
grouper-users - Re: null dto in class edu.internet2.middleware.grouper.GrouperSession

Subject: Grouper Users - Open Discussion List

  • From: Tom Barton
  • To: maliang
  • Cc: Grouper Users
  • Subject: Re: null dto in class edu.internet2.middleware.grouper.GrouperSession
  • Date: Fri, 03 Aug 2007 09:40:20 -0500

<CCing grouper-users again>

Comments below.

maliang wrote:
> I'm sorry for writing you such a long message.
>
> I met errors when I run the ldappc with grouper 1.2.
>
> Error : " [java] 2007-08-02 17:55:01,515 FATAL ErrorLog:
> [edu.internet2.middleware.ldappc.LdappcGrouperProvisioner] Grouper
> Provision Failed: null dto in class
> edu.internet2.middleware.grouper.GrouperSession"
>
> There is someone who also met the Error msg in the mail list, but I
> haven't how he resolved.

It is not clear that provisioning actually failed, despite the error
message. Have you checked to see what, if anything, was in fact
provisioned to your LDAP directory?

> I have put the grouper-20070802.jar & subject-0.3.0-rc1-cvs.jar in
> the folder: ldappc/lib, and grouper-20070802.jar was generated by
> grouper v1.2 after the cmd "ant dist", subject-0.3.0-rc1-cvs.jar is
> the one which I used to run grouper v1.2.

Good.

> There are two stems in grouper v1.2: etc and SCUT. And I want to provision
> SCUT from grouper to my ldap server.
>
> I also modified the source code of ldappc just a little to make it
> output something, and I got:
>
> "
> [java] before perform the search
> [java] searchControls:
> [java] CountLimit : 0
> [java] ReturningAttributes : null
> [java] SearchScope : 2
> [java] filter : (!(objectClass=groupOfNames))
> "
>
> All was output before "NamingEnumeration searchEnum =
> getContext().search(getRoot(), filter,searchControls);" in
> GroupEntrySynchronizer.java

I don't understand why that filter appears...

> I think there may be something wrong with my sources.xml and
> ldappc.xml.
>
> Here is the sources.xml and the ldappc.xml
>
> sources.xml :
> <?xml version="1.0" encoding="utf-8"?>
> <sources>
> <!-- Group Subject Resolver -->
> <!--
> NOTE: It is recommended that you **not** change the default
> values for this source adapter.
> -->
> <!--
> <source
> adapterClass="edu.internet2.middleware.grouper.GrouperSourceAdapter">
> <id>g:gsa</id>
> <name>Grouper: Group Source Adapter</name>
> <type>group</type>
> </source>
> -->
> <!-- Group Subject Resolver -->

You have this commented out. The GrouperSourceAdapter is required for
the grouper API, and hence ldappc, to work properly.

> <source
> adapterClass="edu.internet2.middleware.subject.provider.JDBCSourceAdapter">
> <!--id>jdbc</id-->
> <id>scut</id>
> <name>JDBC Source Adapter</name>
> <type>person</type>
> <init-param>
> <param-name>maxActive</param-name>
> <param-value>4</param-value>
> </init-param>
> <init-param>
> <param-name>maxIdle</param-name>
> <param-value>2</param-value>
> </init-param>
> <init-param>
> <param-name>maxWait</param-name>
> <param-value>5</param-value>
> </init-param>
> <!-- Oracle -->
> <init-param>
> <param-name>dbDriver</param-name>
> <param-value>oracle.jdbc.driver.OracleDriver</param-value>
> </init-param>
> <init-param>
> <param-name>dbUrl</param-name>
> <param-value>jdbc:oracle:thin:@xxxxxxx:ram-value>
> </init-param>
> <init-param>
> <param-name>dbUser</param-name>
> <param-value>xxxxram-value>
> </init-param>
> <init-param>
> <param-name>dbPwd</param-name>
> <param-value>xxxxram-value>
> </init-param>
>
> <init-param>
> <param-name>SubjectID_AttributeType</param-name>
> <param-value>subjectId</param-value>
> </init-param>
> <init-param>
> <param-name>Name_AttributeType</param-name>
> <param-value>name</param-value>
> </init-param>
> <init-param>
> <param-name>Description_AttributeType</param-name>
> <param-value>name</param-value>
> </init-param>
>
> <search>
> <searchType>searchSubject</searchType>
> <param>
> <param-name>numParameters</param-name>
> <param-value>1</param-value>
> </param>
> <param>
> <param-name>sql</param-name>
> <param-value>select * from Subject where (subjectId=?)</param-value>
> </param>
> </search>
> <search>
> <searchType>searchSubjectByIdentifier</searchType>
> <param>
> <param-name>numParameters</param-name>
> <param-value>1</param-value>
> </param>
> <param>
> <param-name>sql</param-name>
> <param-value>select * from Subject where (name=?)</param-value>
> </param>
> </search>
> <search>
> <searchType>search</searchType>
> <param>
> <param-name>numParameters</param-name>
> <param-value>2</param-value>
> </param>
> <param>
> <param-name>sql</param-name>
> <param-value>
> select * from Subject where
> (subjectId like '%?%')
> or (name like '%?%')

I think the syntax

like '%'||?||'%'

may be necessary, but I'm not an expert here.

> </param-value>
> </param>
> </search>
> </source>
> </sources>
>
>
>
> ldappc.xml
> <?xml version="1.0" encoding="utf-8"?>
> <!--
> * This file contains data for testing Ldappc.
> *
> * See ldappcTemplate.xml for documentation regarding how to use these
> * elements.
> -->
> <ldappc>
> <grouper>
> <group-queries>
> <subordinate-stem-queries>
> <stem-list>
> <stem>SCUT</stem>
> </stem-list>
> </subordinate-stem-queries>
> </group-queries>
> <groups structure="flat"
> root-dn="ou=testgrouper,dc=scut,dc=edu,dc=edu"

Are there really 2 "dc=edu" DN components?

> ldap-object-class="groupOfNames"
> ldap-rdn-attribute="cn" grouper-attribute="name" >
> <group-members-dn-list list-object-class="groupOfNames"
> list-attribute="member" list-empty-value=""/>
> <group-members-name-list list-object-class="eduMember"
> list-attribute="hasMember" >
> <source-subject-name-mapping>
> <source-subject-name-map source="SCUT" subject-attribute="uid" />

1. Is there a 'uid' column in the Subjects table in your 'scut' source?
2. The source is case sensitive: use 'scut' here or 'SCUT' in sources.xml.

> <!--source-subject-name-map source="g:gsa"
> subject-attribute="name" /-->

Although this is optional, without it names of subgroups will not be
listed in group-members-name-list.

> </source-subject-name-mapping>
> </group-members-name-list>
> <!--
> <group-attribute-mapping ldap-object-class="">
> <group-attribute-map group-attribute="xxxx" ldap-attribute="yyyy" />
> </group-attribute-mapping>
> -->
> </groups>
> <memberships>
> <member-groups-list
> list-object-class="eduMember"
> list-attribute="isMemberOf"
> naming-attribute="name" />
> </memberships>
> </grouper>
>
> <signet>
> <permissions-listing stored-as="string"
> string-object-class="eduPerson"
> string-attribute="eduPersonEntitlement"
> string-prefix="urn:mace:example.edu:permission:" />
> <!--
> <permissions-queries>
> <subsystem-queries>
> <subsystem-list>
> <subsystem id="" />
> </subsystem-list>
> </subsystem-queries>
> <function-queries>
> <function-list>
> <function id="" />
> </function-list>
> </function-queries>
> </permissions-queries>
> -->
> </signet>

Are you also provisioning signet permissions? If not, the entire
<signet> section should be removed or commented out.

> <source-subject-identifiers>
> <source-subject-identifier source="SCUT" subject-attribute="LOGINID" >
> <ldap-search base="ou=testgrouper,dc=scut,dc=edu,dc=cn"
> scope="subtree_scope"
> filter="(uid={0})" />
> </source-subject-identifier>

1. Source is case sensitive.
2. subject-attribute must exist in the source.
3. 2 "dc=edu" DN components.
4. Are the LDAP entries corresponding to 'scut' subjects located under
ou=testgrouper? More commonly these are placed under "ou=people", or
some ou distinct from where the group entries are placed.

> <source-subject-identifier source="signet" subject-attribute="uid">
> <ldap-search base="ou=testgrouper,dc=scut,dc=edu,dc=cn"
> scope="subtree_scope"
> filter="(uid={0})" />
> </source-subject-identifier>
> </source-subject-identifiers>

You have no 'signet' source. This section should be removed.

If you want group entries to have isMemberOf values (that show the
groups they are subgroups of), you'll need a source-subject-identifier
section for source='g:gsa' to tell ldappc how to locate a group in ldap
when it is viewed as a kind of Subject. This is also necessary, I think,
to list the DNs of subgroups in a group's group-members-dn-list attribute.

> <ldap>
> <context>
> <parameter-list>
> <parameter name="initial_context_factory"
> value="com.sun.jndi.ldap.LdapCtxFactory" />
> <parameter name="provider_url" value="ldap://192.168.78.16:399" />
> <parameter name="security_authentication" value="simple" />
> <parameter name="security_principal" value="xxx>
> <parameter name="security_credentials" value="xxxx
> </parameter-list>
> </context>
> </ldap>
>
> </ldappc>
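
Added example, not part of the original message or of ldappc: a small cross-file check for the kinds of mismatch raised in the reply above (source ids that differ in case or are undefined, a missing `g:gsa` source, and DN suffixes that disagree). The two XML strings are constructed, trimmed copies of the quoted files, and the naive comma split of DNs is an assumption that holds for these values.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copies of the two files quoted in the thread.
SOURCES_XML = """<sources>
  <source><id>scut</id><type>person</type></source>
</sources>"""

LDAPPC_XML = """<ldappc>
  <grouper><groups structure="flat" root-dn="ou=testgrouper,dc=scut,dc=edu,dc=edu">
    <group-members-name-list list-object-class="eduMember" list-attribute="hasMember">
      <source-subject-name-mapping>
        <source-subject-name-map source="SCUT" subject-attribute="uid"/>
      </source-subject-name-mapping>
    </group-members-name-list>
  </groups></grouper>
  <source-subject-identifiers>
    <source-subject-identifier source="SCUT" subject-attribute="LOGINID">
      <ldap-search base="ou=testgrouper,dc=scut,dc=edu,dc=cn" filter="(uid={0})"/>
    </source-subject-identifier>
    <source-subject-identifier source="signet" subject-attribute="uid">
      <ldap-search base="ou=testgrouper,dc=scut,dc=edu,dc=cn" filter="(uid={0})"/>
    </source-subject-identifier>
  </source-subject-identifiers>
</ldappc>"""

def dc_suffix(dn):
    """Return only the dc= components of a DN, lower-cased, in order."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))

def lint(sources_xml, ldappc_xml):
    findings = []
    # XML comments are skipped by the parser, so a commented-out source is absent.
    ids = {s.findtext("id") for s in ET.fromstring(sources_xml).iter("source")}
    if "g:gsa" not in ids:
        findings.append("sources.xml: g:gsa (GrouperSourceAdapter) is not defined")
    cfg = ET.fromstring(ldappc_xml)
    for el in cfg.iter():
        src = el.get("source")
        if src is None or src in ids:
            continue  # source ids are compared case-sensitively
        near = [i for i in ids if i and i.lower() == src.lower()]
        hint = f" (case differs from '{near[0]}')" if near else ""
        findings.append(f"<{el.tag}>: source '{src}' not in sources.xml{hint}")
    suffixes = sorted({dc_suffix(el.get(a)) for el in cfg.iter()
                       for a in ("root-dn", "base") if el.get(a)})
    if len(suffixes) > 1:
        findings.append("DN suffixes disagree: " + " vs ".join(suffixes))
    return findings
```

Calling `lint(SOURCES_XML, LDAPPC_XML)` returns five findings for the constructed input, one per mismatch.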
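
Added example, not part of the original message: the `like '%?%'` versus `like '%'||?||'%'` question from the `search` query above, run against an in-memory SQLite table. SQLite stands in for the Oracle database here (an assumption), and the rows are constructed. A `?` inside a string literal is literal text, not a bind placeholder, so the first form has zero parameters while the configuration declares two.

```python
import sqlite3

# Constructed sample rows; the real Subject table lives in Oracle.
ROWS = [("u1001", "Li Wei"), ("u1002", "Wang Fang"),
        ("u2001", "Li Na"), ("u3001", "O'Brien")]

# Query as quoted in sources.xml: both '?' sit inside string literals.
BROKEN = ("select * from Subject where (subjectId like '%?%') "
          "or (name like '%?%')")
# Form suggested in the reply: placeholders concatenated with the wildcards.
FIXED = ("select * from Subject where (subjectId like '%'||?||'%') "
         "or (name like '%'||?||'%')")

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table Subject (subjectId text, name text)")
    db.executemany("insert into Subject values (?, ?)", ROWS)
    return db

def search(db, sql, term):
    """Bind the term twice, matching numParameters=2 in the config."""
    return sorted(db.execute(sql, (term, term)).fetchall())

def broken_error(db, term):
    """Return the driver's error text for the quoted form, or None."""
    try:
        search(db, BROKEN, term)
    except sqlite3.ProgrammingError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    db = make_db()
    print("broken:", broken_error(db, "Li"))
    print("fixed: ", search(db, FIXED, "Li"))
    # A quote in the bound value needs no escaping: it is data, not SQL.
    print("quote: ", search(db, FIXED, "O'B"))
```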


