Grouper Users - Open Discussion List

[Tom Zeller <>]

If I follow correctly, in ldappc.xml

<source-subject-identifier source="jdbc" subject-attribute="id">

should be

<source-subject-identifier source="jdbc" subject-attribute="sAMAccountName">

since the sAMAccountName subject-attribute is now defined in sources.xml

    <init-param>
      <param-name>subjectAttributeCol1</param-name>
      <param-value>sAMAccountName</param-value>
    </init-param>
    <init-param>
      <param-name>subjectAttributeName1</param-name>
      <param-value>sAMAccountName</param-value>
    </init-param>

On Fri, Aug 6, 2010 at 10:29 AM, Richard James
<>
 wrote:
> Thanks Chris that was indeed a typo, I hadn't realised that it wasn't 
> working correctly.
>
> I'm not sure if that will be directly related to what we are trying to 
> accomplish. It is within the LDAP search in our ldappc.xml file that we 
> want to use the sAMAccountName value rather than the login name. At the 
> moment it uses 
> 
>  as the search argument, we need it to use just ntest.
>
> <source-subject-identifiers>
> <source-subject-identifier source="jdbc" subject-attribute="id">
> <ldap-search
> base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
> scope="onelevel_scope"
> filter="(sAMAccountName={0})" />
>
> Thanks
>
> Richard
>
>>-----Original Message-----
>>From: Chris Hyzer 
>>[mailto:]
>>Sent: 06 August 2010 16:07
>>To: Richard James; 'Tom Zeller'
>>Cc: 
>>
>>Subject: RE: [grouper-users] Subject Identifiers for provisioning to
>>Active Directory
>>
>>Isnt this a typo?
>>
>>     <init-param>
>>       <!-- col which identifies the row, perhaps not subjectId, add
>>multiple by incrementing the 0 index -->
>>       <param-name>subjectIdentifierCol0</param-name>
>>       <param-value>loginname</param-value>
>>     </init-param>
>>     <init-param>
>>       <!-- col which identifies the row, perhaps not subjectId, add
>>multiple by incrementing the 0 index -->
>>       <param-name>subjectIdentifierCol1</param-name>
>>       <param-value>loginname</param-value>
>>     </init-param>
>>
>>Maybe it should be something like (or whatever the sam account column
>>is):
>>
>>     <init-param>
>>       <!-- col which identifies the row, perhaps not subjectId, add
>>multiple by incrementing the 0 index -->
>>       <param-name>subjectIdentifierCol0</param-name>
>>       <param-value>loginname</param-value>
>>     </init-param>
>>     <init-param>
>>       <!-- col which identifies the row, perhaps not subjectId, add
>>multiple by incrementing the 0 index -->
>>       <param-name>subjectIdentifierCol1</param-name>
>>       <param-value>sAMAccountName</param-value>
>>     </init-param>
>>
>>Then add that attribute:
>>
>>     <init-param>
>>       <param-name>subjectAttributeCol1</param-name>
>>       <param-value>sAMAccountName</param-value>
>>     </init-param>
>>     <init-param>
>>       <param-name>subjectAttributeName1</param-name>
>>       <param-value>sAMAccountName</param-value>
>>     </init-param>
>>
>>Sorry if this is off track, not exactly sure what you want.  Are you
>>asking for the subject search in grouper to find subject by two ways,
>>netid, and 
>>?
>>  If so, then the above should help.
>>
>>Thanks,
>>Chris
>>
>>
>>-----Original Message-----
>>From: 
>>
>> [
>>]
>> On Behalf Of Richard James
>>Sent: Friday, August 06, 2010 10:48 AM
>>To: 'Tom Zeller'
>>Cc: 
>>
>>Subject: RE: [grouper-users] Subject Identifiers for provisioning to
>>Active Directory
>>
>>I have attached our sources.xml file which we are using in our test
>>environment and therefore is configured just for staff members
>>currently.
>>
>>Richard
>>
>>>-----Original Message-----
>>>From: 
>>>
>>> 
>>>[mailto:]
>>> On Behalf Of Tom
>>>Zeller
>>>Sent: 06 August 2010 15:24
>>>To: Richard James
>>>Cc: 
>>>
>>>Subject: Re: [grouper-users] Subject Identifiers for provisioning to
>>>Active Directory
>>>
>>>What Source/Subject adapter are you using ? Is it custom ? If not
>>>custom, posting your (sanitized) sources.xml will help.
>>>
>>>TomZ
>>>
>>>On Fri, Aug 6, 2010 at 8:59 AM, Richard James
>>><>
>>> wrote:
>>>> Hi All,
>>>>
>>>> With some very much appreciated help from the community, we are able
>>>to successfully provision from grouper into our active directory, yet
>>>we do have an area which we would appreciate some advice on.
>>>>
>>>> Our current Grouper setup uses 
>>>> 
>>>>  as the subject
>>>identifier, this is to ensure that our Grouper install is future proof
>>>if we begin to allow multi institutional federated access.
>>>>
>>>> The issue we encounter is that within the active directory, there are
>>>no attributes attached to a user object which use the 
>>>
>>>scope. The attribute we would ideally like to be able to search is the
>>>sAMAccountName, which uses just the login id, without the @ncl.ac.uk.
>>>To currently be able to find subjects in the AD, we are setting the
>>>subject 'name' attribute to be the login id so that we can use this is
>>>the ldap- search,
>>>>
>>>> <source-subject-identifiers>
>>>>    <source-subject-identifier source="jdbc" subject-attribute="name">
>>>>      <ldap-search
>>>>        base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
>>>>        scope="onelevel_scope"
>>>>        filter="(sAMAccountName={0})" />
>>>>    </source-subject-identifier>
>>>>  </source-subject-identifiers>
>>>>
>>>> What we are wondering is if there is any way to attach a custom
>>>attribute to the subject which we can define as sAMAccountName, and be
>>>able to use this in the LDAP search? Or alternatively be able to trim
>>>the @ncl.ac.uk from the ID for searching, similar to the process used
>>>for replacing colons for the sAMAccountName in the creation of a new
>>>group?
>>>>
>>>> Any hints or possible approaches would be very much appreciated.
>>>>
>>>> Regards
>>>>
>>>> Richard James
>>>> ISS Middleware Team
>>>>
>>>>
>>>>
>