Grouper Users - Open Discussion List

[Marwan Shaher <>]

Thanks, Bert. It's not a big deal for us right now since we are omitting 
the base DN from the URL and specifying it in the pspng config items. It 
allows us to specify the domain component for the subject baseDN since 
we have service accounts outside of the people ou. I don't think it's 
worth a PSPNG patch, at least not in the short term, unless there is a 
need to utilize the property overlays option that you suggested.

Thanks,

Marwan

On 10/28/2016 12:42 PM, Bee-Lindgren, Bert wrote:
> Hello,
>
>
> It must be Ldaptive that is combining the two base DNs when they're
> specified in two places (URL & pspng config items).
>
>
> Everything works with an ldap url that does not include any base_dn
> information, including not having the trailing / :
>
> ldaps://ldapserver.school.edu:636
>
>
> If you'd like to continue with base-dn information in the URL[1], I'll
> patch PSPNG to interpret something like "group/subject basedn=/" to do
> the right thing.
>
> Sincerely,
>   Bert Bee-Lindgren
>
> [1]-This might be useful to share ldap-pool configuration with other
> components that need the the base-dn specified in the url, or in order
> to use property overlays to more easily have different base-dns for
> different prod/test/dev environments.
>
>
> ------------------------------------------------------------------------
> *From:* 
>
> <>
>  on behalf of Marwan Shaher
> <>
> *Sent:* Friday, October 28, 2016 2:01 PM
> *To:* 
>
> *Subject:* [grouper-users] LDAP url and search base value
>
> Hello all,
> We are in the process of testing PSPNG functionality with active
> directory. I'll probably send another email later today or early next
> week with some of the issues that we encountered. On a somewhat related
> note, we are noticing an odd behavior with ldap urls and we are not sure
> if this is caused by Grouper, the underlying ldap framework (ldaptive or
> vt-ldap), the AD/ldap servers or all or few of the above.
> Most of the documentation on the Grouper wiki relating to LDAP specifies
> the url as follows:
> ldaps://ldapserver.school.edu:636/dc=school,dc=edu
> in our AD dev environment, this is
> ldaps://div.colorado.edu:636/DC=DIV,DC=COLORADO,DC=EDU  (capitalized
> here just for clarity)
>
> For group or subjects baseDn's (ldap.properties, PSPNG, ldap loader), it
> is also assumed to have the full base dn (e.g:
> ou=someOU,dc=school,dc=edu). However, the values specified for the group
> or subject baseDN's get always appended with the baseDN value specified
> in the server url.
> e.g:
> group/subject baseDN : ou=someOU,dc=div,dc=colorado,dc=edu
> LDAP url: ldaps://div.colorado.edu:636/dc=div,dc=colorado,dc=edu
> then we see that searches for group/subject are done at the
> ou=someOU,dc=div,dc=colorado,dc=edu,DC=DIV,DC=COLORADO,DC=EDU .
> So, we either have to
> - specify the group/subject baseDN relative to the baseDN in the url .
> This may not always work, especially in cases where the whole directory
> tree needs to be specified for groups/subject (ie, if the groups and
> subjects are not contained in one OU)
>
> - specify the LDAP url without the search baseDN part (ie,
> ldaps://ldapserver.school.edu:636/ ). This may not always be an option
> if the baseDN MUST be provided and can not be null. The PSPNG
> configuration allows for the baseDN to be omitted from the url.
>
> This hasn't been an issue for us so far since we specify the global
> catalog port for AD (3269) in ldap.properties, and because we provision
> to AD via a connector that reads from a message bus. We do not specify a
> search base in the url which allows us to specify "dc=colorado,dc=edu"
> as for group/subject baseDN's. However, because the global catalog is
> read-only, it can't be used for provisioning via PSPNG.
>
> Has anyone run into this issue? Or is everyone using the full baseDN's
> for the url and groups/subjects and this is something unique to our
> environment?
>
> Thanks,
>
> Marwan Shaher
> University of Colorado Boulder