
grouper-users - RE: [grouper-users] Multiple searchSubjects in sources.xml

Subject: Grouper Users - Open Discussion List

  • From: Philip Harle <>
  • To: "" <>
  • Subject: RE: [grouper-users] Multiple searchSubjects in sources.xml
  • Date: Mon, 7 Nov 2016 11:48:30 +0000

I’ve attempted to specify the base as ‘DC=campus,DC=ncl,DC=ac,DC=uk’ but this leads to the following error when adding users either in ‘Campus Users’ or ‘Other Users’:

 

2016-11-07 10:21:34,882: [main] ERROR LdapSourceAdapter.getLdapResultsHelper(773) -  - Ldap NamingException: Unprocessed Continuation Reference(s)
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=campus,DC=ncl,DC=ac,DC=uk'
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2866)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1789)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:412)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:394)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
        at edu.vt.middleware.ldap.AbstractLdap.search(AbstractLdap.java:215)
        at edu.vt.middleware.ldap.Ldap.search(Ldap.java:431)
        at edu.vt.middleware.ldap.Ldap.search(Ldap.java:347)
        ….

 

 

For reference sources.xml was changed to reflect below:

    <search>
        <searchType>searchSubject</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp;(cn=%TERM%)(objectclass=person))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>SUBTREE_SCOPE</param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>DC=campus,DC=ncl,DC=ac,DC=uk</param-value>
        </param>
    </search>
    <search>
        <searchType>searchSubjectByIdentifier</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp;(cn=%TERM%)(objectclass=person))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>SUBTREE_SCOPE</param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>DC=campus,DC=ncl,DC=ac,DC=uk</param-value>
        </param>
    </search>

 

And ‘OU=Campus Users,’ was removed from ldap.properties to give the peopleBaseDN as below:

edu.internet2.middleware.psp.peopleBaseDn=dc=campus,dc=ncl,dc=ac,dc=uk

 

 

When the line above is reverted to ‘edu.internet2.middleware.psp.peopleBaseDn=ou=Campus Users,dc=campus,dc=ncl,dc=ac,dc=uk’ the following expected error is shown in the log when trying to provision users contained in the ‘Other Users’ OU:

 

2016-11-07 11:38:01,291: [DefaultQuartzScheduler_Worker-6] INFO  Psp.execute(983) -  - Psp 'psp' - Calc CalcRequest[id=sma11,requestID=<null>,returnData=identifier,schemaEntityRef=SchemaEntityRef[targetID=ldap,entityName=member,isContainer=false]]
2016-11-07 11:38:01,291: [DefaultQuartzScheduler_Worker-6] INFO  Psp.execute(987) -  - Psp 'psp' - Calc XML:
<psp:calcRequest xmlns:psp='http://grouper.internet2.edu/psp' returnData='identifier'>
  <psp:id ID='sma11'/>
  <psp:schemaEntity targetID='ldap' entityName='member'/>
</psp:calcRequest>

 

Has anyone else tried specifying the peopleBaseDN as the root domain rather than an OU?

 

Thanks,
Phil

 

From:
Sent: 04 November 2016 18:39
To: Philip Harle <>
Cc:
Subject: Re: [grouper-users] Multiple searchSubjects in sources.xml

 

If AD behaves like other LDAP servers, you could specify the base as 'DC=campus,DC=ncl,DC=ac,DC=uk' and change the ACI for the LDAP/AD account you configured Grouper with so that it only has access to the two branches you want (OU=Campus Users and OU=Other Users).

Julio Polo
Enterprise Middleware, Identity and Access Management
Information Technology Services
University of Hawaii

 

On Fri, Nov 4, 2016 at 1:33 AM, Philip Harle <> wrote:

Inside of sources.xml we specify the path to the base OU in Active Directory containing the majority of our user accounts. However, we have a scenario where our subject user accounts exist across two separate locations in AD.

We currently use the following:
    <search>
        <searchType>searchSubjectByIdentifier</searchType>
        <param>
            <param-name>filter</param-name>
            <param-value>
                (&amp;(cn=%TERM%)(objectclass=person))
            </param-value>
        </param>
        <param>
            <param-name>scope</param-name>
            <param-value>SUBTREE_SCOPE</param-value>
        </param>
        <param>
            <param-name>base</param-name>
            <param-value>OU=Campus Users,DC=campus,DC=ncl,DC=ac,DC=uk</param-value>
        </param>
    </search>

Is it possible to specify a secondary location, for example 'OU=Other Users,DC=campus,DC=ncl,DC=ac,DC=uk' in addition to the one specified above?

I've attempted to construct a search block in sources.xml using numParameters to allow us to query a second location if the subject is not found in the first, but I've not had much success.

I realise this could be achieved by specifying the base as 'DC=campus,DC=ncl,DC=ac,DC=uk', however our domain contains a number of other root OUs that we'd rather not have Grouper search through in order to maintain performance of the service.

Thanks,

---
Phil Harle
IT Service
Newcastle University
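
An added example, not part of the thread and not Grouper code: a small audit that parses the `<search>` blocks of a sources.xml and flags any whose `base` falls outside the two OUs the thread wants Grouper limited to. The `ALLOWED_BASES` list, the helper names, and the wrapping `<source>` element in the constructed sample are assumptions; DN comparison is simplified to case-folded RDN matching.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two kinds of base discussed in the thread, wrapped in
# a <source> element (assumed) so the fragment parses as a single document.
SAMPLE_SOURCES_XML = """
<source>
  <search>
    <searchType>searchSubject</searchType>
    <param><param-name>filter</param-name>
      <param-value>(&amp;(cn=%TERM%)(objectclass=person))</param-value></param>
    <param><param-name>scope</param-name><param-value>SUBTREE_SCOPE</param-value></param>
    <param><param-name>base</param-name><param-value>DC=campus,DC=ncl,DC=ac,DC=uk</param-value></param>
  </search>
  <search>
    <searchType>searchSubjectByIdentifier</searchType>
    <param><param-name>scope</param-name><param-value>SUBTREE_SCOPE</param-value></param>
    <param><param-name>base</param-name>
      <param-value>OU=Campus Users, dc=campus,dc=ncl,dc=ac,dc=uk</param-value></param>
  </search>
</source>
"""

# Assumption: the only subtrees the Grouper bind account should be searching.
ALLOWED_BASES = [
    "OU=Campus Users,DC=campus,DC=ncl,DC=ac,DC=uk",
    "OU=Other Users,DC=campus,DC=ncl,DC=ac,DC=uk",
]

def rdns(dn):
    """Split a DN on unescaped commas into case-folded (attribute, value) pairs."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn.strip()):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def is_within(dn, base):
    """True if dn equals base or sits beneath it in the tree."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b

def audit(xml_text, allowed):
    """Return (searchType, base, scope) for each search block outside the allowed bases."""
    findings = []
    for search in ET.fromstring(xml_text).iter("search"):
        params = {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
                  for p in search.findall("param")}
        base = params.get("base", "")
        if not any(is_within(base, a) for a in allowed):
            findings.append((search.findtext("searchType", "").strip(), base, params.get("scope", "")))
    return findings
```

On the constructed sample, `audit(SAMPLE_SOURCES_XML, ALLOWED_BASES)` reports only the `searchSubject` block, whose base is the domain root.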

 



