
grouper-users - Re: [grouper-users] LDAP url and search base value

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] LDAP url and search base value


  • From: "Bee-Lindgren, Bert" <>
  • To: Marwan Shaher <>, "" <>
  • Subject: Re: [grouper-users] LDAP url and search base value
  • Date: Fri, 28 Oct 2016 18:42:24 +0000
  • Accept-language: en-US

Hello,


It must be Ldaptive that is combining the two base DNs when they're specified in two places (URL & pspng config items).


Everything works with an ldap url that does not include any base_dn information, including not having the trailing / :

ldaps://ldapserver.school.edu:636 


If you'd like to continue with base-dn information in the URL[1], I'll patch PSPNG to interpret something like "group/subject basedn=/" to do the right thing.

Sincerely,
  Bert Bee-Lindgren

[1] This might be useful to share ldap-pool configuration with other components that need the base-dn specified in the url, or in order to use property overlays to more easily have different base-dns for different prod/test/dev environments.



From: <> on behalf of Marwan Shaher <>
Sent: Friday, October 28, 2016 2:01 PM
To:
Subject: [grouper-users] LDAP url and search base value
 
Hello all,
We are in the process of testing PSPNG functionality with Active
Directory. I'll probably send another email later today or early next
week with some of the issues that we encountered. On a somewhat related
note, we are noticing an odd behavior with ldap urls and we are not sure
if this is caused by Grouper, the underlying ldap framework (ldaptive or
vt-ldap), the AD/ldap servers or all or few of the above.
Most of the documentation on the Grouper wiki relating to LDAP specifies
the url as follows:
ldaps://ldapserver.school.edu:636/dc=school,dc=edu
In our AD dev environment, this is
ldaps://div.colorado.edu:636/DC=DIV,DC=COLORADO,DC=EDU (capitalized
here just for clarity)

For group or subjects baseDn's (ldap.properties, PSPNG, ldap loader), it
is also assumed to have the full base dn (e.g:
ou=someOU,dc=school,dc=edu). However, the values specified for the group
or subject baseDN's get always appended with the baseDN value specified
in the server url.
e.g:
group/subject baseDN : ou=someOU,dc=div,dc=colorado,dc=edu
LDAP url: ldaps://div.colorado.edu:636/dc=div,dc=colorado,dc=edu
then we see that searches for group/subject are done at
ou=someOU,dc=div,dc=colorado,dc=edu,DC=DIV,DC=COLORADO,DC=EDU.
So, we either have to
- specify the group/subject baseDN relative to the baseDN in the url.
This may not always work, especially in cases where the whole directory
tree needs to be specified for groups/subject (i.e., if the groups and
subjects are not contained in one OU)

- specify the LDAP url without the search baseDN part (i.e.,
ldaps://ldapserver.school.edu:636/ ). This may not always be an option
if the baseDN MUST be provided and can not be null. The PSPNG
configuration allows for the baseDN to be omitted from the url.

This hasn't been an issue for us so far since we specify the global
catalog port for AD (3269) in ldap.properties, and because we provision
to AD via a connector that reads from a message bus. We do not specify a
search base in the url which allows us to specify "dc=colorado,dc=edu"
as for group/subject baseDN's. However, because the global catalog is
read-only, it can't be used for provisioning via PSPNG.

Has anyone run into this issue? Or is everyone using the full baseDN's
for the url and groups/subjects and this is something unique to our
environment?

Thanks,

Marwan Shaher
University of Colorado Boulder
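The behaviour described in this thread (a base DN in the LDAP URL being appended to the separately configured group/subject base DN) can be reproduced and checked offline. The following is an added example, not code from Grouper, PSPNG or Ldaptive: it parses the DN component of an LDAP URL, models the observed concatenation (an assumption about what the library does, used only to show the effect), and flags the case where the configured base DN already contains the URL's DN. The `normalize_dn` helper is a simplification that ignores escaped commas in RDN values.

```python
from urllib.parse import urlsplit, unquote


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL (RFC 4516 shape: scheme://host:port/dn?attrs?scope?filter)
    into the pieces relevant here: scheme, host, port and the base DN path."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    # The path after the first '/' is the DN; an empty path or a bare '/' means no DN.
    dn = unquote(parts.path.lstrip("/"))
    return {"scheme": parts.scheme, "host": parts.hostname, "port": parts.port, "dn": dn}


def normalize_dn(dn: str) -> str:
    """Lower-case and strip each RDN so DNs can be compared case-insensitively
    (attribute types and AD-style DC values are case-insensitive).
    Simplification: does not handle commas escaped inside RDN values."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(",") if rdn.strip())


def effective_search_base(url: str, configured_base: str) -> str:
    """Model of the behaviour reported on the thread (assumption, not library code):
    the configured group/subject base DN is appended with the DN from the URL."""
    url_dn = parse_ldap_url(url)["dn"]
    if not url_dn:
        return configured_base          # URL without a DN: configured base used as-is
    if not configured_base:
        return url_dn                   # nothing configured: URL DN alone
    return f"{configured_base},{url_dn}"


def check_base_dn_config(url: str, configured_base: str) -> list:
    """Return findings (empty list = consistent). A finding is raised when the URL
    carries a DN and the configured base DN already ends with that DN, which under the
    modelled behaviour would double the suffix and break searches."""
    findings = []
    url_dn = parse_ldap_url(url)["dn"]
    if url_dn and configured_base:
        nb, nu = normalize_dn(configured_base), normalize_dn(url_dn)
        if nb == nu or nb.endswith("," + nu):
            findings.append(
                "configured base DN already contains the URL base DN; "
                "effective search base would be: " + effective_search_base(url, configured_base)
            )
    return findings


if __name__ == "__main__":
    # Constructed values taken from the thread's examples.
    url_with_dn = "ldaps://div.colorado.edu:636/DC=DIV,DC=COLORADO,DC=EDU"
    url_without_dn = "ldaps://ldapserver.school.edu:636"
    base = "ou=someOU,dc=div,dc=colorado,dc=edu"
    print(effective_search_base(url_with_dn, base))      # doubled suffix
    print(check_base_dn_config(url_with_dn, base))       # one finding
    print(effective_search_base(url_without_dn, base))   # base unchanged
    print(check_base_dn_config(url_without_dn, base))    # []
```

Running it against the thread's values shows the doubled suffix for the URL that carries a DN and an unchanged base when the URL is given without one (with or without the trailing slash), which is the configuration Bert recommends above.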


