Skip to Content.
Sympa Menu

grouper-users - [grouper-users] RE: Loader LDAP - Group name expression

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] RE: Loader LDAP - Group name expression


Chronological Thread 
  • From: Chris Hyzer <>
  • To: Gagné Sébastien <>, "" <>
  • Subject: [grouper-users] RE: Loader LDAP - Group name expression
  • Date: Wed, 6 Jun 2012 13:23:19 +0000
  • Accept-language: en-US

Yes, that was another one of my changes. 

 

i.e. if you set this to:

 

# if you dont specify a groupNameExpression, groups will be loaded into this folder

# if this property doesnt exist, it will be groups:    if it is blank, then there is no top level folder

# e.g. loader:groups

loader.ldap.defaultGroupFolder =

 

Then it will be top level (no defaultGroupFolder)

 

We will be rolling 2.1.1 sometime soon, will discuss in the dev call today.  Yes, it will have the PSP fix.

 

 

Thanks,

Chris

 

 

From: Gagné Sébastien [mailto:]
Sent: Wednesday, June 06, 2012 8:54 AM
To: Chris Hyzer;
Subject: RE: Loader LDAP - Group name _expression_

 

Thanks !

One thing I find strange  is if I don’t put a “group name _expression_” (i.e. leave it blank) the structure is saved in the Root under stem “groups”, NOT in the top stem from the loaderLdap Group. I find this behaviour to be a little confusing since one could think (like I did) that you could start the group name at the root.

 

I’ll try out your new fix. Will there be an official release of Grouper 2.1.1 ? It seems many fixes are already queued up, but it might be worth waiting for Tom’s PSP performance fix.

 

 

De : Chris Hyzer []
Envoyé : 5 juin 2012 17:35
À : Gagné Sébastien;
Objet : RE: Loader LDAP - Group name _expression_

 

Yeah, in 2.1.1 I added options to make this more flexible…

 

https://bugs.internet2.edu/jira/browse/GRP-803

 

If you want this in 2.1.0 you could add this to the grouper-loader.properties:

 

# by default the top folder for an ldap group of groups is the folder where the config group lives.

# set to false if you want to be able to provision groups to anywhere

loader.ldap.requireTopStemAsStemFromConfigGroup = true

 

# if you dont specify a groupNameExpression, groups will be loaded into this folder

# if this property doesnt exist, it will be groups:    if it is blank, then there is no top level folder

# e.g. loader:groups

loader.ldap.defaultGroupFolder = groups:

 

Change the first one to false, and blank out the second one.  Then I think just leave the group name _expression_ attribute blank and it will just work…

 

You need to merge the attached file with the source in grouper, and rebuild the grouper jar.  If you want me to send you a new fast.jar with this in there I can…

 

Thanks,

Chris

 

From: Gagné Sébastien
Sent: Tuesday, June 05, 2012 4:04 PM
To: Chris Hyzer;
Subject: RE: Loader LDAP - Group name _expression_

 

Argh! I had tried this syntax, but I just figured that my method was private! (and I was using dn instead of distinguishedName at that time)

 

One last thing, is there some way to create the groups/stems outside of top stem ? I thought giving the full group name in the _expression_ would bypass this but apparently not…

 

If it cannot by configured in some way (that would be the best), I’m thinking that maybe I could use the pre-job hook to manually create the group before the run.

(I think I saw it somewhere in the code, but can’t seem to find it now)

 

I thought I could place the group in the Root, but it doesn’t allow me to. So I might have to place it in the baseStem and be sure not to include it in the group name I’m building.

 

Thanks

 

De : Chris Hyzer []
Envoyé : 5 juin 2012 15:33
À : Gagné Sébastien;
Objet : RE: Loader LDAP - Group name _expression_

 

Argh!  Im really sorry, Im looking at the doc test cases:

 

https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader+LDAP#Grouper-LoaderLDAP-LDAPGROUPLISTtestcase

 

I misread the Java source, the correct syntax is:

 

groups:${loaderLdapElUtils.convertDnToSubPath(groupAttributes['dn'], null, null)}

 

if you just want the dn in your case, try this:

 

${udemLoaderElUtils.convertDnToGroupName(groupAttributes['dn'])}

 

You probably get access to other group attributes as well (cn, etc)

 

I verified this works:

 

Note, I guess the top stem is always the stem where the group is which controls the job… hmmm

 

 

grouperSession = GrouperSession.startRootSession();

group = new GroupSave(grouperSession).assignName("anotherStem:groupListLdapGroup").assignCreateParentStemsIfNotExist(true).save();

attributeAssign = group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();

attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true);

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUP_LIST");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(|(cn=test:testGroup)(cn=test:ldaptesting:test1))");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=groups");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "personLdap");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "pennperson");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "hasMember");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectIdentifier");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapExtraAttributesName(), "cn");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupNameExpressionName(), "groups:${loaderLdapElUtils.convertDnToSubPath(groupAttributes['dn'], null, null)}");

group = GroupFinder.findByName(grouperSession, "anotherStem:groupListLdapGroup");

loaderRunOneJob(group);

getGroups("anotherStem")

