
grouper-dev - Re: [grouper-dev] Deleted groups and LDAPPC

Subject: Grouper Developers Forum

  • From: Tom Zeller <>
  • To: Grouper Dev <>
  • Cc:
  • Subject: Re: [grouper-dev] Deleted groups and LDAPPC
  • Date: Thu, 19 Feb 2009 16:53:46 -0600

Ldappc will not remove membership for a deleted group correctly if the member has other provisioned memberships.

Jira issue : https://bugs.internet2.edu/jira/browse/GRP-229

Given the test setup :

groupA
members: subjectA

groupB
members: subjectA

Ldappc will provision subjectA as :

cn=subjectA
isMemberOf : groupA
isMemberOf : groupB

Then delete groupA, and run ldappc -memberships, which will not change the provisioning of subjectA!

This is because, as Arnaud points out, the subject dn's membership is not removed since the subject is a member of another group. GrouperProvisioner.buildSourceSubjectDnSet slurps all subjects which are members via the filter "(&(uid=*)(|(isMemberOf=*)(objectClass=eduMember))", which in the case above includes subjectA. Then, when iterating over the groups to be provisioned, subjectA is removed from the memberships to be deleted since they are a member of another group!

buildSourceSubjectDnSet(existingSubjectDns, existingObjectDns);

for (Group group : groups) {
 for (Member member : (Set<Member>) group.getMembers()) {
  ...
  existingSubjectDns.remove(subjectDn);

try {
 clearSubjectEntryMemberships(existingSubjectDns);

On Thu, Feb 19, 2009 at 11:43 AM, Arnaud Deman <> wrote:
Do not curse me but I think I have found another strange behaviour of ldappc regarding the deleted groups.
When a group is deleted, if the user belongs to some other groups then the isMemberOf remains in the user entry for this group.

After looking at the code I would say it is due to the fact that, in the method GrouperProvisioner.provisionMemberships, the user's dn is removed from the list existingSubjectDns so it is not handled by the call of clearSubjectEntryMemberships(existingSubjectDns).
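
A simplified Python model of the behaviour discussed in this thread, added here as an illustration and not taken from Ldappc (which is Java) or from either poster. It contrasts clearing memberships per subject with comparing each isMemberOf value, and adds an audit check for stale values; the function names and sample data are constructed.

```python
# Constructed sample: directory state before the run, and the groups that
# still exist after groupA was deleted.
DIRECTORY = {"cn=subjectA": {"groupA", "groupB"}, "cn=subjectC": {"groupA"}}
GROUPS = {"groupB": {"cn=subjectA"}}


def reconcile_by_subject(directory, groups):
    """Model of the flow in the thread: a subject is cleared only when it
    belongs to no remaining group at all."""
    # Stands in for buildSourceSubjectDnSet: every entry with isMemberOf.
    existing = {dn for dn, values in directory.items() if values}
    result = {dn: set(values) for dn, values in directory.items()}
    for group, members in groups.items():
        for dn in members:
            result.setdefault(dn, set()).add(group)
            existing.discard(dn)  # still a member somewhere, so never cleared
    for dn in existing:  # stands in for clearSubjectEntryMemberships
        result[dn].clear()
    return result


def reconcile_by_value(directory, groups):
    """Alternative: rebuild each subject's value set from the remaining
    groups, so a value for a deleted group is dropped individually."""
    desired = {}
    for group, members in groups.items():
        for dn in members:
            desired.setdefault(dn, set()).add(group)
    return {dn: desired.get(dn, set()) for dn in directory.keys() | desired.keys()}


def stale_memberships(directory, groups):
    """Audit check: (subject, group) pairs present in the directory that no
    existing group membership backs."""
    return sorted(
        (dn, group)
        for dn, values in directory.items()
        for group in values
        if dn not in groups.get(group, set())
    )


if __name__ == "__main__":
    print("per-subject:", stale_memberships(reconcile_by_subject(DIRECTORY, GROUPS), GROUPS))
    print("per-value:  ", stale_memberships(reconcile_by_value(DIRECTORY, GROUPS), GROUPS))
```

Running `stale_memberships` against a directory export after each provisioning run surfaces leftover isMemberOf values that applications may still be treating as authorization.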



