
grouper-users - RE: [grouper-users] Subject Identifiers for provisioning to Active Directory

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Richard James <>, 'Tom Zeller' <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Subject Identifiers for provisioning to Active Directory
  • Date: Fri, 6 Aug 2010 11:06:37 -0400
  • Accept-language: en-US

Isn't this a typo?

<init-param>
<!-- col which identifies the row, perhaps not subjectId, add multiple
by incrementing the 0 index -->
<param-name>subjectIdentifierCol0</param-name>
<param-value>loginname</param-value>
</init-param>
<init-param>
<!-- col which identifies the row, perhaps not subjectId, add multiple
by incrementing the 0 index -->
<param-name>subjectIdentifierCol1</param-name>
<param-value>loginname</param-value>
</init-param>

Maybe it should be something like (or whatever the sam account column is):

<init-param>
<!-- col which identifies the row, perhaps not subjectId, add multiple
by incrementing the 0 index -->
<param-name>subjectIdentifierCol0</param-name>
<param-value>loginname</param-value>
</init-param>
<init-param>
<!-- col which identifies the row, perhaps not subjectId, add multiple
by incrementing the 0 index -->
<param-name>subjectIdentifierCol1</param-name>
<param-value>sAMAccountName</param-value>
</init-param>

Then add that attribute:

<init-param>
<param-name>subjectAttributeCol1</param-name>
<param-value>sAMAccountName</param-value>
</init-param>
<init-param>
<param-name>subjectAttributeName1</param-name>
<param-value>sAMAccountName</param-value>
</init-param>

Sorry if this is off track, not exactly sure what you want. Are you asking
for the subject search in grouper to find subject by two ways, netid, and
?
If so, then the above should help.

Thanks,
Chris


-----Original Message-----
From: [mailto:] On Behalf Of Richard James
Sent: Friday, August 06, 2010 10:48 AM
To: 'Tom Zeller'
Cc:
Subject: RE: [grouper-users] Subject Identifiers for provisioning to Active Directory

I have attached our sources.xml file which we are using in our test
environment and therefore is configured just for staff members currently.

Richard

>-----Original Message-----
>From: [mailto:] On Behalf Of Tom Zeller
>Sent: 06 August 2010 15:24
>To: Richard James
>Cc:
>Subject: Re: [grouper-users] Subject Identifiers for provisioning to Active Directory
>
>What Source/Subject adapter are you using ? Is it custom ? If not
>custom, posting your (sanitized) sources.xml will help.
>
>TomZ
>
>On Fri, Aug 6, 2010 at 8:59 AM, Richard James <> wrote:
>> Hi All,
>>
>> With some very much appreciated help from the community, we are able
>to successfully provision from grouper into our active directory, yet
>we do have an area which we would appreciate some advice on.
>>
>> Our current Grouper setup uses
>>
>> as the subject
>identifier, this is to ensure that our Grouper install is future proof
>if we begin to allow multi institutional federated access.
>>
>> The issue we encounter is that within the active directory, there are
>no attributes attached to a user object which use the
>
>
>scope. The attribute we would ideally like to be able to search is the
>sAMAccountName, which uses just the login id, without the @ncl.ac.uk.
>To currently be able to find subjects in the AD, we are setting the
>subject 'name' attribute to be the login id so that we can use this in
>the ldap-search,
>>
>> <source-subject-identifiers>
>>    <source-subject-identifier source="jdbc" subject-attribute="name">
>>      <ldap-search
>>        base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
>>        scope="onelevel_scope"
>>        filter="(sAMAccountName={0})" />
>>    </source-subject-identifier>
>>  </source-subject-identifiers>
>>
>> What we are wondering is if there is any way to attach a custom
>attribute to the subject which we can define as sAMAccountName, and be
>able to use this in the LDAP search? Or alternatively be able to trim
>the @ncl.ac.uk from the ID for searching, similar to the process used
>for replacing colons for the sAMAccountName in the creation of a new
>group?
>>
>> Any hints or possible approaches would be very much appreciated.
>>
>> Regards
>>
>> Richard James
>> ISS Middleware Team
>>
>>
>>
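
The alternative raised in the original question (trimming the @ncl.ac.uk scope before the value goes into the `(sAMAccountName={0})` filter), sketched as an added example that is not part of the thread and not Grouper code. The function names and sample ids are hypothetical; the sketch strips only the local scope, so an identifier scoped to another institution never resolves to a local account, and it escapes the value per RFC 4515 before substitution.

```python
"""Scope-aware mapping from a scoped subject id to an AD search filter."""

LOCAL_SCOPE = "ncl.ac.uk"                 # scope named in the thread
FILTER_TEMPLATE = "(sAMAccountName={0})"  # filter from the posted ldap-search

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_from_subject_id(subject_id, local_scope=LOCAL_SCOPE):
    """Return the unscoped login for a locally scoped id, otherwise None.

    Ids with a foreign scope, no scope, or more than one '@' are rejected
    rather than trimmed, so 'user@other.example' cannot match local 'user'.
    """
    parts = subject_id.split("@")
    if len(parts) != 2 or not parts[0]:
        return None
    login, scope = parts
    if scope.lower() != local_scope.lower():
        return None
    return login


def ad_filter_for(subject_id, template=FILTER_TEMPLATE):
    """Build the AD search filter for a subject id, or raise ValueError."""
    login = login_from_subject_id(subject_id)
    if login is None:
        raise ValueError("subject id is not in the local scope: %r" % subject_id)
    return template.replace("{0}", escape_filter_value(login))


if __name__ == "__main__":
    # Constructed sample ids, not taken from the thread.
    for sid in ("jsmith@ncl.ac.uk", "jsmith@other.example", "j*smith@ncl.ac.uk"):
        try:
            print(sid, "->", ad_filter_for(sid))
        except ValueError as err:
            print(sid, "-> rejected:", err)
```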


