
grouper-users - RE: [grouper-users] Subject Identifiers for provisioning to Active Directory

Subject: Grouper Users - Open Discussion List


  • From: Chris Hyzer <>
  • To: Richard James <>, 'Tom Zeller' <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Subject Identifiers for provisioning to Active Directory
  • Date: Fri, 6 Aug 2010 12:02:52 -0400
  • Accept-language: en-US

Can you get the subject attribute from gsh? If you are using oracle or maybe
other dbs, sometimes the attribute name col (or attribute name?) needs to be
in all caps. We have a jira about this to fix at some point... try changing
caps and see if it works in gsh, then ldappc:

gsh 1% subject = findSubject("10021368");
subject: id='10021368' type='person' source='pennperson' name='Michael Christopher Hyzer'
gsh 3% subject.getAttributeValue("EMAIL");
mchyzer AT isc DOT upenn DOT edu (note, this is sanitized, not really what prints out :) )

Chris



-----Original Message-----
From: Richard James [mailto:]
Sent: Friday, August 06, 2010 11:51 AM
To: 'Tom Zeller'
Cc: Chris Hyzer;
Subject: RE: [grouper-users] Subject Identifiers for provisioning to Active Directory

I amended the sources.xml file as Chris advised and amended the
subject-attribute on the ldap search to sAMAccountName, but when attempting
to provision we get the following error in our log.

2010-08-06 16:49:01,084: [main] ERROR Ldappc.run(283) - Grouper Provision Failed
edu.internet2.middleware.ldappc.exception.LdappcException: Subject null ] has no value for attribute [ sAMAccountName ]
        at edu.internet2.middleware.ldappc.util.SubjectCache.findSubjectDn(SubjectCache.java:222)
        at edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer.storeGroupData(GroupEntrySynchronizer.java:778)
        at edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer.updateGroupEntry(GroupEntrySynchronizer.java:510)
        at edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer.performInclude(GroupEntrySynchronizer.java:459)
        at edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer.synchronize(GroupEntrySynchronizer.java:357)
        at edu.internet2.middleware.ldappc.Ldappc.provisionGroups(Ldappc.java:568)
        at edu.internet2.middleware.ldappc.Ldappc.provision(Ldappc.java:376)
        at edu.internet2.middleware.ldappc.Ldappc.run(Ldappc.java:253)
        at edu.internet2.middleware.ldappc.Ldappc.main(Ldappc.java:208)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at edu.internet2.middleware.grouper.app.gsh.GrouperShell.handleSpecialCase(GrouperShell.java:188)
        at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:128)
        at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:16)

We are just trying to provision one member at the moment, and they have a
value assigned to both the sAMAccountName and loginname fields within the
database.

Thanks

Richard


>-----Original Message-----
>From:
>
>
>[mailto:]
> On Behalf Of Tom
>Zeller
>Sent: 06 August 2010 16:42
>To: Richard James
>Cc: Chris Hyzer;
>
>Subject: Re: [grouper-users] Subject Identifiers for provisioning to Active Directory
>
>If I follow correctly, in ldappc.xml
>
><source-subject-identifier source="jdbc" subject-attribute="id">
>
>should be
>
><source-subject-identifier source="jdbc" subject-attribute="sAMAccountName">
>
>since the sAMAccountName subject-attribute is now defined in sources.xml
>
> <init-param>
> <param-name>subjectAttributeCol1</param-name>
> <param-value>sAMAccountName</param-value>
> </init-param>
> <init-param>
> <param-name>subjectAttributeName1</param-name>
> <param-value>sAMAccountName</param-value>
> </init-param>
>
>On Fri, Aug 6, 2010 at 10:29 AM, Richard James
><>
> wrote:
>> Thanks Chris that was indeed a typo, I hadn't realised that it wasn't
>> working correctly.
>>
>> I'm not sure if that will be directly related to what we are trying to
>> accomplish. It is within the LDAP search in our ldappc.xml file that we
>> want to use the sAMAccountName value rather than the login name. At the
>> moment it uses
>>
>> as the search argument, we need it to use just ntest.
>>
>> <source-subject-identifiers>
>> <source-subject-identifier source="jdbc" subject-attribute="id">
>> <ldap-search
>> base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
>> scope="onelevel_scope"
>> filter="(sAMAccountName={0})" />
>>
>> Thanks
>>
>> Richard
>>
>>>-----Original Message-----
>>>From: Chris Hyzer
>>>[mailto:]
>>>Sent: 06 August 2010 16:07
>>>To: Richard James; 'Tom Zeller'
>>>Cc:
>>>
>>>Subject: RE: [grouper-users] Subject Identifiers for provisioning to Active Directory
>>>
>>>Isn't this a typo?
>>>
>>>     <init-param>
>>>       <!-- col which identifies the row, perhaps not subjectId, add
>>>multiple by incrementing the 0 index -->
>>>       <param-name>subjectIdentifierCol0</param-name>
>>>       <param-value>loginname</param-value>
>>>     </init-param>
>>>     <init-param>
>>>       <!-- col which identifies the row, perhaps not subjectId, add
>>>multiple by incrementing the 0 index -->
>>>       <param-name>subjectIdentifierCol1</param-name>
>>>       <param-value>loginname</param-value>
>>>     </init-param>
>>>
>>>Maybe it should be something like (or whatever the sam account column
>>>is):
>>>
>>>     <init-param>
>>>       <!-- col which identifies the row, perhaps not subjectId, add
>>>multiple by incrementing the 0 index -->
>>>       <param-name>subjectIdentifierCol0</param-name>
>>>       <param-value>loginname</param-value>
>>>     </init-param>
>>>     <init-param>
>>>       <!-- col which identifies the row, perhaps not subjectId, add
>>>multiple by incrementing the 0 index -->
>>>       <param-name>subjectIdentifierCol1</param-name>
>>>       <param-value>sAMAccountName</param-value>
>>>     </init-param>
>>>
>>>Then add that attribute:
>>>
>>>     <init-param>
>>>       <param-name>subjectAttributeCol1</param-name>
>>>       <param-value>sAMAccountName</param-value>
>>>     </init-param>
>>>     <init-param>
>>>       <param-name>subjectAttributeName1</param-name>
>>>       <param-value>sAMAccountName</param-value>
>>>     </init-param>
>>>
>>>Sorry if this is off track, not exactly sure what you want.  Are you
>>>asking for the subject search in grouper to find subject by two ways,
>>>netid, and
>>>?
>>>  If so, then the above should help.
>>>
>>>Thanks,
>>>Chris
>>>
>>>
>>>-----Original Message-----
>>>From:
>>>
>>> [
>>>]
>>> On Behalf Of Richard James
>>>Sent: Friday, August 06, 2010 10:48 AM
>>>To: 'Tom Zeller'
>>>Cc:
>>>
>>>Subject: RE: [grouper-users] Subject Identifiers for provisioning to Active Directory
>>>
>>>I have attached our sources.xml file which we are using in our test
>>>environment and therefore is configured just for staff members
>>>currently.
>>>
>>>Richard
>>>
>>>>-----Original Message-----
>>>>From:
>>>>
>>>>
>>>>[mailto:]
>>>> On Behalf Of Tom
>>>>Zeller
>>>>Sent: 06 August 2010 15:24
>>>>To: Richard James
>>>>Cc:
>>>>
>>>>Subject: Re: [grouper-users] Subject Identifiers for provisioning to Active Directory
>>>>
>>>>What Source/Subject adapter are you using ? Is it custom ? If not
>>>>custom, posting your (sanitized) sources.xml will help.
>>>>
>>>>TomZ
>>>>
>>>>On Fri, Aug 6, 2010 at 8:59 AM, Richard James
>>>><>
>>>> wrote:
>>>>> Hi All,
>>>>>
>>>>> With some very much appreciated help from the community, we are able
>>>>> to successfully provision from grouper into our active directory, yet
>>>>> we do have an area which we would appreciate some advice on.
>>>>>
>>>>> Our current Grouper setup uses
>>>>>
>>>>> as the subject identifier, this is to ensure that our Grouper install
>>>>> is future proof if we begin to allow multi institutional federated
>>>>> access.
>>>>>
>>>>> The issue we encounter is that within the active directory, there are
>>>>> no attributes attached to a user object which use the
>>>>>
>>>>> scope. The attribute we would ideally like to be able to search is the
>>>>> sAMAccountName, which uses just the login id, without the @ncl.ac.uk.
>>>>> To currently be able to find subjects in the AD, we are setting the
>>>>> subject 'name' attribute to be the login id so that we can use this in
>>>>> the ldap-search,
>>>>>
>>>>> <source-subject-identifiers>
>>>>>    <source-subject-identifier source="jdbc" subject-attribute="name">
>>>>>      <ldap-search
>>>>>        base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
>>>>>        scope="onelevel_scope"
>>>>>        filter="(sAMAccountName={0})" />
>>>>>    </source-subject-identifier>
>>>>>  </source-subject-identifiers>
>>>>>
>>>>> What we are wondering is if there is any way to attach a custom
>>>>> attribute to the subject which we can define as sAMAccountName, and be
>>>>> able to use this in the LDAP search? Or alternatively be able to trim
>>>>> the @ncl.ac.uk from the ID for searching, similar to the process used
>>>>> for replacing colons for the sAMAccountName in the creation of a new
>>>>> group?
>>>>>
>>>>> Any hints or possible approaches would be very much appreciated.
>>>>>
>>>>> Regards
>>>>>
>>>>> Richard James
>>>>> ISS Middleware Team
>>>>>
>>>>>
>>>>>
>>
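An added example, in Python rather than Grouper's Java and not code from this thread, from Grouper or from ldappc: it models the subject-to-AD lookup step the thread is configuring, covering Chris's point about upper-cased column names from some JDBC sources, Richard's original question about trimming the @ncl.ac.uk scope from the identifier, and the "has no value for attribute" failure. The subject rows, the HOME_SCOPE constant and every function name are assumptions made for illustration. Whether ldappc escapes the value it substitutes for {0} in the ldap-search filter is not stated in the thread, so the model escapes it explicitly (RFC 4515) before building the filter.

```python
# Added example (not code from the thread, Grouper or ldappc): a model of the
# subject -> AD search step. SUBJECTS, HOME_SCOPE and the function names are
# assumptions made for illustration.

# Constructed subject rows, as a JDBC subject source might return them.
# Row 1 uses the column names from the thread; row 2 uses the upper-cased
# names some databases return; row 3 has no sAMAccountName column at all;
# row 4 is a federated subject from a foreign scope.
SUBJECTS = {
    "ntest@ncl.ac.uk":   {"loginname": "ntest@ncl.ac.uk", "sAMAccountName": "ntest"},
    "jbloggs@ncl.ac.uk": {"LOGINNAME": "jbloggs@ncl.ac.uk", "SAMACCOUNTNAME": "jbloggs"},
    "noattr@ncl.ac.uk":  {"loginname": "noattr@ncl.ac.uk"},
    "ntest@other.ac.uk": {"loginname": "ntest@other.ac.uk"},
}

HOME_SCOPE = "@ncl.ac.uk"  # assumed: the only scope that may be trimmed

# RFC 4515 escapes for the characters that change the meaning of a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def get_attribute(attrs, name):
    """Case-insensitive lookup, so SAMACCOUNTNAME and sAMAccountName both resolve."""
    wanted = name.lower()
    for key, value in attrs.items():
        if key.lower() == wanted:
            return value
    return None


def account_name(subject_id, attrs):
    """Value to search AD with: the subject's sAMAccountName attribute if present,
    otherwise the subject id with the home scope trimmed. Returns None when
    neither applies, which is the state behind the 'no value for attribute' error."""
    value = get_attribute(attrs, "sAMAccountName")
    if value:
        return value
    # Only the home scope is trimmed: stripping a foreign scope would let
    # ntest@other.ac.uk resolve to the local account 'ntest'.
    if subject_id.lower().endswith(HOME_SCOPE):
        return subject_id[: -len(HOME_SCOPE)]
    return None


def escape_filter_value(value):
    """Escape a value before it is substituted into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, value):
    """Substitute {0} in an ldappc-style filter template with the escaped value."""
    return template.replace("{0}", escape_filter_value(value))


def resolve_filters(subjects, template="(sAMAccountName={0})"):
    """Map each subject id to the AD filter it would be looked up with, or None
    when the subject has nothing usable and should be reported, not searched."""
    result = {}
    for subject_id, attrs in subjects.items():
        name = account_name(subject_id, attrs)
        result[subject_id] = build_filter(template, name) if name else None
    return result


if __name__ == "__main__":
    for subject_id, ldap_filter in resolve_filters(SUBJECTS).items():
        print(f"{subject_id:22} -> {ldap_filter}")
```

Trimming only the home scope is what keeps the setup future proof in the way Richard describes: once federated identifiers arrive, stripping the scope from every id would map ntest@other.ac.uk onto the local ntest account. A subject that resolves to None should be logged and skipped rather than searched with an empty value, which is the outcome the ldappc exception in the thread is reporting.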


