Grouper Users - Open Discussion List

["Peter St. Onge" <>]

On 15-01-20 10:29 AM, Michael White wrote:
> Hi Carl,
>
> > When you change the wheel settings in the config, are you rebuilding the WAR 
> > file and redeploying it?
>
> Nope! It's obvious when you say it, but it hadn't occurred to me to do this! 
> :-(
>
> So, I deleted the expanded WARs from Tomcat, rebuilt and redeployed the 
> Grouper UI and Bingo, it worked!!!!!! :-)
>
> I'm now able to log on via LDAP using my own account and I now appear to have the appropriate 
> admin privileges as expected (and no "Error" in the "Browse folders" panel).
>
> Phew! I feel a little bit of a banana for not realising I needed to do this, but also 
> relieved that it was "that simple" :-)
>
> Thanks again Carl.
>
> Peter - any chance this is the cause of your problems too?

It was indeed - I now see the 'act as admin' box in the Admin UI.

Apparently, I'm still learning where configuration info has to go so 
that it survives redeployment, however. :)

Thanks and Best, -- pete



> Regards,
>
> Mike
>
> Michael White
> eLearning Liaison and Development (eLD)
> Information Services
> S8, Library
> University of Stirling
> Stirling SCOTLAND
> FK9 4LA
> Email: 
>
> Tel: +44 (0) 1786 466877
> Fax: +44 (0) 1786 466880
> http://www.stir.ac.uk/is/staff/about/teams/aldt/#eld
>
>
> > -----Original Message-----
> > From: Waldbieser, Carl 
> > [mailto:]
> > Sent: 20 January 2015 15:06
> > To: Michael White
> > Cc: 
> >
> > Subject: Re: [grouper-users] LDAP auth and the wheel group?
> >
> > Michael,
> >
> > When you change the wheel settings in the config, are you rebuilding the
> > WAR file and redeploying it?  I tended to do that a lot when I was playing
> > around with settings, including manually deleting files from the tomcat
> > `webapps` folder before copying the new WAR file there and starting tomcat.
> >
> > Thanks,
> > Carl
> >
> > ----- Original Message -----
> > From: "Michael White" 
> > <>
> > To: "Carl Waldbieser" 
> > <>,
> >  grouper-
> >
> > Sent: Tuesday, January 20, 2015 9:54:39 AM
> > Subject: RE: [grouper-users] LDAP auth and the wheel group?
> >
> > Hi Carl,
> >
> > > Did you create the wheel group and add yourself to it via the web UI or via
> > GSH?
> >
> > I did it via the (new) web UI (as a Grouper newbie I've not been brought up on
> > the gsh command line stuff ;-) ) . .  .
> >
> > > If you drop into GSH and create the group and add your account to it,
> > > it ought to work.
> >
> > Thanks for this suggestion - I've been trying it, but still no joy :-(
> >
> > I deleted the wheel group via the web UI and then tried recreating it via gsh,
> > using:
> >
> > gsh 0% addGroup("etc", "sysadmingroup", "SysAdmin Group")
> > group: name='etc:sysadmingroup' displayName='etc:SysAdmin Group'
> > uuid='58c1d8dc6360450d93aac212c139b047'
> > gsh 1% addMember("etc:sysadmingroup", "mw6") true
> >
> > - the group is created with me as a member as expected, but when I switch
> > back to LDAP authentication I'm still not getting any kind of Admin privileges
> > when I log on using my account - I still see the "Error" in the "Browse 
> > Folders"
> > panel on the new UI, and I don't have access to any Groups via the Admin GUI
> > that I've not been allocated explicit privileges for (i.e. I've still got no 
> > admin
> > privileges via the Admin UI either) :-(
> >
> > I also tried deleting the group and getting Grouper to recreate it 
> > automatically
> > via "configuration.autocreate.system.groups = true" in grouper.properties . . 
> > .
> >
> > This worked in terms of creating the group - I then added myself to it via 
> > gsh,
> > but still no (admin) joy . . .
> >
> > I've also checked via gsh that Grouper knows I'm a member of the
> > sysadmingroup:
> >
> > gsh 0% GrouperSession.startRootSession();
> > edu.internet2.middleware.grouper.GrouperSession:
> > 46bca74ce06f40f085da324a2d4c79ca,'GrouperSystem','application'
> > gsh 1% subj = findSubject("mw6")
> > subject: id='mw6' type='person' source='jndi' name='Michael White'
> > gsh 2% sess = GrouperSession.start(subj)
> > edu.internet2.middleware.grouper.GrouperSession:
> > 68ce3eb0ee3a4ab787466d80ba4885a5,'mw6','person'
> > gsh 3% member = MemberFinder.findBySubject(sess, subj)
> > member: id='mw6' type='person' source='jndi'
> > uuid='5c605c2715de4640829cda8e88aab41f'
> > gsh 4% member.getGroups()
> > group: name='etc:grouperUi:grouperUiUserData'
> > displayName='etc:grouperUi:grouperUiUserData'
> > uuid='58cd349ec9904e9786e9c6cbda02e4e2'
> > group: name='etc:sysadmingroup' displayName='etc:SysAdmin Group'
> > uuid='58c1d8dc6360450d93aac212c139b047'
> > group: name='uos_test:apps:vpn:all_users'
> > displayName='uos_test:apps:vpn:all_users'
> > uuid='197f152a977547c8be432a3888136092'
> > .... + other groups snipped out ...
> >
> > Finally, I've also been trying to upgrade as per Chris's suggestion, but the
> > installer is falling on its face when I try and upgrade the UI (saying it 
