Grouper Users - Open Discussion List

[Chris Hyzer <>]

You can do an EL that does a directory call…  LdapSession might help you do a lookup by object class, if you want to bind as the user, you need to not use the same pool of directory connections I think…  if you need help let  me know

 

Chris

 

From: Gagné Sébastien [mailto:]
Sent: Thursday, May 10, 2012 2:10 PM
To: Chris Hyzer;
Subject: RE: Grouper Loader LDAP with AD

 

Wow thanks a lot, I figure that with that option I have to leave the Source ID empty for the loader to try the AD source then the g :gsa source (which strangely doesn’t have any search or filter configuration but I guess it’s managed in grouper).

 

Unfortunately, groups and users are both under People (I know… you don’t have to tell me it’s wrong, we’re trying to fix this) so the Suffix condition might not work. I’ll have to check with our experts here, there might be some string we could check for if where only managing a subset of groups, but I might not be foolproof (or any-user proof). I will give it a try to make it work if we want (or can) to go that way, it will eventually be useful.

 

What would be best is if we could check against LDAP with loginID and if it fails check in Grouper Groups with a GroupID, but it might not be possible to configure that part of the process.

 

Another option would be to get the objectClass of the member DN and then transform the ID accordingly, but that would require a new connexion and search in LDAP. Is there some utilities in Grouper to help with that ?

 

Could I just create my own EL class that does the insert instead of the loader’s standard way ? Would it be practical ?

 

Thanks

 

 

De : Chris Hyzer []
Envoyé : 10 mai 2012 11:48
À : Gagné Sébastien;
Objet : RE: Grouper Loader LDAP with AD

 

I think it can do it, but we have to adapt the convertDbToSpecificValue part…

 

Ie. A person DN is CN=gagns,OU=People,DC=dev,DC=umontreal,DC=ca

A group DN is (Im making this up): CN=someGroup,OU=Groups,DC=dev,DC=umontreal,DC=ca

 

Then we need a simple Java method that we will add to the LDAP subject _expression_ which:

 

Looks at the DB, and if it is in People, then return the CN value, if it is Groups (or wherever), then we need the group name in Grouper: umontreal:adgroups:someGroup or whatever the translation is…

 

1.       Edit the grouper-loader.properties:

 

(edit this existing entry)

loader.ldap.el.classes = ca.umontreal.grouper.UmontrealLoaderElUtils

 

(add these [and configure to your env] )

umontreal.ad.group.suffix =,OU=Groups,DC=dev,DC=umontreal,DC=ca

umontreal.grouper.ad.group.prefix = umontreal:adgroups:

 

2.       Add the attached jar to your lib dir

 

3.       Change your attribute:

 

LDAP subject _expression_              ${umontrealLoaderElUtils.convertAdDnToSpecificValue(subjectId)}

 

I didn’t test it… see if it helps… J

 

Chris

 

Btw, the source of that jar is one file.. look at the logic, will it work or do you need something different?

 

/**

* @author mchyzer

* $Id$

*/

package ca.umontreal.grouper;

 

import org.apache.commons.lang.StringUtils;

 

import edu.internet2.middleware.grouper.app.loader.GrouperLoaderConfig;

import edu.internet2.middleware.grouper.app.loader.ldap.LoaderLdapElUtils;

import edu.internet2.middleware.grouper.util.GrouperUtil;

 

 

/**

*

*/

public class UmontrealLoaderElUtils {

 

 

  /**

   * convert a user dn to a user, and a group dn to a group

   * @param dn

   * @return the dn

   */

  public static String convertAdDnToSpecificValue(String dn) {

   

    //e.g. ,OU=Groups,DC=dev,DC=umontreal,DC=ca

    String adGroupSuffix = GrouperLoaderConfig.getPropertyString("umontreal.ad.group.suffix", true);

   

    //not sure why this would happen

    if (dn == null) {

      return dn;

    }

   

    if (dn.toLowerCase().endsWith(adGroupSuffix.toLowerCase())) {

      String cn = dn.substring(0, dn.length()-adGroupSuffix.length());

     

      if (StringUtils.countMatches(cn, "=") != 1) {

        throw new RuntimeException("Why is there not 1 equals in this CN??? '" + cn + "'");

      }

     

      //this should be CN=groupName, convert to groupName

      cn = GrouperUtil.prefixOrSuffix(cn, "=", false);

     

      //e.g. umontreal.grouper.ad.group.prefix = umontreal:adgroups:

      String grouperGroupPrefix = GrouperLoaderConfig.getPropertyString("umontreal.grouper.ad.group.prefix", true);

     

      return grouperGroupPrefix + cn;

 

    }

    //not a group

    return LoaderLdapElUtils.convertDnToSpecificValue(dn);

  }

 

}

 

 

From: On Behalf Of Gagné Sébastien
Sent: Thursday, May 10, 2012 11:13 AM
To:
Subject: RE: [grouper-users] RE: Grouper Loader LDAP with AD

 

Hello,

I have a new question : Does the Loader LDAP support group membership in a group (i.e GroupA is a member of GroupB in LDAP)

 

It seems the standard Grouper Loader can do this : “Penn is using it in production to load membership for groups, and for groups of groups”

 

When I tried it, the loader couldn’t find GroupA in the subject source (since I filter using objectClass=person). I removed this part of the filter, it added the group, but not as a Grouper group but as an AD subject. So I put the filter back like it was with the objectClass=person and removed the source ID thinking the loader could search the Group Source Adapter (g:gsa), but it didn’t work.

