Grouper Users - Open Discussion List

[Stephen A Sazama <>]

Hi Chris,

Thanks for the info, we've got the patch now.

As for our other question, I'm not sure if external subjects are what we need (maybe they are). LDAP is a superset of AD. Should we remove AD as a source so only LDAP subjects can be added as members, or do we just need to tweak its configuration? Putting LDAP subjects into the AD-provisioned groups was not adding them into AD so we're missing something.

Thanks for any pointers,

Stephen

On Sun, May 21, 2017 at 6:05 PM, Hyzer, Chris <> wrote:

I fixed the problem where subjects that have id’s in multiple sources cause an error in the UI.

 

2.3.0 UI patch #26.

 

These jiras are in the patch:

 

Same subject ID in multiple sources causes error:

https://bugs.internet2.edu/jira/browse/GRP-1542

 

Subject API diagnostic does not show for admins but might show for non admins:

NOTE: everyone should install the patch for this part…

https://bugs.internet2.edu/jira/browse/GRP-1545

 

Can be looping in CSRF when session dies:

https://bugs.internet2.edu/jira/browse/GRP-1546

 

Do you still need the other functionality?

 

Do you not have a source that has all members once?  i.e. is AD a superset of LDAP or viceversa?  Can you make a process that collates all subjects into one place (union of all subjects)?

 

Yes, you can mark folders as allowed or not allowed.  See the rule at the bottom of this wiki:

 

https://spaces.internet2.edu/display/Grouper/Grouper+external+subjects

 

 

 

Thanks

Chris

 

 

 

From: Stephen A Sazama [mailto:]
Sent: Wednesday, May 17, 2017 1:22 PM
To: Akki Kumar <>
Cc: Hyzer, Chris <>;
Subject: Re: [grouper-users] Re: Error - Found multiple matching subjects

 

Hi Chris,

 

I'll see if I can explain what we're trying to do. We have an LDAP source for all of our Grouper people subjects, and we are already provisioning a number of groups back to LDAP. We now want to provision some other groups into our Active Directory, so Akki added that as a source and the result is that we basically have 2 subjects for each person (one in LDAP source and one in AD source), since they are identified by a numeric ID number that is present in both LDAP and AD. That just makes it confusing for users when they go to add a group member and get 2 options that appear to be the same, so we want to figure out what is the best way for us to configure this.

 

- Do we want AD to be a second source, or can we configure it as something else since we only want to provision out to it? AD subjects wouldn't be needed if we can get it to recognize LDAP subject memberships by the ID and provision those to AD.

 

- Is there a way to mark groups such that they can only be assigned members from a given source? For example, we would want all groups to use the LDAP source by default, but mark a few to use the AD source so we can provision memberships back to AD.

 

I would think this scenario (one source of record, multiple LDAP/AD/Database sources to provision to) is fairly common. Please let us know if there are any existing examples we can take a look at.

 

Thanks!

Stephen

 

On Thu, May 11, 2017 at 2:39 PM, Akki Kumar <> wrote:

Hi Chris,

 

The Sources.xml file has two different source ids (ldap & ad). When I search for the user (Screenshot - a.jpg) in the Member Name or ID field, it spins and errors out (do not show the drop down). However, when I search for the user in the Search for an entity window (Screenshot - c.jpg), and it works. I am little baffled as to why the userid search work in the  Search for an entity window and not for the Member Name or ID.

 

Is screenshot will fine? I have attached screenshots to below link:

 

Screenshots:

https://drive.google.com/open?id=0BwgGnZC7vA-6ZGUyZWJoQi1Vcjg

 

 

Both source ids, ldap & ad, points to a different directory access protocol.

 

Thanks,

Akki

 

On Thu, May 11, 2017 at 1:10 PM, Hyzer, Chris <> wrote:

So you have two sources, with different source ids, and you search for a user, and select the user in the drop down?  Then after selecting they user you click add, and I gives an error?

 

As you know, its best not to have overlaps in subject sources…  any chance you can get a normalized view of users in a database or something?  However, this should work.  If you type in the userid and click add, that wont work, but if you type in a userid, and select the user from the combobox, and click add, that should work.  That associates it with a source id (or at least it should J )

 

Any chance you can make a quick video (e.g. on your phone) of the screen where you get the error and send it to me so I can see how this happens?

 

Thanks

Chris

 

 

From: Akki Kumar [mailto:]
Sent: Thursday, May 11, 2017 11:35 AM
To: Hyzer, Chris <>
Cc:
Subject: Error - Found multiple matching subjects

 

Hi Chris,

 

I installed Grouper 2.3.0 and created two source adapters, LDAP & AD, in sources.xml. Grouper threw below error when I search for a user (after clicking on the "Add members" button). I believe, it's trying to search for a user in both, LDAP & AD, and that is one of the reason it found multiple subjects. 

 

Question:

• Is there a way for a grouper to suggest both LDAP& AD user (in the search), instead of throwing an error? 

 

Note: 

• Multiple_Results parameter is set to true
• All patches are applied to grouper api
• I set authentication sourceId to ldap

 

Error:

2017-05-11 11:11:39,932: [ajp-nio-8009-exec-2] ERROR GrouperUiRestServlet.doGet(326) -  - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group.addMemberFilter

edu.internet2.middleware.subject.SubjectNotUniqueException: found multiple matching subjects: 2, <USER_NAME>,

Problem calling method addMemberFilter on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group

        at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.thereCanOnlyBeOne(SourcesXmlResolver.java:492)

        at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.findByIdOrIdentifier(SourcesXmlResolver.java:527)

        at edu.internet2.middleware.grouper.subj.CachingResolver.findByIdOrIdentifier(CachingResolver.java:377)

        at edu.internet2.middleware.grouper.subj.ValidatingResolver.findByIdOrIdentifier(ValidatingResolver.java:203)

        at edu.internet2.middleware.grouper.SubjectFinder.findByIdOrIdentifier(SubjectFinder.java:316)

        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group$1.lookup(UiV2Group.java:599)

        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group$1.lookup(UiV2Group.java:581)

        at edu.internet2.middleware.grouper.grouperUi.beans.dojo.DojoComboLogic.logic(DojoComboLogic.java:118)

        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group.addMemberFilter(UiV2Group.java:581)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

        at java.lang.reflect.Method.invoke(Method.java:606)

        at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:4143)

        at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:4094)

        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:293)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:110)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1049)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

        at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:209)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

        at uk.ac.bris.is.grouper.ui.PreCASFilter.doFilter(PreCASFilter.java:128)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:595)

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)

        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624)

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341)

        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:478)

        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)

        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798)

        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1441)

        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

        at java.lang.Thread.run(Thread.java:745)

 

Thank you,

Akki