
grouper-users - RE: [grouper-users] Ldappc Provisioning to Active Directory

Subject: Grouper Users - Open Discussion List

  • From: Richard James <>
  • To: "'Tom Zeller'" <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] Ldappc Provisioning to Active Directory
  • Date: Wed, 4 Aug 2010 15:59:42 +0100

Thanks for your help on this, Tom. I amended the config file accordingly so
that it was not using hasMember, and we are now able to provision groups and
their memberships successfully, which is very cool :)

We do encounter the following error in our log; on looking into it, we think
it may be a mandatory attribute on one of the objects not being set.

2010-08-04 15:24:15,654: [main] ERROR Ldappc.run(283) - Grouper Provision Failed
edu.internet2.middleware.ldappc.exception.ConfigurationException: Member groups list attribute is null
    at edu.internet2.middleware.ldappc.Ldappc.addSubjectDnSet(Ldappc.java:962)
    at edu.internet2.middleware.ldappc.Ldappc.buildSourceSubjectDnSet(Ldappc.java:926)
    at edu.internet2.middleware.ldappc.Ldappc.provisionMemberships(Ldappc.java:591)
    at edu.internet2.middleware.ldappc.Ldappc.provision(Ldappc.java:383)
    at edu.internet2.middleware.ldappc.Ldappc.run(Ldappc.java:253)
    at edu.internet2.middleware.ldappc.Ldappc.main(Ldappc.java:208)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at edu.internet2.middleware.grouper.app.gsh.GrouperShell.handleSpecialCase(GrouperShell.java:188)
    at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:128)
    at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:16)

It doesn't have a visible effect on the provisioning, so we will monitor this
to see if it does cause any issues.

Thanks again for helping us to get this to work.

Richard

>-----Original Message-----
>From: [mailto:] On Behalf Of Tom Zeller
>Sent: 03 August 2010 20:23
>To: Richard James
>Cc:
>
>Subject: Re: [grouper-users] Ldappc Provisioning to Active Directory
>
>Apologies for the delay.
>
>You're provisioning Active Directory, correct ? If so, remove
><memberships ... > (memberOf) from ldappc.xml.
>
>Did you extend your AD schema to include eduMember ? If not, remove
><group-members-name-list ...> (hasMember).
>
>Take a look at ldappc.example.ad.xml.
>
>When adding a member to a group, Active Directory automatically
>manages the memberOf attribute of the member objects. By default,
>Active Directory does not support the hasMember attribute.
>
>TomZ
>
>On Tue, Aug 3, 2010 at 2:58 AM, Richard James wrote:
>> Hi Tom,
>>
>> I have attached our ldappc.xml file and also the properties file for
>> which I have removed any user credentials.
>>
>> Regards
>>
>> Richard
>>
>>>-----Original Message-----
>>>From: [mailto:] On Behalf Of Tom Zeller
>>>Sent: 02 August 2010 17:56
>>>To: Richard James
>>>Cc:
>>>
>>>Subject: Re: [grouper-users] Ldappc Provisioning to Active Directory
>>>
>>>Could you reply with a sanitized (passwordless) version of your
>>>configuration, ldappc.xml, please ?
>>>
>>>On Mon, Aug 2, 2010 at 10:39 AM, Richard James wrote:
>>>> Hi All,
>>>>
>>>> We have recently started testing the provisioning of grouper groups
>>>> into our test Active directory using ldappc (we will move towards using
>>>> ldappcng once we have got ldappc working correctly). We have managed to
>>>> load a number of groups into the active directory but when it comes to
>>>> assigning members to these groups we are coming across a few issues.
>>>>
>>>> I have configured our ldappc.xml file in line with the example active
>>>> directory configuration which is documented here,
>>>> https://spaces.internet2.edu/display/GrouperWG/LDAPPC. Initially I
>>>> commented out any memberships config, as per the guidance, but on trying
>>>> to provision memberships, I got the error attached in
>>>> nomembershipconfig.txt. There is definitely a member within the group we
>>>> are trying to provision, so I'm not sure why this message is being
>>>> returned.
>>>>
>>>> I have then tried to add the memberships section into the config file,
>>>> this time it recognises that there is a member of the group and locates
>>>> the user with the correct path of the AD, but returns an attribute
>>>> conversion error on attempting to provision the membership.
>>>> (membershipconfig.txt).
>>>>
>>>> Unfortunately our experience of provisioning items into an ldap
>>>> directory is very limited. The fact that we are able to create the
>>>> groups in the active directory is very promising, but the assigning of
>>>> members is leaving us a little baffled at the moment, so any
>>>> pointers/guidance would be very much appreciated.
>>>>
>>>> Many thanks in advance
>>>>
>>>> Richard James
>>>> ISS Middleware Team
>>>> Newcastle University
>>>>
>>>>
>>>>
>>


