[10:41:22 EDT(-0400)] * lennard1 (n=sparhk@ip68-98-56-21.ph.ph.cox.net) has left ##uportal
[10:54:28 EDT(-0400)] * EricDalquist (n=dalquist@bohemia.doit.wisc.edu) has joined ##uportal
[10:59:13 EDT(-0400)] * holdorph (n=holdorph@wsip-72-215-204-133.ph.ph.cox.net) has joined ##uportal
[11:10:54 EDT(-0400)] <sanji> is there a way to see more in-depth messages when querying ldap attributes?
[11:13:26 EDT(-0400)] <sanji> i have the logger logging services.persondir and springframework.ldap but i don't see anything relating to the map query itself
[11:19:17 EDT(-0400)] <EricDalquist> if you have that set to debug you should be seeing all of the log messages
[11:20:12 EDT(-0400)] <EricDalquist> if you can capture a chunk of log data for a login into a fresh server (first time logging in so no caching) and share that perhaps another set of eyes will help.
[11:31:01 EDT(-0400)] <sanji> can't do the second, and i'm trawling through the debug messages
[11:36:02 EDT(-0400)] * lennard1 (n=sparhk@wsip-72-215-204-133.ph.ph.cox.net) has joined ##uportal
[11:49:07 EDT(-0400)] * invisibill (i=80876350@gateway/web/freenode/x-cnomftlugfojbcga) has joined ##uportal
[11:50:09 EDT(-0400)] <invisibill> Greetings uPortal devs: Do you know if I need to alter any configuration to enable the Identity Swapper portlet? I'm not sure what it uses on the back end to lookup the user identity, and am looking for clues.
[12:02:51 EDT(-0400)] * awills (n=awills@wsip-72-215-204-133.ph.ph.cox.net) has joined ##uportal
[12:03:30 EDT(-0400)] <awills> invisibill I don't believe you need to enable anything special
[12:03:55 EDT(-0400)] <awills> the portlet logs you out and back in as the specified individual
[12:04:17 EDT(-0400)] <awills> it also keeps track of who you really are, and allows you to become yourself again in 1 click, iirc
[12:04:38 EDT(-0400)] <invisibill> ok. thanks awills. I'm entering different values in for the search of data I think is there but not getting any results back.
[12:04:57 EDT(-0400)] <awills> i know it relies on person directory
[12:05:14 EDT(-0400)] <awills> are you searching for users?
[12:05:59 EDT(-0400)] <invisibill> yes. we do have persondirectory in use as far as I know by configuration from the personDirectoryContext.xml.
[12:06:41 EDT(-0400)] <awills> are you searching by username, first and/or last name, or something else?
[12:07:07 EDT(-0400)] <invisibill> I can look at the person attribute portlet and see that my "username" is billbrown but it doesn't come up in the search.
[12:07:25 EDT(-0400)] <invisibill> do I need to enter all of the parameters?
[12:07:33 EDT(-0400)] <awills> i shouldn't think so
[12:07:43 EDT(-0400)] <invisibill> thats what I'm thinking as well.
[12:08:11 EDT(-0400)] <invisibill> I've got the logs on info right now. I can turn up to debug and see if it shows anymore info I guess.
[12:08:25 EDT(-0400)] <invisibill> right now at info, nothing happens in the logs.
[12:08:33 EDT(-0400)] <awills> what if you search for admin? or demo? does it work?
[12:08:40 EDT(-0400)] <invisibill> oh. I'll try that.
[12:10:10 EDT(-0400)] <invisibill> admin did pull up just now. I wonder if I need to enable something else so that logged in users get their data to the same database location as the admin and other demo users?
[12:10:51 EDT(-0400)] <awills> that could be
[12:10:59 EDT(-0400)] <awills> and i bet it's in person directory
[12:12:33 EDT(-0400)] <awills> in particular, look at the U of Wisc enhancements to PersonAttributes from like a year ago... look for config elements designed to allow you to search the various DAOs
[12:12:47 EDT(-0400)] <invisibill> ok. I see that all of the people who have logged in at some point are in the UP_USER table including the demo admin user and myself
[12:13:17 EDT(-0400)] <awills> yes, only users who have logged in... but you weren't able to find yourself, correct?
