Grouper Users - Open Discussion List

[Tom Barton <>]

[I'm keeping this just on the grouper-users list]

In addition to Kathryn's comment about not using the g:gsa source, I 
noticed a couple of other things about your ldappc.xml file that don't 
seem right, though I don't know whether they explain the error you're 
getting.

冯娟 wrote:
> <ldappc>
>  <grouper>
>    <group-queries>
>      <subordinate-stem-queries>
>        <stem-list>
>          <stem></stem>
>        </stem-list>
>      </subordinate-stem-queries>

I think that this selects no stems, ie, no groups will be provisioned. 
Either omit the <subordinate-stem-queries> element, which will signify 
all stems should be selected, or list some actual stem names.

>      <!--
>      <attribute-matching-queries>
>        <attribute-list>
>          <attribute name="attribute" value="value" />
>        </attribute-list>
>      </attribute-matching-queries>
>      -->
>    </group-queries>
>    <groups structure="flat"
>      root-dn="ou=Groups,dc=scut,dc=edu,dc=cn"
>      ldap-object-class="groupOfNames"
>      ldap-rdn-attribute="cn" grouper-attribute="name" >
>      <group-members-dn-list list-object-class="scutCNEduPerson"
> list-attribute="member" list-empty-value=""/>

The list-object-class value must be an objectclass containing the 
list-attribute. In your case, using "member" is fine, but then you 
probably mean list-object-class="groupOfNames".

>    </groups>
>
>    <memberships>
> <member-groups-list
>        list-object-class="groupOfNames"
>        list-attribute="ou"
>        naming-attribute="name" />

Similar to the above, using "ou" should work (though that might not be 
in accord with its intended semantics), but I doubt that you have or 
want your person ldap entries to have "groupOfNames" objectclass values. 
Some ldap servers won't allow 2 incompatible structural objectclass 
types on the same entry. For list-object-class here use 
"organizationalPerson", or possibly "organizationalRole", depending on 
what you're attempting to do, being the objectclass that contains the 
"ou" attribute.

>    </memberships>
>
>  </grouper>
>
>  <source-subject-identifiers>
>    <source-subject-identifier source="example" subject-attribute="uid" >
>      <ldap-search base="ou=People,dc=scut,dc=edu,dc=cn"
>        scope="subtree_scope"
>        filter="(uid={0})" />
>    </source-subject-identifier>
>    <source-subject-identifier source="g:gsa" subject-attribute="name">
>      <ldap-search base="ou=Groups,dc=scut,dc=edu,dc=cn"
> scope="subtree_scope"
> filter="(cn={0})" />
>    </source-subject-identifier>

Omit this <source-subject-identifier source="g:gsa" ...> element. Ldappc 
uses the grouper API directly and does not treat grouper groups as 
"subjects".

>  </source-subject-identifiers>
>
>  <ldap>
>    <context>
>      <parameter-list>
>        <parameter name="initial_context_factory" value="
> com.sun.jndi.ldap.LdapCtxFactory" />
>        <parameter name="provider_url" value="ldap://192.168.78.12:389"; />
>        <parameter name="security_authentication" value="simple" />
>        <parameter name="security_principal" value="cn=Directory Manager" />
>        <parameter name="security_credentials" value="ldap+admin" />
>      </parameter-list>
>    </context>
>  </ldap>
>
> </ldappc>