Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] ldappc + membership

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] ldappc + membership

Chronological Thread 
  • From: Kathryn Huxtable <>
  • To: Graham Seaman <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] ldappc + membership
  • Date: Fri, 6 Jun 2008 12:42:30 -0500

Another thing to watch out for is that if you are already using eduPersonEntitlement ldappc will remove any non-Grouper values in the attribute. I wouldn't recommend re-using an attribute. But it shouldn't cause an error.


On Jun 5, 2008, at 8:49 AM, Graham Seaman wrote:


I'm trying to use ldappc to provision ldap (Fedora Directory Server) from grouper. I'm fairly new to both ldap and grouper. My source for users is the ldap directory. After a lot of struggling[1], I can now get ldappc to provision grouper groups into the ldap directory, correctly creating the group information and populating them with the group members. But I have not been able to persuade ldappc to work with the -memberships option.

My initial intent was to use the existing eduPersonEntitlement field to carry the membership information, with ldappc.xml set up as:

naming-attribute="name" />
This attribute is already in use in my directory, but a quick look at suggested it should be able to append group names to existing information in the attribute. When I attempted this ldappc managed to find the records to update, but threw exceptions when trying to update them:

./ldappc -memberships -subject GrouperSystem [LDAP: error code 20 - Attribute Or Value Exists]; remaining name 'CN=xyz,ou=Flame
com .sun .jndi .toolkit .ctx .PartialCompositeDirContext .modifyAttributes(
com .sun .jndi .toolkit .ctx .PartialCompositeDirContext .modifyAttributes(
javax .naming .directory.InitialDirContext.modifyAttributes( 148)
edu .internet2 .middleware .ldappc.GrouperProvisioner.updateSubject(
edu .internet2 .middleware .ldappc .GrouperProvisioner .performActualMembershipUpdates(
edu .internet2 .middleware .ldappc .GrouperProvisioner.provisionMemberships(
edu .internet2 .middleware .ldappc.GrouperProvisioner.provision(

(in the ldap log this shows as
[05/Jun/2008:14:04:12 +0100] conn=18 op=9 MOD dn="CN=xyz,ou=Flame Users,dc=lse,dc=ac,dc=uk"
[05/Jun/2008:14:04:12 +0100] conn=18 op=9 RESULT err=20 tag=103 nentries=0 etime=0 )

OK, so I assumed the problem was in the attribute already being in use. I went back and redefined my ldap entries as having objectclass eduMember, and restored ldappc.xml to the original default values:

naming-attribute="name" />

But ldappc still throws exactly the same exception, although the isMemberOf attribute is empty.

Any suggestions as to what to try next?

Graham Seaman
[1] The initial configuration problems included a faulty configuration causing ldappc to delete the entire ldap directory, requiring a reinstall. After that I realised it would be sensible for ldappc not to connect as the Directory manager, but as a user with rather less power. Unfortunately this led to a series of minor problems needing acis and exceptional rules which lead to my user being effectively an administrator anyway..

Archive powered by MHonArc 2.6.16.

Top of Page