Fixing PSPNG issue, and subject issue (which causes loader warnings)

docker · Apr 12, 2018 · 2be3d6f · 2be3d6f
1 parent fe41c23
commit 2be3d6f
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 11 deletions.
diff --git a/base/container_files/conf/subject.properties b/base/container_files/conf/subject.properties
@@ -14,7 +14,7 @@ subjectApi.source.ldap.param.SubjectID_formatToLowerCase.value = false
 subjectApi.source.ldap.param.Name_AttributeType.value = cn
 subjectApi.source.ldap.param.Description_AttributeType.value = cn
 subjectApi.source.ldap.param.VTLDAP_VALIDATOR.value = ConnectLdapValidator
-subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('exampleEduRegId'), "")}
+subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('employeeNumber'), "")}
 subjectApi.source.ldap.param.sortAttribute0.value = cn
 subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0
 
@@ -49,7 +49,7 @@ subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0
 
 # subject identifier to store in grouper's member table.  this is used to increase speed of loader and perhaps for provisioning
 # you can have up to max 1 subject identifier
-#subjectApi.source.example.param.subjectIdentifierAttribute0.value = uid
+subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber
 
 #searchSubject: find a subject by ID.  ID is generally an opaque and permanent identifier, e.g. 12345678.
 #  Each subject has one and only on ID.  Returns one result when searching for one ID.
@@ -61,7 +61,7 @@ subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=inte
 #  identifies the user, e.g. jsmith or jsmith@institution.edu.
 #  Subjects can have multiple identifiers.  Note: it is nice to have if identifiers are unique
 #  even across sources.  Returns one result when searching for one identifier.
-subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(|(uid=%TERM%)(employeeNumber=%TERM%))(objectclass=person))
+subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person))
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu
 

diff --git a/full-demo/Dockerfile b/full-demo/Dockerfile
@@ -10,6 +10,7 @@ ENV USERTOKEN=3.2.0_full_demo
 
 COPY container_files/demo.gsh /seed-data/
 COPY container_files/grouper-loader.properties /opt/grouper/conf/
+COPY container_files/subject.properties /opt/grouper/conf/
 
 RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
     && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \

diff --git a/full-demo/container_files/demo.gsh b/full-demo/container_files/demo.gsh
@@ -36,7 +36,7 @@ attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperL
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUPS_FROM_ATTRIBUTES");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(eduPersonAffiliation=*)");
-attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=People");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=People,dc=internet2,dc=edu");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uid");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupAttributeName(), "eduPersonAffiliation");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId");
@@ -52,7 +52,7 @@ attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperL
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUPS_FROM_ATTRIBUTES");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(businessCategory=*)");
-attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=People");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=People,dc=internet2,dc=edu");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uid");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupAttributeName(), "businessCategory");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId");

diff --git a/full-demo/container_files/grouper-loader.properties b/full-demo/container_files/grouper-loader.properties
@@ -37,7 +37,7 @@
 #note the URL should start with ldap: or ldaps: if it is SSL.  
 #It should contain the server and port (optional if not default), and baseDn,
 #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
-ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu
+ldap.demo.url = ldap://localhost:389/
 
 #optional, if authenticated
 ldap.demo.user = cn=root,dc=internet2,dc=edu
@@ -80,10 +80,11 @@ changeLog.consumer.pspng_groupOfUniqueNames.supportsEmptyGroups = false
 changeLog.consumer.pspng_groupOfUniqueNames.memberAttributeName = uniqueMember
 # changeLog.consumer.pspng_groupOfUniqueNames.memberAttributeValueFormat = ${ldapUser.getStringValue("uid")}
 changeLog.consumer.pspng_groupOfUniqueNames.memberAttributeValueFormat = ${ldapUser.getDn()}
-changeLog.consumer.pspng_groupOfUniqueNames.groupSearchBaseDn = ou=groups
+changeLog.consumer.pspng_groupOfUniqueNames.groupSearchBaseDn = ou=groups,dc=internet2,dc=edu
 changeLog.consumer.pspng_groupOfUniqueNames.allGroupsSearchFilter = objectclass=groupOfUniqueNames
 changeLog.consumer.pspng_groupOfUniqueNames.singleGroupSearchFilter = (&(objectclass=groupOfUniqueNames)(cn=${group.name}))
 changeLog.consumer.pspng_groupOfUniqueNames.groupSearchAttributes = cn,objectclass
 changeLog.consumer.pspng_groupOfUniqueNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfUniqueNames
-changeLog.consumer.pspng_groupOfUniqueNames.userSearchBaseDn = ou=people
-changeLog.consumer.pspng_groupOfUniqueNames.userSearchFilter = uid=${subject.id}
+changeLog.consumer.pspng_groupOfUniqueNames.userSearchBaseDn = ou=people,dc=internet2,dc=edu
+changeLog.consumer.pspng_groupOfUniqueNames.userSearchFilter = uid=${subject.id}
+changeLog.consumer.pspng_groupOfUniqueNames.grouperIsAuthoritative = true
diff --git a/full-demo/container_files/subject.properties b/full-demo/container_files/subject.properties
@@ -49,7 +49,7 @@ subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0
 
 # subject identifier to store in grouper's member table.  this is used to increase speed of loader and perhaps for provisioning
 # you can have up to max 1 subject identifier
-#subjectApi.source.example.param.subjectIdentifierAttribute0.value = uid
+subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber
 
 #searchSubject: find a subject by ID.  ID is generally an opaque and permanent identifier, e.g. 12345678.
 #  Each subject has one and only on ID.  Returns one result when searching for one ID.
@@ -61,7 +61,7 @@ subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=inte
 #  identifies the user, e.g. jsmith or jsmith@institution.edu.
 #  Subjects can have multiple identifiers.  Note: it is nice to have if identifiers are unique
 #  even across sources.  Returns one result when searching for one identifier.
-subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(|(uid=%TERM%)(employeeNumber=%TERM%))(objectclass=person))
+subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person))
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu