grouper-users - RE: [grouper-users] Subject Identifiers for provisioning to Active Directory

Subject: Grouper Users - Open Discussion List

RE: [grouper-users] Subject Identifiers for provisioning to Active Directory


  • From: Richard James <>
  • To: "'Chris Hyzer'" <>, "'Tom Zeller'" <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Subject Identifiers for provisioning to Active Directory
  • Date: Fri, 6 Aug 2010 16:29:54 +0100
  • Accept-language: en-US, en-GB

Thanks Chris that was indeed a typo, I hadn't realised that it wasn't working
correctly.

I'm not sure if that will be directly related to what we are trying to
accomplish. It is within the LDAP search in our ldappc.xml file that we want
to use the sAMAccountName value rather than the login name. At the moment it
uses

as the search argument; we need it to use just ntest.

<source-subject-identifiers>
  <source-subject-identifier source="jdbc" subject-attribute="id">
    <ldap-search
      base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
      scope="onelevel_scope"
      filter="(sAMAccountName={0})" />
  </source-subject-identifier>
</source-subject-identifiers>

Thanks

Richard

>-----Original Message-----
>From: Chris Hyzer
>[mailto:]
>Sent: 06 August 2010 16:07
>To: Richard James; 'Tom Zeller'
>Cc:
>
>Subject: RE: [grouper-users] Subject Identifiers for provisioning to
>Active Directory
>
>Isn't this a typo?
>
> <init-param>
> <!-- col which identifies the row, perhaps not subjectId, add
>multiple by incrementing the 0 index -->
> <param-name>subjectIdentifierCol0</param-name>
> <param-value>loginname</param-value>
> </init-param>
> <init-param>
> <!-- col which identifies the row, perhaps not subjectId, add
>multiple by incrementing the 0 index -->
> <param-name>subjectIdentifierCol1</param-name>
> <param-value>loginname</param-value>
> </init-param>
>
>Maybe it should be something like (or whatever the sam account column
>is):
>
> <init-param>
> <!-- col which identifies the row, perhaps not subjectId, add
>multiple by incrementing the 0 index -->
> <param-name>subjectIdentifierCol0</param-name>
> <param-value>loginname</param-value>
> </init-param>
> <init-param>
> <!-- col which identifies the row, perhaps not subjectId, add
>multiple by incrementing the 0 index -->
> <param-name>subjectIdentifierCol1</param-name>
> <param-value>sAMAccountName</param-value>
> </init-param>
>
>Then add that attribute:
>
> <init-param>
> <param-name>subjectAttributeCol1</param-name>
> <param-value>sAMAccountName</param-value>
> </init-param>
> <init-param>
> <param-name>subjectAttributeName1</param-name>
> <param-value>sAMAccountName</param-value>
> </init-param>
>
>Sorry if this is off track, not exactly sure what you want. Are you
>asking for the subject search in grouper to find subject by two ways,
>netid, and
>?
> If so, then the above should help.
>
>Thanks,
>Chris
>
>
>-----Original Message-----
>From:
>
> [
>]
> On Behalf Of Richard James
>Sent: Friday, August 06, 2010 10:48 AM
>To: 'Tom Zeller'
>Cc:
>
>Subject: RE: [grouper-users] Subject Identifiers for provisioning to
>Active Directory
>
>I have attached our sources.xml file which we are using in our test
>environment and therefore is configured just for staff members
>currently.
>
>Richard
>
>>-----Original Message-----
>>From:
>>
>>
>>[mailto:]
>> On Behalf Of Tom
>>Zeller
>>Sent: 06 August 2010 15:24
>>To: Richard James
>>Cc:
>>
>>Subject: Re: [grouper-users] Subject Identifiers for provisioning to
>>Active Directory
>>
>>What Source/Subject adapter are you using ? Is it custom ? If not
>>custom, posting your (sanitized) sources.xml will help.
>>
>>TomZ
>>
>>On Fri, Aug 6, 2010 at 8:59 AM, Richard James
>><>
>> wrote:
>>> Hi All,
>>>
>>> With some very much appreciated help from the community, we are able
>>to successfully provision from grouper into our active directory, yet
>>we do have an area which we would appreciate some advice on.
>>>
>>> Our current Grouper setup uses
>>>
>>> as the subject
>>identifier; this is to ensure that our Grouper install is future-proof
>>if we begin to allow multi-institutional federated access.
>>>
>>> The issue we encounter is that within the active directory, there are
>>no attributes attached to a user object which use the
>>
>>scope. The attribute we would ideally like to be able to search is the
>>sAMAccountName, which uses just the login id, without the @ncl.ac.uk.
>>To currently be able to find subjects in the AD, we are setting the
>>subject 'name' attribute to be the login id so that we can use this in
>>the ldap-search:
>>>
>>> <source-subject-identifiers>
>>>    <source-subject-identifier source="jdbc" subject-attribute="name">
>>>      <ldap-search
>>>        base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
>>>        scope="onelevel_scope"
>>>        filter="(sAMAccountName={0})" />
>>>    </source-subject-identifier>
>>>  </source-subject-identifiers>
>>>
>>> What we are wondering is if there is any way to attach a custom
>>attribute to the subject which we can define as sAMAccountName, and be
>>able to use this in the LDAP search? Or alternatively be able to trim
>>the @ncl.ac.uk from the ID for searching, similar to the process used
>>for replacing colons for the sAMAccountName in the creation of a new
>>group?
>>>
>>> Any hints or possible approaches would be very much appreciated.
>>>
>>> Regards
>>>
>>> Richard James
>>> ISS Middleware Team
>>>
>>>
>>>
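
The thread's two options (a custom sAMAccountName subject attribute, or trimming the "@ncl.ac.uk" scope from the ID before it is substituted for {0} in filter="(sAMAccountName={0})") both end with the login part of a scoped identifier going into an LDAP filter. The following Python is an added, stand-alone illustration of what that mapping should check; it is not Grouper or ldappc code and not anything posted in the thread. It assumes local identifiers have the form login@ncl.ac.uk (LOCAL_SCOPE), that only that scope may be trimmed (so a federated "ntest@other.ac.uk" never resolves to the local AD account "ntest", which is exactly the multi-institution case Richard wants to stay future-proof for), that the login part is rejected when it could never be a sAMAccountName (AD's documented limits: at most 20 characters, none of " / \ [ ] : ; | = , + * ? < >), and that the value is RFC 4515-escaped before it is placed in the filter so that an ID containing "*" or "(" cannot widen or reshape the search. The sample identifiers are constructed for the example.

```python
# Added example (not Grouper/ldappc code): derive the sAMAccountName to substitute
# for {0} in filter="(sAMAccountName={0})" from a scoped subject ID of the form
# login@scope, refusing anything that is not unambiguously a local account.

LOCAL_SCOPE = "ncl.ac.uk"   # assumption: the scope appended to local login IDs

# Characters AD documents as not permitted in sAMAccountName (plus NUL), and the 20-char limit.
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>\x00')
_SAM_MAX_LEN = 20


def sam_account_name_from_scoped_id(subject_id, local_scope=LOCAL_SCOPE):
    """Return the login part of login@scope when scope is the local one, else None."""
    local, sep, scope = subject_id.rpartition("@")
    if not sep or not local:
        return None            # unscoped ID: we cannot tell whose realm it belongs to
    if scope.lower() != local_scope.lower():
        return None            # another institution's 'ntest' is not our 'ntest'
    if len(local) > _SAM_MAX_LEN or any(c in _SAM_FORBIDDEN for c in local):
        return None            # could never be a local sAMAccountName; do not query
    return local


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value placed inside an LDAP search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
        for ch in value
    )


def search_filter_for(subject_id, local_scope=LOCAL_SCOPE):
    """The filter a search like ldappc's "(sAMAccountName={0})" should send, or None."""
    sam = sam_account_name_from_scoped_id(subject_id, local_scope)
    if sam is None:
        return None
    return "(sAMAccountName=%s)" % escape_filter_value(sam)


# Constructed sample subject IDs (not taken from the thread).
SAMPLE_SUBJECT_IDS = [
    "ntest@ncl.ac.uk",                  # local user -> (sAMAccountName=ntest)
    "ntest@other.ac.uk",                # federated user with the same login -> None
    "ntest",                            # unscoped -> None
    "n(test)@ncl.ac.uk",                # parentheses are legal in AD, so they get escaped
    "ntest)(objectClass=*@ncl.ac.uk",   # filter metacharacters in the login part -> None
]


def resolve_all(subject_ids=SAMPLE_SUBJECT_IDS):
    """Map each subject ID to the filter that would be sent (None = no search performed)."""
    return {sid: search_filter_for(sid) for sid in subject_ids}


if __name__ == "__main__":
    for sid, flt in resolve_all().items():
        print("%-35s -> %s" % (sid, flt))
```

The point of returning None instead of a best-effort trim is that a lookup which fails loudly is safer than one that quietly provisions the wrong person: a naive "strip everything after @" would send (sAMAccountName=ntest) for both the local and the foreign user. The escaping is a second, independent layer; it matters even after validation because AD accepts characters such as "(" and ")" in sAMAccountName that are significant inside a filter.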



Archive powered by MHonArc 2.6.16.