
grouper-users - [grouper-users] RE: PSP Configuration - JDBC subject source

Subject: Grouper Users - Open Discussion List

  • From: Richard James <>
  • To: "" <>
  • Subject: [grouper-users] RE: PSP Configuration - JDBC subject source
  • Date: Tue, 17 Dec 2013 15:54:31 +0000
  • Accept-language: en-GB, en-US

It seems just sending this email was enough for me to get this to work :)

The issue was that it was just retrieving the cn for the member and not the full dn.  

The following change

sourceAttributeID="distinguishedName" in the memberDn attribute definition.

Got this to work and got rid of the error message and now provisions members into the AD group. (I had previously set the source attribute to "dn", but in order for it to work it requires "distinguishedName")

I'm still interested to know if anyone else has this set-up and whether it differs from this approach.

I will document this set-up on the Newcastle University contributions page.

Many thanks
Richie




From: [] on behalf of Richard James
Sent: 17 December 2013 15:24
To:
Subject: [grouper-users] PSP Configuration - JDBC subject source

Hi,

I am in the process of setting up PSP version 2.1.5 for our Grouper install. As a proof of concept I have successfully set this up so that it provisions groups to our active directory using the active directory as our subject source in a development environment.  

Our production grouper uses JDBC as the subject source and therefore I need to configure PSP to use the jdbc source for retrieving members from groups and provisioning the memberships into the AD. Unfortunately I haven't managed to get this working successfully so far. 

I was not entirely sure how to achieve this and therefore have tried a few changes to the configuration. Up until now, we have been getting a memberDn source attribute could not be resolved.

I presumed that this was due to it not being able to retrieve a dn/cn for the member. I therefore added the following in (based upon the configuration for openldap-multiple):

<resolver:AttributeDefinition
    id="memberDn"
    xsi:type="psp:PSOIdentifier"
    sourceAttributeID="cn">
    <resolver:Dependency ref="LDAPMemberPersonLookup2" />
  </resolver:AttributeDefinition>

<resolver:DataConnector
    id="LDAPMemberPersonLookup2"
    xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://**.**.**.**:389"
    baseDN="${edu.internet2.middleware.psp.peopleBaseDn}"
    principal="${edu.vt.middleware.ldap.bindDn}"
    principalCredential="${edu.vt.middleware.ldap.bindCredential}"
    maxResultSize="1">
    <dc:FilterTemplate>
        <![CDATA[
            (&(uid=${requestContext.principalName})(objectclass=person))
        ]]>
    </dc:FilterTemplate>
  </resolver:DataConnector>


By adding this into the psp-resolver.xml file it is now able to resolve the source attribute for jdbc members. However when I come to run ./gsh.sh -psp -bulkSync the following error is displayed,

<psp:syncResponse status='failure' requestID='2013/12/17-14:57:55.416' error='customError'>
    <addResponse xmlns='urn:oasis:names:tc:SPML:2:0' status='failure' requestID='2013/12/17-14:57:57.746' error='customError'>
      <errorMessage>[LDAP: error code 53 - 0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
_]</errorMessage>
    </addResponse>
    <errorMessage>[LDAP: error code 53 - 0000054F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
_]</errorMessage>
    <psp:id ID='Applications:test:ISS_Auto_Dev_Baton_Rouge'/>
  </psp:syncResponse>
</psp:bulkSyncResponse>

Has anyone else set up PSP with JDBC as a source? Is this the correct way of going about it? If so, are we missing any further configuration?

Any help would be gratefully received. I've attached the psp.xml, psp-resolver.xml, sources.xml and the grouper_error.log for this Sync attempt.  

Many thanks,

Richard James
Infrastructure Systems Administrator
ISS Systems Architecture
Newcastle University
0191 2228638

m.ncl.ac.uk 
facebook.com/ITbytes
@NU_ITservice
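
A pre-flight check for the fix described in this thread, as an added example that is not part of the original emails or of Grouper/PSP: it reports any PSOIdentifier attribute definition whose sourceAttributeID would yield a bare cn (or nothing) instead of a full DN. The namespace URIs, the sample directory entry and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Placeholder namespace URIs (assumption): substitute the ones your file declares.
NS = {"r": "urn:example:resolver"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed resolver fragment modelled on the memberDn definition in the thread.
RESOLVER_XML = """<r:AttributeResolver xmlns:r="urn:example:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <r:AttributeDefinition id="memberDn" xsi:type="psp:PSOIdentifier"
      sourceAttributeID="SOURCE">
    <r:Dependency ref="LDAPMemberPersonLookup2" />
  </r:AttributeDefinition>
</r:AttributeResolver>"""

# Constructed entry standing in for what the LDAP data connector returns for
# one member (assumption: cn and distinguishedName are the attributes present).
SAMPLE_ENTRIES = {"LDAPMemberPersonLookup2": {
    "cn": "jsmith",
    "distinguishedName": "CN=jsmith,OU=People,DC=example,DC=org",
}}

RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

def is_full_dn(value):
    """True if value looks like a multi-RDN DN (commas escaped with \\ are kept)."""
    parts = re.split(r"(?<!\\),", value)
    return len(parts) >= 2 and all(RDN.match(p.strip()) for p in parts)

def check_identifiers(xml_text, entries):
    """Return (definition id, sourceAttributeID, problem) for each bad definition."""
    findings = []
    for attr in ET.fromstring(xml_text).iterfind("r:AttributeDefinition", NS):
        if not attr.get(XSI_TYPE, "").endswith("PSOIdentifier"):
            continue
        source = attr.get("sourceAttributeID")
        for dep in attr.iterfind("r:Dependency", NS):
            value = entries.get(dep.get("ref"), {}).get(source)
            if value is None:
                findings.append((attr.get("id"), source, "unresolved"))
            elif not is_full_dn(value):
                findings.append((attr.get("id"), source, "not a DN: %r" % value))
    return findings

if __name__ == "__main__":
    for source in ("cn", "dn", "distinguishedName"):
        print(source, check_identifiers(RESOLVER_XML.replace("SOURCE", source), SAMPLE_ENTRIES))
```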


