
grouper-users - Re: [grouper-users] Subject Identifiers for provisioning to Active Directory

Subject: Grouper Users - Open Discussion List

  • From: Tom Zeller <>
  • To: Richard James <>
  • Cc: Chris Hyzer <>, "" <>
  • Subject: Re: [grouper-users] Subject Identifiers for provisioning to Active Directory
  • Date: Fri, 6 Aug 2010 10:41:42 -0500

If I follow correctly, in ldappc.xml

<source-subject-identifier source="jdbc" subject-attribute="id">

should be

<source-subject-identifier source="jdbc" subject-attribute="sAMAccountName">

since the sAMAccountName subject-attribute is now defined in sources.xml

<init-param>
<param-name>subjectAttributeCol1</param-name>
<param-value>sAMAccountName</param-value>
</init-param>
<init-param>
<param-name>subjectAttributeName1</param-name>
<param-value>sAMAccountName</param-value>
</init-param>

On Fri, Aug 6, 2010 at 10:29 AM, Richard James
<>
wrote:
> Thanks Chris that was indeed a typo, I hadn't realised that it wasn't
> working correctly.
>
> I'm not sure if that will be directly related to what we are trying to
> accomplish. It is within the LDAP search in our ldappc.xml file that we
> want to use the sAMAccountName value rather than the login name. At the
> moment it uses
>
> as the search argument, we need it to use just ntest.
>
> <source-subject-identifiers>
> <source-subject-identifier source="jdbc" subject-attribute="id">
> <ldap-search
> base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
> scope="onelevel_scope"
> filter="(sAMAccountName={0})" />
>
> Thanks
>
> Richard
>
>>-----Original Message-----
>>From: Chris Hyzer
>>[mailto:]
>>Sent: 06 August 2010 16:07
>>To: Richard James; 'Tom Zeller'
>>Cc:
>>
>>Subject: RE: [grouper-users] Subject Identifiers for provisioning to
>>Active Directory
>>
>>Isn't this a typo?
>>
>>     <init-param>
>>       <!-- col which identifies the row, perhaps not subjectId, add
>>multiple by incrementing the 0 index -->
>>       <param-name>subjectIdentifierCol0</param-name>
>>       <param-value>loginname</param-value>
>>     </init-param>
>>     <init-param>
>>       <!-- col which identifies the row, perhaps not subjectId, add
>>multiple by incrementing the 0 index -->
>>       <param-name>subjectIdentifierCol1</param-name>
>>       <param-value>loginname</param-value>
>>     </init-param>
>>
>>Maybe it should be something like (or whatever the sam account column
>>is):
>>
>>     <init-param>
>>       <!-- col which identifies the row, perhaps not subjectId, add
>>multiple by incrementing the 0 index -->
>>       <param-name>subjectIdentifierCol0</param-name>
>>       <param-value>loginname</param-value>
>>     </init-param>
>>     <init-param>
>>       <!-- col which identifies the row, perhaps not subjectId, add
>>multiple by incrementing the 0 index -->
>>       <param-name>subjectIdentifierCol1</param-name>
>>       <param-value>sAMAccountName</param-value>
>>     </init-param>
>>
>>Then add that attribute:
>>
>>     <init-param>
>>       <param-name>subjectAttributeCol1</param-name>
>>       <param-value>sAMAccountName</param-value>
>>     </init-param>
>>     <init-param>
>>       <param-name>subjectAttributeName1</param-name>
>>       <param-value>sAMAccountName</param-value>
>>     </init-param>
>>
>>Sorry if this is off track, not exactly sure what you want.  Are you
>>asking for the subject search in grouper to find subject by two ways,
>>netid, and
>>?
>>  If so, then the above should help.
>>
>>Thanks,
>>Chris
>>
>>
>>-----Original Message-----
>>From:
>>
>> [
>>]
>> On Behalf Of Richard James
>>Sent: Friday, August 06, 2010 10:48 AM
>>To: 'Tom Zeller'
>>Cc:
>>
>>Subject: RE: [grouper-users] Subject Identifiers for provisioning to
>>Active Directory
>>
>>I have attached our sources.xml file which we are using in our test
>>environment and therefore is configured just for staff members
>>currently.
>>
>>Richard
>>
>>>-----Original Message-----
>>>From:
>>>
>>>
>>>[mailto:]
>>> On Behalf Of Tom
>>>Zeller
>>>Sent: 06 August 2010 15:24
>>>To: Richard James
>>>Cc:
>>>
>>>Subject: Re: [grouper-users] Subject Identifiers for provisioning to
>>>Active Directory
>>>
>>>What Source/Subject adapter are you using? Is it custom? If not
>>>custom, posting your (sanitized) sources.xml will help.
>>>
>>>TomZ
>>>
>>>On Fri, Aug 6, 2010 at 8:59 AM, Richard James
>>><>
>>> wrote:
>>>> Hi All,
>>>>
>>>> With some very much appreciated help from the community, we are able
>>>to successfully provision from grouper into our active directory, yet
>>>we do have an area which we would appreciate some advice on.
>>>>
>>>> Our current Grouper setup uses
>>>>
>>>> as the subject
>>>identifier, this is to ensure that our Grouper install is future proof
>>>if we begin to allow multi institutional federated access.
>>>>
>>>> The issue we encounter is that within the active directory, there are
>>>no attributes attached to a user object which use the
>>>
>>>scope. The attribute we would ideally like to be able to search is the
>>>sAMAccountName, which uses just the login id, without the @ncl.ac.uk.
>>>To currently be able to find subjects in the AD, we are setting the
>>>subject 'name' attribute to be the login id so that we can use this in
>>>the ldap-search,
>>>>
>>>> <source-subject-identifiers>
>>>>    <source-subject-identifier source="jdbc" subject-attribute="name">
>>>>      <ldap-search
>>>>        base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
>>>>        scope="onelevel_scope"
>>>>        filter="(sAMAccountName={0})" />
>>>>    </source-subject-identifier>
>>>>  </source-subject-identifiers>
>>>>
>>>> What we are wondering is if there is any way to attach a custom
>>>attribute to the subject which we can define as sAMAccountName, and be
>>>able to use this in the LDAP search? Or alternatively be able to trim
>>>the @ncl.ac.uk from the ID for searching, similar to the process used
>>>for replacing colons for the sAMAccountName in the creation of a new
>>>group?
>>>>
>>>> Any hints or possible approaches would be very much appreciated.
>>>>
>>>> Regards
>>>>
>>>> Richard James
>>>> ISS Middleware Team
>>>>
>>>>
>>>>
>
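
The mapping discussed in this thread, from a scoped subject id to the value substituted into the (sAMAccountName={0}) filter, as an added example that is not part of the original messages and is not Grouper or ldappc code. The function names are hypothetical and the sample ids are constructed. It removes the scope only when it is the local one, so a subject from another institution is never resolved to a local AD account, and it escapes the value per RFC 4515 before it reaches the filter.

```python
# Added illustration; not Grouper or ldappc code. All function names are hypothetical.
LDAP_FILTER_TEMPLATE = "(sAMAccountName={0})"  # filter from the thread's ldap-search
EXPECTED_SCOPE = "ncl.ac.uk"                   # scope named in the thread

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of the LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def sam_account_name(subject_id, scope=EXPECTED_SCOPE):
    """Return the login id, removing '@scope' only when it is the local scope."""
    if not subject_id:
        raise ValueError("empty subject id")
    local, sep, found_scope = subject_id.rpartition("@")
    if not sep:
        return subject_id  # already an unscoped login id
    if not local or found_scope.lower() != scope.lower():
        # A subject from another institution must never resolve to a local AD account.
        raise ValueError("subject id %r is not in scope %r" % (subject_id, scope))
    return local


def build_search_filter(subject_id):
    """Fill the {0} placeholder of the filter with the escaped login id."""
    return LDAP_FILTER_TEMPLATE.format(escape_filter_value(sam_account_name(subject_id)))


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("ntest@ncl.ac.uk", "ntest", "ntest@example.org", "n*test@ncl.ac.uk"):
        try:
            print(sample, "->", build_search_filter(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```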


