grouper-users - Re: [grouper-users] Ldappc objectClass has no values

Subject: Grouper Users - Open Discussion List

  • From: Kathryn Huxtable <>
  • To: Colin Hudler <>
  • Subject: Re: [grouper-users] Ldappc objectClass has no values
  • Date: Tue, 26 Aug 2008 16:44:12 -0500

Thanks, that makes sense to me. I think I can probably get something that works.

What LDAP are you using? This can make a difference for strange cases.

-K

On Aug 22, 2008, at 8:40 AM, Colin Hudler wrote:

Kathryn Huxtable wrote:
Okay, I looked at the code. You're not quite correct in your assumption that only objects that have an isMemberOf value will be included. There is a check in addSubjectDnSet for the presence of a list-object-class in the configuration, which if present will lead to a filter of the form:

(&(uid=*)(|(ismemberof=*)(objectclass=edumember)))

The "or" clause will include any object that has the edumember value in its objectclass attribute.

If you need an object class to contain the attribute, you should include it in the config.

Can you send me your (password sanitized) ldappc.xml file?


Thank you for looking. You're right, of course. I just observed it using that filter when a list-object-class was in member-groups-list. When list-object-class is set, and some of the entries need that objectclass, each one gets:

javax.naming.directory.AttributeInUseException: [LDAP: error code 20 - Attribute Or Value Exists]; Remaining name: 'uid=chudler2,ou=people,dc=uchicago,dc=edu'

Which made me think there was something wrong with addSubjectDnSet. However, the directory said:

Duplicate value addition in attribute "isMemberOf" of entry "uid=chudler2,ou=people,dc=uchicago,dc=edu"

I realize now that something else was going on when list-object-class is set. It is because some of those entries already have isMemberOf, despite not having the objectclass (yes, pathological). If list-object-class is unset, I get the previously mentioned error about objectClass being "empty", but only for ldap entries that have no isMemberOf values. The provisioner works perfectly fine when every entry has the objectclass, I set a list-object-class on member-groups-list, and they have no isMemberOf values already. Attached is the ldappc.xml with list-object-class set.


On Aug 20, 2008, at 2:17 PM, Colin Hudler wrote:

I might be doing something wrong :-). Between 1.1.0 and 2.0 of ldappc I cannot provision subjects that have no isMemberOf attribute. For each subject it reports:

javax.naming.directory.InvalidAttributeValueException: 'objectClass' has no values.; Remaining name: 'uid=chudler,ou=people,dc=uchicago,dc=edu'

I noticed that GrouperProvisioner.addSubjectDnSet builds an LDAP filter like this:

String ldapFilter = LdapUtil.convertParameterToAsterisk(filter.getFilter(), 0);

"filter" is the source-subject-identifier. Here is that part of my ldappc.xml:

<source-subject-identifier source="uofc" subject-attribute="login">
<ldap-search base="ou=people,dc=uchicago,dc=edu" scope="subtree_scope" filter="(uid={0})"/>

It then combines the filter with listAttribute (ismemberof) which results in the total filter "(&(uid=*)(ismemberof=*))"

Just after, while iterating through the LDAP results, it builds a list of subjects that will need the list-object-class
if (hasObjectClass) { subjectObjectDns.add(subjectDn.toString()); }

Later on up the chain, the provisioner will use subjectObjectDns to modify the LDAP entry (attempt to add the objectclass). What I don't understand is how it can trust that set, since it was only built off of the query that will return exactly those entries that have an ismemberof value. When list-object-class is null it throws the error, otherwise it tries to add the objectclass and gets an LDAP operations error. I tested up to 1.2-SNAPSHOT.

--
Colin Hudler
The University of Chicago

<?xml version="1.0" encoding="UTF-8"?>

<ldappc>
  <grouper>
    <group-queries>
      <attribute-matching-queries>
        <attribute-list>
          <attribute name="name" value="uc:orgs:NSIT:Everyone"/>
        </attribute-list>
      </attribute-matching-queries>
    </group-queries>
    <memberships>
      <member-groups-list list-object-class="eduMember" list-attribute="isMemberOf" naming-attribute="name"/>
    </memberships>
  </grouper>
  <source-subject-identifiers>
    <source-subject-identifier source="uofc" subject-attribute="login">
      <ldap-search base="ou=people,dc=uchicago,dc=edu" scope="subtree_scope" filter="(uid={0})"/>
    </source-subject-identifier>
  </source-subject-identifiers>
  <ldap>
    <context>
      <parameter-list>
        <parameter name="initial_context_factory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
        <parameter name="provider_url" value="ldaps://ldap-test.uchicago.edu"/>
        <parameter name="security_authentication" value="simple"/>
        <parameter name="security_principal" value="cn=provisioner,ou=agents,dc=uchicago,dc=edu"/>
        <parameter name="security_credentials" value="heresmypassword"/>
      </parameter-list>
    </context>
  </ldap>
</ldappc>
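An added illustration, not from the thread and not Ldappc's own code, of the two subject-filter forms quoted above and of how the kinds of entries Colin describes come out of them. The sample entries and DNs are constructed, and the outcome labels summarise what the thread reports for each case rather than anything ldappc itself returns.

```python
# Added example, not Ldappc's own code: reproduce the two subject-filter forms
# quoted in the thread and predict, for constructed sample entries, which of the
# situations Colin describes each entry falls into.

def convert_parameter_to_asterisk(template, index=0):
    """Stand-in for LdapUtil.convertParameterToAsterisk: {index} becomes a wildcard."""
    return template.replace("{%d}" % index, "*")

def build_subject_filter(subject_filter, list_attribute, list_object_class=None):
    """Filter addSubjectDnSet issues. With a list-object-class configured the
    thread shows an OR clause; without one only entries that already carry
    the list attribute are returned."""
    base = convert_parameter_to_asterisk(subject_filter)
    if list_object_class:
        return "(&%s(|(%s=*)(objectclass=%s)))" % (base, list_attribute, list_object_class)
    return "(&%s(%s=*))" % (base, list_attribute)

def classify_entry(entry, list_attribute="isMemberOf", list_object_class="eduMember"):
    """entry maps attribute name -> list of values (names compared case-insensitively).
    Returns (matched_by_filter, outcome) using the outcomes reported in the thread."""
    attrs = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    has_list_attr = bool(attrs.get(list_attribute.lower()))
    has_class = (list_object_class is not None
                 and list_object_class.lower() in attrs.get("objectclass", []))
    matched = "uid" in attrs and (has_list_attr or has_class)
    if has_list_attr and not has_class and list_object_class is not None:
        # the "pathological" entries: the value is already there, so adding it
        # again yields LDAP error 20, Attribute Or Value Exists
        return matched, "duplicate-value"
    if not has_list_attr and list_object_class is None:
        # nothing to add and the entry never matched: 'objectClass' has no values
        return matched, "objectclass-has-no-values"
    if not matched:
        return matched, "not-in-subject-set"   # never reaches subjectObjectDns
    return matched, "ok"

# Constructed sample entries, not real directory data
SAMPLE_ENTRIES = {
    "uid=a,ou=people,dc=example,dc=edu": {"uid": ["a"], "objectClass": ["person", "eduMember"]},
    "uid=b,ou=people,dc=example,dc=edu": {"uid": ["b"], "objectClass": ["person"],
                                          "isMemberOf": ["uc:orgs:NSIT:Everyone"]},
    "uid=c,ou=people,dc=example,dc=edu": {"uid": ["c"], "objectClass": ["person"]},
}

def report(entries, list_attribute="isMemberOf", list_object_class="eduMember"):
    """Outcome per DN for one configuration, e.g. to pre-check a directory."""
    return {dn: classify_entry(e, list_attribute, list_object_class)[1]
            for dn, e in entries.items()}
```

Running `report` against an export of the people branch before a provisioning run shows which entries would hit the duplicate-value case and which would fall outside the subject set.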



