Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] sources confusion

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] sources confusion


Chronological Thread 
  • From: Chris Hyzer <>
  • To: Julio Polo <>, "" <>
  • Subject: RE: [grouper-users] sources confusion
  • Date: Fri, 25 Feb 2011 15:17:32 -0500
  • Accept-language: en-US
  • Acceptlanguage: en-US

I don't do the most common things, trust me. I think it is split between SQL
and ldap, and maybe some with custom. My SQL is the second revision of the
original SQL one which does smart searches... i.e. if the search col is
"chris hyzer", and you search for "hyz chr" it will find it... our SQL is
based on another table, not the built in grouper ones...

Thanks,
Chris

-----Original Message-----
From:


[mailto:]
On Behalf Of Julio Polo
Sent: Friday, February 25, 2011 3:01 PM
To:

Subject: RE: [grouper-users] sources confusion

If Chris is not using LDAP as a subject source, does this mean this is not
common? What is everyone using instead? The Grouper registry? The person
registry?

Julio Polo
Identity and Access Management
University of Hawaii
Information Technology Services
(808) 956-4625


On Thu, 24 Feb 2011, Chris Hyzer wrote:

> Date: Thu, 24 Feb 2011 21:11:51 -0500
> From: Chris Hyzer
> <>
> To: Baron Fujimoto
> <>,
>
> ""
>
> <>
> Subject: RE: [grouper-users] sources confusion
>
> First, I will say I haven't done subject sources with ldap... but let me
> *try* to help :)
>
> There are three ways to search for a subject:
>
> By id
> By identifier
> By search string (returns list)
>
> The ID is usually the attribute of the user which doesn't change (probably
> opaque). At Penn, this is the penn_id which is e.g. 12345678
>
> An identifier (could be multiple) is what you can lookup a subject by. At
> penn, this is the pennkey, or e.g. mchyzer
>
> So... this part is the subject id:
>
> <init-param>
> <param-name>SubjectID_AttributeType</param-name>
> <param-value>uid</param-value>
> </init-param>
>
> Is uid something about the user which doesn't change?
>
> This should match (I think):
>
> FROM:
> <search>
> <searchType>searchSubject</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (&amp; (cn=%TERM%) (objectclass=uhEduPerson))
> </param-value>
> </param>
>
> TO:
> <search>
> <searchType>searchSubject</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (&amp; (uid=%TERM%) (objectclass=uhEduPerson))
> </param-value>
> </param>
>
> Then the search by identifier can be the other:
>
> FROM:
> <search>
> <searchType>searchSubjectByIdentifier</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (&amp; (uid=%TERM%) (objectclass=uhEduPerson))
> </param-value>
> </param>
>
> TO:
> <search>
> <searchType>searchSubjectByIdentifier</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (&amp; (cn=%TERM%) (objectclass=uhEduPerson))
> </param-value>
> </param>
>
> Right? Anyone else chime in :)
>
> You can test this command line:
>
> [appadmin@lorenzo
> bin]$ ./gsh.sh
> Type help() for instructions
> gsh 0% grouperSession = GrouperSession.startRootSession();
> edu.internet2.middleware.grouper.GrouperSession:
> 993610149d3b4cfc8ff2cdd89cd126cc,'GrouperSystem','application'
> gsh 1% SubjectFinder.findById("10021368");
> subject: id='10021368' type='person' source='pennperson' name='Michael
> Christopher Hyzer'
> gsh 2% SubjectFinder.findByIdentifier("mchyzer");
> subject: id='10021368' type='person' source='pennperson' name='Michael
> Christopher Hyzer'
> gsh 4% SubjectFinder.findAll("Chris Hyzer");
> subject: id='10021368' type='person' source='pennperson' name='Michael
> Christopher Hyzer'
> gsh 5% SubjectFinder.findAll("Chris Hyzer").iterator().next().getId();
> 10021368
> gsh 6%
>
> Note, the ID of the result must match what you findById()...
>
> Thanks,
> Chris
>
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of Baron Fujimoto
> Sent: Thursday, February 24, 2011 4:08 PM
> To:
>
> Subject: [grouper-users] sources confusion
>
> Hello,
>
> After numerous trials and tribulations, I've managed to finally stand up
> a non-quickstart version of grouper/grouper-ui that I can interact with.
>
> I'm still running into problems though and am perhaps confused about some
> fundamental questions I haven't been able to find answers to in the
> Grouper Wiki.
>
> I suppose my current primary question is, how do you seed grouper with
