Details
Type: Task
Resolution: Fixed
Priority: Minor
Description
[grouper-users] loading nested groups from an LDAP source
Rob Gorrell <rwgorrel@uncg.edu>
Today 2:43 PM
Correct. Here is a DN for a user, JNWHITWO, that was in my original example:
member: CN=JNWHITWO,OU=Users,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu
Hyzer, Chris
Wed 8/3/2016 2:40 PM
So if I start at uncg, and I ignore “campus”, and I put everything else in there, then I'm good, right? Please send me the DN for a user, and I will see what I can do. Thanks, Chris
From: Rob Gorrell rwgorrel@uncg.edu Sent: Wednesday, August 03, 2016
Rob Gorrell <rwgorrel@uncg.edu>
Wed 8/3/2016 2:24 PM
So take the following member of the ITS-23101-SYN-Infrastructure_Architecture group:
member: CN=ITS-23101-SYN-Identity_Architecture,OU=Groups,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF,DC=campus,DC=uncg,DC=edu
Hyzer, Chris
Fri 7/29/2016 11:06 PM
For one of the groups, what is the full ID path? I.e., can it be translated from the DN? Or is the extension unique and it can be looked up by only the extension? Thanks, Chris
Rob Gorrell <rwgorrel@uncg.edu>
Fri 7/29/2016 11:05 AM
Here is an example LDIF of one of the AD groups that gets loaded.... you'll notice the first 5 values of the 'member' field are references to other groups while the last value is a reference to a user. Grouper loader only resolves that user member as a subject, but
Rob Gorrell <rwgorrel@uncg.edu>
Fri 7/29/2016 10:36 AM
I removed the attribute altogether, and while the loader job still ran unaffected, it inserted no new memberships... and going to check the groups confirmed: all the right user members were there, but no (nested) group members. -Rob
Hyzer, Chris
Thu 7/28/2016 5:00 PM
Can you please remove the attribute (or blank it out), and try it?
Grouper loader LDAP source ID
Since you are using a subject ID type of subjectIdentifier, it should resolve the grouper group system name, which is the last part of the DN, and then find it as the
Hyzer, Chris
Mon 7/25/2016 12:46 PM
Have you connected to the CMU public LDAP? Can you tell if there are nested groups there? ldap.andrew.cmu.edu Thanks, Chris
Rob Gorrell <rwgorrel@uncg.edu>
Mon 7/25/2016 11:59 AM
Oh gosh... I'll have to think on that... it's a logistical nightmare since we don't let LDAP leave our campus and push all external auth on SSO. I'm assuming what I'm asking about would pertain to any LDAP directory, as don't all LDAP instances support "group
Hyzer, Chris
Mon 7/25/2016 11:49 AM
I'm not sure we have done that before. Is there any way to get me temporarily a login and access to your AD so I can make it work? Otherwise I need to figure out how I can get an AD environment that I can work with to set this up and make it work… Thanks, Chris
Rob Gorrell <rwgorrel@uncg.edu>
Mon 7/25/2016 11:45 AM
Yes, I want the group to stay the member... not normalize/flatten all the memberships into a Grouper group. The same group names that are in AD exist in Grouper; the Loader needs only to look them up against Grouper's internal source, not my uncg-person source
Hyzer, Chris
Mon 7/25/2016 11:27 AM
Just to clarify, do you want the group that is a member of the group in LDAP to cause Grouper to find that group and add it to the group in Grouper? Or do you want to find all the members of the groups and subgroups etc. and just add the members to the group? Thanks
Rob Gorrell <rwgorrel@uncg.edu>
Mon 7/25
Yeah... I don't think there is anything that really needs to be sanitized below...
Grouper loader LDAP filter: (&(objectClass=group)(cn=ITS-23101-)(description=Org Chart Group))
Grouper loader LDAP quartz cron: 0 13 3-23 * * ?
Grouper loader LDAP subject attribute name: member
Grouper loader LDAP subject ID type: subjectIdentifier
Grouper loader LDAP extra attributes: cn
Grouper loader LDAP server ID: campusLdap
Grouper loader LDAP source ID: uncg-person
Grouper loader LDAP group name expression: uncg:facstaff:ITS-23101:${groupAttributes['cn']}
Grouper loader LDAP type: LDAP_GROUP_LIST
Grouper loader LDAP subject expression: ${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}
Grouper loader LDAP search base DN: OU=Groups,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF
Hyzer, Chris
Mon 7/25/2016 11:08 AM
Can you send me the sanitized config attributes and values for the job? You don't have to cc the list. Thanks, Chris
grouper-users-request@internet2.edu on behalf of Rob Gorrell <rwgorrel@uncg.edu>
Mon 7/25
To: grouper-users@internet2.edu
I currently have an LDAP_GROUP_LIST loader job pulling groups from an Active Directory source. In AD, we use a lot of group nesting (group of groups). When the loader job executes, it only loads those user objects with direct memberships to each group skipping over any group objects that are also direct members. What I would like it to do is resolve each group member in Grouper's internal source so that the group nesting copies over to grouper. Grouper has all these groups, but apparently the memberships aren't being resolved as it would seem the only subject source being used is my one that contains people (uncg-person).
-Rob
–
Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro
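As an added illustration (not Grouper's own loader code), here is what resolving each `member` value of this job would involve: a member whose parent DN is the job's search base is a nested group that this same job created under its group name expression, so it must be looked up in Grouper's own group source rather than in uncg-person. The search base, group name prefix and source ID are taken from Rob's config above; the mapping from a nested group's CN to its Grouper system name is an assumption derived from that expression, and `g:gsa` is Grouper's built-in group subject source ID.

```python
import re

# Loader settings copied from the config posted in the thread.
SEARCH_BASE = ("OU=Groups,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,"
               "OU=COLL-InformationTechnologyServices-02C01,"
               "OU=DIV-InformationTechnologyServices-DIV02,OU=FACSTAFF")
DC_SUFFIX = "DC=campus,DC=uncg,DC=edu"          # taken from the member DNs in the thread
GROUP_NAME_PREFIX = "uncg:facstaff:ITS-23101:"  # group name expression without ${groupAttributes['cn']}
PERSON_SOURCE = "uncg-person"                   # the job's "source ID"
GROUP_SOURCE = "g:gsa"                          # Grouper's built-in group subject source

def parse_dn(dn):
    """Split a DN into [(attr, value), ...]; a backslash-escaped comma stays inside its value."""
    return [tuple(part.split("=", 1)) for part in re.split(r"(?<!\\),", dn)]

def convert_dn_to_specific_value(dn):
    """Same idea as the thread's convertDnToSpecificValue: the value of the leftmost RDN (the CN)."""
    return parse_dn(dn)[0][1]

def resolve_member(dn):
    """Return the (subject source, identifier) pair the loader would need for one member DN.
    Parent DN == this job's search base  -> nested group created by this job: resolve it in
    Grouper's group source under the job's naming convention (assumed mapping).
    Any other OU=Groups entry           -> a group this job never loaded, so no name rule applies.
    Everything else                     -> a person, looked up in uncg-person by CN (what the
    job does today for every member)."""
    rdns = parse_dn(dn)
    cn = rdns[0][1]
    parent = ",".join(f"{a}={v}" for a, v in rdns[1:]).lower()
    if parent == f"{SEARCH_BASE},{DC_SUFFIX}".lower():
        return (GROUP_SOURCE, GROUP_NAME_PREFIX + cn)
    if rdns[1][0].upper() == "OU" and rdns[1][1].lower() == "groups":
        return (None, cn)
    return (PERSON_SOURCE, cn)

# Constructed input: the two member DNs quoted in the thread (a nested group and a user).
MEMBERS = [
    "CN=ITS-23101-SYN-Identity_Architecture," + SEARCH_BASE + "," + DC_SUFFIX,
    "CN=JNWHITWO,OU=Users,OU=ITS-23101,OU=UNIT-InformationTechnologyServices-2D031,"
    "OU=COLL-InformationTechnologyServices-02C01,OU=DIV-InformationTechnologyServices-DIV02,"
    "OU=FACSTAFF," + DC_SUFFIX,
]

if __name__ == "__main__":
    for member_dn in MEMBERS:
        print(convert_dn_to_specific_value(member_dn), "->", resolve_member(member_dn))
```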