Grouper Users - Open Discussion List

[Akki Kumar <>]

Hi Chris,

I ran commands (in below link) to restrict source adapter search to a specific stem. However, when I search for the user (under restricted groups), it still searches both LDAP and AD source adapter.  The source adapters (LDAP & AD) are defined in the sources.xml. 

Questions:

• Do I need to run "RuleApi.runRulesForOwner(<STEM_NAME>)" to submit rules?
  
• Is there another way to define/restrict user search to a specific source adapter for a stem?
  
• I believe no other configuration needed other than running below commands in gsh and adding source adapter to the sources.xml, correct?

Commands:

https://drive.google.com/open?id=1LZvb6C54wai9NItrfbbYiUOdGCMMhrgsHC8YAopupy8

Any guidance is truly appreciated.

Thank you,

Akki

On Thu, Jun 29, 2017 at 11:06 AM, Akki Kumar <> wrote:

Hi Chris,

One more thing to add to the last email. The source adapters (LDAP & AD) are defined in the sources.xml. 

Questions:

• Is there a way to define/restrict user search to a specific source adapter for a stem. ?
  
• Is there other configuration needed other than running below commands in gsh and adding source adapter to the sources.xml?

Commands:

https://drive.google.com/open?id=1LZvb6C54wai9NItrfbbYiUOdGCMMhrgsHC8YAopupy8

Any guidance is truly appreciated.

Thank you,

Akki

On Wed, Jun 28, 2017 at 2:18 PM, Akki Kumar <> wrote:

Hi Chris,

As per your suggestions, I ran commands (in below link) to restrict source adapter search to a specific stem. However, when I search for the user (under restricted groups), it's still searches both LDAPand AD source adapter. Do I need to run "RuleApi.runRulesForOwner(<STEM_NAME>)" to submit rules?

Commands:

https://drive.google.com/open?id=1LZvb6C54wai9NItrfbbYiUOdGCMMhrgsHC8YAopupy8

Thank you,

Akki

On Thu, Jun 1, 2017 at 9:36 AM, Hyzer, Chris <> wrote:

There are two ways to identify subjects:

 

1.       Id: one thing that shouldn’t change and is probably opaque and identifies subject

2.       Identifier: could have multiple, identifies the user, could change, might or might not be opaque

 

If you use LDAP, then select what your ID would be.  Is that ID in AD as an attribute?  (if so, then you are all good)  Could you put it in there if not?  (if so then you are all good)  Is there another identifier for the subject which is in LDAP that is also in AD to look the subject up?  (if so then all good)

 

#2 will likely cause you problems.  i.e. you grant stuff to a subject in one source, but look them up in another source, the subject in the other source, even though it’s the same person, will have different rights.

 

Want to discuss on the next grouper bi-weekly call wed the 14^th at noon?  If you need something sooner that’s fine too, setup a doodle poll or something

 

Thanks

Chris

 

From: Stephen A Sazama [mailto:]
Sent: Wednesday, May 31, 2017 11:23 AM
To: Hyzer, Chris <>
Cc: Akki Kumar <>

Subject: Re: [grouper-users] Re: Error - Found multiple matching subjects

 

Hi Chris,

 

It sounds like we have two options:

1. Get all subjects from one place (LDAP is a superset of AD so that would be fine), but then how do we configure the provisioning to AD if it's not a subject source?

2. Mark folders to restrict them to certain subject sources. I get what you're saying now for this one but it seems like #1 would be the ideal option if we can make that work instead.

 

Any chance I could set up a call with you so we can discuss with some of the other members of our identity team?

 

Thanks,

Stephen

 

On Wed, May 24, 2017 at 1:34 PM, Hyzer, Chris <> wrote:

Im not saying use external subjects.  Im saying there is an example in that wiki of restricting folders for certain subject sources (in that case external, but in your case whatever source you want, e.g. AD)… know what I mean?

 

RuleApi.vetoSubjectAssignInFolderIfNotInGroup(SubjectFinder.findRootSubject(), rootStem, null, false, "someSourceId", Stem.Scope.SUB, "rule.entity.cannot.be.someSourceId", "Person cannot be assigned if in this source");

 

RuleApi.vetoSubjectAssignInFolderIfNotInGroup(SubjectFinder.findRootSubject(), allowedStem, null, true, "someSourceId", Stem.Scope.SUB, "rule.entity.can.be.someSourceId", "Person can be in this source");

 

Thanks

Chris

 

 

 

From: Stephen A Sazama [mailto:]
Sent: Wednesday, May 24, 2017 12:08 PM
To: Hyzer, Chris <>
Cc: Akki Kumar <>;

Subject: Re: [grouper-users] Re: Error - Found multiple matching subjects

 

Hi Chris,

 

Thanks for the info, we've got the patch now.

 

As for our other question, I'm not sure if external subjects are what we need (maybe they are). LDAP is a superset of AD. Should we remove AD as a source so only LDAP subjects can be added as members, or do we just need to tweak its configuration? Putting LDAP subjects into the AD-provisioned groups was not adding them into AD so we're missing something.

 

Thanks for any pointers,

Stephen

 

On Sun, May 21, 2017 at 6:05 PM, Hyzer, Chris <> wrote:

I fixed the problem where subjects that have id’s in multiple sources cause an error in the UI.

 

2.3.0 UI patch #26.

 

These jiras are in the patch:

 

Same subject ID in multiple sources causes error:

https://bugs.internet2.edu/jira/browse/GRP-1542

 

Subject API diagnostic does not show for admins but might show for non admins:

NOTE: everyone should install the patch for this part…

https://bugs.internet2.edu/jira/browse/GRP-1545

 

Can be looping in CSRF when session dies:

https://bugs.internet2.edu/jira/browse/GRP-1546

 

Do you still need the other functionality?

