
grouper-users - [grouper-users] matching subjects when loading groups from AD LDAP

Subject: Grouper Users - Open Discussion List

  • From: Rob Gorrell <>
  • To:
  • Subject: [grouper-users] matching subjects when loading groups from AD LDAP
  • Date: Mon, 22 Jul 2013 14:18:20 -0400

So I'm working on my LDAP_SIMPLE grouper loader configuration from the Chris Hyzer videos... I'm able to connect to my JNDI source (Active Directory), locate the group, retrieve its members, and then it comes time for grouper to resolve them using a source I've previously configured in the subject API which hits a different LDAP directory of ours. My loader job is configured to use subjectIdentifier as its subject ID type and my searchSubjectIdentifier is configured to match on cn=%TERM%.

The problem appears to be that when the loader retrieves the 'member' attribute from the AD group, this attribute contains the complete object DN, so when it feeds it back through my searchSubjectIdentifier, it isn't just querying for the cn, but an entire DN that isn't valid in my 2nd directory... therefore I get subject not found. Is there a way to strip this so the search occurs with just the cn value?

Here's the error:
2013-07-22 13:56:09,098: [main] ERROR GrouperLoaderResultset$Row.getSubject(1153) -  - Problem with subjectIdentifier: CN=RWGORREL,OU=Users,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu, subjectSourceId: uncg-person, in jobName: LDAP_SIMPLE__loader:ldapSimpleGroup__0f502b7b394b4535a8278d41bda3b316
edu.internet2.middleware.subject.SubjectNotFoundException: No results: searchSubjectByIdentifier filter:(& (cn=%TERM%) (objectclass=userProxy)) searchValue: CN=RWGORREL,OU=Users,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu
and my searchSubjectIdentifier is configured to search for 'CN=RWGORREL'... not that long DN path from above.

How to deal with this, as I guess a group's member attribute is typically a DN representation in LDAP, but yet, when you're calling searchSubjectIdentifier, undoubtedly you don't want to be searching on that attribute value exactly as retrieved from the member attribute of the LDAP group?


Robert W. Gorrell
Middleware Engineer, Identity and Access Management
University of NC at Greensboro
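
The stripping step asked about in the message above, as an added example that is not part of the original post and not Grouper's own code: it takes the leading CN from a member DN with the JDK's `javax.naming.ldap.LdapName` and escapes it per RFC 4515 before it is substituted into the `(cn=%TERM%)` filter. The class name, method names and sample DNs are assumptions constructed for illustration; the filter template is the one shown in the error output.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical helper class, not part of Grouper.
public class MemberDnToCn {
    // Returns the value of the leftmost RDN when it is a CN, otherwise null.
    static String leadingCn(String memberDn) {
        try {
            LdapName name = new LdapName(memberDn);
            if (name.isEmpty()) return null;
            // LdapName numbers RDNs right to left, so the leftmost RDN is the last index.
            Rdn leaf = name.getRdn(name.size() - 1);
            Object value = leaf.getValue(); // DN escapes such as "\," are already removed
            boolean isCn = "cn".equalsIgnoreCase(leaf.getType());
            return (isCn && value instanceof String) ? (String) value : null;
        } catch (InvalidNameException e) {
            return null; // the member value was not a parseable DN
        }
    }

    // Escapes the characters that are special inside an LDAP search filter (RFC 4515),
    // so a CN containing '*', '(' or ')' cannot widen or restructure the filter.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String template = "(& (cn=%TERM%) (objectclass=userProxy))"; // filter from the error output
        String[] members = { // constructed sample member values
            "CN=RWGORREL,OU=Users,DC=campus,DC=uncg,DC=edu",
            "CN=Smith\\, Jo (test),OU=Users,DC=example,DC=edu",
            "not a dn"
        };
        for (String dn : members) {
            String cn = leadingCn(dn);
            System.out.println(cn == null ? "skipped (no leading CN): " + dn
                    : template.replace("%TERM%", escapeFilterValue(cn)));
        }
    }
}
```

Parsing the DN rather than splitting on commas keeps escaped commas inside a CN intact, and escaping the extracted value keeps group membership data from another directory from altering the search filter.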
