
grouper-users - [grouper-users] LDAPPCNG Subject Identifiers

Subject: Grouper Users - Open Discussion List


[grouper-users] LDAPPCNG Subject Identifiers


  • From: Richard James <>
  • To: grouper users list <>
  • Subject: [grouper-users] LDAPPCNG Subject Identifiers
  • Date: Fri, 11 Feb 2011 14:43:35 +0000
  • Accept-language: en-US, en-GB
  • Acceptlanguage: en-US, en-GB

Hi,

Hopefully this will be a nice simple query to help with, and apologies if
this has already been discussed/documented elsewhere.

We have been using LDAPPC for the past 4 months or so and have successfully
been provisioning groups and memberships into our Active Directory. To do
this we provision our subjects using a subject attribute called SAMA, which
we defined in our sources.xml file. With LDAPPC we were able to configure the
LDAPPC.xml file to use the SAMA attribute when searching in the Active
Directory.

I have been installing LDAPPCNG and have been able to provision groups into
the AD, but when we provision the memberships it uses the default subject ID,
which unfortunately means that it will not be able to find a match against
the CN attribute in the AD. If we change the subject id to a format which
matches the CN attribute in the AD it will successfully provision the
membership.

See the response we get from running bulkCalc, which shows trying to
provision the 2 different formats of subject ID.

<ldappc:calcResponse status='failure'
requestID='2011/02/11-14:24:26.644_QUBG45LX' error='noSuchIdentifier'>
<errorMessage>Unable to calculate provisioned object.</errorMessage>
<ldappc:id
'/>
</ldappc:calcResponse>
<ldappc:calcResponse status='success'
requestID='2011/02/11-14:24:26.699_QUBG45L0'>
<ldappc:id ID='nrj17'/>
<ldappc:pso entityName='member'>
<psoID ID='cn=nrj17,ou=Staff Users,ou=Campus
Users,dc=campus,dc=ncl,dc=ac,dc=uk' targetID='ldap'/>
</ldappc:pso>
</ldappc:calcResponse>
</ldappc:bulkCalcResponse>

Would you be able to point me in the right direction of where you can change
the subject identifier that LDAPPCNG will use when provisioning memberships
i.e. for it to use the SAMA attribute? I have attempted to amend the
Ldappc-resolver.xml but with no success. I have attached sanitized versions
of some of our Ldappc config files.

Thanks

Richie





Richard James
Infrastructure Systems Administrator
ISS Systems Architecture
Newcastle University
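<?xml version="1.0" encoding="utf-8"?>

<!--
  ldappc provisioning configuration: declares the provisioned object types
  (stem, group, member) for the "ldap" target. Every ref="..." names an
  attribute definition in the attribute resolver configuration; ${...} tokens
  are property placeholders.
-->
<ldappc xmlns="http://grouper.internet2.edu/ldappc"
        xmlns:ldappc="http://grouper.internet2.edu/ldappc"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://grouper.internet2.edu/ldappc classpath:/schema/ldappc.xsd">

  <targets id="LDAP">

    <target id="ldap" provider="ldap-provider" />

    <!-- Stems: identified by stem-dn below ${groupsOU}, with objectClass, ou and description. -->
    <object id="stem">
      <identifier ref="stem-dn" baseId="${groupsOU}">
        <identifyingAttribute name="objectclass" value="organizationalUnit" />
      </identifier>
      <attribute name="objectClass" ref="stem-objectclass" />
      <attribute name="ou" ref="stem-ou" />
      <attribute name="description" ref="stem-description" />
    </object>

    <!--
      Groups: identified by group-dn below ${groupsOU}.
      NOTE(review): authoritative="true" presumably makes Grouper the source of
      truth for groups under ${groupsOU}, which may include removing entries it
      does not know about. Confirm this before pointing baseId at a container
      that also holds groups managed outside Grouper.
    -->
    <object id="group" authoritative="true">
      <identifier ref="group-dn" baseId="${groupsOU}">
        <identifyingAttribute name="objectClass" value="${groupObjectClass}" />
      </identifier>
      <attribute name="objectClass" ref="group-objectclass" />
      <attribute name="cn" />
      <attribute name="description" />
      <!-- "member" values: subjects from members-jdbc map to member objects,
           subjects from members-g:gsa map to group objects. -->
      <references name="member">
        <reference ref="members-jdbc" toObject="member" />
        <reference ref="members-g:gsa" toObject="group" />
      </references>
    </object>

    <!--
      Members: only an identifier is declared. member-dn is what turns a
      Grouper subject into a directory entry below ${peopleOU}, so it decides
      which account ends up in a group's member attribute.
    -->
    <object id="member">
      <identifier ref="member-dn" baseId="${peopleOU}">
        <identifyingAttribute name="objectclass" value="person" />
      </identifier>
    </object>

  </targets>

</ldappc>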
 


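<?xml version="1.0" encoding="UTF-8"?>
<!--
  Attribute resolver used by ldappc. Data connectors expose Grouper groups,
  stems and members (plus a set of static values); attribute definitions turn
  them into the identifiers and attributes that the ldappc configuration
  refers to by id. ${...} tokens are property placeholders.
-->
<AttributeResolver
  xmlns="urn:mace:shibboleth:2.0:resolver"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
  xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
  xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
  xmlns:grouper="http://grouper.internet2.edu/shibboleth/2.0"
  xmlns:ldappc="http://grouper.internet2.edu/ldappc"
  xsi:schemaLocation="
   urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
   urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
   urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
   http://grouper.internet2.edu/shibboleth/2.0 classpath:/schema/shibboleth-2.0-grouper.xsd
   http://grouper.internet2.edu/ldappc classpath:/schema/ldappc.xsd">

  <!-- ===== Data connectors ===== -->

  <!-- Grouper groups, with their "members" and "groups" attributes. -->
  <resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
    <grouper:Attribute id="members" />
    <grouper:Attribute id="groups" />
  </resolver:DataConnector>

  <!-- Grouper stems. -->
  <resolver:DataConnector id="StemDataConnector" xsi:type="grouper:StemDataConnector">
  </resolver:DataConnector>

  <!-- Grouper members (subjects); only the "groups" attribute is requested explicitly. -->
  <resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
    <grouper:Attribute id="groups" />
  </resolver:DataConnector>

  <!-- Fixed objectClass value lists for provisioned entries. -->
  <resolver:DataConnector id="StaticDataConnector" xsi:type="dc:Static">
    <dc:Attribute id="group-objectclass">
      <dc:Value>top</dc:Value>
      <dc:Value>${groupObjectClass}</dc:Value>
    </dc:Attribute>
    <dc:Attribute id="group-objectclass-eduMember">
      <dc:Value>top</dc:Value>
      <dc:Value>${groupObjectClass}</dc:Value>
      <dc:Value>eduMember</dc:Value>
    </dc:Attribute>
    <dc:Attribute id="stem-objectclass">
      <dc:Value>top</dc:Value>
      <dc:Value>organizationalUnit</dc:Value>
    </dc:Attribute>
    <dc:Attribute id="member-objectclass">
      <dc:Value>eduMember</dc:Value>
    </dc:Attribute>
  </resolver:DataConnector>

  <!-- ===== Stem attributes ===== -->

  <!-- Stem DN: built from the stem "name", RDN attribute ou, below ${groupsOU}. -->
  <resolver:AttributeDefinition id="stem-dn" xsi:type="ldappc:LdapDnPSOIdentifier"
    structure="${DNstructure}" sourceAttributeID="name" rdnAttributeName="ou" base="${groupsOU}">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="stem-objectclass" xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="stem-ou" xsi:type="ad:Simple" sourceAttributeID="extension">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="stem-description" xsi:type="ad:Simple" sourceAttributeID="description">
    <resolver:Dependency ref="StemDataConnector" />
  </resolver:AttributeDefinition>

  <!-- ===== Group attributes ===== -->

  <!-- Group DN: built from the group "displayExtension", RDN attribute cn, below ${groupsOU}. -->
  <resolver:AttributeDefinition id="group-dn" xsi:type="ldappc:LdapDnPSOIdentifier"
    structure="${DNstructure}" sourceAttributeID="displayExtension" rdnAttributeName="cn" base="${groupsOU}">
    <resolver:Dependency ref="GroupDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="group-objectclass" xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="group-objectclass-eduMember" xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="description" xsi:type="ad:Simple">
    <resolver:Dependency ref="GroupDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="cn" xsi:type="ad:Simple" sourceAttributeID="displayExtension">
    <resolver:Dependency ref="GroupDataConnector" />
  </resolver:AttributeDefinition>

  <!--
    sAMAccountName for groups, derived by script. The default namespace is
    switched to the "ad" namespace on this element so that xsi:type="Script"
    and the unprefixed Script child resolve there.
  -->
  <resolver:AttributeDefinition xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="sAMAccountName" sourceAttributeID="displayExtension">
    <resolver:Dependency ref="GroupDataConnector" />
    <Script><![CDATA[
      // Import Shibboleth attribute provider
      importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

      // NOTE(review): the script reads the dependency attribute "name" although
      // sourceAttributeID says "displayExtension"; confirm which one is intended.
      value = name.getValues().get(0);

      // Replace every character Active Directory rejects in a sAMAccountName
      // ( " / \ [ ] : ; | = , + * ? < > ) with "_". One character class covers
      // the full set, including backslash, double quote and angle brackets.
      // Distinct group names can collapse to the same result (a:b and a;b both
      // give a_b). NOTE(review): confirm uniqueness is enforced elsewhere.
      value = value.replaceAll("[\"/\\\\\\[\\]:;|=,+*?<>]", "_");

      sAMAccountName = new BasicAttribute("sAMAccountName");
      sAMAccountName.getValues().add(value);
      ]]></Script>
  </resolver:AttributeDefinition>

  <!-- ===== Membership attributes ===== -->

  <!-- Members of a group: ids of subjects from source "jdbc", names of subjects from "g:gsa". -->
  <resolver:AttributeDefinition id="hasMember" xsi:type="grouper:Member" sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <grouper:Attribute id="id" source="jdbc" />
    <grouper:Attribute id="name" source="g:gsa" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="groupIsMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups">
    <resolver:Dependency ref="GroupDataConnector" />
    <grouper:Attribute id="name" />
  </resolver:AttributeDefinition>

  <!-- Person members: the subject id of each member from source "jdbc" only;
       no other person source is referenced here. -->
  <resolver:AttributeDefinition id="members-jdbc" xsi:type="grouper:Member" sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <grouper:Attribute id="id" source="jdbc" />
  </resolver:AttributeDefinition>

  <!-- Group members: the displayExtension of each member from source "g:gsa". -->
  <resolver:AttributeDefinition id="members-g:gsa" xsi:type="grouper:Member" sourceAttributeID="members">
    <resolver:Dependency ref="GroupDataConnector" />
    <grouper:Attribute id="displayExtension" source="g:gsa" />
  </resolver:AttributeDefinition>

  <!-- ===== Member lookup in the directory ===== -->

  <!-- The member DN is whatever identifier the directory search below returns. -->
  <resolver:AttributeDefinition id="member-dn" xsi:type="ad:Simple" sourceAttributeID="psoID">
    <resolver:Dependency ref="SpmlDataConnector" />
  </resolver:AttributeDefinition>

  <!--
    Searches the target directory (subtree below ${peopleOU}) for the entry
    that corresponds to a Grouper member and returns its identifier.

    The filter compares cn with the member's "id", so a subject whose id does
    not equal the cn of its directory entry is not found.
    NOTE(review): to match on a different subject attribute, that attribute
    would presumably have to be made available to this connector and
    referenced in the template; confirm against the ldappc documentation.

    NOTE(review): the id is substituted into an LDAP search filter. Confirm
    that the connector escapes filter metacharacters (RFC 4515: * ( ) \ NUL)
    in the substituted value, or that the subject id column can never contain
    them; otherwise a crafted id could change which entry is matched. Also
    confirm how more than one match in the subtree is handled.
  -->
  <resolver:DataConnector id="SpmlDataConnector" provider="ldap-provider" xsi:type="ldappc:SPMLDataConnector"
    scope="subTree" base="${peopleOU}" returnData="identifier">
    <resolver:Dependency ref="MemberDataConnector" />
    <ldappc:FilterTemplate>(cn=${id.get(0)})</ldappc:FilterTemplate>
  </resolver:DataConnector>

  <resolver:AttributeDefinition id="member-objectclass" xsi:type="ad:Simple">
    <resolver:Dependency ref="StaticDataConnector" />
  </resolver:AttributeDefinition>

  <resolver:AttributeDefinition id="memberIsMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups">
    <resolver:Dependency ref="MemberDataConnector" />
    <grouper:Attribute id="displayExtension" />
  </resolver:AttributeDefinition>

</AttributeResolver>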
<?xml version="1.0" encoding="utf-8"?>

<!--
Grouper's subject resolver configuration
$Id: sources.example.xml,v 1.7.2.1 2009/05/22 19:27:34 mchyzer Exp $
-->

<!--
  One <source> per subject population. Besides the built-in group source,
  five JDBC sources read person subjects from separate tables or views.
  All five use "loginname" as the subject id column.
  NOTE(review): if the same login name can appear in more than one of these
  tables, two subjects in different sources share an id; confirm the tables
  are disjoint wherever a subject id is used on its own as a lookup key.
-->
<sources>

  <!-- Group Subject Resolver -->
  <!--
    NOTE: It is recommended that you **not** change the default
          values for this source adapter.
  -->
  <source adapterClass="edu.internet2.middleware.grouper.GrouperSourceAdapter">
    <id>g:gsa</id>
    <name>Grouper: Group Source Adapter</name>
    <type>group</type>
  </source>

  <!-- Staff. The only source where SAMA is also a subject identifier column. -->
  <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2">
    <id>jdbc</id>
    <name>NCL_staff</name>
    <type>person</type>
    <init-param>
      <param-name>jdbcConnectionProvider</param-name>
      <param-value>edu.internet2.middleware.grouper.subj.GrouperJdbcConnectionProvider</param-value>
    </init-param>
    <init-param>
      <param-name>dbTableOrView</param-name>
      <param-value>NCL_staff</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdCol</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>nameCol</param-name>
      <param-value>surname</param-value>
    </init-param>
    <init-param>
      <param-name>name2Col</param-name>
      <param-value>forenames</param-value>
    </init-param>
    <init-param>
      <param-name>descriptionCol</param-name>
      <param-value>fullname</param-value>
    </init-param>
    <init-param>
      <!-- column searched by general searches; holds lower-case values -->
      <param-name>lowerSearchCol</param-name>
      <param-value>searchvalues</param-value>
    </init-param>
    <init-param>
      <!-- optional column for sorting search results in the API (the UI might override it) -->
      <param-name>defaultSortCol</param-name>
      <param-value>known_as</param-value>
    </init-param>
    <init-param>
      <!-- column that identifies the row, not necessarily the subject id -->
      <param-name>subjectIdentifierCol0</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdentifierCol1</param-name>
      <param-value>SAMA</param-value>
    </init-param>
    <!-- subject attributes, numbered from 0: column and exposed attribute name -->
    <init-param>
      <param-name>subjectAttributeCol0</param-name>
      <param-value>SAMA</param-value>
    </init-param>
    <init-param>
      <param-name>subjectAttributeName0</param-name>
      <param-value>SAMA</param-value>
    </init-param>
  </source>

  <!-- Students. SAMA is exposed as a subject attribute but not as an identifier. -->
  <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2">
    <id>jdbc2</id>
    <name>NCL_students</name>
    <type>person</type>
    <init-param>
      <param-name>jdbcConnectionProvider</param-name>
      <param-value>edu.internet2.middleware.grouper.subj.GrouperJdbcConnectionProvider</param-value>
    </init-param>
    <init-param>
      <param-name>dbTableOrView</param-name>
      <param-value>NCL_students</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdCol</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>nameCol</param-name>
      <param-value>surname</param-value>
    </init-param>
    <init-param>
      <param-name>name2Col</param-name>
      <param-value>forenames</param-value>
    </init-param>
    <init-param>
      <param-name>descriptionCol</param-name>
      <param-value>fullname</param-value>
    </init-param>
    <init-param>
      <!-- column searched by general searches; holds lower-case values -->
      <param-name>lowerSearchCol</param-name>
      <param-value>searchvalues</param-value>
    </init-param>
    <init-param>
      <!-- optional column for sorting search results in the API (the UI might override it) -->
      <param-name>defaultSortCol</param-name>
      <param-value>surname</param-value>
    </init-param>
    <init-param>
      <!-- column that identifies the row, not necessarily the subject id -->
      <param-name>subjectIdentifierCol0</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdentifierCol1</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <!-- subject attributes, numbered from 0: column and exposed attribute name -->
    <init-param>
      <param-name>subjectAttributeCol0</param-name>
      <param-value>SAMA</param-value>
    </init-param>
    <init-param>
      <param-name>subjectAttributeName0</param-name>
      <param-value>SAMA</param-value>
    </init-param>
  </source>

  <!-- Visitors. No subject attributes are defined, so no SAMA for these subjects. -->
  <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2">
    <id>jdbc3</id>
    <name>NCL_visitors</name>
    <type>person</type>
    <init-param>
      <param-name>jdbcConnectionProvider</param-name>
      <param-value>edu.internet2.middleware.grouper.subj.GrouperJdbcConnectionProvider</param-value>
    </init-param>
    <init-param>
      <param-name>dbTableOrView</param-name>
      <param-value>NCL_Visitors</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdCol</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>nameCol</param-name>
      <param-value>surname</param-value>
    </init-param>
    <init-param>
      <param-name>name2Col</param-name>
      <param-value>forenames</param-value>
    </init-param>
    <init-param>
      <param-name>descriptionCol</param-name>
      <param-value>fullname</param-value>
    </init-param>
    <init-param>
      <!-- column searched by general searches; holds lower-case values -->
      <param-name>lowerSearchCol</param-name>
      <param-value>searchvalues</param-value>
    </init-param>
    <init-param>
      <!-- optional column for sorting search results in the API (the UI might override it) -->
      <param-name>defaultSortCol</param-name>
      <param-value>surname</param-value>
    </init-param>
    <init-param>
      <!-- column that identifies the row, not necessarily the subject id -->
      <param-name>subjectIdentifierCol0</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdentifierCol1</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <!-- subject attributes would be numbered from 0 here; none are defined -->
  </source>

  <!-- External users. No subject attributes are defined, so no SAMA for these subjects. -->
  <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2">
    <id>jdbc4</id>
    <name>NCL_external</name>
    <type>person</type>
    <init-param>
      <param-name>jdbcConnectionProvider</param-name>
      <param-value>edu.internet2.middleware.grouper.subj.GrouperJdbcConnectionProvider</param-value>
    </init-param>
    <init-param>
      <param-name>dbTableOrView</param-name>
      <param-value>NCL_external</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdCol</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>nameCol</param-name>
      <param-value>surname</param-value>
    </init-param>
    <init-param>
      <param-name>name2Col</param-name>
      <param-value>forenames</param-value>
    </init-param>
    <init-param>
      <param-name>descriptionCol</param-name>
      <param-value>fullname</param-value>
    </init-param>
    <init-param>
      <!-- column searched by general searches; holds lower-case values -->
      <!-- NOTE(review): spelled "searchValues" here, "searchvalues" in the other
           sources; confirm the column name resolves the same way in this database -->
      <param-name>lowerSearchCol</param-name>
      <param-value>searchValues</param-value>
    </init-param>
    <init-param>
      <!-- optional column for sorting search results in the API (the UI might override it) -->
      <param-name>defaultSortCol</param-name>
      <param-value>surname</param-value>
    </init-param>
    <init-param>
      <!-- column that identifies the row, not necessarily the subject id -->
      <param-name>subjectIdentifierCol0</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdentifierCol1</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <!-- subject attributes would be numbered from 0 here; none are defined -->
  </source>

  <!-- Students read from NCL_students_not_enrolled. SAMA is an attribute, not an identifier. -->
  <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2">
    <id>jdbc5</id>
    <name>NCL_students_no_prog</name>
    <type>person</type>
    <init-param>
      <param-name>jdbcConnectionProvider</param-name>
      <param-value>edu.internet2.middleware.grouper.subj.GrouperJdbcConnectionProvider</param-value>
    </init-param>
    <init-param>
      <param-name>dbTableOrView</param-name>
      <param-value>NCL_students_not_enrolled</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdCol</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>nameCol</param-name>
      <param-value>surname</param-value>
    </init-param>
    <init-param>
      <param-name>name2Col</param-name>
      <param-value>forenames</param-value>
    </init-param>
    <init-param>
      <param-name>descriptionCol</param-name>
      <param-value>fullname</param-value>
    </init-param>
    <init-param>
      <!-- column searched by general searches; holds lower-case values -->
      <param-name>lowerSearchCol</param-name>
      <param-value>searchvalues</param-value>
    </init-param>
    <init-param>
      <!-- optional column for sorting search results in the API (the UI might override it) -->
      <param-name>defaultSortCol</param-name>
      <param-value>surname</param-value>
    </init-param>
    <init-param>
      <!-- column that identifies the row, not necessarily the subject id -->
      <param-name>subjectIdentifierCol0</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <init-param>
      <param-name>subjectIdentifierCol1</param-name>
      <param-value>loginname</param-value>
    </init-param>
    <!-- subject attributes, numbered from 0: column and exposed attribute name -->
    <init-param>
      <param-name>subjectAttributeCol0</param-name>
      <param-value>SAMA</param-value>
    </init-param>
    <init-param>
      <param-name>subjectAttributeName0</param-name>
      <param-value>SAMA</param-value>
    </init-param>
  </source>

</sources>