 

Do you not have a source that has all members once?  i.e. is AD a superset of LDAP or viceversa?  Can you make a process that collates all subjects into one place (union of all subjects)?

 

Yes, you can mark folders as allowed or not allowed.  See the rule at the bottom of this wiki:

 

https://spaces.internet2.edu/display/Grouper/Grouper+external+subjects

 

 

 

Thanks

Chris

 

 

 

From: Stephen A Sazama [mailto:]
Sent: Wednesday, May 17, 2017 1:22 PM
To: Akki Kumar <>
Cc: Hyzer, Chris <>;
Subject: Re: [grouper-users] Re: Error - Found multiple matching subjects

 

Hi Chris,

 

I'll see if I can explain what we're trying to do. We have an LDAP source for all of our Grouper people subjects, and we are already provisioning a number of groups back to LDAP. We now want to provision some other groups into our Active Directory, so Akki added that as a source and the result is that we basically have 2 subjects for each person (one in LDAP source and one in AD source), since they are identified by a numeric ID number that is present in both LDAP and AD. That just makes it confusing for users when they go to add a group member and get 2 options that appear to be the same, so we want to figure out what is the best way for us to configure this.

 

- Do we want AD to be a second source, or can we configure it as something else since we only want to provision out to it? AD subjects wouldn't be needed if we can get it to recognize LDAP subject memberships by the ID and provision those to AD.

 

- Is there a way to mark groups such that they can only be assigned members from a given source? For example, we would want all groups to use the LDAP source by default, but mark a few to use the AD source so we can provision memberships back to AD.

 

I would think this scenario (one source of record, multiple LDAP/AD/Database sources to provision to) is fairly common. Please let us know if there are any existing examples we can take a look at.

 

Thanks!

Stephen

 

On Thu, May 11, 2017 at 2:39 PM, Akki Kumar <> wrote:

Hi Chris,

 

The Sources.xml file has two different source ids (ldap & ad). When I search for the user (Screenshot - a.jpg) in the Member Name or ID field, it spins and errors out (do not show the drop down). However, when I search for the user in the Search for an entity window (Screenshot - c.jpg), and it works. I am little baffled as to why the userid search work in the  Search for an entity window and not for the Member Name or ID.

 

Is screenshot will fine? I have attached screenshots to below link:

 

Screenshots:

https://drive.google.com/open?id=0BwgGnZC7vA-6ZGUyZWJoQi1Vcjg

 

 

Both source ids, ldap & ad, points to a different directory access protocol.

 

Thanks,

Akki

 

On Thu, May 11, 2017 at 1:10 PM, Hyzer, Chris <> wrote:

So you have two sources, with different source ids, and you search for a user, and select the user in the drop down?  Then after selecting they user you click add, and I gives an error?

 

As you know, its best not to have overlaps in subject sources…  any chance you can get a normalized view of users in a database or something?  However, this should work.  If you type in the userid and click add, that wont work, but if you type in a userid, and select the user from the combobox, and click add, that should work.  That associates it with a source id (or at least it should J )

 

Any chance you can make a quick video (e.g. on your phone) of the screen where you get the error and send it to me so I can see how this happens?

 

Thanks

Chris

 

 

From: Akki Kumar [mailto:]
Sent: Thursday, May 11, 2017 11:35 AM
To: Hyzer, Chris <>
Cc:
Subject: Error - Found multiple matching subjects

 

Hi Chris,

 

I installed Grouper 2.3.0 and created two source adapters, LDAP & AD, in sources.xml. Grouper threw below error when I search for a user (after clicking on the "Add members" button). I believe, it's trying to search for a user in both, LDAP & AD, and that is one of the reason it found multiple subjects. 

 

Question:

• Is there a way for a grouper to suggest both LDAP& AD user (in the search), instead of throwing an error? 

 

Note: 

• Multiple_Results parameter is set to true
• All patches are applied to grouper api
• I set authentication sourceId to ldap

 

Error:

2017-05-11 11:11:39,932: [ajp-nio-8009-exec-2] ERROR GrouperUiRestServlet.doGet(326) -  - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group.addMemberFilter

edu.internet2.middleware.subject.SubjectNotUniqueException: found multiple matching subjects: 2, <USER_NAME>,

Problem calling method addMemberFilter on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group

        at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.thereCanOnlyBeOne(SourcesXmlResolver.java:492)

        at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.findByIdOrIdentifier(SourcesXmlResolver.java:527)

        at edu.internet2.middleware.grouper.subj.CachingResolver.findByIdOrIdentifier(CachingResolver.java:377)

        at edu.internet2.middleware.grouper.subj.ValidatingResolver.findByIdOrIdentifier(ValidatingResolver.java:203)

        at edu.internet2.middleware.grouper.SubjectFinder.findByIdOrIdentifier(SubjectFinder.java:316)

        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group$1.lookup(UiV2Group.java:599)

        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group$1.lookup(UiV2Group.java:581)

        at edu.internet2.middleware.grouper.grouperUi.beans.dojo.DojoComboLogic.logic(DojoComboLogic.java:118)

        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group.addMemberFilter(UiV2Group.java:581)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

        at java.lang.reflect.Method.invoke(Method.java:606)

        at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:4143)

        at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:4094)

        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:293)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:110)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1049)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

        at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:209)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

        at uk.ac.bris.is.grouper.ui.PreCASFilter.doFilter(PreCASFilter.java:128)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:595)

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)

        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624)

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341)

        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:478)

        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)

        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798)

        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1441)

        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

        at java.lang.Thread.run(Thread.java:745)

 

Thank you,

Akki