
grouper-users - [grouper-users] LDAP and AD provisioning failure - I think I found the root issue

Subject: Grouper Users - Open Discussion List

  • From: "Bryan E. Wooten" <>
  • To: "" <>
  • Subject: [grouper-users] LDAP and AD provisioning failure - I think I found the root issue
  • Date: Mon, 18 Mar 2013 18:56:30 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none

Background, I have configured both AD and LDAP as subject sources in both the UI and PSP. The UI side works fine. I am unable to provision subjects to AD groups, provisioning to LDAP groups works fine.

 

After much log file reading and testing various configurations I have come to this.

 

When the PSP tries to provision a subject selected from the AD source I see this in the grouper_error.log file:

 

2013-03-18 12:47:46,609: [DefaultQuartzScheduler_Worker-1] DEBUG Psp.execute(1069) -  - PSP 'psp' - Calc CalcRequest[id=u0000348,requestID=<null>,returnData=identifier,schemaEntityRef=SchemaEntityRef[targetID=ldap,entityName=member,isContainer=false]] Resolving attributes '[memberDn]'.

2013-03-18 12:47:46,610: [DefaultQuartzScheduler_Worker-1] DEBUG SimpleAttributeAuthority.getAttributes(86) -  - get attributes 'u0000348' aa 'psp.AttributeAuthority'

2013-03-18 12:47:46,612: [DefaultQuartzScheduler_Worker-1] DEBUG AbstractLdap.search(193) -  - Search with the following parameters:

2013-03-18 12:47:46,613: [DefaultQuartzScheduler_Worker-1] DEBUG AbstractLdap.search(194) -  -   dn = ou=people,o=utah.edu

2013-03-18 12:47:46,614: [DefaultQuartzScheduler_Worker-1] DEBUG AbstractLdap.search(195) -  -   filter = (& (unid=u0000348) (objectclass=inetOrgPerson))

2013-03-18 12:47:46,615: [DefaultQuartzScheduler_Worker-1] DEBUG AbstractLdap.search(196) -  -   filterArgs = []

2013-03-18 12:47:46,616: [DefaultQuartzScheduler_Worker-1] DEBUG AbstractLdap.search(197) -  -   searchControls = javax.naming.directory.SearchControls@284d0371

2013-03-18 12:47:46,617: [DefaultQuartzScheduler_Worker-1] DEBUG AbstractLdap.search(198) -  -   handler = [edu.internet2.middleware.psp.ldap.QuotedDnResultHandler@3bd48043, ]

 

The DN is for my LDAP source and not AD, this results in the user not being provisioned to the AD group.

 

My sources.xml has a section for AD and a section for LDAP. It seems the PSP is not recognizing the AD section as it is using the base DN and subject search filter from LDAP section. To verify this I changed the LDAP section to use values from the AD section and could see the corresponding changes in the error log.

 

I believe this is the root cause of why the PSP can’t provision users into AD groups when both LDAP and AD are configured in the sources.xml.

 

Can someone verify this behavior or give me some insight? My sources.xml file follows.

 

Thanks,

 

Bryan

 

<?xml version="1.0" encoding="utf-8"?>

 

<!--

Grouper's subject resolver configuration

$Id: sources.example.xml,v 1.8 2009-08-11 20:18:09 mchyzer Exp $

-->

 

<sources>

 

  <!-- Group Subject Resolver -->

 

  <!--

     You can flag a source as not throwing exception on a findAll (general search) i.e. if it is

     ok if it is down.  Generally you probably won't want to do this.  It defaults to true if omitted.

 

     <init-param>

       <param-name>throwErrorOnFindAllFailure</param-name>

       <param-value>false</param-value>

     </init-param>

   -->

 

  <!--

      You can make virtual attributes (attributes with formatting or based on other attributes) like this:

      init-param name is subjectVirtualAttribute_<index>_<name> where index is the order to be processed

      if some depend on others (0 to 99).  The value is the jexl expression language.  You can use subjectUtils

      methods (aliased with "subjectUtils"), or you can register your own class (must have default constructor).

      Here are examples:

 

     <init-param>

       <param-name>subjectVirtualAttribute_0_loginIdLfName</param-name>

       <param-value>Hey ${subject.getAttributeValue('LOGINID')} and ${subject.getAttributeValue('LFNAME')}</param-value>

     </init-param>

     <init-param>

       <param-name>subjectVirtualAttribute_1_loginIdLfNameLoginId</param-name>

       <param-value>${subject.getAttributeValue('loginIdLfName')} Hey ${subject.getAttributeValue('LOGINID')} and ${subject.getAttributeValue('LFNAME')}</param-value>

     </init-param>

     <init-param>

       <param-name>subjectVirtualAttributeVariable_JDBCSourceAdapterTest</param-name>

       <param-value>edu.internet2.middleware.subject.provider.JDBCSourceAdapterTest</param-value>

     </init-param>

     <init-param>

       <param-name>subjectVirtualAttribute_2_loginIdSquared</param-name>

       <param-value>${JDBCSourceAdapterTest.appendToSelf(subject.getAttributeValue('LOGINID'))}</param-value>

     </init-param>

 

    The first virtual attribute is accessible via: subject.getAttributeValue("loginIdLfNameLoginId");

 

   -->

 

  <!--

    NOTE: It is recommended that you **not** change the default

          values for this source adapter.

  -->

  <source adapterClass="edu.internet2.middleware.grouper.GrouperSourceAdapter">

    <id>g:gsa</id>

    <name>Grouper: Group Source Adapter</name>

    <type>group</type>

 

    <init-param>

      <param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>

      <param-value>${subject.getAttributeValue('name')},${subject.getAttributeValue('displayName')},${subject.getAttributeValue('alternateName')}</param-value>

    </init-param>

    <init-param>

      <param-name>sortAttribute0</param-name>

      <param-value>displayExtension</param-value>

    </init-param>

    <init-param>

      <param-name>searchAttribute0</param-name>

      <param-value>searchAttribute0</param-value>

    </init-param>

    <!-- on a findPage() this is the most results returned -->

    <init-param>

      <param-name>maxPageSize</param-name>

      <param-value>100</param-value>

    </init-param>

    <internal-attribute>searchAttribute0</internal-attribute>

  </source>

  <!-- Group Subject Resolver -->

 

  <!--

    NOTE: It is recommended that you **not** change the default

          values for this source adapter.

  -->

  <source adapterClass="edu.internet2.middleware.grouper.entity.EntitySourceAdapter">

    <id>grouperEntities</id>

    <name>Grouper: Entity Source Adapter</name>

    <type>application</type>

 

    <init-param>

      <param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>

      <!-- TODO add attribute for subject identifier -->

      <param-value>${subject.getAttributeValue('name')},${subject.getAttributeValue('displayName')},${subject.getAttributeValue('alternateName')}</param-value>

    </init-param>

    <init-param>

      <param-name>sortAttribute0</param-name>

      <param-value>name</param-value>

    </init-param>

    <init-param>

      <param-name>searchAttribute0</param-name>

      <param-value>searchAttribute0</param-value>

    </init-param>

    <internal-attribute>searchAttribute0</internal-attribute>

  </source>

  <!-- Entity Subject Resolver -->

 

<source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter">

    <id>jdbc</id>

    <name>Example JDBC Source Adapter</name>

     <type>person</type>

    

     <!-- edu.internet2.middleware.subject.provider.C3p0JdbcConnectionProvider (default)

          edu.internet2.middleware.subject.provider.DbcpJdbcConnectionProvider (legacy)

          edu.internet2.middleware.grouper.subj.GrouperJdbcConnectionProvider

            (same settings as grouper.hibernate.properties, the driver, url, pass, maxActive, maxIdle, maxWait are forbidden -->

     <init-param>

       <param-name>jdbcConnectionProvider</param-name>

       <param-value>edu.internet2.middleware.grouper.subj.GrouperJdbcConnectionProvider </param-value>

     </init-param>

    

     <!-- If using emails and need email addresses in sources, set which attribute has the email address in this source -->

     <init-param>

       <param-name>emailAttributeName</param-name>

       <param-value>email</param-value>

     </init-param>

    

     <!-- if more than this many results are returned, then throw a too many subjects exception -->

     <init-param>

       <param-name>maxResults</param-name>

       <param-value>1000</param-value>

     </init-param>

 

    <!-- on a findPage() this is the most results returned -->

    <init-param>

      <param-name>maxPageSize</param-name>

      <param-value>100</param-value>

    </init-param>

 

     <!-- note: again, if you use GrouperJdbcConnectionProvider, then you should not fill out maxActive, maxIdle,

       maxWait, dbDriver, dbUrl, dbUser, dbPwd, since it will use the grouper.hibernate.properties db settings -->

 

     <!--   init-param>

       <param-name>maxActive</param-name>

       <param-value>16</param-value>

     </init-param>

     <init-param>

       <param-name>maxIdle</param-name>

       <param-value>16</param-value>

     </init-param>

     <init-param>

       <param-name>maxWait</param-name>

       <param-value>-1</param-value>

     </init-param -->

    

     <!--     

       e.g. mysql:           com.mysql.jdbc.Driver

       e.g. p6spy (log sql): com.p6spy.engine.spy.P6SpyDriver

         for p6spy, put the underlying driver in spy.properties

       e.g. oracle:          oracle.jdbc.driver.OracleDriver

       e.g. hsqldb:          org.hsqldb.jdbcDriver

       e.g. postgres:        org.postgresql.Driver -->

 

     <!-- init-param>

       <param-name>dbDriver</param-name>

       <param-value>org.hsqldb.jdbcDriver</param-value>

     </init-param -->

    

     <!--

       e.g. mysql:           jdbc:mysql://localhost:3306/grouper

       e.g. p6spy (log sql): [use the URL that your DB requires]

       e.g. oracle:          jdbc:oracle:thin:@server.school.edu:1521:sid

       e.g. hsqldb (a):      jdbc:hsqldb:dist/run/grouper;create=true

       e.g. hsqldb (b):      jdbc:hsqldb:hsql://localhost:9001

       e.g. postgres:        jdbc:postgresql:grouper -->

    

     <!-- init-param>

       <param-name>dbUrl</param-name>

       <param-value>jdbc:hsqldb:C:/projects/GrouperI2MI_1-2/grouper/dist/run/grouper</param-value>

     </init-param>

     <init-param>

       <param-name>dbUser</param-name>

       <param-value>sa</param-value>

     </init-param>

     <init-param>

       <param-name>dbPwd</param-name>

       <param-value></param-value>

     </init-param -->

    

      <init-param>

       <param-name>SubjectID_AttributeType</param-name>

       <param-value>id</param-value>

     </init-param>

     <init-param>

       <param-name>Name_AttributeType</param-name>

       <param-value>name</param-value>

     </init-param>

     <init-param>

       <param-name>Description_AttributeType</param-name>

       <param-value>description</param-value>

     </init-param>

     <init-param>

       <param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>

       <param-value>${subject.name},${subjectUtils.defaultIfBlank(subject.getAttributeValue('LFNAME'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValue('LOGINID'), "")},${subjectUtils.defaultIfBlank(subject.description, "")},${subjectUtils.defaultIfBlank(subject.getAttributeValue('EMAIL'), "")}</param-value>

     </init-param>

     <init-param>

       <param-name>sortAttribute0</param-name>

       <param-value>LFNAME</param-value>

     </init-param>

     <init-param>

       <param-name>sortAttribute1</param-name>

       <param-value>LOGINID</param-value>

     </init-param>

     <init-param>

       <param-name>searchAttribute0</param-name>

       <param-value>searchAttribute0</param-value>

     </init-param>

     <internal-attribute>searchAttribute0</internal-attribute>

    

     <!-- if you are going to use the inclause attribute

       on the search to make the queries batchable when searching

       by id or identifier -->

     <init-param>

       <param-name>useInClauseForIdAndIdentifier</param-name>

       <param-value>true</param-value>

     </init-param>

    

     <!-- comma separate the identifiers for this row, this is for the findByIdentifiers if using an in clause -->

     <init-param>

       <param-name>identifierAttributes</param-name>

       <param-value>LOGINID</param-value>

     </init-param>

 

     <search>

         <searchType>searchSubject</searchType>

         <param>

             <param-name>sql</param-name>

             <param-value>

select

   s.subjectid as id, s.name as name,

   (select sa2.value from subjectattribute sa2 where name='name' and sa2.SUBJECTID = s.subjectid) as lfname,

   (select sa3.value from subjectattribute sa3 where name='loginid' and sa3.SUBJECTID = s.subjectid) as loginid,

   (select sa4.value from subjectattribute sa4 where name='description' and sa4.SUBJECTID = s.subjectid) as description,

   (select sa5.value from subjectattribute sa5 where name='email' and sa5.SUBJECTID = s.subjectid) as email

from

   subject s

where

   {inclause}

            </param-value>

         </param>

         <param>

             <param-name>inclause</param-name>

             <param-value>

s.subjectid = ?

            </param-value>

         </param>

     </search>

     <search>

         <searchType>searchSubjectByIdentifier</searchType>

         <param>

             <param-name>sql</param-name>

             <param-value>

select

   s.subjectid as id, s.name as name,

   (select sa2.value from subjectattribute sa2 where name='name' and sa2.SUBJECTID = s.subjectid) as lfname,

   (select sa3.value from subjectattribute sa3 where name='loginid' and sa3.SUBJECTID = s.subjectid) as loginid,

   (select sa4.value from subjectattribute sa4 where name='description' and sa4.SUBJECTID = s.subjectid) as description,

   (select sa5.value from subjectattribute sa5 where name='email' and sa5.SUBJECTID = s.subjectid) as email

from

   subject s, subjectattribute a

where

   a.name='loginid' and s.subjectid = a.subjectid and {inclause}

             </param-value>

         </param>

         <param>

             <param-name>inclause</param-name>

             <param-value>

   a.value = ?

            </param-value>

         </param>

     </search>

     <search>

        <searchType>search</searchType>

         <param>

             <param-name>sql</param-name>

            

             <!--  for postgres, use this query since no concat() exists:

            

             select

   subject.subjectid as id, subject.name as name,

   lfnamet.lfname as lfname, loginidt.loginid as loginid,

   desct.description as description, emailt.email as email

from

   subject

   left join (select subjectid, value as lfname from subjectattribute

     where name='name') lfnamet

     on subject.subjectid=lfnamet.subjectid

   left join (select subjectid, value as loginid from subjectattribute

     where name='loginid') loginidt

     on subject.subjectid=loginidt.subjectid

   left join (select subjectid, value as description from subjectattribute

      where name='description') desct

     on subject.subjectid=desct.subjectid

   left join (select subjectid, value as email from subjectattribute

      where name='email') emailt

     on subject.subjectid=emailt.subjectid

where

   (lower(name) like '%' || ? || '%')

   or (lower(lfnamet.lfname) like '%' || ? || '%')

   or (lower(loginidt.loginid) like '%' || ? || '%')

   or (lower(desct.description) like '%' || ? || '%')

   or (lower(emailt.email) like '%' || ? || '%')

             

for SQL-server:

 

select

   subject.subjectid as id, subject.name as name,

   lfnamet.lfname as lfname, loginidt.loginid as loginid,

   desct.description as description, emailt.email as email

from

   subject

   left join (select subjectid, value as lfname from subjectattribute

     where name='name') lfnamet

     on subject.subjectid=lfnamet.subjectid

   left join (select subjectid, value as loginid from subjectattribute

     where name='loginid') loginidt

     on subject.subjectid=loginidt.subjectid

   left join (select subjectid, value as description from subjectattribute

      where name='description') desct

     on subject.subjectid=desct.subjectid

   left join (select subjectid, value as email from subjectattribute

      where name='email') emailt

     on subject.subjectid=emailt.subjectid

where

   (lower(name) like '%' + ? + '%')

   or (lower(lfnamet.lfname) like '%' + ? + '%')

   or (lower(loginidt.loginid) like '%' + ? + '%')

   or (lower(desct.description) like '%' + ? + '%')

   or (lower(emailt.email) like '%' + ? + '%')

 

              -->

            

             <param-value>

select

   s.subjectid as id, s.name as name,

   (select sa2.value from subjectattribute sa2 where name='name' and sa2.SUBJECTID = s.subjectid) as lfname,

   (select sa3.value from subjectattribute sa3 where name='loginid' and sa3.SUBJECTID = s.subjectid) as loginid,

   (select sa4.value from subjectattribute sa4 where name='description' and sa4.SUBJECTID = s.subjectid) as description,

   (select sa5.value from subjectattribute sa5 where name='email' and sa5.SUBJECTID = s.subjectid) as email

from

   subject s

where

   s.subjectid in (

      select subjectid from subject where lower(name) like concat('%',concat(?,'%')) union

      select subjectid from subjectattribute where searchvalue like concat('%',concat(?,'%'))

   )

             </param-value>

         </param>

     </search>

   </source>

  

   <!-- 

    <!- - This is an alternate jdbc source which allows for more complex searches, assumes

      all data is in one table or view, and that all attributes are single valued.  There are

      not queries to configure in sources.xml - - >

    <source adapterClass="edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2">

    <id>sourceId</id>

    <name>Source name</name>

     <type>person</type>

     <init-param>

       <param-name>jdbcConnectionProvider</param-name>

       <param-value>edu.internet2.middleware.grouper.subj.GrouperJdbcConnectionProvider</param-value>

     </init-param>

 

     <init-param>

       <param-name>maxResults</param-name>

       <param-value>1000</param-value>

     </init-param>

 

      <init-param>

       <param-name>dbTableOrView</param-name>

       <param-value>person_source_v</param-value>

     </init-param>

      <init-param>

       <param-name>subjectIdCol</param-name>

       <param-value>some_id</param-value>

     </init-param>

     <init-param>

       <param-name>nameCol</param-name>

       <param-value>name</param-value>

     </init-param>

     <init-param>

       <param-name>descriptionCol</param-name>

       <param-value>description</param-value>

     </init-param>

     <init-param>

       <!- - search col where general searches take place, lower case - - >

       <param-name>lowerSearchCol</param-name>

       <param-value>description_lower</param-value>

     </init-param>

     <init-param>

       <!- - optional col if you want the search results sorted in the API (note, UI might override) - - >

       <param-name>defaultSortCol</param-name>

       <param-value>description</param-value>

     </init-param>

     <init-param>

       <!- - col which identifies the row, perhaps not subjectId, add multiple by incrementing the 0 index - - >

       <param-name>subjectIdentifierCol0</param-name>

       <param-value>pennname</param-value>

     </init-param>

     <init-param>

       <!- - col which identifies the row, perhaps not subjectId, add multiple by incrementing the 0 index - - >

       <param-name>subjectIdentifierCol1</param-name>

       <param-value>penn_id</param-value>

     </init-param>

     <!- - now you can count up from 0 to N of attributes for various cols. 

          The name is how to reference in subject.getAttribute() - - >

     <init-param>

       <param-name>subjectAttributeCol0</param-name>

       <param-value>pennname</param-value>

     </init-param>

     <init-param>

       <param-name>subjectAttributeName0</param-name>

       <param-value>PENNNAME</param-value>

     </init-param>

     <init-param>

       <param-name>subjectAttributeCol1</param-name>

       <param-value>description_lower</param-value>

     </init-param>

     <init-param>

       <param-name>subjectAttributeName1</param-name>

       <param-value>searchAttribute0</param-value>

     </init-param>

     <init-param>

       <param-name>sortAttribute0</param-name>

       <param-value>description</param-value>

     </init-param>

     <init-param>

       <param-name>searchAttribute0</param-name>

       <param-value>searchAttribute0</param-value>

     </init-param>

     <internal-attribute>searchAttribute0</internal-attribute>

 

   </source>

   -->

  

<!-- Active Directory Subject Resolver -->

 

 

 

  <source adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">

    <id>ad</id>

    <name>ADSourceAdapter</name>

    <type>person</type>

 

    <!-- Note that most of the ldap configuration is in the properties file.

         The filename can be a file in your classpath or an absolute pathname. -->

 

    <init-param>

      <param-name>ldapProperties_file</param-name>

      <param-value>ad.properties</param-value>

    </init-param>

    <init-param>

      <param-name>INITIAL_CONTEXT_FACTORY</param-name>

      <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>

    </init-param>

    <init-param>

      <param-name>Multiple_Results</param-name>

      <param-value>false</param-value>

    </init-param>

   

    <init-param>

      <param-name>sortAttribute0</param-name>

      <param-value>cn</param-value>

    </init-param>

    <init-param>

      <param-name>searchAttribute0</param-name>

      <param-value>cn</param-value>

    </init-param>    

    

     <init-param>

      <param-name>SubjectID_AttributeType</param-name>

      <param-value>cn</param-value>

    </init-param>

    <init-param>

      <param-name>SubjectID_formatToLowerCase</param-name>

      <param-value>false</param-value>

    </init-param>

    <init-param>

      <param-name>Name_AttributeType</param-name>

      <param-value>displayName</param-value>

    </init-param>

    <init-param>

      <param-name>Description_AttributeType</param-name>

      <param-value>displayName</param-value>

    </init-param>

 

    <search>

        <searchType>searchSubject</searchType>

        <param>

            <param-name>filter</param-name>

            <param-value>

                (&amp;(cn=%TERM%)(objectclass=person))

            </param-value>

        </param>

        <param>

            <param-name>scope</param-name>

            <param-value>SUBTREE_SCOPE</param-value>

        </param>

        <param>

            <param-name>base</param-name>

            <param-value>ou=people,dc=testad,dc=utah,dc=edu</param-value>           

        </param>

        

    </search>

    <search>

        <searchType>searchSubjectByIdentifier</searchType>

        <param>

            <param-name>filter</param-name>

            <param-value>

                (&amp;(cn=%TERM%)(objectclass=person))

            </param-value>

        </param>

        <param>

            <param-name>scope</param-name>

            <param-value>SUBTREE_SCOPE</param-value>

        </param>

        <param>

            <param-name>base</param-name>

            <param-value>ou=people,dc=testad,dc=utah,dc=edu</param-value>

        </param>

    </search>

 

    <!-- use the firstlastfilter to allow: last, first lookup -->

   

    <search>

       <searchType>search</searchType>

         <param>

            <param-name>filter</param-name>

            <param-value>

                 (&amp;(cn=%TERM%)(objectclass=person))

            </param-value>

        </param>

       

        

         <param>

            <param-name>firstlastfilter</param-name>

            <param-value>

                (&amp;(sn=%TERM%)(objectclass=person))

            </param-value>

        </param>

       

        

        <param>

            <param-name>scope</param-name>

            <param-value>SUBTREE_SCOPE</param-value>

        </param>

         <param>

            <param-name>base</param-name>

            <param-value>ou=people,dc=testad,dc=utah,dc=edu</param-value>

        </param>

    </search>

    <init-param>

      <param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>

      <param-value>${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('exampleEduRegId'), "")}</param-value>

    </init-param>

    <init-param>

      <param-name>sortAttribute0</param-name>

      <param-value>cn</param-value>

    </init-param>

    <init-param>

      <param-name>searchAttribute0</param-name>

      <param-value>searchAttribute0</param-value>

    </init-param>

    <internal-attribute>searchAttribute0</internal-attribute>

    ///Attributes you would like to display when doing a search

    <attribute>cn</attribute>

    <attribute>displayName</attribute>

    <attribute>unid</attribute>

  

  </source>

  

  

  <source adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">

    <id>ldap</id>

    <name>LdapSourceAdapter</name>

    <type>person</type>

 

    <init-param>

      <param-name>ldapProperties_file</param-name>

      <param-value>ldap.properties</param-value>

    </init-param>

   

<!--

    <init-param>

      <param-name>INITIAL_CONTEXT_FACTORY</param-name>

      <param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>

    </init-param>

    <init-param>

      <param-name>PROVIDER_URL</param-name>

      <param-value>ldap://idm-6.acs.utah.edu:389</param-value>

    </init-param>

    <init-param>

      <param-name>SECURITY_AUTHENTICATION</param-name>

      <param-value>simple</param-value>

    </init-param>

    <init-param>

      <param-name>SECURITY_PRINCIPAL</param-name>

      <param-value>cn=Directory Manager</param-value>

    </init-param>

    <init-param>

      <param-name>SECURITY_CREDENTIALS</param-name>

      <param-value>secrect</param-value>

    </init-param>

 

-->

     <init-param>

      <param-name>SubjectID_AttributeType</param-name>

      <param-value>unid</param-value>

    </init-param>

     <init-param>

      <param-name>SubjectID_formatToLowerCase</param-name>

      <param-value>false</param-value>

    </init-param>

    <init-param>

      <param-name>Name_AttributeType</param-name>

      <param-value>cn</param-value>

    </init-param>

    <init-param>

      <param-name>Description_AttributeType</param-name>

      <param-value>displayName</param-value>

    </init-param>

   

    /// Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE

    /// For filter use

    

    <search>

        <searchType>searchSubject</searchType>

        <param>

            <param-name>filter</param-name>

            <param-value>

                (&amp; (unid=%TERM%) (objectclass=inetOrgPerson))

            </param-value>

        </param>

        <param>

            <param-name>scope</param-name>

            <param-value>

                SUBTREE_SCOPE           

            </param-value>

        </param>

        <param>

            <param-name>base</param-name>

            <param-value>

                ou=people,o=utah.edu

            </param-value>

        </param>

        

    </search>

    <search>

        <searchType>searchSubjectByIdentifier</searchType>

        <param>

            <param-name>filter</param-name>

            <param-value>

                (&amp; (unid=%TERM%) (objectclass=iNetOrgPerson))

            </param-value>

        </param>

        <param>

            <param-name>scope</param-name>

            <param-value>

                SUBTREE_SCOPE           

            </param-value>

        </param>

        <param>

            <param-name>base</param-name>

            <param-value>

                ou=people,o=utah.edu

            </param-value>

        </param>

    </search>

   

    <search>

       <searchType>search</searchType>

         <param>

            <param-name>filter</param-name>

            <param-value>

                (&amp; (|(unid=%TERM%)(cn=*%TERM%*)(unid=%TERM%))(objectclass=iNetOrgPerson))

            </param-value>

        </param>

        <param>

            <param-name>scope</param-name>

            <param-value>

                SUBTREE_SCOPE           

            </param-value>

        </param>

         <param>

            <param-name>base</param-name>

            <param-value>

                ou=people,o=utah.edu

            </param-value>

        </param>

    </search>

    <init-param>

      <param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>

      <param-value>${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('unid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('unid'), "")}</param-value>

    </init-param>

    <init-param>

      <param-name>sortAttribute0</param-name>

      <param-value>cn</param-value>

    </init-param>

    <init-param>

      <param-name>searchAttribute0</param-name>

      <param-value>searchAttribute0</param-value>

    </init-param>

    <internal-attribute>searchAttribute0</internal-attribute>

 

    ///Attributes you would like to display when doing a search

    <attribute>cn</attribute>

    <attribute>sn</attribute>

    <attribute>uid</attribute>

    <attribute>mail</attribute>

    <attribute>unid</attribute>

  

  </source>

 

 

 

</sources>
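
The manual check described in the message, comparing the base DN and filter that `AbstractLdap.search` logs against each `<source>` in sources.xml, can be scripted. This is an added example, not part of the original post or of Grouper: the function names are hypothetical, the XML is a trimmed copy of the two LdapSourceAdapter sources above, and the log lines are copied from the post.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the two LdapSourceAdapter sources from the sources.xml above.
SOURCES_XML = """<sources>
  <source adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">
    <id>ad</id>
    <search><searchType>searchSubject</searchType>
      <param><param-name>filter</param-name>
        <param-value>(&amp;(cn=%TERM%)(objectclass=person))</param-value></param>
      <param><param-name>base</param-name>
        <param-value>ou=people,dc=testad,dc=utah,dc=edu</param-value></param>
    </search>
  </source>
  <source adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">
    <id>ldap</id>
    <search><searchType>searchSubject</searchType>
      <param><param-name>filter</param-name>
        <param-value>(&amp; (unid=%TERM%) (objectclass=inetOrgPerson))</param-value></param>
      <param><param-name>base</param-name>
        <param-value>ou=people,o=utah.edu</param-value></param>
    </search>
    <search><searchType>searchSubjectByIdentifier</searchType>
      <param><param-name>filter</param-name>
        <param-value>(&amp; (unid=%TERM%) (objectclass=iNetOrgPerson))</param-value></param>
      <param><param-name>base</param-name>
        <param-value>ou=people,o=utah.edu</param-value></param>
    </search>
  </source>
</sources>"""

# Lines copied from the grouper_error.log excerpt in the post.
LOG = """\
2013-03-18 12:47:46,609: [DefaultQuartzScheduler_Worker-1] DEBUG Psp.execute(1069) -  - PSP 'psp' - Calc CalcRequest[id=u0000348,requestID=<null>,returnData=identifier,schemaEntityRef=SchemaEntityRef[targetID=ldap,entityName=member,isContainer=false]] Resolving attributes '[memberDn]'.
2013-03-18 12:47:46,613: [DefaultQuartzScheduler_Worker-1] DEBUG AbstractLdap.search(194) -  -   dn = ou=people,o=utah.edu
2013-03-18 12:47:46,614: [DefaultQuartzScheduler_Worker-1] DEBUG AbstractLdap.search(195) -  -   filter = (& (unid=u0000348) (objectclass=inetOrgPerson))
"""

CALC_RE = re.compile(r"CalcRequest\[id=([^,\]]+)")
DN_RE = re.compile(r"AbstractLdap\.search\(\d+\)\s+-\s+-\s+dn = (.+)$")
FILTER_RE = re.compile(r"AbstractLdap\.search\(\d+\)\s+-\s+-\s+filter = (.+)$")


def squash(text):
    """Drop all whitespace so indentation in sources.xml does not matter.
    Case is kept: the log echoes the filter text as it was configured."""
    return re.sub(r"\s+", "", text)


def source_searches(xml_text):
    """Return {source id: {searchType: {param-name: param-value}}}."""
    out = {}
    for src in ET.fromstring(xml_text).findall("source"):
        sid = (src.findtext("id") or "").strip()
        for search in src.findall("search"):
            stype = (search.findtext("searchType") or "").strip()
            out.setdefault(sid, {})[stype] = {
                (p.findtext("param-name") or "").strip():
                (p.findtext("param-value") or "").strip()
                for p in search.findall("param")
            }
    return out


def logged_searches(log_text):
    """Yield (subject id, dn, filter) for each search that follows a CalcRequest."""
    term = dn = None
    for line in log_text.splitlines():
        m = CALC_RE.search(line)
        if m:
            term, dn = m.group(1), None
            continue
        m = DN_RE.search(line)
        if m:
            dn = m.group(1).strip()
            continue
        m = FILTER_RE.search(line)
        if m and term and dn:
            yield term, dn, m.group(1).strip()
            dn = None


def attribute_searches(log_text, xml_text):
    """For each logged search, list the (source id, searchType) pairs whose
    configured base and filter (with %TERM% filled in) produce exactly that search."""
    sources = source_searches(xml_text)
    results = []
    for term, dn, flt in logged_searches(log_text):
        hits = [(sid, stype)
                for sid, searches in sources.items()
                for stype, p in searches.items()
                if squash(p.get("base", "")) == squash(dn)
                and squash(p.get("filter", "").replace("%TERM%", term)) == squash(flt)]
        results.append({"term": term, "dn": dn, "filter": flt, "matches": hits})
    return results


if __name__ == "__main__":
    for r in attribute_searches(LOG, SOURCES_XML):
        print(r["term"], r["dn"], r["filter"], "->", r["matches"])
```
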

 

 

 

 



