grouper-users - FW: [grouper-users] AD / LDAP Provisioning with PSP - One last hurdle?
Subject: Grouper Users - Open Discussion List
List archive
- From: "Bryan E. Wooten" <>
- To: "" <>
- Subject: FW: [grouper-users] AD / LDAP Provisioning with PSP - One last hurdle?
- Date: Thu, 14 Mar 2013 14:16:26 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none
From: Bryan E. Wooten
In my psp.xml I have 2 psos, one for ad and one for ldap: <!-- Do not provision grouper members, but enable lookup. --> <!—AD member à <pso id="ADmember"> <!-- The ldap member DN. --> <identifier ref="ADmemberDn" targetId="ad" containerId="${edu.internet2.middleware.psp.ad.peopleBaseDn}" /> <!-- Identifies member objects which exist on the target by objectclass attribute value. --> <identifyingAttribute name="objectclass" value="person" /> </pso> And <!-- Do not provision grouper members, but enable lookup. --> <pso id="member"> <!-- The ldap member DN. --> <identifier ref="memberDn" targetId="ldap" containerId="${edu.internet2.middleware.psp.peopleBaseDn}" /> <!-- Identifies member objects which exist on the target by objectclass attribute value. --> <identifyingAttribute name="objectclass" value="person" /> </pso> -Bryan From: Gagné Sébastien [mailto:]
What does you psp.xml file look like ? Mainly, what do you have as pso id=”member” ? De : Bryan E. Wooten []
Yes, I believe it is correct. I have this in both my ad.properties and ldap.properties: Ad.properties: # The base DN for people. edu.internet2.middleware.psp.peopleBaseDn=ou=people,dc=testad,dc=utah,dc=edu edu.internet2.middleware.psp.ad.peopleBaseDn=ou=people,dc=testad,dc=utah,dc=edu ldap.properties: # The base DN for people. edu.internet2.middleware.psp.peopleBaseDn=ou=people,o=utah.edu edu.internet2.middleware.psp.ad.peopleBaseDn=ou=people,dc=testad,dc=utah,dc=edu I started by getting everything to work with just ldap. Then I add both ad and ldap to the subject source for the UI. I then reconfigured so that the PSP would work against just AD. After that I used the the
psp-example-grouper-openldap-multiple as a template to combine both ldap and AD into the psp. Everything seems to work except provisioning subjects to AD groups. After watching yesterday’s IAM Online I beginning to think we may be starting off with a too complicated initial plan. -Bryan From: Gagné Sébastien []
I assume you checked that you used the right
ad.peopleBaseDn in your psp configuration. Other than that it confusing. AbstractLdap seems to be a vt-ldap class, so maybe there’s a problem in which files vt-ldap uses for
properties ? I had a question about your setup : did you try to make it work using only one subject source for both LDAP and AD ? Assuming both directories have the same users, do you think it would be possible
or will we have to always select the subject source ? De :
[]
De la part de Bryan E. Wooten All, Below is link showing my Grouper configuration. The goal of the exercise was to create folders, groups and add members to a group using the UI. Then use gsh to provision these items into both an LDAP and Active Directory using the PSP: (gsh 2% loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog") loader ran successfully: Ran the changeLogTempToChangeLog daemon gsh 3% loaderRunOneJob("CHANGE_LOG_consumer_psp") https://www.lucidchart.com/publicSegments/view/5140e0fd-c828-43f4-a5d8-19b90a005178 Everything works except adding members. Adding members works partially. Using the UI I can select a subject from LDAP data source and add to a group. When I run loaderRunOneJob this subject is correctly provisioned to LDAP. From the grouper_error.log it appears that no attempt is made to provision the subject
to AD. Using the UI if I select a subject from AD data source and add to a group running the PSP does not provision the user into either LDAP or AD. I have found the error. 2013-03-13 11:35:24,687: [main] DEBUG Psp.execute(1069) - - PSP 'psp' - Calc CalcRequest[id=u0000401,requestID=<null>,returnData=identifier,schemaEntityRef=SchemaEntityRef[targetID=ldap,entityName=member,isContainer=false]] Resolving attributes
'[memberDn]'. 2013-03-13 11:35:24,687: [main] DEBUG SimpleAttributeAuthority.getAttributes(86) - - get attributes 'u0000401' aa 'psp.AttributeAuthority' 2013-03-13 11:35:24,688: [main] DEBUG AbstractLdap.search(193) - - Search with the following parameters: 2013-03-13 11:35:24,689: [main] DEBUG AbstractLdap.search(194) - - dn = ou=people,o=utah.edu 2013-03-13 11:35:24,689: [main] DEBUG AbstractLdap.search(195) - - filter = (& (unid=u0000401) (objectclass=inetOrgPerson)) 2013-03-13 11:35:24,689: [main] DEBUG AbstractLdap.search(196) - - filterArgs = [] 2013-03-13 11:35:24,690: [main] DEBUG AbstractLdap.search(197) - - searchControls =
2013-03-13 11:35:24,690: [main] DEBUG AbstractLdap.search(198) - - handler = [edu.internet2.middleware.psp.ldap.QuotedDnResultHandler@7c30cd64,
] For some reason the dn is from the peopleBaseDn for LDAP and not the peopleBaseDn I configured for AD. As an experiment I set peopleBaseDn for both ldap and ad to be the value used by AD. This did change the results. Any thoughts? Thanks, Bryan |
- [grouper-users] AD / LDAP Provisioning with PSP - One last hurdle?, Bryan E. Wooten, 03/13/2013
- <Possible follow-up(s)>
- RE: [grouper-users] AD / LDAP Provisioning with PSP - One last hurdle?, Bryan E. Wooten, 03/14/2013
- Message not available
- FW: [grouper-users] AD / LDAP Provisioning with PSP - One last hurdle?, Bryan E. Wooten, 03/14/2013
- Message not available
- FW: [grouper-users] AD / LDAP Provisioning with PSP - One last hurdle?, Bryan E. Wooten, 03/14/2013
- Re: FW: [grouper-users] AD / LDAP Provisioning with PSP - One last hurdle?, Tom Zeller, 03/14/2013
- FW: [grouper-users] AD / LDAP Provisioning with PSP - One last hurdle?, Bryan E. Wooten, 03/14/2013
- Message not available
- Message not available
- Message not available
- FW: [grouper-users] AD / LDAP Provisioning with PSP - One last hurdle?, Bryan E. Wooten, 03/14/2013
- RE: [grouper-users] AD / LDAP Provisioning with PSP - One last hurdle?, Gagné Sébastien, 03/14/2013
- FW: [grouper-users] AD / LDAP Provisioning with PSP - One last hurdle?, Bryan E. Wooten, 03/14/2013
- Message not available
- Message not available
- Message not available
Archive powered by MHonArc 2.6.16.