Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Ldappc Provisioning to Active Directory

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Ldappc Provisioning to Active Directory

Chronological Thread 
  • From: Tom Zeller <>
  • To: "" <>
  • Cc: Richard James <>
  • Subject: Re: [grouper-users] Ldappc Provisioning to Active Directory
  • Date: Wed, 4 Aug 2010 10:59:09 -0500
  • Domainkey-signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type :content-transfer-encoding; b=iNd4c/vk4ai8mzqKGOzlHGDgY6CePBwpbZ686wOZnDDE7GzSig+hiaI4y33FuNiPIM 9v6ptbSJEduJmXjZSN4IeTkje46m1uOwnqOvp4Z2987S0Nv2FkmO2rV/FOKCZvPfyrAh 1fZgFDYX1VivBh57jobUgUYQqqlcynVeRijYw=

We figured this out off-list. I should make a better example on the
wiki for configuration and running ldappc when provisioning Active


On Wed, Aug 4, 2010 at 10:06 AM, Tom Zeller
> Did you remove this too ? If so, that error should not be present,
> which is why I'm asking.
> <memberships>
>  <member-groups-list list-object-class="eduMember"
> list-attribute="isMemberOf" naming-attribute="name" />
> </memberships>
> On Wed, Aug 4, 2010 at 9:59 AM, Richard James
> <>
> wrote:
>> Thanks for your help on this Tom, I amended the config file accordingly so
>> that it was not using hasMember and we are now able to provision groups
>> and their memberships successfully, which is very cool :)
>> We do encounter the following error in our log, on looking into it we
>> think it may be a mandatory attribute on one of the objects not being set.
>> 2010-08-04 15:24:15,654: [main] ERROR - Grouper Provision
>> Failed
>> edu.internet2.middleware.ldappc.exception.ConfigurationException: Member
>> groups list attribute is null
>>        at
>> edu.internet2.middleware.ldappc.Ldappc.addSubjectDnSet(
>>        at
>> edu.internet2.middleware.ldappc.Ldappc.buildSourceSubjectDnSet(
>>        at
>> edu.internet2.middleware.ldappc.Ldappc.provisionMemberships(
>>        at edu.internet2.middleware.ldappc.Ldappc.provision(
>>        at
>>        at edu.internet2.middleware.ldappc.Ldappc.main(
>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>        at
>> sun.reflect.NativeMethodAccessorImpl.invoke(
>>        at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(
>>        at java.lang.reflect.Method.invoke(
>>        at
>>        at
>>        at
>> It doesn't have a visible effect on the provisioning, so we will monitor
>> this to see if it does cause any issues.
>> Thanks again for helping us to get this to work.
>> Richard
>>>-----Original Message-----
>>> On Behalf Of Tom
>>>Sent: 03 August 2010 20:23
>>>To: Richard James
>>>Subject: Re: [grouper-users] Ldappc Provisioning to Active Directory
>>>Apologies for the delay.
>>>You're provisioning Active Directory, correct ? If so, remove
>>><memberships ... > (memberOf) from ldappc.xml.
>>>Did you extend your AD schema to include eduMember ? If not, remove
>>><group-members-name-list ...> (hasMember).
>>>Take a look at
>>>When adding a member to a group, Active Directory automatically
>>>manages the memberOf attribute of the member objects. By default,
>>>Active Directory does not support the hasMember attribute.
>>>On Tue, Aug 3, 2010 at 2:58 AM, Richard James
>>> wrote:
>>>> Hi Tom,
>>>> I have attached our ldappc.xml file and also the properties file for
>>>which I have removed any user credentials.
>>>> Regards
>>>> Richard
>>>>>-----Original Message-----
>>>>> On Behalf Of Tom
>>>>>Sent: 02 August 2010 17:56
>>>>>To: Richard James
>>>>>Subject: Re: [grouper-users] Ldappc Provisioning to Active Directory
>>>>>Could you reply with a sanitized (passwordless) version of your
>>>>>configuration, ldappc.xml, please ?
>>>>>On Mon, Aug 2, 2010 at 10:39 AM, Richard James
>>>>> wrote:
>>>>>> Hi All,
>>>>>> We have recently started testing the provisioning of grouper groups
>>>>>into our test Active directory using ldappc (we will move towards
>>>>>ldappcng once we have got ldappc working correctly). We have managed
>>>>>load a number of groups into the active directory but when it comes to
>>>>>assigning members to these groups we are coming across a few issues.
>>>>>> I have configured our ldappc.xml file in line with the example
>>>>>directory configuration which is documented here,
>>>>> Initially I
>>>>>commented out any memberships config, as per the guidance, but on
>>>>>to provision memberships, I got the error attached in
>>>>>nomembershipconfig.txt. There is definitely a member within the group
>>>>>are trying to provision, so I'm not sure why this message is being
>>>>>> I have then tried to add the memberships section into the config
>>>>>this time it recognises that there is a member of the group and
>>>>>the user with the correct path of the AD, but returns an attribute
>>>>>conversion error on attempting to provision the membership.
>>>>>> Unfortunately our experience of provisioning items into an ldap
>>>>>directory is very limited. The fact that we are able to create the
>>>>>groups in the active directory is very promising, but the assigning of
>>>>>members is leaving us a little baffled at the moment, so any
>>>>>pointers/guidance would be very much appreciated.
>>>>>> Many thanks in advance
>>>>>> Richard James
>>>>>> ISS Middleware Team
>>>>>> Newcastle University

Archive powered by MHonArc 2.6.16.

Top of Page