
grouper-users - RE: [grouper-users] Ldappc Provisioning to Active Directory

Subject: Grouper Users - Open Discussion List

  • From: Richard James <>
  • To: "'Tom Zeller'" <>, "" <>
  • Subject: RE: [grouper-users] Ldappc Provisioning to Active Directory
  • Date: Thu, 5 Aug 2010 11:02:06 +0100

I will create a page within the Newcastle University section on the Grouper
wiki, which will document the configuration involved for the provisioning of
groups/members in Active Directory from our implementation. Hopefully it will
be a good reference page for any users new to provisioning to an AD like
ourselves :)

I will post the link once I have created the page.

Richie

>-----Original Message-----
>From: [mailto:] On Behalf Of Tom Zeller
>Sent: 04 August 2010 16:59
>To:
>Cc: Richard James
>Subject: Re: [grouper-users] Ldappc Provisioning to Active Directory
>
>We figured this out off-list. I should make a better example on the
>wiki for configuration and running ldappc when provisioning Active
>Directory.
>
>TomZ
>
>On Wed, Aug 4, 2010 at 10:06 AM, Tom Zeller <> wrote:
>> Did you remove this too? If so, that error should not be present,
>> which is why I'm asking.
>>
>> <memberships>
>>  <member-groups-list list-object-class="eduMember" list-attribute="isMemberOf" naming-attribute="name" />
>> </memberships>
>>
>> On Wed, Aug 4, 2010 at 9:59 AM, Richard James <> wrote:
>>> Thanks for your help on this Tom, I amended the config file accordingly so that it was not using hasMember and we are now able to provision groups and their memberships successfully, which is very cool :)
>>>
>>> We do encounter the following error in our log, on looking into it we think it may be a mandatory attribute on one of the objects not being set.
>>>
>>> 2010-08-04 15:24:15,654: [main] ERROR Ldappc.run(283) - Grouper Provision Failed
>>> edu.internet2.middleware.ldappc.exception.ConfigurationException: Member groups list attribute is null
>>>        at edu.internet2.middleware.ldappc.Ldappc.addSubjectDnSet(Ldappc.java:962)
>>>        at edu.internet2.middleware.ldappc.Ldappc.buildSourceSubjectDnSet(Ldappc.java:926)
>>>        at edu.internet2.middleware.ldappc.Ldappc.provisionMemberships(Ldappc.java:591)
>>>        at edu.internet2.middleware.ldappc.Ldappc.provision(Ldappc.java:383)
>>>        at edu.internet2.middleware.ldappc.Ldappc.run(Ldappc.java:253)
>>>        at edu.internet2.middleware.ldappc.Ldappc.main(Ldappc.java:208)
>>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>>        at edu.internet2.middleware.grouper.app.gsh.GrouperShell.handleSpecialCase(GrouperShell.java:188)
>>>        at edu.internet2.middleware.grouper.app.gsh.GrouperShell.main(GrouperShell.java:128)
>>>        at edu.internet2.middleware.grouper.app.gsh.GrouperShellWrapper.main(GrouperShellWrapper.java:16)
>>>
>>> It doesn't have a visible effect on the provisioning, so we will monitor this to see if it does cause any issues.
>>>
>>> Thanks again for helping us to get this to work.
>>>
>>> Richard
>>>
>>>>-----Original Message-----
>>>>From: [mailto:] On Behalf Of Tom Zeller
>>>>Sent: 03 August 2010 20:23
>>>>To: Richard James
>>>>Cc:
>>>>Subject: Re: [grouper-users] Ldappc Provisioning to Active Directory
>>>>
>>>>Apologies for the delay.
>>>>
>>>>You're provisioning Active Directory, correct? If so, remove
>>>><memberships ... > (memberOf) from ldappc.xml.
>>>>
>>>>Did you extend your AD schema to include eduMember? If not, remove
>>>><group-members-name-list ...> (hasMember).
>>>>
>>>>Take a look at ldappc.example.ad.xml.
>>>>
>>>>When adding a member to a group, Active Directory automatically
>>>>manages the memberOf attribute of the member objects. By default,
>>>>Active Directory does not support the hasMember attribute.
>>>>
>>>>TomZ
>>>>
>>>>On Tue, Aug 3, 2010 at 2:58 AM, Richard James <> wrote:
>>>>> Hi Tom,
>>>>>
>>>>> I have attached our ldappc.xml file and also the properties file for which I have removed any user credentials.
>>>>>
>>>>> Regards
>>>>>
>>>>> Richard
>>>>>
>>>>>>-----Original Message-----
>>>>>>From: [mailto:] On Behalf Of Tom Zeller
>>>>>>Sent: 02 August 2010 17:56
>>>>>>To: Richard James
>>>>>>Cc:
>>>>>>Subject: Re: [grouper-users] Ldappc Provisioning to Active Directory
>>>>>>
>>>>>>Could you reply with a sanitized (passwordless) version of your
>>>>>>configuration, ldappc.xml, please?
>>>>>>
>>>>>>On Mon, Aug 2, 2010 at 10:39 AM, Richard James <> wrote:
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We have recently started testing the provisioning of Grouper groups into our test Active Directory using ldappc (we will move towards using ldappcng once we have got ldappc working correctly). We have managed to load a number of groups into the Active Directory but when it comes to assigning members to these groups we are coming across a few issues.
>>>>>>>
>>>>>>> I have configured our ldappc.xml file in line with the example Active Directory configuration which is documented here, https://spaces.internet2.edu/display/GrouperWG/LDAPPC. Initially I commented out any memberships config, as per the guidance, but on trying to provision memberships, I got the error attached in nomembershipconfig.txt. There is definitely a member within the group we are trying to provision, so I'm not sure why this message is being returned.
>>>>>>>
>>>>>>> I have then tried to add the memberships section into the config file, this time it recognises that there is a member of the group and locates the user with the correct path of the AD, but returns an attribute conversion error on attempting to provision the membership (membershipconfig.txt).
>>>>>>>
>>>>>>> Unfortunately our experience of provisioning items into an LDAP directory is very limited. The fact that we are able to create the groups in the Active Directory is very promising, but the assigning of members is leaving us a little baffled at the moment, so any pointers/guidance would be very much appreciated.
>>>>>>>
>>>>>>> Many thanks in advance
>>>>>>>
>>>>>>> Richard James
>>>>>>> ISS Middleware Team
>>>>>>> Newcastle University
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>
>>
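
The advice given in the thread (drop `<memberships>` for an Active Directory target, and drop `<group-members-name-list>` unless the AD schema was extended with eduMember) expressed as a configuration check. This is an added example, not part of the original messages or of Grouper; the function name `lint_for_ad`, the wrapper elements in the sample and the attribute on the sample `<group-members-name-list>` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the <memberships> block is quoted from the thread;
# the wrapper elements and the group-members-name-list attribute are assumed.
SAMPLE = """<ldappc>
  <grouper>
    <groups>
      <group-members-name-list list-attribute="hasMember" />
      <!-- <group-members-name-list list-attribute="disabled" /> -->
    </groups>
    <memberships>
      <member-groups-list list-object-class="eduMember"
          list-attribute="isMemberOf" naming-attribute="name" />
    </memberships>
  </grouper>
</ldappc>"""


def lint_for_ad(xml_text, ad_schema_has_edumember=False):
    """Flag ldappc.xml elements the thread says to remove for an AD target.

    Returns (element, list_attributes, reason) tuples in document order.
    Commented-out elements are ignored because the parser drops comments.
    """
    findings = []
    root = ET.fromstring(xml_text)  # intended for a trusted, local config file
    for elem in root.iter():
        if elem.tag == "memberships":
            attrs = [child.get("list-attribute") for child in elem]
            findings.append((elem.tag, attrs,
                             "remove: AD manages memberOf on member objects itself"))
        elif elem.tag == "group-members-name-list" and not ad_schema_has_edumember:
            findings.append((elem.tag, [elem.get("list-attribute")],
                             "remove: hasMember is not in the default AD schema"))
    return findings


if __name__ == "__main__":
    for tag, attrs, reason in lint_for_ad(SAMPLE):
        print(f"<{tag}> {attrs}: {reason}")
```
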