 

group: name='anotherStem:groups:edu:upenn:groups:test:testGroup' displayName='anotherStem:groups:edu:upenn:groups:test:testGroup' uuid='e4521d491c3d440f9bd61805625d6d7c'

group: name='anotherStem:groups:edu:upenn:groups:test:ldapTesting:test1' displayName='anotherStem:groups:edu:upenn:groups:test:ldapTesting:test1' uuid='eaad5bd7062d453aa8c0acfbe64d14ce'

group: name='anotherStem:groupListLdapGroup' displayName='anotherStem:groupListLdapGroup' uuid='f5dd6ed32a9b4c8ea86b352f945e5110'

 

getMembers("anotherStem:groups:edu:upenn:groups:test:testGroup");

member: id='12345678' type='person' source='pennperson' uuid='09dd1b2226ae4452bef5213cd2073951'

member: id='22345678' type='person' source='pennperson' uuid='13801a6e1c564ce0b79e90fcfd36f17e'

member: id='44567890' type='person' source='pennperson' uuid='4dc08acb1efa4934b6955dcf430a8479'

member: id='33456789' type='person' source='pennperson' uuid='57f6c27766fd4f6f83f5942612905ff5'

 

getMembers("anotherStem:groups:edu:upenn:groups:test:ldapTesting:test1");

 

member: id='10000000' type='person' source='pennperson' uuid='4d8d3fa5e8324c6690b7562fa0245dba'

 

 

 

 

I updated some of the docs to reflect this

 

Thanks,

Chris

 

 

From: Gagné Sébastien
Sent: Tuesday, June 05, 2012 8:37 AM
To: Chris Hyzer;
Subject: RE: Loader LDAP - Group name _expression_

 

Thanks, but I tried it again and there’s still a problem :

 

LDAP extra attributes = distinguishedName,dn,cn

LDAP group name _expression_ = ${udemLoaderElUtils.convertDnToGroupName(distinguishedName)}

 

I get these exceptions :

2012-06-05 08:08:16,266: [main] ERROR GrouperLoaderJob.runJobLdap(537) -  - Error on job: LDAP_GROUP_LIST__etc:confLDAPLoader__e7b97262558b477fab09c0b48f98ed1c

edu.internet2.middleware.grouper.exception.ExpressionLanguageMissingVariableException: variable 'distinguishedName' is not defined in script: 'udemLoaderElUtils.convertDnToGroupName(distinguishedName)',

Problem with ldap conection: personLdap,

Error querying ldap server id: personLdap, searchDn: null, filter: '(objectClass=group)', returning subject attribute: member

[…]

Caused by: org.apache.commons.jexl2.JexlException: ]: 'udemLoaderElUtils.convertDnToGroupName(distinguishedName);' undefined variable distinguishedName

[…]

 

I tried with both distinguishedName, dn, cn and subjectId, and all of them give me an “undefined variable” error.

 

 

De : Chris Hyzer []
Envoyé : 4 juin 2012 17:02
À : Gagné Sébastien;
Objet : RE: Loader LDAP - Group name _expression_

 

Almost got it J

 

${udemLoaderElUtils.convertDnToGroupName(dn)}

 

I think there is a built-in that might do this too, not sure:

 

${loaderLdapElUtils.convertDnToGroupName(dn, null, null)}

 

If you want some of it stripped off, put that as an arg:

 

${loaderLdapElUtils.convertDnToGroupName(dn, “,dc=school,dc=edu”, null)}

 

Let me know if it works

 

Thanks,

Chris

 

From: On Behalf Of Gagné Sébastien
Sent: Monday, June 04, 2012 4:42 PM
To:
Subject: [grouper-users] Loader LDAP - Group name _expression_

 

Hello,

When configuring the Loader LDAP, how can you specify the stem where the LDAP structure will be provisioned ? It seems that the attribute “grouperLoaderLdapGroupNameExpression” is the way to go, but I can’t seem to configure it properly.

 

If I leave it empty, I have my bushy LDAP structure, but not in the right base stem, i.e.

 

groups

- stem1

  - group1

   - stem11

     - group2

- stem2

   - stem21

     - group3

 

What I would like to have is the same thing, but with a different base stem. I tried with :

 

grouperLoaderLdapGroupNameExpression =  udem:${groupAttributes['cn']}

 

But I get a flat structure under etc (the stem where my loaderLdap configuration group is)

etc

  - udem

    - group1

    - group2

    - group3

 

I tried using a custom class which builds the proper bushy group name with the right base stem, but each of the following gives me an error when the loader starts

 

grouperLoaderLdapGroupNameExpression

= ${udemLoaderElUtils.convertDnToGroupName(${groupAttributes['dn']})}

= ${udemLoaderElUtils.convertDnToGroupName(groupAttributes['dn'])}

= ${udemLoaderElUtils.convertDnToGroupName(subjectId)}

= ${udemLoaderElUtils.convertDnToGroupName(['dn'])}

= ${udemLoaderElUtils.convertDnToGroupName('dn')}

= udemLoaderElUtils.convertDnToGroupName(${groupAttributes['dn']})

(this last one does not fail, but does the same thing as the flat structure above, but with a huge prefix (udemLoaderEl…) )

 

 

I successfully used this class with the Subject _expression_ and don’t understand why it doesn’t work with the group name _expression_ :

grouperLoaderLdapSubjectExpression = ${udemLoaderElUtils.convertAdMemberDnToSpecificValue(subjectId)}

 

 

Thank you for you help

 

 

 

 

Sébastien Gagné,     | Analyste en informatique

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11

 


Archive powered by MHonArc 2.6.16.

Top of Page