
grouper-users - Re: [grouper-users] LDAP user source -> SOLVED ?

Subject: Grouper Users - Open Discussion List

  • From: Tom Barton <>
  • To: Lutz Suhrbier <>
  • Cc:
  • Subject: Re: [grouper-users] LDAP user source -> SOLVED ?
  • Date: Wed, 12 Nov 2008 14:32:37 -0600

This is now bug -Tom

Lutz Suhrbier wrote:

According to one of its former developers, the issue appears to be a bug in the JNDISourceAdapter. Essentially, there's something about how it uses JNDI to deal with encrypted values such as userPassword that is buggy.

Lutz, although it's probably best practice to use <attribute> statements in a production system anyway, I wonder if another way to cure the problem is to change the ACL on the ldap server so that it doesn't allow READ of the userPassword attribute for the DN in the sources.xml file.
Tom, you are right!

I checked it out by removing all attribute-elements from the source.xml and changing the ACL of the admin-DN for userPassword from "write" to "auth" in the /etc/slapd.conf. Everything was working as expected.
Turning back by resetting the userPassword-ACL to "write", the formerly observed "Error" occurs again.

So, it appears that's really a JNDI-bug handling encrypted values.



Lutz has

Lutz Suhrbier wrote:

meanwhile, I found a solution to that error.
Within the sources.xml, I have had to include at least those LDAP elements within "attribute" elements, which are requested in the subject, subjectId and description items of the source. If not, then the error described in my last posting (see below) occurs.

As the wiki documentation states that NOT including "attribute" elements just leads to requesting all available attributes from the given LDAP-source, this would mean that there is a bug in the implementation, or not?
Or, is it a feature of the implementation, since looking through the documentation, I did not find a hint that Grouper-UI can be configured somewhere else than in sources.xml to define those attributes from the sources, which shall be presented to the user in the UI?

best regards


I configured grouper to use LDAP as source for member.
Meanwhile, I can search for members, and I get a complete list of their names when searching for "*"

Now, when I am clicking any item on that list, I only get an error page. Also, when logging in, then instead of the login name, I see only "Error", but, as I configured a wheel group, I can change between myself and the admin role.

I get the following in grouper-ui.log:
2008-11-07 01:40:50,396 ERROR actions.GrouperCapableAction: < l.suhrbier A4D166A577715C4EDA80085103C1F6DA-0055 ec33e9bc-c490-469b-964a-a56aa10548d2 l.suhrbier edit-dev > java.lang.ClassCastException: [B
at edu.internet2.middleware.subject.provider.JNDISourceAdapter.loadAttributes(Unknown Source)
at edu.internet2.middleware.subject.provider.JNDISubject.getAttributes(Unknown Source)
at edu.internet2.middleware.grouper.ui.actions.PopulateSubjectSummaryAction.grouperExecute(PopulateSubjec
at edu.internet2.middleware.grouper.ui.actions.GrouperCapableAction$1.callback(
at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3TransactionDAO$1.callback(Hib3TransactionDAO.ja
at edu.internet2.middleware.grouper.hibernate.HibernateSession.callbackHibernateSession(HibernateSession.
at edu.internet2.middleware.grouper.internal.dao.hib3.Hib3TransactionDAO.transactionCallback(Hib3Transact
at edu.internet2.middleware.grouper.hibernate.GrouperTransaction.callbackGrouperTransaction(GrouperTransa
at edu.internet2.middleware.grouper.hibernate.GrouperTransaction.callbackGrouperTransaction(GrouperTransa
at edu.internet2.middleware.grouper.ui.actions.GrouperCapableAction.grouperTransactionExecute(GrouperCapa
at edu.internet2.middleware.grouper.ui.actions.GrouperCapableAction.execute(
at org.apache.struts.action.RequestProcessor.processActionPerform(
at org.apache.struts.action.RequestProcessor.process(
at org.apache.struts.action.ActionServlet.process(
at org.apache.struts.action.ActionServlet.doGet(
at javax.servlet.http.HttpServlet.service(
at javax.servlet.http.HttpServlet.service(
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
at edu.internet2.middleware.grouper.ui.LoginCheckFilter.doFilter(
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
at edu.internet2.middleware.grouper.ui.ErrorFilter.doFilter(
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
at org.apache.catalina.core.StandardWrapperValve.invoke(
at org.apache.catalina.core.StandardContextValve.invoke(
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(
at org.apache.catalina.core.StandardHostValve.invoke(
at org.apache.catalina.valves.ErrorReportValve.invoke(
at org.apache.catalina.core.StandardEngineValve.invoke(
at org.apache.catalina.connector.CoyoteAdapter.service(
at org.apache.jk.server.JkCoyoteHandler.invoke(
at org.apache.jk.common.HandlerRequest.invoke(
at org.apache.jk.common.ChannelSocket.invoke(
at org.apache.jk.common.ChannelSocket.processConnection(
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(

I already set the ACL in my slapd.conf to allow write access to everybody. So, I guess that LDAP access rights could not be the cause why attributes are not loaded.
Does the LDAP Dir have to provide any specific attributes for members (besides those I defined in sources.xml), which perhaps I do not offer?

Does anybody have any hint what could cause that error?
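
Added example, not part of the original thread and not Grouper's code: the JNDI LDAP provider returns userPassword as a byte[] rather than a String, which matches the "ClassCastException: [B" in the trace above. The sketch contrasts a loader that casts every value to String with one that skips sensitive and binary attributes; the class name, loadNaive, loadSafe and the sample entry are all constructed for illustration.

```java
import java.util.*;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class JndiAttributeDemo {
    // Attributes that should never reach the UI, even if the bind DN can read them.
    static final Set<String> SENSITIVE = Set.of("userpassword");

    // Hypothetical failing pattern: assumes every attribute value is a String.
    static Map<String, String> loadNaive(Attributes attrs) throws NamingException {
        Map<String, String> out = new HashMap<>();
        NamingEnumeration<? extends Attribute> e = attrs.getAll();
        while (e.hasMore()) {
            Attribute a = e.next();
            out.put(a.getID(), (String) a.get()); // throws ClassCastException on byte[]
        }
        return out;
    }

    // Defensive variant: drop sensitive attributes, keep only String values.
    static Map<String, List<String>> loadSafe(Attributes attrs) throws NamingException {
        Map<String, List<String>> out = new TreeMap<>();
        NamingEnumeration<? extends Attribute> e = attrs.getAll();
        while (e.hasMore()) {
            Attribute a = e.next();
            if (SENSITIVE.contains(a.getID().toLowerCase(Locale.ROOT))) continue;
            List<String> vals = new ArrayList<>();
            NamingEnumeration<?> v = a.getAll();
            while (v.hasMore()) {
                Object o = v.next();
                if (o instanceof String) vals.add((String) o); // binary values are skipped
            }
            if (!vals.isEmpty()) out.put(a.getID(), vals);
        }
        return out;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample entry, as returned when no <attribute> filter limits the search.
        Attributes entry = new BasicAttributes(true);
        entry.put("uid", "jdoe");
        entry.put("cn", "Jane Doe");
        entry.put(new BasicAttribute("userPassword", "{SSHA}constructed".getBytes()));
        try { loadNaive(entry); }
        catch (ClassCastException ex) { System.out.println("naive loader failed: " + ex); }
        System.out.println("safe loader: " + loadSafe(entry));
    }
}
```

Both workarounds in the thread keep the byte[] value out of the result set: listing explicit attribute elements narrows what is requested, and the "auth" ACL stops the bind DN from reading userPassword at all.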

