grouper-users - RE: [grouper-users] loading nested groups from an LDAP source

Subject: Grouper Users - Open Discussion List

RE: [grouper-users] loading nested groups from an LDAP source


  • From: "Hyzer, Chris" <>
  • To: Rob Gorrell <>
  • Subject: RE: [grouper-users] loading nested groups from an LDAP source
  • Date: Thu, 4 Aug 2016 16:37:20 +0000

Glad it worked.

 

Here's my test case:

 

    String subjectId = convertDntoSubjectIdOrIdentifier("CN=JNWHITWO,OU=Users,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu");

    if (!"jnwhitwo".equals(subjectId)) {
      throw new RuntimeException("Expecting jnwhitwo but got: '" + subjectId + "'");
    }

    subjectId = convertDntoSubjectIdOrIdentifier("CN=ITS-23101-SYN-Identity_Architecture,OU=Groups,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu");

    if (!"uncg:facstaff:ITS-23101:ITS-23101-SYN-Identity_Architecture".equals(subjectId)) {
      throw new RuntimeException("Expecting uncg:facstaff:ITS-23101:ITS-23101-SYN-Identity_Architecture but got: '" + subjectId + "'");
    }

    System.out.println("Success");

 

For people:

CN=JNWHITWO,OU=Users,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu

Needs to be converted to

jnwhitwo

That is what the loaderLdapElUtils.convertDnToSpecificValue(subjectId) does.

For groups:

CN=ITS-23101-SYN-Identity_Architecture,OU=Groups,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu

Needs to be converted to:

uncg:facstaff:ITS-23101:ITS-23101-SYN-Identity_Architecture

As you can see that is not as straightforward.  I think flat vs bushy for ldap groups could be a factor.  In fact, you might want to look at the attached source and make sure it works for you, i.e. are those two test cases sufficient?  :)

 

Thanks

Chris

PS. Well, attachments might not work, so here it is inline:

/**
 * @author mchyzer
 * $Id$
 */
package ldapGroupUserConverter;

import java.util.ArrayList;
import java.util.List;

import org.apache.log4j.Logger;

/**
 * Convert a DN to a subjectId if it's a person or to a groupName in Grouper if a group
 */
public class LdapGroupUserConverter {

  /**
   *
   */
  public LdapGroupUserConverter() {
  }

  /**
   * @param args
   */
  public static void main(String[] args) {

    String equalsValuePart = equalsValuePart("CN=ABCDEF");

    if (!"ABCDEF".equals(equalsValuePart)) {
      throw new RuntimeException("Expecting ABCDEF as the equals value part but got: '" + equalsValuePart + "'");
    }

    String subjectId = convertDntoSubjectIdOrIdentifier("CN=JNWHITWO,OU=Users,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu");

    if (!"jnwhitwo".equals(subjectId)) {
      throw new RuntimeException("Expecting jnwhitwo but got: '" + subjectId + "'");
    }

    subjectId = convertDntoSubjectIdOrIdentifier("CN=ITS-23101-SYN-Identity_Architecture,OU=Groups,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu");

    if (!"uncg:facstaff:ITS-23101:ITS-23101-SYN-Identity_Architecture".equals(subjectId)) {
      throw new RuntimeException("Expecting uncg:facstaff:ITS-23101:ITS-23101-SYN-Identity_Architecture but got: '" + subjectId + "'");
    }

    System.out.println("Success");
  }

  /** logger */
  final static Logger LOG = Logger.getLogger(LdapGroupUserConverter.class);

  /**
   * convert dn to subject identifier or group name, log the result
   * @param dn
   * @return the subject identifier or group name
   */
  public static String convertDntoSubjectIdOrIdentifier(String dn) {
    String result = convertDntoSubjectIdOrIdentifierHelper(dn);
    LOG.debug("Converting dn '" + dn + "' to: '" + result + "'");
    return result;
  }

  /**
   * convert dn to subject identifier or group name; the dn is returned unchanged
   * if it matches neither the person layout nor the group layout
   * @param dn
   * @return the subject identifier or group name
   */
  private static String convertDntoSubjectIdOrIdentifierHelper(String dn) {

    if (dn == null || "".equals(dn.trim())) {
      return dn;
    }
    // note: a plain split on "," does not honor an RDN value that contains an escaped comma ("\,")
    String[] partsArray = dn.split(",");

    List<String> partsList = new ArrayList<String>();

    for (String string : partsArray) {
      partsList.add(string);
    }

    //get a user: CN=JNWHITWO,OU=Users
    if (partsList.size() >= 2 && "OU=Users".equals(partsList.get(1))) {
      String firstPart = partsList.get(0);
      if (firstPart != null && firstPart.startsWith("CN=")) {
        return equalsValuePart(firstPart).toLowerCase();
      }
    }

    //get a group:
    // From:  CN=ITS-23101-SYN-Identity_Architecture,OU=Groups,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu
    //
    //CN=ITS-23101-SYN-Identity_Architecture,
    //OU=Groups,
    //OU=ITS-23101,
    //OU=UNIT-InformationTechnologyServices-2D031,
    //OU=COLL-InformationTechnologyServices-02C01,
    //OU=DIV-InformationTechnologyServices-DIV02,
    //OU=FACSTAFF,
    //DC=campus,
    //DC=uncg,
    //DC=edu
    //
    // To:    uncg:facstaff:ITS-23101:ITS-23101-SYN-Identity_Architecture
    if (partsList.size() >= 2 && "OU=Groups".equals(partsList.get(1))) {

      StringBuilder groupName = new StringBuilder();
      groupName.insert(0, equalsValuePart(partsList.get(0)));
      groupName.insert(0, ":");

      //remove extension
      partsList.remove(0);

      //remove ou=groups
      partsList.remove(0);

      //the OU directly under ou=groups (ITS-23101) becomes the next-to-last folder
      if (partsList.size() > 0) {
        groupName.insert(0, equalsValuePart(partsList.get(0)));
        groupName.insert(0, ":");
        partsList.remove(0);
      }

      //go until facstaff (the OU right before DC=campus); stop when the DN runs out
      //rather than calling remove(0) on an empty list
      while (partsList.size() >= 2) {
        if (partsList.get(1) != null && "dc=campus".equals(partsList.get(1).toLowerCase())) {
          groupName.insert(0, equalsValuePart(partsList.get(0)).toLowerCase());
          groupName.insert(0, ":");
          partsList.remove(0);
          break;
        }
        partsList.remove(0);
      }

      if (partsList.size() > 2) {
        //get rid of campus
        partsList.remove(0);

        //we are left with uncg
        groupName.insert(0, equalsValuePart(partsList.get(0)).toLowerCase());

        return groupName.toString();
      }

    }

    return dn;
  }

  /**
   * convert AB=whatever  to   whatever
   * @param string
   * @return the "whatever" value
   */
  public static String equalsValuePart(String string) {

    if (string == null) {
      return string;
    }

    int equalsIndex = string.indexOf('=');

    if (equalsIndex < 0) {
      return string;
    }

    return string.substring(equalsIndex + 1);
  }

}
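The same conversion, written as an added example (not Chris's code and not part of Grouper) on top of the JDK's javax.naming.ldap.LdapName, which parses RFC 2253 escaping so an RDN value containing an escaped comma is not split in two, and which lets attribute types and the OU=Users / OU=Groups markers be matched case-insensitively as LDAP does. It assumes the same OU=Users / OU=Groups / DC=campus layout as the thread; a DN that fits neither pattern returns null here instead of the raw DN, which is a choice made in this example, not Grouper's behaviour.

```java
package ldapGroupUserConverter;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
public class LdapNameConverter {
  /** Lower-cased subject id for a person, Grouper group name for a group, null if neither. */
  public static String convert(String dn) throws InvalidNameException {
    // LdapName orders RDNs right to left: index 0 is the last DC, the last index is the CN.
    List<Rdn> rdns = new LdapName(dn).getRdns();
    int last = rdns.size() - 1;
    if (last < 1 || !"CN".equalsIgnoreCase(rdns.get(last).getType())) {
      return null;
    }
    // getValue() is the unescaped value, so "CN=Doe\, Jane" yields "Doe, Jane"
    String cn = String.valueOf(rdns.get(last).getValue());
    if (isOu(rdns.get(last - 1), "Users")) {
      return cn.toLowerCase();
    }
    if (!isOu(rdns.get(last - 1), "Groups")) {
      return null;
    }
    // Group name: <DC right of campus>:<OU left of campus>:<OU under Groups>:<CN>
    int campus = -1;
    for (int i = 0; i < last - 1; i++) {
      Rdn r = rdns.get(i);
      if ("DC".equalsIgnoreCase(r.getType()) && "campus".equalsIgnoreCase(String.valueOf(r.getValue()))) {
        campus = i;
        break;
      }
    }
    // A DN whose layout does not fit is rejected instead of throwing IndexOutOfBounds
    if (campus < 1 || campus + 1 >= last - 2) {
      return null;
    }
    String org = String.valueOf(rdns.get(campus - 1).getValue()).toLowerCase();
    String top = String.valueOf(rdns.get(campus + 1).getValue()).toLowerCase();
    String dept = String.valueOf(rdns.get(last - 2).getValue());
    return org + ":" + top + ":" + dept + ":" + cn;
  }
  private static boolean isOu(Rdn rdn, String value) {
    return "OU".equalsIgnoreCase(rdn.getType()) && value.equalsIgnoreCase(String.valueOf(rdn.getValue()));
  }
  public static void main(String[] args) throws InvalidNameException {
    // Constructed inputs: an escaped comma that dn.split(",") would cut in two, and a group DN in the thread's layout
    System.out.println(convert("CN=Doe\\, Jane,OU=Users,OU=ITS-23101,DC=campus,DC=uncg,DC=edu"));
    System.out.println(convert("CN=ITS-23101-SYN-Identity_Architecture,OU=Groups,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu"));
  }
}
```

The first call yields "doe, jane" and the second "uncg:facstaff:ITS-23101:ITS-23101-SYN-Identity_Architecture"; the loader's EL call would be ${ldapNameConverter.convert(subjectId)} if this class were registered under that name in loader.ldap.el.classes.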

 

 

 

 

 

 

 

 

From: Rob Gorrell [mailto:]
Sent: Thursday, August 04, 2016 11:51 AM
To: Hyzer, Chris <>
Cc:
Subject: Re: [grouper-users] loading nested groups from an LDAP source

 

Excellent Chris, thank you, this is working flawlessly... I'm now loading AD groups of groups inside grouper preserving the "nesting".

I'm trying to understand in English terms why this was a customization, and I guess it has to do with my lack of understanding of the LDAP subject expression attribute. Normally, I was using loaderLdapElUtils.convertDnToSpecificValue(subjectId)... which I guess took the user object's LDAP DN and matched it to a subjectID. But the part that doesn't make sense to me is that our users' subjectIDs are Unix UIDs... not usernames or DNs. So why were we mapping users OK based on DNs but not groups?

I'm just trying to understand why this customization that you so wonderfully wrote for me was needed in the first place (but I am still very thankful that it works). Could I have named/loaded/etc. my groups differently where such a customization wouldn't have been needed to load groups of groups?

-Rob

 

 

On Thu, Aug 4, 2016 at 8:55 AM, Hyzer, Chris <> wrote:

Rob, my email got rejected due to the attachment, but it's attached to Confluence and Jira below

 

From: Hyzer, Chris
Sent: Wednesday, August 03, 2016 8:15 PM
To: 'Rob Gorrell' <>;
Subject: RE: [grouper-users] loading nested groups from an LDAP source

 

An example is done:

 

https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader+LDAP#Grouper-LoaderLDAP-ExampleofconvertingDNtosubjectIdorGroupname(institutionspecific)

 

https://bugs.internet2.edu/jira/browse/GRP-1354

 

There is a jar attached inside the zip in this email

 

Add the ldapGroupUserConverter.jar to the classpath (e.g. to lib/custom)

 

In the grouper-loader.properties, add the class

 

loader.ldap.el.classes = ldapGroupUserConverter.LdapGroupUserConverter

 

Set the Grouper loader LDAP subject expression attribute to     ${ldapGroupUserConverter.convertDntoSubjectIdOrIdentifier(subjectId)}

 

Unset the subject source id

 

If the subjectId is a subjectId, then make sure Grouper loader LDAP subject ID type is "subjectIdOrIdentifier".  If it is a subjectIdentifier (more common), then you can set it as subjectIdentifier.

 

Log the conversions with this in log4j.properties

 

log4j.logger.ldapGroupUserConverter.LdapGroupUserConverter = DEBUG

 

Let me know how it goes!  :)

 

Thanks

Chris

 

From: [] On Behalf Of Rob Gorrell
Sent: Monday, July 25, 2016 9:46 AM
To:
Subject: [grouper-users] loading nested groups from an LDAP source

 

I currently have an LDAP_GROUP_LIST loader job pulling groups from an Active Directory source. In AD, we use a lot of group nesting (group of groups). When the loader job executes, it only loads those *user* objects with direct memberships to each group skipping over any *group* objects that are also direct members. What I would like it to do is resolve each group member in Grouper's internal source so that the group nesting copies over to grouper. Grouper has all these groups, but apparently the memberships aren't being resolved as it would seem the only subject source being used is my one that contains people (uncg-person).

-Rob


--

Robert W. Gorrell
Systems Architect, Identity and Access Management

University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA







