
grouper-users - RE: [grouper-users] Can't get "list of groups" to populate members

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Chris Hyzer <>, "Bryan E. Wooten" <>, Gagné Sébastien <>, "" <>
  • Subject: RE: [grouper-users] Can't get "list of groups" to populate members
  • Date: Mon, 15 Apr 2013 14:11:14 +0000

I found an AD I can use at Penn, and my sample Java program worked fine.  Does it work for you?  I ran a sample loader job against it and it worked too.  Your connecting user has all the privileges it needs (can read the member attribute?)  right?  That might be a dumb question, not sure what is going on here…  i.e. when you browse the directory in an LDAP browser, using the connecting user you are using, you see the member attribute and values, right?

 

2013-04-15 10:06:14,876: [main] DEBUG GrouperLoaderResultset$1.callback(582) -  - Found 3 results, (23 sub-results) for serverId: personLdap2, searchDn: OU=security_grp_ou, filter: '(|(CN=aitAdmin)(CN=aitConsultant)(CN=aitDirectors))', returning subject attribute: member, some results: {groups:aitAdmin=[CN=John Smith,OU=ait_ou,DC=somedc,DC=upenn,DC=edu, CN=Mr Anderson,OU=ait_ou,...

 

 

Thanks,

Chris

 

From: Chris Hyzer
Sent: Saturday, April 13, 2013 5:31 PM
To: 'Bryan E. Wooten'; Gagné Sébastien;
Subject: RE: [grouper-users] Can't get "list of groups" to populate members

 

The log messages show no members being returned from AD I believe.  I ran the example on the doc page against openldap, and it worked, and these are the logs.  I highlighted the important parts…  also, look below, I would like you to try something against AD which works in my openldap.

 

 

log4j.logger.edu.internet2.middleware.grouper.app.loader = DEBUG

 

#######################################

 

gsh 3% loaderRunOneJob(group);

2013-04-13 16:54:35,098: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: personLdap: GrouperLoaderLdapServer [batchSize=-1, countLimit=-1, driver=null, expirationTime=-1, maxPoolSize=-1, minPoolSize=-1, pass=XXXXX, pruneTimerPeriod=-1, saslAuthorizationId=, saslRealm=, timeLimit=-1, timeout=-1, tls=false, url="ldaps://xxxxxxx:636/dc=upenn,dc=edu," user=uid=xxxxxxxxxxxx,ou=entities,dc=upenn,dc=edu, validateOnCheckIn=false, validateOnCheckOut=true, validatePeriodically=false, validateTimerPeriod=-1]

2013-04-13 16:54:35,101: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: personLdap: GrouperLoaderLdapServer [batchSize=-1, countLimit=-1, driver=null, expirationTime=-1, maxPoolSize=-1, minPoolSize=-1, pass=XXXXX, pruneTimerPeriod=-1, saslAuthorizationId=, saslRealm=, timeLimit=-1, timeout=-1, tls=false, url="ldaps://xxxxxxxxx:636/dc=upenn,dc=edu," user=uid=xxxxxxxxxx,ou=entities,dc=upenn,dc=edu, validateOnCheckIn=false, validateOnCheckOut=true, validatePeriodically=false, validateTimerPeriod=-1]

2013-04-13 16:54:35,103: [main] DEBUG GrouperLoaderResultset$1.callback(582) -  - Found 2 results, (5 sub-results) for serverId: personLdap, searchDn: ou=groups, filter: '(|(cn=test:testGroup)(cn=test:ldaptesting:test1)(cn=test:testEmptyGroup))', returning subject attribute: hasMember, some results: {anotherStem:groups:test:ldapTesting:test1=[netmon], anotherStem:groups:test:testGroup=[convery, ...

2013-04-13 16:54:35,141: [main] DEBUG GrouperLoaderType$7.runJob(862) -  - anotherStem:groupListLdapGroup: start syncing membership

2013-04-13 16:54:35,141: [main] DEBUG GrouperLoaderType.syncGroupList(1114) -  - anotherStem:groupListLdapGroup: found 5 members overall

2013-04-13 16:54:35,142: [main] DEBUG GrouperLoaderType.syncGroupList(1124) -  - anotherStem:groupListLdapGroup: syncing membership for 2 groups

2013-04-13 16:54:35,142: [main] DEBUG GrouperLoaderType.syncGroupList(1340) -  - anotherStem:groupListLdapGroup: syncing membership for anotherStem:groups:test:ldapTesting:test1 1 out of 2 groups

2013-04-13 16:54:35,148: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1926) -  - anotherStem:groups:test:ldapTesting:test1 start syncing membership

2013-04-13 16:54:35,149: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1942) -  - anotherStem:groups:test:ldapTesting:test1 syncing 1 rows

2013-04-13 16:54:35,169: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1960) -  - anotherStem:groups:test:ldapTesting:test1: saving group if necessary, result type: NO_CHANGE

2013-04-13 16:54:35,170: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2055) -  - Done assigning privilege to related groups: anotherStem:groups:test:ldapTesting:test1

2013-04-13 16:54:35,176: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - anotherStem:groups:test:ldapTesting:test1 will add subject to group: Penn person/12345678, 1 of 1 subjects

2013-04-13 16:54:35,237: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: anotherStem:groups:test:ldapTesting:test1 add Subject id: 12345678, sourceId: pennperson, alreadyAdded: false

2013-04-13 16:54:35,238: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - anotherStem:groups:test:ldapTesting:test1 done syncing membership, processed 1 records.  Total members: 1, inserts: 1, deletes: 0

2013-04-13 16:54:35,256: [main] DEBUG GrouperLoaderType.syncGroupList(1340) -  - anotherStem:groupListLdapGroup: syncing membership for anotherStem:groups:test:testGroup 2 out of 2 groups

2013-04-13 16:54:35,263: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1926) -  - anotherStem:groups:test:testGroup start syncing membership

2013-04-13 16:54:35,264: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1942) -  - anotherStem:groups:test:testGroup syncing 4 rows

2013-04-13 16:54:35,275: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1960) -  - anotherStem:groups:test:testGroup: saving group if necessary, result type: NO_CHANGE

2013-04-13 16:54:35,276: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2055) -  - Done assigning privilege to related groups: anotherStem:groups:test:testGroup

2013-04-13 16:54:35,311: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - anotherStem:groups:test:testGroup will add subject to group: Penn person/13345678, 1 of 3 subjects

2013-04-13 16:54:35,312: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - anotherStem:groups:test:testGroup will add subject to group: Penn person/22345678, 2 of 3 subjects

2013-04-13 16:54:35,313: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2149) -  - anotherStem:groups:test:testGroup will add subject to group: Penn person/12345679, 3 of 3 subjects

2013-04-13 16:54:35,384: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: anotherStem:groups:test:testGroup add Subject id: 22345678, sourceId: pennperson, alreadyAdded: false

2013-04-13 16:54:35,426: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: anotherStem:groups:test:testGroup add Subject id: 13345678, sourceId: pennperson, alreadyAdded: false

2013-04-13 16:54:35,460: [main] DEBUG GrouperLoaderType$10.callback(2256) -  - Group: anotherStem:groups:test:testGroup add Subject id: 12345679, sourceId: pennperson, alreadyAdded: false

2013-04-13 16:54:35,460: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - anotherStem:groups:test:testGroup done syncing membership, processed 4 records.  Total members: 4, inserts: 3, deletes: 0

2013-04-13 16:54:35,469: [main] DEBUG GrouperLoaderType.syncGroupList(1433) -  - anotherStem:groupListLdapGroup: done syncing membership

loader ran successfully, inserted 4 memberships, deleted 0 memberships, total membership count: 5

gsh 4%

 

##############################################

 

(note, if you are using a mac or unix, the semi-colon in the classpath when running below should be a colon…)

 

Here is the file LdapPoc.java (change the yellow stuff).  Does this work against AD?

 

 

###########################################

 

import java.util.*;

import javax.naming.directory.*;

import edu.vt.middleware.ldap.*;
import edu.vt.middleware.ldap.pool.*;

public class LdapPoc {

  public static void main(String[] args) throws Exception {

    // connection settings: change the URL, base DN, bind DN and password for your directory
    LdapConfig ldapConfig = new LdapConfig("ldaps://xxxxxxxxx:636", "dc=upenn,dc=edu");
    ldapConfig.setBindDn("uid=xxxxxxxxxx,ou=entities,dc=upenn,dc=edu");
    ldapConfig.setBindCredential("xxxxxxxx");

    DefaultLdapFactory factory = new DefaultLdapFactory(ldapConfig);
    BlockingLdapPool pool = new BlockingLdapPool(factory);
    Ldap ldap = pool.checkOut();

    try {
      // multi-valued attribute that holds the group members
      String attributeName = "hasMember";
      Iterator<SearchResult> results = ldap.search("ou=groups,dc=upenn,dc=edu",
          new SearchFilter("(|(cn=test:testGroup)(cn=test:ldaptesting:test1)(cn=test:testEmptyGroup))"), new String[]{attributeName});

      while (results.hasNext()) {
        SearchResult searchResult = results.next();
        System.out.println(searchResult.getName());

        // the attribute is absent (null) when the entry has no values for it
        // or the bind user is not allowed to read it
        Attribute attribute = searchResult.getAttributes().get(attributeName);
        if (attribute == null) {
          System.out.println("results: 0");
          continue;
        }
        System.out.println("results: " + attribute.size());
        for (int i = 0; i < attribute.size(); i++) {
          System.out.println(" - " + attribute.get(i));
        }
      }
    } finally {
      // always return the connection to the pool
      pool.checkIn(ldap);
    }
  }
}

#############################################

 

C:\temp>javac -classpath C:\mchyzer\grouper\v2_1\grouper\lib\grouper\vt-ldap.jar    LdapPoc.java

 

C:\temp>java  -classpath .;C:\mchyzer\grouper\v2_1\grouper\lib\grouper\* LdapPoc

log4j:WARN No appenders could be found for logger (edu.vt.middleware.ldap.handler.DefaultConnectionHandler).

log4j:WARN Please initialize the log4j system properly.

cn=test:ldapTesting:test1,ou=groups,dc=upenn,dc=edu

results: 1

- netmon

cn=test:testGroup,ou=groups,dc=upenn,dc=edu

results: 4

- convery

- mchyzer

- bwh

- harveycg

 

C:\temp>

 

From: [] On Behalf Of Bryan E. Wooten
Sent: Friday, April 12, 2013 3:17 PM
To: Gagné Sébastien;
Subject: RE: [grouper-users] Can't get "list of groups" to populate members

 

I changed subjectIdentifier to subject ID and set this in log4j.properties: log4j.logger.edu.internet2.middleware = DEBUG.

 

In my sources.xml searchSubject and searchSubjectIdentifier have the same filter: cn=.

 

I have another single Grouper Loader LDAP that is LDAP_SIMPLE. It works just fine. Its subject ID type is subjectIdentifier. When I watch the log when this group is populated I see all the LDAP queries for the members. Still scratching my head.

 

Still no members added. I see this in the log file:

 

2013-04-12 13:08:59,812: [main] DEBUG GrouperUtil.substituteExpressionLanguage(9018) -  - Subsituting EL: 'groups:${groupAttributes['cn']}', and with env vars: loaderLdapElUtils, groupAttributes, grouperUtil with result: 'groups:HSC Users'

2013-04-12 13:08:59,815: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: personLdap: GrouperLoaderLdapServer [batchSize=-1, countLimit=-1, driver=null, expirationTime=-1, maxPoolSize=-1, minPoolSize=-1, pass=XXXXX, pruneTimerPeriod=-1, saslAuthorizationId=, saslRealm=, timeLimit=-1, timeout=-1, tls=false, url="ldap://idm-win1.acs.utah.edu:389," user=cn=IDMFull,OU=Services,OU=Administration,dc=testad,dc=utah,dc=edu, validateOnCheckIn=false, validateOnCheckOut=true, validatePeriodically=false, validateTimerPeriod=-1]

2013-04-12 13:08:59,818: [main] DEBUG GrouperUtil.substituteExpressionLanguage(9018) -  - Subsituting EL: 'groups:${groupAttributes['cn']}', and with env vars: loaderLdapElUtils, groupAttributes, grouperUtil with result: 'groups:AllgNIDs'

2013-04-12 13:08:59,820: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: personLdap: GrouperLoaderLdapServer [batchSize=-1, countLimit=-1, driver=null, expirationTime=-1, maxPoolSize=-1, minPoolSize=-1, pass=XXXXX, pruneTimerPeriod=-1, saslAuthorizationId=, saslRealm=, timeLimit=-1, timeout=-1, tls=false, url="ldap://idm-win1.acs.utah.edu:389," user=cn=IDMFull,OU=Services,OU=Administration,dc=testad,dc=utah,dc=edu, validateOnCheckIn=false, validateOnCheckOut=true, validatePeriodically=false, validateTimerPeriod=-1]

2013-04-12 13:08:59,823: [main] DEBUG GrouperUtil.substituteExpressionLanguage(9018) -  - Subsituting EL: 'groups:${groupAttributes['cn']}', and with env vars: loaderLdapElUtils, groupAttributes, grouperUtil with result: 'groups:All uNIDS'

2013-04-12 13:08:59,825: [main] DEBUG GrouperLoaderResultset$1.callback(582) -  - Found 3 results, (0 sub-results) for serverId: personLdap, searchDn: ou=Security Groups,dc=testad,dc=utah,dc=edu, filter: '(|(cn=All uNIDS)(cn=AllgNIDs)(cn=HSC Users))', returning subject attribute: member, some results: {ActiveDirectory:groups:HSC Users=[], ActiveDirectory:groups:All uNIDS=[], ActiveDirectory:groups...

2013-04-12 13:08:59,827: [main] DEBUG GrouperLoaderType$7.runJob(862) -  - ActiveDirectory:groupListLdapGroup: start syncing membership

2013-04-12 13:08:59,829: [main] DEBUG GrouperLoaderType.syncGroupList(1114) -  - ActiveDirectory:groupListLdapGroup: found 0 members overall

2013-04-12 13:08:59,830: [main] DEBUG GrouperLoaderType.syncGroupList(1124) -  - ActiveDirectory:groupListLdapGroup: syncing membership for 0 groups

2013-04-12 13:08:59,832: [main] DEBUG GrouperLoaderType.syncGroupList(1340) -  - ActiveDirectory:groupListLdapGroup: syncing membership for ActiveDirectory:groups:HSC Users 1 out of 3 groups

2013-04-12 13:08:59,841: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1926) -  - ActiveDirectory:groups:HSC Users start syncing membership

2013-04-12 13:08:59,843: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1942) -  - ActiveDirectory:groups:HSC Users syncing 0 rows

2013-04-12 13:08:59,984: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: edu.internet2.middleware.grouper.changeLog.ChangeLogTypeFinder.typeCache, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 10000, eternal: false, timeToIdleSeconds: 600, timeToLiveSeconds: 600, overFlowToDisk: false

2013-04-12 13:09:00,069: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: edu.internet2.middleware.grouper.rules.RuleEngine.ruleEngine, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 100, eternal: false, timeToIdleSeconds: 300, timeToLiveSeconds: 300, overFlowToDisk: false

2013-04-12 13:09:00,071: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: RuleEngine.hasAccessToElApi, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 1000, eternal: false, timeToIdleSeconds: 150, timeToLiveSeconds: 150, overFlowToDisk: false

2013-04-12 13:09:00,128: [main] DEBUG RuleEngine.fireRule(474) -  - Rules engine processing rulesBean: stem: ActiveDirectory:groups, , found 0 matching rule definitions, shouldFire count: 0

2013-04-12 13:09:00,288: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: edu.internet2.middleware.grouper.audit.AuditTypeFinder.typeCache, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 10000, eternal: false, timeToIdleSeconds: 600, timeToLiveSeconds: 600, overFlowToDisk: false

2013-04-12 13:09:00,302: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] add stem: 'ActiveDirectory:groups' (427ms)

2013-04-12 13:09:00,341: [main] DEBUG GrouperSubject._populateAttributes(364) -  - [ActiveDirectory:groups:HSC Users] attached 0 new attributes: 8

2013-04-12 13:09:00,361: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: edu.internet2.middleware.grouper.internal.dao.hib3.Hib3GroupDAO.exists, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 1000, eternal: false, timeToIdleSeconds: 30, timeToLiveSeconds: 120, overFlowToDisk: false

2013-04-12 13:09:00,400: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: edu.internet2.middleware.grouper.hooks.beans.HooksContext.groupNameToGroupCache, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 2000, eternal: false, timeToIdleSeconds: 0, timeToLiveSeconds: 300, overFlowToDisk: false

2013-04-12 13:09:00,402: [main] INFO  EhcacheController.getCache(192) -  - cache not configured explicitly: edu.internet2.middleware.grouper.hooks.beans.HooksContext.subjectInGroupCache, to override default values, configure in the resource /ehcache.xml.  Default values are:maxElementsInMemory: 2000, eternal: false, timeToIdleSeconds: 0, timeToLiveSeconds: 300, overFlowToDisk: false

2013-04-12 13:09:00,403: [main] DEBUG GrouperHooksUtils.executeHook(490) -  - START: Hook GroupTypeSecurityHook.groupTypeTuplePostInsert id: RPP0KTPC

2013-04-12 13:09:00,413: [main] DEBUG GroupTypeSecurityHook.vetoIfNecessary(200) -  - Allowing since cant find rule for groupType: base, adding type, on group: ActiveDirectory:groups:HSC Users only have rules for wheel: grouperLoader, grouperGroupMembershipSettings, and groups: empty

2013-04-12 13:09:00,414: [main] DEBUG GrouperHooksUtils.executeHook(496) -  - END (normal): Hook GroupTypeSecurityHook.groupTypeTuplePostInsert id: RPP0KTPC (11ms)

2013-04-12 13:09:00,485: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:HSC Users' priv='view' subject='GrouperAll'/'application'/'g:isa' (22ms)

2013-04-12 13:09:00,503: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:HSC Users' priv='read' subject='GrouperAll'/'application'/'g:isa' (16ms)

2013-04-12 13:09:00,505: [main] DEBUG RuleEngine.fireRule(474) -  - Rules engine processing rulesBean: group: ActiveDirectory:groups:HSC Users, , found 0 matching rule definitions, shouldFire count: 0

2013-04-12 13:09:00,510: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] add group: 'ActiveDirectory:groups:HSC Users' (198ms)

2013-04-12 13:09:00,581: [main] DEBUG GrouperSubject._populateAttributes(364) -  - [ActiveDirectory:groups:HSC Users] attached 0 new attributes: 8

2013-04-12 13:09:00,601: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1960) -  - ActiveDirectory:groups:HSC Users: saving group if necessary, result type: INSERT

2013-04-12 13:09:00,607: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2055) -  - Done assigning privilege to related groups: ActiveDirectory:groups:HSC Users

2013-04-12 13:09:00,673: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - ActiveDirectory:groups:HSC Users done syncing membership, processed 0 records.  Total members: 0, inserts: 0, deletes: 0

2013-04-12 13:09:00,718: [main] DEBUG GrouperLoaderType.syncGroupList(1340) -  - ActiveDirectory:groupListLdapGroup: syncing membership for ActiveDirectory:groups:All uNIDS 2 out of 3 groups

2013-04-12 13:09:00,738: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1926) -  - ActiveDirectory:groups:All uNIDS start syncing membership

2013-04-12 13:09:00,740: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1942) -  - ActiveDirectory:groups:All uNIDS syncing 0 rows

2013-04-12 13:09:00,769: [main] DEBUG GrouperSubject._populateAttributes(364) -  - [ActiveDirectory:groups:All uNIDS] attached 0 new attributes: 8

2013-04-12 13:09:00,831: [main] DEBUG GrouperHooksUtils.executeHook(490) -  - START: Hook GroupTypeSecurityHook.groupTypeTuplePostInsert id: RPP0KTPF

2013-04-12 13:09:00,839: [main] DEBUG GroupTypeSecurityHook.vetoIfNecessary(200) -  - Allowing since cant find rule for groupType: base, adding type, on group: ActiveDirectory:groups:All uNIDS only have rules for wheel: grouperLoader, grouperGroupMembershipSettings, and groups: empty

2013-04-12 13:09:00,842: [main] DEBUG GrouperHooksUtils.executeHook(496) -  - END (normal): Hook GroupTypeSecurityHook.groupTypeTuplePostInsert id: RPP0KTPF (11ms)

2013-04-12 13:09:00,915: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:All uNIDS' priv='view' subject='GrouperAll'/'application'/'g:isa' (26ms)

2013-04-12 13:09:00,937: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:All uNIDS' priv='read' subject='GrouperAll'/'application'/'g:isa' (20ms)

2013-04-12 13:09:00,938: [main] DEBUG RuleEngine.fireRule(474) -  - Rules engine processing rulesBean: group: ActiveDirectory:groups:All uNIDS, , found 0 matching rule definitions, shouldFire count: 0

2013-04-12 13:09:00,943: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] add group: 'ActiveDirectory:groups:All uNIDS' (194ms)

2013-04-12 13:09:00,965: [main] DEBUG GrouperSubject._populateAttributes(364) -  - [ActiveDirectory:groups:All uNIDS] attached 0 new attributes: 8

2013-04-12 13:09:00,986: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1960) -  - ActiveDirectory:groups:All uNIDS: saving group if necessary, result type: INSERT

2013-04-12 13:09:00,988: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2055) -  - Done assigning privilege to related groups: ActiveDirectory:groups:All uNIDS

2013-04-12 13:09:01,002: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - ActiveDirectory:groups:All uNIDS done syncing membership, processed 0 records.  Total members: 0, inserts: 0, deletes: 0

2013-04-12 13:09:01,031: [main] DEBUG GrouperLoaderType.syncGroupList(1340) -  - ActiveDirectory:groupListLdapGroup: syncing membership for ActiveDirectory:groups:AllgNIDs 3 out of 3 groups

2013-04-12 13:09:01,040: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1926) -  - ActiveDirectory:groups:AllgNIDs start syncing membership

2013-04-12 13:09:01,042: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1942) -  - ActiveDirectory:groups:AllgNIDs syncing 0 rows

2013-04-12 13:09:01,076: [main] DEBUG GrouperSubject._populateAttributes(364) -  - [ActiveDirectory:groups:AllgNIDs] attached 0 new attributes: 8

2013-04-12 13:09:01,100: [main] DEBUG GrouperHooksUtils.executeHook(490) -  - START: Hook GroupTypeSecurityHook.groupTypeTuplePostInsert id: RPP0KTPI

2013-04-12 13:09:01,104: [main] DEBUG GroupTypeSecurityHook.vetoIfNecessary(200) -  - Allowing since cant find rule for groupType: base, adding type, on group: ActiveDirectory:groups:AllgNIDs only have rules for wheel: grouperLoader, grouperGroupMembershipSettings, and groups: empty

2013-04-12 13:09:01,105: [main] DEBUG GrouperHooksUtils.executeHook(496) -  - END (normal): Hook GroupTypeSecurityHook.groupTypeTuplePostInsert id: RPP0KTPI (5ms)

2013-04-12 13:09:01,129: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:AllgNIDs' priv='view' subject='GrouperAll'/'application'/'g:isa' (9ms)

2013-04-12 13:09:01,139: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:AllgNIDs' priv='read' subject='GrouperAll'/'application'/'g:isa' (9ms)

2013-04-12 13:09:01,140: [main] DEBUG RuleEngine.fireRule(474) -  - Rules engine processing rulesBean: group: ActiveDirectory:groups:AllgNIDs, , found 0 matching rule definitions, shouldFire count: 0

2013-04-12 13:09:01,148: [main] INFO  EventLog.info(156) -  - [3fa7906e1b404f1ea316fd112bacaef2,'GrouperSystem','application'] add group: 'ActiveDirectory:groups:AllgNIDs' (96ms)

2013-04-12 13:09:01,173: [main] DEBUG GrouperSubject._populateAttributes(364) -  - [ActiveDirectory:groups:AllgNIDs] attached 0 new attributes: 8

2013-04-12 13:09:01,179: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(1960) -  - ActiveDirectory:groups:AllgNIDs: saving group if necessary, result type: INSERT

2013-04-12 13:09:01,180: [main] DEBUG GrouperLoaderType.syncOneGroupMembership(2055) -  - Done assigning privilege to related groups: ActiveDirectory:groups:AllgNIDs

2013-04-12 13:09:01,186: [main] INFO  GrouperLoaderType.syncOneGroupMembership(2301) -  - ActiveDirectory:groups:AllgNIDs done syncing membership, processed 0 records.  Total members: 0, inserts: 0, deletes: 0

2013-04-12 13:09:01,203: [main] DEBUG GrouperLoaderType.syncGroupList(1433) -  - ActiveDirectory:groupListLdapGroup: done syncing membership

 

 

From: Gagné Sébastien []
Sent: Friday, April 12, 2013 12:21 PM
To: Bryan E. Wooten;
Subject: RE: [grouper-users] Can't get "list of groups" to populate members

 

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectIdentifier");

 

Is it really subjectIdentifier? I was using “subjectId” as defined in the sources.xml. The member attribute returns a DN, do you have to convert it to a subject ID or is the DN a subjectIdentifier?

 

grouperLoaderLdapSubjectExpression = ${udemLoaderElUtils.convertAdMemberDnToSpecificValue(subjectId)}

 

Maybe you could increase the log level and see if there are "subject not found" errors, or are you already at DEBUG for everything?

 

From: [] On Behalf Of Bryan E. Wooten
Sent: April 12, 2013 13:05
To:
Subject: [grouper-users] Can't get "list of groups" to populate members

 

Following Part 2 of the Group loader LDAP training video I can’t get the loader to add members to the groups.

 

I ran the following script:

 

grouperSession = GrouperSession.startRootSession();

group = new GroupSave(grouperSession).assignName("ActiveDirectory:groupListLdapGroup").assignCreateParentStemsIfNotExist(true).save();

attributeAssign = group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign();

attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true);

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUP_LIST");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(|(cn=All uNIDS)(cn=AllgNIDs)(cn=HSC Users))");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=Security Groups,dc=testad,dc=utah,dc=edu");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "personLdap");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "ldap");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "member");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectIdentifier");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapExtraAttributesName(), "cn");

attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupNameExpressionName(), "groups:${groupAttributes['cn']}");

group = GroupFinder.findByName(grouperSession, "ActiveDirectory:groupListLdapGroup");

 

 

And then I ran the following:

 

gsh 0%  grouperSession = GrouperSession.startRootSession();

edu.internet2.middleware.grouper.GrouperSession: 127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'

gsh 1%  group = GroupFinder.findByName(grouperSession,"ActiveDirectory:groupListLdapGroup");

group: name='ActiveDirectory:groupListLdapGroup' displayName='Active Directory Groups:groupListLdapGroup' uuid='7f979dfdf0614017bcf2eab0ff990ce0'

gsh 2% loaderRunOneJob(group);

loader ran successfully, inserted 0 memberships, deleted 0 memberships, total membership count: 0

gsh 3% exit

 

Then using the lite UI I added the Grouper loader LDAP subject expression attribute with a value of ${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}.

 

 

In the grouper_error.log I see this:

 

2013-04-12 11:02:38,285: [main] DEBUG DefaultConnectionHandler.connectInternal(74) -  - Bind with the following parameters:

2013-04-12 11:02:38,287: [main] DEBUG DefaultConnectionHandler.connectInternal(75) -  -   authtype = simple

2013-04-12 11:02:38,288: [main] DEBUG DefaultConnectionHandler.connectInternal(76) -  -   dn = cn=IDMFull,OU=Services,OU=Administration,dc=testad,dc=utah,dc=edu

2013-04-12 11:02:38,289: [main] DEBUG DefaultConnectionHandler.connectInternal(83) -  -   credential = <suppressed>

2013-04-12 11:02:38,302: [main] WARN  AbstractLdapFactory.validate(165) -  - validate called, but no validator configured

2013-04-12 11:02:38,304: [main] DEBUG AbstractLdap.search(193) -  - Search with the following parameters:

2013-04-12 11:02:38,305: [main] DEBUG AbstractLdap.search(194) -  -   dn = ou=Security Groups,dc=testad,dc=utah,dc=edu

2013-04-12 11:02:38,306: [main] DEBUG AbstractLdap.search(195) -  -   filter = (|(cn=All uNIDS)(cn=AllgNIDs)(cn=HSC Users))

2013-04-12 11:02:38,307: [main] DEBUG AbstractLdap.search(196) -  -   filterArgs = []

2013-04-12 11:02:38,308: [main] DEBUG AbstractLdap.search(197) -  -   searchControls =

2013-04-12 11:02:38,309: [main] DEBUG AbstractLdap.search(198) -  -   handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@573ce184]

2013-04-12 11:02:39,280: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] add stem: 'ActiveDirectory:groups' (674ms)

2013-04-12 11:02:39,532: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:HSC Users' priv='view' subject='GrouperAll'/'application'/'g:isa' (34ms)

2013-04-12 11:02:39,561: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:HSC Users' priv='read' subject='GrouperAll'/'application'/'g:isa' (27ms)

2013-04-12 11:02:39,569: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] add group: 'ActiveDirectory:groups:HSC Users' (271ms)

2013-04-12 11:02:39,878: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:All uNIDS' priv='view' subject='GrouperAll'/'application'/'g:isa' (26ms)

2013-04-12 11:02:39,906: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:All uNIDS' priv='read' subject='GrouperAll'/'application'/'g:isa' (26ms)

2013-04-12 11:02:39,915: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] add group: 'ActiveDirectory:groups:All uNIDS' (176ms)

2013-04-12 11:02:40,218: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:AllgNIDs' priv='view' subject='GrouperAll'/'application'/'g:isa' (22ms)

2013-04-12 11:02:40,244: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] grant access priv: group='ActiveDirectory:groups:AllgNIDs' priv='read' subject='GrouperAll'/'application'/'g:isa' (24ms)

2013-04-12 11:02:40,266: [main] INFO  EventLog.info(156) -  - [127016ac3022414e80d76861fe49ba28,'GrouperSystem','application'] add group: 'ActiveDirectory:groups:AllgNIDs' (193ms)

 

The groups get added to Grouper but there is no attempt to add members. Am I missing something?

 

Thanks,

 

Bryan
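
An added example (not part of the thread and not Grouper code): a small Python check over loader DEBUG output that flags the two conditions visible in the logs quoted above, a group search that matches entries but returns no values for the subject attribute, and an LDAP profile that binds over ldap:// with tls=false. The sample lines are constructed on the pattern of the quoted log lines; the server ids, hosts, DNs and group names are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the DEBUG lines quoted in the thread.
# Server ids, hosts, DNs and group names are placeholders.
SAMPLE_LOG = """\
2013-04-12 13:08:59,815: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: adTest: GrouperLoaderLdapServer [batchSize=-1, pass=XXXXX, timeout=-1, tls=false, url="ldap://ad.example.edu:389," user=cn=svc,ou=Services,dc=example,dc=edu, validateOnCheckIn=false]
2013-04-12 13:08:59,820: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: adTest: GrouperLoaderLdapServer [batchSize=-1, pass=XXXXX, timeout=-1, tls=false, url="ldap://ad.example.edu:389," user=cn=svc,ou=Services,dc=example,dc=edu, validateOnCheckIn=false]
2013-04-12 13:08:59,825: [main] DEBUG GrouperLoaderResultset$1.callback(582) -  - Found 3 results, (0 sub-results) for serverId: adTest, searchDn: ou=Security Groups,dc=example,dc=edu, filter: '(|(cn=GroupA)(cn=GroupB)(cn=GroupC))', returning subject attribute: member, some results: {stem:groups:GroupA=[], stem:groups:GroupB=[], ...
2013-04-13 16:54:35,101: [main] DEBUG GrouperLoaderConfig.retrieveLdapProfile(375) -  - LDAP config for server id: openLdap: GrouperLoaderLdapServer [batchSize=-1, pass=XXXXX, timeout=-1, tls=false, url="ldaps://ldap.example.edu:636/dc=example,dc=edu," user=uid=svc,ou=entities,dc=example,dc=edu, validateOnCheckIn=false]
2013-04-13 16:54:35,103: [main] DEBUG GrouperLoaderResultset$1.callback(582) -  - Found 2 results, (5 sub-results) for serverId: openLdap, searchDn: ou=groups, filter: '(|(cn=g1)(cn=g2))', returning subject attribute: hasMember, some results: {stem:groups:g1=[a], ...
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # "cleartext_bind", "no_member_values" or "no_groups_matched"
    server_id: str
    detail: str


CONFIG_RE = re.compile(
    r"LDAP config for server id: (\S+): GrouperLoaderLdapServer \[(.*)\]")
RESULT_RE = re.compile(
    r"Found (\d+) results, \((\d+) sub-results\) for serverId: ([^,]+), "
    r"searchDn: (.*?), filter: '(.*)', returning subject attribute: (\w+)")


def analyze(log_text):
    """Return findings for loader log text, in the order they appear."""
    findings = []
    reported_cleartext = set()  # the profile line repeats; report each server once

    for line in log_text.splitlines():
        config = CONFIG_RE.search(line)
        if config:
            server_id, body = config.groups()
            scheme = re.search(r'\burl="?([a-zA-Z]+)://', body)
            tls = re.search(r"\btls=(\w+)", body)
            # ldap:// without StartTLS sends the simple-bind password unencrypted
            cleartext = (scheme is not None and tls is not None
                         and scheme.group(1).lower() == "ldap"
                         and tls.group(1).lower() == "false")
            if cleartext and server_id not in reported_cleartext:
                reported_cleartext.add(server_id)
                findings.append(Finding(
                    "cleartext_bind", server_id,
                    "profile uses ldap:// with tls=false; "
                    "use ldaps:// or enable TLS for the bind"))
            continue

        result = RESULT_RE.search(line)
        if not result:
            continue
        groups, values, server_id, search_dn, ldap_filter, attr = result.groups()
        if int(groups) == 0:
            # nothing matched at all: the filter or search DN is the place to look
            findings.append(Finding(
                "no_groups_matched", server_id,
                f"filter {ldap_filter} matched nothing under {search_dn}"))
        elif int(values) == 0:
            # entries matched but the attribute came back empty: check the
            # attribute name and whether the bind account may read it
            findings.append(Finding(
                "no_member_values", server_id,
                f"{groups} groups matched under {search_dn} but attribute "
                f"'{attr}' returned no values"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"[{finding.kind}] {finding.server_id}: {finding.detail}")
```
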

 



