grouper-users - Re: [grouper-users] ldappc updates of isMemberOf attribute

Subject: Grouper Users - Open Discussion List

  • From: Scott Koranda <>
  • To: Tom Zeller <>
  • Cc: Grouper Users Mailing List <>
  • Subject: Re: [grouper-users] ldappc updates of isMemberOf attribute
  • Date: Tue, 21 Apr 2009 11:13:21 -0500

For the archives...

> Scott,
> I am surprised that you encountered a 15 minute interval during which ldap
> was out-of-sync.
>
> Ldappc writes membership changes out to a file, sorts it, then updates each
> subject via one ldap operation (one modification per subject). So, the
> behavior you describe seems odd.
>
> Are you able to look at directory server logs? I know, that can be tedious.
>
> I watch how ldappc updates memberships by commenting out
> updatesFile.delete() towards the bottom of
> GrouperProvisioner.performActualMembershipUpdates(). Is it reasonable for
> you to debug similarly?

With Tom's help I was able to determine that what I was
actually seeing was cycling in the isMemberOf attribute due to
bug 227:

https://bugs.internet2.edu/jira/browse/GRP-227

I just happened to be catching the cycling at certain times
and so it appeared that the synchronization was taking longer
than it actually was taking.

My workaround for bug 227 is to manually delete/clear the
isMemberOf attribute and then let ldappc "fix" it. As long as
the isMemberOf attribute is fully provisioned during a cycle
the bug is not tickled.

Cheers,

Scott

>
> TomZ
>
> On Thu, Apr 2, 2009 at 6:05 PM, Scott Koranda <> wrote:
>
> > Hi,
> >
> > I am running ldappc from Grouper API 1.4.1 with this command
> > line:
> >
> > ./bin/gsh.sh -ldappc -subject GrouperSystem -groups -memberships -interval 60 -configManager /opt/grouper/ldappc/grouper/conf/ldappc.xml
> >
> > This instance has been running since March 18 (today is April
> > 2) and has accumulated 651 minutes and 48 seconds of CPU time
> > (as shown by 'ps').
> >
> > Before making any changes in the state of Grouper my entry in
> > the LDAP server had the following values for the isMemberOf
> > attribute:
> >
> > isMemberOf: Communities:LVC:LSC:CompComm:AuthProject:AuthProjectGroupMembers
> > isMemberOf: Communities:LVC:LSC:CompComm:CompCommGroupMembers
> > isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMGroupManagers
> > isMemberOf: Communities:LVC:LSC:LSCGroupMembers
> > isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMGroupMembers
> > isMemberOf: Communities:LVC:LVCGroupMembers
> > isMemberOf: Communities:LVC:LIGOLab:MIT:MITGroupManagers
> > isMemberOf: Communities:LVC:LIGOLab:LHO:LHOGroupManagers
> > isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:CIT:CITGroupManagers
> > isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:LIGOLabGroupManagers
> > isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:LLO:LLOGroupManagers
> > isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:LHO:LHOGroupManagers
> > isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:MIT:MITGroupManagers
> >
> > I then added myself to a new group in Grouper. After about 5
> > minutes I then queried the LDAP server and saw that the
> > isMemberOf attribute had only a single value--the name of the
> > group to which I just added myself:
> >
> > isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMSupportStaff
> >
> > This persisted for about 5 minutes. Eventually I found the
> > following values:
> >
> > isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMSupportStaff
> > isMemberOf: Communities:LVC:LIGOLab:LHO:LHOGroupManagers
> > isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:LIGOLabGroupManagers
> > isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMGroupManagers
> > isMemberOf: Communities:LVC:LIGOLab:MIT:MITGroupManagers
> > isMemberOf: Communities:LVC:LSC:LSCGroupMembers
> > isMemberOf: Communities:LVC:LVCGroupMembers
> > isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:LLO:LLOGroupManagers
> > isMemberOf: Communities:LVC:LSC:CompComm:AuthProject:AuthProjectGroupMembers
> > isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMGroupMembers
> > isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:LHO:LHOGroupManagers
> > isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:MIT:MITGroupManagers
> > isMemberOf: Communities:LVC:LSC:CompComm:CompCommGroupMembers
> > isMemberOf: Communities:LVC:LSC:MOU:LIGOLab:CIT:CITGroupManagers
> >
> > So after 15 minutes or so the isMemberOf attribute did properly
> > reflect the state of Grouper, but there was a substantial
> > amount of time during which the value did not reflect the
> > state of Grouper.
> >
> > Is this to be expected?
> >
> > Is there anything I can tune to make the synchronization
> > faster?
> >
> > Thanks,
> >
> > Scott
> >
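
A monitoring check for the cycling described in this thread, as an added example that is not part of the original messages or of ldappc: it compares successive LDIF snapshots of one entry's isMemberOf values and reports values that disappeared and later came back. The snapshot times, the dn and the shortened value lists are constructed from the values quoted above, and the function names are hypothetical.

```python
import base64
import re

def parse_is_member_of(ldif_text):
    """Return the set of isMemberOf values found in one LDIF snapshot."""
    # RFC 2849: a line that starts with one space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    values = set()
    for line in unfolded.splitlines():
        m = re.match(r"ismemberof:(:?)\s*(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        value = m.group(2).strip()
        if m.group(1):  # "isMemberOf:: ..." carries a base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        values.add(value)
    return values

def find_flaps(snapshots):
    """snapshots: time-ordered list of (timestamp, set of values).

    Returns sorted (value, first_seen_missing, seen_again) tuples for values
    that were present, went missing, and later reappeared.
    """
    seen, missing_since, flaps = set(), {}, []
    for ts, values in snapshots:
        for v in [v for v in values if v in missing_since]:
            flaps.append((v, missing_since.pop(v), ts))
        for v in seen - values:
            missing_since.setdefault(v, ts)  # keep the earliest miss
        seen |= values
    return sorted(flaps)

# Constructed snapshots: minutes since the change, values taken from the thread.
BEFORE = """dn: uid=example,ou=people,dc=example,dc=org
isMemberOf: Communities:LVC:LSC:CompComm:AuthProject:AuthProjectGroup
 Members
isMemberOf: Communities:LVC:LSC:LSCGroupMembers
isMemberOf: Communities:LVC:LVCGroupMembers
"""
ADDED = "isMemberOf: Communities:LVC:LSC:MOU:UWM:UWMSupportStaff\n"
SNAPSHOTS = [(0, parse_is_member_of(BEFORE)),
             (5, parse_is_member_of(ADDED)),
             (15, parse_is_member_of(BEFORE + ADDED))]

if __name__ == "__main__":
    for value, lost, back in find_flaps(SNAPSHOTS):
        print(f"{value}: missing from t+{lost}min, back at t+{back}min")
```

A value that is removed for good never appears in the result, so only the drop-and-restore pattern is reported.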

