Grouper Developers Forum

[THIA Jean-Marie <>]

Hi,

I tried the same thing. I manually removed a subject from the subject 
registry using a sql query. I cannot remove the subject from group using gsh 
(the message is : // error: subject not found: habu). But using the UI is 
more problematic, the server return a 500 error to the browser when I try to 
list the members of the group. I went to the tomcat and application logs and 
did not find anything interesting.

I think that the UI, should reflect the error and show the same message as 
gsh to resolve the http 500 error. We should have a way to force the deletion 
of a membership if there is an error when fetching the subject, just to avoid 
the fact that the LDAP server might be down.

Keeping things in sync with grouper registry and an remote LDAP subject 
registry is a hard job, and I vote for James's scrubber.

Jean Marie


> -----Original Message-----
> From: Cramton, James 
> [mailto:]
> Sent: mardi 4 septembre 2007 15:59
> To: Joy Veronneau; Grouper Dev
> Subject: RE: [grouper-dev] Grouper 1.2.0 in production at Brown
>
> We're thinking of writing a scrubber script that would remove any group
> members that are not active in the person registry. For our provisioned
> groups, this is already handled, but our population of non-provisioned
> groups will grow as Grouper is used more extensively, and these ad-hoc
> groups will need to be cleaned up under current design. It would be nice
> if Grouper did this cleanup natively. We'll be looking into this issue
> in more detail during the coming semester.
>
> James
>
> -----Original Message-----
> From: Joy Veronneau 
> [mailto:]
> Sent: Tuesday, September 04, 2007 9:39 AM
> To: Grouper Dev
> Subject: Re: [grouper-dev] Grouper 1.2.0 in production at Brown
>
>
> Hi,
>
> We will have this same problem at Cornell (group members who get
> removed from the directory and then can't be deleted from a group.)
> Our applicants will also be members of at least one group.  In addition,
> we have employees in our ldap directory who are deleted twice a year as
> they leave Cornell.  While we could try to remember to delete people
> from groups before we remove them from the directory, I suspect that
> won't always happen.
>
> Thanks,
>
> Joy
>
> > It's worth noting, however, that we encountered an architectural issue
> > under the jndi person registry that we avoid by the design of our sql
> > person registry. We saw java exceptions in Grouper for groups that
> > referenced person objects that have been purged from our LDAP
> > directory.
> > It seems the subject API needs to instantiate the subject before it
> > can
> > remove a member of a group. But if the subject does not exist in the
> > directory, Grouper produces a runtime exception when it tries to
> > instantiate the subject. We get around this with our sql person
> > registry
> > by never deleting people from our sql registry, even if they are
> > deleted
> > from our LDAP registry. We simply change their status in the sql
> > registry whenever it changes in the LDAP directory, so the last known
> > status of a deleted LDAP user is typically "deleted" in our sql
> > registry. For the time being, this is acceptable, but with each
> > passing
> > year, our person registry will grow by 40,000 people (mostly deleted
> > applicants). We would prefer to use our LDAP registry as our person
> > source in Grouper, but before we can realistically use an LDAP person
> > source, we will need a means of deleting people from a group if the
> > person object does not exist in the directory.