Grouper / GRP-1354

example of ldap loader resolving people or groups


Details

    • Type: Task
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.0, 2.3.1
    • Component/s: grouperLoader
    • Labels: None

    Description

      [grouper-users] loading nested groups from an LDAP source

      Rob Gorrell <rwgorrel@uncg.edu>
      Today 2:43 PM
      Correct. Here is a DN for a user, JNWHITWO, that was in my original example:

      member: CN=JNWHITWO,OU=Users,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu
      Hyzer, Chris
      Wed 8/3/2016 2:40 PM
      So if I start at uncg, and I ignore “campus”, and I put everything else in there, then I'm good, right? :) Please send me the DN for a user, and I will see what I can do. Thanks, Chris
      From: Rob Gorrell rwgorrel@uncg.edu Sent: Wednesday, August 03, 2016
      Rob Gorrell <rwgorrel@uncg.edu>
      Wed 8/3/2016 2:24 PM
      So take the following member of the ITS-23101-SYN-Infrastructure_Architecture group:
      member: CN=ITS-23101-SYN-Identity_Architecture,OU=Groups,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu
      Hyzer, Chris
      Fri 7/29/2016 11:06 PM
      For one of the groups, what is the full ID path? I.e. can it be translated from the DN? Or is the extension unique and it can be looked up by only extension? Thanks, Chris
      Rob Gorrell <rwgorrel@uncg.edu>
      Fri 7/29/2016 11:05 AM
      Here is an example LDIF of one of the AD groups that gets loaded.... you'll notice the first 5 values of the 'member' field are references to other groups while the last value is a reference to a user. Grouper loader only resolves that user member as a subject, but
      Rob Gorrell <rwgorrel@uncg.edu>
      Fri 7/29/2016 10:36 AM
      I removed the attribute altogether, and while the loader job still ran unaffected, it inserted no new memberships... and going to check the groups confirmed, all the right user members were there, but no (nested) group members. -Rob
      Hyzer, Chris
      Thu 7/28/2016 5:00 PM
      Can you please remove the attribute (or blank it out), and try it? Grouper loader LDAP source ID Since you are using subject ID type of subjectIdentifier it should resolve the grouper group system name which is the last part of the DN and then find it as the
      Hyzer, Chris
      Mon 7/25/2016 12:46 PM
      Have you connected to the cmu public ldap? Can you tell if there are nested groups there? ldap.andrew.cmu.edu Thanks, Chris
      Rob Gorrell <rwgorrel@uncg.edu>
      Mon 7/25/2016 11:59 AM
      Oh gosh... I'll have to think on that... it's a logistical nightmare since we don't let LDAP leave our campus and push all external auth on SSO. I'm assuming what I'm asking about would pertain to any LDAP directory as don't all LDAP instances support "group
      Hyzer, Chris
      Mon 7/25/2016 11:49 AM
      I'm not sure we have done that before. Is there any way to get me temporarily a login and access to your AD so I can make it work? Otherwise I need to figure out how I can get an AD environment that I can work with to set this up and make it work… Thanks, Chris
      Rob Gorrell <rwgorrel@uncg.edu>
      Mon 7/25/2016 11:45 AM
      Yes, I want the group to stay the member... not normalize/flatten all the memberships into a grouper group. The same group names that are in AD exist in grouper; the Loader needs only to look them up against Grouper's internal source, not my uncg-person source
      Hyzer, Chris
      Mon 7/25/2016 11:27 AM
      Just to clarify, do you want the group that is a member of the group in ldap to cause grouper to find that group and add to the group in grouper? Or you want to find all the members of the groups and subgroups etc and just add the members to the group? Thanks
      Rob Gorrell <rwgorrel@uncg.edu>
      Mon 7/25
      Yea... I don't think there is anything that really needs to be sanitized below...

      Grouper loader LDAP filter: (&(objectClass=group)(cn=ITS-23101-)(description=Org Chart Group))
      Grouper loader LDAP quartz cron: 0 13 3-23 * * ?
      Grouper loader LDAP subject attribute name: member
      Grouper loader LDAP subject ID type: subjectIdentifier
      Grouper loader LDAP extra attributes: cn
      Grouper loader LDAP server ID: campusLdap
      Grouper loader LDAP source ID: uncg-person
      Grouper loader LDAP group name expression: uncg:facstaff:ITS-23101:${groupAttributes['cn']}
      Grouper loader LDAP type: LDAP_GROUP_LIST
      Grouper loader LDAP subject expression: ${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}
      Grouper loader LDAP search base DN: OU=Groups,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF
      Hyzer, Chris
      Mon 7/25/2016 11:08 AM
      Can you send me the sanitized config attributes and values for the job? You don’t have to cc the list :) Thanks, Chris
      grouper-users-request@internet2.edu on behalf of Rob Gorrell <rwgorrel@uncg.edu>
      Mon 7/25
      grouper-users@internet2.edu
      I currently have an LDAP_GROUP_LIST loader job pulling groups from an Active Directory source. In AD, we use a lot of group nesting (group of groups). When the loader job executes, it only loads those user objects with direct memberships to each group skipping over any group objects that are also direct members. What I would like it to do is resolve each group member in Grouper's internal source so that the group nesting copies over to grouper. Grouper has all these groups, but apparently the memberships aren't being resolved as it would seem the only subject source being used is my one that contains people (uncg-person).

      -Rob


      Robert W. Gorrell
      Systems Architect, Identity and Access Management
      University of NC at Greensboro
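      The thread turns on one question: given a `member` DN, can the loader tell a person from a nested group, and can a group DN be turned into the Grouper group path (here `uncg:facstaff:ITS-23101:<cn>`, from the job's group name expression)? The script below is an added illustration written for this page; it is not Grouper code and not anything Rob or Chris posted. It assumes the container convention visible in the two quoted DNs (people under `OU=Users`, groups under `OU=Groups`), assumes the stem `uncg:facstaff:ITS-23101` from the config above, and assumes that `convertDnToSpecificValue` hands the subject source the leftmost RDN value; the sample member list in `__main__` is constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample DNs modelled on the two quoted in the thread (one user, one nested group).
USER_DN = (
    "CN=JNWHITWO,OU=Users,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,"
    "OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,"
    "OU=FACSTAFF,DC=campus,DC=uncg,DC=edu"
)
GROUP_DN = (
    "CN=ITS-23101-SYN-Identity_Architecture,OU=Groups,OU=ITS-23101,"
    "OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,"
    "OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu"
)

# Assumed Grouper stem: the job's group name expression in the config above is
# uncg:facstaff:ITS-23101:${groupAttributes['cn']}, so a nested AD group lands here.
GROUP_STEM = "uncg:facstaff:ITS-23101"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs, leftmost first.

    Commas escaped as "\\," stay inside the value (AD allows "CN=Doe\\, Jane").
    """
    rdns: List[Tuple[str, str]] = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.replace("\\,", ",")))
    return rdns


def first_rdn_value(dn: str) -> str:
    """Leftmost RDN value (the CN here). Assumption: this is what the subject
    expression ${loaderLdapElUtils.convertDnToSpecificValue(subjectId)} passes
    to the subject source as the subjectIdentifier."""
    return parse_dn(dn)[0][1]


def classify_member(dn: str) -> Tuple[str, str]:
    """Decide from the DN's containers whether a 'member' value is a person or a group.

    Assumed convention, taken from the sample DNs: people sit under OU=Users and
    groups under OU=Groups. Returns (kind, identifier): the subjectIdentifier for
    a person, the Grouper group name for a group, the bare CN if neither matches.
    """
    rdns = parse_dn(dn)
    cn = rdns[0][1]
    containers = {value.lower() for attr, value in rdns if attr == "OU"}
    if "groups" in containers:
        return ("group", f"{GROUP_STEM}:{cn}")
    if "users" in containers:
        return ("person", cn)
    return ("unknown", cn)


def resolve_members(member_values: List[str]) -> Dict[str, List[str]]:
    """Bucket a group's 'member' values the way the thread asks the loader to:
    people go to the person source, groups to Grouper's internal group source,
    and anything else is reported rather than silently dropped."""
    buckets: Dict[str, List[str]] = {"people": [], "groups": [], "unresolved": []}
    for dn in member_values:
        kind, ident = classify_member(dn)
        key = {"person": "people", "group": "groups"}.get(kind, "unresolved")
        buckets[key].append(ident)
    return buckets


if __name__ == "__main__":
    # Constructed member list in the shape Rob describes: nested groups first, then a user.
    sample_members = [
        GROUP_DN,
        "CN=ITS-23101-SYN-Network_Architecture,OU=Groups,OU=ITS-23101,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu",
        USER_DN,
    ]
    for kind, members in resolve_members(sample_members).items():
        print(kind, members)
```

      The "unresolved" bucket is the point worth keeping: a member whose DN matches neither container is exactly the case that, in the job as configured, vanishes without a trace, because the only source consulted is uncg-person and a group CN does not exist there. Logging those DNs during a loader run makes the silent drop Rob describes visible.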

      People

        Assignee: chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)
        Reporter: chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)