grouper-users - [grouper-users] LDAPPCNG - Members not being provisioned
Subject: Grouper Users - Open Discussion List
- From: Richard James <>
- To: "" <>
- Subject: [grouper-users] LDAPPCNG - Members not being provisioned
- Date: Mon, 20 Sep 2010 15:37:48 +0100
Hi All,

We have been successfully provisioning Grouper groups into our live Active Directory using LDAPPC and we are now looking at using LDAPPCNG in order to keep up to date.

Our current progress is that we have been able to provision the groups into the active directory (see attached successresponse.txt) but unfortunately we have not been able to get members to be provisioned. The following messages are logged in the logs:

2010-09-20 15:06:48,126: [main] ERROR PSP.execute(202) - - CalcResponse[id=test,status=failure,error=noSuchIdentifier,errorMessages={Unable to calculate provisioned object.},requestID=2010/09/20-15:06:47.658_QOLO3QXH]
2010-09-20 15:06:48,140: [main] WARN PSOReferenceDefinition.getReferences(126) - - get references for 'test:test' ref 'members-jdbc' unable to resolve identifier 'test'
2010-09-20 15:06:48,773: [main] ERROR PSP.execute(202) - - CalcResponse[id=test,status=failure,error=noSuchIdentifier,errorMessages={Unable to calculate provisioned object.},requestID=2010/09/20-15:06:48.444_QOLO3QXN]
2010-09-20 15:06:48,774: [main] ERROR PSP.execute(227) - - DiffResponse[id=test,status=failure,error=noSuchIdentifier,errorMessages={Unable to calculate provisioned object.},requestID=2010/09/20-15:06:48.444_QOLO3QXM]
2010-09-20 15:06:49,079: [main] ERROR PSP.execute(626) - - BulkDiffResponse[responses=5,status=failure,error=<null>,errorMessages={},requestID=2010/09/20-15:06:43.986_QOLO3QWS]

From the log it does show that it is finding the correct members from the group membership list, but for some reason it is not able to make use of this user identifier. Within the ldappc-resolver the ldappc filter is configured to search against the CN for user which takes the same format as the id shown in the log entry.

I have attached sanitized versions of the main config files that we are using to do this. The main change to the ldappc-resolver.xml file that we made was to create the group in the AD with the grouper extension attribute rather than the name attribute.

We have attempted to amend the ldappc-resolver to see if we could get this working but to no avail; the versions of the files attached currently allow us to create the groups.

Could anyone point us in the right direction for where the problem may be occurring? We are a bit unsure if we have missed something out of our configuration or if we are referencing an incorrect attribute, or if indeed it is something on the AD side.

We are using version 1.6.1.

Many Thanks
Richie
ISS Middleware Team
Newcastle University

status='success' requestID='2010/09/20-14:54:12.753_QOLONMY9'>
<ldappc:syncResponse>
<addResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='success'
requestID='2010/09/20-14:54:14.189_QOLONMZM'>
<pso entityName='stem'>
<psoID ID='ou=etc,ou=GrouperTest,dc=testcampus,dc=ncl,dc=ac,dc=uk'
targetID='ldap'/>
<data>
<dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core'
name='objectClass'>
<dsml:value>organizationalUnit</dsml:value>
<dsml:value>top</dsml:value>
</dsml:attr>
<dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name='ou'>
<dsml:value>etc</dsml:value>
</dsml:attr>
</data>
</pso>
</addResponse>
<ldappc:id ID='etc'/>
</ldappc:syncResponse>
<ldappc:syncResponse>
<addResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='success'
requestID='2010/09/20-14:54:15.210_QOLONMZR'>
<pso entityName='stem'>
<psoID ID='ou=test,ou=GrouperTest,dc=testcampus,dc=ncl,dc=ac,dc=uk'
targetID='ldap'/>
<data>
<dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core'
name='objectClass'>
<dsml:value>organizationalUnit</dsml:value>
<dsml:value>top</dsml:value>
</dsml:attr>
<dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name='ou'>
<dsml:value>test</dsml:value>
</dsml:attr>
</data>
</pso>
</addResponse>
<ldappc:id ID='test'/>
</ldappc:syncResponse>
<ldappc:syncResponse>
<addResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='success'
requestID='2010/09/20-14:54:16.303_QOLONMZX'>
<pso entityName='group'>
<psoID
ID='cn=wheel,ou=etc,ou=GrouperTest,dc=testcampus,dc=ncl,dc=ac,dc=uk'
targetID='ldap'/>
<data>
<dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core'
name='objectClass'>
<dsml:value>group</dsml:value>
<dsml:value>top</dsml:value>
</dsml:attr>
<dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name='cn'>
<dsml:value>wheel</dsml:value>
</dsml:attr>
</data>
</pso>
</addResponse>
<ldappc:id ID='etc:wheel'/>
</ldappc:syncResponse>
<ldappc:syncResponse>
<addResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='success'
requestID='2010/09/20-14:54:17.142_QOLONMZ7'>
<pso entityName='group'>
<psoID
ID='cn=test,ou=test,ou=GrouperTest,dc=testcampus,dc=ncl,dc=ac,dc=uk'
targetID='ldap'/>
<data>
<dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core'
name='objectClass'>
<dsml:value>group</dsml:value>
<dsml:value>top</dsml:value>
</dsml:attr>
<dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name='cn'>
<dsml:value>test</dsml:value>
</dsml:attr>
</data>
</pso>
</addResponse>
<ldappc:id ID='test:test'/>
</ldappc:syncResponse>
</ldappc:bulkSyncResponse>
<?xml version="1.0" encoding="utf-8"?>
<!-- Grouper's subject resolver configuration $Id: sources.example.xml,v 1.7.2.1 2009/05/22 19:27:34 mchyzer Exp $ -->
<sources>
  <!-- Group Subject Resolver -->
  <!-- NOTE: It is recommended that you **not** change the default values for this source adapter. -->
  <source adapterClass="edu.internet2.middleware.grouper.GrouperSourceAdapter">
    <id>g:gsa</id>
    <name>Grouper: Group Source Adapter</name>
    <type>group</type>
  </source>
  <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2">
    <id>jdbc</id>
    <name>NCL_staff</name>
    <type>person</type>
    <init-param>
      <param-name>jdbcConnectionProvider</param-name>
      <param-value>edu.internet2.middleware.grouper.subj.GrouperJdbcConnectionProvider</param-value>
    </init-param>
    <init-param>
      <param-name>dbTableOrView</param-name>
      <param-value>NCL_staff</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdCol</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>nameCol</param-name>
      <param-value>surname</param-value>
    </init-param>
    <init-param>
      <param-name>name2Col</param-name>
      <param-value>forenames</param-value>
    </init-param>
    <init-param>
      <param-name>descriptionCol</param-name>
      <param-value>fullname</param-value>
    </init-param>
    <init-param>
      <!-- search col where general searches take place, lower case -->
      <param-name>lowerSearchCol</param-name>
      <param-value>searchvalues</param-value>
    </init-param>
    <init-param>
      <!-- optional col if you want the search results sorted in the API (note, UI might override) -->
      <param-name>defaultSortCol</param-name>
      <param-value>known_as</param-value>
    </init-param>
    <init-param>
      <!-- col which identifies the row, perhaps not subjectId -->
      <param-name>subjectIdentifierCol0</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdentifierCol1</param-name>
      <param-value>SAMA</param-value>
    </init-param>
    <!-- now you can count up from 0 to N of attributes for various cols -->
    <init-param>
      <param-name>subjectAttributeCol0</param-name>
      <param-value>SAMA</param-value>
    </init-param>
    <init-param>
      <param-name>subjectAttributeName0</param-name>
      <param-value>SAMA</param-value>
    </init-param>
  </source>
</sources>
<?xml version="1.0" encoding="utf-8"?>
<ldappc xmlns="http://grouper.internet2.edu/ldappc"
        xmlns:ldappc="http://grouper.internet2.edu/ldappc"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://grouper.internet2.edu/ldappc classpath:/schema/ldappc.xsd">
  <targets id="LDAP">
    <target id="ldap" provider="ldap-provider" />
    <object id="stem">
      <identifier ref="stem-dn" baseId="${groupsOU}">
        <identifyingAttribute name="objectclass" value="organizationalUnit" />
      </identifier>
      <attribute name="objectClass" ref="stem-objectclass" />
      <attribute name="ou" ref="stem-ou" />
      <attribute name="description" ref="stem-description" />
    </object>
    <object id="group" authoritative="true">
      <identifier ref="group-dn" baseId="${groupsOU}">
        <identifyingAttribute name="objectClass" value="${groupObjectClass}" />
      </identifier>
      <attribute name="objectClass" ref="group-objectclass" />
      <attribute name="cn" />
      <attribute name="description" />
      <references name="member">
        <reference ref="members-jdbc" toObject="member" />
        <reference ref="members-g:gsa" toObject="group" />
      </references>
    </object>
    <object id="member">
      <identifier ref="member-dn" baseId="${peopleOU}">
        <identifyingAttribute name="objectclass" value="person" />
      </identifier>
    </object>
  </targets>
</ldappc>
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
                   xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
                   xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
                   xmlns:grouper="http://grouper.internet2.edu/shibboleth/2.0"
                   xmlns:ldappc="http://grouper.internet2.edu/ldappc"
                   xsi:schemaLocation="
                     urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
                     urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
                     urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
                     http://grouper.internet2.edu/shibboleth/2.0 classpath:/schema/shibboleth-2.0-grouper.xsd
                     http://grouper.internet2.edu/ldappc classpath:/schema/ldappc.xsd">

  <resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
    <grouper:Attribute id="members" />
    <grouper:Attribute id="groups" />
  </resolver:DataConnector>

  <resolver:DataConnector id="StemDataConnector" xsi:type="grouper:StemDataConnector">
  </resolver:DataConnector>

  <resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
    <grouper:Attribute id="groups" />
  </resolver:DataConnector>

  <resolver:DataConnector id="StaticDataConnector" xsi:type="dc:Static">
    <dc:Attribute id="group-objectclass">
      <dc:Value>top</dc:Value>
      <dc:Value>${groupObjectClass}</dc:Value>
    </dc:Attribute>
    <dc:Attribute id="group-objectclass-eduMember">
      <dc:Value>top</dc:Value>
      <dc:Value>${groupObjectClass}</dc:Value>
      <dc:Value>eduMember</dc:Value>
    </dc:Attribute>
    <dc:Attribute id="stem-objectclass">
      <dc:Value>top</dc:Value>
      <dc:Value>organizationalUnit</dc:Value>
    </dc:Attribute>
    <dc:Attribute id="member-objectclass">
      <dc:Value>eduMember</dc:Value>
    </dc:Attribute>
  </resolver:DataConnector>

  <resolver:AttributeDefinition id="stem-dn" xsi:type="ldappc:LdapDnPSOIdentifier" structure="${DNstructure}"
                                sourceAttributeID="name" rdnAttributeName="ou" base="${groupsOU}">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="stem-objectclass" xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="stem-ou" xsi:type="ad:Simple" sourceAttributeID="extension">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="stem-description" xsi:type="ad:Simple" sourceAttributeID="description">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="group-dn" xsi:type="ldappc:LdapDnPSOIdentifier" structure="${DNstructure}"
                                sourceAttributeID="extension" rdnAttributeName="cn" base="${groupsOU}">
    <resolver:Dependency ref="GroupDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="group-objectclass" xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="group-objectclass-eduMember" xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="description" xsi:type="ad:Simple">
    <resolver:Dependency ref="GroupDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="cn" xsi:type="ad:Simple" sourceAttributeID="extension">
    <resolver:Dependency ref="GroupDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                                id="sAMAccountName" sourceAttributeID="name">
    <resolver:Dependency ref="GroupDataConnector" />
    <Script><![CDATA[
      // Import Shibboleth attribute provider
      importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
      value = name.getValues().get(0);
      value = value.replaceAll("\\/", "_");
      value = value.replaceAll("\\/", "_");
      value = value.replaceAll("\\[", "_");
      value = value.replaceAll("\\]", "_");
      value = value.replaceAll("\\:", "_");
      value = value.replaceAll("\\;", "_");
      value = value.replaceAll("\\|", "_");
      value = value.replaceAll("\\=", "_");
      value = value.replaceAll("\\,", "_");
      value = value.replaceAll("\\+", "_");
      value = value.replaceAll("\\*", "_");
      value = value.replaceAll("\\?", "_");
      sAMAccountName = new BasicAttribute("sAMAccountName");
      sAMAccountName.getValues().add(value);
    ]]></Script>
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="hasMember" xsi:type="grouper:Member" sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <grouper:Attribute id="name" source="jdbc" />
    <grouper:Attribute id="name" source="g:gsa" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="groupIsMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups">
    <resolver:Dependency ref="GroupDataConnector" />
    <grouper:Attribute id="name" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="members-jdbc" xsi:type="grouper:Member" sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <grouper:Attribute id="id" source="jdbc" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="members-g:gsa" xsi:type="grouper:Member" sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <grouper:Attribute id="name" source="g:gsa" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="member-dn" xsi:type="ad:Simple" sourceAttributeID="psoID">
    <resolver:Dependency ref="SpmlDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:DataConnector id="SpmlDataConnector" provider="ldap-provider" xsi:type="ldappc:SPMLDataConnector"
                          scope="subTree" base="${peopleOU}" returnData="identifier">
    <resolver:Dependency ref="MemberDataConnector" />
    <ldappc:FilterTemplate>(cn=${id.get(0)})</ldappc:FilterTemplate>
  </resolver:DataConnector>

  <resolver:AttributeDefinition id="member-objectclass" xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="memberIsMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups">
    <resolver:Dependency ref="MemberDataConnector" />
    <grouper:Attribute id="name" />
  </resolver:AttributeDefinition>
</AttributeResolver>
Attachment:
ldappc.properties
Description: ldappc.properties
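
Added example, not part of the original post or of the Grouper code base: a Python script that pulls the failing group, reference and subject identifier out of the log lines quoted in the message and renders the LDAP filter that the FilterTemplate in the attached resolver would search with. It assumes the ${id.get(0)} placeholder is replaced by the subject id; the function names and the RFC 4515 escaping step are this example's own.

```python
import re

# Log lines quoted from the post above, with the mail client's line wraps rejoined.
SAMPLE_LOG = """\
2010-09-20 15:06:48,126: [main] ERROR PSP.execute(202) - - CalcResponse[id=test,status=failure,error=noSuchIdentifier,errorMessages={Unable to calculate provisioned object.},requestID=2010/09/20-15:06:47.658_QOLO3QXH]
2010-09-20 15:06:48,140: [main] WARN PSOReferenceDefinition.getReferences(126) - - get references for 'test:test' ref 'members-jdbc' unable to resolve identifier 'test'
2010-09-20 15:06:48,773: [main] ERROR PSP.execute(202) - - CalcResponse[id=test,status=failure,error=noSuchIdentifier,errorMessages={Unable to calculate provisioned object.},requestID=2010/09/20-15:06:48.444_QOLO3QXN]
2010-09-20 15:06:48,774: [main] ERROR PSP.execute(227) - - DiffResponse[id=test,status=failure,error=noSuchIdentifier,errorMessages={Unable to calculate provisioned object.},requestID=2010/09/20-15:06:48.444_QOLO3QXM]
2010-09-20 15:06:49,079: [main] ERROR PSP.execute(626) - - BulkDiffResponse[responses=5,status=failure,error=<null>,errorMessages={},requestID=2010/09/20-15:06:43.986_QOLO3QWS]
"""

WARN_RE = re.compile(r"get references for '([^']*)' ref '([^']*)' "
                     r"unable to resolve identifier '([^']*)'")
FAIL_RE = re.compile(r"(\w+Response)\[id=([^,\]]+),status=failure,error=([^,\]]+)")
PLACEHOLDER = "${id.get(0)}"  # placeholder text used in the post's FilterTemplate


def unresolved_references(log):
    """(group name, reference id, subject identifier) for each member that did not resolve."""
    return [m.groups() for m in WARN_RE.finditer(log)]


def failed_responses(log):
    """(response type, id, error) for each per-object failure response."""
    return [m.groups() for m in FAIL_RE.finditer(log)]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_filter(template, subject_id):
    """Assumption: the placeholder is replaced by the first subject id value."""
    return template.replace(PLACEHOLDER, escape_filter_value(subject_id))


if __name__ == "__main__":
    for group, ref, ident in unresolved_references(SAMPLE_LOG):
        print(group, ref, ident, "->", render_filter("(cn=" + PLACEHOLDER + ")", ident))
```

The rendered filter can then be run by hand against the ${peopleOU} base with subtree scope, which is the search the SpmlDataConnector in the attached resolver is configured to make.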