grouper-users - [grouper-users] LDAP url and search base value
Subject: Grouper Users - Open Discussion List
List archive
- From: Marwan Shaher <>
- To: "" <>
- Subject: [grouper-users] LDAP url and search base value
- Date: Fri, 28 Oct 2016 12:01:05 -0600
- Ironport-phdr: 9a23:fvonXhOl+VvSW3hPi10l6mtUPXoX/o7sNwtQ0KIMzox0KPX+rarrMEGX3/hxlliBBdydsKMezbWN+Pm5ACQp2tWoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6kO74TNaIBjjLw09fr2zQd+IyZvsnLnrotX6WEZhvHKFe7R8LRG7/036l/I9ps9cEJs30QbDuXBSeu5blitCLFOXmAvgtI/rpMYwuxJ54K16spYcGeWnJ+VrBYBfWX4pKWco/MDx8ATYQBGUznoaTmgMlBdUWU7I4AywFsP+qCznrudnnTSBMNftZbEyRTm46ap3ElnlhDpRZBAj92SCr8Vqk6td6Cmhrhxy2caAZYiPK/N4OLjddNMXX0JqWcJWTSVNBcWRQ7ZZXLlJBvpRs4So/whGlhC5HwT5Wbvi
Hello all,
We are in the process of testing PSPNG functionality with active directory. I'll probably send another email later today or early next week with some of the issues that we encountered. On a somewhat related note, we are noticing an odd behavior with ldap urls and we are not sure if this is caused by Grouper, the underlying ldap framework (ldaptive or vt-ldap), the AD/ldap servers or all or few of the above.
Most of the documentation on the Grouper wiki relating to LDAP specifies the url as follows:
ldaps://ldapserver.school.edu:636/dc=school,dc=edu
in our AD dev environment, this is
ldaps://div.colorado.edu:636/DC=DIV,DC=COLORADO,DC=EDU (capitalized here just for clarity)
For group or subjects baseDn's (ldap.properties, PSPNG, ldap loader), it is also assumed to have the full base dn (e.g: ou=someOU,dc=school,dc=edu). However, the values specified for the group or subject baseDN's get always appended with the baseDN value specified in the server url.
e.g:
group/subject baseDN : ou=someOU,dc=div,dc=colorado,dc=edu
LDAP url: ldaps://div.colorado.edu:636/dc=div,dc=colorado,dc=edu
then we see that searches for group/subject are done at the ou=someOU,dc=div,dc=colorado,dc=edu,DC=DIV,DC=COLORADO,DC=EDU .
So, we either have to
- specify the group/subject baseDN relative to the baseDN in the url . This may not always work, especially in cases where the whole directory tree needs to be specified for groups/subject (ie, if the groups and subjects are not contained in one OU)
- specify the LDAP url without the search baseDN part (ie, ldaps://ldapserver.school.edu:636/ ). This may not always be an option if the baseDN MUST be provided and can not be null. The PSPNG configuration allows for the baseDN to be omitted from the url.
This hasn't been an issue for us so far since we specify the global catalog port for AD (3269) in ldap.properties, and because we provision to AD via a connector that reads from a message bus. We do not specify a search base in the url which allows us to specify "dc=colorado,dc=edu" as for group/subject baseDN's. However, because the global catalog is read-only, it can't be used for provisioning via PSPNG.
Has anyone run into this issue? Or is everyone using the full baseDN's for the url and groups/subjects and this is something unique to our environment?
Thanks,
Marwan Shaher
University of Colorado Boulder
- [grouper-users] LDAP url and search base value, Marwan Shaher, 10/28/2016
- Re: [grouper-users] LDAP url and search base value, Bee-Lindgren, Bert, 10/28/2016
- Re: [grouper-users] LDAP url and search base value, Marwan Shaher, 10/28/2016
- Re: [grouper-users] LDAP url and search base value, Bee-Lindgren, Bert, 10/28/2016
Archive powered by MHonArc 2.6.19.