Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] LDAP auth and the wheel group?

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] LDAP auth and the wheel group?


Chronological Thread 
  • From: Michael White <>
  • To: "Waldbieser, Carl" <>, "" <>
  • Subject: RE: [grouper-users] LDAP auth and the wheel group?
  • Date: Tue, 20 Jan 2015 14:54:39 +0000
  • Accept-language: en-US, en-GB
  • Acceptlanguage: en-US, en-GB

Hi Carl,

> Did you create the wheel group and add yourself to it via the web UI or via
> GSH?

I did it via the (new) web UI (as a Grouper newbie I've not been brought up
on the gsh command line stuff ;-) ) . . .

> If you drop into GSH and create the group and add your account to it, it
> ought
> to work.

Thanks for this suggestion - I've been trying it, but still no joy :-(

I deleted the wheel group via the web UI and then tried recreating it via
gsh, using:

gsh 0% addGroup("etc", "sysadmingroup", "SysAdmin Group")
group: name='etc:sysadmingroup' displayName='etc:SysAdmin Group'
uuid='58c1d8dc6360450d93aac212c139b047'
gsh 1% addMember("etc:sysadmingroup", "mw6")
true

- the group is created with me as a member as expected, but when I switch
back to LDAP authentication I'm still not getting any kind of Admin
privileges when I log on using my account - I still see the "Error" in the
"Browse Folders" panel on the new UI, and I don't have access to any Groups
via the Admin GUI that I've not been allocated explicit privileges for (i.e.
I've still got no admin privileges via the Admin UI either) :-(

I also tried deleting the group and getting Grouper to recreate it
automatically via "configuration.autocreate.system.groups = true" in
grouper.properties . . .

This worked in terms of creating the group - I then added myself to it via
gsh, but still no (admin) joy . . .

I've also checked via gsh that Grouper knows I'm a member of the
sysadmingroup:

gsh 0% GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession:
46bca74ce06f40f085da324a2d4c79ca,'GrouperSystem','application'
gsh 1% subj = findSubject("mw6")
subject: id='mw6' type='person' source='jndi' name='Michael White'
gsh 2% sess = GrouperSession.start(subj)
edu.internet2.middleware.grouper.GrouperSession:
68ce3eb0ee3a4ab787466d80ba4885a5,'mw6','person'
gsh 3% member = MemberFinder.findBySubject(sess, subj)
member: id='mw6' type='person' source='jndi'
uuid='5c605c2715de4640829cda8e88aab41f'
gsh 4% member.getGroups()
group: name='etc:grouperUi:grouperUiUserData'
displayName='etc:grouperUi:grouperUiUserData'
uuid='58cd349ec9904e9786e9c6cbda02e4e2'
group: name='etc:sysadmingroup' displayName='etc:SysAdmin Group'
uuid='58c1d8dc6360450d93aac212c139b047'
group: name='uos_test:apps:vpn:all_users'
displayName='uos_test:apps:vpn:all_users'
uuid='197f152a977547c8be432a3888136092'
.... + other groups snipped out ...

Finally, I've also been trying to upgrade as per Chris's suggestion, but the
installer is falling on its face when I try and upgrade the UI (saying it
can't find the UI properties file, even though it appears to be there to the
naked eye - the API upgrade that I did first appears to have worked OK) so I
can't say whether or not that would resolve my problem!

Any additional thoughts, observations or suggestions (on fixing the wheel
group issue or getting the installer to upgrade from v2.2.0 to v2.2.1
successfully) would be most welcome!

Cheers,

Mike

Michael White
eLearning Liaison and Development (eLD)
Information Services
S8, Library
University of Stirling
Stirling SCOTLAND
FK9 4LA
Email:


Tel: +44 (0) 1786 466877
Fax: +44 (0) 1786 466880
http://www.stir.ac.uk/is/staff/about/teams/aldt/#eld


> -----Original Message-----
> From: Waldbieser, Carl
> [mailto:]
> Sent: 19 January 2015 17:23
> To: Michael White
> Cc:
>
> Subject: Re: [grouper-users] LDAP auth and the wheel group?
>
> Michael,
>
> Did you create the wheel group and add yourself to it via the web UI or via
> GSH?
> Using the web UI to do this did not work for me. There is a note about it
> in the
> online docs, somewhere.
> If you drop into GSH and create the group and add your account to it, it
> ought
> to work.
>
> I seem to recall the first time when I made the mistake of creating the
> wheel
> group via the new UI, I was able to drop into GSH, remove my account, re-add
> it, and save the group, and that straightened everything out.
>
> Thanks,
> Carl Waldbieser
> ITS System Programmer
> Lafayette College
>
> ----- Original Message -----
> From: "Michael White"
> <>
> To:
>
> Sent: Monday, January 19, 2015 11:31:04 AM
> Subject: [grouper-users] LDAP auth and the wheel group?
>
> Hi,
>
> I'm still in the early stages of playing and learning with Grouper v2.2.0.
> I've got
> a basic folder/group hierarchy set up, subjects coming from AD, and a number
> of groups being successfully populated via the Loader :-).
>
> I'm now trying to switch to using our AD for authentication by switching to
> a
> JNDIRealm in Tomcat's server.xml - of course this means that I can no longer
> log on using the GrouperSystem account, so I've been trying to enable my AD
> account to be an admin account in Grouper by adding it to my "wheel" group .
> . .
>
> I've added:
>
> groups.wheel.use = true
>
> - to "grouper.properties", and I note:
>
> groups.wheel.group = etc:sysadmingroup
>
> - in "grouper.base.properties".
>
> I created "etc:sysadmingroup" (as the Grouper System user) and added myself
> to it, however this doesn't appear to be working as hoped/expected.
>
> If I log on using my AD username, authentication appears to work and I
> arrive
> at the Grouper (new) UI and I'm correctly identified as me in the "Logged in
> as" line, but in the "Browse Folders" panel, it just shows "Error", which is
> reflected in the logs (appropriate snippet attached).
>
> If I switch to the old UI, I can browse the folder hierarchy, but I can
> only see
> groups that I have been granted explicit permissions for (i.e. still not
> behaving
> as an admin user).
>
> Have I misunderstood how this is supposed to work? or am I missing
> something obvious (or done something stupid!)?
>
> Any thoughts, observations, or pointers would be most welcome as I'm not
> sure what to try next.
>
> Cheers,
>
> Mike
>
> Michael White
> eLearning Liaison and Development (eLD)
> Information Services
> S8, Library
> University of Stirling
> Stirling SCOTLAND
> FK9 4LA
> Email:
>
> Tel: +44 (0) 1786 466877
> Fax: +44 (0) 1786 466880
> http://www.stir.ac.uk/is/staff/about/teams/aldt/#eld
>
>
>
> --
> The University of Stirling has been ranked in the top 12 of UK universities
> for
> graduate employment*.
> 94% of our 2012 graduates were in work and/or further study within six
> months of graduation.
> *The Telegraph
> The University of Stirling is a charity registered in Scotland, number SC
> 011159.


--
The University of Stirling has been ranked in the top 12 of UK universities
for graduate employment*.
94% of our 2012 graduates were in work and/or further study within six months
of graduation.
*The Telegraph
The University of Stirling is a charity registered in Scotland, number SC
011159.




Archive powered by MHonArc 2.6.16.

Top of Page