Grouper Developers Forum

[Tom Barton <>]

I'll add an item to this effect to the draft roadmap that we'll be 
discussing over the near term.

THIA Jean-Marie wrote:
> Hi,
>
> I tried the same thing. I manually removed a subject from the subject 
> registry using a sql query. I cannot remove the subject from group using gsh 
> (the message is : // error: subject not found: habu). But using the UI is 
> more problematic, the server return a 500 error to the browser when I try to 
> list the members of the group. I went to the tomcat and application logs and 
> did not find anything interesting.
>
> I think that the UI, should reflect the error and show the same message as 
> gsh to resolve the http 500 error. We should have a way to force the deletion 
> of a membership if there is an error when fetching the subject, just to avoid 
> the fact that the LDAP server might be down.
>
> Keeping things in sync with grouper registry and an remote LDAP subject 
> registry is a hard job, and I vote for James's scrubber.
>
> Jean Marie
>
>
> > -----Original Message-----
> > From: Cramton, James 
> > [mailto:]
> > Sent: mardi 4 septembre 2007 15:59
> > To: Joy Veronneau; Grouper Dev
> > Subject: RE: [grouper-dev] Grouper 1.2.0 in production at Brown
> >
> > We're thinking of writing a scrubber script that would remove any group
> > members that are not active in the person registry. For our provisioned
> > groups, this is already handled, but our population of non-provisioned
> > groups will grow as Grouper is used more extensively, and these ad-hoc
> > groups will need to be cleaned up under current design. It would be nice
> > if Grouper did this cleanup natively. We'll be looking into this issue
> > in more detail during the coming semester.
> >
> > James
> >
> > -----Original Message-----
> > From: Joy Veronneau 
> > [mailto:]
> > Sent: Tuesday, September 04, 2007 9:39 AM
> > To: Grouper Dev
> > Subject: Re: [grouper-dev] Grouper 1.2.0 in production at Brown
> >
> >
> > Hi,
> >
> > We will have this same problem at Cornell (group members who get
> > removed from the directory and then can't be deleted from a group.)
> > Our applicants will also be members of at least one group.  In addition,
> > we have employees in our ldap directory who are deleted twice a year as
> > they leave Cornell.  While we could try to remember to delete people
> > from groups before we remove them from the directory, I suspect that
> > won't always happen.
> >
> > Thanks,
> >
> > Joy
> >
> > > It's worth noting, however, that we encountered an architectural issue
> > > under the jndi person registry that we avoid by the design of our sql
> > > person registry. We saw java exceptions in Grouper for groups that
> > > referenced person objects that have been purged from our LDAP
> > > directory.
> > > It seems the subject API needs to instantiate the subject before it
> > > can
> > > remove a member of a group. But if the subject does not exist in the
> > > directory, Grouper produces a runtime exception when it tries to
> > > instantiate the subject. We get around this with our sql person
> > > registry
> > > by never deleting people from our sql registry, even if they are
> > > deleted
> > > from our LDAP registry. We simply change their status in the sql
> > > registry whenever it changes in the LDAP directory, so the last known
> > > status of a deleted LDAP user is typically "deleted" in our sql
> > > registry. For the time being, this is acceptable, but with each
> > > passing
> > > year, our person registry will grow by 40,000 people (mostly deleted
> > > applicants). We would prefer to use our LDAP registry as our person
> > > source in Grouper, but before we can realistically use an LDAP person
> > > source, we will need a means of deleting people from a group if the
> > > person object does not exist in the directory.