grouper-users - Re: [grouper-users] Using GrouperShell to bootstrap the Wheel Group

Subject: Grouper Users - Open Discussion List

  • From: Scott Koranda <>
  • To: Tom Barton <>
  • Cc:
  • Subject: Re: [grouper-users] Using GrouperShell to bootstrap the Wheel Group
  • Date: Wed, 2 Jul 2008 12:45:18 -0500

Hi,

>
> I assume that you have verified with a plain ldap client that this filter
> with whatever base you've configured and onelevel scope works fine when
> BINDing as the configured security_principal.

Yes, but...

>
> > How can I verify that the grouper running under Tomcat and
> > also gsh.sh are able to search our LDAP correctly?
>
> Give gsh the getSources() command. It should list each source configured in
> sources.xml, if they have initialized ok.
>
> gsh's findSubject("883") ought to just fetch that subject.
>
> If either of these don't work, check the grouper_error log. You might want
> to retry after setting the Subject API logging level up to "info" in
> $GROUPER_HOME/conf/log4j.properties to get more verbose log messages. These
> should provide a good clue.
>

Thanks, this was quite helpful.

The main problem was that Grouper/gsh as a client was not able
to use SSL to talk with our LDAP because it could not find the
CA cert to verify the cert that the LDAP is using.

I used this brute force approach to solve that problem:

keytool -import -file /etc/openldap/cacerts/df0d159c.0 \
    -keystore /opt/java/jre/lib/security/cacerts

With this change I was able to do getSources() and see that
the Grouper API can talk to our LDAP.

> If you've got the problem solved with gsh, I bet you can get tomcat to
> follow suit!

Yes, indeed. I now have Grouper running inside of Tomcat.

Thanks much,

Scott
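
An added example, not part of the original message: a narrower alternative to importing into the JRE-wide cacerts file, which checks the CA certificate's fingerprint before trusting it and keeps it in a dedicated truststore. The function names, alias, paths and password are hypothetical, and the expected fingerprint is assumed to come from the CA operator out of band.

```sh
#!/bin/sh
# Added example (not from the original message): trust the LDAP CA through a
# dedicated truststore instead of editing the JRE-wide cacerts file.
# Function names, alias, paths and password are hypothetical placeholders.

# Print a PEM certificate's SHA-256 fingerprint as upper-case hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Import the CA only if its fingerprint equals the value obtained out of band
# from the CA operator. Fails closed on an unreadable file or a mismatch.
# usage: import_ca <ca.pem> <expected_sha256> <truststore> <storepass> <alias>
import_ca() {
    actual=$(cert_fingerprint "$1")
    expected=$(printf '%s' "$2" | sed 's/://g' | tr 'a-f' 'A-F')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing to import $1: fingerprint missing or mismatched" >&2
        return 1
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$5" \
        -file "$1" -keystore "$3" -storepass "$4"
}

# JVM options that make JSSE clients (gsh, Tomcat) use that truststore.
truststore_opts() {
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" \
        "-Djavax.net.ssl.trustStorePassword=$2"
}
```

Setting javax.net.ssl.trustStore replaces the default trust store for that JVM process, so the dedicated store has to contain every CA the process needs to verify.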
