
grouper-users - RE: [grouper-users] sources confusion

Subject: Grouper Users - Open Discussion List

  • From: Julio Polo
  • Subject: RE: [grouper-users] sources confusion
  • Date: Fri, 25 Feb 2011 10:00:48 -1000 (HST)

If Chris is not using LDAP as a subject source, does this mean this is not
common? What is everyone using instead? The Grouper registry? The person
registry?

Julio Polo
Identity and Access Management
University of Hawaii
Information Technology Services
(808) 956-4625


On Thu, 24 Feb 2011, Chris Hyzer wrote:

Date: Thu, 24 Feb 2011 21:11:51 -0500
From: Chris Hyzer
To: Baron Fujimoto
Subject: RE: [grouper-users] sources confusion

First, I will say I haven't done subject sources with ldap... but let me
*try* to help :)

There are three ways to search for a subject:

By id
By identifier
By search string (returns list)

The ID is usually the attribute of the user which doesn't change (probably
opaque). At Penn, this is the penn_id which is e.g. 12345678

An identifier (could be multiple) is what you can lookup a subject by. At
penn, this is the pennkey, or e.g. mchyzer

So... this part is the subject id:

<init-param>
<param-name>SubjectID_AttributeType</param-name>
<param-value>uid</param-value>
</init-param>

Is uid something about the user which doesn't change?

This should match (I think):

FROM:
<search>
<searchType>searchSubject</searchType>
<param>
<param-name>filter</param-name>
<param-value>
(&amp; (cn=%TERM%) (objectclass=uhEduPerson))
</param-value>
</param>

TO:
<search>
<searchType>searchSubject</searchType>
<param>
<param-name>filter</param-name>
<param-value>
(&amp; (uid=%TERM%) (objectclass=uhEduPerson))
</param-value>
</param>

Then the search by identifier can be the other:

FROM:
<search>
<searchType>searchSubjectByIdentifier</searchType>
<param>
<param-name>filter</param-name>
<param-value>
(&amp; (uid=%TERM%) (objectclass=uhEduPerson))
</param-value>
</param>

TO:
<search>
<searchType>searchSubjectByIdentifier</searchType>
<param>
<param-name>filter</param-name>
<param-value>
(&amp; (cn=%TERM%) (objectclass=uhEduPerson))
</param-value>
</param>

Right? Anyone else chime in :)

You can test this command line:

[appadmin@lorenzo bin]$ ./gsh.sh
Type help() for instructions
gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 993610149d3b4cfc8ff2cdd89cd126cc,'GrouperSystem','application'
gsh 1% SubjectFinder.findById("10021368");
subject: id='10021368' type='person' source='pennperson' name='Michael Christopher Hyzer'
gsh 2% SubjectFinder.findByIdentifier("mchyzer");
subject: id='10021368' type='person' source='pennperson' name='Michael Christopher Hyzer'
gsh 4% SubjectFinder.findAll("Chris Hyzer");
subject: id='10021368' type='person' source='pennperson' name='Michael Christopher Hyzer'
gsh 5% SubjectFinder.findAll("Chris Hyzer").iterator().next().getId();
10021368
gsh 6%

Note, the ID of the result must match what you findById()...

Thanks,
Chris

-----Original Message-----
From: On Behalf Of Baron Fujimoto
Sent: Thursday, February 24, 2011 4:08 PM
Subject: [grouper-users] sources confusion

Hello,

After numerous trials and tribulations, I've managed to finally stand up
a non-quickstart version of grouper/grouper-ui that I can interact with.

I'm still running into problems though and am perhaps confused about some
fundamental questions I haven't been able to find answers to in the
Grouper Wiki.

I suppose my current primary question is, how do you seed grouper with
basic person-type entities? I assumed, based on what I could glean from
the documentation, that could be done by connecting to a subject source
in the sources.xml conf file[1]. I managed to get our instance of grouper
to talk to our LDAP containing our users, and if I, say, search for
myself, in the Grouper UI, it returns a result displayed as the value of
the LDAP cn attribute. However, if I click on that result, I receive the
following error messages:

Error: Subject [baron] is unresolvable i.e. unavailable from the registered
source [LDAP example].

There was an unexpected error retrieving the requested entity as a member.
The error has been logged and the administrator notified.

In the grouper_error.log file I see

2011-02-24 10:52:38,840: [http-172.16.4.137-8443-4] ERROR PopulateSubjectSummaryAction.grouperExecute(351) - < GrouperSystem CB6B4125EB93662BF9BCEBA59AF94347-0009 1fde40e57a094fd2add86e96ffda0cab GrouperSystem g:isa > - edu.internet2.middleware.subject.SubjectNotFoundException: No results: searchSubject filter:(& (cn=%TERM%) (objectclass=uhEduPerson)) searchValue: baron
2011-02-24 10:52:38,842: [http-172.16.4.137-8443-4] ERROR PopulateSubjectSummaryAction.grouperExecute(418) - < GrouperSystem CB6B4125EB93662BF9BCEBA59AF94347-0009 1fde40e57a094fd2add86e96ffda0cab GrouperSystem g:isa > - edu.internet2.middleware.grouper.exception.MemberNotFoundException: Unresolvable subject is also not a Member

Any assistance or pointers to the appropriate documentation would be
greatly appreciated. It's possible I'm completely on the wrong track
here, which would also be good to know.

[1] excerpt of my source.xml file for connecting to our LDAP:

<source
adapterClass="edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter">
<id>LDAP example</id>
<name>UH LDAP</name>
<type>person</type>
<init-param>
<param-name>INITIAL_CONTEXT_FACTORY</param-name>
<param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>
</init-param>
<init-param>
<param-name>PROVIDER_URL</param-name>
<param-value>ldaps://ourLDAPhost:636</param-value>
</init-param>
<init-param>
<param-name>SECURITY_AUTHENTICATION</param-name>
<param-value>simple</param-value>
</init-param>
<init-param>
<param-name>SECURITY_PRINCIPAL</param-name>
<param-value>cn=ourPrincipal,dc=hawaii,dc=edu</param-value>
</init-param>
<init-param>
<param-name>SECURITY_CREDENTIALS</param-name>
<param-value>**********</param-value>
</init-param>
<init-param>
<param-name>SubjectID_AttributeType</param-name>
<param-value>uid</param-value>
</init-param>
<init-param>
<param-name>Name_AttributeType</param-name>
<param-value>cn</param-value>
</init-param>
<init-param>
<param-name>Description_AttributeType</param-name>
<param-value>cn</param-value>
</init-param>

/// Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
/// For filter use

<search>
<searchType>searchSubject</searchType>
<param>
<param-name>filter</param-name>
<param-value>
(&amp; (cn=%TERM%) (objectclass=uhEduPerson))
</param-value>
</param>
<param>
<param-name>scope</param-name>
<param-value>
SUBTREE_SCOPE
</param-value>
</param>
<param>
<param-name>base</param-name>
<param-value>
ou=people,dc=hawaii,dc=edu
</param-value>
</param>

</search>
<search>
<searchType>searchSubjectByIdentifier</searchType>
<param>
<param-name>filter</param-name>
<param-value>
(&amp; (uid=%TERM%) (objectclass=uhEduPerson))
</param-value>
</param>
<param>
<param-name>scope</param-name>
<param-value>
SUBTREE_SCOPE
</param-value>
</param>
<param>
<param-name>base</param-name>
<param-value>
ou=people,dc=hawaii,dc=edu
</param-value>
</param>
</search>
<search>
<searchType>search</searchType>
<param>
<param-name>filter</param-name>
<param-value>
(&amp; (|(uid=%TERM%)(cn=%TERM%)) (objectclass=uhEduPerson))
</param-value>
</param>
<param>
<param-name>scope</param-name>
<param-value>
SUBTREE_SCOPE
</param-value>
</param>
<param>
<param-name>base</param-name>
<param-value>
ou=people,dc=hawaii,dc=edu
</param-value>
</param>

</search>

///Attributes you would like to display when doing a search
<attribute>uid</attribute>
<attribute>cn</attribute>

</source>
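
A configuration check for the mismatch diagnosed in this thread, added here as an example and not part of the original messages or of Grouper's own code: it parses a source element and reports when the searchSubject filter does not compare %TERM% against the attribute named in SubjectID_AttributeType. The function names are hypothetical, and the sample is constructed by trimming the sources.xml excerpt above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the sources.xml excerpt from the thread, connection parameters omitted.
SAMPLE = """<source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter">
 <init-param><param-name>SubjectID_AttributeType</param-name><param-value>uid</param-value></init-param>
 <search><searchType>searchSubject</searchType>
  <param><param-name>filter</param-name>
   <param-value>(&amp; (cn=%TERM%) (objectclass=uhEduPerson))</param-value></param></search>
 <search><searchType>searchSubjectByIdentifier</searchType>
  <param><param-name>filter</param-name>
   <param-value>(&amp; (uid=%TERM%) (objectclass=uhEduPerson))</param-value></param></search>
</source>"""

def params(parent, tag):
    """Map param-name -> stripped param-value for <init-param> or <param> children."""
    return {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
            for p in parent.findall(tag)}

def term_attributes(ldap_filter):
    """Lower-cased attribute names the filter compares against the %TERM% placeholder."""
    return {a.lower() for a in re.findall(r"\(\s*([\w;.-]+)\s*=\s*%TERM%\s*\)", ldap_filter)}

def check_source(xml_text):
    """Return findings; an empty list means the by-id search matches on the ID attribute."""
    source = ET.fromstring(xml_text)
    id_attr = params(source, "init-param").get("SubjectID_AttributeType")
    if not id_attr:
        return ["SubjectID_AttributeType is not set"]
    filters = {s.findtext("searchType", "").strip(): params(s, "param").get("filter", "")
               for s in source.findall("search")}
    by_id = filters.get("searchSubject")
    if by_id is None:
        return ["no searchSubject search defined"]
    matched = term_attributes(by_id)
    if id_attr.lower() in matched:
        return []
    return [f"searchSubject filter matches {sorted(matched)}, "
            f"not the ID attribute '{id_attr}'"]

if __name__ == "__main__":
    for finding in check_source(SAMPLE) or ["ok"]:
        print(finding)
```

Run against the excerpt as posted, it reports the cn/uid mismatch; with the two filters swapped as suggested in the reply, it returns no findings.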



