grouper-users - RE: [grouper-users] Subject Identifiers for provisioning to Active Directory

Subject: Grouper Users - Open Discussion List

  • From: Richard James
  • To: Tom Zeller
  • Cc: Chris Hyzer
  • Subject: RE: [grouper-users] Subject Identifiers for provisioning to Active Directory
  • Date: Fri, 6 Aug 2010 16:50:56 +0100
  • Accept-language: en-US, en-GB

I amended the sources.xml file as Chris advised and amended the
subject-attribute on the ldap search to sAMAccountName, but when attempting
to provision we get the following error in our log.

2010-08-06 16:49:01,084: [main] ERROR Ldappc.run(283) - Grouper Provision Failed
edu.internet2.middleware.ldappc.exception.LdappcException: Subject null ] has no value for attribute [ sAMAccountName ]
at edu.internet2.middleware.ldappc.util.SubjectCache.findSubjectDn(SubjectCache.java:222)
at edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer.storeGroupData(GroupEntrySynchronizer.java:778)
at edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer.updateGroupEntry(GroupEntrySynchronizer.java:510)
at edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer.performInclude(GroupEntrySynchronizer.java:459)
at edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer.synchronize(GroupEntrySynchronizer.java:357)
at edu.internet2.middleware.ldappc.Ldappc.provisionGroups(Ldappc.java:568)
at edu.internet2.middleware.ldappc.Ldappc.provision(Ldappc.java:376)
at edu.internet2.middleware.ldappc.Ldappc.run(Ldappc.java:253)
at edu.internet2.middleware.ldappc.Ldappc.main(Ldappc.java:208)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at edu.internet2.middleware.grouper.app.gsh.GrouperShell.handleSpecialCase(GrouperShell.java:188)
at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:128)
at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:16)

We are just trying to provision one member at the moment, and they have a
value assigned to both the sAMAccountName and loginname fields within the
database.

Thanks

Richard


>-----Original Message-----
>From: On Behalf Of Tom Zeller
>Sent: 06 August 2010 16:42
>To: Richard James
>Cc: Chris Hyzer
>Subject: Re: [grouper-users] Subject Identifiers for provisioning to
>Active Directory
>
>If I follow correctly, in ldappc.xml
>
><source-subject-identifier source="jdbc" subject-attribute="id">
>
>should be
>
><source-subject-identifier source="jdbc" subject-attribute="sAMAccountName">
>
>since the sAMAccountName subject-attribute is now defined in sources.xml
>
> <init-param>
> <param-name>subjectAttributeCol1</param-name>
> <param-value>sAMAccountName</param-value>
> </init-param>
> <init-param>
> <param-name>subjectAttributeName1</param-name>
> <param-value>sAMAccountName</param-value>
> </init-param>
>
>On Fri, Aug 6, 2010 at 10:29 AM, Richard James wrote:
>> Thanks Chris that was indeed a typo, I hadn't realised that it wasn't
>> working correctly.
>>
>> I'm not sure if that will be directly related to what we are trying to
>> accomplish. It is within the LDAP search in our ldappc.xml file that we
>> want to use the sAMAccountName value rather than the login name. At the
>> moment it uses
>>
>> as the search argument, we need it to use just ntest.
>>
>> <source-subject-identifiers>
>> <source-subject-identifier source="jdbc" subject-attribute="id">
>> <ldap-search
>> base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
>> scope="onelevel_scope"
>> filter="(sAMAccountName={0})" />
>>
>> Thanks
>>
>> Richard
>>
>>>-----Original Message-----
>>>From: Chris Hyzer
>>>Sent: 06 August 2010 16:07
>>>To: Richard James; 'Tom Zeller'
>>>Subject: RE: [grouper-users] Subject Identifiers for provisioning to
>>>Active Directory
>>>
>>>Isn't this a typo?
>>>
>>>     <init-param>
>>>       <!-- col which identifies the row, perhaps not subjectId, add
>>>multiple by incrementing the 0 index -->
>>>       <param-name>subjectIdentifierCol0</param-name>
>>>       <param-value>loginname</param-value>
>>>     </init-param>
>>>     <init-param>
>>>       <!-- col which identifies the row, perhaps not subjectId, add
>>>multiple by incrementing the 0 index -->
>>>       <param-name>subjectIdentifierCol1</param-name>
>>>       <param-value>loginname</param-value>
>>>     </init-param>
>>>
>>>Maybe it should be something like (or whatever the sam account column
>>>is):
>>>
>>>     <init-param>
>>>       <!-- col which identifies the row, perhaps not subjectId, add
>>>multiple by incrementing the 0 index -->
>>>       <param-name>subjectIdentifierCol0</param-name>
>>>       <param-value>loginname</param-value>
>>>     </init-param>
>>>     <init-param>
>>>       <!-- col which identifies the row, perhaps not subjectId, add
>>>multiple by incrementing the 0 index -->
>>>       <param-name>subjectIdentifierCol1</param-name>
>>>       <param-value>sAMAccountName</param-value>
>>>     </init-param>
>>>
>>>Then add that attribute:
>>>
>>>     <init-param>
>>>       <param-name>subjectAttributeCol1</param-name>
>>>       <param-value>sAMAccountName</param-value>
>>>     </init-param>
>>>     <init-param>
>>>       <param-name>subjectAttributeName1</param-name>
>>>       <param-value>sAMAccountName</param-value>
>>>     </init-param>
>>>
>>>Sorry if this is off track, not exactly sure what you want.  Are you
>>>asking for the subject search in grouper to find subject by two ways,
>>>netid, and
>>>?
>>>  If so, then the above should help.
>>>
>>>Thanks,
>>>Chris
>>>
>>>
>>>-----Original Message-----
>>>From: On Behalf Of Richard James
>>>Sent: Friday, August 06, 2010 10:48 AM
>>>To: 'Tom Zeller'
>>>Subject: RE: [grouper-users] Subject Identifiers for provisioning to
>>>Active Directory
>>>
>>>I have attached our sources.xml file which we are using in our test
>>>environment and therefore is configured just for staff members
>>>currently.
>>>
>>>Richard
>>>
>>>>-----Original Message-----
>>>>From: On Behalf Of Tom Zeller
>>>>Sent: 06 August 2010 15:24
>>>>To: Richard James
>>>>Subject: Re: [grouper-users] Subject Identifiers for provisioning to
>>>>Active Directory
>>>>
>>>>What Source/Subject adapter are you using ? Is it custom ? If not
>>>>custom, posting your (sanitized) sources.xml will help.
>>>>
>>>>TomZ
>>>>
>>>>On Fri, Aug 6, 2010 at 8:59 AM, Richard James wrote:
>>>>> Hi All,
>>>>>
>>>>> With some very much appreciated help from the community, we are able
>>>>> to successfully provision from grouper into our active directory, yet
>>>>> we do have an area which we would appreciate some advice on.
>>>>>
>>>>> Our current Grouper setup uses
>>>>>
>>>>> as the subject identifier, this is to ensure that our Grouper install
>>>>> is future proof if we begin to allow multi institutional federated
>>>>> access.
>>>>>
>>>>> The issue we encounter is that within the active directory, there are
>>>>> no attributes attached to a user object which use the
>>>>>
>>>>> scope. The attribute we would ideally like to be able to search is the
>>>>> sAMAccountName, which uses just the login id, without the @ncl.ac.uk.
>>>>> To currently be able to find subjects in the AD, we are setting the
>>>>> subject 'name' attribute to be the login id so that we can use this in
>>>>> the ldap-search,
>>>>>
>>>>> <source-subject-identifiers>
>>>>>    <source-subject-identifier source="jdbc" subject-attribute="name">
>>>>>      <ldap-search
>>>>>        base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
>>>>>        scope="onelevel_scope"
>>>>>        filter="(sAMAccountName={0})" />
>>>>>    </source-subject-identifier>
>>>>>  </source-subject-identifiers>
>>>>>
>>>>> What we are wondering is if there is any way to attach a custom
>>>>> attribute to the subject which we can define as sAMAccountName, and be
>>>>> able to use this in the LDAP search? Or alternatively be able to trim
>>>>> the @ncl.ac.uk from the ID for searching, similar to the process used
>>>>> for replacing colons for the sAMAccountName in the creation of a new
>>>>> group?
>>>>>
>>>>> Any hints or possible approaches would be very much appreciated.
>>>>>
>>>>> Regards
>>>>>
>>>>> Richard James
>>>>> ISS Middleware Team
>>>>>
>>>>>
>>>>>
>>
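
Added example, not part of the original thread and not ldappc's own code: a Python illustration of what filling the {0} placeholder in the ldap-search filter discussed above has to get right. It resolves the configured subject-attribute, fails clearly when the subject has no value for it (the condition in the log above), trims the scope from a scoped id, and escapes the value per RFC 4515 before it goes into the filter. The function names, the subject dictionary layout and the sample subject are assumptions.

```python
# Added illustration; names and data layout are assumptions, not ldappc internals.

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00",
}


def escape_filter_value(value):
    """Escape a string so the directory treats it as a literal in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def strip_scope(identifier, scope="ncl.ac.uk"):
    """Turn a scoped identifier (login@scope) into the bare login id."""
    local, sep, domain = identifier.rpartition("@")
    if not sep:
        return identifier  # already unscoped
    if not local or domain.lower() != scope:
        raise ValueError(f"unexpected scope in identifier: {identifier!r}")
    return local


def build_search_filter(subject, subject_attribute,
                        template="(sAMAccountName={0})"):
    """Fill the {0} placeholder of a filter template from a subject attribute."""
    value = subject.get("attributes", {}).get(subject_attribute)
    if not value:
        # The attribute is named in the provisioning config, but the subject
        # returned by the source does not carry a value for it.
        raise LookupError(
            f"Subject [ {subject.get('id')} ] has no value for "
            f"attribute [ {subject_attribute} ]"
        )
    return template.replace("{0}", escape_filter_value(value))


# Constructed sample subject (not taken from the thread's database).
SAMPLE_SUBJECT = {
    "id": "ntest@ncl.ac.uk",
    "attributes": {"loginname": "ntest@ncl.ac.uk", "sAMAccountName": "ntest"},
}

if __name__ == "__main__":
    print(build_search_filter(SAMPLE_SUBJECT, "sAMAccountName"))
    print(strip_scope(SAMPLE_SUBJECT["id"]))
```
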