> > can't find
> > the UI properties file, even though it appears to be there to the naked eye -
> > the API upgrade that I did first appears to have worked OK) so I can't say
> > whether or not that would resolve my problem!
> >
> > Any additional thoughts, observations or suggestions (on fixing the wheel
> > group issue or getting the installer to upgrade from v2.2.0 to v2.2.1
> > successfully) would be most welcome!
> >
> > Cheers,
> >
> > Mike
> >
> > Michael White
> > eLearning Liaison and Development (eLD)
> > Information Services
> > S8, Library
> > University of Stirling
> > Stirling SCOTLAND
> > FK9 4LA
> > Email: 
> >
> > Tel: +44 (0) 1786 466877
> > Fax: +44 (0) 1786 466880
> > http://www.stir.ac.uk/is/staff/about/teams/aldt/#eld
> >
> >
> > > -----Original Message-----
> > > From: Waldbieser, Carl 
> > > [mailto:]
> > > Sent: 19 January 2015 17:23
> > > To: Michael White
> > > Cc: 
> > >
> > > Subject: Re: [grouper-users] LDAP auth and the wheel group?
> > >
> > > Michael,
> > >
> > > Did you create the wheel group and add yourself to it via the web UI
> > > or via GSH?
> > > Using the web UI to do this did not work for me.  There is a note
> > > about it in the online docs, somewhere.
> > > If you drop into GSH and create the group and add your account to it,
> > > it ought to work.
> > >
> > > I seem to recall the first time when I made the mistake of creating
> > > the wheel group via the new UI, I was able to drop into GSH, remove my
> > > account, re-add it, and save the group, and that straightened everything out.
> > >
> > > Thanks,
> > > Carl Waldbieser
> > > ITS System Programmer
> > > Lafayette College
> > >
> > > ----- Original Message -----
> > > From: "Michael White" 
> > > <>
> > > To: 
> > >
> > > Sent: Monday, January 19, 2015 11:31:04 AM
> > > Subject: [grouper-users] LDAP auth and the wheel group?
> > >
> > > Hi,
> > >
> > > I'm still in the early stages of playing and learning with Grouper
> > > v2.2.0. I've got a basic folder/group hierarchy set up, subjects
> > > coming from AD, and a number of groups being successfully populated via
> > the Loader :-).
> > > I'm now trying to switch to using our AD for authentication by
> > > switching to a JNDIRealm in Tomcat's server.xml - of course this means
> > > that I can no longer log on using the GrouperSystem account, so I've
> > > been trying to enable my AD account to be an admin account in Grouper by
> > adding it to my "wheel" group .
> > > . .
> > >
> > > I've added:
> > >
> > > groups.wheel.use                      = true
> > >
> > > - to "grouper.properties", and I note:
> > >
> > > groups.wheel.group                    = etc:sysadmingroup
> > >
> > > - in "grouper.base.properties".
> > >
> > > I created "etc:sysadmingroup" (as the Grouper System user) and added
> > > myself to it, however this doesn't appear to be working as hoped/expected.
> > >
> > > If I log on using my AD username, authentication appears to work and I
> > > arrive at the Grouper (new) UI and I'm correctly identified as me in
> > > the "Logged in as" line, but in the "Browse Folders" panel, it just
> > > shows "Error", which is reflected in the logs (appropriate snippet attached).
> > >
> > > If I switch to the old UI, I can browse the folder hierarchy, but I
> > > can only see groups that I have been granted explicit permissions for
> > > (i.e. still not behaving as an admin user).
> > >
> > > Have I misunderstood how this is supposed to work? or am I missing
> > > something obvious (or done something stupid!)?
> > >
> > > Any thoughts, observations, or pointers would be most welcome as I'm
> > > not sure what to try next.
> > >
> > > Cheers,
> > >
> > > Mike
> > >
> > > Michael White
> > > eLearning Liaison and Development (eLD) Information Services S8,
> > > Library University of Stirling Stirling SCOTLAND
> > > FK9 4LA
> > > Email: 
> > >
> > > Tel: +44 (0) 1786 466877
> > > Fax: +44 (0) 1786 466880
> > > http://www.stir.ac.uk/is/staff/about/teams/aldt/#eld
> > >
> > >
> > >
> > > --
> > > The University of Stirling has been ranked in the top 12 of UK
> > > universities for graduate employment*.
> > > 94% of our 2012 graduates were in work and/or further study within six
> > > months of graduation.
> > > *The Telegraph
> > > The University of Stirling is a charity registered in Scotland, number
> > > SC 011159.
> >
> >
> > --
> > The University of Stirling has been ranked in the top 12 of UK universities 
> > for
> > graduate employment*.
> > 94% of our 2012 graduates were in work and/or further study within six
> > months of graduation.
> > *The Telegraph
> > The University of Stirling is a charity registered in Scotland, number SC
> > 011159.


--
Peter St. Onge                           

Information Security Architect                     (416)978-5030
Business Continuity and Communications
Information + Technology Services          University of Toronto