grouper-users - RE: [grouper-users] Subject Identifiers for provisioning to Active Directory

Subject: Grouper Users - Open Discussion List

  • From: Richard James <>
  • To: "'Tom Zeller'" <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Subject Identifiers for provisioning to Active Directory
  • Date: Fri, 6 Aug 2010 15:48:03 +0100
  • Accept-language: en-US, en-GB

I have attached our sources.xml file which we are using in our test
environment and therefore is configured just for staff members currently.

Richard

>-----Original Message-----
>From:
>
>
>[mailto:]
> On Behalf Of Tom
>Zeller
>Sent: 06 August 2010 15:24
>To: Richard James
>Cc:
>
>Subject: Re: [grouper-users] Subject Identifiers for provisioning to
>Active Directory
>
>What Source/Subject adapter are you using? Is it custom? If not
>custom, posting your (sanitized) sources.xml will help.
>
>TomZ
>
>On Fri, Aug 6, 2010 at 8:59 AM, Richard James
><>
> wrote:
>> Hi All,
>>
>> With some very much appreciated help from the community, we are able
>to successfully provision from grouper into our active directory, yet we
>do have an area which we would appreciate some advice on.
>>
>> Our current Grouper setup uses
>>
>> as the subject
>identifier, this is to ensure that our Grouper install is future proof
>if we begin to allow multi institutional federated access.
>>
>> The issue we encounter is that within the active directory, there are
>no attributes attached to a user object which use the
>
>scope. The attribute we would ideally like to be able to search is the
>sAMAccountName, which uses just the login id, without the @ncl.ac.uk. To
>currently be able to find subjects in the AD, we are setting the subject
>'name' attribute to be the login id so that we can use this in the
>ldap-search,
>>
>> <source-subject-identifiers>
>>    <source-subject-identifier source="jdbc" subject-attribute="name">
>>      <ldap-search
>>        base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
>>        scope="onelevel_scope"
>>        filter="(sAMAccountName={0})" />
>>    </source-subject-identifier>
>>  </source-subject-identifiers>
>>
>> What we are wondering is if there is any way to attach a custom
>attribute to the subject which we can define as sAMAccountName, and be
>able to use this in the LDAP search? Or alternatively be able to trim
>the @ncl.ac.uk from the ID for searching, similar to the process used
>for replacing colons for the sAMAccountName in the creation of a new
>group?
>>
>> Any hints or possible approaches would be very much appreciated.
>>
>> Regards
>>
>> Richard James
>> ISS Middleware Team
>>
>>
>>
<?xml version="1.0" encoding="utf-8"?>

<!--
Grouper's subject resolver configuration
$Id: sources.example.xml,v 1.8 2009-08-11 20:18:09 mchyzer Exp $
-->

<sources>

  
  <!-- 
    NOTE: It is recommended that you **not** change the default
          values for this source adapter.
  -->
  <source adapterClass="edu.internet2.middleware.grouper.GrouperSourceAdapter">
    <id>g:gsa</id>
    <name>Grouper: Group Source Adapter</name>
    <type>group</type>
  </source>
  <!-- Group Subject Resolver -->

  <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2">
    <id>jdbc</id>
    <name>NCL Staff</name>
    <type>person</type>
    <init-param>
      <param-name>jdbcConnectionProvider</param-name>
      <param-value>edu.internet2.middleware.grouper.subj.GrouperJdbcConnectionProvider</param-value>
    </init-param>

    <init-param>
      <param-name>dbTableOrView</param-name>
      <param-value>NCL_staff</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdCol</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>nameCol</param-name>
      <param-value>surname</param-value>
    </init-param>
    <init-param>
      <param-name>Description_AttributeType</param-name>
      <param-value>fullname</param-value>
    </init-param>
    <init-param>
      <!-- search col where general searches take place, lower case -->
      <param-name>lowerSearchCol</param-name>
      <param-value>searchvalues</param-value>
    </init-param>
    <init-param>
      <!--optional col if you want the search results sorted in the API (note, UI might override)-->
      <param-name>defaultSortCol</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <!-- col which identifies the row, perhaps not subjectId, add multiple by incrementing the 0 index -->
      <param-name>subjectIdentifierCol0</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <!-- col which identifies the row, perhaps not subjectId, add multiple by incrementing the 0 index -->
      <param-name>subjectIdentifierCol1</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <!-- now you can count up from 0 to N of attributes for various cols.
         The name is how to reference in subject.getAttribute() -->
    <init-param>
      <param-name>subjectAttributeCol0</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>subjectAttributeName0</param-name>
      <param-value>loginname</param-value>
    </init-param>

  </source>


</sources>
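
The trimming asked about in the quoted question, sketched as an added example (not part of the thread and not Grouper or ldappc code): it strips the home scope from a scoped subject id, refuses ids from any other scope so a federated id can never resolve to a local account with the same login, and escapes the result per RFC 4515 before it is placed in the `(sAMAccountName={0})` filter. The function names and sample ids are hypothetical; the `ncl.ac.uk` scope and the filter template are taken from the thread.

```python
# Assumed home scope, from the "@ncl.ac.uk" suffix mentioned in the thread.
HOME_SCOPE = "ncl.ac.uk"
# Filter template as posted in the thread's <ldap-search> element.
FILTER_TEMPLATE = "(sAMAccountName={0})"

# RFC 4515: these characters must be written as \XX inside a filter value.
_FILTER_SPECIALS = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def local_login(subject_id: str, home_scope: str = HOME_SCOPE) -> str:
    """Return the login part of login@scope, accepting only the home scope."""
    local, sep, scope = subject_id.strip().rpartition("@")
    if not sep or not local:
        raise ValueError("expected a scoped id of the form login@scope")
    if scope.lower() != home_scope.lower():
        # A foreign-scoped id must not be matched against local AD accounts.
        raise ValueError(f"scope {scope!r} is not the home scope")
    return local


def build_filter(subject_id: str) -> str:
    """Build the sAMAccountName search filter for a scoped subject id."""
    return FILTER_TEMPLATE.format(escape_filter_value(local_login(subject_id)))


if __name__ == "__main__":
    # Constructed sample ids, not real accounts.
    for sid in ("nabc1@ncl.ac.uk", "j*smith@ncl.ac.uk"):
        print(sid, "->", build_filter(sid))
```
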



