grouper-users - Re: [grouper-users] Re: Error - Found multiple matching subjects
Subject: Grouper Users - Open Discussion List
- From: Akki Kumar <>
- To: "Hyzer, Chris" <>
- Cc: Stephen A Sazama <>,
- Subject: Re: [grouper-users] Re: Error - Found multiple matching subjects
- Date: Wed, 28 Jun 2017 14:18:28 -0400
Commands:
https://drive.google.com/open?id=1LZvb6C54wai9NItrfbbYiUOdGCMMhrgsHC8YAopupy8
Thank you,
Akki
There are two ways to identify subjects:
1. Id: one thing that shouldn’t change and is probably opaque and identifies subject
2. Identifier: could have multiple, identifies the user, could change, might or might not be opaque
If you use LDAP, then select what your ID would be. Is that ID in AD as an attribute? (if so, then you are all good) Could you put it in there if not? (if so then you are all good) Is there another identifier for the subject which is in LDAP that is also in AD to look the subject up? (if so then all good)
#2 will likely cause you problems. i.e. you grant stuff to a subject in one source, but look them up in another source, the subject in the other source, even though it’s the same person, will have different rights.
Want to discuss on the next grouper bi-weekly call Wed the 14th at noon? If you need something sooner that’s fine too, set up a doodle poll or something.
Thanks
Chris
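The point in the message above (the same person in two sources is two different subjects with different rights) as an added toy model in Python; it is not Grouper code and not part of the original thread. The function names, group name and sample IDs are hypothetical; only the source ids ldap and ad and the error wording come from the thread.

```python
# Added illustration: a toy model of source-scoped subjects, not Grouper code.
from collections import defaultdict

class SubjectNotUnique(Exception):
    """Stands in for the SubjectNotUniqueException seen in the thread."""

# Constructed sample data: one person exists in both sources under the same numeric id.
SOURCES = {
    "ldap": {"1000123": "Pat Example", "1000456": "Sam Sample"},
    "ad":   {"1000123": "Pat Example"},
}

def find_by_id(subject_id, source_id=None):
    """Return (source_id, subject_id); refuse to guess when several sources match."""
    candidates = [source_id] if source_id else sorted(SOURCES)
    hits = [(s, subject_id) for s in candidates if subject_id in SOURCES.get(s, {})]
    if not hits:
        raise KeyError(subject_id)
    if len(hits) > 1:
        raise SubjectNotUnique(
            f"found multiple matching subjects: {len(hits)}, {subject_id}")
    return hits[0]

class Registry:
    """Memberships are keyed by (source, id), so one person can be two members."""
    def __init__(self):
        self.members = defaultdict(set)  # group name -> {(source_id, subject_id)}

    def add_member(self, group, subject_id, source_id=None):
        self.members[group].add(find_by_id(subject_id, source_id))

    def has_member(self, group, subject_id, source_id):
        return (source_id, subject_id) in self.members[group]

def overlapping_ids(a="ldap", b="ad"):
    """Ids present in both sources: each one is a potential ambiguous lookup."""
    return sorted(SOURCES[a].keys() & SOURCES[b].keys())
```

Running overlapping_ids() against real exports of each source before adding a second source shows how many lookups would become ambiguous.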
From: Stephen A Sazama [mailto:]
Sent: Wednesday, May 31, 2017 11:23 AM
To: Hyzer, Chris <>
Cc: Akki Kumar <>
Subject: Re: [grouper-users] Re: Error - Found multiple matching subjects
Hi Chris,
It sounds like we have two options:
1. Get all subjects from one place (LDAP is a superset of AD so that would be fine), but then how do we configure the provisioning to AD if it's not a subject source?
2. Mark folders to restrict them to certain subject sources. I get what you're saying now for this one but it seems like #1 would be the ideal option if we can make that work instead.
Any chance I could set up a call with you so we can discuss with some of the other members of our identity team?
Thanks,
Stephen
On Wed, May 24, 2017 at 1:34 PM, Hyzer, Chris <> wrote:
I’m not saying use external subjects. I’m saying there is an example in that wiki of restricting folders for certain subject sources (in that case external, but in your case whatever source you want, e.g. AD)… know what I mean?
RuleApi.vetoSubjectAssignInFolderIfNotInGroup(SubjectFinder.findRootSubject(), rootStem, null, false, "someSourceId", Stem.Scope.SUB, "rule.entity.cannot.be.someSourceId", "Person cannot be assigned if in this source");
RuleApi.vetoSubjectAssignInFolderIfNotInGroup(SubjectFinder.findRootSubject(), allowedStem, null, true, "someSourceId", Stem.Scope.SUB, "rule.entity.can.be.someSourceId", "Person can be in this source");
Thanks
Chris
From: Stephen A Sazama [mailto:]
Sent: Wednesday, May 24, 2017 12:08 PM
To: Hyzer, Chris <>
Cc: Akki Kumar <>;
Subject: Re: [grouper-users] Re: Error - Found multiple matching subjects
Hi Chris,
Thanks for the info, we've got the patch now.
As for our other question, I'm not sure if external subjects are what we need (maybe they are). LDAP is a superset of AD. Should we remove AD as a source so only LDAP subjects can be added as members, or do we just need to tweak its configuration? Putting LDAP subjects into the AD-provisioned groups was not adding them into AD so we're missing something.
Thanks for any pointers,
Stephen
On Sun, May 21, 2017 at 6:05 PM, Hyzer, Chris <> wrote:
I fixed the problem where subjects that have id’s in multiple sources cause an error in the UI.
2.3.0 UI patch #26.
These jiras are in the patch:
Same subject ID in multiple sources causes error:
https://bugs.internet2.edu/jira/browse/GRP-1542
Subject API diagnostic does not show for admins but might show for non admins:
NOTE: everyone should install the patch for this part…
https://bugs.internet2.edu/jira/browse/GRP-1545
Can be looping in CSRF when session dies:
https://bugs.internet2.edu/jira/browse/GRP-1546
Do you still need the other functionality?
Do you not have a source that has all members once? i.e. is AD a superset of LDAP or vice versa? Can you make a process that collates all subjects into one place (union of all subjects)?
Yes, you can mark folders as allowed or not allowed. See the rule at the bottom of this wiki:
https://spaces.internet2.edu/display/Grouper/Grouper+external+subjects
Thanks
Chris
From: Stephen A Sazama [mailto:]
Sent: Wednesday, May 17, 2017 1:22 PM
To: Akki Kumar <>
Cc: Hyzer, Chris <>;
Subject: Re: [grouper-users] Re: Error - Found multiple matching subjects
Hi Chris,
I'll see if I can explain what we're trying to do. We have an LDAP source for all of our Grouper people subjects, and we are already provisioning a number of groups back to LDAP. We now want to provision some other groups into our Active Directory, so Akki added that as a source and the result is that we basically have 2 subjects for each person (one in LDAP source and one in AD source), since they are identified by a numeric ID number that is present in both LDAP and AD. That just makes it confusing for users when they go to add a group member and get 2 options that appear to be the same, so we want to figure out what is the best way for us to configure this.
- Do we want AD to be a second source, or can we configure it as something else since we only want to provision out to it? AD subjects wouldn't be needed if we can get it to recognize LDAP subject memberships by the ID and provision those to AD.
- Is there a way to mark groups such that they can only be assigned members from a given source? For example, we would want all groups to use the LDAP source by default, but mark a few to use the AD source so we can provision memberships back to AD.
I would think this scenario (one source of record, multiple LDAP/AD/Database sources to provision to) is fairly common. Please let us know if there are any existing examples we can take a look at.
Thanks!
Stephen
On Thu, May 11, 2017 at 2:39 PM, Akki Kumar <> wrote:
Hi Chris,
The Sources.xml file has two different source ids (ldap & ad). When I search for the user (Screenshot - a.jpg) in the Member Name or ID field, it spins and errors out (does not show the drop down). However, when I search for the user in the Search for an entity window (Screenshot - c.jpg), it works. I am a little baffled as to why the userid search works in the Search for an entity window and not for the Member Name or ID.
Will a screenshot be fine? I have attached screenshots at the link below:
Screenshots:
Both source ids, ldap & ad, point to a different directory access protocol.
Thanks,
Akki
On Thu, May 11, 2017 at 1:10 PM, Hyzer, Chris <> wrote:
So you have two sources, with different source ids, and you search for a user, and select the user in the drop down? Then after selecting the user you click add, and it gives an error?
As you know, it’s best not to have overlaps in subject sources… any chance you can get a normalized view of users in a database or something? However, this should work. If you type in the userid and click add, that won’t work, but if you type in a userid, and select the user from the combobox, and click add, that should work. That associates it with a source id (or at least it should :) )
Any chance you can make a quick video (e.g. on your phone) of the screen where you get the error and send it to me so I can see how this happens?
Thanks
Chris
From: Akki Kumar [mailto:]
Sent: Thursday, May 11, 2017 11:35 AM
To: Hyzer, Chris <>
Cc:
Subject: Error - Found multiple matching subjects
Hi Chris,
I installed Grouper 2.3.0 and created two source adapters, LDAP & AD, in sources.xml. Grouper threw the error below when I searched for a user (after clicking on the "Add members" button). I believe it's trying to search for a user in both LDAP & AD, and that is one of the reasons it found multiple subjects.
Question:
- Is there a way for Grouper to suggest both LDAP & AD users (in the search), instead of throwing an error?
Note:
- Multiple_Results parameter is set to true
- All patches are applied to grouper api
- I set authentication sourceId to ldap
Error:
2017-05-11 11:11:39,932: [ajp-nio-8009-exec-2] ERROR GrouperUiRestServlet.doGet(326) - - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group.addMemberFilter
edu.internet2.middleware.subject.SubjectNotUniqueException: found multiple matching subjects: 2, <USER_NAME>, Problem calling method addMemberFilter on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group
    at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.thereCanOnlyBeOne(SourcesXmlResolver.java:492)
    at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.findByIdOrIdentifier(SourcesXmlResolver.java:527)
    at edu.internet2.middleware.grouper.subj.CachingResolver.findByIdOrIdentifier(CachingResolver.java:377)
    at edu.internet2.middleware.grouper.subj.ValidatingResolver.findByIdOrIdentifier(ValidatingResolver.java:203)
    at edu.internet2.middleware.grouper.SubjectFinder.findByIdOrIdentifier(SubjectFinder.java:316)
    at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group$1.lookup(UiV2Group.java:599)
    at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group$1.lookup(UiV2Group.java:581)
    at edu.internet2.middleware.grouper.grouperUi.beans.dojo.DojoComboLogic.logic(DojoComboLogic.java:118)
    at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group.addMemberFilter(UiV2Group.java:581)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:4143)
    at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:4094)
    at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:293)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:110)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1049)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:209)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at uk.ac.bris.is.grouper.ui.PreCASFilter.doFilter(PreCASFilter.java:128)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:595)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:478)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1441)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Thank you,
Akki