
grouper-users - Re: [grouper-users] Ldappc objectClass has no values

Subject: Grouper Users - Open Discussion List

  • From: Kathryn Huxtable
  • To: Colin Hudler
  • Subject: Re: [grouper-users] Ldappc objectClass has no values
  • Date: Thu, 21 Aug 2008 15:16:19 -0500

Okay, I looked at the code. You're not quite correct in your assumption that only objects that have an isMemberOf value will be included. There is a check in addSubjectDnSet for the presence of a list-object-class in the configuration, which if present will lead to a filter of the form:

(&(uid=*)(|(ismemberof=*)(objectclass=edumember)))

The "or" clause will include any object that has the edumember value in its objectclass attribute.

If you need an object class to contain the attribute, you should include it in the config.

Can you send me your (password sanitized) ldappc.xml file?

-K

On Aug 20, 2008, at 2:17 PM, Colin Hudler wrote:

I might be doing something wrong :-). Between 1.1.0 and 2.0 of ldappc I cannot provision subjects that have no ismemberof attribute. For each subject it reports:

javax.naming.directory.InvalidAttributeValueException: 'objectClass' has no values.; Remaining name: 'uid=chudler,ou=people,dc=uchicago,dc=edu'

I noticed that GrouperProvisioner.addSubjectDnSet builds an LDAP filter like this:

String ldapFilter = LdapUtil.convertParameterToAsterisk(filter.getFilter(), 0);

"filter" is the source-subject-identifier. Here is that part of my ldappc.xml:

<source-subject-identifier source="uofc" subject-attribute="login">
  <ldap-search base="ou=people,dc=uchicago,dc=edu" scope="subtree_scope" filter="(uid={0})"/>
</source-subject-identifier>

It then combines the filter with listAttribute (ismemberof) which results in the total filter "(&(uid=*)(ismemberof=*))"

Just after, while iterating through the LDAP results, it builds a list of subjects that will need the list-object-class:

if (hasObjectClass) { subjectObjectDns.add(subjectDn.toString()); }

Later on up the chain, the provisioner will use subjectObjectDns to modify the LDAP entry (attempt to add the objectclass). What I don't understand is how it can trust that set, since it was only built off of the query that will return exactly those entries that have an ismemberof value. When list-object-class is null it throws the error, otherwise it tries to add the objectclass and gets an LDAP operations error. I tested up to 1.2-SNAPSHOT.

--
Colin Hudler
The University of Chicago
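
Added example, not part of either message and not ldappc code: a minimal Python evaluator for the two filter strings quoted in this thread, run over three constructed directory entries to show which subjects each filter selects. The DNs, attribute values and the `{0}` substitution stand-in are assumptions for illustration.

```python
# Added illustration; not ldappc code. All entries below are constructed.
def parse_filter(text, i=0):
    """Parse the filter subset used in the thread: &, |, attr=value, attr=*."""
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i] in "&|":
        op, children = text[i], []
        i += 1
        while text[i] == "(":
            child, i = parse_filter(text, i)
            children.append(child)
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    end = text.index(")", i)
    attr, _, value = text[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names lower-cased)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                      # presence test, e.g. (ismemberof=*)
        return bool(values)
    return value.lower() in (v.lower() for v in values)

def select(ldap_filter, entries):
    tree, _ = parse_filter(ldap_filter)
    return sorted(dn for dn, e in entries.items() if matches(tree, e))

# Constructed sample directory (hypothetical DNs and values).
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=edu":
        {"uid": ["alice"], "objectclass": ["person", "eduMember"], "ismemberof": ["staff"]},
    "uid=bob,ou=people,dc=example,dc=edu":      # has the object class, no memberships
        {"uid": ["bob"], "objectclass": ["person", "eduMember"]},
    "uid=carol,ou=people,dc=example,dc=edu":    # neither object class nor memberships
        {"uid": ["carol"], "objectclass": ["person"]},
}

# Stand-in for the {0} -> * substitution described in the thread.
BASE = "(uid={0})".replace("{0}", "*")
WITHOUT_CLASS = f"(&{BASE}(ismemberof=*))"
WITH_CLASS = f"(&{BASE}(|(ismemberof=*)(objectclass=edumember)))"
```

In this constructed directory the first filter returns only alice, the second returns alice and bob, and carol is returned by neither.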




