
grouper-users - RE: [grouper-users] help configuring the Subject API for a JNDI source

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Rob Gorrell <>, Shilen Patel <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] help configuring the Subject API for a JNDI source
  • Date: Fri, 7 Jun 2013 17:40:52 +0000

SubjectID: should be unchanging (probably opaque).  At Penn we use PennID, e.g. 12345678.  There is one of these for a subject, and it would be nice if multiple sources did not have the same subjectId.

 

SubjectIdentifier: can be anything that resolves to a subject.  At Penn we use PennKey (netId), e.g. mchyzer, or eppn, e.g. .  This can be non-opaque, can change for a user, etc.  In one source, two identifiers cannot point to the same subject.  It would be nice if multiple sources did not have the same subjectIdentifier.

 

So… I would recommend eppn for external users’ subjectId, since that is likely the best thing you’ve got.  Note: external users could be a separate source from local users.  For the local users’ source, I think uidNumber is not a bad choice, and eppn could be a subjectIdentifier that could look up that user.

 

Ok?

 

Thanks,

Chris

 

From: Rob Gorrell [mailto:]
Sent: Friday, June 07, 2013 1:16 PM
To: Shilen Patel
Cc: Chris Hyzer;
Subject: Re: [grouper-users] help configuring the Subject API for a JNDI source

 

So let me ask a couple more questions along this vein...

The goal of the Subject API is to add subjects to the Subjects table from a data connector (such as JNDI), correct? The subjects I've added manually so far (through gsh) so I can use the system, I've used eppn as the subjectid since my UI install authentication is shibbolized. I'm assuming I would like subjects loaded by the Subject API to also use eppn as the subjectid. Trouble is, our LDAP directory doesn't store eppn as an attribute; our shibb IdP computes it by scoping the cn attribute. Can Grouper do a similar thing in sources.xml when it comes to the subjectid attribute? I would rather load subjects as eppn, not uidNumber, as shibb won't be authenticating users to my Grouper UI based on uidNumber but rather eppn.

-Rob



On Thu, Jun 6, 2013 at 3:40 PM, Shilen Patel <> wrote:

In your sources.xml file, is your filter perhaps not right for the "searchSubject" search type?  This is the search to find the user by subject id.  The logs below seem to suggest that your filter is this:  (& (uncgPreferredName=%TERM%) (objectclass=userProxy))

 

But you previously said your subject id attribute is uidNumber.

 

Thanks!

 

-- Shilen

 

From: Rob Gorrell <>
Date: Wednesday, June 5, 2013 2:14 PM
To: Chris Hyzer <>
Cc: "" <>
Subject: Re: [grouper-users] help configuring the Subject API for a JNDI source

 

So thank you for the education about logging... I think I have a grasp on where to look now.

What I get in the grouper_error.log when I try to bring up/show a subject's attributes is:
2013-06-05 14:09:37,738: [TP-Processor8] ERROR PopulateSubjectSummaryAction.grouperExecute(369) - < 50FB33F3960149BC379AA3ADC3E3AA5C-0008 10088e20ca0d4ad2af3cf7c71aea5d3c jdbc > - edu.internet2.middleware.subject.SubjectNotFoundException: No results: searchSubject filter:(& (uncgPreferredName=%TERM%) (objectclass=userProxy)) searchValue: 33668
2013-06-05 14:09:37,747: [TP-Processor8] ERROR PopulateSubjectSummaryAction.grouperExecute(436) - < 50FB33F3960149BC379AA3ADC3E3AA5C-0008 10088e20ca0d4ad2af3cf7c71aea5d3c jdbc > - edu.internet2.middleware.grouper.exception.MemberNotFoundException: Unresolvable subject is also not a Member

and when I try to assign privileges, I get:
2013-06-05 14:12:04,207: [TP-Processor2] ERROR DoAssignNewMembersAction.grouperExecute(246) - < 50FB33F3960149BC379AA3ADC3E3AA5C-0011 10088e20ca0d4ad2af3cf7c71aea5d3c jdbc > - edu.internet2.middleware.subject.SubjectNotFoundException: No results: searchSubject filter:(& (uncgPreferredName=%TERM%) (objectclass=userProxy)) searchValue: 33668
2013-06-05 14:12:04,211: [TP-Processor2] ERROR NavExceptionHelper.getMessage(107) - < 50FB33F3960149BC379AA3ADC3E3AA5C-0011 10088e20ca0d4ad2af3cf7c71aea5d3c jdbc > - Missing nav key: The entity does not exist.

Which is odd considering I can match the subject in the LDAP source, but then it seems to fall apart from there.

-Rob


On Tue, Jun 4, 2013 at 5:16 PM, Chris Hyzer <> wrote:

Can you put an absolute path in the log4j.properties and restart and reproduce?  (or log to stdout)

 

You should see something like this in the catalina.out

 

“Grouper is logging to file:”

 

Thanks,

Chris

 

 

From: [mailto:] On Behalf Of Rob Gorrell
Sent: Tuesday, June 04, 2013 4:29 PM
To: Chris Hyzer
Cc:
Subject: Re: [grouper-users] help configuring the Subject API for a JNDI source

 

Guess I'm not sure where this would be logged exactly? By the UI? Where does the UI output its logs? I'm not seeing anything in Tomcat's logging?

-Rob

On Tue, Jun 4, 2013 at 4:25 PM, Chris Hyzer <> wrote:

Are there stacks in the logs that describe the error?

 

Thanks,

Chris

 

From: [mailto:] On Behalf Of Rob Gorrell
Sent: Tuesday, June 04, 2013 4:12 PM
To:
Subject: [grouper-users] help configuring the Subject API for a JNDI source

 

So I'm attempting to configure the Subject API to pull in subjects from our LDAP directory. Using the example sources.xml, I was able to configure the LDAP section such that when in the UI, I'm able to search and locate a subject based on username (the description appears next to their check box). However, when I attempt to assign privileges, I get an "error retrieving entity [33668]. the entity does not exist." and likewise, when I click on the description of the located subject to bring up their attributes, I get an "error: there was an unexpected error retrieving the requested entity as a member". I feel like I'm missing something in the attribute mappings preventing the user from being added, just not sure what that something is.

I have the following attributes defined like this in sources.xml...

    <init-param>
      <param-name>SubjectID_AttributeType</param-name>
      <param-value>uidNumber</param-value>
    </init-param>
    <init-param>
      <param-name>SubjectID_formatToLowerCase</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>Name_AttributeType</param-name>
      <param-value>cn</param-value>
    </init-param>
    <init-param>
      <param-name>Description_AttributeType</param-name>
      <param-value>displayName</param-value>
    </init-param>

--

Robert W. Gorrell
Middleware Engineer, Identity and Access Management

University of NC at Greensboro
336-334-5954
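
The mismatch discussed in this thread (subject id attribute uidNumber, but a searchSubject filter that matches on uncgPreferredName) can be checked mechanically before the UI ever reports "the entity does not exist". The following is an added example, not part of the original thread or of Grouper's own code; the sources.xml fragment is constructed, and its <search>/<param> layout is an assumption based on the example sources.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sources.xml fragment. The <search>/<param> layout is assumed;
# the attribute names and the filter string are the ones quoted in the thread.
SAMPLE = """
<source>
  <init-param>
    <param-name>SubjectID_AttributeType</param-name>
    <param-value>uidNumber</param-value>
  </init-param>
  <search>
    <searchType>searchSubject</searchType>
    <param>
      <param-name>filter</param-name>
      <param-value>(&amp; (uncgPreferredName=%TERM%) (objectclass=userProxy))</param-value>
    </param>
  </search>
</source>
"""

def term_attributes(ldap_filter):
    """Return the LDAP attributes that the filter compares against %TERM%."""
    return re.findall(r"\(\s*([A-Za-z][\w;.-]*)\s*=\s*%TERM%\s*\)", ldap_filter)

def check_source(xml_text):
    """Return (subject_id_attr, term_attrs, ok) for one <source> element."""
    src = ET.fromstring(xml_text)
    id_attr = None
    for p in src.findall("init-param"):
        if p.findtext("param-name", "").strip() == "SubjectID_AttributeType":
            id_attr = p.findtext("param-value", "").strip()
    attrs = []
    for s in src.findall("search"):
        if s.findtext("searchType", "").strip() != "searchSubject":
            continue
        for p in s.findall("param"):
            if p.findtext("param-name", "").strip() == "filter":
                attrs = term_attributes(p.findtext("param-value", ""))
    # LDAP attribute names are case-insensitive, so compare lowercased.
    ok = id_attr is not None and id_attr.lower() in [a.lower() for a in attrs]
    return id_attr, attrs, ok

if __name__ == "__main__":
    id_attr, attrs, ok = check_source(SAMPLE)
    print(f"SubjectID_AttributeType={id_attr}, searchSubject matches on {attrs}: "
          f"{'consistent' if ok else 'MISMATCH'}")
```
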