 

Here are my current configuration, I tried to keep it as plain as possible :

LDAP type	LDAP_GROUP_LIST
LDAP filter	(objectClass=group)
LDAP subject attribute name	member
LDAP source ID
LDAP subject ID type	subjectId
LDAP server ID	personLdap
LDAP quartz cron	30 * * * * ?
LDAP subject _expression_	${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}

 

In the Group’s member attribute contains both Group DNs and Member DNs with no

 

Thank you again.

 

De : [] De la part de Chris Hyzer
Envoyé : 9 mai 2012 11:51
À : Gagné Sébastien;
Objet : [grouper-users] RE: Grouper Loader LDAP with AD

 

This is what TomB asked at the member meeting and I said, “Uh, I think it does that”  J

 

I think you need:

 

grouperLoaderLdapSubjectExpression

 

To the value:

 

${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}

 

That should work for subjectId, or subjectIdentifier, or subjectIdOrIdentifier.  See if that works.

 

If not can you let me know all the loader job attributes and values you have set?

 

Thanks,

Chris

 

 

From: On Behalf Of Gagné Sébastien
Sent: Wednesday, May 09, 2012 11:30 AM
To:
Subject: [grouper-users] Grouper Loader LDAP with AD

 

Hello,

I’m trying to configure the Grouper Loader LDAP to work with our AD, but I’m stuck with a problem. Basically what we would like is to retrieve all groups in AD and load them in Grouper.

 

I’ve set the loader type to LDAP_GROUP_LIST with a filter (objectClass=group) (dev AD has 5-6 groups). This properly returns all groups and they are added in Grouper.

 

The problem is with the members : it sees them in the AD group, but cannot find them in the source, which is the same AD.

 

I’ve set the subject attribute name to member and my source ID is ldap (I’m also using the PSP)

The group’s member attribute is a multivalued set of “Distinguished Name” (e.g. CN=gagns,OU=People,DC=dev,DC=umontreal,DC=ca). This is a problem since my subject ID is the sAMAccountName (i.e. gagns). What I did, is use the search type subjectIdentifier and modified the filter in sources.xml to use the full DN :

 

<searchType>searchSubjectByIdentifier</searchType>

    <param>

        <param-name>filter</param-name>

        <param-value>

            (&amp;(distinguishedName=%TERM%)(objectclass=person))

        </param-value>

    </param>

 

Unfortunately it doesn’t work and I don’t know why. When manually running the loader job (i.e. loaderRunOneJob(group) in gsh.sh), in the logs I see that it find the members of the groups, but that the every search for one of the subject fails :

 

2012-05-09 09:06:24,001: [main] ERROR GrouperLoaderResultset$Row.getSubject(1112) -  - Problem with subjectIdentifier: CN=gagns,OU=People,DC=dev,DC=umontreal,DC=ca, subjectSourceId: ldap, in jobName: LDAP_GROUP_LIST__etc:confLDAPLoader__e7b97262558b477fab09c0b48f98ed1c

 

edu.internet2.middleware.subject.SubjectNotFoundException: No results: searchSubjectByIdentifier filter:(&(distinguishedName=%TERM%)(objectclass=person)) searchValue: CN=gagns,OU=People,DC=dev,DC=umontreal,DC=ca

 

        at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapUnique(LdapSourceAdapter.java:655)

        at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getSubjectByIdentifier(LdapSourceAdapter.java:336)

        at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.findByIdentifier(SourcesXmlResolver.java:403)

        [contd...]

 

 

I tried an ldapsearch and manually changing the %TERM% to the DN and it works fine :

 

ldapsearch -h husky.devsim.umontreal.ca -D "<grouper service account DN>" -w <pass> -b "OU=People,DC=dev,DC=umontreal,DC=ca"  "(&(distinguishedName=CN=gagns,OU=People,DC=dev,DC=umontreal,DC=ca)(objectclass=person))"

 

CN=gagns,OU=People,DC=devsim,DC=umontreal,DC=ca

objectClass=top

objectClass=person

objectClass=organizationalPerson

objectClass=user

cn=gagns

[continued...]

 

 

Anyone has an idea what might be happening here ? Anyone did a successful AD configuration ?

 

Thank you

 

 

What I find weird is if I use subjectId (not subjectIdentifier), I get slightly different results in the exceptions. JobName is different and membership count also.

 

2012-05-09 10:22:49,165: [main] ERROR GrouperLoaderResultset$Row.getSubject(1112) -  - Problem with subjectId: CN=gagns,OU=People,DC=devsim,DC=umontreal,DC=ca, subjectSourceId: ldap, in jobName: groups:UdeM:fromAD1

 

edu.internet2.middleware.subject.SubjectNotFoundException: No results: searchSubject filter:(&(sAMAccountName=%TERM%)(objectclass=person)) searchValue: CN=gagns,OU=People,DC=devsim,DC=umontreal,DC=ca

 

with subjectIdentifier :

loader ran successfully, inserted 0 memberships, deleted 0 memberships, total membership count: 0

with subjectId :

loader ran successfully, inserted 0 memberships, deleted 0 memberships, total membership count: 40

 

 

 

 

Sébastien Gagné,     | Analyste en informatique

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11