grouper-users - Re: [grouper-users] LDAP auth and the wheel group?

Subject: Grouper Users - Open Discussion List

  • From: "Peter St. Onge" <>
  • To:
  • Subject: Re: [grouper-users] LDAP auth and the wheel group?
  • Date: Fri, 23 Jan 2015 17:02:00 -0500

On 15-01-20 10:29 AM, Michael White wrote:
> Hi Carl,
>
>> When you change the wheel settings in the config, are you rebuilding the WAR
>> file and redeploying it?
>
> Nope! It's obvious when you say it, but it hadn't occurred to me to do this!
> :-(
>
> So, I deleted the expanded WARs from Tomcat, rebuilt and redeployed the
> Grouper UI and Bingo, it worked!!!!!! :-)
>
> I'm now able to log on via LDAP using my own account and I now appear to have the appropriate
> admin privileges as expected (and no "Error" in the "Browse folders" panel).
>
> Phew! I feel a little bit of a banana for not realising I needed to do this, but also
> relieved that it was "that simple" :-)
>
> Thanks again Carl.
>
> Peter - any chance this is the cause of your problems too?

It was indeed - I now see the 'act as admin' box in the Admin UI.

Apparently, I'm still learning where configuration info has to go so that it survives redeployment, however. :)

Thanks and Best, -- pete




Regards,

Mike

Michael White
eLearning Liaison and Development (eLD)
Information Services
S8, Library
University of Stirling
Stirling SCOTLAND
FK9 4LA
Email:

Tel: +44 (0) 1786 466877
Fax: +44 (0) 1786 466880
http://www.stir.ac.uk/is/staff/about/teams/aldt/#eld


-----Original Message-----
From: Waldbieser, Carl
[mailto:]
Sent: 20 January 2015 15:06
To: Michael White
Cc:

Subject: Re: [grouper-users] LDAP auth and the wheel group?

Michael,

When you change the wheel settings in the config, are you rebuilding the
WAR file and redeploying it? I tended to do that a lot when I was playing
around with settings, including manually deleting files from the tomcat
`webapps` folder before copying the new WAR file there and starting tomcat.

Thanks,
Carl

----- Original Message -----
From: "Michael White"
<>
To: "Carl Waldbieser"
<>,
grouper-

Sent: Tuesday, January 20, 2015 9:54:39 AM
Subject: RE: [grouper-users] LDAP auth and the wheel group?

Hi Carl,

> Did you create the wheel group and add yourself to it via the web UI or via
> GSH?

I did it via the (new) web UI (as a Grouper newbie I've not been brought up on
the gsh command line stuff ;-) ) . . .

> If you drop into GSH and create the group and add your account to it,
> it ought to work.

Thanks for this suggestion - I've been trying it, but still no joy :-(

I deleted the wheel group via the web UI and then tried recreating it via gsh,
using:

gsh 0% addGroup("etc", "sysadmingroup", "SysAdmin Group")
group: name='etc:sysadmingroup' displayName='etc:SysAdmin Group' uuid='58c1d8dc6360450d93aac212c139b047'
gsh 1% addMember("etc:sysadmingroup", "mw6")
true

- the group is created with me as a member as expected, but when I switch
back to LDAP authentication I'm still not getting any kind of Admin privileges
when I log on using my account - I still see the "Error" in the "Browse
Folders" panel on the new UI, and I don't have access to any Groups via the
Admin GUI that I've not been allocated explicit privileges for (i.e. I've
still got no admin privileges via the Admin UI either) :-(

I also tried deleting the group and getting Grouper to recreate it
automatically via "configuration.autocreate.system.groups = true" in
grouper.properties . . .

This worked in terms of creating the group - I then added myself to it via
gsh, but still no (admin) joy . . .

I've also checked via gsh that Grouper knows I'm a member of the
sysadmingroup:

gsh 0% GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 46bca74ce06f40f085da324a2d4c79ca,'GrouperSystem','application'
gsh 1% subj = findSubject("mw6")
subject: id='mw6' type='person' source='jndi' name='Michael White'
gsh 2% sess = GrouperSession.start(subj)
edu.internet2.middleware.grouper.GrouperSession: 68ce3eb0ee3a4ab787466d80ba4885a5,'mw6','person'
gsh 3% member = MemberFinder.findBySubject(sess, subj)
member: id='mw6' type='person' source='jndi' uuid='5c605c2715de4640829cda8e88aab41f'
gsh 4% member.getGroups()
group: name='etc:grouperUi:grouperUiUserData' displayName='etc:grouperUi:grouperUiUserData' uuid='58cd349ec9904e9786e9c6cbda02e4e2'
group: name='etc:sysadmingroup' displayName='etc:SysAdmin Group' uuid='58c1d8dc6360450d93aac212c139b047'
group: name='uos_test:apps:vpn:all_users' displayName='uos_test:apps:vpn:all_users' uuid='197f152a977547c8be432a3888136092'
.... + other groups snipped out ...

Finally, I've also been trying to upgrade as per Chris's suggestion, but the
installer is falling on its face when I try and upgrade the UI (saying it
can't find the UI properties file, even though it appears to be there to the
naked eye - the API upgrade that I did first appears to have worked OK) so I
can't say whether or not that would resolve my problem!

Any additional thoughts, observations or suggestions (on fixing the wheel
group issue or getting the installer to upgrade from v2.2.0 to v2.2.1
successfully) would be most welcome!

Cheers,

Mike

Michael White
eLearning Liaison and Development (eLD)
Information Services
S8, Library
University of Stirling
Stirling SCOTLAND
FK9 4LA
Email:

Tel: +44 (0) 1786 466877
Fax: +44 (0) 1786 466880
http://www.stir.ac.uk/is/staff/about/teams/aldt/#eld


-----Original Message-----
From: Waldbieser, Carl
[mailto:]
Sent: 19 January 2015 17:23
To: Michael White
Cc:

Subject: Re: [grouper-users] LDAP auth and the wheel group?

Michael,

Did you create the wheel group and add yourself to it via the web UI
or via GSH?
Using the web UI to do this did not work for me. There is a note
about it in the online docs, somewhere.
If you drop into GSH and create the group and add your account to it,
it ought to work.

I seem to recall the first time when I made the mistake of creating
the wheel group via the new UI, I was able to drop into GSH, remove my
account, re-add it, and save the group, and that straightened everything out.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: "Michael White"
<>
To:

Sent: Monday, January 19, 2015 11:31:04 AM
Subject: [grouper-users] LDAP auth and the wheel group?

Hi,

I'm still in the early stages of playing and learning with Grouper
v2.2.0. I've got a basic folder/group hierarchy set up, subjects
coming from AD, and a number of groups being successfully populated via
the Loader :-).

I'm now trying to switch to using our AD for authentication by
switching to a JNDIRealm in Tomcat's server.xml - of course this means
that I can no longer log on using the GrouperSystem account, so I've
been trying to enable my AD account to be an admin account in Grouper by
adding it to my "wheel" group . . .

I've added:

groups.wheel.use = true

- to "grouper.properties", and I note:

groups.wheel.group = etc:sysadmingroup

- in "grouper.base.properties".

I created "etc:sysadmingroup" (as the Grouper System user) and added
myself to it, however this doesn't appear to be working as hoped/expected.

If I log on using my AD username, authentication appears to work and I
arrive at the Grouper (new) UI and I'm correctly identified as me in
the "Logged in as" line, but in the "Browse Folders" panel, it just
shows "Error", which is reflected in the logs (appropriate snippet attached).

If I switch to the old UI, I can browse the folder hierarchy, but I
can only see groups that I have been granted explicit permissions for
(i.e. still not behaving as an admin user).

Have I misunderstood how this is supposed to work? or am I missing
something obvious (or done something stupid!)?

Any thoughts, observations, or pointers would be most welcome as I'm
not sure what to try next.

Cheers,

Mike

Michael White
eLearning Liaison and Development (eLD)
Information Services
S8, Library
University of Stirling
Stirling SCOTLAND
FK9 4LA
Email:

Tel: +44 (0) 1786 466877
Fax: +44 (0) 1786 466880
http://www.stir.ac.uk/is/staff/about/teams/aldt/#eld



--
The University of Stirling has been ranked in the top 12 of UK
universities for graduate employment*.
94% of our 2012 graduates were in work and/or further study within six
months of graduation.
*The Telegraph
The University of Stirling is a charity registered in Scotland, number
SC 011159.






--
Peter St. Onge

Information Security Architect (416)978-5030
Business Continuity and Communications
Information + Technology Services University of Toronto
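
The problem resolved in this thread was that edits to the wheel settings had no effect until the WAR was rebuilt and redeployed. The script below is an added example, not code from any poster or from the Grouper project: it compares the effective `groups.wheel.use` and `groups.wheel.group` values in a source config directory against a deployed copy. It assumes each directory holds `grouper.base.properties` plus an optional `grouper.properties` override; the function names, directory arguments and sample files are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: each directory holds
# grouper.base.properties and, optionally, a grouper.properties override.

# effective_prop DIR KEY: print KEY's value, grouper.properties overriding
# grouper.base.properties. Handles only the "key = value" form seen in the thread.
effective_prop() (
  dir=$1; key=$2; result=
  for f in "$dir/grouper.base.properties" "$dir/grouper.properties"; do
    [ -f "$f" ] || continue
    hit=$(awk -v k="$key" '
      /^[ \t]*[#!]/ { next }                      # comment lines
      { i = index($0, "="); if (i == 0) next
        name = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", name)
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (name == k) { v = val; found = 1 } }   # last assignment in a file wins
      END { if (found) print "=" v }' "$f")
    if [ -n "$hit" ]; then result=${hit#=}; fi
  done
  printf '%s\n' "$result"
)

# wheel_drift SRC DEPLOYED: report wheel settings that differ; exit 1 on drift.
wheel_drift() (
  rc=0
  for key in groups.wheel.use groups.wheel.group; do
    want=$(effective_prop "$1" "$key"); have=$(effective_prop "$2" "$key")
    if [ "$want" != "$have" ]; then
      echo "DRIFT $key: source='$want' deployed='$have'"; rc=1
    fi
  done
  exit "$rc"
)

# With two arguments, compare real directories; otherwise run on constructed samples.
if [ "$#" -eq 2 ]; then
  wheel_drift "$1" "$2"
else
  tmp=$(mktemp -d); mkdir "$tmp/src" "$tmp/deployed"
  printf 'groups.wheel.use = false\ngroups.wheel.group = etc:sysadmingroup\n' \
    | tee "$tmp/src/grouper.base.properties" > "$tmp/deployed/grouper.base.properties"
  printf 'groups.wheel.use = true\n' > "$tmp/src/grouper.properties"  # edited, not redeployed
  wheel_drift "$tmp/src" "$tmp/deployed" || echo "redeploy needed"
  rm -rf "$tmp"
fi
```

Pass the directory where the properties are edited and the directory the running webapp reads them from, for example the expanded webapp's `WEB-INF/classes` (an assumption about the deployment layout).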


