grouper-users - RE: [grouper-users] Subject Identifiers for provisioning to Active Directory

Subject: Grouper Users - Open Discussion List

  • From: Richard James <>
  • To: "'Chris Hyzer'" <>, "'Tom Zeller'" <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Subject Identifiers for provisioning to Active Directory
  • Date: Mon, 9 Aug 2010 13:13:26 +0100
  • Accept-language: en-US, en-GB

Thanks for both of your help on this, with a bit of tinkering in our sources
file I have managed to declare and assign the attribute as required. And we
can now use this attribute as the search parameter in our LDAP search.

I will create a wiki entry on our pages on the Grouper Wiki soon which
documents our setup for provisioning to an Active Directory, hopefully it
will be a useful reference point for any new users.

Thanks

Richard

>-----Original Message-----
>From:
>
> [
>]
> On Behalf Of Chris Hyzer
>Sent: 06 August 2010 17:03
>To: Richard James; 'Tom Zeller'
>Cc:
>
>Subject: RE: [grouper-users] Subject Identifiers for provisioning to
>Active Directory
>
>Can you get the subject attribute from gsh? If you are using oracle or
>maybe other dbs, sometimes the attribute name col (or attribute name?)
>needs to be in all caps. We have a jira about this to fix at some
>point... try changing caps and see if it works in gsh, then ldappc:
>
>gsh 1% subject = findSubject("10021368");
>subject: id='10021368' type='person' source='pennperson' name='Michael
>Christopher Hyzer'
>gsh 3% subject.getAttributeValue("EMAIL");
>mchyzer AT isc DOT upenn DOT edu (note, this is sanitized, not really
>what prints out :) )
>
>Chris
>
>
>
>-----Original Message-----
>From: Richard James
>[mailto:]
>Sent: Friday, August 06, 2010 11:51 AM
>To: 'Tom Zeller'
>Cc: Chris Hyzer;
>
>Subject: RE: [grouper-users] Subject Identifiers for provisioning to
>Active Directory
>
>I amended the sources.xml file as Chris advised and amended the subject-
>attribute on the ldap search to sAMAccountName, but when attempting to
>provision we get the following error in our log.
>
>2010-08-06 16:49:01,084: [main] ERROR Ldappc.run(283) - Grouper Provision Failed
>edu.internet2.middleware.ldappc.exception.LdappcException: Subject null ] has no value for attribute [ sAMAccountName ]
>    at edu.internet2.middleware.ldappc.util.SubjectCache.findSubjectDn(SubjectCache.java:222)
>    at edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer.storeGroupData(GroupEntrySynchronizer.java:778)
>    at edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer.updateGroupEntry(GroupEntrySynchronizer.java:510)
>    at edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer.performInclude(GroupEntrySynchronizer.java:459)
>    at edu.internet2.middleware.ldappc.synchronize.GroupEntrySynchronizer.synchronize(GroupEntrySynchronizer.java:357)
>    at edu.internet2.middleware.ldappc.Ldappc.provisionGroups(Ldappc.java:568)
>    at edu.internet2.middleware.ldappc.Ldappc.provision(Ldappc.java:376)
>    at edu.internet2.middleware.ldappc.Ldappc.run(Ldappc.java:253)
>    at edu.internet2.middleware.ldappc.Ldappc.main(Ldappc.java:208)
>    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>    at java.lang.reflect.Method.invoke(Method.java:597)
>    at edu.internet2.middleware.grouper.app.gsh.GrouperShell.handleSpecialCase(GrouperShell.java:188)
>    at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:128)
>    at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:16)
>
>We are just trying to provision one member at the moment, and they have
>a value assigned to both the sAMAccountName and loginname fields within
>the database.
>
>Thanks
>
>Richard
>
>
>>-----Original Message-----
>>From:
>>
>>
>>[mailto:]
>> On Behalf Of Tom
>>Zeller
>>Sent: 06 August 2010 16:42
>>To: Richard James
>>Cc: Chris Hyzer;
>>
>>Subject: Re: [grouper-users] Subject Identifiers for provisioning to
>>Active Directory
>>
>>If I follow correctly, in ldappc.xml
>>
>><source-subject-identifier source="jdbc" subject-attribute="id">
>>
>>should be
>>
>><source-subject-identifier source="jdbc" subject-attribute="sAMAccountName">
>>
>>since the sAMAccountName subject-attribute is now defined in
>>sources.xml
>>
>> <init-param>
>> <param-name>subjectAttributeCol1</param-name>
>> <param-value>sAMAccountName</param-value>
>> </init-param>
>> <init-param>
>> <param-name>subjectAttributeName1</param-name>
>> <param-value>sAMAccountName</param-value>
>> </init-param>
>>
>>On Fri, Aug 6, 2010 at 10:29 AM, Richard James
>><>
>> wrote:
>>> Thanks Chris that was indeed a typo, I hadn't realised that it wasn't
>>> working correctly.
>>>
>>> I'm not sure if that will be directly related to what we are trying to
>>> accomplish. It is within the LDAP search in our ldappc.xml file that we
>>> want to use the sAMAccountName value rather than the login name. At the
>>> moment it uses
>>>
>>> as the search argument, we need it to use just ntest.
>>>
>>> <source-subject-identifiers>
>>> <source-subject-identifier source="jdbc" subject-attribute="id">
>>> <ldap-search
>>> base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
>>> scope="onelevel_scope"
>>> filter="(sAMAccountName={0})" />
>>>
>>> Thanks
>>>
>>> Richard
>>>
>>>>-----Original Message-----
>>>>From: Chris Hyzer
>>>>[mailto:]
>>>>Sent: 06 August 2010 16:07
>>>>To: Richard James; 'Tom Zeller'
>>>>Cc:
>>>>
>>>>Subject: RE: [grouper-users] Subject Identifiers for provisioning to
>>>>Active Directory
>>>>
>>>>Isn't this a typo?
>>>>
>>>>     <init-param>
>>>>       <!-- col which identifies the row, perhaps not subjectId, add
>>>>multiple by incrementing the 0 index -->
>>>>       <param-name>subjectIdentifierCol0</param-name>
>>>>       <param-value>loginname</param-value>
>>>>     </init-param>
>>>>     <init-param>
>>>>       <!-- col which identifies the row, perhaps not subjectId, add
>>>>multiple by incrementing the 0 index -->
>>>>       <param-name>subjectIdentifierCol1</param-name>
>>>>       <param-value>loginname</param-value>
>>>>     </init-param>
>>>>
>>>>Maybe it should be something like (or whatever the sam account column
>>>>is):
>>>>
>>>>     <init-param>
>>>>       <!-- col which identifies the row, perhaps not subjectId, add
>>>>multiple by incrementing the 0 index -->
>>>>       <param-name>subjectIdentifierCol0</param-name>
>>>>       <param-value>loginname</param-value>
>>>>     </init-param>
>>>>     <init-param>
>>>>       <!-- col which identifies the row, perhaps not subjectId, add
>>>>multiple by incrementing the 0 index -->
>>>>       <param-name>subjectIdentifierCol1</param-name>
>>>>       <param-value>sAMAccountName</param-value>
>>>>     </init-param>
>>>>
>>>>Then add that attribute:
>>>>
>>>>     <init-param>
>>>>       <param-name>subjectAttributeCol1</param-name>
>>>>       <param-value>sAMAccountName</param-value>
>>>>     </init-param>
>>>>     <init-param>
>>>>       <param-name>subjectAttributeName1</param-name>
>>>>       <param-value>sAMAccountName</param-value>
>>>>     </init-param>
>>>>
>>>>Sorry if this is off track, not exactly sure what you want.  Are you
>>>>asking for the subject search in grouper to find subject by two ways,
>>>>netid, and
>>>>?
>>>>  If so, then the above should help.
>>>>
>>>>Thanks,
>>>>Chris
>>>>
>>>>
>>>>-----Original Message-----
>>>>From:
>>>>
>>>> [
>>>>]
>>>> On Behalf Of Richard James
>>>>Sent: Friday, August 06, 2010 10:48 AM
>>>>To: 'Tom Zeller'
>>>>Cc:
>>>>
>>>>Subject: RE: [grouper-users] Subject Identifiers for provisioning to
>>>>Active Directory
>>>>
>>>>I have attached our sources.xml file which we are using in our test
>>>>environment and therefore is configured just for staff members
>>>>currently.
>>>>
>>>>Richard
>>>>
>>>>>-----Original Message-----
>>>>>From:
>>>>>
>>>>>
>>>>>[mailto:]
>>>>> On Behalf Of Tom Zeller
>>>>>Sent: 06 August 2010 15:24
>>>>>To: Richard James
>>>>>Cc:
>>>>>
>>>>>Subject: Re: [grouper-users] Subject Identifiers for provisioning to
>>>>>Active Directory
>>>>>
>>>>>What Source/Subject adapter are you using ? Is it custom ? If not
>>>>>custom, posting your (sanitized) sources.xml will help.
>>>>>
>>>>>TomZ
>>>>>
>>>>>On Fri, Aug 6, 2010 at 8:59 AM, Richard James
>>>>><>
>>>>> wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> With some very much appreciated help from the community, we are able
>>>>>> to successfully provision from grouper into our active directory, yet
>>>>>> we do have an area which we would appreciate some advice on.
>>>>>>
>>>>>> Our current Grouper setup uses
>>>>>>
>>>>>> as the subject identifier; this is to ensure that our Grouper install
>>>>>> is future proof if we begin to allow multi institutional federated
>>>>>> access.
>>>>>>
>>>>>> The issue we encounter is that within the active directory, there are
>>>>>> no attributes attached to a user object which use the
>>>>>>
>>>>>> scope. The attribute we would ideally like to be able to search is the
>>>>>> sAMAccountName, which uses just the login id, without the @ncl.ac.uk.
>>>>>> To currently be able to find subjects in the AD, we are setting the
>>>>>> subject 'name' attribute to be the login id so that we can use this in
>>>>>> the ldap-search,
>>>>>>
>>>>>> <source-subject-identifiers>
>>>>>>    <source-subject-identifier source="jdbc" subject-attribute="name">
>>>>>>      <ldap-search
>>>>>>        base="CN=Users,dc=testcampus,dc=ncl,dc=ac,dc=uk"
>>>>>>        scope="onelevel_scope"
>>>>>>        filter="(sAMAccountName={0})" />
>>>>>>    </source-subject-identifier>
>>>>>>  </source-subject-identifiers>
>>>>>>
>>>>>> What we are wondering is if there is any way to attach a custom
>>>>>> attribute to the subject which we can define as sAMAccountName, and be
>>>>>> able to use this in the LDAP search? Or alternatively be able to trim
>>>>>> the @ncl.ac.uk from the ID for searching, similar to the process used
>>>>>> for replacing colons for the sAMAccountName in the creation of a new
>>>>>> group?
>>>>>>
>>>>>> Any hints or possible approaches would be very much appreciated.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Richard James
>>>>>> ISS Middleware Team
>>>>>>
>>>>>>
>>>>>>
>>>
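Added example for the thread above (Python; this is not Grouper or ldappc code and not from anyone in the thread). It models the two routes discussed, a dedicated sAMAccountName subject attribute versus trimming the @scope from the scoped id, and builds the `(sAMAccountName={0})` ldap-search filter with the substituted value escaped per RFC 4515, raising the same "has no value for attribute" condition Richard hit when the attribute is unpopulated. The subject rows are constructed sample data.

```python
# Added example: resolve the value that goes into {0} of the ldap-search
# filter and escape it (RFC 4515) before building the filter string.
# The subject rows below are constructed sample data, not real accounts.
SUBJECTS = {
    "ntest@ncl.ac.uk": {"id": "ntest@ncl.ac.uk", "name": "ntest",
                        "sAMAccountName": "ntest"},
    # attribute never populated: mirrors the "has no value for attribute" failure
    "rjames@ncl.ac.uk": {"id": "rjames@ncl.ac.uk", "name": "rjames"},
    # constructed account name containing LDAP filter metacharacters
    "odd@ncl.ac.uk": {"id": "odd@ncl.ac.uk", "sAMAccountName": "odd*(user)"},
}


class MissingSubjectAttribute(ValueError):
    """Raised when the subject lacks the attribute named in subject-attribute."""


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value (RFC 4515) so it cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def local_part(scoped_id: str, scope: str = "ncl.ac.uk") -> str:
    """Trim the @scope suffix from a scoped identifier (e.g. an eppn)."""
    suffix = "@" + scope
    if not scoped_id.lower().endswith(suffix.lower()):
        raise ValueError(f"{scoped_id!r} is not scoped to {scope!r}")
    return scoped_id[: -len(suffix)]


def subject_attribute_value(subject: dict, attribute: str) -> str:
    """Return the configured subject attribute, failing loudly if it is absent."""
    value = subject.get(attribute)
    if not value:
        raise MissingSubjectAttribute(
            f"Subject [{subject.get('id')}] has no value for attribute [{attribute}]")
    return value


def build_search_filter(subject: dict, subject_attribute: str,
                        template: str = "(sAMAccountName={0})") -> str:
    """Build the ldap-search filter from the configured subject-attribute."""
    value = subject_attribute_value(subject, subject_attribute)
    return template.replace("{0}", ldap_filter_escape(value))


if __name__ == "__main__":
    for sid, subj in SUBJECTS.items():
        try:
            print(sid, "->", build_search_filter(subj, "sAMAccountName"))
        except MissingSubjectAttribute as exc:
            print(sid, "->", exc)
```

The escaping step is the part ldappc's `{0}` substitution does not make visible in the config: without it, an attribute value containing `*` or parentheses would widen or break the filter rather than match one account.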



Archive powered by MHonArc 2.6.16.