
grouper-users - RE: [grouper-users] JEXL syntax with PSPNG filters

Subject: Grouper Users - Open Discussion List

  • From: "Coleman, Erik C" <>
  • To: "Hyzer, Chris" <>, "" <>
  • Subject: RE: [grouper-users] JEXL syntax with PSPNG filters
  • Date: Fri, 12 Jul 2019 19:57:04 +0000

Sorry for delay… yes sAMAccountName is an attribute for a subject. Here are excerpts of relevant settings from subject.properties:

subjectApi.source.uofinetid.param.SubjectID_AttributeType.value = uiucEduUIN
subjectApi.source.uofinetid.param.SubjectID_formatToLowerCase.value = false
subjectApi.source.uofinetid.param.subjectIdentifierAttribute0.value = sAMAccountName
subjectApi.source.uofinetid.attributes = givenName, sn, sAMAccountName, uiucEduUIN, mail, displayName, department, distinguishedName
subjectApi.source.uofinetid.internalAttributes = searchAttribute0

and grouper-loader.properties:

changeLog.consumer.uofi_urbana.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
changeLog.consumer.uofi_urbana.type = edu.internet2.middleware.grouper.pspng.LdapGroupProvisioner
changeLog.consumer.uofi_urbana.quartzCron = 0 * * * * ?
changeLog.consumer.uofi_urbana.ldapPoolName = uofildap
changeLog.consumer.uofi_urbana.isActiveDirectory = true
changeLog.consumer.uofi_urbana.memberAttributeName = member
changeLog.consumer.uofi_urbana.memberAttributeValueFormat = ${ldapUser.getDn()}
changeLog.consumer.uofi_urbana.groupSearchBaseDn = ou=AuthMan,ou=Urbana,dc=ad,dc=uillinois,dc=edu
changeLog.consumer.uofi_urbana.allGroupsSearchFilter = objectclass=group
changeLog.consumer.uofi_urbana.singleGroupSearchFilter = (&(objectclass=group)(cn=${group.name.substring(4).replace(":","-")}))
changeLog.consumer.uofi_urbana.groupCreationLdifTemplate = dn: cn=${group.name.substring(4).replace(":","-")}||cn: ${group.name.substring(4).replace(":","-")}||objectclass: group||description: ${group.description}
changeLog.consumer.uofi_urbana.groupCreationBaseDn = ou=AuthMan,ou=Urbana,dc=ad,dc=uillinois,dc=edu
changeLog.consumer.uofi_urbana.needsTargetSystemUsers = true
changeLog.consumer.uofi_urbana.userSearchBaseDn = dc=ad,dc=uillinois,dc=edu
changeLog.consumer.uofi_urbana.userSearchFilter = sAMAccountName=${subject.getAttributeValue('sAMAccountName')}
changeLog.consumer.uofi_urbana.userSearchAttributes = cn,distinguishedName,uiucEduUIN,displayName,sAMAccountName,objectClass
changeLog.consumer.uofi_urbana.grouperIsAuthoritative = true

Thanks!

-Erik

From: Hyzer, Chris <>
Sent: Thursday, July 11, 2019 7:44 AM
To: Coleman, Erik C <>;
Subject: RE: JEXL syntax with PSPNG filters

Is samaccountname an attribute for a subject? I assume so.

Want to share sanitized subject.properties part for this source, and the grouper-loader.properties part for the pspng?

Thanks
Chris

From: <> On Behalf Of Coleman, Erik C
Sent: Wednesday, July 10, 2019 4:22 PM
To:
Subject: [grouper-users] JEXL syntax with PSPNG filters

Hi all,

Some of you may have seen my post over on the Slack channel, but I have not been able to resolve this, so I’m casting to a wider audience. I have our PSP-NG configuration set to match users to be placed in LDAP groups using a filter as follows in grouper-loader.properties:

changeLog.consumer.uofi_urbana.userSearchFilter = samaccountname=${subject.getAttributeValue('samaccountname')}
changeLog.consumer.uofi_urbana.userSearchAttributes = cn,distinguishedName,uiucEduUIN,displayName,samaccountname,objectClass

This filter was working, but somewhere along the line (I’m still trying to track down a patch/date where this changed) it seems to be failing the JEXL parsing when trying to resolve subjects; now I get the exception stack shown at the end of this message.

I was able to use a filter that matches our UIN (an immutable ID) with ${subject.id} without error; however, that isn’t ideal because we have some accounts (such as app service accounts) that don’t have UINs. I’d like to be able to match on the subject Identifier (not the ID), as the AD attribute “samaccountname” is used as the subject Identifier and is guaranteed to be unique within the LDAP, but apparently something is awry with the JEXL parsing. Does anyone have some ideas or tricks?

Thanks,
Erik Coleman

--------------------------

Dump of exception:

grouper-daemon;grouper_daemon.log;aws-prod;617683844790;2019-06-19 11:09:36,980: [FullSyncer(uofi_urbana)-Thread] INFO ProgressMonitor.<init>(36) - - Fetching subjects Started: TotalWorkExpected=9
grouper-daemon;grouper_daemon.log;aws-prod;617683844790;2019-06-19 11:09:36,980: [TSUserFetcher-uofi_urbana-full-1] DEBUG LdapProvisioner.fetchTargetSystemUsers(200) - - Fetching 9 users from target system
grouper-daemon;grouper_daemon.log;aws-prod;617683844790;2019-06-19 11:09:36,981: [TSUserFetcher-uofi_urbana-full-1] ERROR Provisioner.evaluateJexlExpression(746) - - Jexl expression UserSearchFilter 'samaccountname=${edu.internet2.middleware.subject.getAttributeValue('samaccountname')}' could not be evaluated for subject ''650772210'/'person'/'uofinetid'/null' and group 'null/null' which used variableMap '{userSearchBaseDn=dc=ad,dc=uillinois,dc=edu, provisionerType=LdapGroupProvisioner, groupCreationBaseDn=ou=AuthMan,ou=Urbana,dc=ad,dc=uillinois,dc=edu, , subject='650772210'/'person'/'uofinetid', provisionerName=uofi_urbana, groupSearchBaseDn=ou=AuthMan,ou=Urbana,dc=ad,dc=uillinois,dc=edu}'
java.lang.RuntimeException: Error substituting string: '${edu.internet2.middleware.subject.getAttributeValue('samaccountname')}'
    at edu.internet2.middleware.grouper.util.GrouperUtil.substituteExpressionLanguage(GrouperUtil.java:9401)
    at edu.internet2.middleware.grouper.pspng.Provisioner.evaluateJexlExpression(Provisioner.java:702)
    at edu.internet2.middleware.grouper.pspng.LdapProvisioner.getUserLdapFilter(LdapProvisioner.java:283)
    at edu.internet2.middleware.grouper.pspng.LdapProvisioner.fetchTargetSystemUsers(LdapProvisioner.java:211)
    at edu.internet2.middleware.grouper.pspng.Provisioner$2.call(Provisioner.java:847)
    at edu.internet2.middleware.grouper.pspng.Provisioner$2.call(Provisioner.java:841)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.commons.jexl2.JexlException: ]: 'edu.internet2.middleware.subject.getAttributeValue('samaccountname');' method invocation error
    at org.apache.commons.jexl2.Interpreter.call(Interpreter.java:1076)
    at org.apache.commons.jexl2.Interpreter.visit(Interpreter.java:1100)
    at org.apache.commons.jexl2.parser.ASTMethodNode.jjtAccept(ASTMethodNode.java:18)
    at org.apache.commons.jexl2.Interpreter.visit(Interpreter.java:1317)
    at org.apache.commons.jexl2.parser.ASTReference.jjtAccept(ASTReference.java:18)
    at org.apache.commons.jexl2.Interpreter.interpret(Interpreter.java:232)
    at org.apache.commons.jexl2.ExpressionImpl.evaluate(ExpressionImpl.java:65)
    at edu.internet2.middleware.grouper.util.GrouperUtil.substituteExpressionLanguage(GrouperUtil.java:9352)
    ... 9 more
Caused by: java.lang.IllegalStateException: There is no open GrouperSession detected. Make sure to start a grouper session (e.g. GrouperSession.startRootSession() if you want to use a root session ) before calling this method
    at edu.internet2.middleware.grouper.GrouperSession.staticGrouperSession(GrouperSession.java:1150)
    at edu.internet2.middleware.grouper.GrouperSession.staticGrouperSession(GrouperSession.java:1098)
    at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.find(SourcesXmlResolver.java:316)
    at edu.internet2.middleware.grouper.subj.CachingResolver.find(CachingResolver.java:143)
    at edu.internet2.middleware.grouper.subj.ValidatingResolver.find(ValidatingResolver.java:105)
    at edu.internet2.middleware.grouper.SubjectFinder.findByIdAndSource(SubjectFinder.java:504)
    at edu.internet2.middleware.grouper.subj.LazySubject.getSubject(LazySubject.java:215)
    at edu.internet2.middleware.grouper.subj.LazySubject.getAttributeValue(LazySubject.java:139)
    at sun.reflect.GeneratedMethodAccessor985.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.commons.jexl2.internal.MethodExecutor.execute(MethodExecutor.java:64)
    at org.apache.commons.jexl2.internal.AbstractExecutor$Method.invoke(AbstractExecutor.java:327)
    at org.apache.commons.jexl2.Interpreter.call(Interpreter.java:1068)
    ... 16 more
grouper-daemon;grouper_daemon.log;aws-prod;617683844790;2019-06-19 11:09:36,981: [TSUserFetcher-uofi_urbana-full-1] WARN Provisioner$2.call(849) - - Batch-fetching subject information failed. Trying fetching information for each subject individually
edu.internet2.middleware.grouper.pspng.PspException: Jexl evaluation failed: Error substituting string: '${edu.internet2.middleware.subject.getAttributeValue('samaccountname')}'
    at edu.internet2.middleware.grouper.pspng.Provisioner.evaluateJexlExpression(Provisioner.java:751)
    at edu.internet2.middleware.grouper.pspng.LdapProvisioner.getUserLdapFilter(LdapProvisioner.java:283)
    at edu.internet2.middleware.grouper.pspng.LdapProvisioner.fetchTargetSystemUsers(LdapProvisioner.java:211)
    at edu.internet2.middleware.grouper.pspng.Provisioner$2.call(Provisioner.java:847)
    at edu.internet2.middleware.grouper.pspng.Provisioner$2.call(Provisioner.java:841)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
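
The userSearchFilter and singleGroupSearchFilter templates in the configuration above place Grouper data into an LDAP filter string. The following is an added Python illustration (not part of the thread and not Grouper or PSPNG code) of the string those templates are meant to produce, with RFC 4515 escaping of the substituted value and a guard for a subject that has no value for the attribute. The dict-based subject, the function names and the sample values are assumptions; the thread does not say whether PSPNG escapes substituted values itself.

```python
# Added illustration; not Grouper/PSPNG code. Models only the string that the
# userSearchFilter and singleGroupSearchFilter templates are meant to produce.

# RFC 4515: these characters are written as \XX inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(subject_attrs: dict, attr: str = "sAMAccountName") -> str:
    """Equivalent of: sAMAccountName=${subject.getAttributeValue('sAMAccountName')}

    subject_attrs is a hypothetical stand-in for a resolved subject's attributes.
    """
    # LDAP attribute names are case-insensitive, so accept either spelling.
    by_lower = {name.lower(): val for name, val in subject_attrs.items()}
    value = by_lower.get(attr.lower())
    if value is None or not str(value).strip():
        # An empty value would yield "sAMAccountName=", not the intended lookup.
        raise ValueError(f"subject has no usable {attr}; not building a filter")
    return f"{attr}={escape_filter_value(str(value))}"


def single_group_filter(group_name: str) -> str:
    """Equivalent of: (&(objectclass=group)(cn=${group.name.substring(4).replace(":","-")}))"""
    cn = group_name[4:].replace(":", "-")
    return f"(&(objectclass=group)(cn={escape_filter_value(cn)}))"


# Constructed sample data (not taken from the thread).
SAMPLE_SUBJECT = {"sAMAccountName": "svc-app01", "displayName": "App Service"}
SAMPLE_GROUP = "org:dept:staff"

if __name__ == "__main__":
    print(user_search_filter(SAMPLE_SUBJECT))
    print(single_group_filter(SAMPLE_GROUP))
```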

 



