grouper-users - Re: [grouper-users] PSP configuration- multiple named stems

  • From: Mark Cairney <>
  • To: David Langenberg <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] PSP configuration- multiple named stems
  • Date: Fri, 05 Sep 2014 15:49:30 +0100

OK here it is, minus the password:

I've attached my psp-vt-ldap.xml too in case it's useful.

Mentioning the ldap.properties, one thing has just occurred to me. We're
using the "posixGroup" objectClass which requires a UNIX GID field
(gidNumber). I'm not sure if that's currently being exposed from Grouper
and I remember having to do something in LDAPPC to push that field out.
Does that sound like a possible cause?



On 05/09/14 15:17, David Langenberg wrote:
> The first error is fairly safe to ignore. It generally can be described as
> "this change doesn't match our criteria for pushing to LDAP". The second
> error though makes me think you are missing something perhaps in your
> ldap.properties. It would be helpful to see a sanitized version of that
> file.
>
> Dave
>
>
> On Fri, Sep 5, 2014 at 3:53 AM, Mark Cairney
> <>
> wrote:
>
>> OK I'm trying to proceed with the simplest case i.e. no baseStem set.
>> The process is still on-going but I'm seeing a lot of errors being
>> generated which seem to fall into 2 types. So far it's been running for
>> about 13 hours with no changes yet being made to the LDAP server.
>>
>> 1.
>> 2014-09-05 00:00:00,025: [main] ERROR Psp.execute(1187) - - Psp 'psp' - Diff
>> DiffResponse[id=1C5998B7-EB74-4D38-8DB8-94E251A07174,status=failure,error=noSuchIdentifier,errorMessages={Unable to calculate provisioned object.},requestID=2014/09/04-23:59:59.742]
>> 2014-09-05 00:00:00,025: [main] ERROR Psp.execute(1189) - - Psp 'psp' - Diff XML:
>> <psp:diffResponse xmlns:psp='http://grouper.internet2.edu/psp' status='failure' requestID='2014/09/04-23:59:59.742' error='noSuchIdentifier'>
>> <errorMessage>Unable to calculate provisioned object.</errorMessage>
>> <psp:id ID='1C5998B7-EB74-4D38-8DB8-94E251A07174'/>
>> </psp:diffResponse>
>>
>> (this looks like it's just complaining about not being able to find a
>> match for that ID. Given the Dev LDAP server is simply a clone of one of
>> our Test ones this doesn't worry/surprise me too much as we haven't done
>> a full sync of the user accounts on both).
>>
>>
>> 2.
>>
>> 2014-09-05 00:58:00,539: [main] ERROR Psp.doesIdentifierExist(445) - - The lookup response is not a success
>> 'LookupResponse[pso=<null>,status=failure,error=customError,errorMessages={Unable to determine schema entity for uid=******,ou=people,ou=central,dc=authorise-dev,dc=ed,dc=ac,dc=uk},requestID=2014/09/05-00:58:00.533]'
>>
>>
>> Should I be worrying about these errors? I'm also wondering if I've
>> chosen the wrong example set for my config as I run an OpenLDAP server
>> but looking at the config there's a whole bunch of attributes we don't
>> currently have like "isMemberOf, hasMember, seeAlso" etc. I've just
>> spotted an "eduMember.schema" file so I've added that to the server and
>> re-started the bulkSync. In the meantime my config files are attached in
>> case there's anywhere obvious I'm going wrong.
>>
>>
>>
>> On 03/09/14 09:25, Mark Cairney wrote:
>>> OK that sounds equally complicated - I'm even having trouble picturing
>>> what the config looks like in my head. Ultimately what I'd like to have
>>> is Grouper exporting only specified stems (e.g.
>>> affiliations,courses,org) to an individual target LDAP server.
>>>
>>> I've been pointed in the direction of some docs + powerpoints by Bryan,
>>> looking through this it looks like this could be do-able using Group
>>> Filters in the GroupDataConnector in psp-resolver.xml. This is likely to
>>> result in the group OUs changing but we may have to live with that as
>>> they are themselves a result of us provisioning each stem individually
>>> on Grouper 1.5 which was a workaround to do this.
>>>
>>> I'm probably trying to run before I can walk anyway so I'll proceed with
>>> a base config to provision all stems on Dev and once that's working look
>>> at this side of things.
>>>
>>> Kind regards,
>>>
>>> Mark
>>>
>>> On 02/09/14 16:10, David Langenberg wrote:
>>>> Hi Mark,
>>>>
>>>> Even in the multiple case, you'll still have one ldap.properties, but
>>>> you'll now also have the individual ldap connector configs. I don't think
>>>> there's going to be a sane way to break up the configs unfortunately.
>>>>
>>>> Dave
>>>>
>>>>
>>>> On Tue, Sep 2, 2014 at 3:47 AM, Mark Cairney
>>>> <>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We're looking to upgrade from our existing 1.5 install to 2.2 and this
>>>>> means moving from LDAPPC to PSP.
>>>>>
>>>>> In our current setup, which I'd like to replicate, we have a subset of stems
>>>>> provisioned, each of which has its own separate ldappc.xml file.
>>>>>
>>>>> Looking at the examples there is a multiple openLDAP example so my
>>>>> current thinking is to have multiple "ldap.properties" files for each
>>>>> stem. Is this possible/ sensible?
>>>>>
>>>>> We use the "memberOf" overlay so we would only be looking to export the
>>>>> groups and their members.
>>>>>
>>>>> I'll admit that having not looked much at Grouper since we initially got
>>>>> it working the new approach seems to have a baffling amount of
>>>>> configuration options and files so a helping hand would be appreciated
>>>>> :-)
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>
>
>

--
/****************************

Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email:

PGP: 0x435A9621

*******************************/

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
Attachment: ldap.properties

# This is the configuration file for vt-ldap.
# See http://code.google.com/p/vt-middleware/wiki/vtldapProperties

edu.vt.middleware.ldap.ldapUrl=ldaps://bonsai.authorise-dev.is.ed.ac.uk:636
edu.vt.middleware.ldap.searchScope=SUBTREE

# authn if simple
edu.vt.middleware.ldap.bindDn=cn=Manager,dc=authorise-dev,dc=ed,dc=ac,dc=uk
# (password removed before posting)
edu.vt.middleware.ldap.bindCredential=
# The bind credential may be external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122
# edu.vt.middleware.ldap.bindCredential=/path/to/ldap.pwd
edu.vt.middleware.ldap.authtype=simple

# encryption
edu.vt.middleware.ldap.ssl=true
edu.vt.middleware.ldap.tls=false

# pooling options
edu.vt.middleware.ldap.pool.minPoolSize = 2
edu.vt.middleware.ldap.pool.maxPoolSize = 5

# paged results
edu.vt.middleware.ldap.pagedResultsSize=0

# authn for sasl external (certificates)
# edu.vt.middleware.ldap.authtype=EXTERNAL
# edu.vt.middleware.ldap.tls=true
# edu.vt.middleware.ldap.serviceUser=cn=admin.example.edu
# these to use PEM format cert and key
# pemCaFile=/path/to/ca.pem
# pemCertFile=/path/to/cert.pem
# pemKeyFile=/path/to/key.pem


# The default base DN for searches.
# All subordinate objects will be deleted during tests !
edu.vt.middleware.ldap.baseDn=dc=authorise-dev,dc=ed,dc=ac,dc=uk

# The base DN for groups.
edu.internet2.middleware.psp.groupsBaseDn=ou=grouper,dc=authorise-dev,dc=ed,dc=ac,dc=uk

# The base DN for people.
edu.internet2.middleware.psp.peopleBaseDn=ou=people,ou=central,dc=authorise-dev,dc=ed,dc=ac,dc=uk

# The group object class.
# OpenLDAP, RedHat, 389, ApacheDS, etc.
#edu.internet2.middleware.psp.groupObjectClass=groupOfNames
# Active Directory
# edu.internet2.middleware.psp.groupObjectClass=group

# posixGroup (RFC 2307) requires a gidNumber value on every group entry.
edu.internet2.middleware.psp.groupObjectClass=posixGroup

# The base Grouper stem to be provisioned.
edu.internet2.middleware.psp.baseStem=

# The ldap DN structure may be either flat or bushy.
# In a flat structure all groups are provisioned under a single base DN (container ID).
# A flat group's ldap RDN is its Grouper name or displayName.
# edu.internet2.middleware.psp.structure=flat
# edu.internet2.middleware.psp.cnSourceAttributeID=name

# In a bushy structure groups are provisioned hierarchically, with stems as branches in the tree.
# A bushy group's RDN is its Grouper extension or displayExtension.
edu.internet2.middleware.psp.structure=bushy
edu.internet2.middleware.psp.cnSourceAttributeID=extension

# The QuotedDnResultHandler removes quotes from DNs of the form "CN=quoted/name",DC=edu.
# The FqdnSearchResultHandler makes sure that all ldap dns are fully qualified.
# You may wish to comment out the following property for the Grouper UI or WS.
edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.psp.ldap.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler

# handle Active Directory groups with a large (>1500) number of members
# see https://bugs.internet2.edu/jira/browse/GRP-335
# see http://code.google.com/p/vt-middleware/wiki/vtldapAD#Range_Attributes
# Keep this alternative commented out: java.util.Properties keeps the last
# definition of a duplicate key, so a second live searchResultHandlers line
# would silently replace the one above.
# edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.ldappc.util.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler,edu.internet2.middleware.ldappc.util.RangeSearchResultHandler
Attachment: psp-vt-ldap.xml

<?xml version="1.0" encoding="UTF-8"?>

<beans
  xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:p="http://www.springframework.org/schema/p"
  xmlns:util="http://www.springframework.org/schema/util"
  xsi:schemaLocation="
    http://www.springframework.org/schema/beans classpath:/schema/spring-beans-2.5.xsd
    http://www.springframework.org/schema/util classpath:/schema/spring-util-2.5.xsd">

  <!-- Connection factory built from ldapConfig below. -->
  <bean
    id="ldapFactory"
    class="edu.vt.middleware.ldap.pool.DefaultLdapFactory"
    p:connectOnCreate="false">
    <constructor-arg
      index="0"
      ref="ldapConfig" />
  </bean>

  <!-- Pool sizes and timers are literal values here; the
       edu.vt.middleware.ldap.pool.* settings in ldap.properties are not
       referenced by this file. -->
  <bean
    id="ldapPool"
    class="edu.vt.middleware.ldap.pool.SoftLimitLdapPool"
    init-method="initialize"
    p:blockWaitTime="1000">
    <constructor-arg index="0">
      <bean
        class="edu.vt.middleware.ldap.pool.LdapPoolConfig"
        p:minPoolSize="5"
        p:maxPoolSize="20"
        p:validatePeriodically="true"
        p:validateTimerPeriod="30000"
        p:expirationTime="600000"
        p:pruneTimerPeriod="60000" />
    </constructor-arg>
    <constructor-arg
      index="1"
      ref="ldapFactory" />
  </bean>

  <!-- Connection and bind settings come from ldap.properties via the
       ${...} placeholders. -->
  <bean
    id="ldapConfig"
    class="edu.vt.middleware.ldap.LdapConfig"
    p:ldapUrl="${edu.vt.middleware.ldap.ldapUrl}"
    p:tls="${edu.vt.middleware.ldap.tls}"
    p:ssl="${edu.vt.middleware.ldap.ssl}"
    p:baseDn="${edu.vt.middleware.ldap.baseDn}"
    p:authtype="${edu.vt.middleware.ldap.authtype}"
    p:serviceUser="${edu.vt.middleware.ldap.bindDn}">
    <property
      name="serviceCredential"
      value="${edu.vt.middleware.ldap.bindCredential}" />

    <property name="searchResultHandlers">
      <list>
        <bean
          id="quotedDnSrh"
          class="edu.internet2.middleware.psp.ldap.QuotedDnResultHandler" />
        <bean
          id="fqdnSrh"
          class="edu.vt.middleware.ldap.handler.FqdnSearchResultHandler" />
        <bean
          id="entryDnSrh"
          class="edu.vt.middleware.ldap.handler.EntryDnSearchResultHandler" />
      </list>
    </property>

  </bean>

</beans>
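The ldap.properties posted above shows two hazards that are easy to miss when a properties file is hand-edited or passed through a mail client: a comment that wraps onto a new line without its leading `#` becomes a live key, and a key that appears twice keeps only its last value in java.util.Properties. The posixGroup question Mark raises is a third thing worth checking mechanically, since RFC 2307 lists gidNumber as a MUST attribute of that class. The linter below is an added example written for this thread, not code from Grouper, PSP or vt-ldap; it parses the properties syntax that matters here and runs those checks over a sample constructed from the posted file (with the wrap artifacts left in). The `EXPECTED_PREFIXES` list is an assumption drawn from the key namespaces the file itself uses.

```python
"""Lint an ldap.properties file of the kind PSP / vt-ldap reads.

Added example for this thread, not code from Grouper, PSP or vt-ldap. It
parses the subset of java.util.Properties syntax that matters here
(comment lines, '=' / ':' / whitespace separators, backslash continuation)
and reports:
  WRAPPED_COMMENT   a comment that wrapped onto a new line without '#'
                    and so became a live key
  DUPLICATE_KEY     the same key twice; java.util.Properties keeps the last
  EMPTY_CREDENTIAL  simple bind with a DN but no password (an
                    "unauthenticated bind", RFC 4513 section 5.1.2)
  CLEARTEXT_URL     ldap:// without StartTLS
  POSIXGROUP_GID    groupObjectClass=posixGroup, whose RFC 2307 schema
                    lists gidNumber as MUST
EXPECTED_PREFIXES is an assumption taken from the keys the thread's file uses.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str, int]      # (key, value, line number)
Finding = Tuple[str, int, str]    # (code, line number, message)

EXPECTED_PREFIXES = ("edu.vt.middleware.ldap.", "edu.internet2.middleware.psp.")
# key = first run of non-separator chars; optional '=' or ':' ; rest is value
KEY_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_java_properties(text: str) -> List[Entry]:
    """Parse in file order, keeping duplicates so the linter can see them."""
    entries: List[Entry] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        lineno = i + 1
        raw = lines[i].strip()
        i += 1
        if not raw or raw[0] in "#!":
            continue  # blank or comment line
        # A trailing backslash continues the logical line; the continuation's
        # leading whitespace is dropped, as java.util.Properties does.
        while raw.endswith("\\") and i < len(lines):
            raw = raw[:-1] + lines[i].strip()
            i += 1
        m = KEY_RE.match(raw)
        if m:
            entries.append((m.group(1), m.group(2).strip(), lineno))
    return entries


def effective_properties(text: str) -> Dict[str, str]:
    """What java.util.Properties would actually hand to the application."""
    return {k: v for k, v, _ in parse_java_properties(text)}


def lint_ldap_properties(text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen: Dict[str, int] = {}
    for key, value, lineno in parse_java_properties(text):
        if not key.startswith(EXPECTED_PREFIXES):
            findings.append(("WRAPPED_COMMENT", lineno,
                             f"'{key}' is not a known key; probably a comment "
                             f"line that wrapped without a leading '#'"))
        if key in seen:
            findings.append(("DUPLICATE_KEY", lineno,
                             f"{key} already set on line {seen[key]}; "
                             f"this later value wins"))
        seen[key] = lineno

    eff = effective_properties(text)
    p = "edu.vt.middleware.ldap."
    url = eff.get(p + "ldapUrl", "")
    if url.startswith("ldap://") and eff.get(p + "tls", "false").lower() != "true":
        findings.append(("CLEARTEXT_URL", seen.get(p + "ldapUrl", 0),
                         "simple bind credentials would cross the wire in cleartext"))
    if (eff.get(p + "authtype", "simple") == "simple"
            and eff.get(p + "bindDn") and not eff.get(p + "bindCredential")):
        findings.append(("EMPTY_CREDENTIAL", seen.get(p + "bindCredential", 0),
                         "bindDn set but bindCredential empty: this is an "
                         "unauthenticated bind, which servers normally reject"))
    gc = "edu.internet2.middleware.psp.groupObjectClass"
    if eff.get(gc) == "posixGroup":
        findings.append(("POSIXGROUP_GID", seen.get(gc, 0),
                         "posixGroup requires gidNumber (RFC 2307); an add without "
                         "it fails with objectClassViolation"))
    return findings


# Constructed sample: the relevant lines of the posted file, wrap artifacts intact.
SAMPLE = """\
# This is the configuration file for vt-ldap.
edu.vt.middleware.ldap.ldapUrl=ldaps://bonsai.authorise-dev.is.ed.ac.uk:636
edu.vt.middleware.ldap.bindDn=cn=Manager,dc=authorise-dev,dc=ed,dc=ac,dc=uk
edu.vt.middleware.ldap.bindCredential=
# The bind credential may be external and encrypted:
https://bugs.internet2.edu/jira/browse/GRP-122
edu.vt.middleware.ldap.authtype=simple
edu.vt.middleware.ldap.ssl=true
edu.vt.middleware.ldap.tls=false
edu.internet2.middleware.psp.groupObjectClass=posixGroup
# In a flat structure all groups are provisioned under a single base DN
(container ID).
edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.psp.ldap.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler
#
edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.ldappc.util.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler,edu.internet2.middleware.ldappc.util.RangeSearchResultHandler
"""

if __name__ == "__main__":
    for code, line, msg in lint_ldap_properties(SAMPLE):
        print(f"line {line:3d}  {code:16s} {msg}")
```

Run against the sample it flags lines 6 and 12 as wrapped comments, line 15 as a duplicate whose ldappc.util handler list would be the one actually loaded, the empty simple-bind credential, and the posixGroup/gidNumber requirement; point it at a real file with `lint_ldap_properties(open(path).read())` before starting a bulkSync.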