[12:13:24 EDT(-0400)] <invisibill> right.
[12:13:43 EDT(-0400)] <awills> i suspect you're getting admin info from the UP_PERSON_DIR table
[12:14:02 EDT(-0400)] <invisibill> ok. I'll have a look at the person directory config (already very customized) to see if there is more we can enable there to pull in the results.
[12:14:05 EDT(-0400)] <awills> and real people should not have records there
[12:14:11 EDT(-0400)] <invisibill> oh. ok.
[12:14:32 EDT(-0400)] <invisibill> yep. only the demo users are in that table.
[12:14:34 EDT(-0400)] <awills> there may be a Spring property or 3 designed to allow DAOs to be queried
[12:15:10 EDT(-0400)] <EricDalquist> hello
[12:15:24 EDT(-0400)] <EricDalquist> invisibill: you use Shib right?
[12:15:28 EDT(-0400)] <awills> compare the properties that are specified for the UP_PERSON_DIR DAO and those for the LDAP dao (whence real users come)
[12:15:29 EDT(-0400)] <invisibill> yes.
[12:15:34 EDT(-0400)] <EricDalquist> and Shib provides attributes for the current user when they log in
[12:15:49 EDT(-0400)] <EricDalquist> it doesn't provide for a way to lookup attributes for any random user though
[12:15:50 EDT(-0400)] <EricDalquist> right?
[12:16:01 EDT(-0400)] <invisibill> checking now...
[12:16:13 EDT(-0400)] <EricDalquist> person directory is used to do the searching
[12:16:34 EDT(-0400)] <EricDalquist> but the in-session attribute source used for things like Shib can't really search
[12:16:40 EDT(-0400)] <EricDalquist> since it doesn't have some backing data source to go to
[12:16:41 EDT(-0400)] <invisibill> it has these properties: <property name="additionalDescriptors" ref="requestAttributeDescriptors" /> <property name="remoteUserAttribute" value="username" /> <property name="usernameAttribute" value="username" /> <property name="processingPosition" value="BOTH" /> <!-- UOC customization: add external login creds handler --> <property name="creds" ref="authHandle" /> <property name="headerAttributeMapping">
[12:16:53 EDT(-0400)] <EricDalquist> yeah
[12:17:03 EDT(-0400)] <EricDalquist> so that has nowhere to go to for searching for a user
[12:17:09 EDT(-0400)] <EricDalquist> it is provided information about the current user
[12:17:13 EDT(-0400)] <EricDalquist> but that is it
[12:17:33 EDT(-0400)] <EricDalquist> and that current user info is never stored anywhere and not visible to portal code by anyone other than the current user
[12:18:02 EDT(-0400)] <EricDalquist> depending on how your person directory context is setup you might be able to find people by their username to swap
[12:18:09 EDT(-0400)] <invisibill> ok that makes sense. the bean is actually this guy: org.jasig.services.persondir.support.web.RequestAttributeSourceFilter which would need to be modified to deposit the info into the UP_PERSON_DIR table?
[12:18:39 EDT(-0400)] <EricDalquist> yeah though I'm not sure UP_PERSON_DIR has ever been tested to scale to that degree
[12:18:52 EDT(-0400)] <EricDalquist> uPortal does create entries in UP_USER for each user that has logged in but that entry only contains their username
[12:19:08 EDT(-0400)] <invisibill> I see.
[12:19:53 EDT(-0400)] <invisibill> UP_PERSON_DIR looks to mostly just have the name and email info. basically the search params for the id swap portlet.
[12:20:20 EDT(-0400)] <EricDalquist> right, but there is code in several different places that uses that table
[12:20:36 EDT(-0400)] <EricDalquist> and I have no idea if the code and table are setup to have say 100,000 entries
[12:20:42 EDT(-0400)] <invisibill> so some of the other persondirectory.xml beans configurations do this population then?
