Grouper Users - Open Discussion List

[Tom Zeller <>]

The sourceAttributeID of the group-dn and cn attribute should be the
same, probably "name" and not "extension".

What ldap directory are you provisioning, OpenLDAP ?

The cn attribute is multi-valued because ldappcng is provisioning
"cesia" and the DSA is (probably) provisioning the RDN
"unimore:cesia". Ldappcng is then trying to remove "unimore:cesia"
from the cn attribute, since ldappcng thinks cn should just be
"cesia", which will cause the DSA to complain.

Make sense ?

TomZ

On Wed, Aug 4, 2010 at 7:06 AM, Francesco Malvezzi
<>
 wrote:
> Thank you for this great piece of software,
>
> I'm trying to setup a test grouper installation bound to local ldap,
> following documentation at:
>
> https://spaces.internet2.edu/display/GrouperWG/Grouper+hosted+on+a+cloud+server
> https://spaces.internet2.edu/display/GrouperWG/LDAPPCNG
>
> I'm using release 1.6.0.
>
> I've missed something very basic because when I provision, I receive a
> [LDAP: error code 64 - value of naming attribute 'cn' is not present in
> entry] on all already-inserted groups.
>
> At first groups get inserted correctly:
>
> # unimore:cesia, groupergroups, unimore.it
> dn: cn=unimore:cesia,ou=groupergroups,dc=unimore,dc=it
> objectClass: eduMember
> objectClass: groupOfNames
> objectClass: top
> hasMember: malvezzi
> member: uid=malvezzi,ou=people,dc=unimore,dc=it
> cn: cesia
> cn: unimore:cesia
>
> but then when I update the group it tries to change cn, which of course
> wont't work, because it is part of the dn. Follows the snippet of the
> ./gsh.sh -ldappcng -bulkCalc
>
> <ldappc:calcResponse status='success'
> requestID='2010/08/04-13:45:04.739_QMQECL0Q'>
>    <ldappc:id ID='unimore:cesia'/>
>    <ldappc:pso entityName='group'>
>      <psoID ID='cn=unimore:cesia,ou=groupergroups,dc=unimore,dc=it'
> targetID='ldap'/>
>      <data>
>        <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core'
> name='objectClass'>
>          <dsml:value>top</dsml:value>
>          <dsml:value>groupOfNames</dsml:value>
>          <dsml:value>eduMember</dsml:value>
>        </dsml:attr>
>        <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name='cn'>
>          <dsml:value>cesia</dsml:value>
>        </dsml:attr>
>        <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core'
> name='hasMember'>
>          <dsml:value>malvezzi</dsml:value>
>        </dsml:attr>
>      </data>
>      <capabilityData mustUnderstand='true'
> capabilityURI='urn:oasis:names:tc:SPML:2:0:reference'>
>        <spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0'
> xmlns:spmlref='urn:oasis:names:tc:SPML:2:0:reference'
> typeOfReference='member'>
>          <spmlref:toPsoID ID='uid=malvezzi,ou=people,dc=unimore,dc=it'
> targetID='ldap'/>
>        </spmlref:reference>
>      </capabilityData>
>    </ldappc:pso>
>  </ldappc:calcResponse>
>
> in ldappc-resolver.xml cn is defined as:
>
> [...]
>  <resolver:AttributeDefinition id="group-dn"
> xsi:type="ldappc:LdapDnPSOIdentifier"
>    structure="${DNstructure}" sourceAttributeID="name"
> rdnAttributeName="cn" base="${groupsOU}">
>    <resolver:Dependency ref="GroupDataConnector" />
>  </resolver:AttributeDefinition>
>
>
>  <resolver:AttributeDefinition id="cn" xsi:type="ad:Simple"
> sourceAttributeID="extension">
>    <resolver:Dependency ref="GroupDataConnector" />
>  </resolver:AttributeDefinition>
> [...]
>
> Why it changes a correct multi-valued cn (actually it's me thinking it
> is correct: I might be wrong) to a single-valued cn which is not the one
> defined in the dn?
>
> What did I wrong?
>
> Which other configuration files do you need to better understand?
>
> Thank you for the attention,
>
> Francesco Malvezzi
> University of Modena and Reggio Emilia
>