Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] LDAPPCNG: value of naming attribute 'cn' is not present in entry

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] LDAPPCNG: value of naming attribute 'cn' is not present in entry


Chronological Thread 
  • From: Tom Zeller <>
  • To: Francesco Malvezzi <>
  • Cc:
  • Subject: Re: [grouper-users] LDAPPCNG: value of naming attribute 'cn' is not present in entry
  • Date: Wed, 4 Aug 2010 07:58:02 -0500
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type :content-transfer-encoding; b=tl17031WQ3zAPtPSUk/d7hX4/BSN8Pq0vQcAM0kqRIxh3guHJ4sKtFekXKu0N4gk2T nBtRo9yN6UAgcNvTtgULlYKc5p+HY3MRm/zGGj9bvHrCr/eFxirTwrapmvc6TdFSZvJ3 xxFHd6JSrYKbr8j1CiOJ1M7twCHoDSQZXkHj4=
For a multi-valued cn :

<resolver:AttributeDefinition id="cn" xsi:type="ad:Simple" >
<resolver:Dependency ref="cn-extension" />
<resolver:Dependency ref="cn-name" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="cn-extension" xsi:type="ad:Simple"
sourceAttributeID="extension">
<resolver:Dependency ref="GroupDataConnector" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="cn-name" xsi:type="ad:Simple"
sourceAttributeID="name">
<resolver:Dependency ref="GroupDataConnector" />
</resolver:AttributeDefinition>

I typed this up without trying it, but I think it will work :-)

TomZ

On Wed, Aug 4, 2010 at 7:50 AM, Tom Zeller
<>
wrote:
> The sourceAttributeID of the group-dn and cn attribute should be the
> same, probably "name" and not "extension".
>
> What ldap directory are you provisioning, OpenLDAP ?
>
> The cn attribute is multi-valued because ldappcng is provisioning
> "cesia" and the DSA is (probably) provisioning the RDN
> "unimore:cesia". Ldappcng is then trying to remove "unimore:cesia"
> from the cn attribute, since ldappcng thinks cn should just be
> "cesia", which will cause the DSA to complain.
>
> Make sense ?
>
> TomZ
>
> On Wed, Aug 4, 2010 at 7:06 AM, Francesco Malvezzi
> <>
> wrote:
>> Thank you for this great piece of software,
>>
>> I'm trying to setup a test grouper installation bound to local ldap,
>> following documentation at:
>>
>> https://spaces.internet2.edu/display/GrouperWG/Grouper+hosted+on+a+cloud+server
>> https://spaces.internet2.edu/display/GrouperWG/LDAPPCNG
>>
>> I'm using release 1.6.0.
>>
>> I've missed something very basic because when I provision, I receive a
>> [LDAP: error code 64 - value of naming attribute 'cn' is not present in
>> entry] on all already-inserted groups.
>>
>> At first groups get inserted correctly:
>>
>> # unimore:cesia, groupergroups, unimore.it
>> dn: cn=unimore:cesia,ou=groupergroups,dc=unimore,dc=it
>> objectClass: eduMember
>> objectClass: groupOfNames
>> objectClass: top
>> hasMember: malvezzi
>> member: uid=malvezzi,ou=people,dc=unimore,dc=it
>> cn: cesia
>> cn: unimore:cesia
>>
>> but then when I update the group it tries to change cn, which of course
>> wont't work, because it is part of the dn. Follows the snippet of the
>> ./gsh.sh -ldappcng -bulkCalc
>>
>> <ldappc:calcResponse status='success'
>> requestID='2010/08/04-13:45:04.739_QMQECL0Q'>
>>    <ldappc:id ID='unimore:cesia'/>
>>    <ldappc:pso entityName='group'>
>>      <psoID ID='cn=unimore:cesia,ou=groupergroups,dc=unimore,dc=it'
>> targetID='ldap'/>
>>      <data>
>>        <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core'
>> name='objectClass'>
>>          <dsml:value>top</dsml:value>
>>          <dsml:value>groupOfNames</dsml:value>
>>          <dsml:value>eduMember</dsml:value>
>>        </dsml:attr>
>>        <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core' name='cn'>
>>          <dsml:value>cesia</dsml:value>
>>        </dsml:attr>
>>        <dsml:attr xmlns:dsml='urn:oasis:names:tc:DSML:2:0:core'
>> name='hasMember'>
>>          <dsml:value>malvezzi</dsml:value>
>>        </dsml:attr>
>>      </data>
>>      <capabilityData mustUnderstand='true'
>> capabilityURI='urn:oasis:names:tc:SPML:2:0:reference'>
>>        <spmlref:reference xmlns='urn:oasis:names:tc:SPML:2:0'
>> xmlns:spmlref='urn:oasis:names:tc:SPML:2:0:reference'
>> typeOfReference='member'>
>>          <spmlref:toPsoID ID='uid=malvezzi,ou=people,dc=unimore,dc=it'
>> targetID='ldap'/>
>>        </spmlref:reference>
>>      </capabilityData>
>>    </ldappc:pso>
>>  </ldappc:calcResponse>
>>
>> in ldappc-resolver.xml cn is defined as:
>>
>> [...]
>>  <resolver:AttributeDefinition id="group-dn"
>> xsi:type="ldappc:LdapDnPSOIdentifier"
>>    structure="${DNstructure}" sourceAttributeID="name"
>> rdnAttributeName="cn" base="${groupsOU}">
>>    <resolver:Dependency ref="GroupDataConnector" />
>>  </resolver:AttributeDefinition>
>>
>>
>>  <resolver:AttributeDefinition id="cn" xsi:type="ad:Simple"
>> sourceAttributeID="extension">
>>    <resolver:Dependency ref="GroupDataConnector" />
>>  </resolver:AttributeDefinition>
>> [...]
>>
>> Why it changes a correct multi-valued cn (actually it's me thinking it
>> is correct: I might be wrong) to a single-valued cn which is not the one
>> defined in the dn?
>>
>> What did I wrong?
>>
>> Which other configuration files do you need to better understand?
>>
>> Thank you for the attention,
>>
>> Francesco Malvezzi
>> University of Modena and Reggio Emilia
>>
>

Archive powered by MHonArc 2.6.16.

Top of Page