[12:20:44 EDT(-0400)] <EricDalquist> it might work just fine
[12:20:49 EDT(-0400)] <EricDalquist> it might be slow
[12:21:05 EDT(-0400)] <EricDalquist> there is no code to do population of that table based on users logging in
[12:21:14 EDT(-0400)] <invisibill> or awills was saying I could configure the DAOs to be searched?
[12:21:16 EDT(-0400)] <EricDalquist> I'm not sure anyone has done anything like that
[12:21:28 EDT(-0400)] <EricDalquist> but what would it be searching?
[12:21:34 EDT(-0400)] <EricDalquist> you don't have a store of data it can look in
[12:21:38 EDT(-0400)] <invisibill> right. I don't know.
[12:21:59 EDT(-0400)] <EricDalquist> like here we have person directory set up to talk to our LDAP server to get attributes
[12:22:03 EDT(-0400)] <invisibill> I guess I can look at the IdentitySwapper Impl to see what it is looking for to find the user info.
[12:22:04 EDT(-0400)] <EricDalquist> and that also lets us do searching
[12:22:09 EDT(-0400)] <EricDalquist> it uses Person Directory
[12:22:22 EDT(-0400)] <EricDalquist> so you need to setup a DAO in person directory to search for users
[12:22:31 EDT(-0400)] <invisibill> We also use the ldap bean to get info as well in our local environments which don't use shib.
[12:22:39 EDT(-0400)] <EricDalquist> ah ok
[12:22:46 EDT(-0400)] <invisibill> they look very similar as far as user attrs in the personDirectoryContext.xml
[12:22:50 EDT(-0400)] <EricDalquist> so you have an LDAP attribute DAO setup in person directory?
[12:22:54 EDT(-0400)] <invisibill> yeah.
[12:24:16 EDT(-0400)] <EricDalquist> http://uportal.pastebin.com/f6d9a8cf9
[12:24:27 EDT(-0400)] <invisibill> we also have the cachinguPortalJdbcAttributeSource, which the comments say is used to search for person info.
[12:24:31 EDT(-0400)] <EricDalquist> so there is an example of what our LDAP attribute dao looks like
[12:24:49 EDT(-0400)] <EricDalquist> the attributes in the "queryAttributeMapping" property are attributes that can be used for searching for a user
[12:24:58 EDT(-0400)] <EricDalquist> the key is the attribute name as uPortal sees it
[12:25:03 EDT(-0400)] <EricDalquist> the value is the attribute name as LDAP sees it
[12:26:52 EDT(-0400)] <invisibill> this is ours: http://uportal.pastebin.com/m3593843b looks like we don't have the searchControls property
[12:27:01 EDT(-0400)] <invisibill> is that what does the searching?
[12:28:03 EDT(-0400)] <invisibill> our queryAttributeMapping only has <entry key="username" value="uid" />
[12:28:47 EDT(-0400)] <EricDalquist> yeah, so your bean is setup to only let you search based on the username
[12:29:07 EDT(-0400)] <EricDalquist> you need to add additional attributes that you want to allow searching on into the queryAttributeMapping
[12:29:16 EDT(-0400)] <EricDalquist> there are a default set of search controls
[12:29:24 EDT(-0400)] <EricDalquist> we just tweak the defaults a bit
[12:29:56 EDT(-0400)] <invisibill> ok and that is completely missing in our shib requestAttributeFilterBean. I just verified that the search works fine in my local deploy which uses ldap when I search for username.
[12:30:50 EDT(-0400)] <invisibill> ok. I'm thinking this is something we want to add for the shib bean <bean id="requestAttributeSourceFilter" class="org.jasig.services.persondir.support.web.RequestAttributeSourceFilter">
[12:31:19 EDT(-0400)] <invisibill> now where to begin and can this be done in a day ??? (smile)
[12:31:45 EDT(-0400)] <invisibill> the ldap bean is only in use for the developers locally (sad)
[12:32:01 EDT(-0400)] <EricDalquist> well here is the person directory manual: http://www.ja-sig.org/wiki/display/PDM15/Person+Directory+1.5+Manual
[12:32:17 EDT(-0400)] <EricDalquist> and it sounds like you need to talk to your ldap folks about if you can use it in prod (tongue)