Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] LDAPPC provisioning of rollup groups

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] LDAPPC provisioning of rollup groups

Chronological Thread 
  • From: Tom Zeller <>
  • To: Tim Darby <>
  • Cc:
  • Subject: Re: [grouper-users] LDAPPC provisioning of rollup groups
  • Date: Mon, 22 Jun 2009 09:20:02 -0500
  • Domainkey-signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; b=dRSad99BnGGJyWqK8hQxIT/GTRhemDrSqCu+w08bhVKE8tPHy3+3VLW+LhFw9Q16b5 4DOSnsnCOJJbREMh3QsMSUH8sUlH0g0l798kL/eWeKe401KRyxiZBe05/IAN6For8KDf NiJKftt/kOmlX7wWfU/IBzGBM4X/jA92vZVFk=

Yes, this is "normal" ldappc behavior as well as a bug (I'd link to jira but it appears to be down right now).

You'll need to run ldappc twice.

I stopped working on this one in lieu of integrating shibboleth's attribute resolver, since this issue has been around for so long.

The simplest solution is for ldappc to provision all groups without members, then go back and add members. Another option would be to calculate a tree of parent-child group memberships, but in my experience the use of "all" or "everyone" groups can make this approach unwieldly. I'm open to other ideas.


On Sun, Jun 21, 2009 at 3:59 PM, Tim Darby <> wrote:
I've created course groups with the following naming scheme: ED195A:002:all ED195A:002:instructor ED195A:002:learner ED195A:002:primaryinstructor ED195A:all

The "all" groups at each level contain the instructor, learner, and primary instructor groups.  When I try to provision these using LDAPPC to an empty groups OU, I get errors like this:

2009-06-21 11:42:10,707: [main] WARN  ErrorLog.warn(95) - [edu.internet2.middleware.ldappc.synchronize.GroupEntryS
ynchronizer] SUBJECT[[ NAME = ED195A:002:learner ][ ID = d2b981dc-0a8f-4b51-8e8
e-bd8ffb8934dc ]] Subject not found using [ subject id = ED195A:002:learner ][
source = g:gsa ][ filter = [base=ou=groups,dc=eds,dc=arizona,dc=edu][scope=2][filter=(cn={0})] ]

The groups are all being provisioned and all have people members, but the group ED195A:002:all has no group members.  When I look at how the groups are being provisioned, it appears that LDAPPC is working in alphabetical order.  In my example above, the groups are actually being provisioned in that order.  If that's the case, then the error makes sense because it's saying that it can't add that learner group as a member of the "all" group since the learner group doesn't exist in LDAP yet.  Is this normal behavior or am I missing something?

Tim Darby
University of Arizona

Archive powered by MHonArc 2.6.16.

Top of Page