Grouper Users - Open Discussion List

[Tom Zeller <>]

Scott,

I am surprised that you encountered a 15 minute interval during which ldap was out-of-sync.

Ldappc writes membership changes out to a file, sorts it, then updates each subject via one ldap operation (one modification per subject). So, the behavior you describes seems odd.

Are you able to look at directory server logs ? I know, that can be tedious.

I watch how ldappc updates memberships by commenting out updatesFile.delete() towards the bottom of GrouperProvisioner.performActualMembershipUpdates(). Is it reasonable for you to debug similarly ?

TomZ

On Thu, Apr 2, 2009 at 6:05 PM, Scott Koranda <> wrote:

Hi,

I am running ldappc from Grouper API 1.4.1 with this command
line:

./bin/gsh.sh -ldappc -subject GrouperSystem -groups -memberships -interval 60 -configManager /opt/grouper/ldappc/grouper/conf/ldappc.xml

This instance has been running since March 18 (today is April
2) and has accumulated 651 minutes and 48 seconds of CPU time
(as shown by 'ps').

Before making any changes in the state of Grouper my entry in
the LDAP server had the following values for the isMemberOf
attribute:

isMemberOf: Communities:LVC:LSC:CompComm:AuthProject:AuthProjectGroupMembers
isMemberOf: Communities:LVC:LSC:CompComm:CompCommGroupMembers
isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMGroupManagers
isMemberOf: Communities:LVC:LSC:LSCGroupMembers
isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMGroupMembers
isMemberOf: Communities:LVC:LVCGroupMembers
isMemberOf: Communities:LVC:LIGOLab:MIT:MITGroupManagers
isMemberOf: Communities:LVC:LIGOLab:LHO:LHOGroupManagers
isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:CIT:CITGroupManagers
isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:LIGOLabGroupManagers
isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:LLO:LLOGroupManagers
isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:LHO:LHOGroupManagers
isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:MIT:MITGroupManagers

I then added myself to a new group in Grouper. After about 5
minutes I then queried the LDAP server and saw that the
isMemberOf attrbitue had only a single value--the name of the
group to which I just added myself:

isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMSupportStaff

This persisted for about 5 minutes. Eventually I found the
following values:

isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMSupportStaff
isMemberOf: Communities:LVC:LIGOLab:LHO:LHOGroupManagers
isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:LIGOLabGroupManagers
isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMGroupManagers
isMemberOf: Communities:LVC:LIGOLab:MIT:MITGroupManagers
isMemberOf: Communities:LVC:LSC:LSCGroupMembers
isMemberOf: Communities:LVC:LVCGroupMembers
isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:LLO:LLOGroupManagers
isMemberOf: Communities:LVC:LSC:CompComm:AuthProject:AuthProjectGroupMembers
isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMGroupMembers
isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:LHO:LHOGroupManagers
isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:MIT:MITGroupManagers
isMemberOf: Communities:LVC:LSC:CompComm:CompCommGroupMembers
isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:CIT:CITGroupManagers

So after 15 minutes or so the isMemberOf attribute did properly
reflect the state of Grouper, but there was a substantial
amount of time during which the value did not reflect the
state of Grouper.

Is this to be expected?

Is there anything I can tune to make the synchronization
faster?

Thanks,

Scott