Grouper Users - Open Discussion List

[Kathryn Huxtable <>]

Another thing to watch out for is that if you are already using  
eduPersonEntitlement ldappc will remove any non-Grouper values in the  
attribute. I wouldn't recommend re-using an attribute. But it  
shouldn't cause an error.

-K

On Jun 5, 2008, at 8:49 AM, Graham Seaman wrote:

> Hi,
>
> I'm trying to use ldappc to provision ldap (Fedora Directory Server)  
> from grouper. I'm fairly new to both ldap and grouper. My source for  
> users is the ldap directory. After a lot of struggling[1], I can now  
> get ldappc to provision grouper groups into the ldap directory,  
> correctly creating the group information and populating them with  
> the group members. But I have not been able to  persuade ldappc to   
> work with the -memberships option.
>
> My initial intent was  to  use the existing  eduPersonEntitlement  
> field to carry the membership information, with ldappc.xml set up as:
>
> <member-groups-list
>       list-object-class="eduPerson"
>       list-attribute="eduPersonEntitlement"
>       naming-attribute="name" />
> This attribute is already in use in my directory, but a quick look  
> at GrouperProvisioner.java suggested it should be able to append  
> group names to existing information in the  attribute.  When I  
> attempted this ldappc managed to find the records to update, but  
> threw exceptions when trying to update them:
>
> ./ldappc  -memberships -subject GrouperSystem
>
> javax.naming.directory.AttributeInUseException: [LDAP: error code 20  
> - Attribute Or Value Exists]; remaining name 'CN=xyz,ou=Flame
> Users,dc=lse,dc=ac,dc=uk'
>        at
> com 
> .sun 
> .jndi 
> .toolkit 
> .ctx 
> .PartialCompositeDirContext 
> .modifyAttributes(PartialCompositeDirContext.java:172)
>       at
> com 
> .sun 
> .jndi 
> .toolkit 
> .ctx 
> .PartialCompositeDirContext 
> .modifyAttributes(PartialCompositeDirContext.java:161)
>       at
> javax 
> .naming 
> .directory.InitialDirContext.modifyAttributes(InitialDirContext.java: 
> 148)
>       at
> edu 
> .internet2 
> .middleware 
> .ldappc.GrouperProvisioner.updateSubject(GrouperProvisioner.java:735)
>       at
> edu 
> .internet2 
> .middleware 
> .ldappc 
> .GrouperProvisioner 
> .performActualMembershipUpdates(GrouperProvisioner.java:622)
>       at
> edu 
> .internet2 
> .middleware 
> .ldappc 
> .GrouperProvisioner.provisionMemberships(GrouperProvisioner.java:437)
>       at
> edu 
> .internet2 
> .middleware 
> .ldappc.GrouperProvisioner.provision(GrouperProvisioner.java:185)
>
> (in the ldap log this shows as
> [05/Jun/2008:14:04:12 +0100] conn=18 op=9 MOD dn="CN=xyz,ou=Flame  
> Users,dc=lse,dc=ac,dc=uk"
> [05/Jun/2008:14:04:12 +0100] conn=18 op=9 RESULT err=20 tag=103  
> nentries=0 etime=0 )
>
> OK, so I assumed the problem was in the attribute already being in  
> use. I went back and redefined my ldap entries as having objectclass  
> eduMember, and restored ldappc.xml to the original default values:
>
>   <memberships>
>     <member-groups-list
>       list-object-class="eduMember"
>       list-attribute="isMemberOf"
>       naming-attribute="name" />
>   </memberships>
>
> But ldappc still throws exactly the same exception, although the  
> isMemberOf attribute is empty.
>
> Any suggestions as to what to try next?
>
> Thanks
> Graham Seaman
> [1] The initial configuration problems included a faulty  
> configuration causing ldappc to delete the entire ldap directory,  
> requiring a reinstall. After that I realised it would be sensible  
> for ldappc not to connect as the Directory manager, but as a user  
> with rather less power. Unfortunately this led to a series of minor  
> problems needing acis and exceptional rules which lead to my user  
> being effectively an administrator anyway..