Grouper Users - Open Discussion List

[Tom Zeller <>]

We figured this out off-list. I should make a better example on the
wiki for configuration and running ldappc when provisioning Active
Directory.

TomZ

On Wed, Aug 4, 2010 at 10:06 AM, Tom Zeller 
<>
 wrote:
> Did you remove this too ? If so, that error should not be present,
> which is why I'm asking.
>
> <memberships>
>  <member-groups-list list-object-class="eduMember"
> list-attribute="isMemberOf" naming-attribute="name" />
> </memberships>
>
> On Wed, Aug 4, 2010 at 9:59 AM, Richard James
> <>
>  wrote:
>> Thanks for your help on this Tom, I amended the config file accordingly so 
>> that it was not using hasMember and we are now able to provision groups 
>> and their memberships successfully, which is very cool :)
>>
>> We do encounter the following error in our log, on looking into it we 
>> think it may be a mandatory attribute on one of the objects not being set.
>>
>> 2010-08-04 15:24:15,654: [main] ERROR Ldappc.run(283) - Grouper Provision 
>> Failed
>> edu.internet2.middleware.ldappc.exception.ConfigurationException: Member 
>> groups list attribute is null
>>        at 
>> edu.internet2.middleware.ldappc.Ldappc.addSubjectDnSet(Ldappc.java:962)
>>        at 
>> edu.internet2.middleware.ldappc.Ldappc.buildSourceSubjectDnSet(Ldappc.java:926)
>>        at 
>> edu.internet2.middleware.ldappc.Ldappc.provisionMemberships(Ldappc.java:591)
>>        at edu.internet2.middleware.ldappc.Ldappc.provision(Ldappc.java:383)
>>        at edu.internet2.middleware.ldappc.Ldappc.run(Ldappc.java:253)
>>        at edu.internet2.middleware.ldappc.Ldappc.main(Ldappc.java:208)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>        at 
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>        at 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>        at 
>> edu.internet2.middleware.grouper.app.gsh.GrouperShell.handleSpecialCase(GrouperShell.java:188)
>>        at 
>> edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:128)
>>        at 
>> edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:16)
>>
>> It doesn't have a visible effect on the provisioning, so we will monitor 
>> this to see if it does cause any issues.
>>
>> Thanks again for helping us to get this to work.
>>
>> Richard
>>
>>>-----Original Message-----
>>>From: 
>>>
>>> 
>>>[mailto:]
>>> On Behalf Of Tom
>>>Zeller
>>>Sent: 03 August 2010 20:23
>>>To: Richard James
>>>Cc: 
>>>
>>>Subject: Re: [grouper-users] Ldappc Provisioning to Active Directory
>>>
>>>Apologies for the delay.
>>>
>>>You're provisioning Active Directory, correct ? If so, remove
>>><memberships ... > (memberOf) from ldappc.xml.
>>>
>>>Did you extend your AD schema to include eduMember ? If not, remove
>>><group-members-name-list ...> (hasMember).
>>>
>>>Take a look at ldappc.example.ad.xml.
>>>
>>>When adding a member to a group, Active Directory automatically
>>>manages the memberOf attribute of the member objects. By default,
>>>Active Directory does not support the hasMember attribute.
>>>
>>>TomZ
>>>
>>>On Tue, Aug 3, 2010 at 2:58 AM, Richard James
>>><>
>>> wrote:
>>>> Hi Tom,
>>>>
>>>> I have attached our ldappc.xml file and also the properties file for
>>>which I have removed any user credentials.
>>>>
>>>> Regards
>>>>
>>>> Richard
>>>>
>>>>>-----Original Message-----
>>>>>From: 
>>>>>
>>>>> 
>>>>>[mailto:]
>>>>> On Behalf Of Tom
>>>>>Zeller
>>>>>Sent: 02 August 2010 17:56
>>>>>To: Richard James
>>>>>Cc: 
>>>>>
>>>>>Subject: Re: [grouper-users] Ldappc Provisioning to Active Directory
>>>>>
>>>>>Could you reply with a sanitized (passwordless) version of your
>>>>>configuration, ldappc.xml, please ?
>>>>>
>>>>>On Mon, Aug 2, 2010 at 10:39 AM, Richard James
>>>>><>
>>>>> wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> We have recently started testing the provisioning of grouper groups
>>>>>into our test Active directory using ldappc (we will move towards
>>>using
>>>>>ldappcng once we have got ldappc working correctly). We have managed
>>>to
>>>>>load a number of groups into the active directory but when it comes to
>>>>>assigning members to these groups we are coming across a few issues.
>>>>>>
>>>>>> I have configured our ldappc.xml file in line with the example
>>>active
>>>>>directory configuration which is documented here,
>>>>>https://spaces.internet2.edu/display/GrouperWG/LDAPPC. Initially I
>>>>>commented out any memberships config, as per the guidance, but on
>>>trying
>>>>>to provision memberships, I got the error attached in
>>>>>nomembershipconfig.txt. There is definitely a member within the group
>>>we
>>>>>are trying to provision, so I'm not sure why this message is being
>>>>>returned.
>>>>>>
>>>>>> I have then tried to add the memberships section into the config
>>>file,
>>>>>this time it recognises that there is a member of the group and
>>>locates
>>>>>the user with the correct path of the AD, but returns an attribute
>>>>>conversion error on attempting to provision the membership.
>>>>>(membershipconfig.txt).
>>>>>>
>>>>>> Unfortunately our experience of provisioning items into an ldap
>>>>>directory is very limited. The fact that we are able to create the
>>>>>groups in the active directory is very promising, but the assigning of
>>>>>members is leaving us a little baffled at the moment, so any
>>>>>pointers/guidance would be very much appreciated.
>>>>>>
>>>>>> Many thanks in advance
>>>>>>
>>>>>> Richard James
>>>>>> ISS Middleware Team
>>>>>> Newcastle University
>>>>>>
>>>>>>
>>>>>>
>>>>
>>
>