Grouper Developers Forum

[Gagné Sébastien <>]

I found the problem, sorry to say, but it’s a Grouper problem, it all boils down to “AttributeModifier.java” where you have 2 problems :

 

AttributeModifier.java

=== First  ===

Line 123

 

/**

* If false, modifications should consist of add and delete operations. If true, modifications should consist of

* replace operations.

*/

private boolean replaceValues = false;

 

This should be set to True, I don’t understand why the default is false. Do you have a good reason for it ?

 

=== Second ===

Lines 416-432

you’re doing adds before deletes, you should reverse them, i.e.

 

            if (deletes.size() > 0) {

                DSMLModification dsmlMod =

                        new DSMLModification(attributeName, makeDSMLValues(deletes), ModificationMode.DELETE);

                Modification modification = new Modification();

                modification.addOpenContentElement(dsmlMod);

                modification.setModificationMode(ModificationMode.DELETE);

                modifications.add(modification);

            }

 

            if (adds.size() > 0) {

                DSMLModification dsmlMod =

                        new DSMLModification(attributeName, makeDSMLValues(adds), ModificationMode.ADD);

                Modification modification = new Modification();

                modification.addOpenContentElement(dsmlMod);

                modification.setModificationMode(ModificationMode.ADD);

                modifications.add(modification);

            }

 

I don’t understand how an “Add before Delete” can even work on a single valued attribute and why it didn’t fail before.

 

Is it possible to fix it in the Trunk ?

 

Thanks

 

 

De : Gagné Sébastien
Envoyé : 5 février 2013 10:16
À : Gagné Sébastien;
Objet : RE: [grouper-dev] RE: Different attribute that are the same for AD

 

Ok, I think I understand what’s happening now :

The modify request is doing “Add” before “Delete”, this usually work (see #1), but not if the description is similar (e.g. only the case is modified, see #2), in that case Active Directory is refusing the Add because you’re trying to add the same value a second time. If the delete is done before the Add (see #3), then everything works fine.

 

Is the Add-Delete sequence controlled in Grouper or is it something in vt-ldap ? I think that always doing delete first should solve these problems.

 

Test cases :

 

#1   - Two different description with Add first = OK

 

#!RESULT OK

#!DATE 2013-02-05T15:00:13.951

dn: CN=0107-admins,OU=acad,OU=Grouper,OU=People,DC=devsim,DC=umontreal,DC=ca

changetype: modify

add: description

description: departement

-

delete: description

description: Administrateurs du departement 0107, Urbanisme (Institut d')

-

 

#2  - Two equivalent (equals for AD) description with add first = FAILURE

 

#!RESULT ERROR

#!DATE 2013-02-05T15:01:06.666

#!ERROR [LDAP: error code 20 - 00002083: AtrErr: DSID-031513D7, #1:    0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att d (description):len 22 _

dn: CN=0107-admins,OU=acad,OU=Grouper,OU=People,DC=devsim,DC=umontreal,DC=ca

changetype: modify

add: description

description: DEPARTEMENT

-

delete: description

description: departement

-

 

#3  - Two equivalent (equals for AD) description with delete first = SUCCESS

 

#!RESULT OK

#!DATE 2013-02-05T15:08:17.702

dn: CN=0107-admins,OU=acad,OU=Grouper,OU=People,DC=devsim,DC=umontreal,DC=ca

changetype: modify

delete: description

description: DEPARTEMENT

-

add: description

description: Departement

 

De : [] De la part de Gagné Sébastien
Envoyé : 4 février 2013 15:47
À :
Objet : [grouper-dev] RE: Different attribute that are the same for AD

 

I did a few more tests, and doing similar changes using an LDIF file using Apache Directory Studio did work, so I’m a little more confused

 

#!RESULT OK

#!DATE 2013-02-04T20:42:57.142

dn: CN=0107-admins,OU=acad,OU=Grouper,OU=People,DC=devsim,DC=umontreal,DC=ca

changetype: modify

replace: description

description: DEPARTEMENT

-

 

#!RESULT OK

#!DATE 2013-02-04T20:43:17.269

dn: CN=0107-admins,OU=acad,OU=Grouper,OU=People,DC=devsim,DC=umontreal,DC=ca

changetype: modify

replace: description

description: Departement

 

#!RESULT OK

#!DATE 2013-02-04T20:43:23.062

dn: CN=0107-admins,OU=acad,OU=Grouper,OU=People,DC=devsim,DC=umontreal,DC=ca

changetype: modify

replace: description

description:: RMOpcGFydGVtZW50  (note : this is « Département » in base 64)

 

De : Gagné Sébastien
Envoyé : 4 février 2013 14:23
À : Grouper Dev ()
Objet : Different attribute that are the same for AD

 

Hi,

A few weeks back I sent an email about AD thinking accent character are the same as their non-accented form and that cause an error in the sync. I found another use case that should be more plausible for an english crowd : upper vs lower-case

 

Here is a use case using the “description” attribute :

1-      A course is created using the description “MASTERS DEGREE”

2-      Our loader creates a group with the description “MASTERS DEGREE”

3-      The group is synched in Active directory with description = MASTERS DEGREE

4-      2 days later, the teacher sees the all caps title and changes it to “Masters Degree”

5-      Grouper updates the description to “Masters Degree”

6-      The PSP sees the difference (changelog or bulk) and tries to change “MASTERS DEGREE” to “Masters Degree”

7-      Active Directory throws an exception saying it’s the same value (LDAP: error code 20 (ATT_OR_VALUE_EXISTS))

 

This wouldn’t happen if another letter was added or changed. Do you think something can be done about it ? I have trouble seeing what could be done…

 

 

Sébastien Gagné,     | Analyste en informatique

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11