
grouper-users - [grouper-users] RE: LDAP Loader and AD ranged attributes

Subject: Grouper Users - Open Discussion List


[grouper-users] RE: LDAP Loader and AD ranged attributes


  • From: "Redman, Chad Eric" <>
  • To: grouper-users <>
  • Subject: [grouper-users] RE: LDAP Loader and AD ranged attributes
  • Date: Thu, 26 Jan 2017 15:14:36 +0000

For purposes of internet posterity, the JIRA issue in question is https://bugs.internet2.edu/jira/browse/GRP-1471 .  -Chad

 

From: [mailto:] On Behalf Of Redman, Chad Eric
Sent: Thursday, January 26, 2017 10:12 AM
To: Hyzer, Chris <>; grouper-users <>
Subject: [grouper-users] RE: LDAP Loader and AD ranged attributes

 


Thanks! Your change looks a lot cleaner, and I'll try it out when I can. I'll try how it handles an invalid class name in the field; it should be non-functional either way, but leaving the exception uncaught may be a harder stop.

 

In the ticket, I wondered if using the property readers directly from vt-ldap would be a better long-term fix, since it would allow all its properties to be set, instead of passing a partial set through Grouper translations of them. Right after that, I noticed there is an ldap.*.configFileFromClasspath property that can nearly do this already -- it's just the validator that would still need a custom handling. Is this something supported? I didn't see it documented in the wiki or mentioned on the mailing lists.

 

-Chad

 

 

From: Hyzer, Chris []
Sent: Thursday, January 26, 2017 2:38 AM
To: Redman, Chad Eric <>; grouper-users <>
Subject: RE: LDAP Loader and AD ranged attributes

 

Thanks for the contribution Chad.  I modified it slightly (please review), and put it in patch api 2.3.0 #50

 

Regards

Chris

 

From: [] On Behalf Of Hyzer, Chris
Sent: Tuesday, January 24, 2017 4:06 PM
To: Redman, Chad Eric <>; grouper-users <>
Subject: [grouper-users] RE: LDAP Loader and AD ranged attributes

 

Yes please for pull request

 

From: [] On Behalf Of Redman, Chad Eric
Sent: Tuesday, January 24, 2017 3:34 PM
To: grouper-users <>
Subject: [grouper-users] LDAP Loader and AD ranged attributes

 

Hi,

 

We have some LDAP loader jobs that query AD for subjects. An issue we found when going to production was that our AD source returns a ranged attribute for a membership field when there are over 1500 members. What this means is that the attribute returned from the query is not "member" but "member;range=0-1499". The client is then expected to do further queries to get the rest of the members, e.g. "member;range=1500-*" and so on.

 

The closest mention I could find for this problem was a 2009 post mentioning a custom result handler for LDAPPC that could handle ranged results. We applied a similar solution to the LDAP Loader. We created a custom RangeSearchResultHandler class (based on the one from https://code.google.com/archive/p/vt-middleware/wikis/vtldapAD.wiki#Range_Attributes) to handle the non-standard attribute label and the loop to get the results. The vt-ldap config has an option (searchResultHandlers) for a multi-valued list of search result handler classes. However, we needed to patch the Grouper code so that it could handle a new ldap.*.searchResultHandlers property in the grouper-loader.properties file and pass it on to the LDAP config.

 

Has anyone come across the same issue in getting large result sets from AD? Has this already been solved? I tried the other recommended methods of setting pagedResultsSize, referral, and/or batchSize, with no success. From a debug session, it looks like they all fail to account for "member;range=0-1499" really being the member field.

 

I can put a pull request together, if this is something useful outside of our own installation.

 

-Chad
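
The range retrieval loop described in the original message above, as an added Python example that is not code from this thread, Grouper, or vt-ldap. `search` is a hypothetical callback standing in for an LDAP search, and the directory, DNs, and per-response limit are simulated with constructed data.

```python
import re

# Matches an AD ranged attribute description such as "member;range=0-1499".
RANGE_RE = re.compile(r"^([^;]+);range=(\d+)-(\d+|\*)$", re.IGNORECASE)

def parse_ranged(desc):
    """Return (base_name, low, high): low is None if un-ranged, high is None for '*'."""
    m = RANGE_RE.match(desc)
    if not m:
        return desc, None, None
    return m.group(1), int(m.group(2)), None if m.group(3) == "*" else int(m.group(3))

def fetch_all_values(search, dn, attr):
    """Follow ranged responses until the server marks the last chunk with 'N-*'.

    search(dn, requested_attr) is a hypothetical callback returning
    {attribute_description: [values]} for one entry.
    """
    values, requested = [], attr
    while True:
        ranged = plain = None
        for desc, vals in search(dn, requested).items():
            name, low, high = parse_ranged(desc)
            if name.lower() != attr.lower():
                continue
            if low is None:
                plain = vals
            else:
                ranged = (high, vals)
        if ranged is None:                 # small group: no range option in the reply
            return values + list(plain or [])
        high, vals = ranged
        values.extend(vals)
        if high is None:                   # "range=N-*" is the final chunk
            return values
        requested = f"{attr};range={high + 1}-*"

def make_fake_ad(members, limit=1500):
    """Constructed stand-in for AD: at most `limit` values per response."""
    def search(dn, requested):
        name, low, _ = parse_ranged(requested)
        low = low or 0
        chunk = members[low:low + limit]
        if low == 0 and len(members) <= limit:
            return {name: chunk}
        end = "*" if low + len(chunk) >= len(members) else str(low + len(chunk) - 1)
        return {f"{name};range={low}-{end}": chunk}
    return search

# Constructed sample data: a group with 3200 members.
MEMBERS = [f"CN=user{i},OU=People,DC=example,DC=edu" for i in range(3200)]
GROUP_DN = "CN=big-group,OU=Groups,DC=example,DC=edu"
```

With this simulated directory, a reader that looks up only the literal key "member" gets no values for the 3200-member group, while `fetch_all_values` returns all of them in three requests.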

 



