Grouper Users - Open Discussion List

[Tom Barton <>]

Scott Koranda wrote:
> Hi,
>
> Apologies for the long note and many questions...we would like
> to leverage Grouper but we are not Java/Tomcat experts.
>
> I am following the details at
>
> https://wiki.internet2.edu/confluence/display/GrouperWG/Initializing+Administration+of+Privileges
>
> to try and bootstrap the wheel group but I am confused and
> having some problems. Specifically:
>
> - Does Tomcat need to be running when trying to use gsh.sh?
>   Does gsh.sh talk through Tomcat in some way? Or is gsh.sh
>   authenticating directly to the underlying relational
>   database and manipulating it directly?

gsh uses the API to directly manipulate the database. No tomcat.

>   If it is directly maninpulating the relational database,
>   then which configuration file(s) is it using to obtain the
>   necessary information? Is it reading the configuration in 
>   $CATALINA_HOME/webapps/grouper or in $GROUPER_HOME
>   where I did the building?

$GROUPER_HOME/conf

>   Is the model that I am supposed to change configuration
>   files in $GROUPER_HOME, then redeploy into Tomcat each time
>   I want to make a configuration change?

Yes. Further, if your build and tomcat areas are on the same host, you 
can have tomcat run grouper from $GROUPER_HOME/../build/grouper, which 
is maintained when you rebuild grouper with ant. Very convenient, no 
copying and redeploying. Just a reload to pick up new config changes. To 
do so, place a context file in $TOMCAT_HOME/conf/Catalina/localhost 
named grouper.xml with contents similar to this:

<Context path="/grouper" docBase="/opt/grouper/1.3.0/build/grouper/"
   debug="0" privileged="false" reloadable="false" swallowOutput="true"
/>

Of course, you'll have to ensure that the tomcat user can read 
$GROUPER_HOME/../build/grouper.

> - I was able to run these commands:
>
> gsh-0.1.1 2% addRootStem("etc", "Grouper Administration")
> gsh-0.1.1 3% addGroup("etc", "sysadmingroup", "SysAdmin Group")
>
> When I try, however, to add a member to that group I am
> getting this:
>
> gsh-0.1.1 4% addMember("etc:sysadmingroup", "883")
> // Error: subject not found: 883
> false
>
> Here '883' is the value for the employeeNumber attribute in
> our LDAP for myself. I had configured in sources.xml the
> following:
>
> <param-name>SubjectID_AttributeType</param-name>
> <param-value>employeeNumber</param-value>
>
> ...
>
> <searchType>searchSubject</searchType>
>       <param>
>         <param-name>filter</param-name>
>         <param-value> 
> (&amp;(employeeNumber=%TERM%)(objectclass=inetOrgPerson))
>         </param-value>
>       </param>
>       <param>
>         <param-name>scope</param-name>
>         <param-value>ONELEVEL_SCOPE</param-value>
>       </param>
>
> So I would have thought entering '883' would have worked.

I assume that you have verified with a plain ldap client that this 
filter with whatever base you've configured and onelevel scope works 
fine when BINDing as the configured security_principal.

> How can I verify that the grouper running under Tomcat and
> also gsh.sh are able to search our LDAP correctly? 

Give gsh the getSources() command. It should list each source configured 
in sources.xml, if they have initialized ok.

gsh's findSubject("883") ought to just fetch that subject.

If either of these don't work, check the grouper_error log. You might 
want to retry after setting the Subject API logging level up to "info" 
in $GROUPER_HOME/conf/log4j.properties to get more verbose log messages. 
These should provide a good clue.

If you've got the problem solved with gsh, I bet you can get tomcat to 
follow suit!

> I appreciate any help you can offer.
>
> Thanks,
>
> Scott

Tom