Grouper / GRP-1428

LDAP Loader validator incomplete; ldap.properties also missing validator properties


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.3.0
    • Fix Version/s: 2.4.0
    • Component/s: grouperLoader
    • Labels: None

    Description

      I have a pull request to implement LDAP validators in the LDAP loader, getting rid of the "validate called, but no validator configured" errors. You did say you were switching to ldaptive, but either way you probably want some framework for it, since right now the functionality is totally missing. Anyway, feel free to ignore or reject the pull request.

      Also, I added, but commented out, validator settings in ldap.properties.example to set the validation trigger type. The sample LDAP source in sources.example.xml shows how to set up a validator, but it's not obvious that it won't be called unless you define the trigger criteria.

      Details

      1) LDAP Loader

      In grouper-loader, the LDAP Loader parameter validateOnCheckout gives an error (at WARN level): "validate called, but no validator configured". There is no way to turn this off; if all the validator choices are set to false, validateOnCheckout will be set to true due to source code checks.

      You don't see this by default because of the default log4j log level of ERROR. There is a commented out logging override for vt-ldap of INFO. If you uncomment this, you can see this error line for every triggered loader group.

      Setting validatePeriodically instead of validateOnCheckout avoids giving this error, but only because the pool's initialize() function is not called, so that the periodic filter is not triggered. Nor is the pruneTimerPeriod timer ever triggered (nor the expirationTime timer, in case you thought to set this hidden parameter).

      There is no current way to set a validator via property files. That's because the validator isn't part of the pool configuration object, but rather set up in the DefaultLdapFactory object.

      The patch I propose sets up validators correctly for use in the LDAP Loader. It does this by adding some "pseudo" properties to grouper-loader.properties that set up the validator object and puts it into the factory:

      ldap.personLdap.validator = CompareLdapValidator (or ConnectLdapValidator)
      ldap.personLdap.validatorCompareDn = ou=people,dc=example,dc=com
      ldap.personLdap.validatorCompareSearchFilterString = (ou=people)

      I tested this locally by both network sniffing and turning up the vt-ldap log levels, and the CompareLdapValidator is working as needed. I couldn't see much effect with the ConnectLdapValidator, but I don't know what it's supposed to look like.

      2) Subject sources

      GRP-1151 added functionality to set a validator for LDAP sources in sources.xml. However, if you don't also set the validation trigger in ldap.properties, it will never be utilized. My patch just adds commented lines to the ldap.properties.example file, noting the default property settings for it in the pool config, including that all the triggers are false unless you manually enable one.

      The original request in GRP-1151 was that the user had already added those settings to ldap.properties. But for everyone else, it's not obvious that the sample validator won't trigger without setting up additional properties that aren't documented.
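
As an added example (not code from this issue or from the Grouper project), the following Python lint checks a grouper-loader.properties file for the validator/trigger mismatches the description reports, using the validator properties the patch proposes. The `ldap.<id>.<trigger>` key layout and the `url` key in the sample are assumptions.

```python
import re

# Trigger and validator names come from the issue; the key layout
# ldap.<id>.<trigger> in grouper-loader.properties is an assumption.
TRIGGERS = ("validateOnCheckout", "validatePeriodically")
COMPARE_KEYS = ("validatorCompareDn", "validatorCompareSearchFilterString")

def parse_properties(text):
    """Parse 'key = value' lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            props[key.strip()] = value.strip()
    return props

def lint_loader_ldap(text):
    """Return {connection id: [findings]} for each ldap.<id>.* block."""
    props = parse_properties(text)
    ids = sorted({m.group(1) for k in props if (m := re.match(r"ldap\.([^.]+)\.", k))})
    report = {}
    for cid in ids:
        get = lambda name: props.get(f"ldap.{cid}.{name}", "")
        enabled = [t for t in TRIGGERS if get(t).lower() == "true"]
        # Per the issue, the loader forces validateOnCheckout when no trigger is set.
        effective = enabled or ["validateOnCheckout"]
        validator, findings = get("validator"), []
        if not validator and "validateOnCheckout" in effective:
            findings.append("checkout validation runs with no validator configured")
        if validator == "CompareLdapValidator":
            findings += [f"{k} is not set" for k in COMPARE_KEYS if not get(k)]
        if effective == ["validatePeriodically"]:
            findings.append("only validatePeriodically is set; per the issue it never runs")
        report[cid] = findings
    return report

# Constructed sample input, not taken from a real deployment.
SAMPLE = """
ldap.personLdap.url = ldaps://ldap.example.com:636
ldap.personLdap.validator = CompareLdapValidator
ldap.personLdap.validatorCompareDn = ou=people,dc=example,dc=com
ldap.groupLdap.url = ldaps://ldap.example.com:636
ldap.groupLdap.validatePeriodically = true
"""

if __name__ == "__main__":
    for cid, findings in lint_loader_ldap(SAMPLE).items():
        print(cid, findings or "ok")
```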

          People

            chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)
            chad.redman@at.internet2.edu Chad Redman (unc.edu)