Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] LDAP url and search base value

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] LDAP url and search base value

Chronological Thread 
  • From: "Hyzer, Chris" <>
  • To: Marwan Shaher <>, "" <>
  • Subject: RE: [grouper-users] LDAP url and search base value
  • Date: Wed, 2 Nov 2016 18:28:57 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:QZ2NAxRrHml/dhaVaXgrfZbMWdpsv+yvbD5Q0YIujvd0So/mwa65YBWN2/xhgRfzUJnB7Loc0qyN4vqmCTdLsMfJmUtBWaQEbwUCh8QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYsExnyfTB4Ov7yUtaLyZ/mjabioNaCMk1hv3mUWftKNhK4rAHc5IE9oLBJDeIP8CbPuWZCYO9MxGlldhq5lhf44dqsrtY4q3wD89pozcNLUL37cqIkVvQYSW1+ayFmrPHs4DzKVxSG4DMnUmwWnwAAVw3M9g7zWNHqsiL6u/BV8y6eOtf/QbdydBifueMjAhDyjzofOiR87XrakNdYjaRHrQinqgAlhYPYfcvdYPVkeb7FcMlfWHFMRN15VipdD5m6YpdVSecNILALgZP6og5EjQqsCBPoTMjv0D5TzDei2KY6wvYsCynHxwdmAsoDtnKSodnoYvRBGdupxbXFmG2QJ8hd3i3wvc2RKkgs
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Note, you can make your own config items in the properties file and use
variables if you want to overlay pieces of it...

# ad-dev or ad-prod = ad-dev
ldap.pennKiteAd.url = ldaps://$$$$
changeLog.consumer.pspng_activedirectory.groupSearchBaseDn =
changeLog.consumer.pspng_activedirectory.userSearchBaseDn =

I know this email was about something else, but wanted to mention...

-----Original Message-----

On Behalf Of Marwan Shaher
Sent: Friday, October 28, 2016 4:04 PM

Subject: Re: [grouper-users] LDAP url and search base value

Thanks, Bert. It's not a big deal for us right now since we are omitting
the base DN from the URL and specifying it in the pspng config items. It
allows us to specify the domain component for the subject baseDN since
we have service accounts outside of the people ou. I don't think it's
worth a PSPNG patch, at least not in the short term, unless there is a
need to utilize the property overlays option that you suggested.



On 10/28/2016 12:42 PM, Bee-Lindgren, Bert wrote:
> Hello,
> It must be Ldaptive that is combining the two base DNs when they're
> specified in two places (URL & pspng config items).
> Everything works with an ldap url that does not include any base_dn
> information, including not having the trailing / :
> ldaps://
> If you'd like to continue with base-dn information in the URL[1], I'll
> patch PSPNG to interpret something like "group/subject basedn=/" to do
> the right thing.
> Sincerely,
> Bert Bee-Lindgren
> [1]-This might be useful to share ldap-pool configuration with other
> components that need the the base-dn specified in the url, or in order
> to use property overlays to more easily have different base-dns for
> different prod/test/dev environments.
> ------------------------------------------------------------------------
> *From:*
> <>
> on behalf of Marwan Shaher
> <>
> *Sent:* Friday, October 28, 2016 2:01 PM
> *To:*
> *Subject:* [grouper-users] LDAP url and search base value
> Hello all,
> We are in the process of testing PSPNG functionality with active
> directory. I'll probably send another email later today or early next
> week with some of the issues that we encountered. On a somewhat related
> note, we are noticing an odd behavior with ldap urls and we are not sure
> if this is caused by Grouper, the underlying ldap framework (ldaptive or
> vt-ldap), the AD/ldap servers or all or few of the above.
> Most of the documentation on the Grouper wiki relating to LDAP specifies
> the url as follows:
> ldaps://,dc=edu
> in our AD dev environment, this is
> ldaps://,DC=COLORADO,DC=EDU (capitalized
> here just for clarity)
> For group or subjects baseDn's (, PSPNG, ldap loader), it
> is also assumed to have the full base dn (e.g:
> ou=someOU,dc=school,dc=edu). However, the values specified for the group
> or subject baseDN's get always appended with the baseDN value specified
> in the server url.
> e.g:
> group/subject baseDN : ou=someOU,dc=div,dc=colorado,dc=edu
> LDAP url: ldaps://,dc=colorado,dc=edu
> then we see that searches for group/subject are done at the
> ou=someOU,dc=div,dc=colorado,dc=edu,DC=DIV,DC=COLORADO,DC=EDU .
> So, we either have to
> - specify the group/subject baseDN relative to the baseDN in the url .
> This may not always work, especially in cases where the whole directory
> tree needs to be specified for groups/subject (ie, if the groups and
> subjects are not contained in one OU)
> - specify the LDAP url without the search baseDN part (ie,
> ldaps:// ). This may not always be an option
> if the baseDN MUST be provided and can not be null. The PSPNG
> configuration allows for the baseDN to be omitted from the url.
> This hasn't been an issue for us so far since we specify the global
> catalog port for AD (3269) in, and because we provision
> to AD via a connector that reads from a message bus. We do not specify a
> search base in the url which allows us to specify "dc=colorado,dc=edu"
> as for group/subject baseDN's. However, because the global catalog is
> read-only, it can't be used for provisioning via PSPNG.
> Has anyone run into this issue? Or is everyone using the full baseDN's
> for the url and groups/subjects and this is something unique to our
> environment?
> Thanks,
> Marwan Shaher
> University of Colorado Boulder

  • RE: [grouper-users] LDAP url and search base value, Hyzer, Chris, 11/02/2016

Archive powered by MHonArc 2.6.19.

Top of Page