

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] Error querying ldap server id: nonPersonLdap, searchDn: ou=Special Users,dc=rutgers,dc=edu, filter using GrouperJndiSourceAdapter


  • From: Julio Polo <>
  • To: Siju Jacob <>
  • Cc: " Mailing List" <>
  • Subject: Re: [grouper-users] Error querying ldap server id: nonPersonLdap, searchDn: ou=Special Users,dc=rutgers,dc=edu, filter using GrouperJndiSourceAdapter
  • Date: Wed, 24 Jul 2019 11:44:48 -1000

We recently had a similar problem.  Check your LDAP server logs and see what validation operations are being attempted by Grouper.  In our case, those validation queries didn't work because our LDAP account didn't have the permissions for it (even though it did have permissions to get subject data).

After fiddling with changing the LDAP account permissions and getting some things to work, we opted instead to change the Grouper LDAP validator property from SearchValidator to CompareLdapValidator.  We also had to finesse the other validation properties so that it would result in success. I think the file we changed was grouper-loader.properties, and the settings we changed were:

# validator setup, currently supports CompareLdapValidator and SearchValidator. additional properties below for CompareLdapValidator.
# {valueType: "string", regex: "^ldap\\.([^.]+)\\.validator$"}
#ldap.personLdap.validator = SearchValidator

# validator setup, currently supports CompareLdapValidator and SearchValidator. additional properties below for CompareLdapValidator.
# {valueType: "string", regex: "^ldap\\.([^.]+)\\.validatorCompareDn$"}
#ldap.personLdap.validatorCompareDn = ou=people,dc=example,dc=com

# validator setup, currently supports CompareLdapValidator and SearchValidator. additional properties below for CompareLdapValidator.
# {valueType: "string", regex: "^ldap\\.([^.]+)\\.validatorCompareAttribute$"}
#ldap.personLdap.validatorCompareAttribute = ou

# validator setup, currently supports CompareLdapValidator and SearchValidator. additional properties below for CompareLdapValidator.
# {valueType: "string", regex: "^ldap\\.([^.]+)\\.validatorCompareValue$"}
#ldap.personLdap.validatorCompareValue = people

The key to our debugging the issue was looking at our LDAP server logs and separately attempting those LDAP operations using the Grouper LDAP account, then seeing whether that returned any entries (for SearchValidator) or a result code (I think, for CompareLdapValidator).

-julio

Julio Polo
Enterprise Middleware, Identity and Access Management
University of Hawaii

On Wed, Jul 24, 2019 at 10:49 AM Siju Jacob <> wrote:

Hi Team,

We are upgrading from Grouper 2.3 to Grouper 2.4.

I am having trouble connecting to LDAP using GrouperJndiSourceAdapter in subject.properties:

subjectApi.source.ldap_servicedn.adapterClass = edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter

It works fine with LdapSourceAdapterLegacy:

subjectApi.source.ldap_servicedn.adapterClass = edu.internet2.middleware.subject.provider.LdapSourceAdapterLegacy

Below is the exception I get with GrouperJndiSourceAdapter when the server starts up:

subject.properties jdbc source id:   jdbc: GrouperJdbcConnectionProvider
subject.properties ldap source id:   ldap_servicedn: nonPersonLdap
24-Jul-2019 16:41:22.399 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive C:\opt\grouper\apache-tomcat-8.5.12\webapps\grouper-ws.war has finished in 27,164 ms
24-Jul-2019 16:41:22.405 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [http-nio-8080]
24-Jul-2019 16:41:22.413 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [ajp-nio-8009]
24-Jul-2019 16:41:22.417 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 27215 ms
Subject API error: error with subject source id: ldap_servicedn, name: Service Dns from LDAP, problem with getSubject by id, in subject.properties: search searchSubject: , edu.internet2.middleware.subject.SourceUnavailableException: Ldap Exception: Could not initialize pool,
Problem with ldap conection: nonPersonLdap,
Error querying ldap server id: nonPersonLdap, searchDn: ou=Special Users,dc=rutgers,dc=edu, filter: '(& (uid=grouperTestSubjectByIdOnStartupASDFGHJ))', returning attributes: [Ljava.lang.String;@67955775
        at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapResultsHelper(LdapSourceAdapter.java:541)
        at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapResults(LdapSourceAdapter.java:433)
        at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapUnique(LdapSourceAdapter.java:562)
        at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getSubject(LdapSourceAdapter.java:189)
        at edu.internet2.middleware.subject.SubjectCheckConfig.checkConfig(SubjectCheckConfig.java:114)
        at edu.internet2.middleware.grouper.misc.GrouperCheckConfig$1.callback(GrouperCheckConfig.java:530)
        at edu.internet2.middleware.grouper.GrouperSession.callbackGrouperSession(GrouperSession.java:974)
        at edu.internet2.middleware.grouper.misc.GrouperCheckConfig.checkConfig(GrouperCheckConfig.java:526)
        at edu.internet2.middleware.grouper.misc.GrouperStartup.startup(GrouperStartup.java:313)
        at edu.internet2.middleware.grouper.subj.SubjectResolverFactory.getInstance(SubjectResolverFactory.java:58)
        at edu.internet2.middleware.grouper.SubjectFinder.getResolver(SubjectFinder.java:928)
        at edu.internet2.middleware.grouper.SubjectFinder.findRootSubject(SubjectFinder.java:913)
        at edu.internet2.middleware.grouper.GrouperSession.startRootSession(GrouperSession.java:427)
        at edu.internet2.middleware.grouper.instrumentation.InstrumentationThread$1.run(InstrumentationThread.java:69)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: Could not initialize pool,
Problem with ldap conection: nonPersonLdap,
Error querying ldap server id: nonPersonLdap, searchDn: ou=Special Users,dc=rutgers,dc=edu, filter: '(& (uid=grouperTestSubjectByIdOnStartupASDFGHJ))', returning attributes: [Ljava.lang.String;@67955775
        at edu.vt.middleware.ldap.pool.AbstractLdapPool.initializePool(AbstractLdapPool.java:173)
        at edu.vt.middleware.ldap.pool.AbstractLdapPool.initialize(AbstractLdapPool.java:128)
        at edu.internet2.middleware.grouper.ldap.vtldap.VTLdapSessionImpl.blockingLdapPool(VTLdapSessionImpl.java:240)
        at edu.internet2.middleware.grouper.ldap.vtldap.VTLdapSessionImpl.callbackLdapSession(VTLdapSessionImpl.java:263)
        at edu.internet2.middleware.grouper.ldap.vtldap.VTLdapSessionImpl.list(VTLdapSessionImpl.java:475)
        at edu.internet2.middleware.subject.provider.LdapSourceAdapter.getLdapResultsHelper(LdapSourceAdapter.java:538)
        ... 16 more


Below is the entry from my grouper-loader.properties:

ldap.nonPersonLdap.url="ldaps://test-ldap.rutgers.edu:636/dc=rutgers,dc=edu,ou=Special Users
ldap.nonPersonLdap.user = uid=XXXXX-authentication,ou=Special Users,dc=rutgers,dc=edu
ldap.nonPersonLdap.pass = xxxxxxxxxxxxxxxxxx

===========================================================================================================


Below is the entry from my subject.properties:

#########################################
## Configuration for source id: ldap-servicedn
## Source configName: ldap_servicedn
#########################################
subjectApi.source.ldap_servicedn.id = ldap_servicedn

# this is a friendly name for the source
subjectApi.source.ldap_servicedn.name = Service Dns from LDAP

# type is not used all that much.  Can have multiple types, comma separated.  Can be person, group, application
subjectApi.source.ldap_servicedn.types = person

subjectApi.source.ldap_servicedn.param.ldapServerId.value=nonPersonLdap

# the adapter class implements the interface: edu.internet2.middleware.subject.Source
# adapter class must extend: edu.internet2.middleware.subject.provider.BaseSourceAdapter
# edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter2  :  if doing JDBC this should be used if possible.  All subject data in one table/view.
# edu.internet2.middleware.grouper.subj.GrouperJdbcSourceAdapter   :  oldest JDBC source.  Put freeform queries in here
# edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter   :  used for LDAP
subjectApi.source.ldap_servicedn.adapterClass = edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter

# e.g. com.sun.jndi.ldap.LdapCtxFactory
subjectApi.source.ldap_servicedn.param.INITIAL_CONTEXT_FACTORY.value = com.sun.jndi.ldap.LdapCtxFactory

# e.g. ldap://localhost:389
subjectApi.source.ldap_servicedn.param.PROVIDER_URL.value = ldaps://test-ldap.rutgers.edu:636

# e.g. simple, none, sasl_mech
subjectApi.source.ldap_servicedn.param.SECURITY_AUTHENTICATION.value = simple

# e.g. cn=Manager,dc=example,dc=edu
subjectApi.source.ldap_servicedn.param.SECURITY_PRINCIPAL.value = uid=xxxxxxxxxxxx,ou=Special Users,dc=rutgers,dc=edu

# can be a password or a filename of the encrypted password
subjectApi.source.ldap_servicedn.param.SECURITY_CREDENTIALS.value = xxxxxxxxxxxxxxxxxxxxxxxx

# ldap attribute which is the subject id.  e.g. exampleEduRegID   Each subject has one and only one subject id.  Generally it is opaque and permanent.
subjectApi.source.ldap_servicedn.param.SubjectID_AttributeType.value = uid

# if the subject id should be changed to lower case after reading from datastore.  true or false
subjectApi.source.ldap_servicedn.param.SubjectID_formatToLowerCase.value = false

# attribute which is the subject name
subjectApi.source.ldap_servicedn.param.Name_AttributeType.value = cn

# attribute which is the subject description
subjectApi.source.ldap_servicedn.param.Description_AttributeType.value = ou

# This virtual attribute index 0 is accessible via: subject.getAttributeValue("searchAttribute0");
subjectApi.source.ldap_servicedn.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('exampleEduRegId'), "")}

# the 1st sort attribute for lists on screen that are derived from member table (e.g. search for member in group)
# you can have up to 5 sort attributes
subjectApi.source.ldap_servicedn.param.sortAttribute0.value = cn

# the 1st search attribute for lists on screen that are derived from member table (e.g. search for member in group)
# you can have up to 5 search attributes
subjectApi.source.ldap_servicedn.param.searchAttribute0.value = searchAttribute0

#searchSubject: find a subject by ID.  ID is generally an opaque and permanent identifier, e.g. 12345678.
#  Each subject has one and only one ID.  Returns one result when searching for one ID.

# filter to search for the subject by id.  %TERM% will be substituted by the id searched for
subjectApi.source.ldap_servicedn.search.searchSubject.param.filter.value = (& (uid=%TERM%))

# Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
subjectApi.source.ldap_servicedn.search.searchSubject.param.scope.value = SUBTREE_SCOPE

# base dn to search in
subjectApi.source.ldap_servicedn.search.searchSubject.param.base.value = ou=Special Users,dc=rutgers,dc=edu

#searchSubjectByIdentifier: find a subject by identifier.  Identifier is anything that uniquely
#  identifies the user, e.g. jsmith or .
#  Subjects can have multiple identifiers.  Note: it is nice to have if identifiers are unique
#  even across sources.  Returns one result when searching for one identifier.

# filter to search for the subject by identifier.  %TERM% will be substituted by the identifier searched for
subjectApi.source.ldap_servicedn.search.searchSubjectByIdentifier.param.filter.value = (& (uid=%TERM%))

# Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
subjectApi.source.ldap_servicedn.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE

# base dn to search in
subjectApi.source.ldap_servicedn.search.searchSubjectByIdentifier.param.base.value = ou=Special Users,dc=rutgers,dc=edu

#   search: find subjects by free form search.  Returns multiple results.

# filter to search for the subject by free form search.  %TERM% will be substituted by the text searched for
subjectApi.source.ldap_servicedn.search.search.param.filter.value = (& (|(|(uid=%TERM%)(cn=*%TERM%*))))

# Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
subjectApi.source.ldap_servicedn.search.search.param.scope.value = SUBTREE_SCOPE

# base dn to search in
subjectApi.source.ldap_servicedn.search.search.param.base.value = ou=Special Users,dc=rutgers,dc=edu

# attributes from ldap object to become subject attributes.  comma separated
subjectApi.source.ldap_servicedn.attributes = cn, sn, uid, ou

# internal attributes are used by grouper only, not exposed to code that uses subjects.  comma separated
subjectApi.source.ldap_servicedn.internalAttributes = searchAttribute0

==========================================================================================================


Thanks,

Siju Jacob
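Julio's advice above comes down to two things: read the ldap.<serverId>.* settings, then try the validator's LDAP operation by hand as the Grouper service account to see whether the account actually has the permission. The script below is an added example, not Grouper code and not from either poster: it parses a grouper-loader.properties fragment in the shape quoted in this thread and, for each LDAP server id, emits the OpenLDAP ldapsearch or ldapcompare command that exercises the same permission, with the result a working validator needs. The sample properties, host names, DNs and service account are constructed placeholders; assuming SearchValidator when ldap.<id>.validator is unset is labelled as an assumption in the code, and the exact search Grouper's SearchValidator issues should be taken from the LDAP server log as Julio says.

```python
"""Turn Grouper's ldap.<serverId>.* settings into LDAP checks to run by hand.

Added example, not Grouper code: per LDAP server id it prints the ldapsearch
or ldapcompare command to run as the Grouper service account, so a defender
can confirm the validator's permission before touching the Grouper config.
"""
import re
import shlex

# Constructed sample in the shape quoted in the thread; hosts, DNs and the
# service account are placeholders, not any site's real values.
SAMPLE_PROPERTIES = """\
ldap.nonPersonLdap.url = ldaps://ldap.example.edu:636/ou=Special Users,dc=example,dc=edu
ldap.nonPersonLdap.user = uid=grouper-svc,ou=Special Users,dc=example,dc=edu
ldap.nonPersonLdap.pass = PLACEHOLDER
ldap.nonPersonLdap.validator = CompareLdapValidator
ldap.nonPersonLdap.validatorCompareDn = ou=Special Users,dc=example,dc=edu
ldap.nonPersonLdap.validatorCompareAttribute = ou
ldap.nonPersonLdap.validatorCompareValue = Special Users

# personLdap sets no validator, so the SearchValidator case is exercised too
ldap.personLdap.url = ldap://ldap.example.edu:389/dc=example,dc=edu
ldap.personLdap.user = uid=grouper-svc,ou=people,dc=example,dc=edu
ldap.personLdap.pass = PLACEHOLDER
"""

COMPARE_KEYS = ("validatorCompareDn", "validatorCompareAttribute", "validatorCompareValue")


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def ldap_servers(props):
    """Group ldap.<id>.<setting> keys by server id (the regex the property comments use)."""
    servers = {}
    for key, value in props.items():
        m = re.match(r"^ldap\.([^.]+)\.(.+)$", key)
        if m:
            servers.setdefault(m.group(1), {})[m.group(2)] = value
    return servers


def lint_values(props):
    """Java .properties values are never quoted: a quote character becomes part of the value."""
    return [f"{k}: value contains a quote character, which LDAP will receive literally"
            for k, v in props.items() if '"' in v or "'" in v]


def validation_check(server_id, cfg):
    """Return (validator, shell command, what a good result looks like) for one server."""
    # Assumption: SearchValidator applies when ldap.<id>.validator is unset
    # (it is the commented-out sample value in the properties file).
    validator = cfg.get("validator", "SearchValidator")
    url = cfg.get("url", "")
    parts = url.split("/", 3)                    # 'scheme:', '', 'host:port', 'base DN'
    server_url = "/".join(parts[:3])
    base_dn = parts[3] if len(parts) == 4 else ""
    bind_dn = cfg.get("user", "")
    if validator == "CompareLdapValidator":
        missing = [k for k in COMPARE_KEYS if k not in cfg]
        if missing:
            raise ValueError(f"ldap.{server_id}: CompareLdapValidator needs {missing}")
        cmd = ["ldapcompare", "-H", server_url, "-D", bind_dn, "-W",
               cfg["validatorCompareDn"],
               f"{cfg['validatorCompareAttribute']}:{cfg['validatorCompareValue']}"]
        expect = ("exit status 6 (TRUE) is what the validator needs; 5 (FALSE) means the "
                  "value is wrong, anything else is a bind, ACL or connectivity problem")
    else:
        # The exact search Grouper's SearchValidator issues is what the LDAP server log
        # shows; a base-scope search on the URL's base DN is the permission it rests on.
        cmd = ["ldapsearch", "-H", server_url, "-D", bind_dn, "-W", "-b", base_dn,
               "-s", "base", "(objectClass=*)", "1.1"]
        expect = ("at least one entry returned; 'success' with zero entries usually means "
                  "the bind account cannot read the base DN")
    return validator, shlex.join(cmd), expect


def validation_checks(text):
    """All checks for a properties file, keyed by ldap server id."""
    props = parse_properties(text)
    return {sid: validation_check(sid, cfg) for sid, cfg in ldap_servers(props).items()}


if __name__ == "__main__":
    for warning in lint_values(parse_properties(SAMPLE_PROPERTIES)):
        print("warning:", warning)
    for sid, (validator, cmd, expect) in validation_checks(SAMPLE_PROPERTIES).items():
        print(f"[{sid}] {validator}\n  {cmd}\n  expect: {expect}")
```

Run it against the real file with `python3 script.py` after swapping SAMPLE_PROPERTIES for the file's contents, then paste each printed command into a shell on a host that can reach the directory; `-W` prompts for the service account password so it never sits in the shell history. Comparing the printed operation with what the LDAP server log shows when Grouper starts is the quickest way to tell whether the failure is the account's ACL (bind works, operation is refused) or the connection itself (no bind logged at all).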
