grouper-users - RE: [grouper-users] LDAPPCNG configuration with Active Directory
Subject: Grouper Users - Open Discussion List
- From: Gagné Sébastien <>
- To: "Tom Zeller" <>
- Cc: <>
- Subject: RE: [grouper-users] LDAPPCNG configuration with Active Directory
- Date: Fri, 20 Jan 2012 09:10:52 -0500
Come to think about it, they actually don't have a sAMAccountName attribute.
The stem object doesn't have any reference to sAMAccountName:

  <object id="stem">
    <identifier ref="stem-dn" baseId="${groupsOU}">
      <identifyingAttribute name="objectclass" value="organizationalUnit" />
    </identifier>
    <attribute name="objectClass" ref="stem-objectclass" />
    <attribute name="ou" ref="stem-ou" />
    <attribute name="description" ref="stem-description" />
  </object>

I tested adding the StemDataConnector and it seems to work now for stems. As
you can see there is no sAMAccountName in the response:

  <pso entityName='stem'>
    <psoID ID='ou=SubStem,ou=UdeM,ou=people,dc=devsim,dc=umontreal,dc=ca' targetID='ldap'/>
    <data>
      <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name='objectClass'>
        <dsml:value>organizationalUnit</dsml:value>
        <dsml:value>top</dsml:value>
      </dsml:attr>
      <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name='ou'>
        <dsml:value>SubStem</dsml:value>
      </dsml:attr>
      <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name='description'>
        <dsml:value>Sub Stem to crash</dsml:value>
      </dsml:attr>
    </data>
  </pso>

I don't know exactly how Grouper works, but maybe it's loading all the
AttributeDefinitions even if they aren't needed. So it tries to load the
script when provisioning a stem and fails to do so without the dependency.

-----Original Message-----
From: on behalf of Tom Zeller
Sent: January 19, 2012 20:12
To: Gagné Sébastien
Cc:
Subject: Re: [grouper-users] LDAPPCNG configuration with Active Directory

Oh. If you are provisioning a stem, you will need to add the
StemDataConnector as a dependency. For example:

  <resolver:AttributeDefinition xsi:type="Script"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="sAMAccountName"
      sourceAttributeID="extension">
    <resolver:Dependency ref="GroupDataConnector" />
    <resolver:Dependency ref="StemDataConnector" />
    ...

And the script should check variables, for example:

  if (typeof extension != "undefined" && extension != null ){
    value = extension.getValues().get(0);
    ...

I did not think that stems, which usually are provisioned as OUs, had
sAMAccountName since they are not "security" objects in AD, like
groups can be.

2012/1/19 Gagné Sébastien <>:
> Exactly.
>
> When I provision a group it works:
> $GROUPER_HOME/bin/gsh.sh -ldappcng -sync UdeM:SubStem:LalalaHumansteps
>
> But if I delete the SubStem OU from AD and run
> $GROUPER_HOME/bin/gsh.sh -ldappcng -sync UdeM:SubStem
>
> It fails with error:
> 2012-01-19 13:57:12,934: [main] ERROR
> ScriptedAttributeDefinition.doResolve(134) - -
> ScriptletAttributeDefinition sAMAccountName unable to execute script
> com.sun.phobos.script.util.ExtendedScriptException:
> org.mozilla.javascript.EcmaError: ReferenceError: "extension" is not
> defined. (<Unknown Source>#4) in <Unknown Source> at line number 4
>
> My attribute definition is:
>
>   <resolver:AttributeDefinition xsi:type="Script"
>       xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="sAMAccountName"
>       sourceAttributeID="extension">
>     <resolver:Dependency ref="GroupDataConnector" />
>     <Script><![CDATA[
>       // Import Shibboleth attribute provider
>       importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
>
>       value = extension.getValues().get(0);
>
>       value = value.replaceAll("\\/", "_");
>       value = value.replaceAll("\\/", "_");
>       value = value.replaceAll("\\[", "_");
>       value = value.replaceAll("\\]", "_");
>       value = value.replaceAll("\\:", "_");
>       value = value.replaceAll("\\;", "_");
>       value = value.replaceAll("\\|", "_");
>       value = value.replaceAll("\\=", "_");
>       value = value.replaceAll("\\,", "_");
>       value = value.replaceAll("\\+", "_");
>       value = value.replaceAll("\\*", "_");
>       value = value.replaceAll("\\?", "_");
>
>       sAMAccountName = new BasicAttribute("sAMAccountName");
>       sAMAccountName.getValues().add(value);
>     ]]></Script>
>   </resolver:AttributeDefinition>
>
>
> Maybe it has something to do with the import not importing all the
> variables?
>
>
> -----Original Message-----
> From: on behalf of Tom Zeller
> Sent: January 19, 2012 13:49
> To: Gagné Sébastien
> Cc:
> Subject: Re: [grouper-users] LDAPPCNG configuration with Active Directory
>
>> I tried changing definition to use sourceAttributeID="extension", but
>> there was some exception while provisioning stems (javascript variable
>> "name" wasn't defined, tried putting extension in the script with no luck)
>
> You changed
>
> <resolver:AttributeDefinition ... id="sAMAccountName"
> sourceAttributeID="name">
> ...
> value = name.getValues().get(0);
>
> to
>
> <resolver:AttributeDefinition ... id="sAMAccountName"
> sourceAttributeID="extension">
> ...
> value = extension.getValues().get(0);
>
> and the script fails? That seems buggy.
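
The failure and the suggested guard from this thread, as an added example that is not part of the original messages: it runs the posted script with and without the `extension` variable in scope. `JavaList`, the `BasicAttribute` stand-in, `resolve()` and `outcome()` are hypothetical Node stand-ins for what Rhino and the Shibboleth resolver provide, and the sample group name is constructed.

```javascript
// Added example. JavaList, BasicAttribute and resolve() are hypothetical Node
// stand-ins for the Java objects and script scope that Rhino provides.
class JavaList {                       // the java.util.List calls the script uses
  constructor(items = []) { this.items = items; }
  get(i) { return this.items[i]; }
  add(v) { this.items.push(v); }
}
class BasicAttribute {
  constructor(id, values = []) { this.id = id; this.values = new JavaList(values); }
  getValues() { return this.values; }
}

// Script as posted in the thread; the replaceAll calls are folded into one
// JavaScript regex covering the same characters: / [ ] : ; | = , + * ?
const UNGUARDED = String.raw`
  value = extension.getValues().get(0);
  value = value.replace(/[\/\[\]:;|=,+*?]/g, "_");
  sAMAccountName = new BasicAttribute("sAMAccountName");
  sAMAccountName.getValues().add(value);
`;

// Same script wrapped in the check suggested in the reply.
const GUARDED =
  `if (typeof extension != "undefined" && extension != null) {${UNGUARDED}}`;

// Run a script with only the variables its data connector dependencies supply.
// Returns the resolved value, or null when the script produced no attribute.
function resolve(script, provided) {
  const names = Object.keys(provided);
  const fn = new Function(...names, "BasicAttribute",
    `var value, sAMAccountName;\n${script}\nreturn sAMAccountName;`);
  const attr = fn(...names.map((n) => provided[n]), BasicAttribute);
  return attr ? attr.getValues().get(0) : null;
}

// Same call, but report a thrown error by name instead of propagating it.
function outcome(script, provided) {
  try { return resolve(script, provided); } catch (e) { return e.name; }
}

// Constructed inputs: a group supplies "extension"; a stem resolved with only
// GroupDataConnector as a dependency supplies nothing.
const group = { extension: new BasicAttribute("extension", ["Lab[1]:Staff/All"]) };
const stem = {};

console.log(outcome(UNGUARDED, group));
console.log(outcome(UNGUARDED, stem));
console.log(outcome(GUARDED, stem));
```

With the guard in place a stem yields no sAMAccountName value instead of aborting the sync, which matches the stem response shown at the top of the thread.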