base="ou=people,dc=ncl,dc=ac,dc=uk"
                   scope="subtree_scope"
                   filter="(uid={0})" />
    </source-subject-identifier>
  </source-subject-identifiers>
  <ldap>
    <context>
      <parameter-list>
        <parameter name="initial_context_factory" value="com.sun.jndi.ldap.LdapCtxFactory" />
        <parameter name="provider_url" value="ldap://pen.ncl.ac.uk:389" />
        <parameter name="security_authentication" value="simple" />
        <parameter name="security_principal" value="cn=YYYY" />
        <parameter name="security_credentials" value="XXXXX" />
      </parameter-list>
    </context>
  </ldap>
</ldappc>

<?xml version="1.0" encoding="utf-8"?>
<!--
  Grouper's subject resolver configuration
  $Id: sources.xml,v 1.6 2007/04/17 13:59:09 isgwb Exp $
-->
<sources>
  <!-- Group Subject Resolver -->
  <!-- NOTE: It is recommended that you **not** change the default values for this source adapter. -->
  <source adapterClass="edu.internet2.middleware.grouper.GrouperSourceAdapter">
    <id>g:gsa</id>
    <name>Grouper: Group Source Adapter</name>
    <type>group</type>
  </source>

  <!-- Group Subject Resolver -->
  <source adapterClass="edu.internet2.middleware.subject.provider.JDBCSourceAdapter">
    <id>jdbc_ncl</id>
    <name>NCL JDBC Source Adapter</name>
    <type>person</type>
    <init-param>
      <param-name>maxActive</param-name>
      <param-value>16</param-value>
    </init-param>
    <init-param>
      <param-name>maxIdle</param-name>
      <param-value>16</param-value>
    </init-param>
    <init-param>
      <param-name>maxWait</param-name>
      <param-value>-1</param-value>
    </init-param>
    <init-param>
      <param-name>dbDriver</param-name>
      <param-value>com.mysql.jdbc.Driver</param-value>
    </init-param>
    <init-param>
      <param-name>dbUrl</param-name>
      <param-value>jdbc:mysql://pod.ncl.ac.uk/XXXX</param-value>
    </init-param>
    <init-param>
      <param-name>dbUser</param-name>
      <param-value>XXXX</param-value>
    </init-param>
    <init-param>
      <param-name>dbPwd</param-name>
      <param-value>XXXX</param-value>
    </init-param>
    <init-param>
      <param-name>SubjectID_AttributeType</param-name>
      <param-value>id</param-value>
    </init-param>
    <init-param>
      <param-name>Name_AttributeType</param-name>
      <param-value>name</param-value>
    </init-param>
    <init-param>
      <param-name>Description_AttributeType</param-name>
      <param-value>description</param-value>
    </init-param>
    <search>
      <searchType>searchSubject</searchType>
      <param>
        <param-name>numParameters</param-name>
        <param-value>1</param-value>
      </param>
      <param>
        <param-name>sql</param-name>
        <param-value>
          select subject.subjectid as id, subject.name as name,
                 lfnamet.lfname as lfname, loginidt.loginid as loginid,
                 desct.description as description
          from subject
          left join (select subjectid, value as lfname from subjectattribute where name='name') as lfnamet
            on subject.subjectid=lfnamet.subjectid
          left join (select subjectid, value as loginid from subjectattribute where name='loginid') as loginidt
            on subject.subjectid=loginidt.subjectid
          left join (select subjectid, value as description from subjectattribute where name='description') as desct
            on subject.subjectid=desct.subjectid
          where subject.subjectid = ?
        </param-value>
      </param>
    </search>
    <search>
      <searchType>searchSubjectByIdentifier</searchType>
      <param>
        <param-name>numParameters</param-name>
        <param-value>1</param-value>
      </param>
      <param>
        <param-name>sql</param-name>
        <param-value>
          select subject.subjectid as id, subject.name as name,
                 lfnamet.lfname as lfname, loginidt.loginid as loginid,
                 desct.description as description
          from subject
          left join (select subjectid, value as lfname from subjectattribute where name='name') as lfnamet
            on subject.subjectid=lfnamet.subjectid
          left join (select subjectid, value as loginid from subjectattribute where name='loginid') as loginidt
            on subject.subjectid=loginidt.subjectid
          left join (select subjectid, value as description from subjectattribute where name='description') as desct
            on subject.subjectid=desct.subjectid
          where loginidt.loginid = ?
        </param-value>
      </param>
    </search>
    <search>
      <searchType>search</searchType>
      <param>
        <param-name>numParameters</param-name>
        <param-value>4</param-value>
      </param>
      <param>
        <param-name>sql</param-name>
        <param-value>
          select subject.subjectid as id, subject.name as name,
                 lfnamet.lfname as lfname, loginidt.loginid as loginid,
                 desct.description as description
          from subject
          left join (select subjectid, value as lfname from subjectattribute where name='name') as lfnamet
            on subject.subjectid=lfnamet.subjectid
          left join (select subjectid, value as loginid from subjectattribute where name='loginid') as loginidt
            on subject.subjectid=loginidt.subjectid
          left join (select subjectid, value as description from subjectattribute where name='description') as desct
            on subject.subjectid=desct.subjectid
          where (lower(name) like concat('%',concat(?,'%')))
             or (lower(lfnamet.lfname) like concat('%',concat(?,'%')))
             or (lower(loginidt.loginid) like concat('%',concat(?,'%')))
             or (lower(desct.description) like concat('%',concat(?,'%')))
        </param-value>
      </param>
    </search>
  </source>

  <source adapterClass="edu.internet2.middleware.subject.provider.JNDISourceAdapter">
    <id>ldap_ncl</id>
    <name>NCL LDAP Source Adapter</name>
    <type>person</type>
    <init-param>
      <param-name>INITIAL_CONTEXT_FACTORY</param-name>
      <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>
    </init-param>
    <init-param>
      <param-name>PROVIDER_URL</param-name>
      <param-value>ldap://pen.ncl.ac.uk:389</param-value>
    </init-param>
    <init-param>
      <param-name>SECURITY_AUTHENTICATION</param-name>
      <param-value>simple</param-value>
    </init-param>
    <init-param>
      <param-name>SECURITY_PRINCIPAL</param-name>
      <param-value>cn=YYYYYY</param-value>
    </init-param>
    <init-param>
      <param-name>SECURITY_CREDENTIALS</param-name>
      <param-value>XXXXX</param-value>
    </init-param>
    <init-param>
      <param-name>SubjectID_AttributeType</param-name>
      <param-value>eduPersonPrincipalName</param-value>
    </init-param>
    <init-param>
      <param-name>Name_AttributeType</param-name>
      <param-value>cn</param-value>
    </init-param>
    <init-param>
      <param-name>Description_AttributeType</param-name>
      <param-value>cn</param-value>
    </init-param>

    /// Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
    /// For filter use
    <search>
      <searchType>searchSubject</searchType>
      <param>
        <param-name>filter</param-name>
        <param-value>
          (&amp; (eduPersonPrincipalName=%TERM%) (objectclass=eduPerson))
        </param-value>
      </param>
      <param>
        <param-name>scope</param-name>
        <param-value>
          SUBTREE_SCOPE
        </param-value>
      </param>
      <param>
        <param-name>base</param-name>
        <param-value>
          ou=people,dc=ncl,dc=ac,dc=uk
        </param-value>
      </param>
    </search>
    <search>
      <searchType>searchSubjectByIdentifier</searchType>
      <param>
        <param-name>filter</param-name>
        <param-value>
          (&amp; (uid=%TERM%) (objectclass=eduPerson))
        </param-value>
      </param>
      <param>
        <param-name>scope</param-name>
        <param-value>
          SUBTREE_SCOPE
        </param-value>
      </param>
      <param>
        <param-name>base</param-name>
        <param-value>
          ou=people,dc=ncl,dc=ac,dc=uk
        </param-value>
      </param>
    </search>
    <search>
      <searchType>search</searchType>
      <param>
        <param-name>filter</param-name>
        <param-value>
          (&amp; (|(uid=%TERM%)(cn=*%TERM%*)(eduPersonPrincipalName=%TERM%))(objectclass=eduPerson))
        </param-value>
      </param>
      <param>
        <param-name>scope</param-name>
        <param-value>
          SUBTREE_SCOPE
        </param-value>
      </param>
      <param>
        <param-name>base</param-name>
        <param-value>
          ou=people,dc=ncl,dc=ac,dc=uk
        </param-value>
      </param>
    </search>

    ///Attributes you would like to display when doing a search
    <attribute>eduPersonPrincipalName</attribute>
    <attribute>cn</attribute>
  </source>
</sources>
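
The lookup Tom describes (subject attribute from the source, substituted into the ldappc.xml search filter, used to find the entry's DN), as an added Python sketch that is not Ldappc's code and not part of the original message. The function names, the constructed subject record and the RFC 4515 escaping step are assumptions of this example; the config fragment and the directory entry are the ones quoted in the message.

```python
import xml.etree.ElementTree as ET

# Fragment copied from the ldappc.xml attached to the message.
LDAPPC_FRAGMENT = """
<source-subject-identifiers>
  <source-subject-identifier source="jdbc_ncl" subject-attribute="loginid">
    <ldap-search base="ou=people,dc=ncl,dc=ac,dc=uk"
                 scope="subtree_scope" filter="(uid={0})" />
  </source-subject-identifier>
</source-subject-identifiers>
"""

# Sample directory entry from the message, keyed by DN.
DIRECTORY = {
    "uid=john.smith@ncl.ac.uk,ou=people,dc=ncl,dc=ac,dc=uk": {
        "uid": ["john.smith@ncl.ac.uk"],
        "eduPersonPrincipalName": ["john.smith@ncl.ac.uk"],
    },
}

def escape_filter_value(value):
    """Escape RFC 4515 special characters (assumed step, not from the page)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_search(source_id, subject_attrs):
    """Return (base, filter) for a subject of source_id, or None."""
    root = ET.fromstring(LDAPPC_FRAGMENT)
    for ident in root.iter("source-subject-identifier"):
        if ident.get("source") != source_id:
            continue
        value = subject_attrs.get(ident.get("subject-attribute"))
        if not value:
            return None  # subject lacks the attribute, so no filter exists
        search = ident.find("ldap-search")
        template = search.get("filter")
        return search.get("base"), template.replace("{0}", escape_filter_value(value))
    return None  # no identifier mapping declared for this source

def resolve_dn(base, ldap_filter):
    """Evaluate a simple (attr=value) filter against DIRECTORY under base."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and value.lower() in (v.lower() for v in attrs.get(attr, []))]
```

A subject whose `loginid` is missing, or whose source has no `<source-subject-identifier>` entry, yields no filter at all, which is a different failure from a filter that runs and matches nothing.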