From 2be3d6f517d6fafec10bbbcc3be6c4091edae2b4 Mon Sep 17 00:00:00 2001
From: John Gasper
Date: Thu, 12 Apr 2018 09:41:11 -0700
Subject: [PATCH] Fixing PSPNG issue, and subject issue (which causes loader warnings)
---
 base/container_files/conf/subject.properties | 6 +++---
 full-demo/Dockerfile | 1 +
 full-demo/container_files/demo.gsh | 4 ++--
 full-demo/container_files/grouper-loader.properties | 9 +++++----
 full-demo/container_files/subject.properties | 4 ++--
 5 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/base/container_files/conf/subject.properties b/base/container_files/conf/subject.properties
index 2d4e312..5ef2de5 100644
--- a/base/container_files/conf/subject.properties
+++ b/base/container_files/conf/subject.properties
@@ -14,7 +14,7 @@ subjectApi.source.ldap.param.SubjectID_formatToLowerCase.value = false
 subjectApi.source.ldap.param.Name_AttributeType.value = cn
 subjectApi.source.ldap.param.Description_AttributeType.value = cn
 subjectApi.source.ldap.param.VTLDAP_VALIDATOR.value = ConnectLdapValidator
-subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('exampleEduRegId'), "")}
+subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('employeeNumber'), "")}
 subjectApi.source.ldap.param.sortAttribute0.value = cn
 subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0
@@ -49,7 +49,7 @@ subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0
 # subject identifier to store in grouper's member table. this is used to increase speed of loader and perhaps for provisioning
 # you can have up to max 1 subject identifier
-#subjectApi.source.example.param.subjectIdentifierAttribute0.value = uid
+subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber
 #searchSubject: find a subject by ID. ID is generally an opaque and permanent identifier, e.g. 12345678.
 # Each subject has one and only on ID. Returns one result when searching for one ID.
@@ -61,7 +61,7 @@ subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=inte
 # identifies the user, e.g. jsmith or jsmith@institution.edu.
 # Subjects can have multiple identifiers. Note: it is nice to have if identifiers are unique
 # even across sources. Returns one result when searching for one identifier.
-subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(|(uid=%TERM%)(employeeNumber=%TERM%))(objectclass=person))
+subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person))
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu
diff --git a/full-demo/Dockerfile b/full-demo/Dockerfile
index 218f27f..4b18986 100644
--- a/full-demo/Dockerfile
+++ b/full-demo/Dockerfile
@@ -10,6 +10,7 @@ ENV USERTOKEN=3.2.0_full_demo
 COPY container_files/demo.gsh /seed-data/
 COPY container_files/grouper-loader.properties /opt/grouper/conf/
+COPY container_files/subject.properties /opt/grouper/conf/
 RUN (/usr/sbin/slapd -h "ldap:/// ldaps:/// ldapi:///" -u ldap &) \
 && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
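Review bot: Identifier lookup now matches `employeeNumber` only, but the comment kept directly above the filter still gives `jsmith or jsmith@institution.edu` as examples of an identifier, so the documentation and the filter disagree. Anything that resolves a subject by identifier using a uid will stop matching, and person entries that lack an `employeeNumber`, or share one, end up with no identifier or an ambiguous one; a line such as `# identifier is employeeNumber; it must be present and unique on every person entry` above `subjectIdentifierAttribute0` would make that assumption explicit. Whether `%TERM%` is escaped before it is substituted into the filter is not visible in this patch and is worth confirming against the subject API. The same two changes are repeated in full-demo/container_files/subject.properties at -49 and -61.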
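Review bot: The added `COPY container_files/subject.properties /opt/grouper/conf/` gives the demo image its own copy of a file that also exists under base/container_files/conf, and this commit already edits the two copies differently. The base file gets three hunks, including the `employeeNumber` change to `subjectVirtualAttribute_0_searchAttribute0`, while the full-demo copy gets two; if the full-demo copy still references `exampleEduRegId` on that line (not visible here), the demo keeps the old search attribute. A comment above the COPY, for example `# replaces the subject.properties from the base image; keep in sync with base/container_files/conf`, would flag the duplication for the next edit.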
diff --git a/full-demo/container_files/demo.gsh b/full-demo/container_files/demo.gsh
index 480de57..abaa8c3 100644
--- a/full-demo/container_files/demo.gsh
+++ b/full-demo/container_files/demo.gsh
@@ -36,7 +36,7 @@ attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperL
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUPS_FROM_ATTRIBUTES");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(eduPersonAffiliation=*)");
-attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=People");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=People,dc=internet2,dc=edu");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uid");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupAttributeName(), "eduPersonAffiliation");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId");
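Review bot: The absolute DN `"ou=People,dc=internet2,dc=edu"` is now written out as a literal in this loader job and again in the hunk at -52, and the same suffix is repeated in grouper-loader.properties. Defining it once near the top of the script, for example `peopleDn = "ou=People,dc=internet2,dc=edu";`, and passing `peopleDn` to both `grouperLoaderLdapSearchDnName()` assignments would keep the two jobs from drifting apart. The statements that create `attributeAssign` lie outside both hunks, so where the variable should be declared cannot be checked from here.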
@@ -52,7 +52,7 @@ attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperL
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_GROUPS_FROM_ATTRIBUTES");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(businessCategory=*)");
-attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=People");
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=People,dc=internet2,dc=edu");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uid");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapGroupAttributeName(), "businessCategory");
 attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId");
diff --git a/full-demo/container_files/grouper-loader.properties b/full-demo/container_files/grouper-loader.properties
index 9e262b6..6a59f36 100644
--- a/full-demo/container_files/grouper-loader.properties
+++ b/full-demo/container_files/grouper-loader.properties
@@ -37,7 +37,7 @@
 #note the URL should start with ldap: or ldaps: if it is SSL.
 #It should contain the server and port (optional if not default), and baseDn,
 #e.g. ldaps://ldapserver.school.edu:636/dc=school,dc=edu
-ldap.demo.url = ldap://localhost:389/dc=internet2,dc=edu
+ldap.demo.url = ldap://localhost:389/
 #optional, if authenticated
 ldap.demo.user = cn=root,dc=internet2,dc=edu
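Review bot: With the base DN dropped from `ldap.demo.url`, the comment kept just above it still says the URL should contain the baseDn, and every search DN used with the `demo` server now has to be absolute. A short comment such as `# base DN intentionally omitted; loader and PSPNG search DNs must be fully qualified` would record that. The context also shows the connection binding as `cn=root,dc=internet2,dc=edu` over plain `ldap://`; that stays contained while the URL points at localhost, and the same comment could say the setting is not meant to be reused against a remote directory, where `ldaps:` and a less privileged bind DN would be expected.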
@@ -80,10 +80,11 @@ changeLog.consumer.pspng_groupOfUniqueNames.supportsEmptyGroups = false
 changeLog.consumer.pspng_groupOfUniqueNames.memberAttributeName = uniqueMember
 # changeLog.consumer.pspng_groupOfUniqueNames.memberAttributeValueFormat = ${ldapUser.getStringValue("uid")}
 changeLog.consumer.pspng_groupOfUniqueNames.memberAttributeValueFormat = ${ldapUser.getDn()}
-changeLog.consumer.pspng_groupOfUniqueNames.groupSearchBaseDn = ou=groups
+changeLog.consumer.pspng_groupOfUniqueNames.groupSearchBaseDn = ou=groups,dc=internet2,dc=edu
 changeLog.consumer.pspng_groupOfUniqueNames.allGroupsSearchFilter = objectclass=groupOfUniqueNames
 changeLog.consumer.pspng_groupOfUniqueNames.singleGroupSearchFilter = (&(objectclass=groupOfUniqueNames)(cn=${group.name}))
 changeLog.consumer.pspng_groupOfUniqueNames.groupSearchAttributes = cn,objectclass
 changeLog.consumer.pspng_groupOfUniqueNames.groupCreationLdifTemplate = dn: cn=${group.name}||cn: ${group.name}||objectclass: groupOfUniqueNames
-changeLog.consumer.pspng_groupOfUniqueNames.userSearchBaseDn = ou=people
-changeLog.consumer.pspng_groupOfUniqueNames.userSearchFilter = uid=${subject.id}
\ No newline at end of file
+changeLog.consumer.pspng_groupOfUniqueNames.userSearchBaseDn = ou=people,dc=internet2,dc=edu
+changeLog.consumer.pspng_groupOfUniqueNames.userSearchFilter = uid=${subject.id}
+changeLog.consumer.pspng_groupOfUniqueNames.grouperIsAuthoritative = true
diff --git a/full-demo/container_files/subject.properties b/full-demo/container_files/subject.properties
index 0440064..bc0ccdf 100644
--- a/full-demo/container_files/subject.properties
+++ b/full-demo/container_files/subject.properties
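Review bot: `grouperIsAuthoritative = true` is added without a comment, and it is the one line in this hunk that can remove data: as I understand PSPNG, a full sync with this flag set deletes groups in the target that Grouper does not manage. With `allGroupsSearchFilter = objectclass=groupOfUniqueNames` under `ou=groups,dc=internet2,dc=edu`, that would cover every groupOfUniqueNames entry in that subtree, including any created by hand or by the seed data. I would add `# demo only: PSPNG removes groups under groupSearchBaseDn that are not provisioned from Grouper` above the line, and confirm that the demo directory has no pre-existing groups there that are expected to survive.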
@@ -49,7 +49,7 @@ subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0
 # subject identifier to store in grouper's member table. this is used to increase speed of loader and perhaps for provisioning
 # you can have up to max 1 subject identifier
-#subjectApi.source.example.param.subjectIdentifierAttribute0.value = uid
+subjectApi.source.ldap.param.subjectIdentifierAttribute0.value = employeeNumber
 #searchSubject: find a subject by ID. ID is generally an opaque and permanent identifier, e.g. 12345678.
 # Each subject has one and only on ID. Returns one result when searching for one ID.
@@ -61,7 +61,7 @@ subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=inte
 # identifies the user, e.g. jsmith or jsmith@institution.edu.
 # Subjects can have multiple identifiers. Note: it is nice to have if identifiers are unique
 # even across sources. Returns one result when searching for one identifier.
-subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(|(uid=%TERM%)(employeeNumber=%TERM%))(objectclass=person))
+subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(employeeNumber=%TERM%)(objectclass=person))
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE
 subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu