grouper-users - Re: [grouper-users] sources confusion
Subject: Grouper Users - Open Discussion List
List archive
- From: Tom Barton <>
- To: "" <>
- Subject: Re: [grouper-users] sources confusion
- Date: Fri, 25 Feb 2011 08:50:41 -0600
Chris is right, of course. I'll just emphasize that the LDAP attribute
that contains the subjectId you've chosen for your implementation must
be what your searchSubject filter looks in. Since you've got
<init-param>
<param-name>SubjectID_AttributeType</param-name>
<param-value>uid</param-value>
</init-param>
declaring uid to be the attribute bearing the subjectId, you must use
uid in the equality filter in the definition of the searchSubject
searchType:
<search>
<searchType>searchSubject</searchType>
<param>
<param-name>filter</param-name>
<param-value>
(& (uid=%TERM%) (objectclass=uhEduPerson))
</param-value>
</param>
<param>
<param-name>scope</param-name>
<param-value>
SUBTREE_SCOPE
</param-value>
</param>
<param>
<param-name>base</param-name>
<param-value>
ou=people,dc=hawaii,dc=edu
</param-value>
</param>
</search>
Hope this helps,
Tom
On 2/24/2011 8:11 PM, Chris Hyzer wrote:
> First, I will say I haven't done subject sources with ldap... but let me
> *try* to help :)
>
> There are three ways to search for a subject:
>
> By id
> By identifier
> By search string (returns list)
>
> The ID is usually the attribute of the user which doesn't change (probably
> opaque). At Penn, this is the penn_id which is e.g. 12345678
>
> An identifier (could be multiple) is what you can lookup a subject by. At
> penn, this is the pennkey, or e.g. mchyzer
>
> So... this part is the subject id:
>
> <init-param>
> <param-name>SubjectID_AttributeType</param-name>
> <param-value>uid</param-value>
> </init-param>
>
> Is uid something about the user which doesn't change?
>
> This should match (I think):
>
> FROM:
> <search>
> <searchType>searchSubject</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (& (cn=%TERM%) (objectclass=uhEduPerson))
> </param-value>
> </param>
>
> TO:
> <search>
> <searchType>searchSubject</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (& (uid=%TERM%) (objectclass=uhEduPerson))
> </param-value>
> </param>
>
> Then the search by identifier can be the other:
>
> FROM:
> <search>
> <searchType>searchSubjectByIdentifier</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (& (uid=%TERM%) (objectclass=uhEduPerson))
> </param-value>
> </param>
>
> TO:
> <search>
> <searchType>searchSubjectByIdentifier</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (& (cn=%TERM%) (objectclass=uhEduPerson))
> </param-value>
> </param>
>
> Right? Anyone else chime in :)
>
> You can test this command line:
>
> [appadmin@lorenzo
> bin]$ ./gsh.sh
> Type help() for instructions
> gsh 0% grouperSession = GrouperSession.startRootSession();
> edu.internet2.middleware.grouper.GrouperSession:
> 993610149d3b4cfc8ff2cdd89cd126cc,'GrouperSystem','application'
> gsh 1% SubjectFinder.findById("10021368");
> subject: id='10021368' type='person' source='pennperson' name='Michael
> Christopher Hyzer'
> gsh 2% SubjectFinder.findByIdentifier("mchyzer");
> subject: id='10021368' type='person' source='pennperson' name='Michael
> Christopher Hyzer'
> gsh 4% SubjectFinder.findAll("Chris Hyzer");
> subject: id='10021368' type='person' source='pennperson' name='Michael
> Christopher Hyzer'
> gsh 5% SubjectFinder.findAll("Chris Hyzer").iterator().next().getId();
> 10021368
> gsh 6%
>
> Note, the ID of the result must match what you findById()...
>
> Thanks,
> Chris
>
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of Baron Fujimoto
> Sent: Thursday, February 24, 2011 4:08 PM
> To:
>
> Subject: [grouper-users] sources confusion
>
> Hello,
>
> After numerous trials and tribulations, I've managed to finally stand up
> a non-quickstart version of grouper/grouper-ui that I can interact with.
>
> I'm still running into problems though and am perhaps confused about some
> fundamental questions I haven't been able to find answers to in the
> Grouper Wiki.
>
> I suppose my current primary question is, how do you seed grouper with
> basic person-type entities? I assumed, based on what I could glean from
> the documentation, that could be done by connecting to a subject source
> in the sources.xml conf file[1]. I managed to get our instance of grouper
> to talk to our LDAP continaing our users, and if I, say, search for
> myself, in the Grouper UI, it returns a result displayed as the value of
> the LDAP cn attribute. However, if I click on that result, I receive the
> following error messages:
>
> Error: Subject [baron] is unresolvable i.e. unavailable from the registered
> source [LDAP example].
>
> There was an unexpected error retrieving the requested entity as a member.
> The error has been logged and the administrator notified.
>
> In the grouper_error.log file I see
>
> 2011-02-24 10:52:38,840: [http-172.16.4.137-8443-4] ERROR
> PopulateSubjectSummaryAction.grouperExecute(351) - < GrouperSystem
> CB6B4125EB93662BF9BCEBA59AF94347-0009 1fde40e57a094fd2add86e96ffda0cab
> GrouperSystem g:isa > -
> edu.internet2.middleware.subject.SubjectNotFoundException: No results:
> searchSubject filter:(& (cn=%TERM%) (objectclass=uhEduPerson)) searchValue:
> baron
> 2011-02-24 10:52:38,842: [http-172.16.4.137-8443-4] ERROR
> PopulateSubjectSummaryAction.grouperExecute(418) - < GrouperSystem
> CB6B4125EB93662BF9BCEBA59AF94347-0009 1fde40e57a094fd2add86e96ffda0cab
> GrouperSystem g:isa > -
> edu.internet2.middleware.grouper.exception.MemberNotFoundException:
> Unresolvable subject is also not a Member
>
> Any assistance or pointers to the appropriate documentation would be
> greatly appreciated. It's possible I'm completely on the wrong track
> here, which would also be good to know.
>
> [1] excerpt of my source.xml file for connecting to our LDAP:
>
> <source
> adapterClass="edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter">
> <id>LDAP example</id>
> <name>UH LDAP</name>
> <type>person</type>
> <init-param>
> <param-name>INITIAL_CONTEXT_FACTORY</param-name>
> <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>
> </init-param>
> <init-param>
> <param-name>PROVIDER_URL</param-name>
> <param-value>ldaps://ourLDAPhost:636</param-value>
> </init-param>
> <init-param>
> <param-name>SECURITY_AUTHENTICATION</param-name>
> <param-value>simple</param-value>
> </init-param>
> <init-param>
> <param-name>SECURITY_PRINCIPAL</param-name>
> <param-value>cn=ourPrincipal,dc=hawaii,dc=edu</param-value>
> </init-param>
> <init-param>
> <param-name>SECURITY_CREDENTIALS</param-name>
> <param-value>**********</param-value>
> </init-param>
> <init-param>
> <param-name>SubjectID_AttributeType</param-name>
> <param-value>uid</param-value>
> </init-param>
> <init-param>
> <param-name>Name_AttributeType</param-name>
> <param-value>cn</param-value>
> </init-param>
> <init-param>
> <param-name>Description_AttributeType</param-name>
> <param-value>cn</param-value>
> </init-param>
>
> /// Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
> /// For filter use
>
> <search>
> <searchType>searchSubject</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (& (cn=%TERM%) (objectclass=uhEduPerson))
> </param-value>
> </param>
> <param>
> <param-name>scope</param-name>
> <param-value>
> SUBTREE_SCOPE
> </param-value>
> </param>
> <param>
> <param-name>base</param-name>
> <param-value>
> ou=people,dc=hawaii,dc=edu
> </param-value>
> </param>
>
> </search>
> <search>
> <searchType>searchSubjectByIdentifier</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (& (uid=%TERM%) (objectclass=uhEduPerson))
> </param-value>
> </param>
> <param>
> <param-name>scope</param-name>
> <param-value>
> SUBTREE_SCOPE
> </param-value>
> </param>
> <param>
> <param-name>base</param-name>
> <param-value>
> ou=people,dc=hawaii,dc=edu
> </param-value>
> </param>
> </search>
> <search>
> <searchType>search</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (& (|(uid=%TERM%)(cn=%TERM%)) (objectclass=uhEduPerson))
> </param-value>
> </param>
> <param>
> <param-name>scope</param-name>
> <param-value>
> SUBTREE_SCOPE
> </param-value>
> </param>
> <param>
> <param-name>base</param-name>
> <param-value>
> ou=people,dc=hawaii,dc=edu
> </param-value>
> </param>
>
> </search>
>
> ///Attributes you would like to display when doing a search
> <attribute>uid</attribute>
> <attribute>cn</attribute>
>
> </source>
- [grouper-users] sources confusion, Baron Fujimoto, 02/24/2011
- RE: [grouper-users] sources confusion, Chris Hyzer, 02/24/2011
- Re: [grouper-users] sources confusion, Tom Barton, 02/25/2011
- Re: [grouper-users] sources confusion, Baron Fujimoto, 02/25/2011
- Re: [grouper-users] sources confusion, Tom Barton, 02/26/2011
- Re: [grouper-users] sources confusion, Baron Fujimoto, 02/25/2011
- RE: [grouper-users] sources confusion, Julio Polo, 02/25/2011
- RE: [grouper-users] sources confusion, Chris Hyzer, 02/25/2011
- Re: [grouper-users] sources confusion, Tom Barton, 02/25/2011
- RE: [grouper-users] sources confusion, Chris Hyzer, 02/24/2011
Archive powered by MHonArc 2.6.16.