
grouper-users - RE: [grouper-users] Can't get "list of groups" to populate members

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: "Bryan E. Wooten" <>, Gagné Sébastien <>, "" <>
  • Subject: RE: [grouper-users] Can't get "list of groups" to populate members
  • Date: Sat, 13 Apr 2013 21:31:03 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport05.merit.edu; dkim=neutral (message not signed) header.i=none

The log messages show no members being returned from AD I believe.  I ran the example on the doc page against openldap, and it worked, and these are the logs.  I highlighted the important parts…  also, look below, I would like you to try something against AD which works in my openldap.

 

 

log4j.logger.edu.internet2.middleware.grouper.app.loader = DEBUG

 

#######################################

 

gsh 3% loaderRunOneJob(group);

2013-04-13 16:54:35,098: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: personLdap: GrouperLoaderLdapServer [batchSize=-1, countLimit=-1, driver=null, expirationTime=-1, maxPoolSize=-1, minPoolSize=-1, pass=XXXXX, pruneTimerPeriod=-1, saslAuthorizationId=, saslRealm=, timeLimit=-1, timeout=-1, tls=false, url="ldaps://xxxxxxx:636/dc=upenn,dc=edu," user=uid=xxxxxxxxxxxx,ou=entities,dc=upenn,dc=edu, validateOnCheckIn=false, validateOnCheckOut=true, validatePeriodically=false, validateTimerPeriod=-1]

2013-04-13 16:54:35,101: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: personLdap: GrouperLoaderLdapServer [batchSize=-1, countLimit=-1, driver=null, expirationTime=-1, maxPoolSize=-1, minPoolSize=-1, pass=XXXXX, pruneTimerPeriod=-1, saslAuthorizationId=, saslRealm=, timeLimit=-1, timeout=-1, tls=false, url="ldaps://xxxxxxxxx:636/dc=upenn,dc=edu," user=uid=xxxxxxxxxx,ou=entities,dc=upenn,dc=edu, validateOnCheckIn=false, validateOnCheckOut=true, validatePeriodically=false, validateTimerPeriod=-1]

2013-04-13 16:54:35,103: [main] DEBUG GrouperLoaderResultset$1.callback(582) -  - Found 2 results, (5 sub-results) for serverId: personLdap, searchDn: ou=groups, filter: '(|(cn=test:testGroup)(cn=test:ldaptesting:test1)(cn=test:testEmptyGroup))', returning subject attribute: hasMember, some results: {anotherStem:groups:test:ldapTesting:test1=[netmon], anotherStem:groups:test:testGroup=[convery, ...

2013-04-13 16:54:35,141: [main] DEBUG GrouperLoaderType$7.runJob(862) -  - anotherStem:groupListLdapGroup: start syncing membership

2013-04-13 16:54:35,141: [main] DEBUG GrouperLoaderType.syncGroupList(1114) -  - anotherStem:groupListLdapGroup: found 5 members overall

2013-04-13 16:54:35,142: [main] DEBUG GrouperLoaderType.syncGroupList(1124) -  - anotherStem:groupListLdapGroup: syncing membership for 2 groups

2013-04-13 16:54:35,142: [main] DEBUG GrouperLoaderType.syncGroupList(1340) -  - anotherStem:groupListLdapGroup: syncing membership for anotherStem:groups:test:ldapTesting:test1 1 out of 2 groups

2013-04-13 16:54:35,148: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1926) -  - anotherStem:groups:test:ldapTesting:test1 start syncing membership

2013-04-13 16:54:35,149: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1942) -  - anotherStem:groups:test:ldapTesting:test1 syncing 1 rows

2013-04-13 16:54:35,169: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1960) -  - anotherStem:groups:test:ldapTesting:test1: saving group if necessary, result type: NO_CHANGE

2013-04-13 16:54:35,170: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2055) -  - Done assigning privilege to related groups: anotherStem:groups:test:ldapTesting:test1

2013-04-13 16:54:35,176: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - anotherStem:groups:test:ldapTesting:test1 will add subject to group: Penn person/12345678, 1 of 1 subjects

2013-04-13 16:54:35,237: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: anotherStem:groups:test:ldapTesting:test1 add Subject id: 12345678, sourceId: pennperson, alreadyAdded: false

2013-04-13 16:54:35,238: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - anotherStem:groups:test:ldapTesting:test1 done syncing membership, processed 1 records.  Total members: 1, inserts: 1, deletes: 0

2013-04-13 16:54:35,256: [main] DEBUG GrouperLoaderType.syncGroupList(1340) -  - anotherStem:groupListLdapGroup: syncing membership for anotherStem:groups:test:testGroup 2 out of 2 groups

2013-04-13 16:54:35,263: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1926) -  - anotherStem:groups:test:testGroup start syncing membership

2013-04-13 16:54:35,264: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1942) -  - anotherStem:groups:test:testGroup syncing 4 rows

2013-04-13 16:54:35,275: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1960) -  - anotherStem:groups:test:testGroup: saving group if necessary, result type: NO_CHANGE

2013-04-13 16:54:35,276: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2055) -  - Done assigning privilege to related groups: anotherStem:groups:test:testGroup

2013-04-13 16:54:35,311: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - anotherStem:groups:test:testGroup will add subject to group: Penn person/13345678, 1 of 3 subjects

2013-04-13 16:54:35,312: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - anotherStem:groups:test:testGroup will add subject to group: Penn person/22345678, 2 of 3 subjects

2013-04-13 16:54:35,313: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - anotherStem:groups:test:testGroup will add subject to group: Penn person/12345679, 3 of 3 subjects

2013-04-13 16:54:35,384: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: anotherStem:groups:test:testGroup add Subject id: 22345678, sourceId: pennperson, alreadyAdded: false

2013-04-13 16:54:35,426: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: anotherStem:groups:test:testGroup add Subject id: 13345678, sourceId: pennperson, alreadyAdded: false

2013-04-13 16:54:35,460: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: anotherStem:groups:test:testGroup add Subject id: 12345679, sourceId: pennperson, alreadyAdded: false

2013-04-13 16:54:35,460: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - anotherStem:groups:test:testGroup done syncing membership, processed 4 records.  Total members: 4, inserts: 3, deletes: 0

2013-04-13 16:54:35,469: [main] DEBUG GrouperLoaderType.syncGroupList(1433) -  - anotherStem:groupListLdapGroup: done syncing membership

loader ran successfully, inserted 4 memberships, deleted 0 memberships, total membership count: 5

gsh 4%

 

##############################################

 

(note, if you are using a mac or unix, the semi-colon in the classpath when running below should be a colon…)

 

Here is the file LdapPoc.java (change the yellow stuff).  Does this work against AD?

 

 

###########################################

 

import java.util.*;
import javax.naming.directory.*;
import edu.vt.middleware.ldap.*;
import edu.vt.middleware.ldap.pool.*;

public class LdapPoc {

  public static void main(String[] args) throws Exception {

    // connection settings: change the URL, base DN, bind DN and password
    LdapConfig ldapConfig = new LdapConfig("ldaps://xxxxxxxxx:636", "dc=upenn,dc=edu");
    ldapConfig.setBindDn("uid=xxxxxxxxxx,ou=entities,dc=upenn,dc=edu");
    ldapConfig.setBindCredential("xxxxxxxx");

    DefaultLdapFactory factory = new DefaultLdapFactory(ldapConfig);
    BlockingLdapPool pool = new BlockingLdapPool(factory);
    Ldap ldap = pool.checkOut();

    try {
      // the multi-valued attribute that holds the group's members
      String attributeName = "hasMember";
      Iterator<SearchResult> results = ldap.search("ou=groups,dc=upenn,dc=edu",
          new SearchFilter("(|(cn=test:testGroup)(cn=test:ldaptesting:test1)(cn=test:testEmptyGroup))"), new String[]{attributeName});

      while (results.hasNext()) {
        SearchResult searchResult = results.next();
        System.out.println(searchResult.getName());

        // get() returns null when the entry carries no values for the attribute
        Attribute attribute = searchResult.getAttributes().get(attributeName);
        if (attribute == null) {
          System.out.println("results: 0 (attribute " + attributeName + " not returned)");
          continue;
        }
        System.out.println("results: " + attribute.size());
        for (int i=0;i<attribute.size();i++) {
          System.out.println(" - " + attribute.get(i));
        }
      }
    } finally {
      // return the connection to the pool even if the search throws
      pool.checkIn(ldap);
    }
  }
}

#############################################

 

C:\temp>javac -classpath C:\mchyzer\grouper\v2_1\grouper\lib\grouper\vt-ldap.jar    LdapPoc.java

 

C:\temp>java  -classpath .;C:\mchyzer\grouper\v2_1\grouper\lib\grouper\* LdapPoc

log4j:WARN No appenders could be found for logger (edu.vt.middleware.ldap.handler.DefaultConnectionHandler).

log4j:WARN Please initialize the log4j system properly.

cn=test:ldapTesting:test1,ou=groups,dc=upenn,dc=edu

results: 1

- netmon

cn=test:testGroup,ou=groups,dc=upenn,dc=edu

results: 4

- convery

- mchyzer

- bwh

- harveycg

 

C:\temp>

 

From: [mailto:] On Behalf Of Bryan E. Wooten
Sent: Friday, April 12, 2013 3:17 PM
To: Gagné Sébastien;
Subject: RE: [grouper-users] Can't get "list of groups" to populate members

 

I changed subjectIdentifier to subject ID and set this in log4j.properties: log4j.logger.edu.internet2.middleware = DEBUG.

 

In my sources.xml searchSubject and searchSubjectIdentifier have the same filter: cn=.

 

I have another single Grouper Loader LDAP that is LDAP_SIMPLE. It works just fine. Its subject ID type is subjectIdentifier. When I watch the log when this group is populated I see all the ldap queries for the members. Still scratching my head.

 

Still no members added. I see this in the log file:

 

2013-04-12 13:08:59,812: [main] DEBUG GrouperUtil.substituteExpressionLanguage(9018) -  - Subsituting EL: 'groups:${groupAttributes['cn']}', and with env vars: loaderLdapElUtils, groupAttributes, grouperUtil with result: 'groups:HSC Users'

2013-04-12 13:08:59,815: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: personLdap: GrouperLoaderLdapServer [batchSize=-1, countLimit=-1, driver=null, expirationTime=-1, maxPoolSize=-1, minPoolSize=-1, pass=XXXXX, pruneTimerPeriod=-1, saslAuthorizationId=, saslRealm=, timeLimit=-1, timeout=-1, tls=false, url="ldap://idm-win1.acs.utah.edu:389," user=cn=IDMFull,OU=Services,OU=Administration,dc=testad,dc=utah,dc=edu, validateOnCheckIn=false, validateOnCheckOut=true, validatePeriodically=false, validateTimerPeriod=-1]

2013-04-12 13:08:59,818: [main] DEBUG GrouperUtil.substituteExpressionLanguage(9018) -  - Subsituting EL: 'groups:${groupAttributes['cn']}', and with env vars: loaderLdapElUtils, groupAttributes, grouperUtil with result: 'groups:AllgNIDs'

2013-04-12 13:08:59,820: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: personLdap: GrouperLoaderLdapServer [batchSize=-1, countLimit=-1, driver=null, expirationTime=-1, maxPoolSize=-1, minPoolSize=-1, pass=XXXXX, pruneTimerPeriod=-1, saslAuthorizationId=, saslRealm=, timeLimit=-1, timeout=-1, tls=false, url="ldap://idm-win1.acs.utah.edu:389," user=cn=IDMFull,OU=Services,OU=Administration,dc=testad,dc=utah,dc=edu, validateOnCheckIn=false, validateOnCheckOut=true, validatePeriodically=false, validateTimerPeriod=-1]

2013-04-12 13:08:59,823: [main] DEBUG GrouperUtil.substituteExpressionLanguage(9018) -  - Subsituting EL: 'groups:${groupAttributes['cn']}', and with env vars: loaderLdapElUtils, groupAttributes, grouperUtil with result: 'groups:All uNIDS'

2013-04-12 13:08:59,825: [main] DEBUG GrouperLoaderResultset$1.callback(582) -  - Found 3 results, (0 sub-results) for serverId: personLdap, searchDn: ou=Security Groups,dc=testad,dc=utah,dc=edu, filter: '(|(cn=All uNIDS)(cn=AllgNIDs)(cn=HSC Users))', returning subject attribute: member, some results: {ActiveDirectory:groups:HSC Users=[], ActiveDirectory:groups:All uNIDS=[], ActiveDirectory:groups...

2013-04-12 13:08:59,827: [main] DEBUG GrouperLoaderType$7.runJob(862) -  - ActiveDirectory:groupListLdapGroup: start syncing membership

2013-04-12 13:08:59,829: [main] DEBUG GrouperLoaderType.syncGroupList(1114) -  - ActiveDirectory:groupListLdapGroup: found 0 members overall

2013-04-12 13:08:59,830: [main] DEBUG GrouperLoaderType.syncGroupList(1124) -  - ActiveDirectory:groupListLdapGroup: syncing membership for 0 groups

2013-04-12 13:08:59,832: [main] DEBUG GrouperLoaderType.syncGroupList(1340) -  - ActiveDirectory:groupListLdapGroup: syncing membership for ActiveDirectory:groups:HSC Users 1 out of 3 groups

2013-04-12 13:08:59,841: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1926) -  - ActiveDirectory:groups:HSC Users start syncing membership

2013-04-12 13:08:59,843: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1942) -  - ActiveDirectory:groups:HSC Users syncing 0 rows

2013-04-12 13:08:59,984: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: edu.internet2.middleware.grouper.changeLog.ChangeLogTypeFinder.typeCache, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 10000, eternal: false, timeToIdleSeconds: 600, timeToLiveSeconds: 600, overFlowToDisk: false

2013-04-12 13:09:00,069: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: edu.internet2.middleware.grouper.rules.RuleEngine.ruleEngine, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 100, eternal: false, timeToIdleSeconds: 300, timeToLiveSeconds: 300, overFlowToDisk: false

2013-04-12 13:09:00,071: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: RuleEngine.hasAccessToElApi, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 1000, eternal: false, timeToIdleSeconds: 150, timeToLiveSeconds: 150, overFlowToDisk: false

2013-04-12 13:09:00,128: [main] DEBUG RuleEngine.fireRule(474) -  - Rules engine processing rulesBean: stem: ActiveDirectory:groups, , found 0 matching rule definitions, shouldFire count: 0

2013-04-12 13:09:00,288: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: edu.internet2.middleware.grouper.audit.AuditTypeFinder.typeCache, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 10000, eternal: false, timeToIdleSeconds: 600, timeToLiveSeconds: 600, overFlowToDisk: false

2013-04-12 13:09:00,302: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] add stem: 'ActiveDirectory:groups' (427ms)

2013-04-12 13:09:00,341: [main] DEBUG GrouperSubject._populateAttributes(364) -  - [ActiveDirectory:groups:HSC Users] attached 0 new attributes: 8

2013-04-12 13:09:00,361: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: edu.internet2.middleware.grouper.internal.dao.hib3.Hib3GroupDAO.exists, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 1000, eternal: false, timeToIdleSeconds: 30, timeToLiveSeconds: 120, overFlowToDisk: false

2013-04-12 13:09:00,400: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: edu.internet2.middleware.grouper.hooks.beans.HooksContext.groupNameToGroupCache, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 2000, eternal: false, timeToIdleSeconds: 0, timeToLiveSeconds: 300, overFlowToDisk: false

2013-04-12 13:09:00,402: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: edu.internet2.middleware.grouper.hooks.beans.HooksContext.subjectInGroupCache, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 2000, eternal: false, timeToIdleSeconds: 0, timeToLiveSeconds: 300, overFlowToDisk: false

2013-04-12 13:09:00,403: [main] DEBUG GrouperHooksUtils.executeHook(490) -  - START: Hook GroupTypeSecurityHook.groupTypeTuplePostInsert id: RPP0KTPC

2013-04-12 13:09:00,413: [main] DEBUG GroupTypeSecurityHook.vetoIfNecessary(200) -  - Allowing since cant find rule for groupType: base, adding type, on group: ActiveDirectory:groups:HSC Users only have rules for wheel: grouperLoader, grouperGroupMembershipSettings, and groups: empty

2013-04-12 13:09:00,414: [main] DEBUG GrouperHooksUtils.executeHook(496) -  - END (normal): Hook GroupTypeSecurityHook.groupTypeTuplePostInsert id: RPP0KTPC (11ms)

2013-04-12 13:09:00,485: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:HSC Users' priv='view' subject='GrouperAll'/'application'/'g:isa' (22ms)

2013-04-12 13:09:00,503: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:HSC Users' priv='read' subject='GrouperAll'/'application'/'g:isa' (16ms)

2013-04-12 13:09:00,505: [main] DEBUG RuleEngine.fireRule(474) -  - Rules engine processing rulesBean: group: ActiveDirectory:groups:HSC Users, , found 0 matching rule definitions, shouldFire count: 0

2013-04-12 13:09:00,510: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] add group: 'ActiveDirectory:groups:HSC Users' (198ms)

2013-04-12 13:09:00,581: [main] DEBUG GrouperSubject._populateAttributes(364) -  - [ActiveDirectory:groups:HSC Users] attached 0 new attributes: 8

2013-04-12 13:09:00,601: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1960) -  - ActiveDirectory:groups:HSC Users: saving group if necessary, result type: INSERT

2013-04-12 13:09:00,607: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2055) -  - Done assigning privilege to related groups: ActiveDirectory:groups:HSC Users

2013-04-12 13:09:00,673: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - ActiveDirectory:groups:HSC Users done syncing membership, processed 0 records.  Total members: 0, inserts: 0, deletes: 0

2013-04-12 13:09:00,718: [main] DEBUG GrouperLoaderType.syncGroupList(1340) -  - ActiveDirectory:groupListLdapGroup: syncing membership for ActiveDirectory:groups:All uNIDS 2 out of 3 groups

2013-04-12 13:09:00,738: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1926) -  - ActiveDirectory:groups:All uNIDS start syncing membership

2013-04-12 13:09:00,740: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1942) -  - ActiveDirectory:groups:All uNIDS syncing 0 rows

2013-04-12 13:09:00,769: [main] DEBUG GrouperSubject._populateAttributes(364) -  - [ActiveDirectory:groups:All uNIDS] attached 0 new attributes: 8

2013-04-12 13:09:00,831: [main] DEBUG GrouperHooksUtils.executeHook(490) -  - START: Hook GroupTypeSecurityHook.groupTypeTuplePostInsert id: RPP0KTPF

2013-04-12 13:09:00,839: [main] DEBUG GroupTypeSecurityHook.vetoIfNecessary(200) -  - Allowing since cant find rule for groupType: base, adding type, on group: ActiveDirectory:groups:All uNIDS only have rules for wheel: grouperLoader, grouperGroupMembershipSettings, and groups: empty

2013-04-12 13:09:00,842: [main] DEBUG GrouperHooksUtils.executeHook(496) -  - END (normal): Hook GroupTypeSecurityHook.groupTypeTuplePostInsert id: RPP0KTPF (11ms)

2013-04-12 13:09:00,915: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:All uNIDS' priv='view' subject='GrouperAll'/'application'/'g:isa' (26ms)

2013-04-12 13:09:00,937: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:All uNIDS' priv='read' subject='GrouperAll'/'application'/'g:isa' (20ms)

2013-04-12 13:09:00,938: [main] DEBUG RuleEngine.fireRule(474) -  - Rules engine processing rulesBean: group: ActiveDirectory:groups:All uNIDS, , found 0 matching rule definitions, shouldFire count: 0

2013-04-12 13:09:00,943: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] add group: 'ActiveDirectory:groups:All uNIDS' (194ms)

2013-04-12 13:09:00,965: [main] DEBUG GrouperSubject._populateAttributes(364) -  - [ActiveDirectory:groups:All uNIDS] attached 0 new attributes: 8

2013-04-12 13:09:00,986: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1960) -  - ActiveDirectory:groups:All uNIDS: saving group if necessary, result type: INSERT

2013-04-12 13:09:00,988: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2055) -  - Done assigning privilege to related groups: ActiveDirectory:groups:All uNIDS

2013-04-12 13:09:01,002: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - ActiveDirectory:groups:All uNIDS done syncing membership, processed 0 records.  Total members: 0, inserts: 0, deletes: 0

2013-04-12 13:09:01,031: [main] DEBUG GrouperLoaderType.syncGroupList(1340) -  - ActiveDirectory:groupListLdapGroup: syncing membership for ActiveDirectory:groups:AllgNIDs 3 out of 3 groups

2013-04-12 13:09:01,040: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1926) -  - ActiveDirectory:groups:AllgNIDs start syncing membership

2013-04-12 13:09:01,042: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1942) -  - ActiveDirectory:groups:AllgNIDs syncing 0 rows

2013-04-12 13:09:01,076: [main] DEBUG GrouperSubject._populateAttributes(364) -  - [ActiveDirectory:groups:AllgNIDs] attached 0 new attributes: 8

2013-04-12 13:09:01,100: [main] DEBUG GrouperHooksUtils.executeHook(490) -  - START: Hook GroupTypeSecurityHook.groupTypeTuplePostInsert id: RPP0KTPI

2013-04-12 13:09:01,104: [main] DEBUG GroupTypeSecurityHook.vetoIfNecessary(200) -  - Allowing since cant find rule for groupType: base, adding type, on group: ActiveDirectory:groups:AllgNIDs only have rules for wheel: grouperLoader, grouperGroupMembershipSettings, and groups: empty

2013-04-12 13:09:01,105: [main] DEBUG GrouperHooksUtils.executeHook(496) -  - END (normal): Hook GroupTypeSecurityHook.groupTypeTuplePostInsert id: RPP0KTPI (5ms)

2013-04-12 13:09:01,129: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:AllgNIDs' priv='view' subject='GrouperAll'/'application'/'g:isa' (9ms)

2013-04-12 13:09:01,139: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:AllgNIDs' priv='read' subject='GrouperAll'/'application'/'g:isa' (9ms)

2013-04-12 13:09:01,140: [main] DEBUG RuleEngine.fireRule(474) -  - Rules engine processing rulesBean: group: ActiveDirectory:groups:AllgNIDs, , found 0 matching rule definitions, shouldFire count: 0

2013-04-12 13:09:01,148: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] add group: 'ActiveDirectory:groups:AllgNIDs' (96ms)

2013-04-12 13:09:01,173: [main] DEBUG GrouperSubject._populateAttributes(364) -  - [ActiveDirectory:groups:AllgNIDs] attached 0 new attributes: 8

2013-04-12 13:09:01,179: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1960) -  - ActiveDirectory:groups:AllgNIDs: saving group if necessary, result type: INSERT

2013-04-12 13:09:01,180: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2055) -  - Done assigning privilege to related groups: ActiveDirectory:groups:AllgNIDs

2013-04-12 13:09:01,186: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - ActiveDirectory:groups:AllgNIDs done syncing membership, processed 0 records.  Total members: 0, inserts: 0, deletes: 0

2013-04-12 13:09:01,203: [main] DEBUG GrouperLoaderType.syncGroupList(1433) -  - ActiveDirectory:groupListLdapGroup: done syncing membership

 

 

From: Gagné Sébastien []
Sent: Friday, April 12, 2013 12:21 PM
To: Bryan E. Wooten;
Subject: RE: [grouper-users] Can't get "list of groups" to populate members

 

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectIdentifier");

 

Is it really subjectIdentifier? I was using “subjectId” as defined in the sources.xml. The member attribute returns DN, do you have to convert it to a subject ID or is the DN a subjectIdentifier?

 

grouperLoaderLdapSubjectExpression = ${udemLoaderElUtils.convertAdMemberDnToSpecificValue(subjectId)}

 

Maybe you could increase the log level and see if there are subject not found errors, or are you already at DEBUG for everything?

 

From: [] On Behalf Of Bryan E. Wooten
Sent: April 12, 2013 13:05
To:
Subject: [grouper-users] Can't get "list of groups" to populate members

 

Following Part 2 of the Group loader LDAP training video I can’t get the loader to add members to the groups.

 

I ran the following script:

 

grouperSession = GrouperSession.startRootSession();
group = new GroupSave(grouperSession).assignName("ActiveDirectory:groupListLdapGroup").assignCreateParentStemsIfNotExist(true).save();
attributeAssign = group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();
attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true);
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUP_LIST");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(|(cn=All uNIDS)(cn=AllgNIDs)(cn=HSC Users))");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=Security Groups,dc=testad,dc=utah,dc=edu");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "personLdap");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "ldap");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "member");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectIdentifier");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapExtraAttributesName(), "cn");
attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupNameExpressionName(), "groups:${groupAttributes['cn']}");
group = GroupFinder.findByName(grouperSession, "ActiveDirectory:groupListLdapGroup");

 

 

And then I ran the following:

 

gsh 0%  grouperSession = GrouperSession.startRootSession();

edu.internet2.middleware.grouper.GrouperSession: 127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'

gsh 1%  group = GroupFinder.findByName(grouperSession,"ActiveDirectory:groupListLdapGroup");

group: name='ActiveDirectory:groupListLdapGroup' displayName='Active Directory Groups:groupListLdapGroup' uuid='7f979dfdf0614017bcf2eab0ff990ce0'

gsh 2% loaderRunOneJob(group);

loader ran successfully, inserted 0 memberships, deleted 0 memberships, total membership count: 0

gsh 3% exit

 

Then using the lite UI I added the Grouper loader LDAP subject expression attribute with a value of ${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}.

 

 

In the grouper_error.log I see this:

 

2013-04-12 11:02:38,285: [main] DEBUG DefaultConnectionHandler.connectInternal(74) -  - Bind with the following parameters:

2013-04-12 11:02:38,287: [main] DEBUG DefaultConnectionHandler.connectInternal(75) -  -   authtype = simple

2013-04-12 11:02:38,288: [main] DEBUG DefaultConnectionHandler.connectInternal(76) -  -   dn = cn=IDMFull,OU=Services,OU=Administration,dc=testad,dc=utah,dc=edu

2013-04-12 11:02:38,289: [main] DEBUG DefaultConnectionHandler.connectInternal(83) -  -   credential = <suppressed>

2013-04-12 11:02:38,302: [main] WARN  AbstractLdapFactory.validate(165) -  - validate called, but no validator configured

2013-04-12 11:02:38,304: [main] DEBUG AbstractLdap.search(193) -  - Search with the following parameters:

2013-04-12 11:02:38,305: [main] DEBUG AbstractLdap.search(194) -  -   dn = ou=Security Groups,dc=testad,dc=utah,dc=edu

2013-04-12 11:02:38,306: [main] DEBUG AbstractLdap.search(195) -  -   filter = (|(cn=All uNIDS)(cn=AllgNIDs)(cn=HSC Users))

2013-04-12 11:02:38,307: [main] DEBUG AbstractLdap.search(196) -  -   filterArgs = []

2013-04-12 11:02:38,308: [main] DEBUG AbstractLdap.search(197) -  -   searchControls =

2013-04-12 11:02:38,309: [main] DEBUG AbstractLdap.search(198) -  -   handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@573ce184]

2013-04-12 11:02:39,280: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] add stem: 'ActiveDirectory:groups' (674ms)

2013-04-12 11:02:39,532: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:HSC Users' priv='view' subject='GrouperAll'/'application'/'g:isa' (34ms)

2013-04-12 11:02:39,561: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:HSC Users' priv='read' subject='GrouperAll'/'application'/'g:isa' (27ms)

2013-04-12 11:02:39,569: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] add group: 'ActiveDirectory:groups:HSC Users' (271ms)

2013-04-12 11:02:39,878: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:All uNIDS' priv='view' subject='GrouperAll'/'application'/'g:isa' (26ms)

2013-04-12 11:02:39,906: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:All uNIDS' priv='read' subject='GrouperAll'/'application'/'g:isa' (26ms)

2013-04-12 11:02:39,915: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] add group: 'ActiveDirectory:groups:All uNIDS' (176ms)

2013-04-12 11:02:40,218: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:AllgNIDs' priv='view' subject='GrouperAll'/'application'/'g:isa' (22ms)

2013-04-12 11:02:40,244: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:AllgNIDs' priv='read' subject='GrouperAll'/'application'/'g:isa' (24ms)

2013-04-12 11:02:40,266: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] add group: 'ActiveDirectory:groups:AllgNIDs' (193ms)

 

The groups get added to Grouper but there is no attempt to add members. Am I missing something?

 

Thanks,

 

Bryan
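
A triage script for the loader output discussed in this thread, as an added example that is not part of the original messages or of Grouper: it flags a search that matched groups but returned no member values ("Found N results, (0 sub-results)"), groups whose sync ended with 0 members, and an LDAP profile logged with an ldap:// URL and tls=false, where a simple bind sends the password unencrypted. The names `parse_profiles` and `triage`, the finding labels and the sample log lines are assumptions constructed for this example.

```python
import re

# Constructed sample (not from the thread): shortened lines in the same format as
# the Grouper loader DEBUG/INFO output quoted above; hosts and DNs are placeholders.
SAMPLE_LOG = """\
2013-04-12 13:08:59,815: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: adLdap: GrouperLoaderLdapServer [batchSize=-1, pass=XXXXX, tls=false, url="ldap://ad.example.edu:389," user=cn=svc,dc=example,dc=edu, validateOnCheckIn=false]
2013-04-12 13:08:59,825: [main] DEBUG GrouperLoaderResultset$1.callback(582) -  - Found 3 results, (0 sub-results) for serverId: adLdap, searchDn: ou=Groups,dc=example,dc=edu, filter: '(|(cn=A)(cn=B)(cn=C))', returning subject attribute: member, some results: {x:groups:A=[], x:groups:B=[], ...
2013-04-12 13:09:00,673: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - x:groups:A done syncing membership, processed 0 records.  Total members: 0, inserts: 0, deletes: 0
2013-04-13 16:54:35,101: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: personLdap: GrouperLoaderLdapServer [batchSize=-1, pass=XXXXX, tls=false, url="ldaps://ldap.example.edu:636/dc=example,dc=edu," user=uid=svc,dc=example,dc=edu, validateOnCheckIn=false]
2013-04-13 16:54:35,103: [main] DEBUG GrouperLoaderResultset$1.callback(582) -  - Found 2 results, (5 sub-results) for serverId: personLdap, searchDn: ou=groups, filter: '(|(cn=test:testGroup)(cn=test:ldaptesting:test1))', returning subject attribute: hasMember, some results: {...
2013-04-13 16:54:35,238: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - y:groups:test1 done syncing membership, processed 1 records.  Total members: 1, inserts: 1, deletes: 0
"""

# "LDAP config for server id: <id>: GrouperLoaderLdapServer [k=v, k=v, ...]"
CONFIG_RE = re.compile(
    r"LDAP config for server id: (?P<id>[^:]+): GrouperLoaderLdapServer \[(?P<body>.*)\]")
# The search DN itself contains commas, so it is matched lazily up to ", filter: '".
RESULT_RE = re.compile(
    r"Found (?P<groups>\d+) results, \((?P<subs>\d+) sub-results\) "
    r"for serverId: (?P<server>[^,]+), searchDn: (?P<dn>.*?), "
    r"filter: '(?P<filter>.*?)', returning subject attribute: (?P<attr>[^,]+),")
# Per-group summary; group names may contain spaces ("groups:HSC Users").
SYNC_RE = re.compile(
    r"\) -\s+- (?P<group>.+?) done syncing membership, processed \d+ records\.\s+"
    r"Total members: (?P<total>\d+), inserts: (?P<ins>\d+), deletes: (?P<dels>\d+)")


def parse_profiles(text):
    """Return {server_id: {"url": str, "tls": bool}} from the logged LDAP profiles."""
    profiles = {}
    for m in CONFIG_RE.finditer(text):
        body = m["body"]
        url = re.search(r'url="([^"]*)"', body)
        tls = re.search(r"\btls=(true|false)\b", body)
        profiles[m["id"]] = {
            # The logged url value carries a trailing comma inside the quotes.
            "url": url.group(1).rstrip(",") if url else "",
            "tls": tls is not None and tls.group(1) == "true",
        }
    return profiles


def triage(text):
    """Return a list of (kind, subject, detail) findings for a loader log."""
    findings = []
    # Profile check: ldap:// with tls=false means the bind is not encrypted.
    for server_id, profile in sorted(parse_profiles(text).items()):
        if profile["url"].lower().startswith("ldap://") and not profile["tls"]:
            findings.append(("CLEARTEXT_LDAP", server_id, profile["url"]))
    # Symptom from the thread: groups matched, but the member attribute was empty.
    for m in RESULT_RE.finditer(text):
        if int(m["groups"]) > 0 and int(m["subs"]) == 0:
            detail = (f"{m['groups']} groups matched under '{m['dn']}' but "
                      f"attribute '{m['attr']}' returned no values")
            findings.append(("NO_MEMBER_VALUES", m["server"], detail))
    # Informational: groups that ended the sync with no members at all.
    for m in SYNC_RE.finditer(text):
        if int(m["total"]) == 0:
            findings.append(("EMPTY_GROUP", m["group"], "sync finished with 0 members"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:17} {subject:12} {detail}")
```
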

 



