
grouper-users - Re: [grouper-users] loading nested groups from an LDAP source

Subject: Grouper Users - Open Discussion List

  • From: Rob Gorrell <>
  • To: "Hyzer, Chris" <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] loading nested groups from an LDAP source
  • Date: Thu, 4 Aug 2016 11:50:59 -0400

Excellent Chris, thank you, this is working flawlessly... I'm now loading AD groups of groups inside grouper preserving the "nesting".

I'm trying to understand in English terms why this was a customization, and I guess it has to do with my lack of understanding of the LDAP subject expression attribute. Normally, I was using loaderLdapElUtils.convertDnToSpecificValue(subjectId)... which I guess took the user object's LDAP DN and matched it to a subjectID. But the part that doesn't make sense to me is that our users' subjectIDs are Unix UIDs... not usernames or DNs. So why were we mapping users OK based on DNs but not groups?

I'm just trying to understand why this customization that you so wonderfully wrote for me was needed in the first place (but I am still very thankful that it works). Could I have named/loaded/etc my groups differently where such a customization wouldn't have been needed to load groups of groups?

-Rob



On Thu, Aug 4, 2016 at 8:55 AM, Hyzer, Chris <> wrote:

Rob, my email got rejected due to attachment, but it's attached to confluence and jira below

 

From: Hyzer, Chris
Sent: Wednesday, August 03, 2016 8:15 PM
To: 'Rob Gorrell' <>;
Subject: RE: [grouper-users] loading nested groups from an LDAP source

 

An example is done:

 

https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader+LDAP#Grouper-LoaderLDAP-ExampleofconvertingDNtosubjectIdorGroupname(institutionspecific)

 

https://bugs.internet2.edu/jira/browse/GRP-1354

 

There is a jar attached inside the zip in this email

 

Add the ldapGroupUserConverter.jar to the classpath (e.g. to lib/custom)

 

In the grouper-loader.properties, add the class

 

loader.ldap.el.classes = ldapGroupUserConverter.LdapGroupUserConverter

 

Set the Grouper loader LDAP subject expression attribute to ${ldapGroupUserConverter.convertDntoSubjectIdOrIdentifier(subjectId)}

 

Unset the subject source id

 

If the subjectId is a subjectId, then make sure Grouper loader LDAP subject ID type is "subjectIdOrIdentifier".  If it is a subjectIdentifier (more common), then you can set it as subjectIdentifier.

 

Log the conversions with this in log4j.properties

 

log4j.logger.ldapGroupUserConverter.LdapGroupUserConverter = DEBUG

 

Let me know how it goes!  :)

 

Thanks

Chris

 

From: [] On Behalf Of Rob Gorrell
Sent: Monday, July 25, 2016 9:46 AM
To:
Subject: [grouper-users] loading nested groups from an LDAP source

 

I currently have an LDAP_GROUP_LIST loader job pulling groups from an Active Directory source. In AD, we use a lot of group nesting (group of groups). When the loader job executes, it only loads those *user* objects with direct memberships to each group skipping over any *group* objects that are also direct members. What I would like it to do is resolve each group member in Grouper's internal source so that the group nesting copies over to grouper. Grouper has all these groups, but apparently the memberships aren't being resolved as it would seem the only subject source being used is my one that contains people (uncg-person).

-Rob


--

Robert W. Gorrell
Systems Architect, Identity and Access Management

University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA




--
Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA


