[10:41:22 EDT(-0400)] * lennard1 (n=sparhk@ip68-98-56-21.ph.ph.cox.net) has left ##uportal
[10:54:28 EDT(-0400)] * EricDalquist (n=dalquist@bohemia.doit.wisc.edu) has joined ##uportal
[10:59:13 EDT(-0400)] * holdorph (n=holdorph@wsip-72-215-204-133.ph.ph.cox.net) has joined ##uportal
[11:10:54 EDT(-0400)] <sanji> is there a way to see more in-depth messages when querying ldap attributes?
[11:13:26 EDT(-0400)] <sanji> i have the logger logging services.persondir and springframework.ldap but i don't see anything relating to the map query itself
[11:19:17 EDT(-0400)] <EricDalquist> if you have that set to debug you should be seeing all of the log messages
[11:20:12 EDT(-0400)] <EricDalquist> if you can capture a chunk of log data for a login into a fresh server (first time logging in so no caching) and share that perhaps another set of eyes will help.
[11:31:01 EDT(-0400)] <sanji> can't do the second, and i'm trawling through the debug messages
[11:36:02 EDT(-0400)] * lennard1 (n=sparhk@wsip-72-215-204-133.ph.ph.cox.net) has joined ##uportal
[11:49:07 EDT(-0400)] * invisibill (i=80876350@gateway/web/freenode/x-cnomftlugfojbcga) has joined ##uportal
[11:50:09 EDT(-0400)] <invisibill> Greetings uPortal devs: Do you know if I need to alter any configuration to enable the Identity Swapper portlet? I'm not sure what it uses on the back end to look up the user identity, and am looking for clues.
[12:02:51 EDT(-0400)] * awills (n=awills@wsip-72-215-204-133.ph.ph.cox.net) has joined ##uportal
[12:03:30 EDT(-0400)] <awills> invisibill I don't believe you need to enable anything special
[12:03:55 EDT(-0400)] <awills> the portlet logs you out and back in as the specified individual
[12:04:17 EDT(-0400)] <awills> it also keeps track of who you really are, and allows you to become yourself again in 1 click, iirc
[12:04:38 EDT(-0400)] <invisibill> ok. thanks awills. I'm entering different values in for the search of data I think is there but not getting any results back.
[12:04:57 EDT(-0400)] <awills> i know it relies on person directory
[12:05:14 EDT(-0400)] <awills> are you searching for users?
[12:05:59 EDT(-0400)] <invisibill> yes. we do have persondirectory in use as far as I know by configuration from the personDirectoryContext.xml.
[12:06:41 EDT(-0400)] <awills> are you searching by username, first and/or last name, or something else?
[12:07:07 EDT(-0400)] <invisibill> I can look at the person attribute portlet and see that my "username" is billbrown but it doesn't come up in the search.
[12:07:25 EDT(-0400)] <invisibill> do I need to enter all of the parameters?
[12:07:33 EDT(-0400)] <awills> i shouldn't think so
[12:07:43 EDT(-0400)] <invisibill> that's what I'm thinking as well.
[12:08:11 EDT(-0400)] <invisibill> I've got the logs on info right now. I can turn up to debug and see if it shows any more info I guess.
[12:08:25 EDT(-0400)] <invisibill> right now at info, nothing happens in the logs.
[12:08:33 EDT(-0400)] <awills> what if you search for admin? or demo? does it work?
[12:08:40 EDT(-0400)] <invisibill> oh. I'll try that.
[12:10:10 EDT(-0400)] <invisibill> admin did pull up just now. I wonder if I need to enable something else so that logged in users get their data to the same database location as the admin and other demo users?
[12:10:51 EDT(-0400)] <awills> that could be
[12:10:59 EDT(-0400)] <awills> and i bet it's in person directory
[12:12:33 EDT(-0400)] <awills> in particular, look at the U of Wisc enhancements to PersonAttributes from like a year ago... look for config elements designed to allow you to search the various DAOs
[12:12:47 EDT(-0400)] <invisibill> ok. I see that all of the people who have logged in at some point are in the UP_USER table including the demo admin user and myself
[12:13:17 EDT(-0400)] <awills> yes, only users who have logged in... but you weren't able to find yourself, correct?
[12:13:24 EDT(-0400)] <invisibill> right.
[12:13:43 EDT(-0400)] <awills> i suspect you're getting admin info from the UP_PERSON_DIR table
[12:14:02 EDT(-0400)] <invisibill> ok. I'll have a look at the person directory config (already very customized) to see if there is more we can enable there to pull in the results.
[12:14:05 EDT(-0400)] <awills> and real people should not have records there
[12:14:11 EDT(-0400)] <invisibill> oh. ok.
[12:14:32 EDT(-0400)] <invisibill> yep. only the demo users are in that table.
[12:14:34 EDT(-0400)] <awills> there may be a Spring property or 3 designed to allow DAOs to be queried
[12:15:10 EDT(-0400)] <EricDalquist> hello
[12:15:24 EDT(-0400)] <EricDalquist> invisibill: you use Shib right?
[12:15:28 EDT(-0400)] <awills> compare the properties that are specified for the UP_PERSON_DIR DAO and those for the LDAP dao (whence real users come)
[12:15:29 EDT(-0400)] <invisibill> yes.
[12:15:34 EDT(-0400)] <EricDalquist> and Shib provides attributes for the current user when they log in
[12:15:49 EDT(-0400)] <EricDalquist> it doesn't provide for a way to lookup attributes for any random user though
[12:15:50 EDT(-0400)] <EricDalquist> right?
[12:16:01 EDT(-0400)] <invisibill> checking now...
[12:16:13 EDT(-0400)] <EricDalquist> person directory is used to do the searching
[12:16:34 EDT(-0400)] <EricDalquist> but the in-session attribute source used for things like Shib can't really search
[12:16:40 EDT(-0400)] <EricDalquist> since it doesn't have some backing data source to go to
[12:16:41 EDT(-0400)] <invisibill> it has these properties: <property name="additionalDescriptors" ref="requestAttributeDescriptors" /> <property name="remoteUserAttribute" value="username" /> <property name="usernameAttribute" value="username" /> <property name="processingPosition" value="BOTH" /> <!-- UOC customization: add external login creds handler --> <property name="creds" ref="authHandle" /> <property name="headerAttributeMapping">
[12:16:53 EDT(-0400)] <EricDalquist> yeah
[12:17:03 EDT(-0400)] <EricDalquist> so that has nowhere to go to for searching for a user
[12:17:09 EDT(-0400)] <EricDalquist> it is provided information about the current user
[12:17:13 EDT(-0400)] <EricDalquist> but that is it
[12:17:33 EDT(-0400)] <EricDalquist> and that current user info is never stored anywhere and not visible to portal code by anyone other than the current user
[12:18:02 EDT(-0400)] <EricDalquist> depending on how your person directory context is setup you might be able to find people by their username to swap
[12:18:09 EDT(-0400)] <invisibill> ok that makes sense. the bean is actually this guy : org.jasig.services.persondir.support.web.RequestAttributeSourceFilter which would need to be modified to deposit the info into the UP_PERSON_DIR table?
[12:18:39 EDT(-0400)] <EricDalquist> yeah though I'm not sure UP_PERSON_DIR has ever been tested to scale to that degree
[12:18:52 EDT(-0400)] <EricDalquist> uPortal does create entries in UP_USER for each user that has logged in but that entry only contains their username
[12:19:08 EDT(-0400)] <invisibill> I see.
[12:19:53 EDT(-0400)] <invisibill> UP_PERSON_DIR looks to mostly just have the name and email info. basically the search params for the id swap portlet.
[12:20:20 EDT(-0400)] <EricDalquist> right, but there is code in several different places that uses that table
[12:20:36 EDT(-0400)] <EricDalquist> and I have no idea if the code and table are setup to have say 100,000 entries
[12:20:42 EDT(-0400)] <invisibill> so some of the other persondirectory.xml beans configurations do this population then?
[12:20:44 EDT(-0400)] <EricDalquist> it might work just fine
[12:20:49 EDT(-0400)] <EricDalquist> it might be slow
[12:21:05 EDT(-0400)] <EricDalquist> there is no code to do population of that table based on users logging in
[12:21:14 EDT(-0400)] <invisibill> or awills was saying I could configure the DAOs to be searched?
[12:21:16 EDT(-0400)] <EricDalquist> I'm not sure anyone has done anything like that
[12:21:28 EDT(-0400)] <EricDalquist> but what would it be searching?
[12:21:34 EDT(-0400)] <EricDalquist> you don't have a store of data it can look in
[12:21:38 EDT(-0400)] <invisibill> right. I don't know.
[12:21:59 EDT(-0400)] <EricDalquist> like here we have person directory set up to talk to our LDAP server to get attributes
[12:22:03 EDT(-0400)] <invisibill> I guess I can look at the IdentitySwapper Impl to see what it is looking for to find the user info.
[12:22:04 EDT(-0400)] <EricDalquist> and that also lets us do searching
[12:22:09 EDT(-0400)] <EricDalquist> it uses Person Directory
[12:22:22 EDT(-0400)] <EricDalquist> so you need to setup a DAO in person directory to search for users
[12:22:31 EDT(-0400)] <invisibill> We also use the ldap bean to get info as well in our local environments which don't use shib.
[12:22:39 EDT(-0400)] <EricDalquist> ah ok
[12:22:46 EDT(-0400)] <invisibill> they look very similar as far as user attrs in the personDirectoryContext.xml
[12:22:50 EDT(-0400)] <EricDalquist> so you have an LDAP attribute DAO setup in person directory?
[12:22:54 EDT(-0400)] <invisibill> yeah.
[12:24:16 EDT(-0400)] <EricDalquist> http://uportal.pastebin.com/f6d9a8cf9
[12:24:27 EDT(-0400)] <invisibill> we also have the cachinguPortalJdbcAttributeSource which the comments say is used to search for person info.
[12:24:31 EDT(-0400)] <EricDalquist> so there is an example of what our LDAP attribute dao looks like
[12:24:49 EDT(-0400)] <EricDalquist> the attributes in the "queryAttributeMapping" property are attributes that can be used for searching for a user
[12:24:58 EDT(-0400)] <EricDalquist> the key is the attribute name as uPortal sees it
[12:25:03 EDT(-0400)] <EricDalquist> the value is the attribute name as LDAP sees it
[12:26:52 EDT(-0400)] <invisibill> this is ours: http://uportal.pastebin.com/m3593843b looks like we don't have the searchControls property
[12:27:01 EDT(-0400)] <invisibill> is that what does the searching?
[12:28:03 EDT(-0400)] <invisibill> our queryAttributeMapping only has <entry key="username" value="uid" />
[12:28:47 EDT(-0400)] <EricDalquist> yeah, so your bean is setup to only let you search based on the username
[12:29:07 EDT(-0400)] <EricDalquist> you need to add additional attributes that you want to allow searching on into the queryAttributeMapping
[12:29:16 EDT(-0400)] <EricDalquist> there are a default set of search controls
[12:29:24 EDT(-0400)] <EricDalquist> we just tweak the defaults a bit
[12:29:56 EDT(-0400)] <invisibill> ok and that is completely missing in our shib requestAttributeFilterBean. I just verified that the search works fine in my local deploy which uses ldap when I search for username.
[12:30:50 EDT(-0400)] <invisibill> ok. I'm thinking this is something we want to add for the shib bean <bean id="requestAttributeSourceFilter" class="org.jasig.services.persondir.support.web.RequestAttributeSourceFilter">
[12:31:19 EDT(-0400)] <invisibill> now where to begin and can this be done in a day ??? (smile)
[12:31:45 EDT(-0400)] <invisibill> the ldap bean is only in use for the developers locally (sad)
[12:32:01 EDT(-0400)] <EricDalquist> well here is the person directory manual: http://www.ja-sig.org/wiki/display/PDM15/Person+Directory+1.5+Manual
[12:32:17 EDT(-0400)] <EricDalquist> and it sounds like you need to talk to your ldap folks about if you can use it in prod (tongue)
[12:32:59 EDT(-0400)] <holdorph> if I understand what you're asking bill, it can't be added to the shib bean
[12:33:07 EDT(-0400)] <invisibill> ok. cool. I'll start with reviewing that before I touch anything. but for now I think we are out of luck for using the identity swapper in prod because the persondirectory bean we are using does not have the functionality implemented.
[12:33:23 EDT(-0400)] <holdorph> because the shib bean can only find information about the current user, it doesn't have the ability to search for other users
[12:34:00 EDT(-0400)] <EricDalquist> right, to use idswapper you have to have a bean in person directory that can search for users
[12:34:14 EDT(-0400)] <invisibill> I think we just want to somehow make our shib bean deposit some of the attributes to the right table? maybe I'm way off.
[12:34:26 EDT(-0400)] <EricDalquist> if you were to add an LDAP bean to your prod config along side your shib bean that would work
[12:34:36 EDT(-0400)] <EricDalquist> and that approach of caching attribute data in a table could work too
[12:34:47 EDT(-0400)] <holdorph> until they drift out of sync
[12:34:55 EDT(-0400)] <invisibill> well it is enabled in our prod configuration, but it doesn't seem to do anything.
[12:34:55 EDT(-0400)] <EricDalquist> right
[12:35:11 EDT(-0400)] <invisibill> oh.
[12:35:34 EDT(-0400)] <EricDalquist> ldap may be enabled but if it is the config you pasted it only has one attribute configured for searching
[12:35:41 EDT(-0400)] <EricDalquist> so you need to add more search attributes
[12:35:43 EDT(-0400)] <invisibill> I think when we enable it in security.properties, it takes precedence over the shib bean and then we don't get the shib specific data we need.
[12:36:01 EDT(-0400)] <EricDalquist> this has nothing to do with security.properties
[12:36:08 EDT(-0400)] <invisibill> ok.
[12:36:16 EDT(-0400)] <EricDalquist> only personDirectoryContext.xml is involved
[12:36:26 EDT(-0400)] <EricDalquist> persondirectory uses a tree structure of attribute DAOs
[12:36:48 EDT(-0400)] <EricDalquist> for example here our person directory config talks to 4 JDBC databases and an LDAP server
[12:37:02 EDT(-0400)] <EricDalquist> aggregating all of that into a single set of attributes for a user
[12:37:18 EDT(-0400)] <EricDalquist> and each DAO specifies a set of attributes that it supports for searching
[12:37:27 EDT(-0400)] <EricDalquist> what you need in your prod PD config
[12:37:35 EDT(-0400)] <EricDalquist> is one bean that provides the shib attributes for the user
[12:37:52 EDT(-0400)] <EricDalquist> and another bean that allows for searching for a user based on some set of attributes
[12:38:10 EDT(-0400)] <EricDalquist> that search bean sounds like it would use LDAP
[12:38:22 EDT(-0400)] <EricDalquist> if you're allowed to use LDAP to get user attributes in your prod environment
[12:38:58 EDT(-0400)] * lennard1 (n=sparhk@wsip-72-215-204-133.ph.ph.cox.net) has joined ##uportal
[12:41:51 EDT(-0400)] <invisibill> ok. I've got this in the personDirectoryContext.xml http://uportal.pastebin.com/m5fed7a04 we have the uPortalLdapAttributeSource commented out right now in our shib environments because I think we wanted to make sure the user attributes coming in came from the shib headers and not from ldap. I can try enabling this in our dev shib environment to see if It will allow us to do the identity swap search for the username at
[12:45:03 EDT(-0400)] <EricDalquist> so you could do a slightly more complex config
[12:45:26 EDT(-0400)] <EricDalquist> which would only go to the ldap config if the shib source didn't return info
[12:45:36 EDT(-0400)] <EricDalquist> I'm going to get our person directory config posted somewhere
[12:46:07 EDT(-0400)] <invisibill> that's what we wanted to do originally but we couldn't get it to work or could never verify if it worked.
[12:52:26 EDT(-0400)] <invisibill> ok. so uncommenting the uPortalLdapAttributeSource attribute for the personAttributeDaos property allows me to find myself now with the identity swapper, but not anyone else so far.
[12:54:52 EDT(-0400)] <invisibill> so I think the ldap bean is enabled now alongside the shib attribute bean, but it's not finding other users. so I think I need to enable more attributes to be searched for as you were saying?
[12:55:10 EDT(-0400)] <EricDalquist> right
[12:55:18 EDT(-0400)] <EricDalquist> you can look at the example config I posted earlier for how to do that
[12:55:28 EDT(-0400)] <invisibill> ok. thanks.
[13:05:34 EDT(-0400)] * Sememmon (n=Sememmon@wsip-72-215-204-133.ph.ph.cox.net) has joined ##uportal
[13:30:47 EDT(-0400)] <EricDalquist> http://www.ja-sig.org/wiki/download/attachments/27525146/personDirectoryContext.xml
[13:31:00 EDT(-0400)] <EricDalquist> so that is what we use in production for our person directory context
[13:31:21 EDT(-0400)] <EricDalquist> I'm working on a diagram of the thing since it is huge
[13:46:33 EDT(-0400)] <invisibill> Thanks Eric. I see that you have your org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao as a property of cachingLdapPersonAttributeDao. I'm wondering if I need to do the same in our setup. because with what I have now, I am only able to find myself and no others.
[13:47:12 EDT(-0400)] <invisibill> this is what I've got for the ldap bean: http://uportal.pastebin.com/m20c69a09
[13:52:32 EDT(-0400)] <invisibill> brb in 30 min. quick meeting. thanks for your help so far.