Grouper Users - Open Discussion List

[Colin Hudler <>]

I might be doing something wrong :-).  Between 1.1.0 and 2.0 of ldappc I 
cannot provision subjects that have no ismember of attribute.  For each 
subject it reports:

javax.naming.directory.InvalidAttributeValueException: 'objectClass' has 
no values.; Remaining name: 'uid=chudler,ou=people,dc=uchicago,dc=edu'

I noticed that GrouperProvisioner.addSubjectDnSet builds an LDAP filter 
like this:

       String ldapFilter = 
LdapUtil.convertParameterToAsterisk(filter.getFilter(), 0);

"filter" is the source-subject-identifier.  Here is that part of my 
ldappc.xml:

 <source-subject-identifier source="uofc" subject-attribute="login">
  <ldap-search base="ou=people,dc=uchicago,dc=edu" 
scope="subtree_scope" filter="(uid={0})"/>

It then combines the filter with listAttribute (ismemberof) which 
results in the total filter "(&(uid=*)(ismemberof=*))"

Just after, while iterating through the LDAP results, it builds a list 
of subjects that will need the list-object-class
       if (hasObjectClass) {   
subjectObjectDns.add(subjectDn.toString()); }

Later on up the chain, the provisioner will use subjectOBjectDns to 
modify the LDAP entry (attempt to add the objectclass).  What I don't 
understand is how it can trust that set, since it was only built off of 
the query that will return exactly those entries that have an ismemberof 
value.  When list-object-class is null it throws the error, otherwise it 
tries to add the objectclass and gets an LDAP operations error.  I 
tested up to 1.2-SNAPSHOT.

--
Colin Hudler
The University of Chicago