> basic person-type entities? I assumed, based on what I could glean from
> the documentation, that could be done by connecting to a subject source
> in the sources.xml conf file[1]. I managed to get our instance of grouper
> to talk to our LDAP continaing our users, and if I, say, search for
> myself, in the Grouper UI, it returns a result displayed as the value of
> the LDAP cn attribute. However, if I click on that result, I receive the
> following error messages:
>
> Error: Subject [baron] is unresolvable i.e. unavailable from the registered
> source [LDAP example].
>
> There was an unexpected error retrieving the requested entity as a member.
> The error has been logged and the administrator notified.
>
> In the grouper_error.log file I see
>
> 2011-02-24 10:52:38,840: [http-172.16.4.137-8443-4] ERROR
> PopulateSubjectSummaryAction.grouperExecute(351) - < GrouperSystem
> CB6B4125EB93662BF9BCEBA59AF94347-0009 1fde40e57a094fd2add86e96ffda0cab
> GrouperSystem g:isa > -
> edu.internet2.middleware.subject.SubjectNotFoundException: No results:
> searchSubject filter:(& (cn=%TERM%) (objectclass=uhEduPerson)) searchValue:
> baron
> 2011-02-24 10:52:38,842: [http-172.16.4.137-8443-4] ERROR
> PopulateSubjectSummaryAction.grouperExecute(418) - < GrouperSystem
> CB6B4125EB93662BF9BCEBA59AF94347-0009 1fde40e57a094fd2add86e96ffda0cab
> GrouperSystem g:isa > -
> edu.internet2.middleware.grouper.exception.MemberNotFoundException:
> Unresolvable subject is also not a Member
>
> Any assistance or pointers to the appropriate documentation would be
> greatly appreciated. It's possible I'm completely on the wrong track
> here, which would also be good to know.
>
> [1] excerpt of my source.xml file for connecting to our LDAP:
>
> <source
> adapterClass="edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter">
> <id>LDAP example</id>
> <name>UH LDAP</name>
> <type>person</type>
> <init-param>
> <param-name>INITIAL_CONTEXT_FACTORY</param-name>
> <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>
> </init-param>
> <init-param>
> <param-name>PROVIDER_URL</param-name>
> <param-value>ldaps://ourLDAPhost:636</param-value>
> </init-param>
> <init-param>
> <param-name>SECURITY_AUTHENTICATION</param-name>
> <param-value>simple</param-value>
> </init-param>
> <init-param>
> <param-name>SECURITY_PRINCIPAL</param-name>
> <param-value>cn=ourPrincipal,dc=hawaii,dc=edu</param-value>
> </init-param>
> <init-param>
> <param-name>SECURITY_CREDENTIALS</param-name>
> <param-value>**********</param-value>
> </init-param>
> <init-param>
> <param-name>SubjectID_AttributeType</param-name>
> <param-value>uid</param-value>
> </init-param>
> <init-param>
> <param-name>Name_AttributeType</param-name>
> <param-value>cn</param-value>
> </init-param>
> <init-param>
> <param-name>Description_AttributeType</param-name>
> <param-value>cn</param-value>
> </init-param>
>
> /// Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
> /// For filter use
>
> <search>
> <searchType>searchSubject</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (&amp; (cn=%TERM%) (objectclass=uhEduPerson))
> </param-value>
> </param>
> <param>
> <param-name>scope</param-name>
> <param-value>
> SUBTREE_SCOPE
> </param-value>
> </param>
> <param>
> <param-name>base</param-name>
> <param-value>
> ou=people,dc=hawaii,dc=edu
> </param-value>
> </param>
>
> </search>
> <search>
> <searchType>searchSubjectByIdentifier</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (&amp; (uid=%TERM%) (objectclass=uhEduPerson))
> </param-value>
> </param>
> <param>
> <param-name>scope</param-name>
> <param-value>
> SUBTREE_SCOPE
> </param-value>
> </param>
> <param>
> <param-name>base</param-name>
> <param-value>
> ou=people,dc=hawaii,dc=edu
> </param-value>
> </param>
> </search>
> <search>
> <searchType>search</searchType>
> <param>
> <param-name>filter</param-name>
> <param-value>
> (&amp; (|(uid=%TERM%)(cn=%TERM%)) (objectclass=uhEduPerson))
> </param-value>
> </param>
> <param>
> <param-name>scope</param-name>
> <param-value>
> SUBTREE_SCOPE
> </param-value>
> </param>
> <param>
> <param-name>base</param-name>
> <param-value>
> ou=people,dc=hawaii,dc=edu
> </param-value>
> </param>
>
> </search>
>
> ///Attributes you would like to display when doing a search
> <attribute>uid</attribute>
> <attribute>cn</attribute>
>
> </source>
>



Archive powered by MHonArc 2.6.16.

Top of Page