
grouper-users - Re: [siad] [grouper-users] Grouper loader LDAP with 2 ldap filters

Subject: Grouper Users - Open Discussion List

  • From: SIAD <>
  • To: Chris Hyzer <>
  • Cc: "" <>
  • Subject: Re: [siad] [grouper-users] Grouper loader LDAP with 2 ldap filters
  • Date: Thu, 10 Oct 2013 10:29:54 +0200

Yes, I could do that. But we have over 50 000 entries (certainly a lot more) only for the employee branch... and I reach the limit on the number of LDAP entries returned... :-[
We use a SUN LDAP, and there is no possibility of paging the results... :-\

But my solution works, I only have errors due to the creation of empty groups (cf. https://lists.internet2.edu/sympa/arc/grouper-users/2013-07/msg00041.html).

I understand that you have more important things to do. But one day, if you have the time, this is how I see the configuration of the job:

3 more Grouper loader LDAP attributes:

- Grouper loader LDAP Extra Attribute Filter: LDAP attribute name whose value will be used for the Grouper loader LDAP second filter.
- Grouper loader LDAP Extra DN: DN where the extra filter will be applied.
- Grouper loader LDAP Extra filter: LDAP filter with the variable attributeFilter.

For example, with an LDAP_SIMPLE Grouper loader type:

Attribute name                                Assignment values
Grouper loader LDAP
Grouper loader LDAP search base DN            ou=school
Grouper loader LDAP filter                    (&(typensi=PU)|(typensi=EEPU)(typensi=EMPU))
Grouper loader LDAP Extra DN                  ou=people
Grouper loader LDAP Extra Attribute Filter    rne
Grouper loader LDAP Extra filter              rne = ${attributeFilter}
Grouper loader LDAP subject attribute name    uid
Grouper loader LDAP quartz cron               0 0 0/4 ? * MON-FRI *
Grouper loader LDAP source ID                 ldap
Grouper loader LDAP type                      LDAP_SIMPLE
Grouper loader LDAP server ID                 personLdap


With this configuration, the first query will extract all rne attributes. Then those attributes will be used to query the extra DN based on the Grouper loader LDAP Extra filter.
Same logic for LDAP_GROUP_FROM_ATTRIBUTES and LDAP_GROUPS_LIST.

I don't know if it's possible. But if you think it will take a lot of your time and this evolution is not really useful for the community, I understand. Like I said, my solution works despite the fact that it's not really clean (some errors...). :-)

Thanks a lot.

Yoann.









 

Yoann Delattre 03 20 95 69 61
Équipe SIAD (Systèmes d'Information et Aide à la Décision)
DSI de l'académie de Lille (Direction des Systèmes d'Information)
110 avenue Gaston Berger - 59000 Lille
On 09/10/2013 at 16:46, Chris Hyzer wrote:

Well, you could have two loader jobs… one for all the schools to make groups like this:

Group: community:schools:0591234A
- Member: dupont
- Member: robert

Group: community:schools:0595678B
- Member: durand

etc

Then do a loader job for all the group attributes

Group:community:schoolAttribute:LP
- Member: community:schools:0591234A

Group:community:schoolAttribute:PR
- Member: community:schools:0591234A
- Member: community:schools:0599101C

Then you can do your manual rollups (this part is not a loader job)

Group:community:schoolRollups:highSchool
- Member: community:schoolAttribute:LP
- Member: community:schoolAttribute:CLG
- Member: community:schoolAttribute:LGT

Group:community:schoolRollups:privateHighSchool
- Composite of Group:community:schoolAttribute:PR and Group:community:schoolRollups:highSchool

Is that ok, or do you need a way to do this in the loader?  I'm not sure I have time to do much work on it, so I'm trying to find a way to get this handled as is :)

If you did want more with the loader, can you give a sample config of how you would configure your job to make it work?

Thanks,
Chris

 

From: SIAD []
Sent: Wednesday, October 09, 2013 5:09 AM
To: Chris Hyzer
Subject: Re: [siad] [grouper-users] Grouper loader LDAP with 2 ldap filters

 

Not exactly, sorry, English is not my best skill :-\

I'll try to explain more clearly.

We have two branches. RNE is the id that we use to identify, in the person (employee) branch, the school where the employee works. Typensi is a multivalued attribute that carries the school type (public/private school, elementary school, high school...).

PU is for public
PR is for private
LP, CLG, LGT is for high school
EEPU, EMPU is for elementary school

For example :

person (employee)

     - uid = dupont
     - rne = 0591234A

     - uid = durand
     - rne = 0595678B

     - uid = dubois
     - rne = 0591112D

     - uid = martin
     - rne = 0599101C

     - uid = bernard
     - rne = 0591314E

     - uid = robert
     - rne = 0591234A

     - uid = dumont
     - rne = 0591314E

     - uid = fontaine
     - rne = 0591112D

school

    - rne = 0591234A
    - typensi = LP
    - typensi = PR

    - rne = 0595678B
    - typensi = CLG
    - typensi = PU

    - rne = 0599101C
    - typensi = EMPU
    - typensi = PR

    - rne = 0591112D
    - typensi = EEPU
    - typensi = PU

    - rne = 0591314E
    - typensi = LGT
    - typensi = PU


Let's say I want all the persons who work in public elementary schools. To do this, I need a first LDAP query on the school branch like: (&(typensi=PU)|(typensi=EEPU)(typensi=EMPU)).

The result of this query will be:

    - rne = 0599101C
    - typensi = EMPU
    - typensi = PR

    - rne = 0591112D
    - typensi = EEPU
    - typensi = PU

Now, I need the rne attribute to query the person branch. (&(rne=0599101C)(rne = 0591112D)).

The result will be:

     - uid = dubois
     - rne = 0591112D

     - uid = martin
     - rne = 0599101C

     - uid = fontaine
     - rne = 0591112D

And finally the result is two Grouper groups:

name = 0591112D
member = dubois
member = fontaine

name = 0599101C
member = martin

This is the process that I try to do with the Grouper loader (and I did it, but it's not really clean...).

Thanks a lot for your help.
Yoann.
On 08/10/2013 at 16:20, Chris Hyzer wrote:

I think you can do this.
 
Focus on the second query to build the groups with the loader.
 
LDAP_GROUP_FROM_ATTRIBUTES
 
Person
  - id: abc
  - school: 12, 34
Person
  - id: bcd
  - school: 23, 34
 
There would be 3 groups from this, for schools 12, 23, 34
 
But you want the name from another filter, right?
 
School
  - name: Something School
  - id: 12
 
I think you can write a simple java class that does the LDAP query, caches the results, and you can register this in expression language, and use it in grouperLoaderLdapGroupDisplayNameExpression...  (or Name, Description, etc).
 
Can this work for you?  Do you need a proof of concept?
 
Thanks,
Chris
 
 
-----Original Message-----
From: SIAD [] 
Sent: Tuesday, October 08, 2013 5:21 AM
To: Chris Hyzer
Cc: 
Subject: Re: [siad] [grouper-users] Grouper loader LDAP with 2 ldap filters
 
Hmmmmm, I don't think so. I would extract a specific attribute value from the first request and reuse it for building the second filter.
Actually, I have a first loader job (LDAP_GROUPS_FROM_ATTRIBUTES) which initializes empty groups, based on several LDAP attributes (if it's a public/private school, an elementary school, a high school...) and the school LDAP branch.  There is an ID number for each school and I use it as the group name. This ID is the only thing that we have to identify, in the employee branch, the school where the employee works.
So, on each empty group (created with the first loader job), I have a second loader job (LDAP_SIMPLE) for querying the employee LDAP branch with an LDAP filter based on each group's name.
It works but it's not really clean. That's why I am trying to find another solution...
 
I don't know if it's clear for you :-\
 
Anyway, thanks for your help !
 
Yoann.
 
On 07/10/2013 at 17:12, Chris Hyzer wrote:
Is this something you can do with two loader jobs and intersect the results to an overall group?
 
Thanks,
Chris
 
-----Original Message-----
From:  [] On Behalf Of SIAD
Sent: Monday, October 07, 2013 8:53 AM
To: 
Subject: [grouper-users] Grouper loader LDAP with 2 ldap filters
 
Hi,
 
I have a request: is it possible to improve the Grouper loader LDAP with the possibility to use 2 LDAP filters?
Explanation: in our LDAP, we have multiple branches. Especially one with all schools and a second with the employees.
I would query the school branch and extract a specific attribute value from the result entries. Then, use this extracted attribute in a second filter to query the employee branch and finally create groups with the result.
Pretty much the same behaviour as the include_ldap_2level_query option in SYMPA:
http://www.sympa.org/manual/parameters-data-sources#include_ldap_2level_query
 
Do you think this is possible?
 
Thanks,
Yoann.
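
The two-step lookup discussed in this thread (a first search yields rne values, each value is substituted into the proposed extra filter, one group per value), as an added example that is not part of the original messages and is not Grouper code. It runs against an in-memory stand-in for the directory built from the sample entries in the thread; the function names and the parenthesised template `(rne=${attributeFilter})` are assumptions. Each value is escaped per RFC 4515 before substitution, so a directory value containing filter metacharacters cannot alter the second query.

```python
import re

# Constructed sample data, copied from the example entries in the thread.
SCHOOL_HITS = [  # entries the thread lists as the result of the first query
    {"rne": ["0599101C"], "typensi": ["EMPU", "PR"]},
    {"rne": ["0591112D"], "typensi": ["EEPU", "PU"]},
]
PEOPLE = [
    {"uid": "dupont", "rne": "0591234A"}, {"uid": "durand", "rne": "0595678B"},
    {"uid": "dubois", "rne": "0591112D"}, {"uid": "martin", "rne": "0599101C"},
    {"uid": "bernard", "rne": "0591314E"}, {"uid": "robert", "rne": "0591234A"},
    {"uid": "dumont", "rne": "0591314E"}, {"uid": "fontaine", "rne": "0591112D"},
]

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def second_filter(template, value):
    """Substitute one first-level value into the extra filter template."""
    return template.replace("${attributeFilter}", escape_filter_value(value))

def search_people(ldap_filter, people=PEOPLE):
    """Stand-in for the second LDAP search; supports a single (attr=value) term."""
    m = re.fullmatch(
        r"\(([A-Za-z0-9-]+)=((?:[^\\()*\0]|\\[0-9a-fA-F]{2})*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported or malformed filter: %r" % ldap_filter)
    attr = m.group(1)
    # Decode \XX escapes back to the literal value before comparing.
    value = re.sub(r"\\([0-9a-fA-F]{2})",
                   lambda h: chr(int(h.group(1), 16)), m.group(2))
    return [p["uid"] for p in people if p.get(attr) == value]

def two_level_groups(school_hits, extra_attr="rne",
                     template="(rne=${attributeFilter})"):
    """One group per first-level value; members come from one search per value."""
    groups = {}
    for entry in school_hits:
        for value in entry.get(extra_attr, []):
            groups[value] = search_people(second_filter(template, value))
    return groups

if __name__ == "__main__":
    for name, members in sorted(two_level_groups(SCHOOL_HITS).items()):
        print(name, members)
```

Issuing one search per rne value also keeps each result set to a single school's staff, which matters on a server with a result size limit and no paging.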
 
 
 
 
 

 




