RE: [grouper-users] Re: loader.config.hierarchy question


  • From: "Redman, Chad" <>
  • To: Jeffrey Williams <>, "" <>
  • Subject: RE: [grouper-users] Re: loader.config.hierarchy question
  • Date: Thu, 22 Feb 2018 17:08:37 +0000
  • Accept-language: en-US

Hi Jeffrey,

I tried to replicate this with a demo server, but in my case both gsh and the UI worked. I am trying with the most recent 2.3 source code, which should be close to a patched system but not exact. By encrypted password, I assume this means the MorphString utility, right? I tried it both encrypted and plain, and either way it worked. Does your config look similar to either one of these? Was there a stack trace with the bind error?

 

 

PLAIN

classes/grouper-loader.properties

    loader.config.hierarchy = classpath:grouper-loader.base.properties, file:/opt/ext-conf/ldap.ADLdap.pass, classpath:grouper-loader.properties
    ldap.ADLdap.url = ldap://localhost:389
    ldap.ADLdap.user = cn=manager,dc=example,dc=edu

/opt/ext-conf/ldap.ADLdap.pass

    ldap.ADLdap.pass = secret

ENCRYPTED

classes/grouper-loader.properties

    loader.config.hierarchy = classpath:grouper-loader.base.properties, file:/opt/ext-conf/ldap.ADLdap.pass.morphFile, classpath:grouper-loader.properties
    ldap.ADLdap.url = ldap://localhost:389
    ldap.ADLdap.user = cn=manager,dc=example,dc=edu
    #ldap.ADLdap.pass = /opt/ext-conf/ADLdap.pass

classes/morphString.properties

    encrypt.key = /opt/ext-conf/morphString.pass

/opt/ext-conf/ldap.ADLdap.pass.morphFile

    ldap.ADLdap.pass = /opt/ext-conf/ADLdap.pass

/opt/ext-conf/morphString.pass

    Ech6Rosh9KapCas3

/opt/ext-conf/ADLdap.pass (this is "secret" encrypted)

    SwZFCPoqbjfg8u0nuF3O/g==

 

 

 

You can try these diagnostic calls in GSH to verify things are working, but it sounds like GSH wasn't the problem.

    GrouperLoaderConfig.retrieveLdapProfile("ADLdap").getPass()

    import edu.internet2.middleware.morphString.Morph
    Morph.decryptIfFile("/opt/ext-conf/ADLdap.pass")

 

 

-Chad

 

 

 

From: [mailto:] On Behalf Of Jeffrey Williams
Sent: Thursday, February 15, 2018 4:27 PM
To:
Subject: [grouper-users] Re: loader.config.hierarchy question

 

final follow-up:

grouper-loader.properties has its ldap.ADLdap.pass variable commented out, so the variable read from the prior /opt/ext-conf/ldap.ADLdap.pass should have been its only definition.

 

On Thu, Feb 15, 2018 at 4:25 PM, Jeffrey Williams <> wrote:

Apologies, hit send a little early.

 

 

On Thu, Feb 15, 2018 at 4:14 PM, Jeffrey Williams <> wrote:

UNCG is running TIER's Grouper 2.3 container in production and we're looking to promote our LDAP loader config into production.

 

I've been working on a dual git repo setup where one contains the various Grouper configurations and needed modifications to the container, while the other contains the more sensitive parts of the config that need not be included if we were to share our config with others.

 

vtldap seems to put a wrench into this with not seeming to handle ciphered passwords as indicated in the docs.  I had the idea of using loader.config hierarchy as follows:

 

    # comma separated config files that override each other (files on the right override the left)
    loader.config.hierarchy = classpath:grouper-loader.base.properties, file:/opt/ext-conf/ldap.ADLdap.pass, file:/opt/etc/grouper-loader.properties, file:/opt/etc/grouper-loader-pspng.properties

 

I'd drop the unciphered ldap.ADLdap.pass variable into a separate file in a separate folder and let the loader read that first, followed by the rest of grouper-loader.properties. This way, when we test ciphered LDAP loading creds again, we can reference the ciphered file in grouper-loader.properties with no additional changes.

 

Observations: It seems that while this configuration pans out in a loader-only scenario (i.e. apache, tomcat are not started), if I spin up a UI/WS only container, I get a bind error. If I drop the unciphered PW back into grouper-loader.properties and restart the container, calling the loader job from the UI returns the same result as calling it from a gsh session on the loader.

 

Question: Is there a significant difference in how the UI calls a loader job vs. how the daemon calls it?

 

 

 

--

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)



 

--

Jeffrey Williams, Identity Management Specialist
Identity Architecture, ITS
University of North Carolina at Greensboro
256-TECH (256-8324)
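Added example, not code from this thread or from Grouper itself: a small resolver that applies a loader.config.hierarchy the way the comment in grouper-loader.properties describes it (sources read left to right, later ones override earlier ones) and records which source last set each key, which sources could not be read, and whether the ldap.<profile>.url/user/pass trio is complete. It assumes a minimal java.util.Properties subset, constructed source contents mirroring the layout in the thread (the base-file default CHANGEME is made up), and a caller-supplied reader in place of real classpath:/file: access so it runs offline. The second run simulates one container in which the ext-conf file is unreadable; that is a hypothetical scenario used to show what the check reports, not a statement about the poster's setup.

```python
"""Resolve a Grouper-style loader.config.hierarchy and report provenance.

Added example, not Grouper code.  Assumptions: minimal java.util.Properties
parsing, constructed source contents, and a caller-supplied reader instead of
real classpath:/file: access (so the script runs offline)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Resolution:
    values: Dict[str, str] = field(default_factory=dict)   # effective key -> value
    origin: Dict[str, str] = field(default_factory=dict)   # key -> source that last set it
    unreadable: List[str] = field(default_factory=list)    # sources the reader could not supply


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties parser: blank lines and '#'/'!' lines are
    ignored, and the first '=' or ':' separates key from value.  A commented-out
    key therefore sets nothing, so it cannot override an earlier source."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue                       # bare key with no value: ignored here
        i = min(seps)
        out[line[:i].strip()] = line[i + 1:].strip()
    return out


def resolve_hierarchy(hierarchy: str,
                      read_source: Callable[[str], Optional[str]]) -> Resolution:
    """Apply the comma-separated sources left to right; later sources override
    earlier ones.  A source the reader cannot supply is recorded, not skipped silently."""
    res = Resolution()
    for spec in (s.strip() for s in hierarchy.split(",")):
        if not spec:
            continue
        text = read_source(spec)
        if text is None:
            res.unreadable.append(spec)
            continue
        for key, value in parse_properties(text).items():
            res.values[key] = value
            res.origin[key] = spec
    return res


def ldap_profile_problems(res: Resolution, profile: str) -> List[str]:
    """Defender-side check: every key a bind needs, plus any unreadable source.
    An empty list means the profile resolved completely."""
    problems = [f"unreadable source: {s}" for s in res.unreadable]
    for suffix in ("url", "user", "pass"):
        key = f"ldap.{profile}.{suffix}"
        if key not in res.values:
            problems.append(f"missing {key}")
    return problems


# Constructed sources mirroring the thread's layout; the base default is made up.
HIERARCHY = ("classpath:grouper-loader.base.properties, "
             "file:/opt/ext-conf/ldap.ADLdap.pass, "
             "classpath:grouper-loader.properties")

SOURCES = {
    "classpath:grouper-loader.base.properties":
        "# shipped defaults (constructed for this example)\nldap.ADLdap.pass = CHANGEME\n",
    "file:/opt/ext-conf/ldap.ADLdap.pass":
        "ldap.ADLdap.pass = secret\n",
    "classpath:grouper-loader.properties":
        "ldap.ADLdap.url = ldap://localhost:389\n"
        "ldap.ADLdap.user = cn=manager,dc=example,dc=edu\n"
        "#ldap.ADLdap.pass = /opt/ext-conf/ADLdap.pass\n",
}


def resolve_demo(missing: Optional[str] = None) -> Resolution:
    """Resolve the constructed hierarchy; `missing` names one source that the
    running container cannot read (hypothetical scenario for the demo)."""
    def reader(spec: str) -> Optional[str]:
        return None if spec == missing else SOURCES.get(spec)
    return resolve_hierarchy(HIERARCHY, reader)


if __name__ == "__main__":
    for missing in (None, "file:/opt/ext-conf/ldap.ADLdap.pass"):
        res = resolve_demo(missing)
        print(f"missing={missing!r}")
        for key in sorted(res.values):
            print(f"  {key} = {res.values[key]!r:<24} from {res.origin[key]}")
        print("  problems:", ldap_profile_problems(res, "ADLdap") or "none")
```

With every source readable the password comes from the ext-conf file and the commented-out line in grouper-loader.properties leaves it untouched; when the ext-conf file cannot be read, the value silently falls back to whatever the base file shipped and the only visible symptom at bind time would be a credential error, so printing the origin and the unreadable list per container is the first check to run when one container binds and another does not.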




Archive powered by MHonArc 2.6.19.
