grouper-users - Re: [grouper-users] ldappc + membership
Subject: Grouper Users - Open Discussion List
- From: Graham Seaman <>
- To: "" <>
- Subject: Re: [grouper-users] ldappc + membership
- Date: Thu, 05 Jun 2008 18:22:06 +0100
Tom Barton wrote:
Googling for the meaning of err: 20, it seems possible that there's a case sensitivity bug, probably somewhere in Ldappc, that's being exposed by your DN having mixed case. Is it easy for you to change the case of that OU to all lower, just to test and confirm that this somehow exposes the exception?
I'm afraid that makes no difference at all:
javax.naming.directory.AttributeInUseException: [LDAP: error code 20 - Attribute Or Value Exists]; remaining name 'cn=seamang,ou=flame users,dc=lse,dc=ac,dc=uk'
Graham
I've created bug MCO-15 in jira to track this.
Tom
Graham Seaman wrote:
Hi,
I'm trying to use ldappc to provision ldap (Fedora Directory Server) from grouper. I'm fairly new to both ldap and grouper. My source for users is the ldap directory. After a lot of struggling[1], I can now get ldappc to provision grouper groups into the ldap directory, correctly creating the group information and populating them with the group members. But I have not been able to persuade ldappc to work with the -memberships option.
My initial intent was to use the existing eduPersonEntitlement field to carry the membership information, with ldappc.xml set up as:
<member-groups-list
list-object-class="eduPerson"
list-attribute="eduPersonEntitlement"
naming-attribute="name" />
This attribute is already in use in my directory, but a quick look at GrouperProvisioner.java suggested it should be able to append group names to existing information in the attribute. When I attempted this ldappc managed to find the records to update, but threw exceptions when trying to update them:
./ldappc -memberships -subject GrouperSystem
javax.naming.directory.AttributeInUseException: [LDAP: error code 20 - Attribute Or Value Exists]; remaining name 'CN=xyz,ou=Flame Users,dc=lse,dc=ac,dc=uk'
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:161)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:148)
    at edu.internet2.middleware.ldappc.GrouperProvisioner.updateSubject(GrouperProvisioner.java:735)
    at edu.internet2.middleware.ldappc.GrouperProvisioner.performActualMembershipUpdates(GrouperProvisioner.java:622)
    at edu.internet2.middleware.ldappc.GrouperProvisioner.provisionMemberships(GrouperProvisioner.java:437)
    at edu.internet2.middleware.ldappc.GrouperProvisioner.provision(GrouperProvisioner.java:185)
(in the ldap log this shows as
[05/Jun/2008:14:04:12 +0100] conn=18 op=9 MOD dn="CN=xyz,ou=Flame Users,dc=lse,dc=ac,dc=uk"
[05/Jun/2008:14:04:12 +0100] conn=18 op=9 RESULT err=20 tag=103 nentries=0 etime=0 )
OK, so I assumed the problem was in the attribute already being in use. I went back and redefined my ldap entries as having objectclass eduMember, and restored ldappc.xml to the original default values:
<memberships>
<member-groups-list
list-object-class="eduMember"
list-attribute="isMemberOf"
naming-attribute="name" />
</memberships>
But ldappc still throws exactly the same exception, although the isMemberOf attribute is empty.
Any suggestions as to what to try next?
Thanks
Graham Seaman
[1] The initial configuration problems included a faulty configuration causing ldappc to delete the entire ldap directory, requiring a reinstall. After that I realised it would be sensible for ldappc not to connect as the Directory manager, but as a user with rather less power. Unfortunately this led to a series of minor problems needing ACIs and exceptional rules which led to my user being effectively an administrator anyway.
--
Sponsor me from London to Brighton on http://www.justgiving.com/grahamseaman
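Added example, not part of the original message and not ldappc code: a small Python script that pairs each MOD line in a directory server access log with its RESULT line by conn/op, so the entries a provisioning run failed on with err=20 can be listed. The sample log is constructed from the two log lines quoted in the message, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the access-log format quoted in the message above;
# the first two lines are copied from it, the rest are made up for illustration.
SAMPLE_LOG = '''\
[05/Jun/2008:14:04:12 +0100] conn=18 op=9 MOD dn="CN=xyz,ou=Flame Users,dc=lse,dc=ac,dc=uk"
[05/Jun/2008:14:04:12 +0100] conn=18 op=9 RESULT err=20 tag=103 nentries=0 etime=0
[05/Jun/2008:14:04:13 +0100] conn=18 op=10 MOD dn="cn=abc,ou=Flame Users,dc=lse,dc=ac,dc=uk"
[05/Jun/2008:14:04:13 +0100] conn=18 op=10 RESULT err=0 tag=103 nentries=0 etime=0
[05/Jun/2008:14:04:14 +0100] conn=19 op=9 MOD dn="cn=xyz,ou=flame users,dc=lse,dc=ac,dc=uk"
[05/Jun/2008:14:04:14 +0100] conn=19 op=9 RESULT err=20 tag=103 nentries=0 etime=0
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
MOD = re.compile(r'^MOD dn="(?P<dn>[^"]*)"')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+)\b')


def failed_mods(log_text):
    """Return (timestamp, dn, err) for every MOD whose RESULT has err != 0."""
    pending = {}    # (conn, op) -> DN of a MOD still waiting for its RESULT
    failures = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        key = (m['conn'], m['op'])   # op numbers restart per connection
        mod = MOD.match(m['rest'])
        if mod:
            pending[key] = mod['dn']
            continue
        res = RESULT.match(m['rest'])
        if res and key in pending:
            dn = pending.pop(key)
            if res['err'] != '0':
                failures.append((m['ts'], dn, int(res['err'])))
    return failures


def failures_by_entry(log_text, err=20):
    """Count failures with one result code per entry.

    DNs are lower-cased for grouping only (a simplification, not full DN
    normalisation), so mixed-case and lower-case spellings count together.
    """
    return Counter(dn.lower() for _, dn, e in failed_mods(log_text) if e == err)
```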