
grouper-users - Re: [grouper-users] PSP to LDAP- member provisioning

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] PSP to LDAP- member provisioning


  • From: Mark Cairney <>
  • To: David Langenberg <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] PSP to LDAP- member provisioning
  • Date: Tue, 16 Sep 2014 10:59:41 +0100

Hi Dave,

Here you go (minus the password). I've also attached our psp-vt-ldap.xml
file too in case that's relevant.


On 15/09/14 21:58, David Langenberg wrote:
> Hi Mark,
>
> What does your ldap.properties look like (sanitized of course)?
>
> Dave
>
> On Fri, Sep 12, 2014 at 8:41 AM, Mark Cairney
> <>
> wrote:
>
>> Hi,
>>
>> We've made a bit of progress re: provisioning our LDAP from Grouper.
>> It's now creating the stem and group objects but we can't get it to
>> create user accounts.
>> If we use ldap as the source for members it doesn't do anything at all-
>> as far as I can tell it's not even attempting to look up user DNs.
>>
>> If we use grouper as the source we were having the same issue however
>> adding an additional field of the form: "uid=<uid>" in the Grouper does
>> populate members but without the people baseDN so the user objects
>> aren't actually members as far as LDAP is concerned and the memberOf
>> attribute isn't updated. As our current LDAP target has a flat users OU
>> we could construct the full user DN in the database and use that as the
>> source field but this would limit us going forward e.g. if we were to
>> provision to AD as well as our AD doesn't have a flat namespace for user
>> DNs.
>>
>> Having compared the relevant sections of psp-resolver.xml, psp.xml and
>> sources.xml I can't see any obvious differences between what we have and
>> what's in the examples.
>>
>> I've got a feeling we're close but I'm a bit puzzled by this as I would
>> have thought this should be standard behaviour.
>>
>> I've attached the psp-resolver.xml and sources.xml files both with and
>> without LDAP set up, our psp.xml (which wasn't actually changed) and the
>> error log for a bulksync run using only a small stem. The posixGroup
>> errors can be ignored as these are just groups which don't have a gid
>> field in Grouper.
>>

--
/****************************

Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email:

PGP: 0x435A9621

*******************************/

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

Attachment: ldap.properties
# This is the configuration file for vt-ldap.
# See http://code.google.com/p/vt-middleware/wiki/vtldapProperties

edu.vt.middleware.ldap.ldapUrl=ldaps://bonsai.authorise-dev.is.ed.ac.uk:636
edu.vt.middleware.ldap.searchScope=SUBTREE

# authn if simple
edu.vt.middleware.ldap.bindDn=cn=Manager,dc=authorise-dev,dc=ed,dc=ac,dc=uk
edu.vt.middleware.ldap.bindCredential=*************
# The bind credential may be external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122
# edu.vt.middleware.ldap.bindCredential=/path/to/ldap.pwd
edu.vt.middleware.ldap.authtype=simple

# encryption
edu.vt.middleware.ldap.ssl=true
edu.vt.middleware.ldap.tls=false

# pooling options
edu.vt.middleware.ldap.pool.minPoolSize = 2
edu.vt.middleware.ldap.pool.maxPoolSize = 5

# paged results
edu.vt.middleware.ldap.pagedResultsSize=0

# authn for sasl external (certificates)
# edu.vt.middleware.ldap.authtype=EXTERNAL
# edu.vt.middleware.ldap.tls=true
# edu.vt.middleware.ldap.serviceUser=cn=admin.example.edu
# these to use PEM format cert and key
# pemCaFile=/path/to/ca.pem
# pemCertFile=/path/to/cert.pem
# pemKeyFile=/path/to/key.pem


# The default base DN for searches.
# All subordinate objects will be deleted during tests !
edu.vt.middleware.ldap.baseDn=dc=authorise-dev,dc=ed,dc=ac,dc=uk

# The base DN for groups.
edu.internet2.middleware.psp.groupsBaseDn=ou=grouper,dc=authorise-dev,dc=ed,dc=ac,dc=uk

# The base DN for people.
edu.internet2.middleware.psp.peopleBaseDn=ou=people,ou=central,dc=authorise-dev,dc=ed,dc=ac,dc=uk

# The group object class.
# OpenLDAP, RedHat, 389, ApacheDS, etc.
edu.internet2.middleware.psp.groupObjectClass=groupOfNames
# Active Directory
# edu.internet2.middleware.psp.groupObjectClass=group

#edu.internet2.middleware.psp.groupObjectClass=posixGroup

# The base Grouper stem to be provisioned.
edu.internet2.middleware.psp.baseStem=adhoc

# The ldap DN structure may be either flat or bushy.
# In a flat structure all groups are provisioned under a single base DN (container ID).
# A flat group's ldap RDN is its Grouper name or displayName.
# edu.internet2.middleware.psp.structure=flat
# edu.internet2.middleware.psp.cnSourceAttributeID=name

# In a bushy structure groups are provisioned hierarchically, with stems as branches in the tree.
# A bushy group's RDN is its Grouper extension or displayExtension.
edu.internet2.middleware.psp.structure=bushy
edu.internet2.middleware.psp.cnSourceAttributeID=extension

# The QuotedDnResultHandler removes quotes from DNs of the form "CN=quoted/name",DC=edu.
# The FqdnSearchResultHandler makes sure that all ldap dns are fully qualified.
# You may wish to comment out the following property for the Grouper UI or WS.
edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.psp.ldap.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler

# handle Active Directory groups with a large (>1500) number of members
# see https://bugs.internet2.edu/jira/browse/GRP-335
# see http://code.google.com/p/vt-middleware/wiki/vtldapAD#Range_Attributes
#
# This key is already set above, and a second uncommented definition of the
# same key overrides the first, so keep this Active Directory variant commented
# out unless the target is AD.
# edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.ldappc.util.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler,edu.internet2.middleware.ldappc.util.RangeSearchResultHandler

Attachment: psp-vt-ldap.xml
<?xml version="1.0" encoding="UTF-8"?>

<beans
  xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:p="http://www.springframework.org/schema/p"
  xmlns:util="http://www.springframework.org/schema/util"
  xsi:schemaLocation="
    http://www.springframework.org/schema/beans classpath:/schema/spring-beans-2.5.xsd
    http://www.springframework.org/schema/util classpath:/schema/spring-util-2.5.xsd">

  <bean
    id="ldapFactory"
    class="edu.vt.middleware.ldap.pool.DefaultLdapFactory"
    p:connectOnCreate="false">
    <constructor-arg
      index="0"
      ref="ldapConfig" />
  </bean>

  <bean
    id="ldap"
    class="edu.vt.middleware.ldap.pool.SoftLimitLdapPool"
    init-method="initialize"
    p:blockWaitTime="1000">
    <constructor-arg index="0">
      <bean
        class="edu.vt.middleware.ldap.pool.LdapPoolConfig"
        p:minPoolSize="5"
        p:maxPoolSize="20"
        p:validatePeriodically="true"
        p:validateTimerPeriod="30000"
        p:expirationTime="600000"
        p:pruneTimerPeriod="60000" />
    </constructor-arg>
    <constructor-arg
      index="1"
      ref="ldapFactory" />
  </bean>

  <bean
    id="ldapConfig"
    class="edu.vt.middleware.ldap.LdapConfig"
    p:ldapUrl="${edu.vt.middleware.ldap.ldapUrl}"
    p:tls="${edu.vt.middleware.ldap.tls}"
    p:ssl="${edu.vt.middleware.ldap.ssl}"
    p:baseDn="${edu.vt.middleware.ldap.baseDn}"
    p:authtype="${edu.vt.middleware.ldap.authtype}"
    p:serviceUser="${edu.vt.middleware.ldap.bindDn}">
    <property
      name="serviceCredential"
      value="${edu.vt.middleware.ldap.bindCredential}" />

    <property name="searchResultHandlers">
      <list>
        <bean
          id="quotedDnSrh"
          class="edu.internet2.middleware.psp.ldap.QuotedDnResultHandler" />
        <bean
          id="fqdnSrh"
          class="edu.vt.middleware.ldap.handler.FqdnSearchResultHandler" />
        <bean
          id="entryDnSrh"
          class="edu.vt.middleware.ldap.handler.EntryDnSearchResultHandler" />
      </list>
    </property>

  </bean>

</beans>
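The failure mode described in the quoted message, where members are written as "uid=<uid>" without the people base DN so LDAP never treats them as group members, can be checked on an exported group entry. This is an added example, not code from the thread or from Grouper/PSP: the LDIF, the uids and the group name are constructed, and the peopleBaseDn is the value from the posted ldap.properties.

```python
# Added example, not code from the thread or from Grouper/PSP: checks a
# provisioned groupOfNames entry for member values of the form "uid=<uid>"
# (no people base DN) or DNs rooted elsewhere, which LDAP will not resolve.
# The LDIF, the uids and the group name below are constructed for illustration.
import re

# peopleBaseDn value from the posted ldap.properties.
PEOPLE_BASE_DN = "ou=people,ou=central,dc=authorise-dev,dc=ed,dc=ac,dc=uk"

# Constructed LDIF: one full member DN, one bare RDN, one DN outside the base.
SAMPLE_LDIF = """\
dn: cn=staff,ou=adhoc,ou=grouper,dc=authorise-dev,dc=ed,dc=ac,dc=uk
objectClass: groupOfNames
cn: staff
member: uid=alice,ou=people,ou=central,dc=authorise-dev,dc=ed,dc=ac,dc=uk
member: uid=bob
member: cn=svc-backup,ou=services,dc=authorise-dev,dc=ed,dc=ac,dc=uk
"""

def normalize_dn(dn):
    # Split on unescaped commas; lower-case types and values so that
    # "CN=X, DC=Y" and "cn=x,dc=y" compare equal (plain OpenLDAP-style DNs).
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        typ, _, val = part.strip().partition("=")
        rdns.append((typ.strip().lower(), val.strip().lower()))
    return rdns

def is_under_base(dn, base):
    # True only for a proper descendant: same suffix and at least one more RDN.
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) > len(b) and d[-len(b):] == b

def member_values(ldif):
    # Collect "member:" values; "memberOf:" lines do not match this prefix.
    return [line.split(":", 1)[1].strip()
            for line in ldif.splitlines() if line.lower().startswith("member:")]

def find_bad_members(ldif, base=PEOPLE_BASE_DN):
    # Returns (bare_rdns, dns_outside_base); both empty means every member resolves.
    bare, elsewhere = [], []
    for value in member_values(ldif):
        if is_under_base(value, base):
            continue
        (bare if "," not in value else elsewhere).append(value)
    return bare, elsewhere

if __name__ == "__main__":
    print(find_bad_members(SAMPLE_LDIF))
```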
