
grouper-users - Re: [grouper-users] vtldapPooling options seem to be ignored.

Subject: Grouper Users - Open Discussion List

  • From: Jeffrey Crawford <>
  • To: Chris Hyzer <>
  • Cc: Gouper Users List <>
  • Subject: Re: [grouper-users] vtldapPooling options seem to be ignored.
  • Date: Thu, 10 Sep 2015 14:04:39 -0700

Attached

Jeffrey E. Crawford
ITS Application Administrator (IdM)
831-459-4365

Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------

On Thu, Sep 10, 2015 at 1:51 PM, Chris Hyzer <> wrote:

Can you send me a sanitized copy of the sources.xml and ldap.properties files?  I think the vtldap properties need to be in an ldap.properties file

 

Thanks

Chris

 

From: Jeffrey Crawford [mailto:]
Sent: Thursday, September 10, 2015 4:48 PM


To: Chris Hyzer
Cc: Gouper Users List
Subject: Re: [grouper-users] vtldapPooling options seem to be ignored.

 

I'm attaching, let me know if you need it another way


Jeffrey E. Crawford
ITS Application Administrator (IdM)
831-459-4365

 

Both pilots and IT professionals require training and currency before charging into clouds!

---------------------------------------

 

On Thu, Sep 10, 2015 at 12:55 PM, Chris Hyzer <> wrote:

Can you please send the full error stack?

 

Thanks,

Chris

 

From: Jeffrey Crawford [mailto:]
Sent: Thursday, September 10, 2015 12:40 PM
To: Chris Hyzer
Cc: Gouper Users List
Subject: Re: [grouper-users] vtldapPooling options seem to be ignored.

 

Ahh okay I have the patch but not the additional config elements, however it still doesn't seem to work (Looks like the work is done on the validator not the pruning).

I also tried adding the following to the ldap.properties file:
edu.vt.middleware.ldap.pool.validatePeriodically = true
edu.vt.middleware.ldap.pool.validateTimerPeriod = 30000

But I get the following error in the log:
No getter method found for edu.vt.middleware.ldap.pool.validatePeriodically


Jeffrey E. Crawford
ITS Application Administrator (IdM)
831-459-4365

 

Both pilots and IT professionals require training and currency before charging into clouds!

---------------------------------------

 

On Thu, Sep 10, 2015 at 7:09 AM, Chris Hyzer <> wrote:

Please make sure you have the latest Grouper 2.2.1 with patches, and see this doc:

 

https://bugs.internet2.edu/jira/browse/GRP-1151

 

Thanks,

Chris

 

From: [mailto:] On Behalf Of Jeffrey Crawford
Sent: Wednesday, September 09, 2015 7:32 PM
To: Gouper Users List
Subject: [grouper-users] vtldapPooling options seem to be ignored.

 

After having trouble with pooled connections, I tried to adjust the parameters by using the options provided by https://code.google.com/p/vt-middleware/wiki/vtldapPooling. I'm pretty sure that at least the sources.xml referencing the ldap.properties file is ignoring those parameters.

I've tried setting edu.vt.middleware.ldap.pool.minPoolSize to "5" but I still only get three connections on startup. I've adjusted the edu.vt.middleware.ldap.pool.pruneTimerPeriod and edu.vt.middleware.ldap.pool.expirationTime but I never see the disconnect at the theoretical maximum of two minutes (expirationTime set to 90 seconds and pruneTimerPeriod to 30).

We have a load balancer sitting between us and the multiple LDAP server backend, however if a connection is open and idle, the LB will drop the connection silently after about three minutes. However the vtldapPool defaults keep the connections open for a lot longer than the LB allows.


Jeffrey

Both pilots and IT professionals require training and currency before charging into clouds!

---------------------------------------

 

 


# This is the configuration file for vt-ldap.
# See http://code.google.com/p/vt-middleware/wiki/vtldapProperties

edu.vt.middleware.ldap.ldapUrl=ldaps://hostname.ucsc.edu
edu.vt.middleware.ldap.searchScope=SUBTREE

# authn if simple
edu.vt.middleware.ldap.bindDn=cn=xxxxxxxxxx,ou=xxxx,dc=xxxx,dc=xxx
edu.vt.middleware.ldap.bindCredential=xxxxxxxxxxxxxxxxxxxxxxxxx

# The bind credential may be external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122
# edu.vt.middleware.ldap.bindCredential=/path/to/ldap.pwd
edu.vt.middleware.ldap.authtype=simple

# encryption
edu.vt.middleware.ldap.ssl=false
edu.vt.middleware.ldap.tls=false

# pooling options
edu.vt.middleware.ldap.pool.minPoolSize=5
edu.vt.middleware.ldap.pool.maxPoolSize=10
edu.vt.middleware.ldap.pool.validatePeriodically=true
edu.vt.middleware.ldap.pool.validateTimerPeriod=30000

vt.middleware.ldap.pagedResultsSize=0

# authn for sasl external (certificates)
# edu.vt.middleware.ldap.authtype=EXTERNAL
# edu.vt.middleware.ldap.tls=true
# edu.vt.middleware.ldap.serviceUser=cn=admin.example.edu
# these to use PEM format cert and key
# pemCaFile=/path/to/ca.pem
# pemCertFile=/path/to/cert.pem
# pemKeyFile=/path/to/key.pem


# The default base DN for searches.
# All subordinate objects will be deleted during tests !
edu.vt.middleware.ldap.baseDn=dc=xxxx,dc=xxx

# The base DN for groups.
edu.internet2.middleware.psp.groupsBaseDn=ou=xxxxxx,dc=xxxx,dc=xxx

# The base DN for people.
edu.internet2.middleware.psp.peopleBaseDn=ou=xxxxxx,dc=xxxx,dc=xxx

# The group object class.
# OpenLDAP, RedHat, 389, ApacheDS, etc.
edu.internet2.middleware.psp.groupObjectClass=groupOfNames
# Active Directory
# edu.internet2.middleware.psp.groupObjectClass=group

# The base Grouper stem to be provisioned.
edu.internet2.middleware.psp.baseStem=xxxx:xxx

# The ldap DN structure may be either flat or bushy.
# In a flat structure all groups are provisioned under a single base DN (container ID).
# A flat group's ldap RDN is its Grouper name or displayName.
# edu.internet2.middleware.psp.structure=flat
# edu.internet2.middleware.psp.cnSourceAttributeID=name

# In a bushy structure groups are provisioned hierarchically, with stems as branches in the tree.
# A bushy group's RDN is its Grouper extension or displayExtension.
edu.internet2.middleware.psp.structure=bushy
edu.internet2.middleware.psp.cnSourceAttributeID=extension

# The QuotedDnResultHandler removes quotes from DNs of the form "CN=quoted/name",DC=edu.
# The FqdnSearchResultHandler makes sure that all ldap dns are fully qualified.
# You may wish to comment out the following property for the Grouper UI or WS.
edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.psp.ldap.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler

# handle Active Directory groups with a large (>1500) number of members
# see https://bugs.internet2.edu/jira/browse/GRP-335
# see http://code.google.com/p/vt-middleware/wiki/vtldapAD#Range_Attributes
# edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.ldappc.util.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler,edu.internet2.middleware.ldappc.util.RangeSearchResultHandler

<?xml version="1.0" encoding="utf-8"?>

<!--
Grouper's subject resolver configuration
$Id: sources.example.xml,v 1.8 2009-08-11 20:18:09 mchyzer Exp $
-->

<sources>

<!-- Group Subject Resolver -->

<!--
You can flag a source as not throwing exception on a findAll (general
search) i.e. if it is
ok if it is down. Generally you probably won't want to do this. It
defaults to true if omitted.

<init-param>
<param-name>throwErrorOnFindAllFailure</param-name>
<param-value>false</param-value>
</init-param>
-->

<!--
You can make virtual attributes (attributes with formatting or based on
other attributes) like this:
init-param name is subjectVirtualAttribute_<index>_<name> where index
is the order to be processed
if some depend on others (0 to 99). The value is the jexl expression
language. You can use subjectUtils
methods (aliased with "subjectUtils", or you can register your own
class (must have default constructor).
Here are examples:

<init-param>
<param-name>subjectVirtualAttribute_0_loginIdLfName</param-name>
<param-value>Hey ${subject.getAttributeValue('LOGINID')} and
${subject.getAttributeValue('LFNAME')}</param-value>
</init-param>
<init-param>
<param-name>subjectVirtualAttribute_1_loginIdLfNameLoginId</param-name>
<param-value>${subject.getAttributeValue('loginIdLfName')} Hey
${subject.getAttributeValue('LOGINID')} and
${subject.getAttributeValue('LFNAME')}</param-value>
</init-param>
<init-param>

<param-name>subjectVirtualAttributeVariable_JDBCSourceAdapterTest</param-name>

<param-value>edu.internet2.middleware.subject.provider.JDBCSourceAdapterTest</param-value>
</init-param>
<init-param>
<param-name>subjectVirtualAttribute_2_loginIdSquared</param-name>

<param-value>${JDBCSourceAdapterTest.appendToSelf(subject.getAttributeValue('LOGINID'))}</param-value>
</init-param>

The first virtual attribute is accessible via:
subject.getAttributeValue("loginIdLfNameLoginId");

you can set these c3p0 settings: maxConnectionAge (seconds),
testConnectionOnCheckout (true|false),
preferredTestQuery (e.g. select 1 from dual), idleConnectionTestPeriod
(seconds)

-->

<!--
NOTE: It is recommended that you **not** change the default
values for this source adapter.
-->
<source
adapterClass="edu.internet2.middleware.grouper.GrouperSourceAdapter">
<id>g:gsa</id>
<name>Grouper: Group Source Adapter</name>
<type>group</type>

<init-param>
<param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>

<param-value>${subject.getAttributeValue('name')},${subject.getAttributeValue('displayName')},${subject.getAttributeValue('alternateName')}</param-value>
</init-param>
<init-param>
<param-name>sortAttribute0</param-name>
<param-value>displayExtension</param-value>
</init-param>
<init-param>
<param-name>searchAttribute0</param-name>
<param-value>searchAttribute0</param-value>
</init-param>
<!-- on a findPage() this is the most results returned -->
<init-param>
<param-name>maxPageSize</param-name>
<param-value>100</param-value>
</init-param>
<internal-attribute>searchAttribute0</internal-attribute>
</source>
<!-- Group Subject Resolver -->

<!--
NOTE: It is recommended that you **not** change the default
values for this source adapter.
-->
<source
adapterClass="edu.internet2.middleware.grouper.entity.EntitySourceAdapter">
<id>grouperEntities</id>
<name>Grouper: Entity Source Adapter</name>
<type>application</type>

<init-param>
<param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>
<!-- TODO add attribute for subject identifier -->

<param-value>${subject.getAttributeValue('name')},${subject.getAttributeValue('displayName')},${subject.getAttributeValue('alternateName')}</param-value>
</init-param>
<init-param>
<param-name>sortAttribute0</param-name>
<param-value>name</param-value>
</init-param>
<init-param>
<param-name>searchAttribute0</param-name>
<param-value>searchAttribute0</param-value>
</init-param>
<internal-attribute>searchAttribute0</internal-attribute>
</source>

<source
adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">
<id>ucscidm</id>
<name>UCSC CruzID</name>
<type>person</type>

<!-- Note that most of the ldap configuration is in the properties file.
The filename can be a file in your classpath or an absolute
pathname. -->
<init-param>
<param-name>ldapProperties_file</param-name>
<param-value>ldap.properties</param-value>
</init-param>
<init-param>
<param-name>VTLDAP_VALIDATOR</param-name>
<param-value>CompareLdapValidator</param-value>
</init-param>
<init-param>
<param-name>VTLDAP_VALIDATOR_COMPARE_DN</param-name>
<param-value>ou=xxxxxx,dc=xxxx,dc=xxx</param-value>
</init-param>
<init-param>
<param-name>VTLDAP_VALIDATOR_COMPARE_SEARCH_FILTER_STRING</param-name>
<param-value>ou=xxxxxx</param-value>
</init-param>
<!--
<init-param>
<param-name>INITIAL_CONTEXT_FACTORY</param-name>
<param-value>com.sun.jndi.ldap.LdapCtxFactory</param-value>
</init-param>
<init-param>
<param-name>PROVIDER_URL</param-name>
<param-value>ldaps://xxxxxxxxx.xxxx.xxx:636</param-value>
</init-param>
<init-param>
<param-name>SECURITY_AUTHENTICATION</param-name>
<param-value>simple</param-value>
</init-param>
<init-param>
<param-name>SECURITY_PRINCIPAL</param-name>
<param-value>cn=xxxxxxxxxx,ou=xxxx,dc=xxxx,dc=xxx</param-value>
</init-param>
<init-param>
<param-name>SECURITY_CREDENTIALS</param-name>
<param-value>xxxxxxxxxxxxxxxxxxxxxxxxx</param-value>
</init-param>
-->

<init-param>
<param-name>Multiple_Results</param-name>
<param-value>false</param-value>
</init-param>

<init-param>
<param-name>sortAttribute0</param-name>
<param-value>cn</param-value>
</init-param>
<init-param>
<param-name>searchAttribute0</param-name>
<param-value>cn</param-value>
</init-param>

<init-param>
<param-name>SubjectID_AttributeType</param-name>
<param-value>xxxxxxxxxxGuID</param-value>
</init-param>
<init-param>
<param-name>SubjectID_formatToLowerCase</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>Name_AttributeType</param-name>
<param-value>uid</param-value>
</init-param>
<init-param>
<param-name>Description_AttributeType</param-name>
<param-value>cn</param-value>
</init-param>

<search>
<searchType>searchSubject</searchType>
<param>
<param-name>filter</param-name>
<param-value>
(&amp;(xxxxxxxxxxGuID=%TERM%)(objectclass=xxxxxxxxxx))
</param-value>
</param>
<param>
<param-name>scope</param-name>
<param-value>SUBTREE_SCOPE</param-value>
</param>
<param>
<param-name>base</param-name>
<param-value>ou=xxxxxx,dc=xxxx,dc=xxx</param-value>
</param>

</search>
<search>
<searchType>searchSubjectByIdentifier</searchType>
<param>
<param-name>filter</param-name>
<param-value>
(&amp;(uid=%TERM%)(objectclass=person))
</param-value>
</param>
<param>
<param-name>scope</param-name>
<param-value>SUBTREE_SCOPE</param-value>
</param>
<param>
<param-name>base</param-name>
<param-value>ou=xxxxxx,dc=xxxx,dc=xxx</param-value>
</param>
</search>

<!-- use the firstlastfilter to allow: last, first lookup -->
<search>
<searchType>search</searchType>
<param>
<param-name>filter</param-name>
<param-value>

(&amp;(|(|(uid=%TERM%)(cn=*%TERM%*))(xxxxxxxxxxGuid=%TERM%))(objectclass=xxxxxxxxxx))
</param-value>
</param>
<param>
<param-name>firstlastfilter</param-name>
<param-value>
(&amp;(sn=%TERM%)(objectclass=person))
</param-value>
</param>
<param>
<param-name>scope</param-name>
<param-value>SUBTREE_SCOPE</param-value>
</param>
<param>
<param-name>base</param-name>
<param-value>ou=xxxxxx,dc=xxxx,dc=xxx</param-value>
</param>
</search>
<init-param>
<param-name>subjectVirtualAttribute_0_searchAttribute0</param-name>

<param-value>${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('xxxxxxxxxxGuID'), "")}</param-value>
</init-param>
<init-param>
<param-name>sortAttribute0</param-name>
<param-value>cn</param-value>
</init-param>
<init-param>
<param-name>searchAttribute0</param-name>
<param-value>searchAttribute0</param-value>
</init-param>
<internal-attribute>searchAttribute0</internal-attribute>
<!-- Attributes you would like to display when doing a search -->
<attribute>uid</attribute>
<attribute>cn</attribute>
<attribute>displayName</attribute>
<attribute>eduPersonPrimaryAffiliation</attribute>
<attribute>xxxxxxxxxxGuID</attribute>

</source>

</sources>
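
The idle-lifetime arithmetic from the original post (expirationTime plus pruneTimerPeriod against the load balancer's roughly three-minute idle cutoff), together with checks for two oddities in the attached ldap.properties, as an added example that is not part of the thread or of Grouper or vt-ldap. The function names, the millisecond unit for the timer values and the 180-second cutoff are assumptions.

```python
PREFIX = "edu.vt.middleware.ldap."
POOL = PREFIX + "pool."

# Excerpt of the attached ldap.properties, as it appears on this page.
ATTACHED = """\
# The bind credential may be external and encrypted:
https://bugs.internet2.edu/jira/browse/GRP-122
edu.vt.middleware.ldap.pool.minPoolSize=5
edu.vt.middleware.ldap.pool.validatePeriodically=true
edu.vt.middleware.ldap.pool.validateTimerPeriod=30000
vt.middleware.ldap.pagedResultsSize=0
"""
# Constructed variant: the 90 s / 30 s values from the original post, in ms.
TUNED = """\
edu.vt.middleware.ldap.pool.minPoolSize=5
edu.vt.middleware.ldap.pool.expirationTime=90000
edu.vt.middleware.ldap.pool.pruneTimerPeriod=30000
"""

def parse_properties(text):
    """Split simple key=value lines; return (props, stray non-comment lines)."""
    props, stray = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" not in line:
            stray.append(line)  # e.g. a comment whose wrapped tail lost its '#'
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props, stray

def lint(text, lb_idle_timeout_s):
    """Return findings for a vt-ldap properties file behind an idle-dropping LB."""
    props, stray = parse_properties(text)
    findings = [f"stray line outside a comment: {s}" for s in stray]
    for key in props:
        if "vt.middleware.ldap." in key and not key.startswith(PREFIX):
            findings.append(f"key lacks the '{PREFIX}' prefix: {key}")
    expire, prune = props.get(POOL + "expirationTime"), props.get(POOL + "pruneTimerPeriod")
    if expire is None or prune is None:
        findings.append("expirationTime/pruneTimerPeriod unset: pool defaults apply")
    else:
        worst_s = (int(expire) + int(prune)) // 1000  # assumption: values are ms
        if worst_s >= lb_idle_timeout_s:
            findings.append(f"idle connection may live {worst_s}s; LB drops at {lb_idle_timeout_s}s")
    return findings

if __name__ == "__main__":
    for name, text in (("attached", ATTACHED), ("tuned", TUNED)):
        print(name, lint(text, lb_idle_timeout_s=180))
```

The check only reads the file; whether the running pool honours the values still has to be confirmed from the connection behaviour the thread describes.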



