
grouper-users - RE: [grouper-users] Ldappc Provisioning to Active Directory

Subject: Grouper Users - Open Discussion List

  • From: Richard James <>
  • To: "" <>
  • Subject: RE: [grouper-users] Ldappc Provisioning to Active Directory
  • Date: Tue, 3 Aug 2010 08:58:40 +0100
  • Accept-language: en-US, en-GB

Hi Tom,

I have attached our ldappc.xml file and also the properties file for which I
have removed any user credentials.

Regards

Richard

>-----Original Message-----
>From: [mailto:] On Behalf Of Tom Zeller
>Sent: 02 August 2010 17:56
>To: Richard James
>Cc:
>Subject: Re: [grouper-users] Ldappc Provisioning to Active Directory
>
>Could you reply with a sanitized (passwordless) version of your
>configuration, ldappc.xml, please ?
>
>On Mon, Aug 2, 2010 at 10:39 AM, Richard James <> wrote:
>> Hi All,
>>
>> We have recently started testing the provisioning of grouper groups
>> into our test Active directory using ldappc (we will move towards using
>> ldappcng once we have got ldappc working correctly). We have managed to
>> load a number of groups into the active directory but when it comes to
>> assigning members to these groups we are coming across a few issues.
>>
>> I have configured our ldappc.xml file in line with the example active
>> directory configuration which is documented here,
>> https://spaces.internet2.edu/display/GrouperWG/LDAPPC. Initially I
>> commented out any memberships config, as per the guidance, but on trying
>> to provision memberships, I got the error attached in
>> nomembershipconfig.txt. There is definitely a member within the group we
>> are trying to provision, so I'm not sure why this message is being
>> returned.
>>
>> I have then tried to add the memberships section into the config file,
>> this time it recognises that there is a member of the group and locates
>> the user with the correct path of the AD, but returns an attribute
>> conversion error on attempting to provision the membership.
>> (membershipconfig.txt).
>>
>> Unfortunately our experience of provisioning items into an ldap
>> directory is very limited. The fact that we are able to create the
>> groups in the active directory is very promising, but the assigning of
>> members is leaving us a little baffled at the moment, so any
>> pointers/guidance would be very much appreciated.
>>
>> Many thanks in advance
>>
>> Richard James
>> ISS Middleware Team
>> Newcastle University
>>
>>
>>
<?xml version="1.0" encoding="utf-8"?>

  <!-- see https://spaces.internet2.edu/display/GrouperWG/LDAPPC -->

<ldappc>
  <grouper>
    <group-queries>

      <subordinate-stem-queries>
        <stem-list>
          <stem>test</stem>
        </stem-list>
      </subordinate-stem-queries>

      <!-- attribute-matching-queries>
        <attribute-list>
          <attribute
            name="_attr_name_"
            value="_attr_value_" />
        </attribute-list>
      </attribute-matching-queries -->

    </group-queries>

    <groups
      structure="bushy"
      root-dn="OU=GrouperTest,${edu.vt.middleware.ldap.base}"
      ldap-object-class="group"
      ldap-rdn-attribute="cn"
      grouper-attribute="name">

      <group-members-dn-list list-object-class="group" list-attribute="member" />


      <group-members-name-list list-object-class="eduMember" list-attribute="hasMember">
        <source-subject-name-mapping>
          <source-subject-name-map source="jdbc" subject-attribute="id" />
        </source-subject-name-mapping>
      </group-members-name-list>

      <group-attribute-mapping ldap-object-class="group">
        <group-attribute-map group-attribute="description" ldap-attribute="description" />
      </group-attribute-mapping>

      <resolver-attribute-mapping ldap-object-class="group">
        <resolver-attribute-map resolver-attribute="sAMAccountName" ldap-attribute="sAMAccountName" />
      </resolver-attribute-mapping>

    </groups>

    <memberships>
      <member-groups-list list-object-class="eduMember" list-attribute="isMemberOf" naming-attribute="name" />
    </memberships>

  </grouper>

  <source-subject-identifiers>
    <source-subject-identifier source="jdbc" subject-attribute="id">
      <ldap-search
        base="CN=Users,${edu.vt.middleware.ldap.base}"
        scope="subtree_scope"
        filter="(cn={0})" />
    </source-subject-identifier>
  </source-subject-identifiers>

</ldappc>
#
# ldappc.properties
#

# Macros of the form ${name} in your configuration
# will be replaced with the values of the matching keys of this file.

edu.vt.middleware.ldap.ldapUrl=****
edu.vt.middleware.ldap.base=dc=testcampus,dc=ncl,dc=ac,dc=uk
edu.vt.middleware.ldap.authtype=simple
edu.vt.middleware.ldap.serviceUser=
edu.vt.middleware.ldap.serviceCredential=
edu.vt.middleware.ldap.ssl=false
edu.vt.middleware.ldap.tls=false

# For Active Directory
edu.vt.middleware.ldap.pagedResultsSize=100

# DNstructure=flat|bushy
DNstructure=bushy

# Group objectClass for OpenLDAP, RedHat/Fedora, ApacheDS, etc.
#groupObjectClass=groupOfNames

# Group objectClass for Active Directory
groupObjectClass=group

# Base DN for members
peopleOU=CN=Users,DC= testcampus,DC =ncl,DC =ac,DC= uk

# Base DN for groups
#groupsOU=OU=GrouperTest,DC=testcampus,DC=ncl,DC=ac,DC=uk
groupsOU=OU=GrouperTest,DC=testcampus,DC=ncl,DC=ac,DC=uk

# For LDAPPC (not LDAPPCNG)
# The QuotedDnResultHandler removes quotes from DNs of the form "CN=quoted/name",DC=edu.
# The FqdnSearchResultHandler makes sure that all ldap dns are fully qualified.
#edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.ldappc.util.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler

# handle Active Directory groups with a large (>1500) number of members
# see https://bugs.internet2.edu/jira/browse/GRP-335
# see http://code.google.com/p/vt-middleware/wiki/vtldapAD#Range_Attributes
#
edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.ldappc.util.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler,edu.internet2.middleware.ldappc.util.RangeSearchResultHandler
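
Added example, not part of the original message or of ldappc itself: the properties file above states that ${name} macros in the configuration are replaced from matching keys, so this Python code expands them in the XML attributes, reports any macro with no matching key, and flags a simple bind configured with neither SSL nor TLS. The sample URL, the `${peopleOU}` reference and all function names are constructed for illustration, and reading the `authtype`, `ssl` and `tls` keys by their names is an assumption.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample input modelled on the attachments; the URL and the
# ${peopleOU} reference are made up for this example.
PROPERTIES = """\
edu.vt.middleware.ldap.ldapUrl=ldap://ad.example.invalid:389
edu.vt.middleware.ldap.base=dc=testcampus,dc=ncl,dc=ac,dc=uk
edu.vt.middleware.ldap.authtype=simple
edu.vt.middleware.ldap.ssl=false
edu.vt.middleware.ldap.tls=false
"""
XML = """\
<ldappc>
  <groups root-dn="OU=GrouperTest,${edu.vt.middleware.ldap.base}"/>
  <ldap-search base="${peopleOU}" filter="(cn={0})"/>
</ldappc>
"""
MACRO = re.compile(r"\$\{([^}]+)\}")
P = "edu.vt.middleware.ldap."

def load_properties(text):
    """Parse key=value lines, splitting on the first '=' so DN values stay whole."""
    pairs = (l.partition("=") for l in map(str.strip, text.splitlines())
             if l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def expand_attributes(xml_text, props):
    """Return ({"tag@attr": expanded value}, sorted names of unresolved macros)."""
    expanded, missing = {}, set()
    def sub(m):
        if m.group(1) not in props:
            missing.add(m.group(1))  # leave the macro in place and report it
            return m.group(0)
        return props[m.group(1)]
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if MACRO.search(value):
                expanded[f"{elem.tag}@{attr}"] = MACRO.sub(sub, value)
    return expanded, sorted(missing)

def cleartext_simple_bind(props):
    """True when a simple bind (DN + password) would travel without SSL/TLS."""
    secured = (props.get(P + "ssl", "").lower() == "true"
               or props.get(P + "tls", "").lower() == "true"
               or props.get(P + "ldapUrl", "").lower().startswith("ldaps://"))
    return props.get(P + "authtype", "").lower() == "simple" and not secured

if __name__ == "__main__":
    props = load_properties(PROPERTIES)
    print(expand_attributes(XML, props), cleartext_simple_bind(props))
```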


